0xSh3rr1nf0rd
Search…
0xSh3rr1nf0rd /?
Blogs
Office Templates and GlobalDotName - A Stealthy Office Persistence Technique
KnowledgeBase
COM Attack Surface
Miscellaneous
Code Execution Templates
Downloaders and Shellcodes
Win32 API Execution
Frameworks Resources
Powered By GitBook
Win32 API Execution

Powershell

Add-Type

Add-Type calls the csc compiler, which writes to disk.
$User32 = @"
using System;
using System.Runtime.InteropServices;
public class User32 {
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MessageBox(IntPtr hWnd, String text, String caption, int
options);
}
"@
Add-Type $User32
[User32]::MessageBox(0, "This is an alert", "MyBox", 0)

Dynamic Invocation - UnsafeNativeMethods

This snippet's purpose is to demonstrate the concept of Dynamic Invocation,
For actual operational usage I recommend using this amazing project by TheWover
https://github.com/TheWover/DInvoke
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp[email protected]()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
@($moduleName)), $functionName))
}
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object
System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
[System.MulticastDelegate])
$type.
DefineConstructor('RTSpecialName, HideBySig, Public',
[System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.
DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
$VirtualAllocAddr = LookupFunc kernel32.dll VirtualAlloc
$VirtualAllocDelegateType = getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])
Previous
Downloaders and Shellcodes
Next - Miscellaneous
Frameworks Resources
Last modified 3mo ago
Copy link
Outline
Powershell
Add-Type
Dynamic Invocation - UnsafeNativeMethods