UnKn0wnBooof, posted February 18, 2014:
OK, as the title states, I want to be able to extract an encrypted zip archive and output the files directly into RAM with PowerShell, so that it is never written to the disk. Any ideas? Anyone written a script to do this? Would be great to implement it into my duck payload. If anyone has alternatives to the use of PowerShell, then still consider replying; PowerShell isn't mandatory. Thanks.
MB60893, posted February 19, 2014:
Hi Lavanoid, yeah, I really want to be able to do this as well. The only way I have really seen to do this is through a meterpreter drop or something like this. Maybe you could use a program like Cameyo to do this. I don't know. I will do as much as I can to see what I can do. Please, anyone else who reads this forum, get behind Lavanoid and help solve this problem. MB60893.
UnKn0wnBooof (author), posted February 19, 2014:
I may have found one possible solution: http://doc.xceedsoft.com/products/Xceedzip/Unzipping_files_from_a_zip_file_directly_to_memory.html Hmmmm.
Xcellerator, posted February 24, 2014:
The thing is, I take it that you'd also want to execute this executable (I assume it's an executable you're talking about extracting) from memory. In-memory execution is not easy to pull off; it requires some kind of executable to already be running. A possible scenario could be PowerShell executing some base64-encoded payload straight into memory, or a buffer overflow exploit that injects a reverse shell. So, you're pretty much stuffed with dumping a binary, which means getting it past the AV. A technique you could try is creating a volume shadow copy (a system restore point, but for a specific directory), which cannot be edited once created. This would preserve your binary from any snooping AVs. Then you can mount the shadow copy and execute from there. Any AVs with memory scanning features would *probably* pick up on this, but you'd be screwed anyway if that happened!
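The three traits discussed in this thread (an archive unpacked on a memory stream, a base64-encoded payload handed to PowerShell, and a shadow copy created and mounted to run from) are exactly what PowerShell script block logging (Event ID 4104) exposes to a defender. The following is an added example, written for this thread and not code from any poster: it runs a small indicator list over constructed sample script block text; the sample entries and the category names are my own and assumed for illustration.

```python
import re

# Constructed PowerShell script block log entries (the text field of an
# Event ID 4104 record); none of these come from the thread.
SAMPLE_SCRIPT_BLOCKS = [
    # routine admin work, should not be flagged
    "Get-ChildItem C:\\Users\\Public\\Downloads | Select-Object Name, Length",
    # archive opened on a memory stream rather than a file on disk
    "$zip = New-Object System.IO.Compression.ZipArchive($memoryStream)",
    # payload handed to PowerShell as a base64 string, never touching disk
    "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAuAC4ALgA=",
    # shadow copy created and mounted, as the thread's last post suggests
    "vssadmin create shadow /for=C: ; mklink /d C:\\vss "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\",
    # both traits in one block: decoded bytes unpacked straight from memory
    "[IO.Compression.ZipArchive]::new([IO.MemoryStream]::new("
    "[Convert]::FromBase64String($blob)))",
]

# Indicator categories (names are my own, not a standard taxonomy).
# A category fires when any of its regexes matches the block text.
INDICATORS = {
    "in_memory_archive": [r"IO\.Compression", r"MemoryStream"],
    "encoded_command": [r"-e(?:nc(?:odedcommand)?)?\b", r"FromBase64String"],
    "shadow_copy_mount": [r"vssadmin\s+create\s+shadow", r"Win32_ShadowCopy",
                          r"HarddiskVolumeShadowCopy"],
}


def classify_script_block(text):
    """Return the indicator categories matched by one script block, in INDICATORS order."""
    return [cat for cat, patterns in INDICATORS.items()
            if any(re.search(p, text, re.IGNORECASE) for p in patterns)]


def scan_script_blocks(blocks):
    """Return (index, categories) for every block that matches at least one indicator."""
    return [(i, cats) for i, cats in
            ((i, classify_script_block(b)) for i, b in enumerate(blocks)) if cats]


if __name__ == "__main__":
    for idx, cats in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {', '.join(cats)}")
```

On a real host the same classifier would be fed the ScriptBlockText of 4104 events; a block hitting two categories at once, like the last sample, is the combination the thread is asking about.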