
[Q] Extracting encrypted zip archives with PowerShell and loading them directly into RAM.


UnKn0wnBooof

OK,

As the title states, I want to be able to extract an encrypted zip archive and output the files directly into RAM with PowerShell so that nothing is ever written to the disk.

Any ideas? Anyone written a script to do this? Would be great to implement it into my duck payload.

If anyone has alternatives to the use of Powershell, then still consider replying - Powershell isn't mandatory.

Thanks.


Hi Lavanoid,

Yeah, I really want to be able to do this as well. The only way I have really seen to do this is through a meterpreter drop or something like this. Maybe you could use a program like Cameyo to do this. I don't know. I will do as much as I can to see what I can do.

Please anyone else who reads this forum, get behind Lavanoid and help solve this problem.

MB60893.


The thing is, I take it that you'd also want to execute this executable (I assume it's an executable you're talking about extracting) from memory.

In-memory execution is not easy to pull off - it requires some kind of executable to already be running. A possible scenario could be powershell executing some base64 encoded payload straight into memory or a buffer overflow exploit that injects a reverse shell.

So, you're pretty much stuffed with dumping a binary, which means getting it past the AV.

A technique you could try is creating a volume shadow copy (a system restore point but for a specific directory), which cannot be edited once created. This would preserve your binary from any snooping AVs. Then you can mount the shadow copy and execute from there.
Any AVs with memory scanning features would *probably* pick up on this, but you'd be screwed anyway if that happened!

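Seen from the defender's side, both ideas raised in this thread leave traces a host audit can pick up: an exposed (mounted) shadow copy shows up in the Win32_ShadowCopy WMI class, and a PowerShell script that decodes base64 and unpacks an archive or assembly in memory is recorded verbatim by Script Block Logging (Event ID 4104). The following PowerShell is an added example written for this page, not code from any poster; it assumes Script Block Logging is enabled and that it runs elevated so the Operational log and VSS data are readable. The indicator list is a hypothetical starting set chosen from the techniques named above, not a tuned production rule.

```powershell
# Added defensive audit example (not from the thread). Two checks:
#   1. shadow copies that have been exposed as a drive letter or path, which is what
#      "mount the shadow copy and execute from there" would leave behind;
#   2. logged PowerShell script blocks (Event ID 4104) that combine base64 decoding with
#      in-memory archive or assembly loading.
# Assumes: Script Block Logging enabled, run as administrator.

function Get-ExposedShadowCopy {
    # Win32_ShadowCopy lists every VSS snapshot on the host. The Exposed* properties are
    # only populated once a snapshot has been surfaced for browsing.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.ExposedLocally -or $_.ExposedRemotely -or $_.ExposedName -or $_.ExposedPath } |
        Select-Object ID, VolumeName, InstallDate, ExposedName, ExposedPath, Persistent
}

# Hypothetical indicator set (regexes) derived from the techniques discussed in the thread.
# Expect noise from legitimate admin scripts; tune per environment.
$ScriptBlockIndicators = @(
    'System\.IO\.Compression\.ZipArchive',
    'New-Object\s+System\.IO\.MemoryStream',
    '\[Convert\]::FromBase64String',
    '\[System\.Reflection\.Assembly\]::Load\(',
    '\bInvoke-Expression\b|\bIEX\b'
)

function Get-SuspiciousScriptBlock {
    param(
        [int]$Hours = 24,
        [int]$MinimumHits = 2   # require two distinct indicators in one block to cut noise
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Event 4104 is written to the PowerShell Operational log; its Message field carries
    # the full text of the script block that was compiled.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $hits = @($ScriptBlockIndicators | Where-Object { $e.Message -match $_ })
        if ($hits.Count -ge $MinimumHits) {
            $flat = $e.Message -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Indicators  = ($hits -join ', ')
                Excerpt     = $flat.Substring(0, [Math]::Min(200, $flat.Length))
            }
        }
    }
}

# Usage: run both checks and print the findings as tables.
Get-ExposedShadowCopy      | Format-Table -AutoSize
Get-SuspiciousScriptBlock  | Format-Table -AutoSize
```

Requiring two indicators per script block is a deliberate trade-off: `FromBase64String` alone appears in plenty of benign automation, but paired with `ZipArchive` or `Assembly]::Load` in the same block it matches the pattern this thread is asking about far more specifically. The shadow copy check is cheap enough to schedule; an exposed snapshot on a workstation that has no backup or restore tooling installed is worth a closer look on its own.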
