[Q] Extracting encrypted zip archives with powershell and load them directly into RAM.

[UnKn0wnBooof]

OK,

As the title states, I want to be able to extract a encrypted zip archive and output the files directly into RAM with Powershell so that it was never written to the disk.

Any ideas? Anyone written a script to do this? Would be great to implement it into my duck payload.

If anyone has alternatives to the use of Powershell, then still consider replying - Powershell isn't mandatory.

Thanks.

[MB60893]

Hi Lavanoid,

Yeah, I really want to be able to do this as well. The only way I have really seen to do this is through a meterpreter drop or something like this. Maybe you could use a program like Cameyo to do this. I don't know. I will do as much as I can to see what I can do.

Please anyone else who reads this forum, get behind Lavanoid and help solve this problem.

MB60893.

[UnKn0wnBooof]

I may have found one possible solution, http://doc.xceedsoft.com/products/Xceedzip/Unzipping_files_from_a_zip_file_directly_to_memory.html

HHHHmmmmmm .

[Xcellerator]

The thing is, I take it that you'd also want to execute this executable (I assume its an executable you're talking about extracting) from memory.

In-memory execution is not easy to pull off - it requires some kind of executable to already be running. A possible scenario could be powershell executing some base64 encoded payload straight into memory or a buffer overflow exploit that injects a reverse shell.

So, you're pretty much stuffed with dumping a binary, which means getting it past the AV.

A technique you could try is creating a volume shadow copy (a system restore point but for a specific directory), which cannot be edited once created. This would preserve your binary from any snooping AVs. Then you can mount the shadow copy and execute from there.
Any AVs with memory scanning features would *probably* pick up on this, but you'd be screwed anyway if that happened!