PoSHMagiC0de Posted April 29, 2017

Hmm. So, who is interested in injecting their PowerShell process into another process to hide it? The only advantage to this is if you are not going to be there. It makes no sense to do it with the BB connected since you are going to be there, but if you ever wanted to leave something behind (like the keylogger payload) and want it to be hidden, well, I can create a solution for you. I planned on doing it eventually when I was done optimizing the BBTPS, but I can take a break from it to think of and create a template for y'all.

It will be borrowing from the PowershellEmpire team's PSInject module, which uses the reflectivedllinject module from Powersploit to inject a dll that is 32bit or 64bit (the dll holders and the code to inject base64 unicode PowerShell into it before injection are all the Powershell Empire team's work; no need to reinvent the wheel. You can see I am a fanboy of theirs. :-P).

The ideal way to use this is that your launcher will be what is injected, and it will download the rest of the script. The reason for this is that the placeholder in the dlls for the PowerShell code is only 3000 bytes big. That means your script, after being encoded (and it has to be encoded), can only be 3000 characters long. No compression is supported. Encode it and then do a length on it to see. But... your launcher will most likely be tiny, and it will download and load the rest of the script, which will have no limitation. The limitation is only on the initial PowerShell code injected into the dll.

It will have to be a 2 stage process. The first stage is quacked and pulls the injector script. The injector script will be psinject, and the command to invoke it along with all parameters and your base64 script are appended to the end, so it all gets downloaded and run with no additional stuff... or you can add an extra function to the injector to download your base64 script to add to the command and run.
The script you use with the injector will be similar to the one first launched to get things started, meaning it is injected into the premade dlls and then into the process of your choice, and it then becomes the download cradle for your actual payload.

So. Phase 1: get admin, or not if you are not aiming at a system process. Phase 2: run the first download cradle (the same commands everyone is running to get their scripts started with QUACK) to get the injector, which will inject and launch the second download cradle that will pull your actual script (like the keylogger).

After it is running, you will not be able to see it unless you use a tool like Sysinternals Process Explorer and inspect the threads of that process. Warning: no output to the console is shown with an injected process unless you write it somewhere, like to a file, or send it back to the server, so consider the injected process to have no console access. Of course you could still launch programs and do messageboxes to interact with the local terminal. If you inject a neverending process, it will never end and will not be able to be killed unless you use Process Explorer to kill its thread or you kill the process it hides in. A reboot would work too.

Once again, for quick smash and grab runs this is highly useless, but for deposits it is worthwhile. Let me know. No sense doing all the work with no interest, hehe.

"Just because you have a hammer, doesn't make everything a nail." :-P
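The post points out that a PowerShell payload injected this way only shows up when you inspect the threads of the host process, for example in Sysinternals Process Explorer. As an added example that is not part of the original post, the BBTPS, or the Empire/PowerSploit modules it mentions, the following PowerShell script automates that inspection from the defender's side: it lists every thread of a named process whose start address is not backed by any module the process has loaded. A reflectively loaded DLL never appears in the module list, so a thread started inside it is reported. The function name `Find-UnbackedThreads` and the `-Name` parameter are my own choices; the script assumes it is run from an elevated PowerShell of the same bitness as the processes being examined.

```powershell
# Added example (not from the original post): report threads whose start
# address lies outside every module the process has loaded. Threads started
# inside a reflectively loaded DLL have no backing module and so are listed.
param(
    [Parameter(Mandatory = $true)][string]$Name   # process name, e.g. explorer
)

function Find-UnbackedThreads {
    param([System.Diagnostics.Process]$Process)

    # Build [Start, End) address ranges for every loaded module.
    # Casting IntPtr to int64 first keeps the arithmetic in a wide integer.
    $ranges = foreach ($m in $Process.Modules) {
        [pscustomobject]@{
            Name  = $m.ModuleName
            Start = [int64]$m.BaseAddress
            End   = [int64]$m.BaseAddress + $m.ModuleMemorySize
        }
    }

    foreach ($t in $Process.Threads) {
        $addr  = [int64]$t.StartAddress
        $owner = $ranges |
            Where-Object { $addr -ge $_.Start -and $addr -lt $_.End } |
            Select-Object -First 1
        if (-not $owner) {
            [pscustomobject]@{
                ProcessId    = $Process.Id
                ProcessName  = $Process.ProcessName
                ThreadId     = $t.Id
                StartAddress = ('0x{0:X}' -f $addr)
                State        = $t.ThreadState
            }
        }
    }
}

foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
    try {
        Find-UnbackedThreads -Process $p
    } catch {
        # Module enumeration fails for protected processes or a bitness
        # mismatch between this shell and the target; say so rather than skip silently.
        Write-Warning ("Could not inspect PID {0}: {1}" -f $p.Id, $_.Exception.Message)
    }
}
```

Usage: `.\Find-UnbackedThreads.ps1 -Name explorer`. Treat a hit as a lead, not a verdict: JIT-compiled code, some hooking and telemetry products, and threads whose start routine lives in a module that has since been unloaded also produce start addresses with no backing module. Confirm in Process Explorer's Threads tab, where the "Start Address" column shows the same unresolved address, and compare against the memory region's protection and mapping before drawing a conclusion.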