Closed yakss closed 8 years ago
Sorry you're running into issues.
Invoke-ReflectivePEInjection -PEBytes $VoidDllBytes -FuncReturnType Void -DoNotZeroMZ
I'm unable to replicate the crash in Win10 and WinXP. Feel free to include the output with -Verbose
$PEBytes = [IO.File]::ReadAllBytes((gci ".\calc.exe").FullName)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -DoNotZeroMZ
Again, this executed for me without issue. Please provide -Verbose output.
$PEBytes = [IO.File]::ReadAllBytes((gci ".\hello.dll").FullName)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -DoNotZeroMZ
In this example, the included hello.dll is a text file, which is why you get the "PE is not a valid PE file" error. Try it again with an actual DLL and provide the -Verbose output if it doesn't load. It is recommended that you use the included test source code for your own testing in the PowerSploit\CodeExecution\Invoke-ReflectivePEInjection_Resources directory.
For general advice on building PEs that are purpose-built to be loaded with Invoke-ReflectivePEInjection, refer to Joe's article.
Hi,
I'm in the middle of an exciting pentest, but have the exact same problem (tested on Win7 and 2008 R2).
PS C:\Users\Administrator\Downloads> $PEBytes = [IO.File]::ReadAllBytes('c:/windows/system32/notepad.exe')
PS C:\Users\Administrator\Downloads> Invoke-ReflectivePEInjection -PEBytes $PEBytes -Verbose
VERBOSE: PowerShell ProcessID: 3052
VERBOSE: Calling Invoke-MemoryLoadLibrary
VERBOSE: Getting basic PE information from the file
VERBOSE: Allocating memory for the PE and write its headers to memory
VERBOSE: Getting detailed PE information from the headers loaded in memory
VERBOSE: StartAddress: 0x0000000002840000 EndAddress: 0x0000000002875000
VERBOSE: Copy PE sections in to memory
VERBOSE: Update memory addresses based on where the PE was actually loaded in memory
VERBOSE: Import DLL's needed by the PE we are loading
Invoke-Command : New function reference is null, this is almost certainly a bug in this script. Function Ordinal: 345. Dll: COMCTL32.dll
At C:\Users\Administrator\Downloads\PowerSploit\CodeExecution\Invoke-Reflective
PEInjection.ps1:2892 char:17
+ Invoke-Command <<<< -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
+ CategoryInfo : OperationStopped: (New function re...l: COMCTL32.dll:String) [Invoke-Command], RuntimeException
+ FullyQualifiedErrorId : New function reference is null, this is almost certainly a bug in this script. Function Ordinal: 345. Dll: COMCTL32.dll,Microsoft.PowerShell.Commands.InvokeCommandCommand
PS C:\Users\Administrator\Downloads>
I would be honoured to give you remote access to my VM should you want to help in the troubleshooting.
Cheers. Jerome
Hi Jerome,
Are you getting an identical error for the EXE you're trying to load as you are for notepad.exe? I'd rather not look into an issue with loading notepad only to find that your EXE still doesn't load.
Hi, sorry for the wasted time. Finally, the issue was only with notepad. My EXE works fine.
First of all, I faced some problems while executing the Invoke-ReflectivePEInjection test. I installed Pester 3.3.14 and PowerSploit 3.0.0 (latest releases). I executed the tests from PowerSploit-3.0.0\Tests and got the following output:
Everything is ok till the following command executes:
A PowerShell process exited with a prompt (see screenshot). I also got an application crash when I tried to execute the EXE loading context (see screenshot).
I also tried to inject calc.exe from windows/system32 folder. I wrote a simple test script:
And got an error:
Also I compiled my own simple hello world executable application using msvc2008:
And got an error:
I tried to use the -ForceASLR option and I got a PowerShell application crash.
Also I compiled my own simple hello world dll using msvc2008 and tried to inject it:
I got an error:
What is wrong with your Invoke-ReflectivePEInjection script? What is wrong with my hello.exe and hello.dll? Why is my built DLL not a valid PE file? How do I build a correct EXE/DLL? You can reproduce this test (look at the hello.dll and hello.exe files in the zip archive in the attachment, or you can also build the executables from hello.cpp; see build_hello_dll.bat and build_hello_exe.bat).
My system info:
OS: Windows 7 x86 SP1 6.1.7601.65536
Name Value
CLRVersion 2.0.50727.5420
BuildVersion 6.1.7601.17514
PSVersion 2.0
WSManStackVersion 2.0
PSCompatibleVersions {1.0, 2.0}
SerializationVersion 1.1.0.1
PSRemotingProtocolVersion 2.1
hello_app.zip
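An added pre-flight check (example code, not PowerSploit's own) for two things worth ruling out before blaming the loader: a file that is not a PE at all, which is what produces the "PE is not a valid PE file" error discussed above, and a PE whose bitness does not match the PowerShell process it would be mapped into. The function name Test-PEHeader and the constructed byte arrays are assumptions; it avoids PowerShell 3.0+ syntax so it runs on the reporter's PowerShell 2.0.

```powershell
# Added example, not PowerSploit code: inspect the headers a reflective loader depends on
# before calling Invoke-ReflectivePEInjection, so a non-PE file (such as a text file
# named hello.dll) or a bitness mismatch is reported up front.
function Test-PEHeader {
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)
    $r = @{ IsValidPE = $false; IsDll = $false; Is64Bit = $false; Reason = '' }

    # IMAGE_DOS_HEADER is 64 bytes, begins with 'MZ', and holds e_lfanew at offset 0x3C.
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        $r.Reason = 'No MZ signature: not a PE image'
        return New-Object PSObject -Property $r
    }
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)

    # IMAGE_NT_HEADERS: 'PE\0\0' (0x00004550 little-endian) then the 20-byte IMAGE_FILE_HEADER.
    if ($peOffset -lt 0x40 -or ($peOffset + 24) -gt $Bytes.Length -or
        [BitConverter]::ToUInt32($Bytes, $peOffset) -ne 0x4550) {
        $r.Reason = 'No PE signature at e_lfanew: corrupt or truncated image'
        return New-Object PSObject -Property $r
    }
    $machine         = [BitConverter]::ToUInt16($Bytes, $peOffset + 4)   # IMAGE_FILE_HEADER.Machine
    $characteristics = [BitConverter]::ToUInt16($Bytes, $peOffset + 22)  # IMAGE_FILE_HEADER.Characteristics

    $r.Is64Bit   = ($machine -eq 0x8664)                    # IMAGE_FILE_MACHINE_AMD64
    $r.IsDll     = (($characteristics -band 0x2000) -ne 0)  # IMAGE_FILE_DLL
    $r.IsValidPE = $true

    # The loader maps the PE into this PowerShell process, so the bitness has to match.
    $processIs64Bit = ([IntPtr]::Size -eq 8)
    if ($r.Is64Bit -ne $processIs64Bit) {
        $r.Reason = "Bitness mismatch: PE is 64-bit=$($r.Is64Bit), process is 64-bit=$processIs64Bit"
    } else {
        $r.Reason = 'OK'
    }
    return New-Object PSObject -Property $r
}

# Constructed sample inputs (not real binaries): a text file masquerading as a DLL, and
# a minimal 32-bit image header with IMAGE_FILE_DLL set (enough for the header checks).
$textFile  = [Text.Encoding]::ASCII.GetBytes('hello world, not a PE')
$minimalPe = New-Object byte[] 0x58
$minimalPe[0] = 0x4D; $minimalPe[1] = 0x5A                                 # 'MZ'
[BitConverter]::GetBytes([int]0x40).CopyTo($minimalPe, 0x3C)               # e_lfanew = 0x40
[BitConverter]::GetBytes([uint32]0x4550).CopyTo($minimalPe, 0x40)          # 'PE\0\0'
[BitConverter]::GetBytes([uint16]0x014C).CopyTo($minimalPe, 0x44)          # IMAGE_FILE_MACHINE_I386
[BitConverter]::GetBytes([uint16]0x2102).CopyTo($minimalPe, 0x56)          # EXECUTABLE_IMAGE|32BIT_MACHINE|DLL

Test-PEHeader -Bytes $textFile  | Format-List
Test-PEHeader -Bytes $minimalPe | Format-List
```

Running it against the real hello.dll from the attachment ($PEBytes read with [IO.File]::ReadAllBytes) separates a bad build from a loader bug: a missing MZ or PE signature is the file's problem, while a well-formed header that still fails in Invoke-ReflectivePEInjection is worth reporting with -Verbose output.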