PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Invoke-ReflectivePEInjection issues #115

Closed yakss closed 8 years ago

yakss commented 8 years ago

First of all, I faced some problems while executing the Invoke-ReflectivePEInjection test. I installed Pester 3.3.14 and PowerSploit 3.0.0 (latest releases). I executed the tests from PowerSploit-3.0.0\Tests and got the following output:

PS C:\PowerSploit-3.0.0\Tests> Invoke-Pester
Describing Invoke-Shellcode
 [+] should pop calc without arguments 2.43s
 [+] should pop calc in host process with -Shellcode arg 2.11s
 [+] should pop calc in victim notepad.exe process without -Shellcode arg 2.21s
 [+] should pop calc in victim notepad.exe process with -Shellcode arg 2.15s
Describing Invoke-DllInjection
 [+] should inject a known system DLL 2.13s
 [+] should not inject a non-existent DLL 22ms
 [+] should not inject to a non-existent process 60ms
Describing Invoke-WmiCommand
   Context Successful code execution
    [+] should execute a sample payload locally and clean up properly 5.26s
    [+] should execute a sample payload "remotely" (localhost) and clean up properly 5.13s
    [+] should execute a sample payload with explicit arguments locally and clean up properly 5.13s
   Context Invalid arguments
    [+] should not process invalid registry hives 39ms
Describing Invoke-ReflectivePEInjection
   Context DLL loading
    [+] should load a DLL (wchar_t*) in memory within powershell.exe and returns "Hello, world!" 626ms
    [+] should load a DLL (char*) in memory within powershell.exe and returns "Hello, world!" 771ms

Everything is ok till the following command executes:

Invoke-ReflectivePEInjection -PEBytes $VoidDllBytes -FuncReturnType Void -DoNotZeroMZ

The PowerShell process exited with a prompt (see screenshot). I also got an application crash when I tried to execute the EXE loading context (see screenshot).

I also tried to inject calc.exe from the windows/system32 folder. I wrote a simple test script:

$PEBytes = [IO.File]::ReadAllBytes((gci ".\calc.exe").FullName)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -DoNotZeroMZ

And got an error:

Invoke-Command : New function reference is null, this is almost certainly a bug in this script. Function Ordinal: 380.
Dll: COMCTL32.dll
C:\PowerSploit-3.0.0\CodeExecution\Invoke-ReflectivePEInjection.ps1:2892 sign:17
+         Invoke-Command <<<<  -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $Pro
cName,$ForceASLR)
    + CategoryInfo          : OperationStopped: (New function re...l: COMCTL32.dll:String) [Invoke-Command], RuntimeEx
   ception
    + FullyQualifiedErrorId : New function reference is null, this is almost certainly a bug in this script. Function
   Ordinal: 380. Dll: COMCTL32.dll,Microsoft.PowerShell.Commands.InvokeCommandCommand

I also compiled my own simple hello world executable using msvc2008:

$PEBytes = [IO.File]::ReadAllBytes((gci ".\hello.exe").FullName)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -DoNotZeroMZ

And got an error:

Warning: PE is not compatible with DEP, might cause issues
Warning: PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting
PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)
Invoke-Command : VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in
 a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants
might be free).
C:\PowerSploit-3.0.0\CodeExecution\Invoke-ReflectivePEInjection.ps1:2892 sign:17
+         Invoke-Command <<<<  -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $Pro
cName,$ForceASLR)
    + CategoryInfo          : OperationStopped: (VirtualAlloc fa...might be free).:String) [Invoke-Command], RuntimeEx
   ception
    + FullyQualifiedErrorId : VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running
    the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the ad
  dress the PE wants might be free).,Microsoft.PowerShell.Commands.InvokeCommandCommand

I tried to use the -ForceASLR option and I got a PowerShell application crash.

I also compiled my own simple hello world DLL using msvc2008 and tried to inject it:

$PEBytes = [IO.File]::ReadAllBytes((gci ".\hello.dll").FullName)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -DoNotZeroMZ

I got an error:

PE is not a valid PE file.
C:\PowerSploit-3.0.0\CodeExecution\Invoke-ReflectivePEInjection.ps1:2870 sign:14
+         throw <<<<  'PE is not a valid PE file.'
    + CategoryInfo          : OperationStopped: (PE is not a valid PE file.:String) [], RuntimeException
    + FullyQualifiedErrorId : PE is not a valid PE file.

What is wrong with your Invoke-ReflectivePEInjection script? What is wrong with my hello.exe and hello.dll? Why is my built DLL not a valid PE file? How do I build a correct exe/dll? You can reproduce this test (look at the hello.dll and hello.exe files in the zip archive in the attachment, or you can also build the executables from hello.cpp; see build_hello_dll.bat and build_hello_exe.bat).

My system info:

OS: Windows 7 x86 SP1 6.1.7601.65536

Name                       Value
----                       -----
CLRVersion                 2.0.50727.5420
BuildVersion               6.1.7601.17514
PSVersion                  2.0
WSManStackVersion          2.0
PSCompatibleVersions       {1.0, 2.0}
SerializationVersion       1.1.0.1
PSRemotingProtocolVersion  2.1

hello_app.zip

mattifestation commented 8 years ago

Sorry you're running into issues.

Invoke-ReflectivePEInjection -PEBytes $VoidDllBytes -FuncReturnType Void -DoNotZeroMZ

I'm unable to replicate the crash on Win10 and WinXP. Feel free to include the output with -Verbose.

$PEBytes = [IO.File]::ReadAllBytes((gci ".\calc.exe").FullName)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -DoNotZeroMZ

Again, this executed for me without issue. Please provide -Verbose output.

$PEBytes = [IO.File]::ReadAllBytes((gci ".\hello.dll").FullName)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -DoNotZeroMZ

In this example, the included hello.dll is a text file which is why you get the PE is not a valid PE file error. Try it again with an actual DLL and provide the -Verbose output if it doesn't load. It is recommended that you use the included test source code for your own testing in the PowerSploit\CodeExecution\Invoke-ReflectivePEInjection_Resources directory.

For general advice on building PEs that are purpose-built to be loaded with Invoke-ReflectivePEInjection, refer to Joe's article.
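Added example (not PowerSploit's code): a small Python header check that reproduces the two things discussed in this thread, the signature validation behind the "PE is not a valid PE file." error (the attached hello.dll was a text file) and the DllCharacteristics flags behind the "not compatible with DEP" / "not ASLR compatible" warnings in the first report. The sample images are constructed header-only stubs, not real binaries.

```python
import struct

# Constants from the PE/COFF specification.
DYNAMIC_BASE = 0x0040    # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR-compatible
NX_COMPAT = 0x0100       # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP-compatible
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL, not an EXE

def inspect_pe(pe_bytes):
    """Parse the DOS, COFF and optional headers; raise the script's own
    'PE is not a valid PE file.' message when the signatures are missing."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("PE is not a valid PE file.")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    coff, opt = e_lfanew + 4, e_lfanew + 24          # COFF header is 20 bytes
    if len(pe_bytes) < opt + 72 or pe_bytes[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("PE is not a valid PE file.")
    characteristics = struct.unpack_from("<H", pe_bytes, coff + 18)[0]
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:                                # PE32: 32-bit ImageBase at +28
        bits, image_base = 32, struct.unpack_from("<I", pe_bytes, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+: 64-bit ImageBase at +24
        bits, image_base = 64, struct.unpack_from("<Q", pe_bytes, opt + 24)[0]
    else:
        raise ValueError("PE is not a valid PE file.")
    dll_chars = struct.unpack_from("<H", pe_bytes, opt + 70)[0]  # same offset in both
    return {
        "bits": bits,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,                     # preferred base a non-ASLR PE needs
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }

def build_header(dll_chars, is_dll=False, pe32plus=False):
    """Constructed sample: a header-only image (not loadable) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> NT headers
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, 0x140000000)
    else:
        struct.pack_into("<I", opt, 28, 0x00400000)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Running inspect_pe over a real file's bytes tells you up front whether the loader's DEP/ASLR warnings will fire, and a non-ASLR image whose image_base is already occupied is exactly the case the VirtualAlloc message describes.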

funoverip commented 8 years ago

Hi,

I'm in the middle of an exciting pentest, but have exactly the same problem (tested on Win7 and 2008 R2).

PS C:\Users\Administrator\Downloads> $PEBytes = [IO.File]::ReadAllBytes('c:/windows/system32/notepad.exe')
PS C:\Users\Administrator\Downloads> Invoke-ReflectivePEInjection -PEBytes $PEBytes -Verbose
VERBOSE: PowerShell ProcessID: 3052
VERBOSE: Calling Invoke-MemoryLoadLibrary
VERBOSE: Getting basic PE information from the file
VERBOSE: Allocating memory for the PE and write its headers to memory
VERBOSE: Getting detailed PE information from the headers loaded in memory
VERBOSE: StartAddress: 0x0000000002840000    EndAddress: 0x0000000002875000
VERBOSE: Copy PE sections in to memory
VERBOSE: Update memory addresses based on where the PE was actually loaded in memory
VERBOSE: Import DLL's needed by the PE we are loading
Invoke-Command : New function reference is null, this is almost certainly a bug in this script. Function Ordinal: 345. Dll: COMCTL32.dll
At C:\Users\Administrator\Downloads\PowerSploit\CodeExecution\Invoke-Reflective
PEInjection.ps1:2892 char:17
+         Invoke-Command <<<<  -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
    + CategoryInfo          : OperationStopped: (New function re...l: COMCTL32.dll:String) [Invoke-Command], RuntimeException
    + FullyQualifiedErrorId : New function reference is null, this is almost certainly a bug in this script. Function Ordinal: 345. Dll: COMCTL32.dll,Microsoft.PowerShell.Commands.InvokeCommandCommand
PS C:\Users\Administrator\Downloads>

I would be honoured to give you remote access to my VM should you want to help in the troubleshooting.

Cheers. Jerome

mattifestation commented 8 years ago

Hi Jerome,

Are you getting an identical error for the EXE you're trying to load as you are for notepad.exe? I'd rather not look into an issue with loading notepad only to find that your EXE still doesn't load.

funoverip commented 8 years ago

Hi, sorry for the wasted time. In the end the issue was only with notepad. My EXE works fine.