PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Invoke-ReflectivePEInjection - PE platform doesn’t match the architecture #308

Open pfinn1977 opened 5 years ago

pfinn1977 commented 5 years ago

I am trying to inject the 64bit version of autoruns into explorer.

$PEBytes = [System.Convert]::FromBase64String($global:output)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "-a -c -s -h -t -m " -ProcName explorer -ComputerName $global:compName

I am getting the Arch error below:

PE platform doesn’t match the architecture of the process it is being loaded in (32/64bit)
At C:\Users\pf48\Documents\Work Docs\Scripts\Powershell\ForensicCollection-InjectionTest.ps1:2858 char:3

Doing some searching, other people who have run into this issue have tried using the 32bit version of PowerShell, but I still get the same error. I have verified that explorer on the machine I am working with is a 64bit process and I have verified that I am using the 64bit version of autorunsc. Any other thoughts on fixing this issue?
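The error quoted above concerns the bitness of the PE image versus the process it is loaded in. As an added example (not part of the original thread and not PowerSploit's own code), this function reads the architecture recorded in a PE byte array's headers so the 32/64-bit claim can be confirmed on the decoded bytes themselves. The function name `Get-PEArchitecture` and the sample buffer are constructed for illustration.

```powershell
# Added example: report the architecture recorded in a PE image's headers.
function Get-PEArchitecture {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # The DOS header is 64 bytes; e_lfanew at offset 0x3C points to the PE signature.
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw 'Not a PE image: missing MZ header.'
    }
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)
    # Need the signature (4) + COFF file header (20) + optional header Magic (2).
    if ($peOffset -lt 0 -or $peOffset + 26 -gt $Bytes.Length) {
        throw 'Truncated image: e_lfanew points outside the buffer.'
    }
    if ([BitConverter]::ToUInt32($Bytes, $peOffset) -ne 0x00004550) {
        throw 'Not a PE image: missing PE signature.'
    }
    $machine = [BitConverter]::ToUInt16($Bytes, $peOffset + 4)   # COFF Machine
    $magic   = [BitConverter]::ToUInt16($Bytes, $peOffset + 24)  # optional header Magic

    $machineName = switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'ARM64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
    $format = switch ($magic) {
        0x10B   { 'PE32' }
        0x20B   { 'PE32+' }
        default { 'unknown (0x{0:X4})' -f $magic }
    }
    [pscustomobject]@{
        Machine = $machineName
        Format  = $format
        Is64Bit = ($magic -eq 0x20B)
    }
}

# Constructed sample: a minimal header stub marked x64 / PE32+ (not a real binary).
$sample = New-Object byte[] 128
$sample[0] = 0x4D; $sample[1] = 0x5A          # 'MZ'
$sample[0x3C] = 0x40                          # e_lfanew -> 0x40
$sample[0x40] = 0x50; $sample[0x41] = 0x45    # 'PE\0\0'
$sample[0x44] = 0x64; $sample[0x45] = 0x86    # Machine = 0x8664
$sample[0x58] = 0x0B; $sample[0x59] = 0x02    # Magic   = 0x20B

Get-PEArchitecture -Bytes $sample
# Bitness of the PowerShell session running this check, for comparison.
'Current session is 64-bit: {0}' -f [Environment]::Is64BitProcess
```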

virusworm commented 4 years ago

@pfinn1977
You can use SysWOW64.

This example below:

%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File payload.ps1