Closed mathurin68 closed 3 years ago
Just saw this issue by chance.
This is actually not a misconfiguration with PowerShellArmoury. The script is loaded and executed successfully. You can take a look at the variable $ScriptPath after loading the script. When loading Invoke-Privesccheck from a URL via IEX it contains the URL value, and in this case it will contain some invalid characters. Just change the line
if (Test-Path $ScriptPath)
to for example
if ("1" -eq "2")
if you don't need the module imports.
Hi @mathurin68, thanks for your question. @S3cur3Th1sSh1t is correct. I just want to add that PrivescCheck does contain a couple of different functions if you scroll down a bit in the source code. The stuff at the beginning of the file is the various declarations of native APIs the script is using. And just to add some background: you do not actually "need" a function for PSArmoury. If you run "cat -raw .\priv_armour.ps1 | iex" the loader will decrypt your content (PrivescCheck) and then itself just pipe everything into invoke-expression. Now everything that's inside a function block will be defined and you can use it later, meaning that you can decide when to execute that code. Everything that's not inside a function block will be executed right away and that might not be what you want.
I created a little gist for you to try here: https://gist.github.com/cfalta/afe271fca9bcbbdcc1925610237ab909
Try to run it with PSArmoury and check out the source to see the difference between function block and non function block :-)
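Added example, not part of the thread and not taken from PSArmoury or PrivescCheck: a way to see, without running anything, which top-level statements of a script would execute immediately when the text is piped into Invoke-Expression and which are only function definitions. The function name Get-TopLevelBehaviour and the sample script are made up for illustration; the parser calls are the standard System.Management.Automation.Language API.

```powershell
# Added example: classify top-level statements of a script by parsing it, never executing it.
function Get-TopLevelBehaviour {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        throw "Script does not parse: $($errors[0].Message)"
    }

    # A script may use begin/process/end blocks; plain scripts only have an End block.
    $blocks = @($ast.BeginBlock, $ast.ProcessBlock, $ast.EndBlock) | Where-Object { $_ }
    foreach ($block in $blocks) {
        foreach ($stmt in $block.Statements) {
            $isFunction = $stmt -is [System.Management.Automation.Language.FunctionDefinitionAst]
            [pscustomobject]@{
                Line   = $stmt.Extent.StartLineNumber
                OnLoad = if ($isFunction) { 'defined only' } else { 'runs immediately' }
                # Show the function name, or the first line of any other statement.
                What   = if ($isFunction) { "function $($stmt.Name)" }
                         else { ($stmt.Extent.Text -split '\r?\n')[0] }
            }
        }
    }
}

# Constructed sample input (not PrivescCheck itself): two loose statements,
# one function, and a path check like the one discussed above.
$sample = @'
$banner = "loaded"
Write-Output $banner
function Invoke-Demo {
    Write-Output "runs only when called"
}
if (Test-Path $ScriptPath) { Write-Output "would import modules" }
'@

Get-TopLevelBehaviour -ScriptText $sample | Format-Table -AutoSize
```

Pointing the function at a real file with `-ScriptText (Get-Content -Raw .\SomeScript.ps1)` lists every statement that sits outside a function block, which is the code that runs as soon as the script text reaches Invoke-Expression.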
@cfalta Everything that's not inside a function block will be executed right away and that might not be what you want. "not inside function block"
Got it...thank you!!
Hey Cristoph,
(Bear in mind I still have no PS skills and no idea what I'm looking at) I was curious about something... I found this great script - https://github.com/itm4n/PrivescCheck it appears to be a script and not a function...but it seems to work OK.
I download it and build the Armoury file -
. .\New-PSArmoury
New-PSArmoury -Fromfile .\PrivescCheck.ps1 -Path .\priv_armour.ps1 -EnhancedArmour
I load the .\priv-armour.ps1 file (twice to avoid any non-MS EDR)
cat -raw .\priv_armour.ps1 | iex
and except for an illegal character error it seems to run OK and give me the results -
But, this appears to be a script, since it doesn't have a function block around it like all the others that work so easily. In fact, if I try to add a function block to the beginning, it doesn't work at all.
I was just curious, why this seems to work.
Keep up the great work and stay safe!!