Channel: Exploit Monday
Browsing all 78 articles

Deep Reflection - Defining Structs and Enums in PowerShell

One of the reasons PowerShell is so powerful is in its ability to access to .NET framework. In theory, this should make the transition for C# developers seamless. Unfortunately, PowerShell is not quite...

Surgical .NET Dissection - Using PowerShell Proxy Functions to Extend Get-Member

Download: 'Get-Member' proxy function
tl;dr version: Using proxy functions in PowerShell, a '-Private' parameter can be added to the Get-Member cmdlet which will expose all non-public .NET members. This...

Why I Choose PowerShell as an Attack Platform

Since the inception of PowerShell, it has been a blessing for Windows administrators everywhere. As Don Jones so eloquently puts it, "you can either learn PowerShell, or learn to ask, 'would you like...

PowerSploit - Inject-Shellcode Update

PowerSploit Repo
I just released an updated version of Inject-Shellcode. Significant portions of the code have been cleaned up and its parameters were simplified. While I hate to change the original...

PowerShell v3 Cmdlet: Get-CourseraVideos

For those who haven't been through any of Coursera's free online courses, I cannot recommend them highly enough. For a while now, I've been wanting to download all of a class's videos to disk. Doing...

Get-MethodAddress - A Tool For Comparing .NET MSIL and ASM Method...

Download: Get-MethodAddress
Lately, as part of my research, I've found myself wanting to learn more about how MSIL (Microsoft Intermediate Language) opcodes in .NET assemblies get translated to assembly...

In-Memory Managed Dll Loading With PowerShell

Download: Out-CompressedDll
The .NET framework has a very handy method which loads a managed executable as a byte array – [System.Reflection.Assembly]::Load(byte[] rawAssembly). From the perspective of...

Dumping Strong-Name Keypair Paths Used by Microsoft

When you want to sign a managed assembly with a strong name, you must do so with a key pair in the form of an snk file. Microsoft's assemblies are no exception. After seeing a few assemblies signed by...

List All Win32/Native Functions Declared/Used By PowerShell

The PowerShell v3 command below will list every P/Invoke declaration made by the assemblies loaded in your PowerShell session. This knowledge may be useful for those seeking to avoid performing their...

Get-PEB – A Tool to Dump the Process Environment Block (PEB) of Any Process

Download: Get-PEB
Recently, I made the mistake of volunteering to undertake the creation of a process environment block parsing tool in PowerShell. Several painstaking days of work later, Get-PEB was...

Windows File Confusion: Masquerading Unsigned Binaries as Signed Ones

Could it be? A non-PowerShell-related blog post? A while ago, Mark Baggett (@MarkBaggett) tipped me off to a technique that he had seen malware using in the wild. He explained that if you could manage...

Parsing Binary File Formats with PowerShell

I'm giving a presentation on "Parsing Binary File Formats with PowerShell" for MiSec on Tuesday, March 26. For those who will not be attending, the slides and code are available for download. In the...

Practical Persistence with PowerShell

Download: Persistence Module
As I've preached continuously, PowerShell is the ideal post-exploitation tool in a Windows environment. A PowerShell-based payload can accomplish the same tasks of any...

Shellcode Execution in .NET using MSIL-based JIT Overwrite

Download: Invoke-ShellcodeMSIL
While investigating MSIL opcodes a while back, I uncovered a useful opcode - Cpblk. Cpblk is the MSIL equivalent of a memcpy. After writing a .NET method that utilized...

Working with Unmanaged Callback Functions in PowerShell

tl;dr version: With a little bit of work, you can bind a scriptblock to an unmanaged callback function in PowerShell. The key to accomplishing this is by casting a scriptblock as a non-generic delegate...

Undocumented NtQuerySystemInformation Structures (Updated for Windows 8)

Those familiar with Windows internals are likely to have used the NtQuerySystemInformation function in ntdll. This function is extremely valuable for getting system information that would otherwise not...

Windows RT ARMv7-based Shellcode Development

Recently, I've taken an interest in gaining code execution on my Surface RT tablet. I have found Windows RT to be rather enticing since Microsoft has made a concerted effort to prevent the execution of...

Writing Optimized Windows Shellcode in C

Download: PIC_Bindshell
Introduction
I’ll be the first to admit: writing shellcode sucks. While you have the advantage of employing some cool tricks to minimize the size of your payload, writing...

Simple CIL Opcode Execution in PowerShell using the DynamicMethod Class and...

tl;dr version: It is possible to assemble .NET methods with CIL opcodes (i.e. .NET bytecode) in PowerShell in only a few lines of code using dynamic methods and delegates. I’ll admit, I have a love/hate...

Reverse Engineering InternalCall Methods in .NET

Often times, when attempting to reverse engineer a particular .NET method, I will hit a wall because I’ll dig in far enough into the method’s implementation that I’ll reach a private method marked...
