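Function Invoke-Assembly {
<#
.SYNOPSIS
Loads the compiled .NET assembly supplied as base64 text in -ASMdata and invokes
every public method named Main found on its exported types. Arguments can be
passed to the loaded assembly.
Powershell port of https://gitlab.com/KevinJClark/csharper
.PARAMETER ASMdata
Base64-encoded bytes of the assembly to load.
.PARAMETER Arguments
Strings handed to Main as its single string[] parameter.
.OUTPUTS
Status lines, any value returned by Main, and the text Main wrote to
[Console]::Out while it ran.
.EXAMPLE
This script is not meant to be run outside of Empire. Instead, use
the standalone version found here:
https://gitlab.com/KevinJClark/csharptoolbox/-/blob/master/Invoke-Assembly.ps1
.NOTES
Detection: the assembly is loaded from a byte array, so no PE file is written to
disk for file-based scanning to inspect. The call itself is recorded by
PowerShell script block logging (event ID 4104), and on .NET Framework 4.8 and
later the bytes given to Assembly.Load are submitted to AMSI.
.LINK
https://www.mike-gualtieri.com/posts/red-team-tradecraft-loading-encrypted-c-sharp-assemblies-in-memory
#>
    [CmdletBinding()]
    Param (
        [Parameter()]
        [String[]]$ASMdata = "",
        [Parameter()]
        [String[]]$Arguments = ""
    )
    $foundMain = $false
    try {
        $assembly = [Reflection.Assembly]::Load([byte[]][Convert]::FromBase64String($ASMdata))
    }
    catch {
        Write-Output "[!] Could not load assembly. Is it in COFF/MSIL/.NET format?"
        # Nothing was loaded: stop here instead of calling GetExportedTypes() on
        # $null and then also reporting a misleading "no Main()" message.
        return
    }
    foreach($type in $assembly.GetExportedTypes()) {
        foreach($method in $type.GetMethods()) {
            if($method.Name -eq "Main") {
                $foundMain = $true
                if($Arguments[0] -eq "") {
                    Write-Output "Attempting to load assembly with no arguments"
                }
                else {
                    Write-Output "Attempting to load assembly with arguments: $Arguments"
                }
                # The unary comma wraps the string[] in a one-element array so
                # reflection passes it as a single parameter.
                $a = (,[String[]]@($Arguments))
                # Capture what Main writes to the console in a StringWriter.
                $prevConOut = [Console]::Out
                $sw = [IO.StringWriter]::New()
                [Console]::SetOut($sw)
                try {
                    $method.Invoke($null, $a)
                }
                catch {
                    Write-Output "[!] Could not invoke assembly or program crashed during execution"
                }
                finally {
                    # Always hand the console back, even if the pipeline is stopped.
                    [Console]::SetOut($prevConOut)
                }
                $output = $sw.ToString()
                $sw.Dispose()
                Write-Output $output
            }
        }
    }
    if(!$foundMain) {
        Write-Output "[!] Could not find public Main() function. Did you set the namespace as public?"
    }
}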