|
1 |
| -# Shellcode-Loader |
2 |
| -This is way to load a shellcode, and obfuscate it, so it avoids scantime detection. |
| 1 | +### Overview |
| 2 | + |
| 3 | +This PowerShell script demonstrates advanced techniques including shellcode injection, dynamic function invocation, and PowerShell script obfuscation. Let's break down its components: |
| 4 | + |
| 5 | + |
| 6 | +### Native Function Lookup and Invocation |
| 7 | + |
| 8 | +#### `LookupFunc` Function |
| 9 | + |
| 10 | +This function is responsible for dynamically locating and invoking native functions from the Windows API (`kernel32.dll`). Here's how it works: |
| 11 | + |
| 12 | +- It first retrieves the `Microsoft.Win32.UnsafeNativeMethods` type from the loaded assemblies. |
| 13 | +- Using reflection, it finds methods like `GetProcAddress` and `GetModuleHandle`. |
| 14 | +- It attempts to invoke `GetProcAddress` to retrieve the memory addresses of functions like `VirtualAlloc`, `CreateThread`, and `WaitForSingleObject` from `kernel32.dll`. |
| 15 | + |
| 16 | +#### `getDelegateType` Function |
| 17 | + |
| 18 | +This function is used to create a custom delegate type dynamically. It defines a delegate that matches the signature of the native functions being invoked. |
| 19 | + |
| 20 | +### Shellcode Execution |
| 21 | + |
| 22 | +- **VirtualAlloc**: Allocates memory in the process's virtual address space to store and execute shellcode. |
| 23 | +- **CreateThread**: Creates a new thread in the process, starting execution at the address of the allocated shellcode. |
| 24 | +- **WaitForSingleObject**: Waits indefinitely for the created thread to finish executing. |
| 25 | + |
| 26 | +### PowerShell Script Obfuscation |
| 27 | + |
| 28 | +#### `Invoke-PsPayCrypt` Function |
| 29 | + |
| 30 | +This function handles the obfuscation of PowerShell scripts: |
| 31 | + |
| 32 | +- If no script path is provided, it prompts the user to enter a path or uses a default path. |
| 33 | +- It reads the contents of the specified PowerShell script file (`$Path`), converts it to Base64, and then sorts and shuffles the Base64 string to obfuscate it. |
| 34 | +- Generates random variables (`$Var1` and `$Var2`) and constructs an obfuscated PowerShell script that decodes and executes the Base64-encoded script content. |
| 35 | +- Saves the obfuscated script to a file with a randomly generated name. |
| 36 | +- Use this to obfuscate shellcode. |
| 37 | + |
| 38 | +### Conclusion |
| 39 | + |
| 40 | +This script showcases how PowerShell can be used for both offensive (shellcode injection) and defensive (script obfuscation) purposes, illustrating the flexibility and power of the language in automation, administration, and unfortunately, exploitation contexts. |
| 41 | + |
| 42 | + |
| 43 | +## With PsPayCrypt: |
| 44 | + |
| 45 | + |
| 46 | +## Without |
| 47 | + |
| 48 | + |
| 49 | + |
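Review bot: the Conclusion paragraph mislabels script obfuscation as a "defensive" purpose; the README's own Overview says the obfuscation exists to avoid scantime detection, which makes it an evasion technique applied to a shellcode loader, not a defensive control, and the text should say so plainly rather than frame the tool as dual-use. Two documentation gaps in the same hunk: the "With PsPayCrypt:" and "Without" headings are empty (either the screenshots or output they were meant to introduce are missing from the commit, or the sections should be dropped), and the bullet stating that the Base64 string is "sorted and shuffled" reads as if the encoding is destroyed; if the transformation is reversible, the paragraph describing the generated stub should state that the decode stage restores the original order before the Base64 decode, otherwise the description of the output script is inconsistent with it executing at all.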