Accessing the Windows API in PowerShell via internal .NET methods and reflection

tl:dr version

It is possible to invoke Windows API function calls via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker? You can call any Windows API function (exported or non-exported) entirely in memory. For those familiar with Metasploit internals, think of this as an analogue to railgun.

---

This journey started for me upon releasing my PowerShell shellcode execution scripts and noticing that even if I issued C# compiler parameters to compile in memory, csc.exe would still write temporary files to disk. This is unacceptible for any attacker. The venerable Lee Holmes mentioned to me that the only way to achieve true memory-residence in .NET is through the System.Reflection namespace. Reflection is an extremely powerful technique used to generate dynamic code. In .NET, you can achieve fine-tuned control over generated code even to the MSIL bytecode level. Before I get too deep in the weeds, let me tell you a story about rifiling through .NET assemblies.

At one point, I was interested in auditing .NET methods that manipulated data/memory in a possibly unsafe fashion. To find some potential targets in Powershell I enumerated the exported types of every loaded .NET assembly via the following commands:

# Get a list of every loaded assembly
$Assemblies = [AppDomain]::CurrentDomain.GetAssemblies()
# Dump every unsafe class whose methods manipulate Int pointers in some fashion
$Assemblies |
   ForEach-Object {
      $_.GetTypes()|
         ForEach-Object {
            $_ | Get-Member -Static| Where-Object {
               $_.Definition.Contains('System.IntPtr') -And $_.TypeName.Contains('Unsafe')
            }
         }  2> $null
   }

This search yielded some very interesting methods. The ones that were of the most immediate value to me were those contained within Microsoft.Win32.UnsafeNativeMethods:

   TypeName: Microsoft.Win32.UnsafeNativeMethods

Name                        MemberType Definition
----                        ---------- ----------
CreateWindowEx              Method     static System.IntPtr CreateWindowEx(int exStyle, string lpszClassName, string lpszWindowName, int style, int x, int y, int width, int height, System.Runtime....
DefWindowProc               Method     static System.IntPtr DefWindowProc(System.IntPtr hWnd, int msg, System.IntPtr wParam, System.IntPtr lParam)
GetDC                       Method     static System.IntPtr GetDC(System.Runtime.InteropServices.HandleRef hWnd)
GetModuleHandle             Method     static System.IntPtr GetModuleHandle(string modName)
GetProcAddress              Method     static System.IntPtr GetProcAddress(System.Runtime.InteropServices.HandleRef hModule, string lpProcName)
GetProcessWindowStation     Method     static System.IntPtr GetProcessWindowStation()
GetStdHandle                Method     static System.IntPtr GetStdHandle(int type)
MsgWaitForMultipleObjectsEx Method     static int MsgWaitForMultipleObjectsEx(int nCount, System.IntPtr pHandles, int dwMilliseconds, int dwWakeMask, int dwFlags)
PostMessage                 Method     static bool PostMessage(System.Runtime.InteropServices.HandleRef hwnd, int msg, System.IntPtr wparam, System.IntPtr lparam)
SelectObject                Method     static System.IntPtr SelectObject(System.Runtime.InteropServices.HandleRef hDC, System.Runtime.InteropServices.HandleRef hObject)
SendMessage                 Method     static System.IntPtr SendMessage(System.Runtime.InteropServices.HandleRef hWnd, int msg, System.IntPtr wParam, System.IntPtr lParam)
SetClassLong                Method     static System.IntPtr SetClassLong(System.Runtime.InteropServices.HandleRef hWnd, int nIndex, System.IntPtr dwNewLong)
SetClassLongPtr32           Method     static System.IntPtr SetClassLongPtr32(System.Runtime.InteropServices.HandleRef hwnd, int nIndex, System.IntPtr dwNewLong)
SetClassLongPtr64           Method     static System.IntPtr SetClassLongPtr64(System.Runtime.InteropServices.HandleRef hwnd, int nIndex, System.IntPtr dwNewLong)
SetTimer                    Method     static System.IntPtr SetTimer(System.Runtime.InteropServices.HandleRef hWnd, System.Runtime.InteropServices.HandleRef nIDEvent, int uElapse, System.Runtime.I...
SetWindowLong               Method     static System.IntPtr SetWindowLong(System.Runtime.InteropServices.HandleRef hWnd, int nIndex, System.Runtime.InteropServices.HandleRef dwNewLong)
SetWindowLongPtr32          Method     static System.IntPtr SetWindowLongPtr32(System.Runtime.InteropServices.HandleRef hWnd, int nIndex, System.Runtime.InteropServices.HandleRef dwNewLong)
SetWindowLongPtr64          Method     static System.IntPtr SetWindowLongPtr64(System.Runtime.InteropServices.HandleRef hWnd, int nIndex, System.Runtime.InteropServices.HandleRef dwNewLong)
VerQueryValue               Method     static bool VerQueryValue(System.Runtime.InteropServices.HandleRef pBlock, string lpSubBlock, System.IntPtr&, mscorlib, Version=2.0.0.0, Culture=neutral, Pub...

Microsoft.Win32.UnsafeNativeMethods is an internal class that cannot be referenced through any direct means. If you try to reference the class, you will get an error stating that its module is not loaded. Microsoft.Win32.UnsafeNativeMethods is implemented within System.dll in the GAC.

Of the methods listed above, GetModuleHandle and GetProcAddress were the most interesting to me since these two methods form the basis for calling any other function in the Windows API. How do you access these methods you ask? I wrote the following PowerShell function to demonstrate:

function Get-ProcAddress {
Param (
    [Parameter(Position = 0, Mandatory = $True)] [String] $Module,
    [Parameter(Position = 1, Mandatory = $True)] [String] $Procedure
)

    # Get a reference to System.dll in the GAC
    $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
    $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
    # Get a reference to the GetModuleHandle and GetProcAddress methods
    $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
    $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
    # Get a handle to the module specified
    $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
    $tmpPtr = New-Object IntPtr
    $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
    # Return the address of the function
    return $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}

The function first gets a list of all loaded assemblies in PowerShell. It then gets a reference to System.dll, which contains Microsoft.Win32.UnsafeNativeMethods. I then call the GetMethod method on 'GetModuleHandle' and 'GetProcAddress'. I then invoke GetModuleHandle. Normally, in PowerShell, you would invoke this .NET method like this: 

[Microsoft.Win32.UnsafeNativeMethods]::GetModuleHandle('kernel32.dll')

That syntax would generate an error though because it is not a public class. I then get a reference to the returned handle. This is necessary because the managed version of GetProcAddress requires it. Finally, I call GetProcAddress on the function I'm interested in. As an example, the following command will return the address for VirtualAlloc:

Get-ProcAddress kernel32.dll VirtualAlloc

Now, having the address to VirtualAlloc is great and all, but what can be done with it? Conveniently, the System.Runtime.InteropServices.Marshal class contains a very handy method called GetDelegateForFunctionPointer. For those unfamiliar with delegates, think of them as function pointers. GetDelegateForFunctionPointer takes two parameters: a pointer (what was returned from Get-ProcAddress) and a type (a method signature). In C#, defining a method signature is trivial. You just use the delegate keyword. Therefore if you wanted to create a method signature for VirtualAlloc in C#, you could write something like the following:

IntPtr delegate VirtualAllocSig(IntPtr lpAddress, UInt32 dwSize, UInt32 flAllocationType, UInt32 flProtect);

Unfortunately, PowerShell has no equivalent to the 'delegate' keyword. This is where reflection and a handy article circa 2004 come into play. Using reflection, you can do the equivalent of compiling the C# code snippet above. This process is far from straightforward but can be accomplished via the function below:

function Get-DelegateType
{
    Param
    (
        [OutputType([Type])]
            
        [Parameter( Position = 0)]
        [Type[]]
        $Parameters = (New-Object Type[](0)),
            
        [Parameter( Position = 1 )]
        [Type]
        $ReturnType = [Void]
    )

    $Domain = [AppDomain]::CurrentDomain
    $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
    $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
    $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
    $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
    $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
    $MethodBuilder.SetImplementationFlags('Runtime, Managed')
        
    Write-Output $TypeBuilder.CreateType()
}

So to create the equivalent of the C# code that creates a delegate type, you can issue the following command now:

$VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])

Note that if a function passes a parameter by reference, you can still get a proper delegate type by using the MakeByRefType method:

$ByRefDelegate = Get-DelegateType @([String].MakeByRefType()) ([Void])

Coming back full-circle now, we now have everything GetDelegateForFunctionPointer needs to get a 'managed function pointer' to any Windows API function. So lets say you wanted to allocate some RWX memory. This can now be achieved:

$VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
$VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])
$VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
$AllocatedMemory = $VirtualAlloc.Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)

Last but not least, it is worth noting that this method will only execute functions that use the StdCall calling convention. Also, if anyone is familiar with Lee Holmes' awesome Invoke-WindowsApi script, you might have noticed that these techniques offer similar functionality to his script. The main difference is that this technique does not use P/Invoke and because you're calling a function from an address, you not just limited to exported functions. You can call non-exported StdCall functions.

Now, you're limited only by your imagination as to what you can achieve in Powershell and all without touching the disk! For example, soon I'll be modifying PowerSyringe to take advantage of these techniques. Also, expect more features to be added to PowerSyringe in the near future...

Extracting hard-coded credentials using managed code debugging techniques in Windbg

tl;dr version

Using some simple managed code debugging techniques, you can easily pull out hard-coded credentials from a binary claiming to protect them.

---

A friend of mine (@Obscuresec) referred me to a blog post from a software vendor claiming that if you absolutely have to hard-code credentials into a PowerShell script, that you'd at least be safer by using their product to wrap the script into a binary. If all reverse engineers were monkeys this might be true... and there are a lot of monkeys out there. To their credit, they advise their readers to never hard-code credentials into scripts. However, this monkey, when armed with a debugger will dispute (i.e. throw feces at) the vendor's claim that their product offers an additional layer of security.

Today, I'll be analyzing WMIQueryPS1.exe which can be obtained via the link above. WMIQueryPS1.exe is simply a .NET-compiled binary wrapper for a PowerShell script. The script used in this example passes domain credentials to a remote machine in order to execute a WMI query. The goal of this exercise is to pull out the credentials without decompiling the binary. Here's my step-by-step walk-though of how this was achieved.

1) Fire up the executable in WinDbg.

2) Load the CLR debugging extension for WinDbg - SOS.dll.

0:000> .load C:\Windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll

SOS.dll is a WinDbg extension used to aid in debugging managed code. More details on SOS.dll can be found here.

3) Let the program run its course and see what happens.

0:000> g
...
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=032e0504 ecx=00000000 edx=00000000 esi=02f3acd0 edi=02c85d50
eip=004c2297 esp=0031eba4 ebp=0031ebd4 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
004c2297 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????

Lol. We have a null-pointer dereference and conveniently, a good place to stop and inspect the CLR environment.

4) First, let's see what method in managed code triggered the exception:

0:000> !IP2MD @eip
MethodDesc: 001c6200
Method Name: PoshExeHostCmd.VBSPoSH.GetValue(System.String)
Class: 003706b8
MethodTable: 001c6234
mdToken: 060000b4
Module: 001c2c5c
IsJitted: yes
CodeAddr: 004c21f8

The !IP2MD command will tell you what method a particular JITed address belongs to. In this example, an exception was thrown in the PoshExeHostCmd.VBSPoSH.GetValue method.

5) Now let's see the CLR call stack and get some context as to how we got to where we did:

0:000> !CLRStack
OS Thread Id: 0x9f4 (0)
ESP       EIP    
0031eba4 004c2297 PoshExeHostCmd.VBSPoSH.GetValue(System.String)
0031ebdc 004c1e2d PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])
0031ec1c 004c0ba9 PoshExeHostCmd.Program.RunPowerShell(System.String[])
0031ed54 004c011c PoshExeHostCmd.Program.Main(System.String[])
0031ef88 6d2d1b4c [GCFrame: 0031ef88]

Considering this binary just wraps an obfuscated PowerShell script, it has to pass the deobfuscated script block as a parameter at some point. PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[]) looks like a good candidate method worth inspecting. Let's launch the assembly again and set a managed breakpoint on that method

6) In WinDbg, you can only set breakpoints on native code. To break on managed code, you rely upon the !bpmd command. Note: You cannot execute CLR debugger extension commands until mscorwks.dll has been loaded. Therefore, I'll set a conditional breakpoint upon the loading of a module and set a breakpoint for the managed method in a single instruction.

0:000> sxe -c "!bpmd WMIQueryPS1.exe PoshExeHostCmd.VBSPoSH.Execute; g" ld
0:000> sx
  ct - Create thread - ignore
  et - Exit thread - ignore
 cpr - Create process - ignore
 epr - Exit process - break
  ld - Load module - break
       Command: "!bpmd WMIQueryPS1.exe PoshExeHostCmd.VBSPoSH.Execute; g"
  ud - Unload module - ignore
 ser - System error - ignore
 ibp - Initial breakpoint - break
 iml - Initial module load - ignore
 out - Debuggee output - output
...

The sx command confirms that my 'conditional' breakpoint was set. Now, let the program run and it will break on the method in question.

0:000> g
JITTED PoshExeHostCmd!PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])
Setting breakpoint: bp 016A1B98 [PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])]
Breakpoint 0 hit
eax=013d61ac ebx=029b6a10 ecx=029b6a10 edx=0309f09c esi=00000000 edi=0309f608
eip=016a1b98 esp=002aed24 ebp=002aee5c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
016a1b98 55              push    ebp

7) Here we are. Let's check out the string that was passed to the method as an argument.

0:000> !CLRStack -p
OS Thread Id: 0xfe4 (0)
ESP       EIP    
002aed24 016a1b98 PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])
    PARAMETERS:
        this = 0x029b6a10
        command = 0x0309f09c
        args = 0x029b1f84

002aed2c 016a0ba9 PoshExeHostCmd.Program.RunPowerShell(System.String[])
    PARAMETERS:
        args = <no data>

002aee64 016a011c PoshExeHostCmd.Program.Main(System.String[])
    PARAMETERS:
        args = <no data>

002af090 6d2d1b4c [GCFrame: 002af090]

8) After poking around a bit, it turns out that the address of the 'command' object (0x0309f09c) is what we want to dump

0:000> !DumpObj -nofields 0x0309f09c
Name: System.String
MethodTable: 6ca40ae8
EEClass: 6c7fd65c
Size: 1386(0x56a) bytes
 (C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: # ==============================================================================================
# 
# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2012
# 
# NAME: 
# 
# AUTHOR: Alex , Toshiba
# DATE  : 4/24/2012
# 
# COMMENT: 
# 
# ==============================================================================================

$pass = ConvertTo-SecureString "SUPERSTRONGPASSWORD" -asplaintext -force
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "SUPERADMINUSER",$pass

Get-WmiObject -Credential $credentials -query "Select * from Win32_DiskDrive" -computername "SUPERSECRETSERVER"

9) Boom! All your creds are belong to me! I've just dumped the secret credentials that this vendor is claiming to protect. Not a difficult exercise.

I could have used these techniques in conjunction with a tool like .NET Reflector to decompile the method (SimpleDecodeData) that pulls the obfuscated scriptblock from the PE file's resource section and then deobfuscate the Powershell scriptblock but that would just be redundant. That, and the vendor might not appreciate it that much.

So what's the lesson in all this? Do not ever, EVER hard-code credentials into a file! If someone wants them bad enough (me), they will get them.