Saturday, May 26, 2012

PowerSploit - A PowerShell Post-Exploitation Framework

PowerSploit Repo

After recently reviewing my code for PowerSyringe, I realized it was total crap. Although it worked and got the job done in most cases, it was ugly. Also, upon discovering how to achieve true memory-residence when working with Win32 functions, I decided it was time to dismember PowerSyringe. Behold... PowerSploit. PowerSploit retains much of the same functionality of PowerSyringe, but I decided to split each payload into a separate script according to its functionality. Currently, PowerSploit is comprised of the following scripts:

  • Invoke-DllInjection
  • Invoke-Shellcode
  • Encrypt-Script

Also, I've finally given my code a good home on Github. Moving forward, any new functionality and scripts will be hosted under the PowerSploit repo.

Here's a highlight of the changes I made to the original Powersyringe:
  • All the features of PowerSyringe have now been split up into separate scripts which now fall under the PowerSploit project.
  • Completely rewrote the PowerSyringe code from scratch.
  • All scripts are now in conformance with proper PowerShell verb-noun agreement.
  • All the scripts are entirely memory-resident now. This feature is possible through reflection. For more information on the implementation details, read my blog post.
  • Improved error handling. Error handlers should pick up on every fault now.
  • Added calls to VirtualFree for proper cleanup.
  • Detailed output is now displayed when the -Verbose option is enabled.
  • CreateThread assembly stub is now implemented in a function and is much more readable.
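Two of the changes above are about PowerShell conventions rather than payload internals: verb-noun naming and `-Verbose` output. The following is an added example (not part of the PowerSploit project or the original post) showing how a reviewer can check a list of script names against PowerShell's approved verb list via `Get-Verb`, written as an advanced function so that `[CmdletBinding()]` also gives it the `-Verbose` switch. The function name `Test-VerbNounName` and the pipeline input are constructed for this example; the three names fed in are the ones listed in the post.

```powershell
# Added example, not PowerSploit code: check Verb-Noun names against the approved verb list.
function Test-VerbNounName {
    [CmdletBinding()]   # gives the function the common parameters, including -Verbose
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Name
    )
    begin {
        # Get-Verb lists the verbs PowerShell considers approved (case-insensitive match below).
        $approved = (Get-Verb).Verb
    }
    process {
        foreach ($n in $Name) {
            $parts  = $n -split '-', 2
            $result = [pscustomobject]@{
                Name = $n; Verb = $null; Noun = $null; Approved = $false; Reason = ''
            }
            if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
                $result.Reason = 'name is not of the form Verb-Noun'
            }
            else {
                $result.Verb = $parts[0]
                $result.Noun = $parts[1]
                if ($approved -contains $parts[0]) {
                    $result.Approved = $true
                    # Only shown when the caller passes -Verbose
                    Write-Verbose "$n uses the approved verb '$($parts[0])'"
                }
                else {
                    $result.Reason = "'$($parts[0])' is not an approved verb (see Get-Verb)"
                }
            }
            $result
        }
    }
}

# Constructed input: the script names from the post.
'Invoke-DllInjection', 'Invoke-Shellcode', 'Encrypt-Script' |
    Test-VerbNounName -Verbose |
    Format-Table -AutoSize
```

Run as-is in any Windows PowerShell or PowerShell 7 session; no module installation is needed. One caveat a practitioner will notice in the output: `Invoke` is approved, but `Encrypt` does not appear in `Get-Verb` (the approved verb for that meaning is `Protect`, in the Security group), so Import-Module also warns about such names when they are exported from a module.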

As always, let me know if you have any legitimate issues with any of the scripts.