After recently reviewing my code for PowerSyringe, I realized it was total crap. Although it worked and got the job done in most cases, it was ugly. Also, upon discovering how to achieve true memory-residence when working with Win32 functions, I decided it was time to dismember PowerSyringe. Behold... PowerSploit. PowerSploit retains much of the same functionality as PowerSyringe, but I decided to split each payload into a separate script according to its functionality. Currently, PowerSploit consists of the following scripts:
- Invoke-DllInjection
- Invoke-Shellcode
- Encrypt-Script
Also, I've finally given my code a good home on GitHub. Moving forward, any new functionality and scripts will be hosted under the PowerSploit repo.
Here are the highlights of the changes I made to the original PowerSyringe:
- All the features of PowerSyringe have now been split up into separate scripts which now fall under the PowerSploit project.
- Completely rewrote the PowerSyringe code from scratch.
- All scripts are now in conformance with proper PowerShell verb-noun agreement.
- All the scripts are entirely memory-resident now: the Win32 functions they need are bound through reflection at run time, so nothing is compiled to or loaded from disk. For more information on the implementation details, read my blog post.
- Improved error handling. Error handlers should pick up on every fault now.
- Added calls to VirtualFree so that memory allocated for a payload is properly cleaned up afterwards.
- Detailed output is now displayed when the -Verbose option is enabled.
- CreateThread assembly stub is now implemented in a function and is much more readable.
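The memory-residence point above comes down to how the Win32 functions are bound: Add-Type compiles a C# source snippet into a temporary assembly on disk, whereas a P/Invoke stub emitted with System.Reflection.Emit lives only in the current process. The following is an added example, not PowerSploit's own code and not necessarily the exact implementation described in the linked post. It assumes Windows PowerShell on the .NET Framework (where AppDomain.DefineDynamicAssembly is available); the helper name New-InMemoryPInvoke, the demo function Invoke-AllocationDemo and the dynamic assembly and type names are my own choices. The demo also exercises the VirtualFree cleanup, the error handling and the -Verbose output mentioned in the list.

```powershell
# Added example (not PowerSploit's own code). Targets Windows PowerShell on the
# .NET Framework. Helper names and the dynamic assembly/type names are mine.
function New-InMemoryPInvoke {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $DllName,
        [Parameter(Mandatory = $true)] [string] $FunctionName,
        [Parameter(Mandatory = $true)] [Type]   $ReturnType,
        [Type[]] $ParameterTypes = @()
    )

    $asmName = New-Object System.Reflection.AssemblyName -ArgumentList 'InMemoryWin32'
    # AssemblyBuilderAccess.Run: the dynamic assembly can be executed but never
    # saved, so nothing touches disk (Add-Type would compile and load a DLL).
    $asm  = [AppDomain]::CurrentDomain.DefineDynamicAssembly(
                $asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
    $mod  = $asm.DefineDynamicModule('InMemoryWin32')
    $type = $mod.DefineType("InMemoryWin32.$FunctionName", 'Public, Class')

    # DefinePInvokeMethod emits the same metadata a [DllImport] attribute would.
    $method = $type.DefinePInvokeMethod(
        $FunctionName,
        $DllName,
        [System.Reflection.MethodAttributes] 'Public, Static, PinvokeImpl',
        [System.Reflection.CallingConventions]::Standard,
        $ReturnType,
        $ParameterTypes,
        [System.Runtime.InteropServices.CallingConvention]::Winapi,
        [System.Runtime.InteropServices.CharSet]::Ansi)
    # PreserveSig: hand back the raw native return value rather than treating
    # it as an HRESULT and throwing on failure.
    $method.SetImplementationFlags('PreserveSig')

    Write-Verbose "Emitted in-memory P/Invoke stub for $DllName!$FunctionName"
    return $type.CreateType()
}

function Invoke-AllocationDemo {
    [CmdletBinding()]
    param([UInt32] $Size = 4096)

    # Documented Win32 constants.
    $MEM_COMMIT     = 0x1000
    $MEM_RESERVE    = 0x2000
    $MEM_RELEASE    = 0x8000
    $PAGE_READWRITE = 0x04

    # LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
    # SIZE_T is pointer-sized, so it is declared as IntPtr rather than UInt32.
    $Kernel32Alloc = New-InMemoryPInvoke -DllName 'kernel32.dll' -FunctionName 'VirtualAlloc' `
        -ReturnType ([IntPtr]) -ParameterTypes @([IntPtr], [IntPtr], [UInt32], [UInt32])
    # BOOL VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)
    $Kernel32Free  = New-InMemoryPInvoke -DllName 'kernel32.dll' -FunctionName 'VirtualFree' `
        -ReturnType ([Bool]) -ParameterTypes @([IntPtr], [IntPtr], [UInt32])

    $buffer = [IntPtr]::Zero
    try {
        $buffer = $Kernel32Alloc::VirtualAlloc([IntPtr]::Zero, [IntPtr][Int64]$Size,
                      [UInt32]($MEM_COMMIT -bor $MEM_RESERVE), [UInt32]$PAGE_READWRITE)
        if ($buffer -eq [IntPtr]::Zero) {
            throw 'VirtualAlloc failed'
        }
        Write-Verbose ('Allocated {0} bytes at 0x{1:X}' -f $Size, $buffer.ToInt64())

        # A real payload script would copy its code into $buffer and run it here.
        return $buffer.ToInt64() -ne 0
    }
    finally {
        # Runs even if the block above threw. MEM_RELEASE requires dwSize = 0.
        if ($buffer -ne [IntPtr]::Zero) {
            if ($Kernel32Free::VirtualFree($buffer, [IntPtr]::Zero, [UInt32]$MEM_RELEASE)) {
                Write-Verbose ('Released buffer at 0x{0:X}' -f $buffer.ToInt64())
            } else {
                Write-Warning 'VirtualFree failed; the allocation leaked'
            }
        }
    }
}

Invoke-AllocationDemo -Verbose
```

Because both functions use [CmdletBinding()], passing -Verbose to Invoke-AllocationDemo sets $VerbosePreference for the nested call as well, so the stub-emission, allocation and release messages all appear; without -Verbose the script is silent apart from the return value. The try/finally is what makes the VirtualFree cleanup reliable: it runs whether the body completes, throws, or is interrupted by an error handler further up.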
As always, let me know if you have any legitimate issues with any of the scripts.