This PowerShell script demonstrates advanced techniques including shellcode injection, dynamic function invocation, and PowerShell script obfuscation. Let's break down its components:
This function is responsible for dynamically locating and invoking native functions from the Windows API (kernel32.dll). Here's how it works:
- It first retrieves the
Microsoft.Win32.UnsafeNativeMethodstype from the loaded assemblies. - Using reflection, it finds methods like
GetProcAddressandGetModuleHandle. - It attempts to invoke
GetProcAddressto retrieve the memory addresses of functions likeVirtualAlloc,CreateThread, andWaitForSingleObjectfromkernel32.dll.
This function is used to create a custom delegate type dynamically. It defines a delegate that matches the signature of the native functions being invoked.
- VirtualAlloc: Allocates memory in the process's virtual address space to store and execute shellcode.
- CreateThread: Creates a new thread in the process, starting execution at the address of the allocated shellcode.
- WaitForSingleObject: Waits indefinitely for the created thread to finish executing.
This function handles the obfuscation of PowerShell scripts:
- If no script path is provided, it prompts the user to enter a path or uses a default path.
- It reads the contents of the specified PowerShell script file (
$Path), converts it to Base64, and then sorts and shuffles the Base64 string to obfuscate it. - Generates random variables (
$Var1and$Var2) and constructs an obfuscated PowerShell script that decodes and executes the Base64-encoded script content. - Saves the obfuscated script to a file with a randomly generated name.
- Use this to obfuscate shellcode.
This script showcases how PowerShell can be used for both offensive (shellcode injection) and defensive (script obfuscation) purposes, illustrating the flexibility and power of the language in automation, administration, and unfortunately, exploitation contexts.
