
Comments (12)

mattifestation avatar mattifestation commented on June 12, 2024

So if you are getting that error and you are running a 64-bit OS, then my 64-bit OS detection logic is flawed. That error is only designed to display if you are trying to load a non 32-bit DLL on a 32-bit OS. To gain compatibility with XP, I changed the OS detection logic to checking for the presence of the ProgramFiles(x86) environment variable. I've never tested Invoke-DllInjection on a Chinese language pack OS though. Does that environment variable exist on your system?

from powersploit.

3gstudent avatar 3gstudent commented on June 12, 2024

Here is my test OS, win8 x64.

from powersploit.

mattifestation avatar mattifestation commented on June 12, 2024

Thank you for the screenshot. That's helpful but would you mind telling me if the ProgramFiles(x86) environment variable is available? Either ${Env:ProgramFiles(x86)} in PowerShell or echo %ProgramFiles(x86)% in cmd.exe. If it's not present on your system, then I'll have to use another, more robust method for checking the bitness of the OS that works across all versions.

Thanks,
Matt

from powersploit.

3gstudent avatar 3gstudent commented on June 12, 2024

As you can see, the ProgramFiles(x86) environment variable has been set.
:)

from powersploit.

leechristensen avatar leechristensen commented on June 12, 2024

Just to double check, in your repository (https://github.com/3gstudent/Code-Execution-and-Process-Injection/tree/master/7-Process%20Injection-dll), it appears that DemoDLL.DLL is x86. You can't inject an x86 DLL into a 64-bit process with Invoke-DllInjection. If that is the case, the bug might be in the parsing of the DLL's PE header, not in the OS detection.

from powersploit.

3gstudent avatar 3gstudent commented on June 12, 2024

@leechristensen
When I test it on win8 x64, I use the DemoDLLx64.dll (https://github.com/3gstudent/Code-Execution-and-Process-Injection/blob/master/7-Process%20Injection-dll/DemoDLLx64.dll).
It is an x64 DLL, because it succeeds on win7 x64.

:)

from powersploit.

mattifestation avatar mattifestation commented on June 12, 2024

Testing this, my architecture detection appears to be fine.

function Get-PEArchitecture
{
    Param
    (
        [Parameter( Position = 0,
                    Mandatory = $True )]
        [String]
        $Path
    )

    # Parse PE header to see if binary was compiled 32 or 64-bit
    $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)

    [Byte[]] $MZHeader = New-Object Byte[](2)
    $FileStream.Read($MZHeader,0,2) | Out-Null

    $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
    if ($Header -ne 'MZ')
    {
        $FileStream.Close()
        Throw 'Invalid PE header.'
    }

    # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
    $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null

    [Byte[]] $lfanew = New-Object Byte[](4)

    # Read offset to the PE Header (will be read in reverse)
    $FileStream.Read($lfanew,0,4) | Out-Null
    $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))

    # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
    $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
    [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)

    # Read compiled architecture
    $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
    $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
    $FileStream.Close()

    if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
    {
        Throw 'Invalid PE header or unsupported architecture.'
    }

    if ($Architecture -eq '014C')
    {
        Write-Output 'X86'
    }
    elseif ($Architecture -eq '8664')
    {
        Write-Output 'X64'
    }
    else
    {
        Write-Output 'OTHER'
    }
}

Get-PEArchitecture -Path "$($Env:SystemRoot)\System32\kernel32.dll"
Get-PEArchitecture -Path "$($Env:SystemRoot)\SysWow64\kernel32.dll"

from powersploit.
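The same header walk in Python, as an added example that is not part of the PowerSploit code or of this thread: it reads e_lfanew and IMAGE_FILE_HEADER.Machine exactly as Get-PEArchitecture does, but adds the bounds and signature checks a parser needs when handed a truncated or malformed file. build_minimal_pe is a constructed header-only sample for testing, not a real DLL.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "X86", IMAGE_FILE_MACHINE_AMD64: "X64"}


def get_pe_architecture(data: bytes) -> str:
    """Return 'X86' or 'X64' for a PE image held in memory, else raise ValueError.

    Layout walked: 'MZ' at offset 0, e_lfanew (DWORD) at 0x3c, 'PE\\0\\0' at
    e_lfanew, then Machine (WORD) at e_lfanew + 4. Both fields are little-endian,
    so struct does the byte reversal the PowerShell version does by hand.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("Invalid PE header (missing MZ signature).")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A truncated or hostile file can point e_lfanew past the end of the data
    if e_lfanew + 6 > len(data):
        raise ValueError("Invalid PE header (e_lfanew out of range).")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("Invalid PE header (missing PE signature).")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine not in MACHINE_NAMES:
        raise ValueError(f"Unsupported architecture 0x{machine:04X}.")
    return MACHINE_NAMES[machine]


def get_pe_architecture_from_file(path: str) -> str:
    """File-based wrapper, e.g. for kernel32.dll under System32 and SysWow64."""
    with open(path, "rb") as f:
        return get_pe_architecture(f.read())


def build_minimal_pe(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: just enough header bytes to exercise the parser."""
    buf = bytearray(e_lfanew + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    return bytes(buf)


if __name__ == "__main__":
    print(get_pe_architecture(build_minimal_pe(IMAGE_FILE_MACHINE_AMD64)))
    print(get_pe_architecture(build_minimal_pe(IMAGE_FILE_MACHINE_I386)))
```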

3gstudent avatar 3gstudent commented on June 12, 2024

ahah,
on win8 x64:
Get-PEArchitecture -Path "$($Env:SystemRoot)\System32\kernel32.dll" can get the right result.
And on win7 x64, it is the same.

good job :)

------Update----
It's my mistake. Your meaning is just to test the Get-PEArchitecture.

from powersploit.

mattifestation avatar mattifestation commented on June 12, 2024

So Get-PEArchitecture returns an X64 DLL yet you're still getting the issue?

from powersploit.

3gstudent avatar 3gstudent commented on June 12, 2024

I just tested your new version again.
Here is the screenshot.
(1) shows the DLL is x64.
(2) shows your old version's error (Link: https://github.com/3gstudent/Code-Execution-and-Process-Injection/blob/master/7-Process%20Injection-dll/7-Process%20Injection-dll.ps1)
(3) shows your new version has solved the problem.
And I will update my github.
Thank you so much.

from powersploit.

mattifestation avatar mattifestation commented on June 12, 2024

It sounds like your issue has been resolved.

Cheers,
Matt

from powersploit.

3gstudent avatar 3gstudent commented on June 12, 2024

Maybe it can be used in PowerSploit.
https://github.com/3gstudent/Javascript-Backdoor

:)

from powersploit.
