Comments (12)
So if you are getting that error and you are running a 64-bit OS, then my 64-bit OS detection logic is flawed. That error is only designed to display if you are trying to load a non-32-bit DLL on a 32-bit OS. To gain compatibility with XP, I changed the OS detection logic to checking for the presence of the ProgramFiles(x86) environment variable. I've never tested Invoke-DllInjection on a Chinese language pack OS though. Does that environment variable exist on your system?
from powersploit.
Thank you for the screenshot. That's helpful but would you mind telling me if the ProgramFiles(x86) environment variable is available? Either ${Env:ProgramFiles(x86)} in PowerShell or echo %ProgramFiles(x86)% in cmd.exe. If it's not present on your system, then I'll have to use another, more robust method for checking the bitness of the OS that works across all versions.
Thanks,
Matt
As you can see, the ProgramFiles(x86) environment variable has been set.
:)
from powersploit.
Just to double check, in your repository (https://github.com/3gstudent/Code-Execution-and-Process-Injection/tree/master/7-Process%20Injection-dll), it appears that DemoDLL.DLL is x86. You can't inject an x86 DLL into a 64-bit process with Invoke-DllInjection. If that is the case, the bug might be in the parsing of the DLL's PE header, not in the OS detection.
@leechristensen
When I test it on win8 x64, I use the DemoDLLx64.dll (https://github.com/3gstudent/Code-Execution-and-Process-Injection/blob/master/7-Process%20Injection-dll/DemoDLLx64.dll).
It is an x64 DLL, because it succeeds on win7 x64.
:)
Testing this, my architecture detection appears to be fine.
```powershell
function Get-PEArchitecture
{
    Param
    (
        [Parameter( Position = 0,
                    Mandatory = $True )]
        [String]
        $Path
    )

    # Parse PE header to see if binary was compiled 32 or 64-bit
    $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)

    [Byte[]] $MZHeader = New-Object Byte[](2)
    $FileStream.Read($MZHeader,0,2) | Out-Null
    $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
    if ($Header -ne 'MZ')
    {
        $FileStream.Close()
        Throw 'Invalid PE header.'
    }

    # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
    $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
    [Byte[]] $lfanew = New-Object Byte[](4)
    # Read offset to the PE Header (will be read in reverse)
    $FileStream.Read($lfanew,0,4) | Out-Null
    $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))

    # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
    $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
    [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
    # Read compiled architecture
    $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
    $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
    $FileStream.Close()

    if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
    {
        Throw 'Invalid PE header or unsupported architecture.'
    }

    if ($Architecture -eq '014C')
    {
        Write-Output 'X86'
    }
    elseif ($Architecture -eq '8664')
    {
        Write-Output 'X64'
    }
    else
    {
        Write-Output 'OTHER'
    }
}

Get-PEArchitecture -Path "$($Env:SystemRoot)\System32\kernel32.dll"
Get-PEArchitecture -Path "$($Env:SystemRoot)\SysWow64\kernel32.dll"
```
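Added example (not PowerSploit's code and not from any commenter): the same IMAGE_FILE_HEADER.Machine lookup that Get-PEArchitecture performs, written in Python with struct so the little-endian fields are read directly instead of reversing byte arrays by hand. It goes slightly beyond the PowerShell version: it bounds-checks e_lfanew and verifies the PE\0\0 signature before trusting the offset, recognises ARM64, and returns OTHER for unknown machine types instead of throwing. The minimal PE images are constructed inline by make_test_image so the check runs offline.

```python
import struct

# IMAGE_FILE_HEADER.Machine values (from winnt.h).
MACHINE_NAMES = {
    0x014C: "X86",    # IMAGE_FILE_MACHINE_I386
    0x8664: "X64",    # IMAGE_FILE_MACHINE_AMD64
    0xAA64: "ARM64",  # IMAGE_FILE_MACHINE_ARM64
}


def get_pe_architecture(data: bytes) -> str:
    """Return 'X86', 'X64', 'ARM64' or 'OTHER' for an in-memory PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("Invalid PE header: missing MZ signature")
    # IMAGE_DOS_HEADER.e_lfanew lives at 0x3C and points at the PE signature.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds-check before trusting a file-controlled offset; the PowerShell
    # version simply seeks there, which fails on truncated or crafted files.
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("Invalid PE header: bad e_lfanew or PE signature")
    # IMAGE_FILE_HEADER.Machine is the first WORD after the 4-byte signature.
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINE_NAMES.get(machine, "OTHER")


def bitness_matches(dll_arch: str, process_arch: str) -> bool:
    """A module can only be mapped into a process of the same architecture,
    which is the mismatch the thread above is chasing (x86 DLL vs x64 host)."""
    return dll_arch == process_arch


def make_test_image(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal image: DOS stub, PE signature and file header only.
    Enough for the Machine lookup; it is not a loadable module."""
    buf = bytearray(e_lfanew + 24)          # 4-byte signature + 20-byte file header
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    return bytes(buf)


if __name__ == "__main__":
    for name, value in (("x86", 0x014C), ("x64", 0x8664), ("arm64", 0xAA64)):
        arch = get_pe_architecture(make_test_image(value))
        print(f"{name}: {arch}, loadable into X64 host: {bitness_matches(arch, 'X64')}")
```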
ahah,
on win8 x64:
Get-PEArchitecture -Path "$($Env:SystemRoot)\System32\kernel32.dll"
can get the right result.
And on win7 x64, it is the same.
good job :)
------Update----
It's my mistake. Your meaning is just to test the Get-PEArchitecture.
So Get-PEArchitecture returns a X64 DLL yet you're still getting the issue?
I just tested your new version again.
Here is the screenshot.
(1) shows the DLL is x64.
(2) shows your old version's error (link: https://github.com/3gstudent/Code-Execution-and-Process-Injection/blob/master/7-Process%20Injection-dll/7-Process%20Injection-dll.ps1).
(3) shows your new version has solved the problem.
And I will update my GitHub.
Thank you so much.
It sounds like your issue has been resolved.
Cheers,
Matt
Maybe it can be used in PowerSploit.
https://github.com/3gstudent/Javascript-Backdoor
:)