TestPc Posted May 29, 2019 Share Posted May 29, 2019 (edited) function Emit-UNICODE_STRING { param( [IntPtr]$hProcess, [IntPtr]$lpBaseAddress, [UInt32]$dwSize, [String]$data ) # Set access protections -> PAGE_EXECUTE_READWRITE [UInt32]$lpflOldProtect = 0 $CallResult = [Kernel32]::VirtualProtectEx($hProcess, $lpBaseAddress, $dwSize, 0x40, [ref]$lpflOldProtect) # Create replacement struct $UnicodeObject = New-Object UNICODE_STRING $UnicodeObject_Buffer = $data [UInt16]$UnicodeObject.Length = $UnicodeObject_Buffer.Length*2 [UInt16]$UnicodeObject.MaximumLength = $UnicodeObject.Length+1 [IntPtr]$UnicodeObject.Buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($UnicodeObject_Buffer) [IntPtr]$InMemoryStruct = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($dwSize) [system.runtime.interopservices.marshal]::StructureToPtr($UnicodeObject, $InMemoryStruct, $true) # Overwrite PEB UNICODE_STRING struct [UInt32]$lpNumberOfBytesWritten = 0 $CallResult = [Kernel32]::WriteProcessMemory($hProcess, $lpBaseAddress, $InMemoryStruct, $dwSize, [ref]$lpNumberOfBytesWritten) # Free $InMemoryStruct [System.Runtime.InteropServices.Marshal]::FreeHGlobal($InMemoryStruct) } https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Masquerade-PEB.ps1 Find. http://theoven.org/index.php?topic=1338.msg33232#msg33232 ;; http://theoven.org/index.php?topic=1338.msg33232#msg33232 Func MasqueradePEB($sFakeName = @WindowsDir & '\explorer.exe') Local $t_PBI = DllStructCreate('ptr[6]') Local $iCall = DllCall('kernel32.dll', 'ptr', 'GetModuleHandleW', 'ptr', 0) Local $hModule = $iCall[0] Local $US1 = DllStructCreate("word Length; word MaxLength; ptr Buffer") Local $US2 = DllStructCreate("word Length; word MaxLength; ptr Buffer") DllCall('ntdll', 'int', 'RtlCreateUnicodeString', 'struct*', $US1, 'WSTR', $sFakeName) DllCall('ntdll', 'int', 'RtlCreateUnicodeString', 'struct*', $US2, 'WSTR', StringRegExpReplace($sFakeName, "^.*\\", "")) $iCall = DllCall('ntdll', 'int', 'NtQueryInformationProcess', 'ptr', -1, 'int', 0, 'struct*', $t_PBI, 'int', DllStructGetSize($t_PBI), 'int*', 0) If Not @error And $iCall[0] = 0 Then Local $pPEB = DllStructGetData($t_PBI, 1, 2) Local $tPEB_Small = DllStructCreate("byte[4]; ptr[2]; ptr LoaderData", $pPEB) Local $pPEB_LDR_DATA = DllStructGetData($tPEB_Small, "LoaderData") Local $tPEB_LDR_DATA = DllStructCreate("byte[8]; ptr; ptr InLoadOrderModuleList[2]; ptr InMemoryOrderModuleList[2]; ptr[2];", $pPEB_LDR_DATA) Local $pPointer = DllStructGetData($tPEB_LDR_DATA, "InMemoryOrderModuleList", 2) Local $pEnd = $pPointer, $tTABLE_ENTRY While 1 $tTABLE_ENTRY = DllStructCreate("ptr[7]; word Length1; word MaxLength1; ptr Buffer1; word Length2; word MaxLength2; ptr Buffer2;", $pPointer) $pPointer = DllStructGetData($tTABLE_ENTRY, 1, 2) If $pPointer = $pEnd Then ExitLoop If $hModule = DllStructGetData($tTABLE_ENTRY, 1, 5) Then DllStructSetData($tTABLE_ENTRY, "Length1", DllStructGetData($US1, "Length")) DllStructSetData($tTABLE_ENTRY, "MaxLength1", DllStructGetData($US1, "MaxLength")) DllStructSetData($tTABLE_ENTRY, "Buffer1", DllStructGetData($US1, "Buffer")) DllStructSetData($tTABLE_ENTRY, "Length2", DllStructGetData($US2, "Length")) DllStructSetData($tTABLE_ENTRY, "MaxLength2", DllStructGetData($US2, "MaxLength")) DllStructSetData($tTABLE_ENTRY, "Buffer2", DllStructGetData($US2, "Buffer")) ExitLoop EndIf WEnd EndIf EndFunc Windows 10 prevented the Pin Verbs from being used in the script. Now, Verbs can be used as a script. It is very useful in Windows pe. Edited May 31, 2019 by TestPc Link to comment Share on other sites More sharing options...
Earthshine Posted May 29, 2019 Share Posted May 29, 2019 Is there a question here or are you asking for someone else to code it for you? My resources are limited. You must ask the right questions Link to comment Share on other sites More sharing options...
TestPc Posted May 29, 2019 Author Share Posted May 29, 2019 I want to replace it with an autoit code, Some parts do not know the corresponding code. Link to comment Share on other sites More sharing options...
Earthshine Posted May 29, 2019 Share Posted May 29, 2019 (edited) Have you read the help file? It’s the best way to learn the language We are here to help you learn so please post your autoIT code if you want further help, And show a willingness to learn Edited May 29, 2019 by Earthshine My resources are limited. You must ask the right questions Link to comment Share on other sites More sharing options...
TestPc Posted May 30, 2019 Author Share Posted May 30, 2019 Find. http://theoven.org/index.php?topic=1338.msg33232#msg33232 Link to comment Share on other sites More sharing options...
Developers Jos Posted May 30, 2019 Developers Share Posted May 30, 2019 ... and the purpose of this link is ? Jos SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past. Link to comment Share on other sites More sharing options...
TestPc Posted May 31, 2019 Author Share Posted May 31, 2019 (edited) 3 hours ago, Jos said: ... and the purpose of this link is ? Jos Windows 10 prevented the Pin Verbs from being used in the script. Now, Verbs can be used as a script. It is very useful in Windows pe. Edited May 31, 2019 by TestPc Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now