https://github.com/mrale98/psinline
in-process powershell runner for BRC4
- Host: GitHub
- URL: https://github.com/mrale98/psinline
- Owner: MrAle98
- Created: 2023-09-24T19:31:10.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2023-10-31T16:35:48.000Z (almost 2 years ago)
- Last Synced: 2023-10-31T17:34:50.760Z (almost 2 years ago)
- Topics: brute-ratel, red-team-tools
- Language: C
- Homepage:
- Size: 78.1 KB
- Stars: 32
- Watchers: 1
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# psinline
BOF compatible with BRC4, for executing powershell directly in the current process memory, avoiding process injection. Takes as input PS.exe, an assembly that runs base64-encoded powershell commands. Code mostly taken from [Havoc](https://github.com/HavocFramework/Havoc) for the hardware breakpoints and from [InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly) for running assemblies through a BOF.

## How it works
Takes as input the following parameters:
1. PS.exe: Assembly that executes base64-encoded powershell
2. Powershell script: A powershell script (.ps1 file). If you don't need to provide one, just create a dummy powershell script with a single line.
3. Powershell command.

The BOF concatenates your powershell command to the powershell script, base64-encodes the concatenation and finally passes the base64 blob as argument to PS.exe, which executes it. It uses hardware breakpoints for the AMSI/ETW bypass.
**Be careful that psinline accepts ASCII and may have issues with other encodings**. If you have trouble loading a script such as PowerUpSQL.ps1, open the script in VSCode, select all, copy, and paste into a new file. The new file should now be ASCII encoded, and psinline accepts it.
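As an added example (not psinline's own code, which is C), the following Python check mirrors the ASCII note above: it reports the BOM or encoding a .ps1 file carries, lists every non-ASCII character by line and column, swaps the usual typographic substitutes (smart quotes, long dashes, non-breaking spaces) for their ASCII equivalents, and writes an ASCII copy only when nothing unconvertible remains. Because the README does not document how PS.exe decodes its input, pure 7-bit ASCII is assumed to be the safe target, and the BOM-less UTF-16LE detection is a heuristic.

```python
"""Check a .ps1 file for the ASCII-only requirement noted above and produce
an ASCII copy. Added example, not psinline's code; pure 7-bit ASCII is
assumed to be the safe target because the README does not document how
PS.exe decodes its input."""
import sys
from pathlib import Path

# Byte-order marks editors prepend; each one already makes a file non-ASCII.
# The codec names chosen here strip the BOM while decoding.
BOMS = [
    (b"\xef\xbb\xbf", "utf-8-sig"),   # UTF-8 BOM
    (b"\xff\xfe", "utf-16"),          # UTF-16LE BOM (utf-16 codec honours it)
    (b"\xfe\xff", "utf-16"),          # UTF-16BE BOM
]

# Typographic characters that editors and documents substitute silently; they
# have an exact ASCII equivalent, so replacing them does not alter the script.
TRANSLATE = {
    "\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',
    "\u2013": "-", "\u2014": "-", "\u00a0": " ",
}


def detect_encoding(data: bytes) -> str:
    """Name the codec to decode with: BOM first, then a UTF-16LE heuristic,
    then plain ASCII, falling back to UTF-8."""
    for bom, codec in BOMS:
        if data.startswith(bom):
            return codec
    # Heuristic (assumption): BOM-less UTF-16LE text starts with an ASCII
    # byte followed by a NUL byte.
    if len(data) >= 2 and data[0] != 0 and data[1] == 0:
        return "utf-16-le"
    try:
        data.decode("ascii")
        return "ascii"
    except UnicodeDecodeError:
        return "utf-8"


def find_non_ascii(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, char) for every character above 0x7F."""
    return [
        (line_no, col, ch)
        for line_no, line in enumerate(text.splitlines(), 1)
        for col, ch in enumerate(line, 1)
        if ord(ch) > 0x7F
    ]


def to_ascii(data: bytes) -> tuple[str, list[tuple[int, int, str]]]:
    """Decode the raw file, swap typographic characters for their ASCII
    equivalents and report whatever is still non-ASCII. Leftovers are
    reported, not dropped: silently removing a character could change
    what the script does."""
    text = data.decode(detect_encoding(data))
    text = "".join(TRANSLATE.get(ch, ch) for ch in text)
    return text, find_non_ascii(text)


def convert_file(src: Path, dst: Path) -> list[tuple[int, int, str]]:
    """Write an ASCII version of src to dst (line endings kept as they were)
    and return the characters that could not be converted; dst is not
    written when that list is non-empty."""
    text, leftovers = to_ascii(src.read_bytes())
    if not leftovers:
        dst.write_bytes(text.encode("ascii"))
    return leftovers


if __name__ == "__main__":
    # Usage: python check_ascii.py script.ps1 script.ascii.ps1
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    print(f"{src}: detected {detect_encoding(src.read_bytes())}")
    for line_no, col, ch in convert_file(src, dst):
        print(f"  line {line_no} col {col}: U+{ord(ch):04X} {ch!r} needs manual replacement")
```

Run it on a script before passing it to set_coffargs; if it prints any "needs manual replacement" lines, fix those characters by hand rather than stripping them, since a changed string literal or operator would alter the script's behaviour.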
## How to build
For building the BOF just run:
```
make -f MakeFile release
```
For building the debug version run:
```
make -f MakeFile debug
```
For building PS.exe, import it in Visual Studio and compile the release version.
## Pre-Compiled binaries
Pre-compiled binaries are available in the release package.
## Examples
### Run PowerView cmdlet
First use set_coffargs to set PowerView.ps1 as the powershell script to load, then use coffexec to execute **Get-NetLocalGroup**:
```
=> set_coffargs /path/to/PS.exe /path/to/PowerView.ps1
2023/09/25 13:51:49 CEST [sent 1842868 bytes]
[*] CoffExec Arguments Updated
+-------------------------------------------------------------------+
=> coffexec /path/to/psinline.x64.o Get-NetLocalGroup | fl *
2023/09/25 13:52:35 CEST [sent 41592 bytes]
[*] Task-0 [Thread: 6164]
[*] Coffexec Output:
[*] Using .NET version v4.0.30319
ComputerName : DESKTOP-URP43TK
GroupName : Access Control Assistance Operators
Comment : Members of this group can remotely query authorization attributes and permissions for resources on this
computer.

ComputerName : DESKTOP-URP43TK
GroupName : Administrators
Comment : Administrators have complete and unrestricted access to the computer/domain[...]
[+] psinline Finished
```

### Run generic powershell command
Set the script argument to a dummy powershell script, then run the **ls** command with coffexec. You can find an example of a dummy powershell script in the release package, named dummy.ps1:
```
=> set_coffargs /path/to/PS.exe /path/to/dummy.ps1
2023/09/25 14:28:26 CEST [sent 17032 bytes]
[*] CoffExec Arguments Updated
+-------------------------------------------------------------------+
=> coffexec /home/kali/CLionProjects/psinline/psinline.x64.o ls
[*] Coffexec Output:
[*] Using .NET version v4.0.30319
Directory: C:\temp\inceptor\inceptor\inceptor
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/23/2023 12:07 AM artifacts
d----- 5/23/2023 12:07 AM certs
d----- 6/11/2023 9:14 AM compilers
d----- 6/2/2023 5:00 PM config
d----- 6/2/2023 5:00 PM converters
d----- 6/2/2023 5:00 PM demo
[...]
[+] psinline Finished
```
## Notes
Every time you launch psinline, **wait for it to finish before launching it again**. Having **two threads running psinline at the same time will break things and kill your process**.
## Credits
- [@C5pider](https://github.com/Cracked5pider)
- [@anthemtotheego](https://github.com/anthemtotheego)