In my recent and somewhat surprising exploration of Windows PowerShell (stay tuned for a longer post on this subject) I have produced a patch for the Invoke-Shellcode cmdlet distributed with the PowerSploit post-exploitation framework. Invoke-Shellcode injects shellcode into a process of your choosing or within the context of the running PowerShell process. It’s a popular penetration testing tool, also included in the Empire post-exploitation agent.
My patch subtly changes the way shellcode is injected into memory. Directly allocating a memory region with full RWX (read, write, execute) permissions might not work in all scenarios and could be flagged as malicious behavior by modern anti-malware protections. When invoked with the -Stealth command line switch, the patched Invoke-Shellcode cmdlet instead first allocates memory with RW permissions via the VirtualAlloc()/VirtualAllocEx() Windows API functions, and then, after the shellcode has been copied, changes the memory permissions to RX via VirtualProtect()/VirtualProtectEx(). Of course, this will not work with shellcode that needs RW access to its own buffer in memory during execution (e.g. Metasploit Framework’s Meterpreter payloads).
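As an added defender-side example, not code from the PowerSploit patch or this post, the same VirtualAlloc/VirtualProtect sequence seen from the detection side: a small Python scan over a constructed API-call trace that flags both direct RWX allocations and RW regions later flipped to executable, matching the protect call on containment within the earlier allocation rather than on an identical base address. The PAGE_* values are the real Win32 constants; the trace format and every event in it are constructed.

```python
"""Defender-side check for the RW -> RX memory-permission pattern.

The PAGE_* values are the real Win32 protection constants; the trace
format and the events below are constructed for this example.
"""
from dataclasses import dataclass

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0  # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY


@dataclass(frozen=True)
class ApiEvent:
    pid: int
    api: str      # Win32 function name as a hooking/ETW-style trace would log it
    address: int  # base address passed to / returned by the call
    size: int     # region size in bytes
    protect: int  # requested protection constant


# Constructed trace: pid 1234 allocates RWX outright; pid 5678 allocates RW and
# later makes part of the same region executable; pid 9999 stays benign.
TRACE = [
    ApiEvent(1234, "VirtualAlloc", 0x1F0000, 0x1000, PAGE_EXECUTE_READWRITE),
    ApiEvent(5678, "VirtualAllocEx", 0x2A0000, 0x2000, PAGE_READWRITE),
    ApiEvent(9999, "VirtualAlloc", 0x300000, 0x1000, PAGE_READWRITE),
    ApiEvent(5678, "VirtualProtectEx", 0x2A0800, 0x800, 0x20),  # PAGE_EXECUTE_READ
]


def find_suspicious(events):
    """Return (pid, reason, address) tuples for RWX allocations and RW->X flips."""
    rw_regions = {}  # pid -> list of (base, size) allocated as RW
    findings = []
    for ev in events:
        if ev.api in ("VirtualAlloc", "VirtualAllocEx"):
            if ev.protect == PAGE_EXECUTE_READWRITE:
                findings.append((ev.pid, "rwx-alloc", ev.address))
            elif ev.protect == PAGE_READWRITE:
                rw_regions.setdefault(ev.pid, []).append((ev.address, ev.size))
        elif ev.api in ("VirtualProtect", "VirtualProtectEx") and ev.protect & EXECUTE_MASK:
            # Match on containment, not equality: the protect call may cover a sub-range.
            for base, size in rw_regions.get(ev.pid, []):
                if base <= ev.address < base + size:
                    findings.append((ev.pid, "rw-to-x", base))
                    break
    return findings
```

Running `find_suspicious(TRACE)` reports the RWX allocation in pid 1234 and the RW-to-executable flip in pid 5678, while pid 9999's plain RW allocation produces nothing.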