A patch for PowerSploit’s Invoke-Shellcode.ps1

In my recent and somewhat surprising exploration of Windows PowerShell (stay tuned for a longer post on this subject) I have produced a patch for the Invoke-Shellcode cmdlet distributed with the PowerSploit post-exploitation framework. Invoke-Shellcode injects shellcode into a process of your choosing or within the context of the running PowerShell process. It’s a popular penetration testing tool, also included in the Empire post-exploitation agent.

My patch subtly changes the way shellcode is injected into memory. The original cmdlet directly allocates a memory region with full RWX (read, write, execute) permissions, which might not work in all scenarios and could potentially be marked as malicious behavior by modern anti-malware protections. When invoked with the -Stealth command line switch, the patched Invoke-Shellcode cmdlet instead first allocates memory with RW permissions via the VirtualAlloc()/VirtualAllocEx() Windows API functions, copies the shellcode into that buffer, and only then changes the memory permissions to RX via VirtualProtect()/VirtualProtectEx(). Of course, this will not work with shellcodes that need RW access to their own buffer in memory during execution (e.g. Metasploit Framework’s Meterpreter payloads).

The modified cmdlet is available here. I also made a pull request to the original project on GitHub.