时间戳

首页 > 解决方案 > Powershell 无法处理大字符串

powershell - Powershell 无法处理大字符串

问题描述

我有一个需要加载 base64 exe 文件的脚本,它碰巧字符串太大,powershell 无法处理,因此会破坏程序

我想知道是否有绕过这个powershell限制的方法

据我了解,这取决于 powershell 作为一种语言和 microsoft 作为背后的操作系统如何将文件名转换为二进制代码

我在这里需要一些帮助

脚本是这个https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

我运行exe的方式是

$InputString = '...........'

$PEBytes = [System.Convert]::FromBase64String($InputString)

Invoke-ReflectivePEInjection -PEBytes $PEBytes

谢谢

标签: powershell

解决方案

获取对该GetProcAddress方法的引用会引发异常

$UnsafeNativeMethods.GetMethod('GetProcAddress')

Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."

让我们找到正确的语法模式

$GetProcAddresses = $UnsafeNativeMethods.GetMethods() |
    Where-Object Name -Match 'GetProcAddress'
$GetProcAddresses | 
    ForEach-Object { $_.ReturnTypeCustomAttributes | 
                        Select-Object -Property Member }

Member                                                                        
------                                                                        
IntPtr GetProcAddress(IntPtr, System.String)                                  
IntPtr GetProcAddress(System.Runtime.InteropServices.HandleRef, System.String)

要获得对该GetProcAddress方法的引用:使用任一 

$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress',
    [type[]]('IntPtr', 'System.String'))

或者

$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress',
    [type[]]('System.Runtime.InteropServices.HandleRef', 'System.String'))

示例代码(在PowerShell 5.1中测试):

Remove-Variable -Name Get* -ErrorAction SilentlyContinue
# Get a reference to System.dll in the GAC
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GlobalAssemblyCache -and $_.Location -and (
        ( $_.Location -split '\\' )[-1] -eq 'System.dll') }
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle method
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')

# Let's find correct syntax pattern
$GetProcAddresses = $UnsafeNativeMethods.GetMethods() |
    Where-Object Name -Match 'GetProcAddress'
$GetProcAddresses | 
    ForEach-Object { $_.ReturnTypeCustomAttributes | 
                        Select-Object -Property Member }

# Get a reference to the GetProcAddress method: use either 
$GetProcAddress1 = $UnsafeNativeMethods.GetMethod('GetProcAddress',
    [type[]]('IntPtr', 'System.String'))
# or
$GetProcAddress2 = $UnsafeNativeMethods.GetMethod('GetProcAddress',
    [type[]]('System.Runtime.InteropServices.HandleRef', 'System.String'))

Get-Variable -Name Get*, SystemAssembly, UnsafeNativeMethods | 
    Format-List -Property Name, Value

输出D:\PShell\SO\60820994.ps1

Member
------
IntPtr GetProcAddress(IntPtr, System.String)
IntPtr GetProcAddress(System.Runtime.InteropServices.HandleRef,System.String)


Name  : GetModuleHandle
Value : IntPtr GetModuleHandle(System.String)

Name  : GetProcAddress1
Value : IntPtr GetProcAddress(IntPtr, System.String)

Name  : GetProcAddress2
Value : IntPtr GetProcAddress(System.Runtime.InteropServices.HandleRef, System.String)

Name  : GetProcAddresses
Value : {IntPtr GetProcAddress(IntPtr, System.String), IntPtr GetProcAddress(System.Runtime.InteropServices.HandleRef, System.String)}

Name  : SystemAssembly
Value : System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Name  : UnsafeNativeMethods
Value : Microsoft.Win32.UnsafeNativeMethods

题外话:代码不在PowerShell Core中运行,因为System.dll默认情况下没有安装到全局程序集缓存 (GAC) 中。

推荐阅读