Author: 10N351R
PowerMove is a fileless process injector written in PowerShell for injecting shellcode and migrating your shell to new processes. PowerMove uses common WINAPIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread to perform simple process injections. This combination of WINAPIs are often detected by anti-virus solutions when stored on disk but will bypass these protections when executed exclusively in memory.
Tested on PowerShell version: 5.1.19041.4522
To use PowerMove in an existing PowerShell shell
- Copy the contents of PowerMove.ps1 into a text editor
- Edit the
$targetPidvariable with the PID of the target process to inject into - Edit the
$shellcodevariable with the payload you wish to inject - Copy the contents from the beginning
###to the end###to your clipboard - Paste the contents into your existing PowerShell shell and press
Enter - Enjoy the benifits fileless process injection
Ethical Use: PowerMove is provided for educational and lawful purposes only. The author is not responsible for any misuse or damaged caused by this tool. By using this tool, you agree to use it ethically and comply with all applicable laws and regulations. Unauthorized use of this tool is strictly prohibited and may result in severe legal consequences.
Use Of Artificial Intelligence: This tool was partially developed with the assistance of Artificial Intelligence (AI), and contains portions of code generated using OpenAI's ChatGPT, an AI language model.