Invoke-NinjaCopy: Errors on Windows 10 x64

[okazymyrov]

When I'm running

Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "$Env:TEMP\SAM"

as evaluated user on Windows 10 x64 the following errors occur

Specified cast is not valid.
At line:2208 char:7
+         if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_D ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], InvalidCastException
    + FullyQualifiedErrorId : System.InvalidCastException

Specified cast is not valid.
At line:2266 char:7
+         if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_D ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], InvalidCastException
    + FullyQualifiedErrorId : System.InvalidCastException

In spite of the error, the file is copied.

[HarmJ0y]

Thanks for the information. We will be doing a refactor of a chunk of PowerSploit code at some point after BlackHat and we will dive into this cast issue then.

[leechristensen]

Until/if this module is refactored, consider using PowerForensics to pull the file as it uses the same technique (https://github.com/Invoke-IR/PowerForensics)

[FuzzySecurity]

@okazymyrov can you please have a look at the change I pushed to the dev branch:
bd6fe64

This should resolve the issue!

[okazymyrov]

@FuzzySecurity the changes work on Windows 10.0.14393.

[FuzzySecurity]

@okazymyrov ok cool! For now it's in Dev but in a week or two the change should have been pushed to master.