
Clarification of docs concerning DLL entry points #9

Closed
jmhickman opened this issue Oct 5, 2018 · 4 comments

Comments

@jmhickman
Contributor

So I'm confused by the documentation where it talks about VoidFunc and VoidFunc2 in the DLL payloads.

It makes sense that you'd have two entry points so that you can do PowerShell v2 downgrade.

What I don't understand is now, there are Posh_v2_x64.dll and Posh_v4_x64.dll in my payloads directory, but they both still have the same pair of entry points.

I tried it out, and when invoked manually from a test system with rundll32.exe the implants call back, with VoidFunc returning the Implant-Core.ps1 warning about logging and AMSI, and VoidFunc2 lacking those warnings. But the behavior is the same, seemingly, between the two DLLs.

Can we get some clarity on what the difference between these DLLs is, and why the v2 even has the VoidFunc2 entry point to begin with? Shouldn't it only have VoidFunc and only return the v2 PowerShell environment?

@benpturner
Contributor

Hi,

So there is a very good reason for this, and not one I personally know how to overcome. So you understand the two entry points, which is great for when you run the DLL manually via RunDLL32, but when you either reflectively load or load the DLL into a running process it will call 'Process Attach' and not a dedicated entry point; therefore I needed to create two separate DLLs for those cases. I guess I can remove the VoidFunc2 and VoidFunc from each of the DLLs and only have one entry point for each to be easier, but I thought for ease you could take one DLL and run it manually on a host with both versions.

Does that make sense?
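As an added defensive example (not code from the PoshC2 project or from either commenter): a small parser over constructed process-creation log lines that flags rundll32.exe being used to call a DLL export by name, the manual invocation path described in this thread. The log format, the `Image=`/`CommandLine=` field layout and the sample paths are assumptions; the export names VoidFunc and VoidFunc2 and the DLL file names come from the discussion above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines in a simplified "Image=... CommandLine=..." layout
# (an assumption; a real Sysmon Event ID 1 record carries more fields).
SAMPLE_LOGS = [
    'Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe C:\\Users\\bob\\Posh_v4_x64.dll,VoidFunc"',
    'Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe C:\\Users\\bob\\Posh_v2_x64.dll,VoidFunc2"',
    'Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]

# rundll32 syntax: rundll32[.exe] <module>,<export>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^,"\s]+)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Export names used by the PoshC2 implant DLLs discussed in this issue.
KNOWN_IMPLANT_EXPORTS = {"voidfunc", "voidfunc2"}


def parse_rundll32(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (module, export) if the command line is a rundll32 export call."""
    m = RUNDLL_RE.search(command_line)
    if not m:
        return None
    return m.group("module"), m.group("export")


def assess(log_line: str) -> Optional[dict]:
    """Return module, export and the reasons the line is suspicious, or None."""
    m = re.search(r'CommandLine="(?P<cmd>[^"]*)"', log_line)
    if not m:
        return None
    parsed = parse_rundll32(m.group("cmd"))
    if parsed is None:
        return None
    module, export = parsed
    reasons: List[str] = []
    if export.lower() in KNOWN_IMPLANT_EXPORTS:
        reasons.append("export matches PoshC2 implant entry point")
    # A full path outside the system directories is unusual for rundll32 modules.
    if ("\\" in module or "/" in module) and not module.lower().startswith(SYSTEM_DIRS):
        reasons.append("module loaded from outside a system directory")
    return {"module": module, "export": export, "reasons": reasons}


def scan(lines: List[str]) -> List[dict]:
    """Keep only rundll32 export calls that triggered at least one reason."""
    return [r for r in (assess(line) for line in lines) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```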

@jmhickman
Contributor Author

Thank you for the reply.

So if I understand correctly, one DLL (presumably the "v4" DLL) is designed to be reflectively loaded, and the other isn't, but they both retain the entry points?

It would be great if the documentation were updated with this info about the two DLLs.

I really like Posh and am writing a blog series using it as the implant in order to demonstrate Windows AD techniques. So I'm concerned about being accurate in what I document.

@benpturner
Contributor

I completely get that, I'll look at updating the documentation when I get a chance. I might even remove the multiple entry points to avoid confusion when I'm next modifying that part of the code. Looking forward to seeing your blog series.

@benpturner
Contributor

Hi,

I have now reconstructed the DLLs and shellcode so that there is only one entry point for each DLL, to make this clearer. Also it now has scriptblock logging bypass for v4 and some transcript logging evasion, not a full bypass.
