如何从 PowerShell 获取 CreateTransaction 地址
How to get CreateTransaction address from PowerShell
我想在 PowerShell 中获取函数 CreateTransaction 的地址。
我知道如何用 C++ 实现:
#include "stdafx.h"
#include <Windows.h>
typedef NTSTATUS(NTAPI *CreateTransaction)
(
IN LPSECURITY_ATTRIBUTES lpTransactionAttributes OPTIONAL,
IN LPGUID UOW OPTIONAL,
IN DWORD CreateOptions OPTIONAL,
IN DWORD IsolationLevel OPTIONAL,
IN DWORD IsolationFlags OPTIONAL,
IN DWORD Timeout OPTIONAL,
IN LPWSTR Description OPTIONAL
);
int main()
{
HMODULE hKtmw32 = GetModuleHandle(L"Ktmw32.dll");
CreateTransaction createTransaction = (CreateTransaction)GetProcAddress(hKtmw32, "CreateTransaction");
return 0;
}
如何在 PowerShell 中执行此操作?
我试着用下面的函数来做。
它适用于其他功能,但不适用于 CreateTransaction。
function Local:Get-ProcAddress
{
Param
(
[OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )]
[String]
$Module,
[Parameter( Position = 1, Mandatory = $True )]
[String]
$Procedure
)
# Get a reference to System.dll in the GAC
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$hexAddrs = [convert]::ToString($Kern32Handle.ToInt32(), 16)
Write-Host "[*] Got $($Module) at 0x$($hexAddrs)"
$tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
# Return the address of the function
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
Get-ProcAddress Ktmw32.dll CreateTransaction # => DOES NOT WORK
Get-ProcAddress ntdll.dll NtCreateSection # => WORKS
参考:
https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Get-System.ps1
我不知道为什么 return 我没有 CreateTransaction 的地址。
我有调用该函数的解决方法,但我仍然对如何使用 PowerShell 获取函数地址感兴趣:
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
namespace PInvoke {
public class Program
{
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES {
int nLength;
IntPtr lpSecurityDescriptor;
int bInheritHandle;
}
[DllImport("Ktmw32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr CreateTransaction(
SECURITY_ATTRIBUTES securityAttributes,
IntPtr guid, int options, int isolationLevel, int isolationFlags,
int milliSeconds, string description
);
}
}
"@
$Class1 = New-Object PInvoke.Program
$struct = New-Object PInvoke.Program+SECURITY_ATTRIBUTES
[PInvoke.Program]::CreateTransaction($struct, 0, 0, 0, 0, 0, "notepad.exe")
I don't know why it doesn't return me the address of CreateTransaction.
很可能,它没有 return 地址,因为 它不存在 - 我想不出 PowerShell 中的单个模块或工具这取决于 KtmW32.dll,因此假设它会被 powershell.exe 加载似乎很天真。
您可以通过查询当前进程的 Modules 属性 来检查:
(Get-Process -Id $PID).Modules
作为 Add-Type 的替代方法,您可以通过 SafeNativeMethods.LoadLibrary():
手动将库加载到进程中
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') } |Select -First 1
$SafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.SafeNativeMethods')
$KtmW32 = $SafeNativeMethods::LoadLibrary('KtmW32.dll')
现在您可以像示例中那样使用 Get-ProcAddress,或者直接使用由 LoadLibrary 编辑的模块句柄 return:
# Same as before
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$tmpPtr = New-Object IntPtr
# Now use the module handle from LoadLibrary instead
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $KtmW32)
$GetProcAddress.Invoke($null,@([System.Runtime.InteropServices.HandleRef]$handleref,'CreateTransaction'))
我想在 PowerShell 中获取函数 CreateTransaction 的地址。
我知道如何用 C++ 实现:
#include "stdafx.h"
#include <Windows.h>
typedef NTSTATUS(NTAPI *CreateTransaction)
(
IN LPSECURITY_ATTRIBUTES lpTransactionAttributes OPTIONAL,
IN LPGUID UOW OPTIONAL,
IN DWORD CreateOptions OPTIONAL,
IN DWORD IsolationLevel OPTIONAL,
IN DWORD IsolationFlags OPTIONAL,
IN DWORD Timeout OPTIONAL,
IN LPWSTR Description OPTIONAL
);
int main()
{
HMODULE hKtmw32 = GetModuleHandle(L"Ktmw32.dll");
CreateTransaction createTransaction = (CreateTransaction)GetProcAddress(hKtmw32, "CreateTransaction");
return 0;
}
如何在 PowerShell 中执行此操作?
我试着用下面的函数来做。
它适用于其他功能,但不适用于 CreateTransaction。
function Local:Get-ProcAddress
{
Param
(
[OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )]
[String]
$Module,
[Parameter( Position = 1, Mandatory = $True )]
[String]
$Procedure
)
# Get a reference to System.dll in the GAC
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
# Get a reference to the GetModuleHandle and GetProcAddress methods
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
# Get a handle to the module specified
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$hexAddrs = [convert]::ToString($Kern32Handle.ToInt32(), 16)
Write-Host "[*] Got $($Module) at 0x$($hexAddrs)"
$tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
# Return the address of the function
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
Get-ProcAddress Ktmw32.dll CreateTransaction # => DOES NOT WORK
Get-ProcAddress ntdll.dll NtCreateSection # => WORKS
参考:
https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Get-System.ps1
我不知道为什么 return 我没有 CreateTransaction 的地址。
我有调用该函数的解决方法,但我仍然对如何使用 PowerShell 获取函数地址感兴趣:
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
namespace PInvoke {
public class Program
{
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES {
int nLength;
IntPtr lpSecurityDescriptor;
int bInheritHandle;
}
[DllImport("Ktmw32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr CreateTransaction(
SECURITY_ATTRIBUTES securityAttributes,
IntPtr guid, int options, int isolationLevel, int isolationFlags,
int milliSeconds, string description
);
}
}
"@
$Class1 = New-Object PInvoke.Program
$struct = New-Object PInvoke.Program+SECURITY_ATTRIBUTES
[PInvoke.Program]::CreateTransaction($struct, 0, 0, 0, 0, 0, "notepad.exe")
I don't know why it doesn't return me the address of CreateTransaction.
很可能,它没有 return 地址,因为 它不存在 - 我想不出 PowerShell 中的单个模块或工具这取决于 KtmW32.dll,因此假设它会被 powershell.exe 加载似乎很天真。
您可以通过查询当前进程的 Modules 属性 来检查:
(Get-Process -Id $PID).Modules
作为 Add-Type 的替代方法,您可以通过 SafeNativeMethods.LoadLibrary():
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') } |Select -First 1
$SafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.SafeNativeMethods')
$KtmW32 = $SafeNativeMethods::LoadLibrary('KtmW32.dll')
现在您可以像示例中那样使用 Get-ProcAddress,或者直接使用由 LoadLibrary 编辑的模块句柄 return:
# Same as before
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$tmpPtr = New-Object IntPtr
# Now use the module handle from LoadLibrary instead
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $KtmW32)
$GetProcAddress.Invoke($null,@([System.Runtime.InteropServices.HandleRef]$handleref,'CreateTransaction'))