Write-HijackDll
SYNOPSIS
Patches in the path to a specified .bat (containing the specified command) into a pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
SYNTAX
Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>]
[[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]
DESCRIPTION
First builds a self-deleting .bat file that executes the specified -Command or local user, to add and writes the.bat out to -BatPath. The BatPath is then patched into a pre-compiled C++ DLL that is built to be hijackable by the IKEEXT service. There are two DLLs, one for x86 and one for x64, and both are contained as base64-encoded strings. The DLL is then written out to the specified OutputFile.
EXAMPLES
Example 1
{{ Add example description here }}
PARAMETERS
-DllPath
File name to write the generated DLL out to.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Architecture
The Architecture to generate for the DLL, x86 or x64. If not specified, PowerUp will try to automatically determine the correct architecture.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-BatPath
Path to the .bat for the DLL to launch.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-UserName
The [domain\]username to add. If not given, it defaults to "john". Domain users are not created, only added to the specified localgroup.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: John
Accept pipeline input: False
Accept wildcard characters: False
-Password
The password to set for the added user. If not given, it defaults to "Password123!"
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
-LocalGroup
Local group name to add the user to (default of 'Administrators').
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 6
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
-Credential
A [Management.Automation.PSCredential] object specifying the user/password to add.
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: 7
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
-Command
Custom command to execute instead of user creation.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 8
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
OUTPUTS
- PowerUp.HijackableDLL