Loading and Running modules

Any PowerShell script can be loaded by the PowerShell implant and executed in memory:

loadmodule MyPowerShellScript.ps1
Invoke-MyCmdlet

Or similarly for Python Implant

loadmodule MyPythonScript.py
my_python_function("arg")

The C# Implant also has the ability to load and execute modules in memory, but these modules are C#.NET executables. These modules are invoked through .NET reflection and do not touch disk, and PoshC2 requires a few extra bits of information.

  • The Namespace of the class containing the Main method
  • The Class name of the class containing the Main method
  • The Assembly name
loadmodule MySharpStuff.exe
run-exe Namespace.Class Assembly <args>

For example, if the below code was compiled into an executable:

using System;

namespace ConsoleApp1
{
    class MySuperProgram
    {
        static void Main(string[] args)
        {
            if (args.Length >= 1)
            {
                Console.WriteLine(args[0]);
            }
        }
    }
}

Then we can see the namespace is ConsoleApp1, and the class is MySuperProgram

The Assembly Name can be found in Visual Studio by right-clicking the project (not the solution) and choosing Properties

../_images/assemblyname1.png

Alternatively it can be found in the Projects .csproj file:

../_images/assemblyname21.png

In this case the Assembly Name is PwnStuff.

The command then to run the executable and print “PoshC2Rocks” would be:

run-exe ConsoleApp1.MySuperProgram PwnStuff PoshC2Rocks
../_images/run-exe1.png

There is also a run-dll command which works exactly the same way as run-exe for C#.NET DLLs, however there is one additional argument which specifies the entry point (and the class and namespace must match that of this entrypoint):

run-dll ConsoleApp1.MySuperProgram PwnStuff MyEntryMethod PoshC2Rocks

Finally, there is also the run-exe-background command which operates in the exact same way as above, except it runs the command in the background in the implant as opposed to the foreground.