Clarification of docs concerning DLL entry points about poshc2 HOT 4 CLOSED

Hi,

I have now reconstructed the DLL's and Shellcode so that it only has one entry point for each DLL to make this clearer. Also it now has scriptblock logging bypass for v4 and some transcript logging evasion, not full bypass.

from poshc2.

Hi,

So there is a very good reason for this and not one I personally know how to overcome. So you understand the two entry points which is great for when you run the DLL manually via RunDLL32 but when you either reflectively load or load the DLL into a running process it will call 'Process Attach' and not a dedicated entry point, therefore I needed to create two separate DLLs for those cases. I guess I can remove the VoidFunc2 and VoidFunc from each of the DLLs and only have one entry point for each to be easier but I thought for ease you can take one DLL and run it manually on a host with both versions.

Does that make sense?

from poshc2.

Thank you for the reply.

So if I understand correctly, one DLL (presumably the "v4" DLL) is designed to be reflectively loaded, and the other isn't, but they both retain the entry points?

It would be great if the documentation were updated with this info about the two DLLs.

I really like Posh and am writing a blog series using it as the implant in order to demonstrate Windows AD techniques. So I'm concerned about being accurate in what I document.

from poshc2.

I completely get that, i'll look at updating the documentation when I get chance. I might even remove the multiple entry points to avoid confusion when I'm next modifying that part of the code. Looking forward to seeing your blog series.

from poshc2.