CLR MD: .NET Crash Dump and Live Process Inspection
tl;dr - I turned InstallUtil.exe into a debugger to unlock PowerShell and remove ConstrainedLanguage mode.
Ever since I read this excellent blog post,
PowerShell ♥ the Blue Team
I've been puzzling over a way to get past ConstrainedLanguage mode when it is enforced by AppLocker.
This post starts from the point that you can execute commands on a system. How you get there is up to you.
First: how does ConstrainedLanguage mode hinder our actions?
It limits which types of objects you can create, which methods you can call, and which properties on an object you can set. This limits the effectiveness of arbitrary PowerShell.
My goal was to be able to unlock my PowerShell process as a normal user, no exploit, using trusted tools.
I am leveraging two signed Microsoft binaries and known patterns to do this:
1. InstallUtil.exe
2. Microsoft.Diagnostics.Runtime (ClrMD)
3. .NET Reflection
The way this tool works is as follows:
1. Unpack and load the Microsoft Diagnostics assembly into the InstallUtil.exe address space. (The assembly really should be compressed first, but I leave that for you to do.)
2. Input the process ID of the PowerShell process you wish to unlock.
3. Attach to the PowerShell process.
4. Locate the System.Management.Automation.ExecutionContext object.
5. Write a value of zero to the relevant property on that object.
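Step 3 is the observable part of this technique: one process opens a handle to another and attaches as a debugger. Where Sysmon is deployed with ProcessAccess logging (event ID 10), that cross-process access shows up with the source and target image paths. The following is an added example of a detection sweep over that log; it is not part of the original post or tool. It assumes Sysmon is installed and configured to record event ID 10 for handle opens against PowerShell hosts, and the image-name filters are constructed for this example.

```powershell
# Added example: hunt the Sysmon ProcessAccess log for InstallUtil.exe
# (or any other unexpected source) opening a handle to a PowerShell host.
# Assumes Sysmon is installed and event ID 10 is enabled in its config.

function Get-PowerShellProcessAccess {
    param(
        # Constructed pattern: which source images to flag. Add others as needed.
        [string[]] $SuspiciousSources = @('\InstallUtil.exe'),
        [int] $MaxEvents = 5000
    )

    $filter = @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 10   # Sysmon ProcessAccess
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields out of the event XML into a hashtable.
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                SourceImage   = $data['SourceImage']
                SourcePid     = $data['SourceProcessId']
                TargetImage   = $data['TargetImage']
                TargetPid     = $data['TargetProcessId']
                GrantedAccess = $data['GrantedAccess']
                CallTrace     = $data['CallTrace']
            }
        } |
        Where-Object {
            # Target is a PowerShell host (Windows PowerShell or PowerShell 7).
            $_.TargetImage -match '\\(powershell|powershell_ise|pwsh)\.exe$' -and
            # Source is one of the binaries we do not expect to touch PowerShell.
            ($SuspiciousSources | Where-Object { $_ -and $PSItem } | ForEach-Object {
                $src = $_; $PSItem
            } | Out-Null; $true) -and
            ($SuspiciousSources | ForEach-Object { $_ } | Where-Object { $PSItem } | Out-Null; $true)
        } |
        Where-Object {
            $img = $_.SourceImage
            [bool] ($SuspiciousSources | Where-Object { $img -like "*$_" })
        }
}

# Usage: list any hits, newest first.
Get-PowerShellProcessAccess | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The GrantedAccess value is worth keeping in the output: a debugger attach requests far broader rights than a typical handle open, so a high access mask from an unexpected source image is a strong secondary signal even if the source name is not on your watch list.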
Since we know that InstallUtil.exe will likely bypass many whitelisting tools already, we can leverage it to complete the unlock.
To defend against this, you should probably block or prevent InstallUtil.exe in the first place. I've been saying that for a while.
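The mitigation above, blocking InstallUtil.exe, is most durable as an AppLocker publisher rule rather than a path rule, because the binary ships under several framework directories and is Microsoft-signed with a stable binary name. The following is an added example, not part of the original post, of such a deny rule expressed as AppLocker policy XML and merged into the effective policy; the rule Id is a GUID constructed for this example, and the policy is assumed to already contain the usual allow rules so that the merge only adds the deny.

```powershell
# Added example: deny InstallUtil.exe for Everyone (SID S-1-1-0) with an
# AppLocker publisher rule, then verify the effective policy blocks it.
# Run from an elevated PowerShell session with the AppLocker module available.

$rulePolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="a1e2f3c4-0000-4000-8000-000000000001"
                       Name="Deny InstallUtil.exe"
                       Description="Block debugger-capable .NET utility from running"
                       UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="*"
                                BinaryName="INSTALLUTIL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-installutil.xml'
Set-Content -Path $policyPath -Value $rulePolicy -Encoding UTF8

# Merge the deny rule into the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Verify: every InstallUtil.exe under the .NET framework directories should now
# report "Denied" for Everyone when evaluated against the effective policy.
$candidates = Get-ChildItem -Path "$env:WINDIR\Microsoft.NET" -Recurse -Filter 'InstallUtil.exe' -ErrorAction SilentlyContinue
foreach ($exe in $candidates) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $exe.FullName -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
```

After merging, watch the "Microsoft-Windows-AppLocker/EXE and DLL" log: event ID 8004 records executions that were blocked, and 8003 records what would have been blocked when the collection is still in audit mode, which is the safe way to stage this rule before enforcing it.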
I learned a ton, and hope to explore further use cases for ClrMD! You can see some examples here:
Microsoft.Diagnostics.Runtime "CLR MD"
CLR Memory Diagnostics (ClrMD) 0.8.31-beta
Here you go. Take it for a spin, feedback welcome as always.
Remove PowerShell ConstrainedLanguage Mode
Ok, that's all I got.