PSDetour

0.1.1

en-US/about_PSDetourSessions.help.txt

                                TOPIC

    about_psdetoursessions

SHORT DESCRIPTION

    As well as providing a mechanism to hook C function calls in PowerShell,

    PSDetour also provides a mechanism to provide remote hooking in other

    processes on the same system. This is done through embedding a PowerShell

    instance in the target process and exposes a normal PSRemoting session that

    can be used with `Enter-PSSession` or `Invoke-Command`. This feature is

    experimental and can have side effects in the target process. If done

    incorrectly, the hook can cause the process to crash.

    Note that creating a session in a process is an irreversible action. Once

    PowerShell has been loaded it will continue to run for the lifetime of the

    process and cannot be stopped.

LONG DESCRIPTION

    A remote PSDetour session is split into 2 parts:

    * PowerShell injection into other process

    * PSRemoting through named pipes

    The PSRemoting component is a standard feature since PowerShell 5.1 and is

    simply the `PSHost` named pipe that every PowerShell process creates when it

    starts. This named pipe is used after PowerShell is injected to provide the

    remoting features that can be used with `Enter-PSSession` and `Invoke-Command`.

    PowerShell injection into non-PowerShell processes is the more complex

    component to PSDetour remoting. Included with this library is a basic x64

    DLL that is remotely loaded into the target process. This DLL will create a

    new dotnet host that loads the PowerShell assembly and then starts the named

    pipe for use with PSRemoting. As this is an x64 compiled DLL, this can

    currently only be used with x64 processes. Further architectures will be

    available in the future.

    To create a PSDetour session, use the

    New-PSDetourSession

    cmdlet. This is a simple cmdlet that accepts either a process id, process

    object, or a process name (as long as there is only one process with that

    name). The output object is a `PSSession` object that can be used with any

    builtin cmdlet that uses the PSSession `-Session` parameter like

    `Invoke-Command` and `Enter-PSSession`.

    For example to start a PSDetour hook in notepad.exe, the process would look

    something like

    $session = New-PSDetourSession -ProcessId notepad

    Invoke-Command -Session $session -ScriptBlock {

        # The PSDetour module may need to be re-imported depending on where it is installed

        $hook = New-PSDetourHook -DllName Kernel32 -MethodName GetCurrentProcessId -Action {

            [OutputType([int])]

            param ()

            $this.Invoke()

        }

        Start-PSDetour -Hook $hook

        ... code that waits until the hook needs to be stopped

        Stop-PSDetour

    }

    It can also be used interactively with `Enter-PSSession` which gives the

    caller more control over when the hooks start and stop.

    Once the session is no longer needed, use `Remove-PSSession` to close the

    connection. Remember that once a process has been tainted with PSDetour it

    will still continue to run the listener in the background until the process

    ends.