Invoke-ReflectivePEInjection - PE platform doesn’t match the architecture

Question

Invoke-ReflectivePEInjection - PE platform doesn’t match the architecture

pfinn1977 opened this issue 6 years ago · 1 comments

pfinn1977 commented 6 years ago

I am trying to inject the 64bit version of autoruns into explorer.

$PEBytes = [System.Convert]::FromBase64String($global:output)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs “-a * -c -s -h -t -m *” -ProcName explorer -ComputerName $global:compName

I am getting the Arch error below:
PE platform doesn’t match the architecture of the process it is being loaded in (32/64bit)
At C:\Users\pf48\Documents\Work Docs\Scripts\Powershell\ForensicCollection-InjectionTest.ps1:2858 char:3

Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList …
CategoryInfo : OperationStopped: (PE platform doe…d in (32/64bit):String) [], RuntimeException
FullyQualifiedErrorId : PE platform doesn’t match the architecture of the process it is being loaded in (32/64bit)

doing some searching other people who have run into this issue have tried using the the 32bit version of powershell but I still get the same error. I have verified that explorer on the machine I am working with is a 64bit process and I have verified that I am using the 64bit version of autorunsc. Any other thoughts on fixing this issue?

Answer 1 · 2020-02-27T13:45:05.000Z

@pfinn1977
You can SysWOW64.

This example below:
%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File payload.ps1