Tuesday, October 3, 2017

Obfuscating a PowerShell script with PowerShell

Hi Mates,
I was intrigued by a book I was reading about pen testing. The author wrote a Python script which, together with other functions, is used to obfuscate a PowerShell script.
Since I love PowerShell and I’m trying to learn Python, I was curious to see whether I could re-create the Python script in PowerShell.
On the web there are many examples, but most of them didn’t work (for me). In fact most of them don’t clean the script of some unwanted chars (CR, BOM, comments and so on).
So I decided to try. Along the way I learned what a BOM is and how to end up with a raw file after a few steps.
If the original file respects some requirements (I’ll illustrate them later) the obfuscation should go through without any issue.

In practice the script asks for the path and the file name of the script to transform.
Then it removes all comments and creates an intermediate file.
After this first task it removes every carriage return, substituting a semicolon “;” for each of them, and creates a new file.
The third job removes the BOM (Byte Order Mark - https://en.wikipedia.org/wiki/Byte_order_mark ) chars and creates the final temporary file to be encoded.
Finally the script encodes the RAW file with a function declared earlier.
The last step deletes the temporary files. I used them to understand what was “disturbing” the transformation; they helped me a lot in figuring out which chars to delete and where the “block” was.
Below you can see one of the scripts I used as a guinea pig: it should make clear some syntax rules to respect in order to get a good encoded result.

Below is the result of the first step: comment deletion.
I opened it in Notepad++ to show you the CR symbol still present.

The second step removes the CRs and adds the semicolons:

The last one removes the BOM chars. To be honest I was not able to show them in Notepad++.
I managed it with VIM -b: vim -b filename.ps1
What I was able to see is the following, with the BOM chars highlighted (top left):

Opening the last file in the same way, before encoding but after the BOM cleaning step, you can see that the “strange” chars have disappeared:

The final result will be a file named “powershell_script_encoded”.
Copy the file content and paste it into a command prompt after the following, for example, and let’s see what happens --> powershell.exe -enc and then paste the encoded string

If everything went fine the script should execute without any stop.
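The four steps above written out in PowerShell, together with the inverse decode an analyst uses to read back a logged -enc argument. This is an added example, not the post’s own script; it assumes Windows PowerShell 5.1 or PowerShell 7 and works on a constructed sample script:

```powershell
# Added example, not the post's script; assumes Windows PowerShell 5.1 or PowerShell 7.
function Remove-PsComment {
    param([string[]]$Lines)
    # Step 1: drop <# block #> comments, then '#' line and trailing comments.
    # Caveat: a '#' inside a quoted string is cut too; keep strings free of '#'.
    $text = ($Lines -join "`n") -replace '(?s)<#.*?#>', ''
    foreach ($line in $text -split "`n") {
        $line = ($line -replace '#.*$', '').Trim()
        if ($line) { $line }                 # drop lines left empty
    }
}
function Join-PsLine {
    param([string[]]$Lines)
    # Step 2: one line, statements separated by ';'.
    # Caveat: breaks here-strings and backtick line continuations.
    return ($Lines -join ';')
}
function Remove-Bom {
    param([string]$Text)
    # Step 3: a UTF-16LE file with a BOM (FF FE) decodes to a leading U+FEFF
    # character, which would otherwise be carried into the encoded command.
    return $Text.TrimStart([char]0xFEFF)
}
function ConvertTo-EncodedCommand {
    param([string]$Script)
    # Step 4: -EncodedCommand expects Base64 of the script's UTF-16LE bytes.
    return [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}
function ConvertFrom-EncodedCommand {
    param([string]$Base64)
    # Defender side: recover the script text from a command line or log entry.
    return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}
# Constructed sample script with the characters the post strips.
$sample = @'
<# block comment #>
$name = "world"     # trailing comment
Write-Host "Hello $name"
'@
$oneLine = Join-PsLine (Remove-PsComment ($sample -split "`r?`n"))
# Mimic the post's intermediate file: Out-File -Encoding Unicode writes a BOM,
# and reading the bytes back (rather than Get-Content) keeps it as U+FEFF.
$tmp = [IO.Path]::GetTempFileName()
$oneLine | Out-File -FilePath $tmp -Encoding Unicode -NoNewline
$raw = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($tmp))
Remove-Item $tmp
$encoded = ConvertTo-EncodedCommand (Remove-Bom $raw)
$encoded                                 # paste after: powershell.exe -NoProfile -enc
ConvertFrom-EncodedCommand $encoded      # $name = "world";Write-Host "Hello $name"
```

In Windows PowerShell 5.1, Out-File uses this Unicode encoding even without -Encoding, so any intermediate file written with it carries the BOM the post removes.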
Here below is the script:

Hope this helps.
See you soon

Useful links:

ObfuscatedEmpire
Mike Robbins : simple obfuscation
