<#
.SYNOPSIS
Deobfuscate scripts or files that have been obfuscated using reordered format strings.
.DESCRIPTION
This PowerShell script deobfuscates other PowerShell scripts that have been obfuscated using a technique where format strings are reordered. See: https://www.securonix.com/blog/hiding-the-powershell-execution-flow/
.NOTES
Use at your own risk.
.LINK
https://github.com/bobby-tablez/Format-String-Deobfuscator
.Parameter f
Specifies the PowerShell file name to deobfuscate. The deobfuscated lines will appear as console output. Lines with no format strings will be ignored.
.Example
# Example: Deobfuscate a file using the -f parameter:
fs_deobfuscator.ps1 -f obfuscated_file.ps1
.Parameter s
Specifies the script to deobfuscate. Supply a format string directly as a parameter.
.Example
# Example: Deobfuscate a script one-liner using the -s parameter:
fs_deobfuscator.ps1 -s '( "{0}{3}{4}{1}{2}" -f "S","Mo","de","et-Stri","ct")'
.Parameter b
Specifies the script to deobfuscate, supplied base64-encoded. This is useful when quotation marks in the script would otherwise break parameter parsing in PowerShell.
.Example
# Example: Deobfuscate a script one-liner that is base64 encoded using the -b parameter:
fs_deobfuscator.ps1 -b KCAiIHswfXszfXs0fXsxfXsyfSAiIC1mICdTJywnTW8nLCdkZScsJ2V0LVN0cmlkJywnY3QnICk=
#>
Param(
    # Path of a PowerShell file to deobfuscate; every line is scanned for format strings.
    [Parameter(Mandatory = $false)]
    [string]$f,
    # A single script fragment to deobfuscate, passed as a plain string.
    [Parameter(Mandatory = $false)]
    [string]$s,
    # A base64-encoded script fragment to deobfuscate (decoded as UTF-8 before scanning).
    [Parameter(Mandatory = $false)]
    [string]$b
)
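# Returns $node's literal value when it is a plain string constant, otherwise $null.
# Expandable strings ("...$x..."), variables, sub-expressions and commands are
# rejected on purpose: evaluating any of them would run code taken from the input.
Function constantStringValue ($node) {
    If ($node -is [System.Management.Automation.Language.StringConstantExpressionAst]) {
        Return $node.Value
    }
    Return $null
}

# Evaluates $expr only if it parses as `( <string literal> -f <string literal>[, ...] )`.
# Returns the formatted string, or $null when $expr does not parse or contains
# anything other than string literals. Nothing from $expr is ever executed; the
# format operation is applied to the literal values extracted from the AST.
Function evaluateConstantFormat ($expr) {
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($expr, [ref]$tokens, [ref]$errors)
    If ($errors.Count -ne 0) { Return $null }
    $statements = $ast.EndBlock.Statements
    If ($statements.Count -ne 1) { Return $null }
    # Peel off the pipeline / command-expression / parenthesis layers the parser
    # wraps around `( ... )` until the binary expression itself is reached.
    $node = $statements[0]
    While ($true) {
        If ($node -is [System.Management.Automation.Language.PipelineAst]) {
            If ($node.PipelineElements.Count -ne 1) { Return $null }
            $node = $node.PipelineElements[0]
        }
        ElseIf ($node -is [System.Management.Automation.Language.CommandExpressionAst]) {
            $node = $node.Expression
        }
        ElseIf ($node -is [System.Management.Automation.Language.ParenExpressionAst]) {
            $node = $node.Pipeline
        }
        Else {
            Break
        }
    }
    If ($node -isnot [System.Management.Automation.Language.BinaryExpressionAst]) { Return $null }
    If ($node.Operator -ne [System.Management.Automation.Language.TokenKind]::Format) { Return $null }
    $fmt = constantStringValue $node.Left
    If ($null -eq $fmt) { Return $null }
    # The right-hand side is either a single literal or a comma-separated array literal.
    If ($node.Right -is [System.Management.Automation.Language.ArrayLiteralAst]) {
        $operands = $node.Right.Elements
    } Else {
        $operands = @($node.Right)
    }
    $values = @()
    Foreach ($operand in $operands) {
        $value = constantStringValue $operand
        If ($null -eq $value) { Return $null }
        $values += $value
    }
    Return ($fmt -f $values)
}

# Finds every `( "{..}" -f ... )` format expression in $line and prints its
# constant-folded value to the console.
# $line    - the text to scan (one file line, or the whole -s / -b input)
# $lineNum - 1-based line number of $line, or 0 when there is no line (then a
#            generic "Deobfuscated string" heading is printed instead)
# Matches are never handed to Invoke-Expression: the script being analysed is
# by assumption hostile, so only literal-only expressions are evaluated and
# anything else is reported and skipped.
Function formatString ($line, $lineNum) {
    # Only double-quoted format strings are recognized, and the argument list
    # ends at the first ')', so an expression containing ')' is truncated and
    # ends up reported rather than evaluated.
    $parser = '\(\s*"\s*\{(.+?)\}\s*"\s*-f\s*(.+?)\s*\)'
    $fsLine = [regex]::Matches($line, $parser)
    Foreach($match in $fsLine) {
        $formatExp = $match.Value
        Try {
            $deobfuscated = evaluateConstantFormat $formatExp
            If ($null -eq $deobfuscated) {
                Write-Host -ForegroundColor Red "A format string detected, but it could not be evaluated as a literal-only expression at line: $lineNum $formatExp`n"
            }
            ElseIf ($lineNum -eq 0 ) {
                Write-Host -ForegroundColor Yellow "`nDeobfuscated string`:"
                Write-Host $deobfuscated
            } Else {
                Write-Host -ForegroundColor Yellow "`nLine $lineNum`:"
                Write-Host $deobfuscated
            }
        } Catch {
            Write-Host -ForegroundColor Red "A format string detected, but an error occured at line: $lineNum $formatExp`n"
        }
        Write-Host ""
    }
}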
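# Dispatch on whichever input parameter was supplied; -f takes precedence over -s, then -b.
If ($f) {
    # -LiteralPath so that '[', ']' and '*' in a file name are not expanded as
    # wildcards; -PathType Leaf rejects directories before Get-Content sees them.
    If (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
        Throw "File not found: $f"
    }
    $inFile = Get-Content -LiteralPath $f
    $lineNum = 0
    Foreach($line in $inFile){
        $lineNum++
        formatString $line $lineNum
    }
}
Elseif ($s) {
    # 0 tells formatString there is no meaningful line number for this input.
    formatString $s 0
}
Elseif ($b) {
    # Decoded as UTF-8; a malformed base64 payload throws from FromBase64String.
    $decode = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))
    formatString $decode 0
}
Else {
    Throw "Please provide a valid parameter -f (file) -s (string) -b (base64 string)."
}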