npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE D3FEND
Overview
PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes.
When to Use
- When performing authorized security testing that involves deobfuscating powershell obfuscated malware
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
Prerequisites
- Python 3.9+ with
base64,re,subprocessmodules - PowerShell 5.1+ or PowerShell 7+ (for AST access)
- PSDecode (
Install-Module PSDecode) - PowerDecode (https://github.com/Malandrone/PowerDecode)
- Isolated VM or sandbox for safe script execution
- CyberChef for manual encoding transformations
- Understanding of PowerShell AST and Invoke-Expression patterns
Key Concepts
Common Obfuscation Techniques
PowerShell malware employs layered obfuscation to evade static detection. String concatenation splits commands across variables ($a='In'+'voke'). Base64 encoding wraps entire scripts in -EncodedCommand parameters. Character code arrays use [char] casting ([char[]](73,69,88)|%{$r+=$_}). Environment variable abuse reads substrings from $env: paths. Tick-mark insertion adds backticks between characters that PowerShell ignores (Invoke-Expression`). SecureString conversion encrypts strings using ConvertTo-SecureString with embedded keys.
AST-Based Deobfuscation
PowerShell's Abstract Syntax Tree exposes the parsed structure of scripts regardless of surface-level obfuscation. By walking the AST and evaluating expression nodes, analysts can resolve concatenated strings, decode encoded values, and reconstruct the original commands. PowerPeeler uses this approach at the instruction level, monitoring the execution process to correlate AST nodes with their evaluated results.
Dynamic Execution Tracing
By replacing Invoke-Expression (IEX) with Write-Output, analysts can safely capture the deobfuscated script content that would normally be executed. This technique works across multiple layers by iteratively replacing IEX calls until the final payload is revealed.
Workflow
Step 1: Identify Obfuscation Layers
#!/usr/bin/env python3
"""Identify and classify PowerShell obfuscation techniques."""
import re
import base64
import sys
def analyze_obfuscation(script_content):
"""Identify obfuscation techniques used in PowerShell script."""
techniques = []
# Check for Base64 encoded command
b64_pattern = re.compile(
r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
re.IGNORECASE
)
if b64_pattern.search(script_content):
techniques.append("Base64 EncodedCommand")
# Check for FromBase64String
if re.search(r'\[Convert\]::FromBase64String', script_content, re.IGNORECASE):
techniques.append("Base64 FromBase64String")
# Check for string concatenation
concat_count = script_content.count("'+'") + script_content.count('"+"')
if concat_count > 3:
techniques.append(f"String Concatenation ({concat_count} joins)")
# Check for char array construction
if re.search(r'\[char\]\s*\d+', script_content, re.IGNORECASE):
techniques.append("Character Code Array")
# Check for Invoke-Expression variants
iex_patterns = [
r'Invoke-Expression',
r'\bIEX\b',
r'\.\s*\(\s*\$',
r'&\s*\(\s*\$',
r'\|\s*IEX',
r'\|\s*Invoke-Expression',
]
for pattern in iex_patterns:
if re.search(pattern, script_content, re.IGNORECASE):
techniques.append(f"Invoke-Expression variant: {pattern}")
# Check for tick-mark obfuscation
tick_count = script_content.count('`')
if tick_count > 5:
techniques.append(f"Tick-mark Insertion ({tick_count} backticks)")
# Check for environment variable abuse
if re.search(r'\$env:', script_content, re.IGNORECASE):
env_refs = re.findall(r'\$env:\w+', script_content, re.IGNORECASE)
if len(env_refs) > 2:
techniques.append(f"Environment Variable Abuse ({len(env_refs)} refs)")
# Check for SecureString
if re.search(r'ConvertTo-SecureString', script_content, re.IGNORECASE):
techniques.append("SecureString Encryption")
# Check for compression
if re.search(r'IO\.Compression|DeflateStream|GZipStream',
script_content, re.IGNORECASE):
techniques.append("Compression (Deflate/GZip)")
# Check for XOR encoding
if re.search(r'-bxor\s+\d+', script_content, re.IGNORECASE):
techniques.append("XOR Encoding")
# Check for Replace chain
replace_count = len(re.findall(r'\.Replace\(', script_content))
if replace_count > 2:
techniques.append(f"Replace Chain ({replace_count} replacements)")
return techniques
def decode_base64_command(script_content):
"""Extract and decode Base64 encoded commands."""
b64_match = re.search(
r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
script_content, re.IGNORECASE
)
if b64_match:
encoded = b64_match.group(1)
try:
decoded = base64.b64decode(encoded).decode('utf-16-le')
return decoded
except Exception:
return None
return None
def remove_tick_marks(script_content):
"""Remove PowerShell tick-mark obfuscation."""
# Remove backticks that are not escape sequences
escape_chars = {'`n', '`r', '`t', '`a', '`b', '`f', '`v', '`0', '``'}
result = []
i = 0
while i < len(script_content):
if script_content[i] == '`' and i + 1 < len(script_content):
pair = script_content[i:i+2]
if pair in escape_chars:
result.append(pair)
i += 2
else:
# Skip the backtick, keep the next char
result.append(script_content[i+1])
i += 2
else:
result.append(script_content[i])
i += 1
return ''.join(result)
def resolve_string_concat(script_content):
"""Resolve simple string concatenation patterns."""
# Pattern: 'str1' + 'str2'
pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
while pattern.search(script_content):
script_content = pattern.sub(lambda m: f"'{m.group(1)}{m.group(2)}'",
script_content)
# Pattern: "str1" + "str2"
pattern = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
while pattern.search(script_content):
script_content = pattern.sub(lambda m: f'"{m.group(1)}{m.group(2)}"',
script_content)
return script_content
if __name__ == "__main__":
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <powershell_script>")
sys.exit(1)
with open(sys.argv[1], 'r', errors='replace') as f:
content = f.read()
print("[+] Obfuscation Analysis")
print("=" * 60)
techniques = analyze_obfuscation(content)
for t in techniques:
print(f" - {t}")
# Attempt automatic deobfuscation
print("\n[+] Attempting Deobfuscation")
print("=" * 60)
# Layer 1: Remove tick marks
deobfuscated = remove_tick_marks(content)
# Layer 2: Resolve string concatenation
deobfuscated = resolve_string_concat(deobfuscated)
# Layer 3: Decode Base64
b64_decoded = decode_base64_command(deobfuscated)
if b64_decoded:
print("[+] Base64 decoded content:")
print(b64_decoded[:2000])
deobfuscated = b64_decoded
print(f"\n[+] Deobfuscated script length: {len(deobfuscated)} chars")
output_file = sys.argv[1] + ".deobfuscated.ps1"
with open(output_file, 'w') as f:
f.write(deobfuscated)
print(f"[+] Saved to {output_file}")Step 2: Multi-Layer IEX Replacement
import subprocess
import tempfile
import os
def iex_replacement_deobfuscate(script_content, max_layers=10):
"""Iteratively replace IEX with Write-Output to unwrap layers."""
# IEX replacement patterns
replacements = [
(r'\bInvoke-Expression\b', 'Write-Output'),
(r'\bIEX\b', 'Write-Output'),
(r'\|\s*IEX\b', '| Write-Output'),
]
current = script_content
layers = []
for layer_num in range(max_layers):
# Apply IEX replacements
modified = current
for pattern, replacement in replacements:
modified = re.sub(pattern, replacement, modified, flags=re.IGNORECASE)
if modified == current and layer_num > 0:
print(f" [+] No more IEX layers found at layer {layer_num}")
break
# Write to temp file and execute in constrained PowerShell
with tempfile.NamedTemporaryFile(mode='w', suffix='.ps1',
delete=False) as tmp:
tmp.write(modified)
tmp_path = tmp.name
try:
result = subprocess.run(
['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass',
'-File', tmp_path],
capture_output=True, text=True, timeout=30
)
output = result.stdout.strip()
if output and output != current:
print(f" [+] Layer {layer_num + 1}: Unwrapped "
f"{len(output)} chars")
layers.append({
"layer": layer_num + 1,
"technique": "IEX replacement",
"content_length": len(output),
})
current = output
else:
break
except subprocess.TimeoutExpired:
print(f" [!] Layer {layer_num + 1}: Execution timeout")
break
finally:
os.unlink(tmp_path)
return current, layersStep 3: Extract IOCs from Deobfuscated Script
def extract_iocs_from_script(deobfuscated_content):
"""Extract indicators of compromise from deobfuscated PowerShell."""
iocs = {
"urls": [],
"ips": [],
"domains": [],
"file_paths": [],
"registry_keys": [],
"commands": [],
"base64_blobs": [],
}
# URLs
url_pattern = re.compile(
r'https?://[^\s\'"<>)\]]+', re.IGNORECASE
)
iocs["urls"] = list(set(url_pattern.findall(deobfuscated_content)))
# IP addresses
ip_pattern = re.compile(
r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
)
iocs["ips"] = list(set(ip_pattern.findall(deobfuscated_content)))
# File paths
path_pattern = re.compile(
r'[A-Za-z]:\\[^\s\'"<>|]+|'
r'\\\\[^\s\'"<>|]+|'
r'%(?:APPDATA|TEMP|USERPROFILE|PROGRAMFILES)%[^\s\'"<>|]*',
re.IGNORECASE
)
iocs["file_paths"] = list(set(path_pattern.findall(deobfuscated_content)))
# Registry keys
reg_pattern = re.compile(
r'(?:HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\s\'"<>|]+)+',
re.IGNORECASE
)
iocs["registry_keys"] = list(set(reg_pattern.findall(deobfuscated_content)))
# Suspicious commands
suspicious_cmds = [
'New-Object Net.WebClient',
'DownloadString', 'DownloadFile', 'DownloadData',
'Start-Process', 'Invoke-WebRequest',
'New-Object IO.MemoryStream',
'Reflection.Assembly',
'Add-MpPreference -ExclusionPath',
'Set-MpPreference -DisableRealtimeMonitoring',
'New-ScheduledTask', 'Register-ScheduledTask',
]
for cmd in suspicious_cmds:
if cmd.lower() in deobfuscated_content.lower():
iocs["commands"].append(cmd)
return iocsValidation Criteria
- All obfuscation layers identified and classified correctly
- Base64 encoded commands decoded to readable PowerShell
- Tick-mark and string concatenation obfuscation resolved
- IEX replacement reveals next-stage payloads
- URLs, IPs, and file paths extracted from final deobfuscated stage
- Deobfuscated script matches observed malware behavior in sandbox
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.4 KB
PowerShell Deobfuscation — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| re | stdlib | Regex pattern matching for obfuscation detection |
| base64 | stdlib | Base64 decoding of encoded commands |
| pySigma | pip install pySigma |
Sigma rule generation for detections |
Common Obfuscation Techniques
| Technique | Pattern | Example |
|---|---|---|
| Base64 Encoding | -EncodedCommand <b64> |
powershell -enc SQBFAFgA... |
| String Concatenation | 'str1'+'str2' |
'Inv'+'oke'+'-Exp'+'ression' |
| Character Codes | [char]73+[char]69 |
[char]73 = I, [char]69 = E |
| Backtick Escape | `I`E`X |
Backtick breaks keyword detection |
| Variable Substitution | $env:COMSPEC |
Use env vars as execution paths |
| Compression | IO.Compression.DeflateStream |
Compressed + Base64 payload |
Detection Event IDs
| Source | Event ID | Description |
|---|---|---|
| PowerShell | 4104 | Script block logging (deobfuscated content) |
| Sysmon | 1 | Process creation with command line |
| Defender | 1116 | Malware detection |
External References
standards.md1.9 KB
Standards and Frameworks Reference
PowerShell Obfuscation Taxonomy
Layer Classification
| Layer | Technique | Example |
|---|---|---|
| L1 | Base64 EncodedCommand | powershell -enc SQBFAFgA... |
| L2 | String Concatenation | $a='Inv'+'oke'+'-Ex'+'pression' |
| L3 | Character Code Array | [char[]](73,69,88)-join'' |
| L4 | Tick-Mark Insertion | I`nv`oke-Exp`ress`ion |
| L5 | Environment Variable | $env:COMSPEC[4,15,25]-join'' |
| L6 | SecureString | ConvertTo-SecureString ... -Key |
| L7 | Compression + Base64 | IO.Compression.DeflateStream |
| L8 | XOR Encoding | `$bytes |
| L9 | Replace Chain | .Replace('abc','I').Replace(...) |
| L10 | Format String | ("{2}{0}{1}" -f 'ke-','Ex','Invo') |
MITRE ATT&CK Mappings
| Technique | ID | Description |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | T1059.001 | Malicious PowerShell execution |
| Obfuscated Files or Information | T1027 | Encoding/encryption of scripts |
| Deobfuscate/Decode Files | T1140 | Runtime deobfuscation |
| Ingress Tool Transfer | T1105 | Downloading payloads via PS |
| System Binary Proxy Execution | T1218 | Using trusted binaries |
PowerShell AST Node Types for Analysis
Key Expression Nodes
CommandExpression: Direct command invocationsInvokeMemberExpression: Method calls on objectsBinaryExpression: String concatenation operatorsArrayExpression: Character array constructionSubExpression: Nested expression evaluationExpandableStringExpression: String interpolation
References
workflows.md2.3 KB
PowerShell Deobfuscation Workflows
Workflow 1: Automated Multi-Layer Deobfuscation
[Obfuscated Script] --> [Identify Techniques] --> [Remove Tick Marks]
|
v
[Resolve Concatenation]
|
v
[Decode Base64 Layers]
|
v
[IEX -> Write-Output]
|
v
[Extract Final Payload]Workflow 2: AST-Based Analysis
[Script Input] --> [Parse AST] --> [Walk Expression Nodes] --> [Evaluate Expressions]
|
v
[Reconstruct Commands]
|
v
[Extract IOCs]Workflow 3: Dynamic Sandbox Deobfuscation
[Obfuscated Script] --> [Execute in Sandbox] --> [Capture ScriptBlock Logs]
|
v
[Event ID 4104 Analysis]
|
v
[Reconstruct Execution Chain]Steps:
- Enable Logging: Enable PowerShell ScriptBlock logging (Event ID 4104)
- Execute: Run obfuscated script in isolated sandbox
- Collect: Gather all ScriptBlock log entries
- Reconstruct: Assemble deobfuscated script from logged blocks
- Extract: Pull IOCs from the reconstructed clear-text script
Scripts 2
agent.py5.1 KB
#!/usr/bin/env python3
"""PowerShell obfuscated malware deobfuscation agent."""
import json
import argparse
import re
import base64
from datetime import datetime
def decode_base64_commands(script_content):
"""Find and decode Base64 encoded PowerShell commands."""
decoded = []
b64_pattern = re.compile(r'-[eE](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})')
for match in b64_pattern.finditer(script_content):
encoded = match.group(1)
try:
raw = base64.b64decode(encoded)
text = raw.decode("utf-16-le", errors="replace")
decoded.append({"encoded": encoded[:60] + "...", "decoded": text[:500]})
except Exception:
pass
standalone_b64 = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')
for match in standalone_b64.finditer(script_content):
try:
raw = base64.b64decode(match.group(1))
text = raw.decode("utf-8", errors="replace")
if text.isprintable() or "http" in text.lower():
decoded.append({"encoded": match.group(1)[:60] + "...", "decoded": text[:500]})
except Exception:
pass
return decoded
def deobfuscate_string_concatenation(script_content):
"""Resolve string concatenation obfuscation."""
concat_pattern = re.compile(r"(?:'[^']*'\s*\+\s*){2,}'[^']*'")
resolved = []
for match in concat_pattern.finditer(script_content):
original = match.group(0)
parts = re.findall(r"'([^']*)'", original)
result = "".join(parts)
resolved.append({"obfuscated": original[:80], "resolved": result[:500]})
return resolved
def detect_obfuscation_techniques(script_content):
"""Identify obfuscation techniques used in the script."""
techniques = []
checks = [
(r'-[eE](?:nc(?:odedcommand)?)', "Base64 encoded command", "HIGH"),
(r'\[(?:char|int)\]\s*\d+', "Character code conversion", "MEDIUM"),
(r'(?:iex|invoke-expression)', "Invoke-Expression (IEX) execution", "HIGH"),
(r'\$\{[^}]+\}', "Variable name obfuscation with braces", "LOW"),
(r'\.(?:replace|split|reverse)\(', "String manipulation methods", "MEDIUM"),
(r'-(?:join|split)\s', "Array join/split obfuscation", "MEDIUM"),
(r'(?:Net\.WebClient|DownloadString|DownloadFile)', "Web download cradle", "CRITICAL"),
(r'(?:Start-Process|Invoke-Item|cmd\s*/c)', "Process execution", "HIGH"),
(r'\[System\.Convert\]::FromBase64String', ".NET Base64 decode", "HIGH"),
(r'(?:gci|ls|dir)\s+env:', "Environment variable access", "LOW"),
]
for pattern, name, severity in checks:
if re.search(pattern, script_content, re.IGNORECASE):
techniques.append({"technique": name, "severity": severity})
return techniques
def extract_iocs(script_content):
"""Extract indicators of compromise from deobfuscated content."""
iocs = {"urls": [], "ips": [], "domains": [], "file_paths": []}
url_pattern = re.compile(r'https?://[^\s"\'<>]+')
ip_pattern = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
path_pattern = re.compile(r'[A-Z]:\\[\w\\]+\.\w{2,4}|/(?:tmp|var|etc)/[\w/]+')
iocs["urls"] = list(set(url_pattern.findall(script_content)))
iocs["ips"] = list(set(ip_pattern.findall(script_content)))
iocs["file_paths"] = list(set(path_pattern.findall(script_content)))
return iocs
def run_analysis(script_path):
"""Execute PowerShell deobfuscation analysis."""
print(f"\n{'='*60}")
print(f" POWERSHELL MALWARE DEOBFUSCATION")
print(f" File: {script_path}")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
with open(script_path, "r", errors="replace") as f:
content = f.read()
techniques = detect_obfuscation_techniques(content)
print(f"--- OBFUSCATION TECHNIQUES ({len(techniques)}) ---")
for t in techniques:
print(f" [{t['severity']}] {t['technique']}")
b64 = decode_base64_commands(content)
print(f"\n--- BASE64 DECODED ({len(b64)}) ---")
for d in b64[:5]:
print(f" {d['decoded'][:100]}")
concat = deobfuscate_string_concatenation(content)
print(f"\n--- STRING CONCAT RESOLVED ({len(concat)}) ---")
for c in concat[:5]:
print(f" {c['resolved'][:100]}")
all_decoded = content
for d in b64:
all_decoded += "\n" + d["decoded"]
iocs = extract_iocs(all_decoded)
print(f"\n--- IOCs ---")
print(f" URLs: {iocs['urls'][:5]}")
print(f" IPs: {iocs['ips'][:5]}")
print(f" Paths: {iocs['file_paths'][:5]}")
return {"techniques": techniques, "decoded_b64": b64, "concat": concat, "iocs": iocs}
def main():
parser = argparse.ArgumentParser(description="PowerShell Deobfuscation Agent")
parser.add_argument("--script", required=True, help="Path to obfuscated PowerShell script")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
report = run_analysis(args.script)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
process.py10.7 KB
#!/usr/bin/env python3
"""
PowerShell Malware Deobfuscation Script
Identifies and removes multiple layers of PowerShell obfuscation
to reveal the underlying malicious payload and extract IOCs.
Requirements:
pip install regex
Usage:
python process.py --file obfuscated.ps1 --output deobfuscated.ps1
python process.py --file obfuscated.ps1 --extract-iocs
"""
import argparse
import base64
import json
import re
import sys
from pathlib import Path
class PowerShellDeobfuscator:
"""Multi-layer PowerShell deobfuscation engine."""
def __init__(self):
self.layers = []
self.iocs = {
"urls": set(),
"ips": set(),
"domains": set(),
"file_paths": set(),
"registry_keys": set(),
"suspicious_commands": set(),
}
def analyze(self, content):
"""Identify obfuscation techniques present."""
techniques = []
checks = [
(r'-[Ee]nc(?:odedcommand)?\s+[A-Za-z0-9+/=]{20,}',
"Base64 EncodedCommand"),
(r'\[Convert\]::FromBase64String', "FromBase64String"),
(r"'\s*\+\s*'", "String Concatenation (single-quote)"),
(r'"\s*\+\s*"', "String Concatenation (double-quote)"),
(r'\[char\]\s*\d+', "Character Code Casting"),
(r'\[char\[\]\]\s*\([\d,\s]+\)', "Character Array"),
(r'`[a-zA-Z]', "Tick-Mark Insertion"),
(r'Invoke-Expression', "Invoke-Expression"),
(r'\bIEX\b', "IEX Alias"),
(r'\|\s*IEX', "Pipeline IEX"),
(r'IO\.Compression', "Compression Stream"),
(r'-bxor\s+\d+', "XOR Encoding"),
(r'\.Replace\(', "Replace Chain"),
(r'ConvertTo-SecureString', "SecureString"),
(r'\$env:', "Environment Variable"),
(r'-f\s+[\'"]', "Format String Operator"),
(r'New-Object\s+IO\.MemoryStream', "MemoryStream"),
]
for pattern, name in checks:
matches = re.findall(pattern, content, re.IGNORECASE)
if matches:
techniques.append({"technique": name, "count": len(matches)})
return techniques
def deobfuscate(self, content):
"""Apply all deobfuscation layers iteratively."""
current = content
iteration = 0
while iteration < 20:
previous = current
# Layer: Remove tick marks
current = self._remove_ticks(current)
# Layer: Resolve string concatenation
current = self._resolve_concat(current)
# Layer: Decode Base64 EncodedCommand
current = self._decode_base64_command(current)
# Layer: Decode FromBase64String calls
current = self._decode_frombase64(current)
# Layer: Resolve character arrays
current = self._resolve_char_arrays(current)
# Layer: Resolve format strings
current = self._resolve_format_strings(current)
# Layer: Decompress streams
current = self._decompress_streams(current)
if current == previous:
break
self.layers.append({
"iteration": iteration + 1,
"length_before": len(previous),
"length_after": len(current),
})
iteration += 1
# Extract IOCs from final result
self._extract_iocs(current)
return current
def _remove_ticks(self, content):
"""Remove backtick obfuscation."""
escape_sequences = {'`n', '`r', '`t', '`a', '`b', '`f', '`v', '`0', '``'}
result = []
i = 0
while i < len(content):
if content[i] == '`' and i + 1 < len(content):
pair = content[i:i+2]
if pair in escape_sequences:
result.append(pair)
i += 2
else:
result.append(content[i+1])
i += 2
else:
result.append(content[i])
i += 1
return ''.join(result)
def _resolve_concat(self, content):
"""Resolve string concatenation."""
# Single-quoted concatenation
pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
while pattern.search(content):
content = pattern.sub(r"'\1\2'", content)
# Double-quoted concatenation
pattern = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
while pattern.search(content):
content = pattern.sub(r'"\1\2"', content)
return content
def _decode_base64_command(self, content):
"""Decode -EncodedCommand Base64 arguments."""
pattern = re.compile(
r'-[Ee]nc(?:odedcommand)?\s+([A-Za-z0-9+/=]{20,})',
re.IGNORECASE
)
match = pattern.search(content)
if match:
try:
decoded = base64.b64decode(match.group(1)).decode('utf-16-le')
content = pattern.sub(decoded, content)
except Exception:
pass
return content
def _decode_frombase64(self, content):
"""Decode [Convert]::FromBase64String calls."""
pattern = re.compile(
r"\[Convert\]::FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)",
re.IGNORECASE
)
for match in pattern.finditer(content):
try:
decoded = base64.b64decode(match.group(1))
decoded_str = decoded.decode('utf-8', errors='replace')
content = content.replace(match.group(0), f"'{decoded_str}'")
except Exception:
pass
return content
def _resolve_char_arrays(self, content):
"""Resolve [char] and [char[]] expressions."""
# [char]NN patterns
pattern = re.compile(r'\[char\]\s*(\d+)', re.IGNORECASE)
for match in pattern.finditer(content):
try:
char_val = chr(int(match.group(1)))
content = content.replace(match.group(0), f"'{char_val}'")
except (ValueError, OverflowError):
pass
return content
def _resolve_format_strings(self, content):
"""Resolve PowerShell format string operator."""
pattern = re.compile(
r"\(?\s*['\"](\{[\d\}{\s]+[^'\"]*)['\"]"
r"\s*-f\s*([^)]+)\)?",
re.IGNORECASE
)
for match in pattern.finditer(content):
try:
fmt_str = match.group(1)
args_str = match.group(2)
args = [a.strip().strip("'\"") for a in args_str.split(",")]
resolved = fmt_str
for i, arg in enumerate(args):
resolved = resolved.replace(f"{{{i}}}", arg)
content = content.replace(match.group(0), f"'{resolved}'")
except Exception:
pass
return content
def _decompress_streams(self, content):
"""Attempt to decode compressed Base64 payloads."""
import zlib
import io
b64_pattern = re.compile(r'[A-Za-z0-9+/=]{100,}')
for match in b64_pattern.finditer(content):
try:
raw = base64.b64decode(match.group(0))
# Try deflate
decompressed = zlib.decompress(raw, -zlib.MAX_WBITS)
decoded = decompressed.decode('utf-8', errors='replace')
if len(decoded) > 50:
content = content.replace(match.group(0), decoded)
except Exception:
try:
# Try gzip
raw = base64.b64decode(match.group(0))
decompressed = zlib.decompress(raw, zlib.MAX_WBITS | 16)
decoded = decompressed.decode('utf-8', errors='replace')
if len(decoded) > 50:
content = content.replace(match.group(0), decoded)
except Exception:
pass
return content
def _extract_iocs(self, content):
"""Extract IOCs from deobfuscated content."""
# URLs
for url in re.findall(r'https?://[^\s\'"<>)\]]+', content, re.I):
self.iocs["urls"].add(url)
# IPs
for ip in re.findall(r'\b(?:\d{1,3}\.){3}\d{1,3}\b', content):
self.iocs["ips"].add(ip)
# File paths
for path in re.findall(
r'[A-Za-z]:\\[^\s\'"<>|]+', content, re.I
):
self.iocs["file_paths"].add(path)
# Registry keys
for key in re.findall(
r'(?:HKLM|HKCU|HKCR)(?:\\[^\s\'"<>|]+)+', content, re.I
):
self.iocs["registry_keys"].add(key)
# Suspicious commands
for cmd in ['DownloadString', 'DownloadFile', 'Invoke-WebRequest',
'Start-Process', 'New-ScheduledTask', 'Add-MpPreference',
'Reflection.Assembly']:
if cmd.lower() in content.lower():
self.iocs["suspicious_commands"].add(cmd)
def get_report(self):
"""Generate analysis report."""
return {
"layers_processed": len(self.layers),
"layer_details": self.layers,
"iocs": {k: sorted(v) for k, v in self.iocs.items()},
}
def main():
parser = argparse.ArgumentParser(
description="PowerShell Malware Deobfuscator"
)
parser.add_argument("--file", required=True, help="Input PS1 file")
parser.add_argument("--output", help="Output deobfuscated file")
parser.add_argument("--extract-iocs", action="store_true",
help="Extract IOCs from result")
parser.add_argument("--report", help="Save JSON report")
args = parser.parse_args()
with open(args.file, 'r', errors='replace') as f:
content = f.read()
deob = PowerShellDeobfuscator()
print("[+] Analyzing obfuscation techniques...")
techniques = deob.analyze(content)
for t in techniques:
print(f" - {t['technique']} ({t['count']} occurrences)")
print(f"\n[+] Deobfuscating ({len(content)} chars)...")
result = deob.deobfuscate(content)
print(f"[+] Result: {len(result)} chars")
if args.output:
with open(args.output, 'w') as f:
f.write(result)
print(f"[+] Saved to {args.output}")
report = deob.get_report()
if args.extract_iocs or args.report:
print(f"\n[+] Extracted IOCs:")
for category, values in report["iocs"].items():
if values:
print(f" {category}:")
for v in values:
print(f" - {v}")
if args.report:
with open(args.report, 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved to {args.report}")
if __name__ == "__main__":
main()