‹ 首页

deobfuscating-powershell-obfuscated-malware

@adriannoes · 收录于 1 周前

Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure.

适合你,如果经常分析混淆的PowerShell恶意代码

/ 下载安装
deobfuscating-powershell-obfuscated-malware.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add adriannoes/awesome-vibe-coding/deobfuscating-powershell-obfuscated-malware
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- adriannoes/awesome-vibe-coding/deobfuscating-powershell-obfuscated-malware
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify adriannoes/awesome-vibe-coding/deobfuscating-powershell-obfuscated-malware
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
44GitHub stars
~2.5K最小装载
~2.5K含声明引用
~3.6K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · Apache-2.0 · e4ed3a9

Deobfuscating PowerShell Obfuscated Malware

Overview

PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes.

When to Use
  • When performing authorized security testing that involves deobfuscating powershell obfuscated malware
  • When analyzing malware samples or attack artifacts in a controlled environment
  • When conducting red team exercises or penetration testing engagements
  • When building detection capabilities based on offensive technique understanding
Prerequisites
  • Python 3.9+ with base64, re, subprocess modules
  • PowerShell 5.1+ or PowerShell 7+ (for AST access)
  • PSDecode (Install-Module PSDecode)
  • PowerDecode (https://github.com/Malandrone/PowerDecode)
  • Isolated VM or sandbox for safe script execution
  • CyberChef for manual encoding transformations
  • Understanding of PowerShell AST and Invoke-Expression patterns
Key Concepts
Common Obfuscation Techniques

PowerShell malware employs layered obfuscation to evade static detection. String concatenation splits commands across variables ($a='In'+'voke'). Base64 encoding wraps entire scripts in -EncodedCommand parameters. Character code arrays use [char] casting ([char[]](73,69,88)|%{$r+=$_}). Environment variable abuse reads substrings from $env: paths. Tick-mark insertion adds backticks between characters that PowerShell ignores (Invoke-Expression`). SecureString conversion encrypts strings using ConvertTo-SecureString with embedded keys.

AST-Based Deobfuscation

PowerShell's Abstract Syntax Tree exposes the parsed structure of scripts regardless of surface-level obfuscation. By walking the AST and evaluating expression nodes, analysts can resolve concatenated strings, decode encoded values, and reconstruct the original commands. PowerPeeler uses this approach at the instruction level, monitoring the execution process to correlate AST nodes with their evaluated results.

Dynamic Execution Tracing

By replacing Invoke-Expression (IEX) with Write-Output, analysts can safely capture the deobfuscated script content that would normally be executed. This technique works across multiple layers by iteratively replacing IEX calls until the final payload is revealed.

Workflow
Step 1: Identify Obfuscation Layers
#!/usr/bin/env python3
"""Identify and classify PowerShell obfuscation techniques."""
import re
import base64
import sys


def analyze_obfuscation(script_content):
    """Identify obfuscation techniques used in PowerShell script."""
    techniques = []

    # Check for Base64 encoded command
    b64_pattern = re.compile(
        r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
        re.IGNORECASE
    )
    if b64_pattern.search(script_content):
        techniques.append("Base64 EncodedCommand")

    # Check for FromBase64String
    if re.search(r'\[Convert\]::FromBase64String', script_content, re.IGNORECASE):
        techniques.append("Base64 FromBase64String")

    # Check for string concatenation
    concat_count = script_content.count("'+'") + script_content.count('"+"')
    if concat_count > 3:
        techniques.append(f"String Concatenation ({concat_count} joins)")

    # Check for char array construction
    if re.search(r'\[char\]\s*\d+', script_content, re.IGNORECASE):
        techniques.append("Character Code Array")

    # Check for Invoke-Expression variants
    iex_patterns = [
        r'Invoke-Expression',
        r'\bIEX\b',
        r'\.\s*\(\s*\$',
        r'&\s*\(\s*\$',
        r'\|\s*IEX',
        r'\|\s*Invoke-Expression',
    ]
    for pattern in iex_patterns:
        if re.search(pattern, script_content, re.IGNORECASE):
            techniques.append(f"Invoke-Expression variant: {pattern}")

    # Check for tick-mark obfuscation
    tick_count = script_content.count('`')
    if tick_count > 5:
        techniques.append(f"Tick-mark Insertion ({tick_count} backticks)")

    # Check for environment variable abuse
    if re.search(r'\$env:', script_content, re.IGNORECASE):
        env_refs = re.findall(r'\$env:\w+', script_content, re.IGNORECASE)
        if len(env_refs) > 2:
            techniques.append(f"Environment Variable Abuse ({len(env_refs)} refs)")

    # Check for SecureString
    if re.search(r'ConvertTo-SecureString', script_content, re.IGNORECASE):
        techniques.append("SecureString Encryption")

    # Check for compression
    if re.search(r'IO\.Compression|DeflateStream|GZipStream',
                 script_content, re.IGNORECASE):
        techniques.append("Compression (Deflate/GZip)")

    # Check for XOR encoding
    if re.search(r'-bxor\s+\d+', script_content, re.IGNORECASE):
        techniques.append("XOR Encoding")

    # Check for Replace chain
    replace_count = len(re.findall(r'\.Replace\(', script_content))
    if replace_count > 2:
        techniques.append(f"Replace Chain ({replace_count} replacements)")

    return techniques


def decode_base64_command(script_content):
    """Extract and decode Base64 encoded commands."""
    b64_match = re.search(
        r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
        script_content, re.IGNORECASE
    )
    if b64_match:
        encoded = b64_match.group(1)
        try:
            decoded = base64.b64decode(encoded).decode('utf-16-le')
            return decoded
        except Exception:
            return None
    return None


def remove_tick_marks(script_content):
    """Remove PowerShell tick-mark obfuscation."""
    # Remove backticks that are not escape sequences
    escape_chars = {'`n', '`r', '`t', '`a', '`b', '`f', '`v', '`0', '``'}
    result = []
    i = 0
    while i < len(script_content):
        if script_content[i] == '`' and i + 1 < len(script_content):
            pair = script_content[i:i+2]
            if pair in escape_chars:
                result.append(pair)
                i += 2
            else:
                # Skip the backtick, keep the next char
                result.append(script_content[i+1])
                i += 2
        else:
            result.append(script_content[i])
            i += 1
    return ''.join(result)


def resolve_string_concat(script_content):
    """Resolve simple string concatenation patterns."""
    # Pattern: 'str1' + 'str2'
    pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while pattern.search(script_content):
        script_content = pattern.sub(lambda m: f"'{m.group(1)}{m.group(2)}'",
                                      script_content)
    # Pattern: "str1" + "str2"
    pattern = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
    while pattern.search(script_content):
        script_content = pattern.sub(lambda m: f'"{m.group(1)}{m.group(2)}"',
                                      script_content)
    return script_content


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <powershell_script>")
        sys.exit(1)

    with open(sys.argv[1], 'r', errors='replace') as f:
        content = f.read()

    print("[+] Obfuscation Analysis")
    print("=" * 60)
    techniques = analyze_obfuscation(content)
    for t in techniques:
        print(f"  - {t}")

    # Attempt automatic deobfuscation
    print("\n[+] Attempting Deobfuscation")
    print("=" * 60)

    # Layer 1: Remove tick marks
    deobfuscated = remove_tick_marks(content)

    # Layer 2: Resolve string concatenation
    deobfuscated = resolve_string_concat(deobfuscated)

    # Layer 3: Decode Base64
    b64_decoded = decode_base64_command(deobfuscated)
    if b64_decoded:
        print("[+] Base64 decoded content:")
        print(b64_decoded[:2000])
        deobfuscated = b64_decoded

    print(f"\n[+] Deobfuscated script length: {len(deobfuscated)} chars")
    output_file = sys.argv[1] + ".deobfuscated.ps1"
    with open(output_file, 'w') as f:
        f.write(deobfuscated)
    print(f"[+] Saved to {output_file}")
Step 2: Multi-Layer IEX Replacement
import subprocess
import tempfile
import os

def iex_replacement_deobfuscate(script_content, max_layers=10):
    """Iteratively replace IEX with Write-Output to unwrap layers."""
    # IEX replacement patterns
    replacements = [
        (r'\bInvoke-Expression\b', 'Write-Output'),
        (r'\bIEX\b', 'Write-Output'),
        (r'\|\s*IEX\b', '| Write-Output'),
    ]

    current = script_content
    layers = []

    for layer_num in range(max_layers):
        # Apply IEX replacements
        modified = current
        for pattern, replacement in replacements:
            modified = re.sub(pattern, replacement, modified, flags=re.IGNORECASE)

        if modified == current and layer_num > 0:
            print(f"  [+] No more IEX layers found at layer {layer_num}")
            break

        # Write to temp file and execute in constrained PowerShell
        with tempfile.NamedTemporaryFile(mode='w', suffix='.ps1',
                                          delete=False) as tmp:
            tmp.write(modified)
            tmp_path = tmp.name

        try:
            result = subprocess.run(
                ['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass',
                 '-File', tmp_path],
                capture_output=True, text=True, timeout=30
            )

            output = result.stdout.strip()
            if output and output != current:
                print(f"  [+] Layer {layer_num + 1}: Unwrapped "
                      f"{len(output)} chars")
                layers.append({
                    "layer": layer_num + 1,
                    "technique": "IEX replacement",
                    "content_length": len(output),
                })
                current = output
            else:
                break

        except subprocess.TimeoutExpired:
            print(f"  [!] Layer {layer_num + 1}: Execution timeout")
            break
        finally:
            os.unlink(tmp_path)

    return current, layers
Step 3: Extract IOCs from Deobfuscated Script
def extract_iocs_from_script(deobfuscated_content):
    """Extract indicators of compromise from deobfuscated PowerShell."""
    iocs = {
        "urls": [],
        "ips": [],
        "domains": [],
        "file_paths": [],
        "registry_keys": [],
        "commands": [],
        "base64_blobs": [],
    }

    # URLs
    url_pattern = re.compile(
        r'https?://[^\s\'"<>)\]]+', re.IGNORECASE
    )
    iocs["urls"] = list(set(url_pattern.findall(deobfuscated_content)))

    # IP addresses
    ip_pattern = re.compile(
        r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
    )
    iocs["ips"] = list(set(ip_pattern.findall(deobfuscated_content)))

    # File paths
    path_pattern = re.compile(
        r'[A-Za-z]:\\[^\s\'"<>|]+|'
        r'\\\\[^\s\'"<>|]+|'
        r'%(?:APPDATA|TEMP|USERPROFILE|PROGRAMFILES)%[^\s\'"<>|]*',
        re.IGNORECASE
    )
    iocs["file_paths"] = list(set(path_pattern.findall(deobfuscated_content)))

    # Registry keys
    reg_pattern = re.compile(
        r'(?:HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\s\'"<>|]+)+',
        re.IGNORECASE
    )
    iocs["registry_keys"] = list(set(reg_pattern.findall(deobfuscated_content)))

    # Suspicious commands
    suspicious_cmds = [
        'New-Object Net.WebClient',
        'DownloadString', 'DownloadFile', 'DownloadData',
        'Start-Process', 'Invoke-WebRequest',
        'New-Object IO.MemoryStream',
        'Reflection.Assembly',
        'Add-MpPreference -ExclusionPath',
        'Set-MpPreference -DisableRealtimeMonitoring',
        'New-ScheduledTask', 'Register-ScheduledTask',
    ]
    for cmd in suspicious_cmds:
        if cmd.lower() in deobfuscated_content.lower():
            iocs["commands"].append(cmd)

    return iocs
Validation Criteria
  • All obfuscation layers identified and classified correctly
  • Base64 encoded commands decoded to readable PowerShell
  • Tick-mark and string concatenation obfuscation resolved
  • IEX replacement reveals next-stage payloads
  • URLs, IPs, and file paths extracted from final deobfuscated stage
  • Deobfuscated script matches observed malware behavior in sandbox
References
按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。