Last Updated: 2020-11-30 10:55:03 UTC
by Didier Stevens (Version: 1)
PowerShell scripts are often used to deliver malicious payloads: shellcode, another PowerShell script, reflective DLL, …
And you've probably encountered malicious scripts with an encrypted payload, for example encrypted with AES.
The command I use in the video is:
base64dump.py -n 20 -s 2 -d example.ps1.vir | translate.py -e "keybase64 = b'zDYGjpptXWqJootb7OdcR/JaGJswRA3EywKlPTHHZMQ='" -s decrypt.py -f "Decrypt" | translate.py -f "GzipD"
The content of decrypt.py I use in the video is here:
from Crypto.Cipher import AES
from Crypto.Util import Padding
iv = data[0:16]
ciphertext = data[16:]
key = binascii.a2b_base64(keybase64)
oAES = AES.new(key, AES.MODE_CBC, iv)
return Padding.unpad(oAES.decrypt(ciphertext), 16)
This small script uses crypto functions from pycryptodome.
If you want to try for yourself, I shared the example PowerShell script on pastebin.