Decrypting PowerShell Payloads (video)

Published: 2020-11-30
Last Updated: 2020-11-30 10:55:03 UTC
by Didier Stevens (Version: 1)
1 comment(s)

PowerShell scripts are often used to deliver malicious payloads: shellcode, another PowerShell script, reflective DLL, …

And you've probably encountered malicious scripts with an encrypted payload, for example encrypted with AES.

In a video I created, I show how to decrypt a typical encrypted payload with my tools base64dump and translate.

The command I use in the video is: -n 20 -s 2 -d example.ps1.vir | -e "keybase64 = b'zDYGjpptXWqJootb7OdcR/JaGJswRA3EywKlPTHHZMQ='" -s -f "Decrypt" | -f "GzipD"

It chains three stages. base64dump scans the script for base64 strings of at least 20 characters (-n 20), selects the second one (-s 2) and dumps its decoded bytes (-d). translate then defines the key with -e, loads my small decryption script with -s and runs its Decrypt function over the whole input (-f). A second translate invocation runs the built-in GzipD function to decompress the decrypted data.

The content of the decryption script I use in the video is here:

import binascii

from Crypto.Cipher import AES
from Crypto.Util import Padding

# keybase64 is deliberately not defined here: translate's -e option sets it
# on the command line before this script is loaded (see the command above).

def Decrypt(data):
    # Payload layout: a 16-byte IV followed by the AES-CBC ciphertext
    iv = data[0:16]
    ciphertext = data[16:]
    key = binascii.a2b_base64(keybase64)
    oAES = AES.new(key, AES.MODE_CBC, iv)
    # Strip the PKCS#7 padding; a ValueError here usually means a wrong key
    return Padding.unpad(oAES.decrypt(ciphertext), 16)

This small script uses crypto functions from pycryptodome. If the key is wrong, Padding.unpad will usually raise a ValueError rather than return garbage, so a padding error is the first sign that you picked the wrong key or the wrong base64 item.

If you want to try for yourself, I shared the example PowerShell script on pastebin.


Didier Stevens
Senior handler
Microsoft MVP


Nicely done, thank you.