Decrypting PowerShell Payloads (video)

PowerShell scripts are often used to deliver malicious payloads: shellcode, another PowerShell script, reflective DLL, …

And you've probably encountered malicious scripts with an encrypted payload, for example encrypted with AES.

In a video I created, I show how to decrypt a typical encrypted payload with my tools base64dump and translate.

The command I use in the video is: -n 20 -s 2 -d example.ps1.vir | -e "keybase64 = b'zDYGjpptXWqJootb7OdcR/JaGJswRA3EywKlPTHHZMQ='" -s -f "Decrypt" | -f "GzipD"

The content of I use in the video is here:

from Crypto.Cipher import AES
from Crypto.Util import Padding

def Decrypt(data):
    iv = data[0:16]
    ciphertext = data[16:]
    key = binascii.a2b_base64(keybase64)
    oAES =, AES.MODE_CBC, iv)
    return Padding.unpad(oAES.decrypt(ciphertext), 16)

This small script uses crypto functions from pycryptodome.

If you want to try for yourself, I shared the example PowerShell script on pastebin.


Didier Stevens
Senior handler
Microsoft MVP


676 Posts
ISC Handler
Nov 30th 2020
Nicely done, thank you.

Sign Up for Free or Log In to start participating in the conversation!