thewhiteninja / deobshell Goto Github PK

the function opt_type_constraint_case(ast) is getting stuck at "Fix typename case from 'string' to 'String'"
It looks like the Element isn't getting replaced properly

Hello! I'm very thankful you've created deobshell; I was in disbelief that a PowerShell formatter seems to be so difficult to find.

I'm encountering an issue with the "." character as part of a CommandAST node. The original code looks like this:

function Sprjtemalinger($skolepigen) {
    . ($Skkestolens) ($skolepigen);
}

The AST looks like this:

<FunctionDefinitionAst Name="Sprjtemalinger">
  <Parameters>
    <ParameterAst Name="$skolepigen" StaticType="System.Object">
      <Attributes />
      <VariableExpressionAst VariablePath="skolepigen" StaticType="System.Object" />
    </ParameterAst>
  </Parameters>
  <ScriptBlockAst>
    <Attributes />
    <UsingStatements />
    <NamedBlockAst>
      <Statements>
        <PipelineAst>
          <PipelineElements>
            <CommandAst>
              <CommandElements>
                <ParenExpressionAst StaticType="System.Object">
                  <PipelineAst>
                    <PipelineElements>
                      <CommandExpressionAst>
                        <VariableExpressionAst VariablePath="Skkestolens" StaticType="System.Object" />
                        <Redirections />
                      </CommandExpressionAst>
                    </PipelineElements>
                  </PipelineAst>
                </ParenExpressionAst>
                <ParenExpressionAst StaticType="System.Object">
                  <PipelineAst>
                    <PipelineElements>
                      <CommandExpressionAst>
                        <VariableExpressionAst VariablePath="skolepigen" StaticType="System.Object" />
                        <Redirections />
                      </CommandExpressionAst>
                    </PipelineElements>
                  </PipelineAst>
                </ParenExpressionAst>
              </CommandElements>
              <Redirections />
            </CommandAst>
          </PipelineElements>
        </PipelineAst>
      </Statements>
    </NamedBlockAst>
  </ScriptBlockAst>
</FunctionDefinitionAst>

And the reconstructed code looks like this:

function Sprjtemalinger($skolepigen){
   ($Skkestolens) ($skolepigen);
}
;

Note that the "." character has not been added. I don't have much experience with PowerShell but at a glance, I can't even tell if the generated AST has any provision for this character, so I'm not sure how you could infer that it's meant to be there. I've attached the malicious script in question as a .zip file with the password "infected".
deobshell_format_missing_dot_character.zip

Obviously this is not a major issue, I can just re-add the character after deobfuscation, but I wanted to make this issue in case you know of a solution. Thank you again for making this tool!

cst_string_node.text can be None, so trying to do
member = cst_string_node.text.lower() will crash in this case

Fix:
just insert
if cst_string_node.text is None: continue
inbetween
for cst_string_node in node.findall("StringConstantExpressionAst"):
and
member = cst_string_node.text.lower()

Hi again,

Encountered another issue with a specific sample.

[git_134.ps1.txt](https://github.com/thewhiteninja/deobshell/files/10772069/git_134.ps1.txt

See Trace Below:

[02-17-2023 17:32:44] [DEBUG] Replace pipeline with single elements by CommandAst
[02-17-2023 17:32:44] [DEBUG] Remove unassigned variable use 'False'
[02-17-2023 17:32:44] [DEBUG] Remove unassigned variable use 'False'
[02-17-2023 17:32:44] [DEBUG] Remove unassigned variable use 'ServiceName'
Traceback (most recent call last):
  File "deobshell\main.py", line 86, in <module>
    main()
  File "deobshell\main.py", line 75, in main
    deob(OPTIONS['input'])
  File "deobshell\main.py", line 52, in deob
    o.optimize(ast)
  File "deobshell\modules\optimize.py", line 78, in optimize
    while optimize_pass(ast):
  File "deobshell\modules\optimize.py", line 63, in optimize_pass
    if opt(ast):
  File "deobshell\modules\optimizations\binary_expressions.py", line 75, in opt_binary_expression_replace
    formatted = target.replace(argument_values[0], argument_values[1])
AttributeError: 'NoneType' object has no attribute 'replace'

Please let me know if there is any way I can help.

Hello TheWhiteNinja,
Thanks for the great project!

I'm trying to use this and finding that some common malware samples aren't being handled. Specifically things like this:

(New-Object System.IO.StreamReader 
   @(
     (New-Object System.IO.Compression.DeflateStream 
       @([System.IO.MemoryStream][Convert]::FromBase64String("...base64-string..."), 
         [IO.Compression.CompressionMode]::Decompress
        )
     ),
     [System.Text.Encoding]::ASCII
    )
).ReadToEnd() | Invoke-Expression;

I've been thinking about how to add support for this. After digging a bit, I think there are two problems:

• there is support for Invoke-Expression but it is currently only expecting script body in the first argument
• there is no support for applying base64 decoding and decompressions statically

I'm going to try to add these in some way. But if you have any hints or thoughts about how this would best fit into the current code, I would very much appreciate a hint!

For the pipeline input into Invoke-Expression I think the easiest way would be to add support in opt_invoke_expression to match parent nodes of the AST to see if it's a member of a pipeline, and if the preceding element is a string constant. Actually, this could just be a separate optimization to rewrite this to Invoke-Expression("...the-string-constant...") | ... <the rest of pipeline>.
Or maybe it would be best as a pipeline optimization? Any pipeline of the form string-constant | command rewrites to command string-constant?

I haven't yet decided what to do with the base64+deflate -> string constant step.