thewhiteninja / deobshell
Powershell script deobfuscation using AST in Python
License: MIT License
The function opt_type_constraint_case(ast) is getting stuck at "Fix typename case from 'string' to 'String'".
It looks like the Element isn't getting replaced properly.
Hello! I'm very thankful you've created deobshell; I was in disbelief that a PowerShell formatter seems to be so difficult to find.
I'm encountering an issue with the "." character as part of a CommandAST node. The original code looks like this:
function Sprjtemalinger($skolepigen) {
. ($Skkestolens) ($skolepigen);
}
The AST looks like this:
<FunctionDefinitionAst Name="Sprjtemalinger">
<Parameters>
<ParameterAst Name="$skolepigen" StaticType="System.Object">
<Attributes />
<VariableExpressionAst VariablePath="skolepigen" StaticType="System.Object" />
</ParameterAst>
</Parameters>
<ScriptBlockAst>
<Attributes />
<UsingStatements />
<NamedBlockAst>
<Statements>
<PipelineAst>
<PipelineElements>
<CommandAst>
<CommandElements>
<ParenExpressionAst StaticType="System.Object">
<PipelineAst>
<PipelineElements>
<CommandExpressionAst>
<VariableExpressionAst VariablePath="Skkestolens" StaticType="System.Object" />
<Redirections />
</CommandExpressionAst>
</PipelineElements>
</PipelineAst>
</ParenExpressionAst>
<ParenExpressionAst StaticType="System.Object">
<PipelineAst>
<PipelineElements>
<CommandExpressionAst>
<VariableExpressionAst VariablePath="skolepigen" StaticType="System.Object" />
<Redirections />
</CommandExpressionAst>
</PipelineElements>
</PipelineAst>
</ParenExpressionAst>
</CommandElements>
<Redirections />
</CommandAst>
</PipelineElements>
</PipelineAst>
</Statements>
</NamedBlockAst>
</ScriptBlockAst>
</FunctionDefinitionAst>
And the reconstructed code looks like this:
function Sprjtemalinger($skolepigen){
($Skkestolens) ($skolepigen);
}
;
Note that the "." character has not been added. I don't have much experience with PowerShell but at a glance, I can't even tell if the generated AST has any provision for this character, so I'm not sure how you could infer that it's meant to be there. I've attached the malicious script in question as a .zip file with the password "infected".
deobshell_format_missing_dot_character.zip
Obviously this is not a major issue, I can just re-add the character after deobfuscation, but I wanted to make this issue in case you know of a solution. Thank you again for making this tool!
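The dot in ". ($Skkestolens) ($skolepigen)" is the dot-sourcing invocation operator. In PowerShell's own AST it is not a separate element: CommandAst exposes it through its InvocationOperator property (a TokenKind of Dot, Ampersand or Unknown), so an XML dump that does not serialize that property cannot reproduce it. The following is an added example, not code from deobshell: it rebuilds the command from the XML in this issue and assumes a hypothetical InvocationOperator attribute on CommandAst carrying those three values.

```python
# Added example (not deobshell code): rebuild a CommandAst's source text,
# honouring an invocation operator when the XML dump carries one.
import xml.etree.ElementTree as ET

# Constructed input: the CommandAst from the issue, plus a hypothetical
# InvocationOperator attribute ("Dot", "Ampersand" or "Unknown"), mirroring
# the TokenKind values of PowerShell's CommandAst.InvocationOperator property.
COMMAND_XML = """
<CommandAst InvocationOperator="Dot">
  <CommandElements>
    <ParenExpressionAst StaticType="System.Object">
      <PipelineAst><PipelineElements><CommandExpressionAst>
        <VariableExpressionAst VariablePath="Skkestolens" StaticType="System.Object" />
        <Redirections />
      </CommandExpressionAst></PipelineElements></PipelineAst>
    </ParenExpressionAst>
    <ParenExpressionAst StaticType="System.Object">
      <PipelineAst><PipelineElements><CommandExpressionAst>
        <VariableExpressionAst VariablePath="skolepigen" StaticType="System.Object" />
        <Redirections />
      </CommandExpressionAst></PipelineElements></PipelineAst>
    </ParenExpressionAst>
  </CommandElements>
  <Redirections />
</CommandAst>
"""

# Source text for each operator value; "Unknown" means a plain command call.
OPERATOR_TEXT = {"Dot": ". ", "Ampersand": "& ", "Unknown": ""}


def rebuild_element(node):
    """Render the subset of node types that appear in the issue's AST."""
    tag = node.tag
    if tag == "VariableExpressionAst":
        return "$" + node.get("VariablePath")
    if tag == "ParenExpressionAst":
        return "(" + rebuild_element(node.find("PipelineAst")) + ")"
    if tag == "PipelineAst":
        parts = [rebuild_element(e) for e in node.find("PipelineElements")]
        return " | ".join(parts)
    if tag == "CommandExpressionAst":
        # The first child is the expression; <Redirections /> follows it.
        return rebuild_element(node[0])
    if tag == "CommandAst":
        elems = [rebuild_element(e) for e in node.find("CommandElements")]
        # Without the attribute the dot is lost, which is exactly the
        # reconstruction shown in the issue.
        op = OPERATOR_TEXT.get(node.get("InvocationOperator", "Unknown"), "")
        return op + " ".join(elems)
    raise ValueError(f"unsupported node {tag}")


def rebuild_command(xml_text):
    """Parse one CommandAst dump and return its reconstructed source line."""
    return rebuild_element(ET.fromstring(xml_text.strip()))


if __name__ == "__main__":
    print(rebuild_command(COMMAND_XML))
```

With the attribute present the rebuilt line is ". ($Skkestolens) ($skolepigen)"; with it removed the output degrades to "($Skkestolens) ($skolepigen)", matching the issue. For a deobfuscation tool the distinction matters, since dot-sourcing runs the target in the caller's scope while the call operator does not.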
cst_string_node.text can be None, so trying to do
member = cst_string_node.text.lower()
will crash in this case.
Fix:
Just insert
if cst_string_node.text is None: continue
in between
for cst_string_node in node.findall("StringConstantExpressionAst"):
and
member = cst_string_node.text.lower()
Hi again,
Encountered another issue with a specific sample.
[git_134.ps1.txt](https://github.com/thewhiteninja/deobshell/files/10772069/git_134.ps1.txt)
See Trace Below:
[02-17-2023 17:32:44] [DEBUG] Replace pipeline with single elements by CommandAst
[02-17-2023 17:32:44] [DEBUG] Remove unassigned variable use 'False'
[02-17-2023 17:32:44] [DEBUG] Remove unassigned variable use 'False'
[02-17-2023 17:32:44] [DEBUG] Remove unassigned variable use 'ServiceName'
Traceback (most recent call last):
File "deobshell\main.py", line 86, in <module>
main()
File "deobshell\main.py", line 75, in main
deob(OPTIONS['input'])
File "deobshell\main.py", line 52, in deob
o.optimize(ast)
File "deobshell\modules\optimize.py", line 78, in optimize
while optimize_pass(ast):
File "deobshell\modules\optimize.py", line 63, in optimize_pass
if opt(ast):
File "deobshell\modules\optimizations\binary_expressions.py", line 75, in opt_binary_expression_replace
formatted = target.replace(argument_values[0], argument_values[1])
AttributeError: 'NoneType' object has no attribute 'replace'
Please let me know if there is any way I can help.
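The two reports above (the .lower() crash and the .replace() crash) share a cause: the text of a string-constant node is None. In ElementTree an element with no content, such as <StringConstantExpressionAst></StringConstantExpressionAst>, has text None, so an empty PowerShell string '' is one way that value arises. The following is an added example, not deobshell's code: a constant-folding pass for the -replace operator over a constructed XML dump that treats a missing text as the empty string and declines to fold when an operand is not a constant. The element layout (an Operator attribute on BinaryExpressionAst, an ArrayLiteralAst with Elements on the right-hand side) is assumed, not taken from deobshell.

```python
# Added example (not deobshell code): constant-fold "-replace" binary
# expressions in an XML AST dump, guarding the None-text case from the traceback.
import re
import xml.etree.ElementTree as ET

# Constructed input. Assumed layout: the string value lives in the element text,
# the operator in an "Operator" attribute, and the right-hand operand is an
# ArrayLiteralAst with two StringConstantExpressionAst children. The second
# expression has an empty string constant, which ElementTree reports as
# text == None; the third has a variable target and must not be folded.
SAMPLE_XML = """
<Statements>
  <BinaryExpressionAst Operator="Ireplace">
    <StringConstantExpressionAst StringConstantType="SingleQuoted">IEX (Nxw-Object)</StringConstantExpressionAst>
    <ArrayLiteralAst><Elements>
      <StringConstantExpressionAst StringConstantType="SingleQuoted">Nxw</StringConstantExpressionAst>
      <StringConstantExpressionAst StringConstantType="SingleQuoted">New</StringConstantExpressionAst>
    </Elements></ArrayLiteralAst>
  </BinaryExpressionAst>
  <BinaryExpressionAst Operator="Ireplace">
    <StringConstantExpressionAst StringConstantType="SingleQuoted"></StringConstantExpressionAst>
    <ArrayLiteralAst><Elements>
      <StringConstantExpressionAst StringConstantType="SingleQuoted">a</StringConstantExpressionAst>
      <StringConstantExpressionAst StringConstantType="SingleQuoted">b</StringConstantExpressionAst>
    </Elements></ArrayLiteralAst>
  </BinaryExpressionAst>
  <BinaryExpressionAst Operator="Ireplace">
    <VariableExpressionAst VariablePath="x" StaticType="System.Object" />
    <ArrayLiteralAst><Elements>
      <StringConstantExpressionAst StringConstantType="SingleQuoted">a</StringConstantExpressionAst>
      <StringConstantExpressionAst StringConstantType="SingleQuoted">b</StringConstantExpressionAst>
    </Elements></ArrayLiteralAst>
  </BinaryExpressionAst>
</Statements>
"""


def string_constant_value(node):
    """Return the constant's text, or None when the node is not a string
    constant. An empty element has text None in ElementTree, so an empty
    PowerShell string '' is normalised to "" instead of crashing later."""
    if node is None or node.tag != "StringConstantExpressionAst":
        return None
    return node.text or ""


def fold_replace(binexp):
    """Fold one BinaryExpressionAst in place; return True if it was folded."""
    if binexp.get("Operator") != "Ireplace" or len(binexp) != 2:
        return False
    target = string_constant_value(binexp[0])
    args = binexp[1].find("Elements") if binexp[1].tag == "ArrayLiteralAst" else None
    if target is None or args is None or len(args) != 2:
        return False
    pattern, replacement = (string_constant_value(a) for a in args)
    # -replace is a case-insensitive regex; .NET's "$1" replacement syntax is
    # not translated here, so only fold when the replacement is plain text.
    if pattern is None or replacement is None or "$" in replacement:
        return False
    try:
        folded = re.sub(pattern, replacement, target, flags=re.IGNORECASE)
    except re.error:
        return False
    # Turn the expression into a single string constant carrying the result.
    binexp.tag = "StringConstantExpressionAst"
    binexp.attrib.clear()
    binexp.set("StringConstantType", "SingleQuoted")
    for child in list(binexp):
        binexp.remove(child)
    binexp.text = folded
    return True


def fold_all(xml_text):
    """Fold every -replace in the dump; return (count, [(tag, text), ...])."""
    root = ET.fromstring(xml_text.strip())
    count = sum(fold_replace(n) for n in list(root.iter("BinaryExpressionAst")))
    return count, [(n.tag, (n.text or "").strip()) for n in root]


if __name__ == "__main__":
    print(fold_all(SAMPLE_XML))
```

The first expression folds to "IEX (New-Object)", the second to an empty constant rather than an AttributeError, and the third is left alone because its target is a variable. Normalising None to "" at the point where the constant is read is cheaper than adding a guard to every optimization that consumes it.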
Hello TheWhiteNinja,
Thanks for the great project!
I'm trying to use this and finding that some common malware samples aren't being handled. Specifically things like this:
(New-Object System.IO.StreamReader
@(
(New-Object System.IO.Compression.DeflateStream
@([System.IO.MemoryStream][Convert]::FromBase64String("...base64-string..."),
[IO.Compression.CompressionMode]::Decompress
)
),
[System.Text.Encoding]::ASCII
)
).ReadToEnd() | Invoke-Expression;
I've been thinking about how to add support for this. After digging a bit, I think there are two problems:
I'm going to try to add these in some way. But if you have any hints or thoughts about how this would best fit into the current code, I would very much appreciate a hint!
For the pipeline input into Invoke-Expression I think the easiest way would be to add support in opt_invoke_expression to match parent nodes of the AST to see if it's a member of a pipeline, and if the preceding element is a string constant. Actually, this could just be a separate optimization to rewrite this to Invoke-Expression("...the-string-constant...") | ... <the rest of pipeline>.
Or maybe it would be best as a pipeline optimization? Any pipeline of the form string-constant | command rewrites to command string-constant?
I haven't yet decided what to do with the base64+deflate -> string constant step.
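The two rewrites sketched in this issue, as an added example rather than deobshell's own code: a pipeline pass that turns "string-constant | command" into "command string-constant", and the [Convert]::FromBase64String + DeflateStream step reversed in Python so the result can become a string constant. The XML layout (constant text in the element body, a BareWord StringConstantExpressionAst as the command name) is assumed; the encoded sample is constructed inside the block.

```python
# Added example (not deobshell code): the two rewrites discussed in the issue,
# applied to a constructed XML AST dump.
import base64
import xml.etree.ElementTree as ET
import zlib

# Constructed pipeline: 'Write-Host hi' | Invoke-Expression. Assumed layout:
# constant text lives in the element body and a command carries a BareWord
# StringConstantExpressionAst as its first CommandElement.
PIPELINE_XML = """
<PipelineAst>
  <PipelineElements>
    <CommandExpressionAst>
      <StringConstantExpressionAst StringConstantType="SingleQuoted">Write-Host hi</StringConstantExpressionAst>
      <Redirections />
    </CommandExpressionAst>
    <CommandAst>
      <CommandElements>
        <StringConstantExpressionAst StringConstantType="BareWord">Invoke-Expression</StringConstantExpressionAst>
      </CommandElements>
      <Redirections />
    </CommandAst>
  </PipelineElements>
</PipelineAst>
"""


def rewrite_constant_pipe(pipeline):
    """Rewrite 'string-constant | command' into 'command string-constant'.
    Returns True when the pipeline was changed."""
    elements = pipeline.find("PipelineElements")
    if elements is None or len(elements) < 2:
        return False
    first, second = elements[0], elements[1]
    if first.tag != "CommandExpressionAst" or second.tag != "CommandAst":
        return False
    const = first[0] if len(first) else None
    if const is None or const.tag != "StringConstantExpressionAst":
        return False
    # The constant becomes the command's last positional argument.
    second.find("CommandElements").append(const)
    elements.remove(first)
    return True


def command_text(pipeline):
    """Render a pipeline made only of CommandAst nodes as source text."""
    parts = []
    for cmd in pipeline.find("PipelineElements"):
        words = []
        for el in cmd.find("CommandElements"):
            text = el.text or ""
            if el.get("StringConstantType") == "BareWord":
                words.append(text)
            else:
                words.append("'" + text.replace("'", "''") + "'")
        parts.append(" ".join(words))
    return " | ".join(parts)


def rewrite_and_render(xml_text):
    """Apply the pipeline rewrite to a dump and return the resulting source."""
    root = ET.fromstring(xml_text.strip())
    rewrite_constant_pipe(root)
    return command_text(root)


def decode_base64_deflate(b64_text, encoding="ascii"):
    """Reverse [Convert]::FromBase64String followed by DeflateStream(Decompress).
    .NET's DeflateStream is raw deflate without a zlib header, hence wbits=-15."""
    raw = base64.b64decode(b64_text)
    return zlib.decompress(raw, -15).decode(encoding)


def encode_base64_deflate(text, encoding="ascii"):
    """Constructed-sample helper: produce the blob such a stage would carry."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(text.encode(encoding)) + comp.flush()
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    print(rewrite_and_render(PIPELINE_XML))
    blob = encode_base64_deflate("Write-Host hi")
    print(blob, "->", decode_base64_deflate(blob))
```

The rewritten pipeline renders as Invoke-Expression 'Write-Host hi', which is the shape an existing Invoke-Expression optimization can already consume. wbits=-15 is the raw-deflate setting that matches System.IO.Compression.DeflateStream; a sample that uses GZipStream instead needs wbits=31, and the text encoding should follow whatever the script passes to the StreamReader.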