Metamorfo PowerShell script cleaner
''' | |
Tested on the sample (Sha256): | |
70e303792d1699fc53b9b3251faf7fc66a070a981972ab64783a1a368e4c96f8 | |
''' | |
import re | |
from base64 import b64decode | |
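# Stage 1: the inline decode idiom found in the sample,
#   $([Text.Encoding]...FromBase64String('<b64>')))
# (presumably `[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...))`).
# Group 1 is the whole expression, group 2 the parenthesised quoted argument "('<b64>')".
# Kept byte-for-byte from the original; note the greedy `.*`, which folds two such calls
# on the same line into a single match.
pattern = r'(\$\(\[Text\.Encoding\].*FromBase64String(\(.*\'\))\)\))'
# Stage 2: a line-leading assignment `$name = value`; group 1 is the variable, group 2 the value.
pattern2 = r'^(\$.*) \= (.*)$'

SRC_PATH = 'metamorfo_stage.ps1'
DST_PATH = 'metamorfo_stage_cln.ps1'


def _decode_call(match: re.Match) -> str:
    """Return the decoded text for one FromBase64String(...) match.

    Returns the matched text unchanged when the payload is not valid base64 or not
    valid UTF-8, so an analyst can see which calls were left encoded instead of the
    run aborting half-way through the file.
    """
    # Group 2 is "('<b64>')". b64decode's lenient (validate=False) mode would discard the
    # quotes and parentheses anyway, which is what the original relied on; strip them explicitly.
    payload = match.group(2).strip("()'\"")
    try:
        return b64decode(payload).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return match.group(0)


def decode_base64_line(line: str) -> str:
    """Replace every inline `$([Text.Encoding]...FromBase64String('...')))` in *line* with its decoded text.

    The decoded text is attacker-controlled, so it is substituted via a callable rather
    than as a re.sub replacement template: a template would treat backslashes (`C:\\Temp`)
    and `\\1`-style sequences in the payload as escapes and either mangle them or raise re.error.
    """
    new_line, count = re.subn(pattern, _decode_call, line)
    if count:
        # Decoding UTF-16LE text as UTF-8 leaves a NUL after every ASCII character; the
        # original stripped them from the substituted line, so keep doing that.
        new_line = new_line.replace('\0', '')
    return new_line


def inline_assignments(text: str) -> str:
    """Substitute each `$var = value` assignment's value for `$var` throughout *text*.

    This reproduces the original heuristic exactly and is deliberately naive: plain
    substring replacement, applied in file order to the whole text (including the
    assignment line itself, which becomes `value = value`), with no word boundary, so
    `$a` also hits inside `$ab` and earlier substitutions can rewrite later names.
    It is meant to flatten string-splitting obfuscation for reading, not to be a parser:
    review the output by hand.
    """
    assignments = []
    for line in text.split('\n'):
        m = re.match(pattern2, line)
        if m:
            assignments.append(m.groups())
    for name, value in assignments:
        text = text.replace(name, value)
    return text


def clean_script(src_path: str = SRC_PATH, dst_path: str = DST_PATH) -> str:
    """Deobfuscate a Metamorfo PowerShell stage and write the result to *dst_path*.

    Stage 1 decodes inline base64 strings line by line, stage 2 inlines variable
    assignments over the whole text. *dst_path* is truncated first: the original opened
    it in append mode, so a second run re-read its own stale output and doubled the file.
    Returns the cleaned text.

    The output is still attacker-written PowerShell with the obfuscation removed. Read it
    in an editor; never execute it, and keep it in the same isolated analysis environment
    as the sample.
    """
    with open(src_path, 'r') as src:
        decoded = ''.join(decode_base64_line(line) for line in src)
    # The original wrote stage 1 to disk and re-read it in text mode, which translated any
    # CRLF inside decoded payloads to LF before stage 2 ran; do the same translation here
    # so `^...$` in pattern2 still sees clean line ends.
    decoded = decoded.replace('\r\n', '\n').replace('\r', '\n')
    cleaned = inline_assignments(decoded)
    with open(dst_path, 'w') as dst:
        dst.write(cleaned)
    return cleaned


if __name__ == '__main__':
    clean_script()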