# Original command exactly as captured (one line, suitable for matching against process
# command-line telemetry). The block below is the same command with whitespace restored
# and annotated line by line; the two are meant to agree token for token.
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoProfile -Command "& {function Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1860}"
# Deobfuscated command: the one-line original reformatted with one statement per line.
# (The opening quote of the -Command string is not shown on the next line; the closing
# quote survives at the very end of the block.)
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoProfile -Command
# & is the call operator: it runs the script block in a new child scope, whereas
# Invoke-Expression evaluates a string in the current scope
& {
# Minimal command loop fed by an anonymous pipe whose handle is inherited from the
# launching process. Wire format as read below: an 8-byte header (int32 opcode +
# int32 payload length) followed by <length> bytes of UTF-8 text. Opcode 1 runs the
# text through Invoke-Expression, opcode 9 ends the loop, any other opcode is ignored.
# Defender's view: whoever holds the write end of this pipe can execute arbitrary
# PowerShell inside this process, so the trust boundary is the parent process (this
# page attributes it to the Snow Inventory Agent). The command line itself
# (-NonInteractive -NoProfile -Command with AnonymousPipeClientStream and
# Invoke-Expression) is the artefact to match when hunting or baselining.
function Run-Server(){
# $h is the pipe handle passed as a string; the call at the bottom supplies 1860
param([string]$h)
# 8-byte header buffer, zero-filled
$b = New-Object byte[] 8
# Open the read end of an already existing anonymous pipe from its inherited handle.
# [System.IO.Pipes.PipeDirection]::In - this side of the pipe only reads
# $h - the pipeHandleAsString constructor argument naming the pre-existing handle (1860 here)
#https://docs.microsoft.com/en-us/dotnet/api/system.io.pipes.anonymouspipeclientstream.-ctor?view=netframework-4.7.2#System_IO_Pipes_AnonymousPipeClientStream__ctor_System_IO_Pipes_PipeDirection_System_String_
#https://docs.microsoft.com/en-us/dotnet/api/system.io.pipes.pipedirection?view=netframework-4.7.2#System_IO_Pipes_PipeDirection_In
$p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h)
# Only proceed if a stream object came back. NOTE(review): New-Object normally raises a
# terminating error rather than returning $null on a bad handle, so this guard is
# unlikely to be the path taken on failure - confirm.
if ($p) {
# Read the first 8-byte header; Read returns the number of bytes actually read
#https://docs.microsoft.com/en-us/dotnet/api/system.io.pipes.pipestream.read?view=netframework-4.7.2#System_IO_Pipes_PipeStream_Read_System_Byte___System_Int32_System_Int32_
$l = $p.Read($b, 0, 8)
# Keep looping while a full 8-byte header arrived; a short read or a closed pipe
# (Read returns 0) ends the loop
while ($l -gt 7) {
# Header layout: bytes 0-3 = opcode ($c), bytes 4-7 = payload length ($l), each a
# 32-bit signed integer in native byte order
#https://docs.microsoft.com/en-us/dotnet/api/system.bitconverter.toint32?view=netframework-4.7.2
$c = [System.BitConverter]::ToInt32($b, 0)
$l = [System.BitConverter]::ToInt32($b, 4)
# Payload text; stays $null when the header announces no payload
$t = $null
# Only fetch a payload when the announced length is positive
if ($l -gt 0) {
# Buffer sized by the peer-supplied length - nothing in this code caps it
$t1 = New-Object byte[] $l
# Read up to $l bytes; Read may return fewer than requested and $l becomes the
# actual count, so a short read yields a truncated payload rather than an error
$l = $p.Read($t1, 0, $t1.Length)
# Decode only the bytes actually received as UTF-8 so they can be run as a command string
$t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l)
}
# Opcode 1: evaluate the received text as PowerShell (with $t still $null if the
# header carried no payload)
if ($c -eq 1) {
Invoke-Expression $t
# Opcode 9: leave the loop, which leads to disposing the pipe below
} elseif ($c -eq 9) {
break
}
# Read the next 8-byte header from the pipe
$l = $p.Read($b, 0, 8)
}
# Release the pipe stream and its handle
#https://docs.microsoft.com/en-us/dotnet/api/system.io.stream.dispose?view=netframework-4.7.2#System_IO_Stream_Dispose
$p.Dispose()
}
}
# Start the loop on handle 1860 (presumably assigned by the launching process - verify)
Run-Server -h 1860
}"
This code belongs to Snow Inventory Agent from Snow Software.
Ref: