Closed krsecurity closed 2 years ago
Thanks a lot for the feedback! In order for a script to be successfully de-obfuscated by PowerDecode, there must be no errors in the code. In this case, the code contains some errors that trigger at runtime:

1. iex's argument is not specified correctly
2. the "\" string must not be at the end

Applying these corrections to the script, PowerDecode generates this report: PowerDecode_report_32c25eb9-eedc-4296-9797-943b4fb8ec0d.txt

As you can see, 2 obfuscation layers have been removed. The last layer contains plaintext PowerShell code, but some instructions are hidden in variables. PowerDecode actually does not handle these cases in automatic mode, but I am thinking of a solution to automatically replace variable names with their contents.
Hi,
First off, fantastic idea and I hope this is successful as I'm sure it will be.
However, it seems like it doesn't support a number of different obfuscation techniques, such as character replacement via variables, or it doesn't appear to interpret ampersands correctly, etc. PowerDecode_report_94e0dfb6-898b-4000-8199-f804f9017a5a.txt

Appreciate the feedback; willing to help improve the tool. P.S. I've just attached one example but there are others.
Thanks
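A single analysis pass of the kind both comments above describe: inlining string variables so the instruction hidden in the last layer becomes readable, and resolving `& $cmd` once `$cmd` is known. This is an added Python example, not PowerDecode's code; the sample script and the regex-based, deliberately conservative rules are assumptions, and any line it cannot resolve is kept unchanged rather than guessed.

```python
import re

# Constructed sample (not from the issue): a benign command split across string
# variables, rebuilt with '+', and invoked through the call operator '&'.
SAMPLE = r"""
$a = 'Wri'
$b = 'te-Ou'
$c = "tput"
$cmd = $a + $b + $c
& $cmd 'hello from a hidden instruction'
"""

ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*$")
# Only plain literals: single-quoted, or double-quoted without $, ` or "
LITERAL = re.compile(r"^(?:'([^']*)'|\"([^\"$`]*)\")$")

def literal_value(expr):
    """Return the string inside a quoted literal, or None if it is not one."""
    m = LITERAL.match(expr.strip())
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def fold_concat(expr, env):
    """Fold 'a' + $b + "c" into one string; None if any operand is unknown."""
    out = []
    for part in (p.strip() for p in expr.split("+")):
        if part.startswith("$") and part[1:] in env:
            out.append(env[part[1:]])
        else:
            lit = literal_value(part)
            if lit is None:          # unknown operand: leave the line alone
                return None
            out.append(lit)
    return "".join(out)

def inline_variables(script):
    """Return (rewritten script, resolved variables) after one pass over script."""
    env, kept = {}, []
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if m:
            val = fold_concat(m.group(2), env)
            if val is not None:
                env[m.group(1)] = val    # assignment resolved: drop the line
                continue
        for name, val in env.items():    # replace $name with its literal value
            quoted = "'" + val.replace("'", "''") + "'"
            line = re.sub(r"\$" + name + r"\b", lambda _: quoted, line)
        # & 'Name' args  ->  Name args  (only for simple command names)
        line = re.sub(r"^(\s*)&\s*'([\w\-]+)'", r"\1\2", line)
        kept.append(line)
    return "\n".join(l for l in kept if l.strip()), env
```

Run on SAMPLE it yields `Write-Output 'hello from a hidden instruction'`; an assignment whose right-hand side is not a literal or known-variable concatenation (e.g. a cmdlet call) is preserved as-is.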