Malandrone / PowerDecode

PowerDecode is a PowerShell-based tool for deobfuscating PowerShell scripts that have been obfuscated across multiple layers. The tool performs dynamic code analysis, extracting malware-hosting URLs and checking their HTTP responses. It can also detect whether the malware attempts to inject shellcode into memory.
GNU General Public License v3.0

File Reading breaks Syntax #2

Open mpass99 opened 10 months ago

mpass99 commented 10 months ago

Great tool! It makes the hassle of deobfuscation so much easier. The main functionality of deobfuscation worked great. However, I had to spend quite some time debugging the tool itself...

As a reference feel free to have a look at the PS script of the HackTheBox "Red Failure" Challenge.

  1. Whenever selecting the file, the tool throws a syntax error. Not because the original script contains such a syntax error, but because when loading the file every line break gets removed. See: https://github.com/Malandrone/PowerDecode/blob/5200a9812c484326c1a66f40ef6093c94753ecdd/package/GetScriptFromFileFunctions.ps1#L36-L38
  2. Some of the tests produce errors that should be handled/communicated in a more helpful manner.
  3. When printing the variable content, long contents get truncated (even in the report itself).

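The first point above describes a classic file-loading pitfall: reading a script as an array of lines and gluing them back together without separators turns two valid statements into one invalid token stream. The following PowerShell illustration is added here and is not PowerDecode's code or part of this issue; it does not reproduce the project's actual reading routine (which is not shown on this page), so the two `Read-Script*` functions, the temp file name, and the sample script are all constructed for the demonstration.

```powershell
# Added illustration (not PowerDecode's code): why joining a script's lines
# without separators produces syntax errors the original never had, and how
# to read the file with its line breaks intact.

# Constructed sample script: two harmless statements on separate lines.
$sampleScript = @'
$greeting = 'hello'
$count = 1
Write-Output "$greeting $count"
'@
$path = Join-Path $env:TEMP 'powerdecode-linebreak-demo.ps1'   # assumed scratch location
Set-Content -Path $path -Value $sampleScript

# Hypothetical lossy reader: Get-Content yields one string per line, and
# -join '' concatenates them with no separator, so line boundaries vanish.
function Read-ScriptLossy {
    param([string]$Path)
    return ((Get-Content -Path $Path) -join '')
}

# Line-preserving reader: -Raw returns the whole file as a single string,
# newlines included, so statement boundaries survive.
function Read-ScriptIntact {
    param([string]$Path)
    return (Get-Content -Path $Path -Raw)
}

# Sanity check before passing text on to any deobfuscation layer: run the
# built-in parser and report the first parse error, if any.
function Test-ScriptParses {
    param([string]$Source)
    $tokens = $null
    $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseInput($Source, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        return "FAIL: $($errors[0].Message)"
    }
    return 'OK'
}

$lossy  = Read-ScriptLossy  -Path $path
$intact = Read-ScriptIntact -Path $path

Write-Output "Lossy read  : $(Test-ScriptParses $lossy)"    # reports an unexpected-token error
Write-Output "Intact read : $(Test-ScriptParses $intact)"   # reports OK

Remove-Item -Path $path -ErrorAction SilentlyContinue
```

The parse check is the useful part for a tool like this: validating the loaded text with `Parser::ParseInput` before any layer is executed distinguishes "the sample is genuinely malformed" from "our loader mangled it", which is exactly the ambiguity the report describes.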
Malandrone commented 9 months ago

Hi mpass99! Thank you so much for your feedback. I am aware of both the syntax errors related to putting the script on one line and the truncated values in variable contents.
I'm currently finishing testing version 2.7 where all these problems have been solved.

Malandrone commented 9 months ago

Here is the PS script of the HackTheBox "Red Failure" Challenge analyzed with PowerDecode v2.7: PowerDecode_report_ED54D942215A20864C12DFBE35944D8049705E5072C73228B2BDEF15C14EABAC.txt

mpass99 commented 9 months ago

That's awesome! Thanks for your response! Love to hear that this tool is still being improved!