PowerDecode is a PowerShell-based tool for de-obfuscating PowerShell scripts obfuscated across multiple layers in different obfuscation forms including:
- String concatenate/reorder/reverse/replace
- Base64 encoding
- ASCII encoding
- Compression deflate/GZIP
The tool performs also code dynamic analysis, gathering useful informations about malware activity including:
- HTTP response status of URLs
- Declared variables
- Payloads download attempts
- Attempts to start processes
- Shellcode injection attempts
WARNING:
- Dynamic analysis requires script execution. Use the tool only in a isolated execution environment ( VirtualBox for example)
- Before de-obfuscating make sure the script is executable (automatic de-obfuscation process fails if script contains some syntax errors)
- Windows Defender might avoid the tool from working properly. Disable it temporarily if necessary.
REQUIREMENTS:
- Windows PowerShell v5.1
- OS Windows 10 64 bit
-
Enable scripts execution: launch PowerShell as Administrator and run the command:
Set-ExecutionPolicy bypass
-
If it doesn't work, open Registry Editor as Administrator and go to:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell
Set the parameter "ExecutionPolicy" on value "Bypass"
-
Disable any antivirus software in order to allow the tool to analyze malware without interruption.
-
Click on PowerDecode.bat to start the GUI
PowerDecode can work in two different modes:
- Automatic decode mode
- Manual decode mode
Obfuscation layers of an input script are automatically detected and removed. A dynamic analysis is performed on the final layer. The following options are available:
- [1]-Decode a script from a single file: takes as input a file to analyze and a folder to save the report file (if this last is not set, report file will be saved in the PowerDecode folder)
- [2]-Decode multiple scripts from a folder: takes as input a folder containg some files to analyze and a folder to save the report files (if this last is not set, report files will be saved in the PowerDecode folder)
- [0]-Go back: returns to the previous menu
User can select a set of tasks to perform on an input script to manually remove obfuscation layers. The following options are available:
- [1]-Decode script by regex: regular expression supported by PowerDecode are applied to the input string to remove a single obfuscation layer
- [2]-Decode script by IEX overriding: input string is executed in a local environment where Invoke-Expression cmdlet is replaced with Write-Output cmdlet (might execute malicious actions!)
- [3]-Decode base64 encoding: removes base64 encoding
- [4]-Decode deflate payload: removes deflatestream compression
- [5]-Decode GZIP payload: removes GZIPstream compression
- [6]-Replace a string (raw): replaces a piece of the loaded script with a substring entered by the user
- [7]-Replace a string (evaluate): replaces a piece of the loaded script with its execution output (might execute malicious actions!)
- [8]-URLs analysis: extracts URLs and checks their HTTP response status code
- [9]-Get variables content: extracts declared variables and shows their names and contents (might execute malicious actions!)
- [10]-Shellcode check: extracts shellcode as hexadecimal instructions. This feature could be efficiently integrated with SCDBG. In order to activate the debugger, the scdbg.exe file must be placed on the PowerDecode\ folder
- [11]-Perform static analysis and get VirusTotal rating: Analyzes the code without executing it and provides a description of the malware. If the API key is set shows the VirusTotal rating of the malware via API call
- [12]-Undo last decoding task: deletes the last layer of code obtained
- [13]-Report preview: shows all collected data as it will be saved on the report file
- [14]-Store and export report file: saves all collected data on a .txt report file and stores the sample in the MalwareRepository.db
- [0]-Go back: returns to the previous menu
PowerDecode includes a malware database( MalwareRepository.db) based on LiteDB. On this section, following options are available:
- [1]-Query DB for a script: checks if a script from an input file is stored on DB and if it is present, shows its de-obfuscated version
- [2]-Query DB for a URL: checks if an input URL is stored on DB and also shows stored malwares that connect to it
- [3]-Query DB for a shellcode: checks if an input shellcode(string of hex values) is stored on DB and if it is present shows stored malwares that inject it
- [4]-Malware statistics: shows some statistics about malware samples stored on MalwareRepository.db
- [5]-Export all original scripts: allows to export all orginal malware samples from MalwareRepository.db to an output folder. Each sample will be saved on a .txt file. WARNING: use this feature only on a isolated execution environment, exported files are malicious!
- [6]-Export all URLs: allows to export all stored URLs from MalwareRepository.db to an output file
- [6]-Export all Shellcodes: allows to export all stored shellcodes from MalwareRepository.db to an output folder. Each sample will be saved on a .txt file
- [0]-Go back: returns to the previous menu
Following parameters can be set:
- [1]-Switch storage mode: if it is set to "Enabled" analyzed scripts will be stored on MalwareRepository.db
- [2]-Switch step-by-step mode: if it is set to "Enabled", decoding multiple scripts from a folder, the user is asked for confirmation before continuing with the analysis of the next file
- [3]-Set VirusTotal API key: allows to load a VirusTotal API key to interact with the VirusTotal API
- [4]-Set execution timeout: allows to set the maximum time limit in seconds of script execution during de-obfuscation process
- [5]-Switch logging mode: if it is set to "Enabled" log files are saved on the package\logs folder
GPL-3.0
G. M. Malandrone, G. Virdis, G. Giacinto , D. Maiorca. PowerDecode: a PowerShell Script Decoder Dedicated to Malware Analysis. 5th Italian Conference on CyberSecurity (ITASEC), 2021.