PowderShell 1.0.3
dotnet add package PowderShell --version 1.0.3
NuGet\Install-Package PowderShell -Version 1.0.3
<PackageReference Include="PowderShell" Version="1.0.3" />
paket add PowderShell --version 1.0.3
#r "nuget: PowderShell, 1.0.3"
// Install PowderShell as a Cake Addin #addin nuget:?package=PowderShell&version=1.0.3 // Install PowderShell as a Cake Tool #tool nuget:?package=PowderShell&version=1.0.3
PowderShell
PowderShell is a powerful tool designed to deobfuscate PowerShell scripts. It quickly and effectively removes layers of obfuscation, revealing the original code for easier analysis and understanding. Ideal for cybersecurity professionals and malware analysts, PowderShell simplifies the process of dissecting and interpreting complex, obfuscated scripts, saving time and improving accuracy in threat detection and response.
Features
- AST Parsing: Leverage the official PowerShell source code parser to generate an Abstract Syntax Tree (AST) from obfuscated scripts.
- Node Analysis: Traverses the AST to identify and address common obfuscation patterns such as string encoding, concatenation, and variable renaming.
- Partial evaluation: Current techniques include:
- Expression Simplification: Simplifies complex expressions to their basic forms.
- Command Resolution: Replaces encoded or obfuscated command invocations with their original commands.
- Reconstruction: Reconstructs the script from the modified AST, producing a cleaned and readable version of the original script.
- Output: Provides the deobfuscated script in a readable format, ready for analysis.
Command Line Interface (CLI) Options
PowderShell can be run from the command line with the following options:
Options
-p, --path
: Specifies the path of the directory or script file(s) to be deobfuscated. You can provide multiple paths.--stdin
: Indicates that the input should be read from the standard input (stdin).-o, --output
: Specifies the output file or directory where the deobfuscated script(s) will be saved. If not provided, the output will be displayed in the console.
Example Usage
Deobfuscate a Single Script File
To deobfuscate a single PowerShell script file and print the output to the console:
powdershell -p "path\to\obfuscated\script.ps1" -o "path\to\output\directory\result.ps1"
Upcoming Features
Partial Evaluation
PowderShell will soon incorporate partial evaluation features. This advanced technique involves executing parts of the script that are safe to run during the deobfuscation process. By evaluating static expressions and known values, the tool can further simplify the script, making it even more readable and accurate in revealing the script's true intent.
How It Works
AST Parsing: The tool parses the obfuscated PowerShell script using the PowerShell SDK parser, generating an AST. This tree structure represents the script's syntax and semantics in a hierarchical manner.
Node Analysis: PowderShell traverses the AST nodes, identifying common obfuscation patterns such as string encoding, concatenation, and variable renaming.
** Partial Evaluation, Semantic Simplification, Code Emulation **:
- String Decryption: Identifies and decodes obfuscated strings, replacing them with their cleartext equivalents.
- Variable Resolution: Resolves and replaces obfuscated variable names with their original or more meaningful names.
- Expression Simplification: Simplifies complex expressions, often used to hide malicious intent, to their basic forms.
- Command Resolution: Replaces encoded or obfuscated command invocations with their original commands.
Reconstruction: Once the obfuscation is removed, PowderShell reconstructs the script from the modified AST, producing a cleaned and readable version of the original script.
Output: The deobfuscated script is then outputted in a readable format, ready for analysis.
Contact
For any questions or suggestions, please open an issue on GitHub
License
This project is licensed under the MIT License - see the LICENSE file for details.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net8.0
- MathNet.Symbolics (>= 0.25.0)
- Microsoft.PowerShell.SDK (>= 7.4.2)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.