Obfuscating Powershell Scripts


qdba

EncDecFiles.ps1

  • Author: (c) 2017 by QDBA
  • Version 1.0

Description

EncDecFiles.ps1 is a PowerShell script to encrypt / decrypt a PowerShell (or any other) file with AES. You can use it to obfuscate your PowerShell script, so AV scanners don't detect it.

Usage:

    EncDecFiles.ps1
        < -Encrypt | -Decrypt >      # encrypt or decrypt a file
        < -In Filename >             # Input File
        [ -Out Filename ]            # Output File
        [ -Pass Password ]           # Password

Example 1

- encdecfiles.ps1 -In c:\test.ps1 -encrypt
	Encrypts file c:\test.ps1 with password "hak5bunny"; the encrypted file is c:\test.enc

Example 2

- encdecfiles.ps1 -In c:\test.ps1 -encrypt -pass secret
	Encrypts file c:\test.ps1 with password "secret"; the encrypted file is c:\test.enc

Example 3

- encdecfiles.ps1 -In c:\test.ps1 -encrypt -Out c:\encrypted-file.aes -pass Secret
	Encrypts file c:\Test.ps1 with password "Secret"; the encrypted file is c:\encrypted-file.aes

Example 4

- encdecfiles.ps1 -In c:\Test.enc -decrypt
	Decrypts an encrypted file c:\test1.enc to c:\test1.ps1 with default password "hak5bunny"

How to run the encrypted powershell script

In the script "Run_Script_Example.ps1" you see an example of how to load and execute the encrypted script. Load the encrypted script into a variable. Then execute the function Run with the variable and a password.

Download

https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles


Powershellmafia did something like this here in Powersploit under "Out-EncryptedScript.ps1".

https://github.com/PowerShellMafia/PowerSploit/tree/master/ScriptModification

 

I used their out-encodedcommand.ps1.  Used parts of it in the BBTPS project I built and made a utility script for people to use that will output just the base64 of the compressed script.

PowershellMafia's encoded scripts use a password and a salt to encrypt it.  The output is a function that when run with the password and salt will expose the plaintext script on output.  Run the output with invoke-expression and there is your script.

 


@PoSHMagiC0de Thanks for your comment. 

This comes from not searching enough. :cool::ohmy::rolleyes:

But now there are 2 scripts for encrypting code. This helps to hide some code from detection by AV.

I just started with PowerShell scripting so it was good for learning.


 

11 hours ago, qdba said:

@PoSHMagiC0de Thanks for your comment. 

This comes from not searching enough. :cool::ohmy::rolleyes:

But now there are 2 scripts for encrypting code. This helps to hide some code from detection by AV.

I just started with PowerShell scripting so it was good for learning.



 

100% agree.  I will never say to not rewrite something to learn about it or improve it.  I rewrite scripts all the time to better suit me and it helps me understand what is going on.  I rewrote reflectivedllinjection and several other inject scripts dozens of times just to see what is happening and trying to duplicate it to see if I understand what is happening.  It is what separates you from being a script kitty.  Keep on scripting everything.  Hard part you will come across (if you are running PowerShell higher than 2.0) is making your scripts 2.0 compatible which is ideal for exploiting since you are not sure what PSVersion the victim is on but know 2.0 is installed by default on all Win7 and higher machines (exception to Windows 10 which has the option to remove it and comes with PS5 by default).  To test your code in a 2.0 environment when you are on PSVersion 4.0 or 5 you will have to start the environment with:

powershell -version 2.0

Then when you run your code you will see what is not PSVersion2 compliant.

Keep at it.  :-)
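On the defensive side, a `powershell -version 2.0` start like the one in the reply above is something process-creation monitoring can flag, since legitimate use of the old engine is rare on current systems. The following is an added example, not code from any poster in this thread: a Python check over process command lines. The function names, host names and sample events are constructed for illustration.

```python
import shlex

# Process names treated as the Windows PowerShell host.
PS_HOSTS = {"powershell", "powershell.exe"}

def _tokens(command_line):
    """Split a Windows command line, keeping backslashes intact."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return command_line.split()

def is_version_flag(token):
    """True for -Version or any prefix of it (-v, -ver, /version, ...)."""
    return (len(token) > 1 and token[0] in "-/"
            and "version".startswith(token[1:].lower()))

def is_v2_downgrade(command_line):
    """True if a PowerShell host is asked to start the 2.0 engine."""
    tokens = _tokens(command_line)
    if not tokens:
        return False
    exe = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in PS_HOSTS:
        return False
    # Deliberately broad: any "-Version 2" pair counts, wherever it appears.
    for flag, value in zip(tokens[1:], tokens[2:]):
        if is_version_flag(flag) and value.strip("\"'") in ("2", "2.0"):
            return True
    return False

def find_downgrades(events):
    """Return the (host, command_line) events that request engine 2.0."""
    return [e for e in events if is_v2_downgrade(e[1])]

# Constructed sample process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("WS-014", "powershell -version 2.0"),
    ("WS-014", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -v 2 -File C:\scripts\inventory.ps1'),
    ("WS-022", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ("WS-022", "powershell.exe -Version 3.0 -Command Get-Date"),
    ("WS-031", "cmd.exe /c echo -version 2"),
]

if __name__ == "__main__":
    for host, cmd in find_downgrades(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: PowerShell 2.0 engine requested: {cmd}")
```

The match is intentionally loose, so expect to tune it against whatever admin tooling in your environment still starts the 2.0 engine on purpose.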

 
