qdba
Posted April 24, 2017

EncDecFiles.ps1
Author: (c) 2017 by QDBA
Version 1.0

Description

EncDecFiles.ps1 is a PowerShell script to encrypt / decrypt a PowerShell (or any other) file with AES. You can use it to obfuscate your PowerShell script, so AV scanners don't detect it.

Usage:

    EncDecFiles.ps1
        < -Encrypt | -Decrypt >   # encrypt or decrypt a file
        < -In Filename >          # Input File
        [ -Out Filename ]         # Output File
        [ -Pass Password ]        # Password

Example 1 - encdecfiles.ps1 -In c:\test.ps1 -encrypt
Encrypts file c:\test.ps1 with password "hak5bunny"; the encrypted file is c:\test.enc

Example 2 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -pass secret
Encrypts file c:\test.ps1 with password "secret"; the encrypted file is c:\test.enc

Example 3 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -Out c:\encrypted-file.aes -pass Secret
Encrypts file c:\Test.ps1 with password "Secret"; the encrypted file is c:\encrypted-file.aes

Example 4 - encdecfiles.ps1 -In c:\Test.enc -decrypt
Decrypts an encrypted file c:\test1.enc to c:\test1.ps1 with default password "hak5bunny"

How to run the encrypted PowerShell script

In the script "Run_Script_Example.ps1" you see an example of how to load and execute the encrypted script. Load the encrypted script into a variable. Then execute the function Run with the variable and a password.

Download
https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles

PoSHMagiC0de
Posted April 24, 2017

PowerShellMafia did something like this here in PowerSploit under "Out-EncryptedScript.ps1".

https://github.com/PowerShellMafia/PowerSploit/tree/master/ScriptModification

I used their out-encodedcommand.ps1. I used parts of it in the BBTPS project I built and made a utility script for people to use that will output just the base64 of the compressed script.

PowerShellMafia's encoded scripts use a password and a salt to encrypt it. The output is a function that, when run with the password and salt, will expose the plaintext script on output. Run the output with invoke-expression and there is your script.

qdba
Posted April 25, 2017

@PoSHMagiC0de

Thanks for your comment. This comes from not searching enough. But now there are 2 scripts for encrypting code. This helps to hide some code from detection by AV. I just started with PowerShell scripting, so it was good for learning.

Edited April 25, 2017 by qdba

PoSHMagiC0de
Posted April 25, 2017

11 hours ago, qdba said:
> @PoSHMagiC0de
> Thanks for your comment. This comes from not searching enough. But now there are 2 scripts for encrypting code. This helps to hide some code from detection by AV. I just started with PowerShell scripting, so it was good for learning.

100% agree. I will never say to not rewrite something to learn about it or improve it. I rewrite scripts all the time to better suit me and it helps me understand what is going on. I rewrote reflectivedllinjection and several other inject scripts dozens of times just to see what is happening and trying to duplicate it to see if I understand what is happening. It is what separates you from being a script kitty.

Keep on scripting everything. The hard part you will come across (if you are running PowerShell higher than 2.0) is making your scripts 2.0 compatible, which is ideal for exploiting since you are not sure what PSVersion the victim is on but know 2.0 is installed by default on all Win7 and higher machines (exception to Windows 10, which has the option to remove it and comes with PS5 by default). To test your code in a 2.0 environment when you are on PSVersion 4.0 or 5 you will have to start the environment with:

    powershell -version 2.0

Then when you run your code you will see what is not PSVersion2 compliant.

Keep at it. :-)
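
The `powershell -version 2.0` invocation mentioned in the post above is also something defenders look for in process-creation logs. The following is an added example, not code from any poster in this thread: a PowerShell function that flags command lines starting the 2.0 engine. The pattern, the function name `Test-PSv2Downgrade` and the sample command lines are constructed for illustration.

```powershell
# Added example: flag process command lines that request the PowerShell 2.0 engine.
# $DowngradePattern, Test-PSv2Downgrade and all sample lines are constructed here.

# powershell.exe accepts shortened forms of -Version (-v, -ve, -ver, ...) and
# '/' as well as '-' as the parameter marker, so the pattern covers each prefix.
# The lookahead keeps values such as 20 or 2.5 from matching.
$DowngradePattern = '(?i)\bpowershell(?:\.exe)?\b.*?\s[-/]v(?:e(?:r(?:s(?:i(?:o(?:n)?)?)?)?)?)?\s+["'']?2(?:\.0)?(?![\d.])'

function Test-PSv2Downgrade {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CommandLine
    )
    # True when the command line asks powershell.exe for engine version 2 / 2.0.
    return [regex]::IsMatch($CommandLine, $DowngradePattern)
}

# Constructed sample of process-creation command lines.
$SampleCommandLines = @(
    'powershell -version 2.0',
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -v 2 -NoProfile -File C:\test.ps1',
    'powershell.exe /ver 2.0 -Command "Get-Date"',
    'powershell.exe -NoProfile -File C:\test.ps1',
    'powershell.exe -Version 5.1 -Command "Get-Date"'
)

# Expected: the first three lines are flagged, the last two are not.
foreach ($line in $SampleCommandLines) {
    $verdict = if (Test-PSv2Downgrade -CommandLine $line) { 'FLAG' } else { 'ok  ' }
    '{0}  {1}' -f $verdict, $line
}
```

Command-line matching can misfire on a nested argument that happens to contain `-v 2`, so treat a hit as a lead and corroborate it with the engine version recorded in event ID 400 of the "Windows PowerShell" event log.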