

Today, I would like to talk about PowerShell ISE or "Integrated Scripting Environment". This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter).

From a malware analysis point of view, ISE offers a key feature: an interactive debugger! It provides all the classic features that you can expect from a debugger: breakpoints, step in, step over, step out. All of these features are available while you keep control of the environment to interact with the script through the help of other PowerShell commands. When you're facing a strongly obfuscated script, you can speed up the analysis with the help of carefully placed breakpoints. Let's have a look at a practical example.

The malicious script that I'd like to use contains a lot of references to "Ibiza" (hence the title of this diary).

/!\ Warning: Do NOT debug malicious scripts on sensitive or corporate computers: set up a lab to avoid mistakes, and do not execute the script without a breakpoint! /!\

Let's load the file into PowerShell ISE (note: the file must have the extension .ps1). You can see that the script has some chunks of Base64 data (some of them based on format strings). You see that the first Base64 payload is based on a concatenation of strings. Let's decode this from PowerShell ISE.

First, define a breakpoint via the menu "Debug / Toggle a breakpoint" or press F9. Where? By reading the script, you see that a good candidate is line 13 because, at line 12, we see a reference to Base64String. Once the breakpoint is set, the line color is switched to red:

Now, launch the script via the menu "Debug / Run / Continue" or press F5. Once the debugger reaches the breakpoint, it displays a message on the console and the line becomes yellow. We can interact with the script and use more PowerShell commands to, for example, display the content of a variable or, better, dump it into a file for further analysis:

It's a new set of PowerShell instructions! Let's dump them into a file: With the help of WriteAllBytes(), we dump the content of $PARtYINVITEpREtTY into a file 'payload.ps1'. It refers to an object '' which is used to store encrypted data (I wrote a diary about this technique).

Stop the debugger and remove all breakpoints. At the end of line 18, you see that the extracted code is executed with an 'IEX' command ("Invoke-Expression"). Let's decode this! Replace 'iex' with 'echo', put a breakpoint at line 20 (we can't set a breakpoint on a blank line), and launch the debugger again:

Once again, we see a new bunch of PowerShell instructions (that are normally executed). Copy this code and paste it into a new tab. To be able to debug it, save it as 'payload2.ps1'. The code is nicely obfuscated but we won't take too much time on this. The code is executed by IEX (obfuscated and marked in the red rectangle):

The first chunk of Base64 data that we decoded contains a framework used to perform injection of code into another process: Just execute the code without any breakpoint and have a look at the new variables. We have two interesting ones: '$Shellcode32' and '$Shellcode64'. We use the same technique to dump the shellcode into a file: And we have a shellcode! The next step will be to have a look at this shellcode!
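The breakpoint-and-dump workflow described on this page, as an added PowerShell example that is not from the diary: a constructed, harmless stage-0 script built the same way as the sample (Base64 chunks concatenated and handed to IEX), followed by the analyst-side commands for a line breakpoint before IEX fires, a WriteAllBytes() dump of the decoded variable, and the 'iex' to 'echo' swap. The file names under $env:TEMP and the line number 5 are assumptions that only hold for this constructed sample.

```powershell
# Added example, not from the diary: a constructed, harmless stage-0 script
# built like the one analysed on this page (Base64 chunks concatenated, then
# handed to IEX), plus the analyst-side debugger commands. Paths and line
# numbers are assumptions that only hold for this sample.

# --- Constructed sample; the decoded stage is just: Write-Host "Hello from stage 1"
$sample = @'
$p1 = 'V3JpdGUtSG9zdCAiSGVs'
$p2 = 'bG8gZnJvbSBzdGFnZSAxIg=='
$b  = [Convert]::FromBase64String($p1 + $p2)
$s  = [Text.Encoding]::UTF8.GetString($b)
IEX $s
'@
$script = Join-Path $env:TEMP 'sample.ps1'   # ISE needs the .ps1 extension
Set-Content -Path $script -Value $sample

# --- Step 1: break on the IEX line (line 5), never on a blank line, so $s is
# populated but nothing has executed yet. Equivalent to F9 on that line in ISE.
$bp = Set-PSBreakpoint -Script $script -Line 5

# --- Step 2: press F5 in ISE (or run '& $script'); the prompt changes to
# [DBG]: and the script's variables can be inspected or dumped before IEX runs:
#   [DBG]: PS> $s
#   [DBG]: PS> [IO.File]::WriteAllBytes("$env:TEMP\payload.ps1",
#                 [Text.Encoding]::UTF8.GetBytes($s))
#   [DBG]: PS> q       # stop the debugger instead of letting IEX execute

# --- Step 3 (the 'iex' -> 'echo' trick): neutralise the execution statically,
# so running the copy only prints the decoded stage instead of executing it.
Remove-PSBreakpoint -Breakpoint $bp
$safeCopy = Join-Path $env:TEMP 'sample_noexec.ps1'
(Get-Content $script) -replace '^\s*IEX\s+', 'Write-Output ' |
    Set-Content -Path $safeCopy
$decoded = & $safeCopy        # the decoded stage, returned as a string
```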
