thewhiteninja/deobshell

GitHub: thewhiteninja/deobshell

利用 Python 对 PowerShell 脚本的 AST 进行规则驱动的去混淆与重建,帮助分析师还原混淆代码的原始逻辑。

Stars: 73 | Forks: 19

# DeobShell [![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE.MIT) [![语言: Python](https://img.shields.io/badge/Language-Python-brightgreen.svg?tyle=flat-square)](#) [![跨平台](https://img.shields.io/badge/Platform-All-0078d7.svg)](#) [![v1.0](https://img.shields.io/badge/Version-1.0-ff5733.svg)](#)
DeobShell 是一个 PoC,旨在使用 Python 中的抽象语法树 (AST) 操作来对 Powershell 进行去混淆。 AST 是通过调用 `System.Management.Automation.Language.Parser` 的 Powershell 脚本提取的,并且 将相关节点写入 XML 文件中。 AST 操作和优化基于一组规则(例如:拼接常量字符串、应用格式化操作符等)。 从去混淆的 AST 中,使用 Python 重建 ps1 脚本。 请参阅下图。 :information_source: 目前仅支持 Powershell 的一个子集,但欢迎提交 PR :) :warning: [data/](data/) 文件夹包含真实的恶意软件样本! ## 原理

diagram

### 规则示例 - 移除空节点 - 移除未使用的变量 - 移除对未初始化变量的使用 - 简化表达式 - join、plus、format、replace 操作符 - split、reverse、invoke-expression - 类型转换为 type、string、char、array - 用值替换常量变量 - 修正特殊词的大小写 - ... 示例:format 操作符的 BinaryExpressionAst 节点 ##### 输入 ``` {0}{1} c AcA ``` ##### 输出 ``` cAcA ``` ### 示例 CTF 挑战赛 ##### 输入 ``` $mRSp73 = [ChaR[] ]" ))43]raHc[]gNIRtS[,)38]raHc[+98]raHc[+611]raHc[((eCAlper.)421]raHc[]gNIRtS[,'5IP'(eCAlper.)'$',)09]raHc[+99]raHc[+701]raHc[((eCAlper.)93]raHc[]gNIRtS[,'vzW'(eCAlper.)' 2halB.tcejboZck tuptuO-etirW 7halB.tcejboZck +'+' 6halB.tcejboZck + halB.tc'+'ejboZck '+'= 2galFFT'+'C:'+'vneZck SYt!eciNSYt = 1galFFTC:vneZck SYt...aedi dab yre'+'v'+' ,yre'+'v a yllacipyt svzWtaht ,ton fI .ti gninnur erofeb siht detacsufbo-ed uoy epoh ISYt eulaV- 2halB emaN- '+'ytreporPetoN epy'+'TrebmeM- rebmeM-ddA 5IP tcejboZck SYt'+'.uoy tresed dna dnuora nur annog reveNSYt eulaV- 9hal'+'B emaN- ytreporPetoN epyTrebmeM- rebmeM-ddA 5'+'IP tcejboZck SYt.nwod uo'+'y tel annog '+'re'+'veN .'+'pu uoy evig annog reveNSYt eulaV- 8halB emaN- ytreporPetoN epyTrebm'+'eM- rebmeM-d'+'dA 5IP tcejboZck SYt}f1j9kdSYt eulaV- 7halB emaN- y'+'treporPetoN ep'+'yTrebmeM- rebmeM-ddA 5IP tcejboZck SYtg4lf_3ht_t0nSYt eulaV- 4halB emaN- yt'+'reporPetoN epyTrebmeM- rebmeM-ddA 5IP tcejboZck SYt1#f!J{SYt eulaV- 6halB emaN- ytreporPetoN epyTrebmeM- rebmeM-'+'ddA 5IP tcejboZck SYtgalF,ehT,toN,oslASYt eulaV- 5halB emaN- ytreporPetoN epyTrebmeM- rebmeM-ddA 5IP tcejboZck SY'+'t}fdjfkslfdSYt eulaV- 3halB emaN- ytrepor'+'PetoN e'+'pyTrebmeM- rebmeM-ddA 5IP tcejboZ'+'ck SYtgalfSYt eulaV- halB em'+'aN- ytreporPetoN e'+'pyTrebmeM- rebmeM-ddA 5IP tcej'+'boZck tc'+'ejbO'+'SP tcejbO-weN = tc'+'ejboZck'( ()''nioJ-'x'+]3,1[)eCNERefErpESoBreV$]GniRTS[( (. " ;[aRRAy]::REVerse($MrSp73);. ( 'IeX') ( -JoiN$MrSp73) ``` ##### 输出 ``` $object = New-Object PSObject; $object | Add-Member NoteProperty Blah "flag"; $object | Add-Member NoteProperty Blah3 "dflskfjdf}"; $object | Add-Member NoteProperty Blah5 "Also,Not,The,Flag"; $object | Add-Member NoteProperty Blah6 "{J!f`#1"; $object | Add-Member NoteProperty Blah4 "n0t_th3_fl4g"; $object | Add-Member NoteProperty Blah7 "dk9j1f}"; $object | Add-Member NoteProperty Blah8 "Never gonna give you up. Never gonna let you down."; $object | Add-Member NoteProperty Blah9 "Never gonna run around and desert you."; $object | Add-Member NoteProperty Blah2 "I hope you de-obfuscated this before running it. If not, that''s typically a very, very bad idea..."; $env:CTFFlag1 = "Nice!"; $env:CTFFlag2 = $object.Blah + $object.Blah6 + $object.Blah7; Write-Output $object.Blah2; ``` ### 参考文献 - https://github.com/R3MRUM/PSDecode - https://robwillis.info/2020/08/invoke-decoder-a-powershell-script-to-decode-deobfuscate-malware-samples/ - https://www.varonis.com/blog/adventures-malware-free-hacking-part-ii/ - https://gist.github.com/notdodo/3d5ac56cd837c3f79d2c687f3e75cac1
标签:AI合规, DAST, DNS 反向解析, IPv6, OpenCanary, PowerShell, Python, 代码反混淆, 恶意软件分析, 无后门, 逆向工具