Module refinery.units.obfuscation.ps1.b64convert

Classes

class deob_ps1_b64convert

Expand source code Browse git

class deob_ps1_b64convert(Deobfuscator):

    _SENTINEL = re.compile('\\s*'.join(
        (re.escape('[System.Convert]::FromBase64String'), '\\(', '({s})', '\\)')
    ).format(s=formats.ps1str), flags=re.IGNORECASE)

    def deobfuscate(self, data):
        strlit = Ps1StringLiterals(data)

        def replacer(match: re.Match[str]):
            if strlit.get_container(match.start()):
                return match[0]
            try:
                string, = string_unquote(match[1])
            except ValueError:
                return match[0]
            try:
                bytes = base64.b64decode(string)
            except Exception:
                return match[0]
            return '@({})'.format(','.join(F'0x{b:02X}' for b in bytes))

        return self._SENTINEL.sub(replacer, data)

Ancestors

• Deobfuscator
• Unit
• UnitBase
• Entry

Class variables

var required_dependencies

var optional_dependencies

Methods

def deobfuscate(self, data)

Expand source code Browse git

def deobfuscate(self, data):
    strlit = Ps1StringLiterals(data)

    def replacer(match: re.Match[str]):
        if strlit.get_container(match.start()):
            return match[0]
        try:
            string, = string_unquote(match[1])
        except ValueError:
            return match[0]
        try:
            bytes = base64.b64decode(string)
        except Exception:
            return match[0]
        return '@({})'.format(','.join(F'0x{b:02X}' for b in bytes))

    return self._SENTINEL.sub(replacer, data)

Inherited members

• Deobfuscator:
  • Arg
  • assemble
  • filter
  • finish
  • handles
  • labelled
  • log_debug
  • log_detach
  • log_fail
  • log_info
  • log_level
  • log_warn
  • nozzle
  • read
  • read1
  • reverse
  • run
  • source
  • superinit
• UnitBase:
  • process