Simple Obfuscation with PowerShell using Base64 Encoding
I recently received a question from someone wanting to know how I encoded a string of text on my blog site. Back in January of 2013, I competed in Jeff Hicks' PowerShell Challenge, which was held by TrainSignal. One of the questions had an encoded command that you were to decode. I figured out that the EncodedCommand parameter of PowerShell.exe could not only be used to run commands that are encoded with Base64, but that it could also be used to easily decode a string of text that was encoded with Base64.
```powershell
powershell.exe /?
```

```
...
-EncodedCommand
    Accepts a base-64-encoded string version of a command. Use this parameter
    to submit commands to Windows PowerShell that require complex quotation
    marks or curly braces.
...
```
The help for PowerShell.exe also shows you how to encode a command with Base64:
```powershell
...
# To use the -EncodedCommand parameter:
$command = 'dir "c:\program files" '
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encodedCommand
```
Encoding something like the domain name for this blog site is easy enough:
```powershell
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'mikefrobbins.com'"))
```

```
JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA
```
While it could be decoded within PowerShell:
```powershell
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA'))
```

```
'mikefrobbins.com'
```
Adding single quotes around the domain name before encoding it also allows it to be decoded with PowerShell.exe using the EncodedCommand parameter, without having to wrap it in a command such as Write-Output. The decoded text is then a valid PowerShell string literal, and a bare string literal is simply evaluated and written to the output stream:
```powershell
powershell.exe -encodedCommand JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA
```

```
mikefrobbins.com
```
Commands like the one in the previous example are often run with the NoProfile parameter as well, so that the user's profile script doesn't run first, but it's not required.
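The encode and decode steps above, wrapped into two reusable functions. This is an added example, not code from the original post; the function names ConvertTo-EncodedCommand and ConvertFrom-EncodedCommand are my own. Two details matter in practice: PowerShell.exe always decodes EncodedCommand as UTF-16LE ([System.Text.Encoding]::Unicode), so encoding with UTF8 produces a value PowerShell.exe can't run; and when the text is wrapped as a string literal, any single quotes inside it must be doubled or the literal is no longer valid. Keep in mind that Base64 is encoding, not encryption: anyone who finds the value (for example in a process command line in a log) can decode it with exactly the same call.

```powershell
# Added example (not from the original post): Base64 round trips for -EncodedCommand.
# Function names are hypothetical and chosen for this illustration.

function ConvertTo-EncodedCommand {
    <#
    .SYNOPSIS
    Encodes text the way PowerShell.exe -EncodedCommand expects it:
    UTF-16LE bytes, then Base64.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Text,

        # Wrap the text in single quotes so the decoded command is a string
        # literal, which PowerShell evaluates and writes to output by itself.
        [switch]$AsLiteral
    )
    process {
        if ($AsLiteral) {
            # A single quote inside a single-quoted literal is escaped by doubling it.
            $Text = "'" + $Text.Replace("'", "''") + "'"
        }
        # Unicode here means UTF-16LE, the only encoding -EncodedCommand accepts.
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
        [Convert]::ToBase64String($bytes)
    }
}

function ConvertFrom-EncodedCommand {
    <#
    .SYNOPSIS
    Decodes an -EncodedCommand value (for example, one copied from a process
    command line) back to the text PowerShell.exe would have run.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EncodedCommand
    )
    process {
        $bytes = [Convert]::FromBase64String($EncodedCommand)
        [System.Text.Encoding]::Unicode.GetString($bytes)
    }
}

# Round trip the value used in the post.
$encoded = ConvertTo-EncodedCommand -Text 'mikefrobbins.com' -AsLiteral
$encoded
ConvertFrom-EncodedCommand -EncodedCommand $encoded

# Text with an embedded single quote still decodes to a valid literal.
$tricky = ConvertTo-EncodedCommand -Text "Mike's blog" -AsLiteral
ConvertFrom-EncodedCommand -EncodedCommand $tricky

# Hand the encoded literal to PowerShell.exe; the literal is evaluated and written to output.
powershell.exe -NoProfile -EncodedCommand $encoded

# Common mistake: encoding UTF-8 bytes instead of UTF-16LE. The Base64 is
# shorter and PowerShell.exe will not decode it to the intended command.
$wrong = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("'mikefrobbins.com'"))
$wrong
```

With -AsLiteral, ConvertTo-EncodedCommand produces the same Base64 value shown earlier in the post for 'mikefrobbins.com', and ConvertFrom-EncodedCommand returns the quoted literal. The decode function is also what you would point at an EncodedCommand value pulled from a suspicious process command line to see what it actually runs.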