Executing decoder #12
Comments
Interesting. The size value of 12190 refers to the maximum byte limit for any script block you can pass to Powershell. It appears that I should, instead, be using the max command-line length of 8191 for Windows XP and above. I'll update the code to respect command-line max length which should fix this issue.
Bug Fix: Changed encoded command length check to write to temp file if length of encoded command is less than 8k bytes. The previous value (12190) referred to the max length of script blocks permitted by PowerShell. However, for Windows XP+, the max command-line length is 8191 bytes, which is the value that should be respected. Addresses Issue #12
I've updated the module. Can you pull the new version and confirm that the fix works for you?
Thank you for the fast response. Yes it is working now.
Hi there,
Thanks for this great work, it is inspiring. But I came across a little issue. For an Emotet sample, the script was giving "Decoder script returned non-zero exit code but no error message was sent to stderr. This is likely the result of the malware intentionally terminating its own execution rather than some kind of decoding failure". Since I knew that wasn't the case, I tried to debug it. I don't know PS very well, so I disabled the $b64_decoder.length control and wrote the decoder script to a temp file for debugging and, surprise, that script from the temp file worked as expected.
So this code, which starts the process using the EncodedCommand param, does not work for me:
But this one, which starts the process using a temp file, works:
What could be the reason for that, do you have any suggestions?
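The fix described in the comments above (fall back to a temp file when the encoded command would exceed the 8191-byte Windows command-line limit, rather than the 12190 script-block limit) can be illustrated with the following added example. It is not the project's own code; the function name `Invoke-DecoderScript`, the sample decoder script, and the temp-file naming are assumptions made for this illustration.

```powershell
# Added example, not part of the project: run an analysis/decoder script in a child
# PowerShell, choosing -EncodedCommand when the command line fits the 8191-byte limit
# discussed in the issue and a temporary .ps1 file otherwise.
function Invoke-DecoderScript {
    param(
        [Parameter(Mandatory)] [string] $DecoderScript,
        # 8191 is the Windows XP+ command-line maximum cited in the issue.
        [int] $MaxCmdLineLength = 8191
    )

    # -EncodedCommand expects Base64 of the UTF-16LE ("Unicode") bytes of the script,
    # so the encoded form is roughly 2.7x the size of the source text.
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($DecoderScript))

    # Measure the whole command line, not just the payload: the executable name and
    # switches count against the limit too.
    $cmdLine = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $b64"

    if ($cmdLine.Length -lt $MaxCmdLineLength) {
        $method = 'EncodedCommand'
        $output = & powershell.exe -NoProfile -NonInteractive -EncodedCommand $b64 2>&1
    }
    else {
        $method = 'TempFile'
        # Assumption: a GUID-named script in the user's temp directory is acceptable
        # for the analysis environment. The file is removed even if the child fails.
        $tmp = Join-Path ([IO.Path]::GetTempPath()) ("decoder_{0}.ps1" -f [guid]::NewGuid())
        try {
            Set-Content -Path $tmp -Value $DecoderScript -Encoding UTF8
            $output = & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $tmp 2>&1
        }
        finally {
            Remove-Item -Path $tmp -ErrorAction SilentlyContinue
        }
    }

    # Keep the exit code alongside the output so a caller can tell "script exited
    # non-zero with no stderr" (the heuristic quoted in the issue) from a real error.
    [pscustomobject]@{
        Method        = $method
        CmdLineLength = $cmdLine.Length
        ExitCode      = $LASTEXITCODE
        Output        = $output
    }
}

# Constructed sample: a harmless decoder body that echoes a decoded string.
$sample = '$s = "SGVsbG8="; [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($s))'
Invoke-DecoderScript -DecoderScript $sample | Format-List

# Pad the same script past the limit to exercise the temp-file path.
$padded = $sample + ("`n# " + ('x' * 4000))
Invoke-DecoderScript -DecoderScript $padded | Format-List
```

The second call produces an encoded command line well over 8191 characters, so it takes the temp-file branch; the first stays on `-EncodedCommand`. Comparing `CmdLineLength` for both makes the root cause of the original report visible: the check against 12190 let command lines through that the OS would never accept.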