
Executing decoder #12

Closed
sefai opened this issue Dec 30, 2019 · 3 comments


sefai commented Dec 30, 2019

Hi there,

Thanks for this great work, it is inspiring. But I came across a little issue. For an Emotet sample, the script was giving "Decoder script returned non-zero exit code but no error message was sent to stderr. This is likely the result of the malware intentionally terminating its own execution rather than some kind of decoding failure". Since I knew that wasn't the case, I tried to debug it. I don't know PS very well, so I disabled the $b64_decoder.length check and wrote the decoder script to a temp file for debugging, and surprise: the script from the temp file worked as expected.

So this code, which starts the process using the EncodedCommand param, does not work for me:

        if($b64_decoder.length -le 12190){
            $pinfo.Arguments = "-EncodedCommand $($b64_decoder)"
        }
        else{
            $tmp_file = [System.IO.Path]::GetTempPath() + [GUID]::NewGuid().ToString() + ".ps1"; 
            Write-Verbose "Output script is too large. Writing temp file to: $($tmp_file)"
            Base64_Decode($b64_decoder) | Out-File $tmp_file
            $pinfo.Arguments = "-File $($tmp_file)"
        }

But this one, which starts the process using a temp file, works:

        #if($b64_decoder.length -le 12190){
        #    $pinfo.Arguments = "-EncodedCommand $($b64_decoder)"
        #}
        #else{
            $tmp_file = [System.IO.Path]::GetTempPath() + [GUID]::NewGuid().ToString() + ".ps1"; 
            Write-Verbose "Output script is too large. Writing temp file to: $($tmp_file)"
            Base64_Decode($b64_decoder) | Out-File $tmp_file
            $pinfo.Arguments = "-File $($tmp_file)"
        #}

What could be the reason for that, do you have any suggestions?

R3MRUM (Owner) commented Dec 30, 2019

Interesting. The size value of 12190 refers to the maximum byte limit for any script block you can pass to PowerShell. It appears that I should, instead, be using the max command-line length of 8191 for Windows XP and above. I'll update the code to respect the command-line max length, which should fix this issue.

R3MRUM added a commit that referenced this issue Dec 30, 2019
Bug Fix: Changed encoded command length check to write to temp file if length of encoded command is less than 8k bytes. The previous value (12190) referred to the max length of script blocks permitted by PowerShell. However, for Windows XP+, the max command-line length is 8191 bytes, which is the value that should be respected. Addresses Issue #12
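The following is an added example, not PSDecode's own code (the project's actual fix is the commit referenced above). It shows the decision the two comments above describe, choosing between -EncodedCommand and a temp -File, but makes the check against the length of the whole command line the child process receives (quoted executable path plus arguments) rather than against the Base64 string alone, and it cleans the temp file up afterwards. The function names, the 8191 limit (taken from the thread), and the two sample decoder scripts are assumptions constructed for the example.

```powershell
# Added example, not PSDecode's code. Picks -EncodedCommand or a temp -File by
# measuring the full command line against the cmd.exe limit quoted in the thread (8191).
# Function names and the sample scripts below are illustrative assumptions.

function New-DecoderStartInfo {
    param(
        [Parameter(Mandatory)][string]$DecoderScript,
        [string]$PowerShellPath = 'powershell.exe',
        [int]$MaxCommandLineLength = 8191
    )

    # -EncodedCommand takes Base64 of the UTF-16LE bytes of the script text.
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($DecoderScript))
    $encodedArgs = "-NoProfile -NonInteractive -EncodedCommand $b64"

    # Measure what the OS actually receives: quoted exe path, a space, then the arguments.
    $fullLength = ('"{0}" {1}' -f $PowerShellPath, $encodedArgs).Length

    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName               = $PowerShellPath
    $pinfo.UseShellExecute        = $false
    $pinfo.RedirectStandardOutput = $true
    $pinfo.RedirectStandardError  = $true
    $pinfo.CreateNoWindow         = $true

    $tmp = $null
    if ($fullLength -le $MaxCommandLineLength) {
        $pinfo.Arguments = $encodedArgs
    }
    else {
        # The decoded (potentially malicious) script lands on disk: only do this in an isolated analysis VM.
        $tmp = Join-Path ([IO.Path]::GetTempPath()) ('{0}.ps1' -f [guid]::NewGuid())
        Write-Verbose "Command line would be $fullLength chars (> $MaxCommandLineLength); writing $tmp"
        Set-Content -LiteralPath $tmp -Value $DecoderScript -Encoding Unicode
        $pinfo.Arguments = "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$tmp`""
    }

    [pscustomobject]@{
        StartInfo         = $pinfo
        CommandLineLength = $fullLength
        UsesTempFile      = [bool]$tmp
        TempFile          = $tmp
    }
}

function Invoke-DecoderStartInfo {
    param([Parameter(Mandatory)]$Plan)
    $p = [System.Diagnostics.Process]::Start($Plan.StartInfo)
    # Drain stderr asynchronously so a chatty child cannot deadlock on a full pipe.
    $errTask = $p.StandardError.ReadToEndAsync()
    $out = $p.StandardOutput.ReadToEnd()
    $p.WaitForExit()
    $result = [pscustomobject]@{
        ExitCode = $p.ExitCode
        StdOut   = $out
        StdErr   = $errTask.Result
    }
    # Always remove the temp file, even if the decoder exited non-zero.
    if ($Plan.TempFile) { Remove-Item -LiteralPath $Plan.TempFile -Force -ErrorAction SilentlyContinue }
    $result
}

# Constructed sample inputs: a short decoder and one padded well past the limit.
$short = 'Write-Output "short decoder ran"; exit 0'
$long  = ('# ' + ('A' * 7000) + "`n") + 'Write-Output "long decoder ran"; exit 0'

foreach ($script in $short, $long) {
    $plan = New-DecoderStartInfo -DecoderScript $script -Verbose
    $r = Invoke-DecoderStartInfo -Plan $plan
    '{0,6} chars -> {1}; exit {2}; stdout: {3}' -f $plan.CommandLineLength,
        $(if ($plan.UsesTempFile) { '-File' } else { '-EncodedCommand' }),
        $r.ExitCode, $r.StdOut.Trim()
}
```

Two practitioner caveats. First, the Base64 is roughly 2.7 times the script length (UTF-16LE doubles the bytes, Base64 adds a third), so a check on the decoded script's size, or on the encoded string without the executable path and the other switches, under-counts what the child actually receives; measuring the assembled command line avoids that. Second, 8191 is the cmd.exe limit named in the thread; CreateProcess itself accepts command lines up to 32767 characters, so the 8191 check is conservative and, when it is too strict, the only cost is an unnecessary temp file rather than a silent failure.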
R3MRUM (Owner) commented Dec 30, 2019

I've updated the module. Can you pull the new version and confirm that the fix works for you?

sefai (Author) commented Dec 30, 2019

Thank you for the fast response. Yes it is working now.

@R3MRUM R3MRUM closed this as completed Dec 31, 2019