Simple Obfuscation with PowerShell using Base64 Encoding
I recently received a question from someone wanting to know how I encoded a string of text on my blog site. Back in January of 2013, I competed in Jeff Hicks' PowerShell Challenge that was held by TrainSignal. One of the questions had an encoded command which you were to decode. I figured out that the -EncodedCommand parameter of PowerShell.exe could not only be used to run commands that are encoded with Base64, but that it could also be used to easily decode a string of text that was encoded with Base64.
powershell.exe /?
The help for PowerShell.exe also shows you how to encode a command with Base64:
Encoding something like the domain name for this blog site is easy enough:
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'mikefrobbins.com'"))
While it could be decoded within PowerShell:
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA'))
Adding quotes around the domain name also allows it to be decoded with PowerShell.exe using the -EncodedCommand parameter without having to encode it with a command such as Write-Output:
powershell.exe -encodedCommand JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA
The code shown in the previous example specifies the -NoProfile parameter but it’s not required. I’ve added it since calling PowerShell.exe with my profile displays the Packt Publishing free eBook of the day.
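Because this encoding is trivially reversible, the same decode step can be applied to command lines recorded in process-creation logs. The following is an added example, not code from the original post: the function name ConvertFrom-EncodedCommandLine and the sample command lines are constructed for illustration, and the Base64 value is the one used above.

```powershell
function ConvertFrom-EncodedCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        # Find every "-switch value" or "/switch value" pair on the command line.
        $pattern = '(?<=\s)[-/](?<name>[A-Za-z]+)\s+["'']?(?<value>[A-Za-z0-9+/]+={0,2})'
        foreach ($pair in [regex]::Matches($CommandLine, $pattern)) {
            $name = $pair.Groups['name'].Value.ToLowerInvariant()

            # PowerShell.exe accepts abbreviated forms such as -enc, -e and -ec,
            # so match any prefix of "encodedcommand" as well as "ec".
            if (-not ('encodedcommand'.StartsWith($name) -or $name -eq 'ec')) { continue }

            $b64 = $pair.Groups['value'].Value
            try {
                $bytes = [Convert]::FromBase64String($b64)
            }
            catch {
                # The switch matched but the argument is not valid Base64.
                Write-Warning "Could not decode argument of -$name : $b64"
                continue
            }

            [pscustomobject]@{
                Switch  = $pair.Groups['name'].Value
                Base64  = $b64
                # -EncodedCommand expects UTF-16LE, which .NET calls "Unicode".
                Decoded = [System.Text.Encoding]::Unicode.GetString($bytes)
            }
        }
    }
}

# Constructed sample command lines, as they might appear in process-creation logs.
$samples = @(
    'powershell.exe -NoProfile -encodedCommand JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA'
    'powershell.exe -NoProfile -File script.ps1'
    'powershell.exe -enc JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA'
)
$samples | ConvertFrom-EncodedCommandLine | Format-List
```

Only the first and third samples produce output; the second has no encoded argument and is skipped.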