Merge pull request #302 from kevross33/patch-52

Add decoding for UTF-16 into powershell sig
ctxis · Mar 4, 2019 · a38a38d · a38a38d
2 parents fe77b84 + fb3de97
commit a38a38d
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/modules/signatures/powershell_command.py b/modules/signatures/powershell_command.py
@@ -87,17 +87,31 @@ def run(self):
                 if "-e " in lower or "/e " in lower or "-en " in lower or "/en " in lower or "-enc" in lower or "/enc" in lower:
                     b64strings = re.findall(r'[-\/][eE][nNcCoOdDeEmMaA]{0,13}\ (\S+)', cmdline)
                     for b64string in b64strings:
+                        b64 = True
                         encoded = str(b64string)
-                        if re.match('^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$', encoded):
+                        try:
+                            base64.b64decode(encoded)
+                        except binascii.Error:
+                            b64 = False
+                        if b64:
                             decoded = base64.b64decode(encoded)
+                            if "\\x00" in decoded:
+                                decoded = base64.b64decode(encoded).decode('UTF-16') 
                             self.data.append({"decoded_base64_string" : convert_to_printable(decoded)})
 
                 if "frombase64string(" in lower:
                     b64strings = re.findall(r'[fF][rR][oO][mM][bB][aA][sS][eE]64[sS][tT][rR][iI][nN][gG]\([\"\'](\S+)[\"\']\)', cmdline)
                     for b64string in b64strings:
+                        b64 = True
                         encoded = str(b64string)
-                        if re.match('^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$', encoded):
+                        try:
+                            base64.b64decode(encoded)
+                        except binascii.Error:
+                            b64 = False
+                        if b64:
                             decoded = base64.b64decode(encoded)
+                            if "\\x00" in decoded:
+                                decoded = base64.b64decode(encoded).decode('UTF-16') 
                             self.data.append({"decoded_base64_string" : convert_to_printable(decoded)})
 
         return ret
@@ -166,6 +180,8 @@ def run(self):
                             ret = True
                             self.data.append({"command" : cmdline})
                             decoded = base64.b64decode(encoded)
+                            if "\\x00" in decoded:
+                                decoded = base64.b64decode(encoded).decode('UTF-16')
                             self.data.append({"decoded_base64_string" : convert_to_printable(decoded)})
 
                 if "frombase64string(" in lower:
@@ -176,6 +192,8 @@ def run(self):
                             ret = True
                             self.data.append({"command" : cmdline})
                             decoded = base64.b64decode(encoded)
+                            if "\\x00" in decoded:
+                                decoded = base64.b64decode(encoded).decode('UTF-16')
                             self.data.append({"decoded_base64_string" : convert_to_printable(decoded)})
 
         return ret