From 8fac1cacf5501c2b0c37d57336aa12212169180e Mon Sep 17 00:00:00 2001
From: gdesmar <75089569+gdesmar@users.noreply.github.com>
Date: Wed, 16 Oct 2024 14:52:42 +0000
Subject: [PATCH] Stripping quotes in get_pwsh_cmd

---
 src/multidecoder/decoders/shell.py | 8 +++++++-
 tests/test_decoders/test_shell.py | 9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/multidecoder/decoders/shell.py b/src/multidecoder/decoders/shell.py
index 60b866f..6caa9da 100644
--- a/src/multidecoder/decoders/shell.py
+++ b/src/multidecoder/decoders/shell.py
@@ -181,4 +181,10 @@ def get_cmd_command(cmd: bytes) -> bytes:
 
 def get_powershell_command(powershell: bytes) -> bytes:
     match = re.match(POWERSHELL_ARGS_RE, powershell)
-    return powershell[match.end() :] if match else powershell
+    if not match:
+        return powershell
+    command = powershell[match.end() :]
+    # Strip if the command starts and end with a double quote (34) or single quote (39)
+    if len(command) > 1 and command[0] in [34, 39] and command[0] == command[-1]:
+        command = command[1:-1]
+    return command
diff --git a/tests/test_decoders/test_shell.py b/tests/test_decoders/test_shell.py
index 982cd65..256a3c4 100644
--- a/tests/test_decoders/test_shell.py
+++ b/tests/test_decoders/test_shell.py
@@ -343,3 +343,12 @@ def test_get_powershell_command_exe():
 
 def test_get_powershell_command_args():
     assert get_powershell_command(b"powershell -arg1 -arg2 command") == b"command"
+
+
+def test_get_powershell_command_quotes():
+    assert (
+        get_powershell_command(
+            b"powershell.exe -c \"&{'p8ArwZsj8ZO+Zy/dHPeI';$BxQ='';$KOKN='';$KOKN=$KOKN+$BxQ;$GBUus=$KOKN;$xCyRLo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($GBUus));$GBUus=$xCyRLo;iex($GBUus)}\""
+        )
+        == b"&{'p8ArwZsj8ZO+Zy/dHPeI';$BxQ='';$KOKN='';$KOKN=$KOKN+$BxQ;$GBUus=$KOKN;$xCyRLo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($GBUus));$GBUus=$xCyRLo;iex($GBUus)}"
+    )
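Review bot: The new `if len(command) > 1 and command[0] in [34, 39] and command[0] == command[-1]:` check in get_powershell_command only compares the first and last byte, so a command such as `"foo" + "bar"` is not one quoted string yet still loses its outer quotes and comes back as `foo" + "bar`, which hands the downstream decoders a mangled command; the strip should only fire when the inner span holds no further copy of the opening quote other than PowerShell's doubled-quote escape (and, for double quotes, the backtick escape). The comment on the line above it also reads "starts and end" and should be "starts and ends", and `(b'"', b"'")` against a one-byte slice reads more clearly than the integer list `[34, 39]`. If callers can pass a trailing newline or space after the closing quote (not visible from this hunk), `command[-1]` will never be the quote and the strip is silently skipped, which is worth a test either way.
```python
    command = powershell[match.end() :]
    quote = command[:1]
    inner = command[1:-1]
    # Strip the outer quotes only when they enclose the whole command: the
    # inner span may contain the same quote only as PowerShell's doubled
    # escape ("" or '') or, inside double quotes, the backtick escape (`").
    if len(command) > 1 and quote in (b'"', b"'") and command[-1:] == quote:
        unescaped = inner.replace(quote * 2, b"")
        if quote == b'"':
            unescaped = unescaped.replace(b"`" + quote, b"")
        if quote not in unescaped:
            command = inner
    return command
```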
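Review bot: The added test_get_powershell_command_quotes exercises only the double-quote branch, leaving the single-quote path (byte 39) that get_powershell_command now handles untested, along with a command whose first and last bytes are quotes but not a matching pair (e.g. `"a" + "b"`) and the two-byte `""` edge that the `len(command) > 1` guard admits. One short assertion per case, e.g. `assert get_powershell_command(b"powershell -c 'Get-Date'") == b"Get-Date"`, would pin the intended behavior without needing the long obfuscated fixture, which can stay as the realistic sample it is.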