Understanding Invoke- “X” Special Character Encoding

I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in
Invoke-Dosfucation.

We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi where they demonstrate a “Hello World” encoded string. I had to translate the post to view it. You can find the post here .

We can also find the link to the site in the Invoke-Obfuscation master folder in the script “Out-EncodedSpecialCharOnlyCommand.ps1”.

The script we are going to be working with today is from another Twitter thread on September 12 2018 located Here . It is a pastebin link from @James_inthe_box.

Here is what this script looks like.

FullScript

And a smaller sample view.

Top

Just looking at this it looks like total junk code.

After reading the other blog post we have a few ideas of how to work with this so lets clean this up a bit. The first thing we want to remember is that the character “;” is used as a command separator so let separate these to a new line to make it easier to read.

1 

Now that we have the commands on there own line we need to understand what the first one is doing.

2

What this first command is doing is creating a hash table to contain the values on the left side of the “= ++” to the hash table name of “${‘].}” on the right hand side.

As it goes down the list it will set the index position in the has table equal to the value Inside of “{ }” on the left.

What this will do next , or as it sets the values it will do a string replace or “lookup” of the value and the string like “${$}” will get replaced with the number 0 on the rest of the script.

Here we see what happens when we replace each value with the index number.

4

(I’ve restored our left hand values after doing the replacements. Always do replacements on a copy)

Now lets take a look at the next command and see what it is doing.

5

As we can see we now have some number inside of the “[]” like this “$(@{})”[  7  ]”

The best I understand is that this taking the the hash function name of “System.Collections.Hashtable” and in this case  taking the 7th character to build a string.

So if we take a indexed list of that string and get the 7th Character we end up with “C”.

6

So we go thru and replace the 3 characters and then get to this one.

7

In Short the “$?” will evaluate to true or false if something succeeds or failed. In this case what it gives us is the string “True” and then we take the character at index 1 of that string which  = “r”.

So now that gives us. “${*@}  =  “[Char]”  ;” and we can do the replacements for that.

8

Our next line will do replacements similar to the one we just did so lets do those.

9

So now we can see that it decoded to the string “insert”. But the way it is called it will set the value of “${‘].}” to the Signature of the function in the form of 
“string Insert (int startIndex, string value)” and you can find a list here.

So now we have 2 “+” on this next line. The first 2 are like the last 2 lines so lets do those replacements.

10

Now for the last value we are setting the value of  “${‘].}” to (“ie” + the Insert Sig.) character at index 27.

11

So index number 27 = “x”  so that makes our string now “iex”

12

So the last step for this level of encoding is to do the char code replacements.

There are multiple ways to get the char codes decoded from this point but I will go thru and format it so I can just run it thru my tool.

13

You may also notice that there is a “|” and the variable name for “iex’ at the end here.

14

The Final Decode.

15

In the usual fashion after going thru this by hand I like to build a programs to be able to just copy paste the encoded string , click a button and get the decoded value back.

16

As you can see from the output, the decoding for this piece of malware is far from being complete but this is as far as we will go with it in this post though.

Thanks for reading.

About pcsxcetrasupport3

My part time Business, I mainly do system building and system repair. Over the last several years I have been building system utility's in vb script , HTA applications and VB.Net to be able to better find the information I need to better understand the systems problems in order to get the systems repaired and back to my customers quicker.
This entry was posted in Malware, PowerShell, Programming, security and tagged , . Bookmark the permalink.