Advertisement
dissectmalware

Decoding Encoded base64 string using MSIL

Nov 21st, 2018
779
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. $test = @"
  2. using System;
  3. using System.Text;
  4. using System.Reflection;
  5. using System.Reflection.Emit;
  6. using System.Globalization;
  7. public class Wrapper {
  8.    // Declare a delegate type that can be used to execute the completed dynamic method.
  9.    private delegate string BaseDelegate(string input);
  10.  
  11.    public static void WOW(string input)
  12.    {
  13.        // Create a dynamic method with the name "Base", a return type of string, and one string parameter
  14.        DynamicMethod baseDM = new DynamicMethod("Base",typeof(string),new Type[] { typeof(string) }, typeof(string).Module);
  15.        
  16.        MethodInfo base64Convertor = typeof(System.Convert).GetMethods()[308]; // System.Convert.FromBase64String
  17.        MethodInfo getUTF8Encoding = typeof(System.Text.Encoding).GetMethod("get_UTF8", new Type[] { });
  18.        MethodInfo getString = System.Text.Encoding.UTF8.GetType().GetMethod("GetString", new Type[] { typeof(byte[]) });
  19.  
  20.        ILGenerator il = baseDM.GetILGenerator(512);
  21.        // Get UTF8 object
  22.        il.EmitCall(OpCodes.Call, getUTF8Encoding, null);
  23.        // Load the first argument, which is a string, onto the stack.
  24.        il.Emit(OpCodes.Ldarg_0);
  25.        // Call Convert.FromBase64String
  26.        il.EmitCall(OpCodes.Call, base64Convertor, null);
  27.        // Call UTF8.GetString
  28.        il.EmitCall(OpCodes.Callvirt, getString, null);
  29.        // Return the top value on the evaluation stack
  30.        il.Emit(OpCodes.Ret);
  31.  
  32.        // Create a delegate that represents the dynamic method. This
  33.        // action completes the method. Any further attempts to
  34.        // change the method are ignored.
  35.        BaseDelegate bbb = (BaseDelegate)baseDM.CreateDelegate(typeof(BaseDelegate));
  36.  
  37.        var ccc= bbb(input);
  38.        Console.WriteLine(ccc);
  39.  
  40.    }
  41. }
  42. "@
  43.  
  44. Add-Type -TypeDefinition $test
  45.  
  46. [Wrapper]::WOW("dGhpcyBpcyBhIHRlc3Q=")
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement