thewhiteninja/deobshell

PowerShell output does not include "." character in some scenarios

Opened this issue · 0 comments

Hello! I'm very thankful you've created deobshell; I was in disbelief that a PowerShell formatter seems to be so difficult to find.

I'm encountering an issue with the "." character as part of a CommandAST node. The original code looks like this:

function Sprjtemalinger($skolepigen) {
    . ($Skkestolens) ($skolepigen);
}

The AST looks like this:

<FunctionDefinitionAst Name="Sprjtemalinger">
  <Parameters>
    <ParameterAst Name="$skolepigen" StaticType="System.Object">
      <Attributes />
      <VariableExpressionAst VariablePath="skolepigen" StaticType="System.Object" />
    </ParameterAst>
  </Parameters>
  <ScriptBlockAst>
    <Attributes />
    <UsingStatements />
    <NamedBlockAst>
      <Statements>
        <PipelineAst>
          <PipelineElements>
            <CommandAst>
              <CommandElements>
                <ParenExpressionAst StaticType="System.Object">
                  <PipelineAst>
                    <PipelineElements>
                      <CommandExpressionAst>
                        <VariableExpressionAst VariablePath="Skkestolens" StaticType="System.Object" />
                        <Redirections />
                      </CommandExpressionAst>
                    </PipelineElements>
                  </PipelineAst>
                </ParenExpressionAst>
                <ParenExpressionAst StaticType="System.Object">
                  <PipelineAst>
                    <PipelineElements>
                      <CommandExpressionAst>
                        <VariableExpressionAst VariablePath="skolepigen" StaticType="System.Object" />
                        <Redirections />
                      </CommandExpressionAst>
                    </PipelineElements>
                  </PipelineAst>
                </ParenExpressionAst>
              </CommandElements>
              <Redirections />
            </CommandAst>
          </PipelineElements>
        </PipelineAst>
      </Statements>
    </NamedBlockAst>
  </ScriptBlockAst>
</FunctionDefinitionAst>

And the reconstructed code looks like this:

function Sprjtemalinger($skolepigen){
   ($Skkestolens) ($skolepigen);
}
;

Note that the "." character has not been added. I don't have much experience with PowerShell but at a glance, I can't even tell if the generated AST has any provision for this character, so I'm not sure how you could infer that it's meant to be there. I've attached the malicious script in question as a .zip file with the password "infected".
deobshell_format_missing_dot_character.zip

Obviously this is not a major issue; I can just re-add the character after deobfuscation, but I wanted to make this issue in case you know of a solution. Thank you again for making this tool!
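Added example, not from the issue author and not deobshell's own code: PowerShell's parser does record the dot. A `CommandAst` carries an `InvocationOperator` property of type `TokenKind`, which is `Dot` for dot-sourced calls (`. cmd`), `Ampersand` for `& cmd`, and `Unknown` for a plain command. The XML shown above has no attribute for it, which is why nothing in that tree says the "." was there. The script below parses a constructed sample containing the three forms (the dot-sourced call from the issue plus a `&` call and a plain call, added for contrast) and maps each operator back to the prefix an emitter would have to put in front of the command; `Get-InvocationPrefix` is a hypothetical helper written for this example.

```powershell
# Added example: show where PowerShell's own AST keeps the "." of a dot-sourced call.
# Not part of the issue or of deobshell; Get-InvocationPrefix is a helper invented here.
using namespace System.Management.Automation.Language

# Constructed sample input: the function from the issue, extended with a '&' call
# and a plain command so all three InvocationOperator values appear.
$script = @'
function Sprjtemalinger($skolepigen) {
    . ($Skkestolens) ($skolepigen);
    & ($Skkestolens) ($skolepigen);
    Write-Output $skolepigen
}
'@

$tokens = $null
$errors = $null
$ast = [Parser]::ParseInput($script, [ref]$tokens, [ref]$errors)
if ($errors.Count) { throw ($errors | Out-String) }

# Map the recorded operator back to the text a code emitter must re-add.
# CommandAst.InvocationOperator is TokenKind.Dot, TokenKind.Ampersand, or
# TokenKind.Unknown when the command is invoked without an operator.
function Get-InvocationPrefix([CommandAst]$Command) {
    switch ($Command.InvocationOperator) {
        ([TokenKind]::Dot)       { '. ' }
        ([TokenKind]::Ampersand) { '& ' }
        default                  { '' }
    }
}

# Walk every CommandAst in the tree (recursively) and print operator, prefix,
# and the command elements; the dot-sourced line comes out as ". ($Skkestolens) ($skolepigen)".
$ast.FindAll({ param($node) $node -is [CommandAst] }, $true) | ForEach-Object {
    $prefix   = Get-InvocationPrefix $_
    $elements = ($_.CommandElements | ForEach-Object { $_.Extent.Text }) -join ' '
    '{0,-9} -> {1}{2}' -f $_.InvocationOperator, $prefix, $elements
}
```

Running this in `pwsh` or Windows PowerShell 5.1 lists `Dot`, `Ampersand` and `Unknown` for the three commands, so a serializer that emits `InvocationOperator` alongside `CommandElements` would give the reconstruction step everything it needs to put the "." back; it also matters for analysis, since `. expr` dot-sources into the caller's scope while `& expr` runs in a child scope.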