CCS2024

PowerPeeler: A Precise and General Dynamic Deobfuscation Method for PowerShell Scripts

Ruijie Li, Chenyang Zhang, Huajun Chai, Lingyun Ying, Haixin Duan, Jun Tao

Cited 3 times

Abstract

PowerShell is a powerful and versatile task automation tool. Unfortunately, it is also widely abused by cyber attackers. To bypass malware detection and hinder threat analysis, attackers often employ diverse techniques to obfuscate malicious PowerShell scripts. Existing deobfuscation tools suffer from the limitations of static analysis, which fails to simulate the real deobfuscation process accurately. Accurate, complete, and robust PowerShell script deobfuscation is still a challenging problem. In this paper, we propose PowerPeeler. To the best of our knowledge, it is the first dynamic PowerShell script deobfuscation approach at the instruction level. It utilizes expression-related Abstract Syntax Tree (AST) nodes to identify potentially obfuscated script pieces. Then, PowerPeeler correlates the AST nodes with their corresponding instructions and monitors the script's entire execution process. Subsequently, PowerPeeler dynamically tracks the execution of these instructions and records their execution results. Finally, PowerPeeler stringifies these results to replace the corresponding obfuscated script pieces and reconstruct the deobfuscated script. To evaluate the effectiveness of PowerPeeler, we collect 1,736,669 real-world malicious PowerShell samples and distill two high-quality datasets covering diverse obfuscation methods: D-Script with 4,264 obfuscated script files and D-Cmdline with 381 obfuscated samples using the PowerShell command-line interface. We compare PowerPeeler with five state-of-the-art deobfuscation tools and GPT-4.
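To make the pipeline described in the abstract concrete, the following PowerShell example (added for this page; it is not PowerPeeler's code) walks the same four steps on a constructed benign sample: parse the script, pick expression-related AST nodes (binary, member-invocation and cast expressions) as candidates, evaluate each candidate in a dedicated runspace while the script is executed statement by statement so that state built by earlier statements is available, then stringify the recorded values and splice them over the candidates' source extents. The sample script, the chosen node kinds and the statement-level re-execution are all assumptions of this illustration; PowerPeeler traces at the instruction level, which this simplification does not reproduce, and each candidate expression here runs a second time when its statement is executed, so side effects would repeat. Because the input genuinely executes, run this only on a disposable, isolated machine.

```powershell
using namespace System.Management.Automation.Language
using namespace System.Management.Automation.Runspaces

# Constructed benign sample (an assumption for this illustration, not a
# sample from the paper's datasets).
$Obfuscated = @'
$cmd = ('Wr' + 'ite' + '-' + 'Ho' + 'st')
$arg = [string]::Join('', [char[]](72,101,108,108,111))
& $cmd $arg
'@

# Expression-related node kinds that obfuscators commonly build on:
# string concatenation, static/instance method calls and type casts.
$IsCandidate = {
    param([Ast]$n)
    ($n -is [BinaryExpressionAst]) -or
    ($n -is [InvokeMemberExpressionAst]) -or
    ($n -is [ConvertExpressionAst])
}

# Keep only outermost candidates: a node nested inside another candidate
# is rewritten together with its parent.
function Get-OutermostCandidates([Ast]$Root) {
    $Root.FindAll({ param($n) & $IsCandidate $n }, $true) | Where-Object {
        $p = $_.Parent
        while ($p) { if (& $IsCandidate $p) { return $false }; $p = $p.Parent }
        $true
    }
}

# Turn a recorded runtime value back into source text (the "stringify" step).
function ConvertTo-Literal($Value) {
    if ($null -eq $Value)       { return '$null' }
    if ($Value -is [string])    { return "'" + $Value.Replace("'", "''") + "'" }
    if ($Value -is [bool])      { if ($Value) { return '$true' } else { return '$false' } }
    if ($Value -is [char])      { return '[char]' + [int]$Value }
    if ($Value -is [ValueType]) { return [string]$Value }   # ints, doubles, ...
    if ($Value -is [System.Collections.IEnumerable]) {
        return '@(' + (@($Value | ForEach-Object { ConvertTo-Literal $_ }) -join ', ') + ')'
    }
    throw "No literal form for $($Value.GetType().FullName)"
}

function Invoke-AstDeobfuscation([string]$Script) {
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Script, [ref]$tokens, [ref]$errors)
    if ($errors.Count) { throw "Parse errors: $($errors -join '; ')" }

    # One dedicated runspace so that state built by earlier statements
    # (here $cmd and $arg) is visible when later expressions are evaluated.
    $rs = [RunspaceFactory]::CreateRunspace()
    $rs.Open()
    $edits = @()
    try {
        foreach ($stmt in $ast.EndBlock.Statements) {
            foreach ($node in Get-OutermostCandidates $stmt) {
                $ps = [powershell]::Create(); $ps.Runspace = $rs
                try {
                    $out = @($ps.AddScript($node.Extent.Text).Invoke())
                    $value = if ($out.Count -eq 1) { $out[0] } else { $out }
                    $edits += [pscustomobject]@{
                        Offset = $node.Extent.StartOffset
                        Length = $node.Extent.EndOffset - $node.Extent.StartOffset
                        Text   = ConvertTo-Literal $value
                    }
                } catch { Write-Warning "Skipping '$($node.Extent.Text)': $_" }
                finally { $ps.Dispose() }
            }
            # Advance the real execution state by one statement.
            $ps = [powershell]::Create(); $ps.Runspace = $rs
            $null = $ps.AddScript($stmt.Extent.Text).Invoke(); $ps.Dispose()
        }
    } finally { $rs.Dispose() }

    # Splice replacements from the end of the text so earlier offsets stay valid.
    $sb = [System.Text.StringBuilder]::new($Script)
    foreach ($e in ($edits | Sort-Object Offset -Descending)) {
        $null = $sb.Remove($e.Offset, $e.Length).Insert($e.Offset, $e.Text)
    }
    $sb.ToString()
}

Invoke-AstDeobfuscation $Obfuscated
```

On the sample, the two string-building expressions are replaced by plain string literals while the final `& $cmd $arg` command is left untouched, since resolving variables used as command names requires tracking values across instructions, which this statement-level approximation does not model. Candidates whose evaluation throws are skipped with a warning rather than aborting the whole rewrite, so a script that fails partway still yields a partially deobfuscated result.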