Set-Alias support

[leumasme]

Currently, deobfuscation seems to hardcode commands to simplify, which can be completely circumvented with Set-Alias.
This is already used in real malware, see: https://minusone.skyblue.team/script/3f4aab4b-df6c-40fc-845f-0aa9eb4e0e43

Example:

 -join ((97, 98, 99) | foreach-object { [Char]$_; })

gets simplified to
"abc"
but

Set-Alias foobar "foreach-object"
 -join ((97, 98, 99) | foobar { [Char]$_; })

does not get simplified, but also evaluates to abc in powershell.

It seems like Set-Alias can only point to a single command/executable without arguments, so it isn't a delayed "eval".

[leumasme]

As a sidenote, a list of defined aliases can be retrieved via Get-Alias
This also lists inbuilt aliases which you currently hardcode, like:

Alias           % -> ForEach-Object                                           
Alias           foreach -> ForEach-Object                                     

[dolphinau]

Adding alias support is definitely interesting !
I'll start to PoC something 🏗️

[dolphinau]

There is also a big potential of obfuscation with Get-Alias

[dolphinau]

Notes for building this:

• The idea is to have a get_command_name that extract command name from a command expression, check if its known, check if an alias exists, and tries to resolve wildcard if any
• To do so, the command/alias context need to be available globally, not only in the scope of the Alias rule
• Maybe it's time to have a ScopeManager attached to the DeobufscationEngine, alongside with the storage. It could manage aliases, variables, transactions, ...
• Otherwise, we could build a Command rule like Var with it's scopemanager that resolves all the commands
• In any case, ScopeManager has to be redesigned to be more generic, ie not only handling Var

[leumasme]

Note that aliases are resolved at alias invocation time, not alias creation, so something like this is valid:

Set-Alias foo "bar" 
Set-Alias bar "echo"
foo Hello
# -> echos Hello

Not saying that you have to support this in minusone and I haven't seen an obfuscator abuse this, but it's something to keep in mind if you want to build your alias tracking in a strictly correct way from the start.