As PowerShell power user James Honeycutt points out, PowerShell supports Base64 encoding and decoding of data:
Here it is in text form:
```powershell
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
```
Let's break down this command piece-by-piece:
- [System.Text.Encoding]::Unicode.GetString(: Reference the System.Text.Encoding class by putting it inside square brackets; call the Unicode.GetString static method (static methods can be called using ::; they are accessible without having to create a new instance of an object from a class, like System.Text.Encoding). Essentially, this takes an array of byte values and converts it into a Unicode string object.
- [System.Convert]::FromBase64String(: Reference the [System.Convert] class and call the FromBase64String static method.
- $EncodedText: This variable represents the Base64 string to decode; to use this one-liner, you would have previously declared $EncodedText = BASE64STRING (where BASE64STRING is the Base64 string you want to decode).
- ): End the FromBase64String static method.
- ): End the Unicode.GetString static method.
Yeah, I'll remember that off the top of my head. 🤦♂️
If you need to decode Base64 content often (for example, you work in threat intel, malware analysis, or incident response), this is not terribly convenient to type. It is a good candidate to wrap in a simple PowerShell function that you load in your default PowerShell profile.
A PowerShell profile is a script that runs automatically when you launch PowerShell. It allows you to customize your environment to suit your needs, but it requires that your system's PowerShell execution policy permit script execution (which is disabled by default, for silly reasons). You can change the policy to allow local script execution, but not scripts downloaded from the internet, by running Set-ExecutionPolicy RemoteSigned -Force in an administrative PowerShell session.
To create a handy function to simplify Base64 decoding, open your PowerShell profile in Notepad or your favorite editor using the $profile variable:
```powershell
PS C:\Users\Sec504> notepad $profile
PS C:\Users\Sec504>
```
Next, paste in the following functions to add ConvertFrom-Base64 and ConvertTo-Base64 as PowerShell commands:
```powershell
# Decode a Base64 string and return the bytes as ASCII text
Function ConvertFrom-Base64($base64) {
    return [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($base64))
}

# Encode an ASCII string as Base64
Function ConvertTo-Base64($plain) {
    return [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($plain))
}
```
Next, reload your PowerShell profile using the & call operator (or, close and open a new PowerShell session):
```powershell
PS C:\Users\Sec504> & $profile
PS C:\Users\Sec504>
```
Now you can use the function names ConvertFrom-Base64 and ConvertTo-Base64 as PowerShell commands to work with Base64 data!
```powershell
PS C:\Users\Sec504> ConvertTo-Base64("Hello Base64")
SGVsbG8gQmFzZTY0
PS C:\Users\Sec504> ConvertFrom-Base64("SGVsbG8gQmFzZTY0")
Hello Base64
PS C:\Users\Sec504>
```
In these simple functions, I am converting the data to ASCII strings, which is normally what I want. If you are working with data that needs another form of conversion (such as decompressing data), then I'll probably just copy-paste [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText)) from my Obsidian notebook.
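The one-liner above decodes with Unicode (UTF-16LE) while the profile functions decode with ASCII, and the choice changes the result. The following is an added example, not code from the original article: ConvertFrom-Base64Text and its parameters are hypothetical names, and it shows one decoder that takes the encoding as a parameter and optionally gunzips the decoded bytes first. Both sample inputs are constructed inside the script.

```powershell
# Added example, not from the original article. ConvertFrom-Base64Text and its
# parameters are hypothetical names chosen for this illustration.
function ConvertFrom-Base64Text {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [ValidateSet('ASCII', 'Unicode', 'UTF8')][string]$Encoding = 'ASCII',
        [switch]$Gunzip   # set when the decoded bytes are gzip-compressed text
    )
    # FromBase64String throws a FormatException on input that is not valid Base64
    [byte[]]$bytes = [System.Convert]::FromBase64String($Base64)
    if ($Gunzip) {
        $in  = [System.IO.MemoryStream]::new($bytes)
        $gz  = [System.IO.Compression.GZipStream]::new($in, [System.IO.Compression.CompressionMode]::Decompress)
        $out = [System.IO.MemoryStream]::new()
        try { $gz.CopyTo($out); $bytes = $out.ToArray() }
        finally { $gz.Dispose(); $out.Dispose() }
    }
    $enc = switch ($Encoding) {
        'ASCII'   { [System.Text.Encoding]::ASCII }
        'Unicode' { [System.Text.Encoding]::Unicode }   # UTF-16LE
        'UTF8'    { [System.Text.Encoding]::UTF8 }
    }
    return $enc.GetString($bytes)
}

# Constructed sample 1: text that was Base64-encoded from UTF-16LE bytes.
$b64   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Hello Base64'))
$ascii = ConvertFrom-Base64Text $b64                     # wrong encoding for this input
$utf16 = ConvertFrom-Base64Text $b64 -Encoding Unicode   # matches how it was encoded
'ASCII decode: {0} chars, Unicode decode: {1} chars ({2})' -f $ascii.Length, $utf16.Length, $utf16

# Constructed sample 2: gzip-compressed ASCII text, built here so the script runs offline.
$raw = [Text.Encoding]::ASCII.GetBytes('Hello Base64')
$ms  = [System.IO.MemoryStream]::new()
$gz  = [System.IO.Compression.GZipStream]::new($ms, [System.IO.Compression.CompressionMode]::Compress)
$gz.Write($raw, 0, $raw.Length)
$gz.Dispose()                                            # flushes the gzip trailer into $ms
ConvertFrom-Base64Text ([Convert]::ToBase64String($ms.ToArray())) -Gunzip
```

Decoding UTF-16LE input as ASCII turns each zero byte into its own NUL character, which is why the two decodes of sample 1 differ in length.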
-Joshua Wright
p.s. My #monthofpowershell collaborator Mick Douglas is wrapping up his article on customizing your PowerShell profile in amazing ways. Stay tuned for that to publish soon!
Joshua Wright is the author of SANS SEC504: Hacker Tools, Techniques, and Incident Handling, a faculty fellow for the SANS Institute, and a senior technical director at Counter Hack.