Encode techniques


The encode/ package provides transport-safe byte transformations: Base64 (standard and URL-safe alphabets), UTF-16LE, ROT13, and the PowerShell -EncodedCommand format. Encoding provides no confidentiality: its only job is to let arbitrary bytes survive channels that mangle them (HTTP headers, JSON strings, PowerShell command lines, stdin pipes). Anything that must stay secret goes through crypto/ first.

TL;DR

```mermaid
flowchart LR
    PT[plaintext] -->|encrypt| ENC[crypto.EncryptAESGCM]
    ENC -->|then encode| B64[encode.Base64Encode]
    B64 --> WIRE[ship over HTTP / JSON / PS]
    WIRE -.unwrap.-> B64D[encode.Base64Decode]
    B64D --> DEC[crypto.DecryptAESGCM]
    DEC --> PAYLOAD[shellcode]
```

Encrypt first, then encode. Decode last, then decrypt.
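The pipeline in the diagram, written out as an added example against the Go standard library rather than the maldev crypto/ and encode/ APIs (this is not the project's own code; the function names sealAndEncode and decodeAndOpen are hypothetical, and the payload bytes are constructed). It shows the two things the one-liner above leaves implicit: the wire blob is nonce||ciphertext||tag so the receiver can recover the nonce, and Base64 is decoded before the GCM tag is checked, so a mangled or tampered blob fails loudly at one of those two steps rather than producing garbage shellcode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// sealAndEncode encrypts plaintext with AES-256-GCM under key and returns
// nonce||ciphertext||tag as a standard Base64 string: encrypt first, then encode.
func sealAndEncode(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	blob := gcm.Seal(nonce, nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// decodeAndOpen reverses sealAndEncode: decode last, then decrypt.
// A corrupted Base64 string fails at the decoder; a tampered or truncated
// blob fails at the GCM tag check. Neither case yields partial plaintext.
func decodeAndOpen(key []byte, wire string) ([]byte, error) {
	blob, err := base64.StdEncoding.DecodeString(wire)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // AES-256; in practice this comes from the stager's key exchange
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	payload := []byte{0x90, 0x90, 0xcc} // constructed stand-in for shellcode
	wire, err := sealAndEncode(key, payload)
	if err != nil {
		panic(err)
	}
	pt, err := decodeAndOpen(key, wire)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire=%s roundtrip=%v\n", wire, bytes.Equal(pt, payload))
}
```

The same order holds for the URL-safe alphabet: swap base64.StdEncoding for base64.URLEncoding on both sides and nothing else changes, because the cryptography never sees the encoding.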

Packages

| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| encode | encode.md | very-quiet | Base64 (std + URL), UTF-16LE, ROT13, PowerShell -EncodedCommand |

Quick decision tree

| You want to… | Use |
|---|---|
| …embed a binary blob in Go source / JSON / HTTP header | encode.Base64Encode |
| …pass a payload through a URL or filename | encode.Base64URLEncode |
| …feed a Windows API that takes UTF-16 LPWSTR | encode.ToUTF16LE |
| …run a PowerShell script via -EncodedCommand | encode.PowerShell |
| …break a static string signature on Win32 API names | encode.ROT13 (novelty) |
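The UTF-16LE and -EncodedCommand rows above, as an added example using only the Go standard library (not the encode package's own ToUTF16LE or PowerShell implementations; toUTF16LE, encodedCommand, decodeEncodedCommand and urlSafeToken are hypothetical names). The format PowerShell expects is plain standard-alphabet Base64 over the UTF-16LE bytes of the script, with no BOM and no trailing newline; the decoder is included because it is the same transform a detection pipeline applies to a -EncodedCommand argument seen in process creation logs, and it rejects odd byte counts that cannot be valid UTF-16LE. urlSafeToken covers the Base64URL row: same bytes, different alphabet, no padding.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"unicode/utf16"
)

// toUTF16LE converts a Go (UTF-8) string to UTF-16LE bytes, the form Windows
// LPWSTR parameters and PowerShell's -EncodedCommand consume. Characters
// outside the BMP become surrogate pairs via utf16.Encode.
func toUTF16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		out[2*i] = byte(u)      // low byte first: little-endian
		out[2*i+1] = byte(u >> 8)
	}
	return out
}

// encodedCommand returns the argument for powershell.exe -EncodedCommand:
// standard Base64 (with padding) over the UTF-16LE bytes of the script.
func encodedCommand(script string) string {
	return base64.StdEncoding.EncodeToString(toUTF16LE(script))
}

// decodeEncodedCommand is the reverse transform a defender applies to a
// logged -EncodedCommand value: Base64 -> UTF-16LE -> string.
func decodeEncodedCommand(enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	if len(raw)%2 != 0 {
		return "", errors.New("odd byte count: not UTF-16LE")
	}
	units := make([]uint16, len(raw)/2)
	for i := range units {
		units[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(units)), nil
}

// urlSafeToken encodes bytes with the URL/filename-safe alphabet ('-' and '_'
// instead of '+' and '/') and no '=' padding, so the result survives a query
// string or a path segment without percent-encoding.
func urlSafeToken(b []byte) string {
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	script := "Write-Host 'hi'" // constructed sample script
	enc := encodedCommand(script)
	fmt.Printf("powershell.exe -NoProfile -EncodedCommand %s\n", enc)
	back, err := decodeEncodedCommand(enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decoded: %q\n", back)
	fmt.Printf("url-safe: %s\n", urlSafeToken([]byte{0xfb, 0xff, 0xbf}))
}
```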

MITRE ATT&CK

| ATT&CK ID | Name | Package / functions | D3FEND counter |
|---|---|---|---|
| T1027 | Obfuscated Files or Information | encode (PowerShell, Base64) | D3-SEA |
| T1027.013 | Encrypted/Encoded File | encode (Base64 wrapper for ciphertext) | D3-FCR |
| T1140 | Deobfuscate/Decode Files or Information | encode.Base64Decode, encode.Base64URLDecode | D3-FCR |

See also