Tool for obfuscating PowerShell scripts, written in Go. The main goal of this program is to obfuscate PowerShell code to make its analysis and detection harder. The script offers 5 levels of obfuscation, from basic obfuscation to script fragmentation. This lets users tailor the obfuscation level to their specific needs.
./psobf -h
██████╗ ███████╗ ██████╗ ██████╗ ███████╗
██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝
██████╔╝███████╗██║ ██║██████╔╝█████╗
██╔═══╝ ╚════██║██║ ██║██╔══██╗██╔══╝
██║ ███████║╚██████╔╝██████╔╝██║
╚═╝ ╚══════╝ ╚═════╝ ╚═════╝ ╚═╝
@TaurusOmar
v.1.0
Usage: ./obfuscator -i -o -level <1|2|3|4|5>
Options:
-i string
Name of the PowerShell script file.
-level int
Obfuscation level (1 to 5). (default 1)
-o string
Name of the output file for the obfuscated script. (default "obfuscated.ps1")
Obfuscation levels:
1: Basic obfuscation by splitting the script into individual characters.
2: Base64 encoding of the script.
3: Alternative Base64 encoding with a different PowerShell decoding method.
4: Compression and Base64 encoding of the script, which is decoded and decompressed at runtime.
5: Fragmentation of the script into multiple parts and reconstruction at runtime.
Features:
- Obfuscation Levels: 4 levels of obfuscation, each more complex than the previous one.
- Level 1 obfuscation by splitting the script into individual characters.
- Level 2 Base64 encoding of the script.
- Level 3 Alternative Base64 encoding with a different PowerShell decoding method.
- Level 4 Compression and Base64 encoding of the script, which is decoded and decompressed at runtime.
- Level 5 Fragmentation of the script into multiple parts and reconstruction at runtime.
- Compression and Encoding: Level 4 includes script compression before encoding it in base64.
- Variable Obfuscation: A function was added to obfuscate the names of variables in the PowerShell script.
- Random String Generation: Random strings are generated for variable name obfuscation.
Installation
go install github.com/TaurusOmar/psobf@latest
Example of Obfuscation Levels
The obfuscation levels are divided into 5 options. First, you need a PowerShell file that you want to obfuscate. Let's assume you have a file named script.ps1 with the following content:
Write-Host "Hello, World!"
Level 1: Basic Obfuscation
Run the script with level 1 obfuscation.
./obfuscator -i script.ps1 -o obfuscated_level1.ps1 -level 1
This will generate a file named obfuscated_level1.ps1 with the obfuscated content. The result is a version of your script where each character is separated by commas and combined at runtime.
Result (level 1)
$obfuscated = $([char[]]("`W`,`r`,`i`,`t`,`e`,`-`,`H`,`o`,`s`,`t`,` `,`"`,`H`,`e`,`l`,`l`,`o`,`,` `,`W`,`o`,`r`,`l`,`d`,`!`,`"`") -join ''); Invoke-Expression $obfuscated
Level 2: Base64 Encoding
Run the script with level 2 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level2.ps1 -level 2
This will generate a file named obfuscated_level2.ps1 with the content encoded in base64. When this script is executed, the content is decoded and run at runtime.
Result (level 2)
$obfuscated = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('V3JpdGUtSG9zdCAiSGVsbG8sIFdvcmxkISI=')); Invoke-Expression $obfuscated
Level 3: Alternative Base64 Encoding
Run the script with level 3 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level3.ps1 -level 3
This level uses a slightly different form of base64 encoding and decoding in PowerShell, adding an additional layer of obfuscation.
Result (level 3)
$e = [System.Convert]::FromBase64String('V3JpdGUtSG9zdCAiSGVsbG8sIFdvcmxkISI='); $obfuscated = [System.Text.Encoding]::UTF8.GetString($e); Invoke-Expression $obfuscated
Level 4: Compression and Base64 Encoding
Run the script with level 4 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level4.ps1 -level 4
This level compresses the script before encoding it in base64, making analysis more complicated. The result is decoded and decompressed at runtime.
Result (level 4)
$compressed = 'H4sIAAAAAAAAC+NIzcnJVyjPL8pJUQQAlRmFGwwAAAA='; $bytes = [System.Convert]::FromBase64String($compressed); $stream = New-Object IO.MemoryStream(, $bytes); $decompressed = New-Object IO.Compression.GzipStream($stream, [IO.Compression.CompressionMode]::Decompress); $reader = New-Object IO.StreamReader($decompressed); $obfuscated = $reader.ReadToEnd(); Invoke-Expression $obfuscated
Level 5: Script Fragmentation
Run the script with level 5 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level5.ps1 -level 5
This level fragments the script into multiple parts and reconstructs it at runtime.
Result (level 5)
$fragments = @(
'Write-',
'Output "',
'Hello,',
' Wo',
'rld!',
'"'
);
$script = $fragments -join '';
Invoke-Expression $script
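For analysts who receive a script wrapped this way, the stager shapes shown above for levels 2 to 5 can be unwrapped statically, without ever reaching Invoke-Expression. The following Python sketch is an added example, not part of psobf; the names recover and build_samples are this example's own, and the sample stagers are constructed to match the shapes printed on this page rather than captured from the tool.

```python
import base64
import gzip
import re
import zlib

MAX_OUT = 1 << 20  # cap decompressed size so a hostile sample cannot exhaust memory
B64_LITERAL = r"'([A-Za-z0-9+/=]+)'"
LEVEL_2_3 = re.compile(r"FromBase64String\(\s*" + B64_LITERAL + r"\s*\)")
LEVEL_4 = re.compile(r"=\s*" + B64_LITERAL + r"\s*;.*GzipStream", re.S)
LEVEL_5 = re.compile(r"@\((.*)-join\s*''", re.S)
QUOTED = re.compile(r"'((?:[^']|'')*)'")  # PowerShell single-quoted string, '' escapes '


def recover(stager):
    """Return (label, recovered script) from a stager; nothing is executed."""
    m = LEVEL_4.search(stager)
    if m:
        raw = base64.b64decode(m.group(1))
        # wbits=31 selects the gzip container; the second argument bounds the output
        data = zlib.decompressobj(wbits=31).decompress(raw, MAX_OUT)
        return "level 4", data.decode("utf-8", "replace")
    m = LEVEL_2_3.search(stager)
    if m:
        return "level 2/3", base64.b64decode(m.group(1)).decode("utf-8", "replace")
    m = LEVEL_5.search(stager)
    if m:
        # Re-join the quoted fragments in order, as the stager would at runtime
        parts = QUOTED.findall(m.group(1))
        return "level 5", "".join(p.replace("''", "'") for p in parts)
    return "unrecognised", None


def build_samples():
    """Constructed stagers in the shapes shown on this page."""
    script = b'Write-Host "Hello, World!"'
    b64 = base64.b64encode(script).decode()
    gz = base64.b64encode(gzip.compress(script)).decode()
    return {
        "level 2/3": "$e = [System.Convert]::FromBase64String('" + b64 + "'); "
                     "$obfuscated = [System.Text.Encoding]::UTF8.GetString($e)",
        "level 4": "$compressed = '" + gz + "'; $s = New-Object "
                   "IO.Compression.GzipStream($stream, $mode)",
        "level 5": "$fragments = @(\n'Write-',\n'Host \"',\n'Hello,',\n' Wo',\n"
                   "'rld!',\n'\"'\n);\n$script = $fragments -join '';",
    }


if __name__ == "__main__":
    for name, text in build_samples().items():
        print(name, "->", recover(text))
```

Level 1 is left out because the character list as printed on this page cannot be split unambiguously.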
This program is provided for educational and research purposes. It should not be used for malicious activities.