Tool for obfuscating PowerShell scripts, written in Go. The main goal of this program is to obfuscate PowerShell code to make its analysis and detection harder. The script offers 5 levels of obfuscation, from basic obfuscation to script fragmentation. This allows users to tailor the obfuscation level to their specific needs.
./psobf -h
██████╗ ███████╗ ██████╗ ██████╗ ███████╗
██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝
██████╔╝███████╗██║ ██║██████╔╝█████╗
██╔═══╝ ╚════██║██║ ██║██╔══██╗██╔══╝
██║ ███████║╚██████╔╝██████╔╝██║
╚═╝ ╚══════╝ ╚═════╝ ╚═════╝ ╚═╝
@TaurusOmar
v.1.0
Usage: ./obfuscator -i -o -level <1|2|3|4|5>
Options:
-i string
Name of the PowerShell script file.
-level int
Obfuscation level (1 to 5). (default 1)
-o string
Name of the output file for the obfuscated script. (default "obfuscated.ps1")
Obfuscation levels:
1: Basic obfuscation by splitting the script into individual characters.
2: Base64 encoding of the script.
3: Alternative Base64 encoding with a different PowerShell decoding method.
4: Compression and Base64 encoding of the script, which is decoded and decompressed at runtime.
5: Fragmentation of the script into multiple parts and reconstruction at runtime.
Features:
- Obfuscation Levels: 4 levels of obfuscation, each more complex than the previous one.
- Level 1 obfuscation by splitting the script into individual characters.
- Level 2 Base64 encoding of the script.
- Level 3 Alternative Base64 encoding with a different PowerShell decoding method.
- Level 4 Compression and Base64 encoding of the script, which is decoded and decompressed at runtime.
- Level 5 Fragmentation of the script into multiple parts and reconstruction at runtime.
- Compression and Encoding: Level 4 includes script compression before encoding it in Base64.
- Variable Obfuscation: A function was added to obfuscate the names of variables in the PowerShell script.
- Random String Generation: Random strings are generated for variable name obfuscation.
Install
go install github.com/TaurusOmar/psobf@latest
Example of Obfuscation Levels
The obfuscation levels are divided into 5 options. First, you must have a PowerShell file that you want to obfuscate. Let's assume you have a file named script.ps1 with the following content:
Write-Host "Hello, World!"
Level 1: Basic Obfuscation
Run the script with level 1 obfuscation.
./obfuscator -i script.ps1 -o obfuscated_level1.ps1 -level 1
This will generate a file named obfuscated_level1.ps1 with the obfuscated content. The result will be a version of your script where each character is separated by commas and combined at runtime.
Result (level 1)
$obfuscated = $([char[]]("`W`,`r`,`i`,`t`,`e`,`-`,`H`,`o`,`s`,`t`,` `,`"`,`H`,`e`,`l`,`l`,`o`,`,` `,`W`,`o`,`r`,`l`,`d`,`!`,`"`") -join ''); Invoke-Expression $obfuscated
Level 2: Base64 Encoding
Run the script with level 2 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level2.ps1 -level 2
This will generate a file named obfuscated_level2.ps1 with the content encoded in Base64. When this script is executed, it will be decoded and run at runtime.
Result (level 2)
$obfuscated = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('V3JpdGUtSG9zdCAiSGVsbG8sIFdvcmxkISI=')); Invoke-Expression $obfuscated
Level 3: Alternative Base64 Encoding
Run the script with level 3 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level3.ps1 -level 3
This level uses a slightly different form of Base64 encoding and decoding in PowerShell, adding an additional layer of obfuscation.
Result (level 3)
$e = [System.Convert]::FromBase64String('V3JpdGUtSG9zdCAiSGVsbG8sIFdvcmxkISI='); $obfuscated = [System.Text.Encoding]::UTF8.GetString($e); Invoke-Expression $obfuscated
Level 4: Compression and Base64 Encoding
Run the script with level 4 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level4.ps1 -level 4
This level compresses the script before encoding it in Base64, making analysis more complicated. The result will be decoded and decompressed at runtime.
Result (level 4)
$compressed = 'H4sIAAAAAAAAC+NIzcnJVyjPL8pJUQQAlRmFGwwAAAA='; $bytes = [System.Convert]::FromBase64String($compressed); $stream = New-Object IO.MemoryStream(, $bytes); $decompressed = New-Object IO.Compression.GzipStream($stream, [IO.Compression.CompressionMode]::Decompress); $reader = New-Object IO.StreamReader($decompressed); $obfuscated = $reader.ReadToEnd(); Invoke-Expression $obfuscated
Level 5: Script Fragmentation
Run the script with level 5 obfuscation:
./obfuscator -i script.ps1 -o obfuscated_level5.ps1 -level 5
This level fragments the script into multiple parts and reconstructs it at runtime.
Result (level 5)
$fragments = @(
'Write-',
'Output "',
'Hello,',
' Wo',
'rld!',
'"'
);
$script = $fragments -join '';
Invoke-Expression $script
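For an analyst handed one of these wrappers, the layers at levels 2 to 5 can be undone statically, without ever running Invoke-Expression. The Python sketch below is an added example, not part of psobf or its README; the function name recover and its shape labels are assumptions, and the level 4 and level 5 samples are constructed in the same shape as the results above.

```python
import base64
import gzip
import re
import zlib

QUOTED = re.compile(r"'((?:[^']|'')*)'")          # PowerShell single-quoted literal
B64 = re.compile(r"'([A-Za-z0-9+/]{8,}={0,2})'")  # quoted Base64 blob

def recover(script):
    """Return (shape, recovered_source), or (None, None) if no shape matches.

    Nothing is executed; the embedded literal is decoded the way the wrapper
    would decode it before handing it to Invoke-Expression.
    """
    if "@(" in script and "-join" in script:      # level 5 shape: fragment array
        body = script[script.index("@("):script.index("-join")]
        return "fragments", "".join(p.replace("''", "'") for p in QUOTED.findall(body))
    m = B64.search(script)
    if not m or "FromBase64String" not in script:
        return None, None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        if "GzipStream" in script:                # level 4 shape
            return "gzip+base64", gzip.decompress(raw).decode("utf-8")
        return "base64", raw.decode("utf-8")      # level 2 and 3 shapes
    except (ValueError, OSError, EOFError, zlib.error):
        return None, None                         # corrupt or truncated blob

# Level 2 result line as shown on this page.
SAMPLE_L2 = ("$obfuscated = [System.Text.Encoding]::UTF8.GetString([System.Convert]::"
             "FromBase64String('V3JpdGUtSG9zdCAiSGVsbG8sIFdvcmxkISI=')); "
             "Invoke-Expression $obfuscated")
# Constructed samples in the level 4 and level 5 shapes.
_blob = base64.b64encode(gzip.compress(b'Write-Host "Hello, World!"')).decode()
SAMPLE_L4 = ("$compressed = '" + _blob + "'; $bytes = [System.Convert]::"
             "FromBase64String($compressed); $stream = New-Object IO.MemoryStream(, $bytes); "
             "$decompressed = New-Object IO.Compression.GzipStream($stream, "
             "[IO.Compression.CompressionMode]::Decompress)")
SAMPLE_L5 = ("$fragments = @('Write-', 'Output \"', 'Hello,', ' Wo', 'rld!', '\"'); "
             "$script = $fragments -join ''; Invoke-Expression $script")

if __name__ == "__main__":
    for sample in (SAMPLE_L2, SAMPLE_L4, SAMPLE_L5):
        print(recover(sample))
```

Every result shape on this page ends in Invoke-Expression over a string built from a literal, so the recovered text is what script block logging or a content scanner would need to inspect.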
This program is provided for educational and research purposes. It should not be used for malicious activities.