Invoke-Obfuscation (PowerShell code obfuscation)

Getting started

git clone https://github.com/danielbohannon/Invoke-Obfuscation.git

cd Invoke-Obfuscation

powershell

Import-Module ./Invoke-Obfuscation.psd1

Invoke-Obfuscation

Usage

set

Set the location of the PowerShell code to obfuscate:

set scriptpath C:\Users\nathan\Desktop\1.ps1

set scriptpath http://192.168.1.121/1.ps1

set scriptblock powershell -nop -w hidden -e (the PowerShell code to be obfuscated goes here)

tutorial

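1. Load a scriptblock (set scriptblock) or a script path/URL (set SCRIPTPATH).

2. Options shown in yellow navigate the obfuscation menus; options shown in green apply obfuscation.

Enter 'BACK/CD ..' to go to the previous menu and 'HOME/MAIN' to go to the home menu.

Enter 'encoding' and then 5 to apply SecureString obfuscation.

3. Enter 'TEST/EXEC' to test the obfuscated command locally.

Enter 'SHOW' to see the currently obfuscated command.

4. Enter 'COPY/CLIP' to copy the command to the clipboard.

Enter 'OUT' to write the obfuscated command to disk.

5. Enter 'RESET' to remove all obfuscation and start over.

Enter 'UNDO' to undo the last obfuscation.

Enter 'HELP/?' to display the help menu.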

help

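Help menu

Show the tool usage tutorial: TUTORIAL

Show the help menu: HELP, GET-HELP, ?, /?, MENU

Show the options for the payload to obfuscate: SHOW OPTIONS, SHOW, OPTIONS

Clear the screen: CLEAR, CLEAR-HOST, CLS

Execute the obfuscated command locally: EXEC, EXECUTE, TEST, RUN

Copy the obfuscated command to the clipboard: COPY, CLIP, CLIPBOARD

Write the obfuscated command to disk: OUT

Reset all obfuscation applied to the command: RESET

Undo the last obfuscation applied to the command: UNDO

Go back to the previous obfuscation menu: BACK, CD ..

Quit Invoke-Obfuscation: QUIT, EXIT

Return to the main menu: HOME, MAIN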

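Available options

TOKEN       Obfuscate PowerShell command tokens

AST         Obfuscate PowerShell AST nodes (PS3.0+)

STRING      Obfuscate the entire command as a string

ENCODING    Obfuscate the entire command via encoding

COMPRESS    Convert the entire command to a one-liner and compress it

LAUNCHER    Obfuscate command arguments with launcher techniques (run once at the end)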

token

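TOKEN\STRING        Obfuscate string tokens (recommended to run first)

TOKEN\COMMAND       Obfuscate command tokens

TOKEN\ARGUMENT      Obfuscate argument tokens

TOKEN\MEMBER        Obfuscate member tokens

TOKEN\VARIABLE      Obfuscate variable tokens

TOKEN\TYPE          Obfuscate type tokens

TOKEN\COMMENT       Remove all comment tokens

TOKEN\WHITESPACE    Insert random whitespace (recommended to run last)

TOKEN\ALL           Select all choices from above (random order)

TOKEN\ALL\1         Execute all token obfuscation techniques (random order)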

AST

AST\NamedAttributeArgumentAst      Obfuscate NamedAttributeArgumentAst nodes

AST\ParamBlockAst                   Obfuscate ParamBlockAst nodes

AST\ScriptBlockAst                  Obfuscate ScriptBlockAst nodes

AST\AttributeAst                     Obfuscate AttributeAst nodes

AST\BinaryExpressionAst              Obfuscate BinaryExpressionAst nodes

AST\HashtableAst                     Obfuscate HashtableAst nodes

AST\CommandAst                     Obfuscate CommandAst nodes

AST\AssignmentStatementAst           Obfuscate AssignmentStatementAst nodes

AST\TypeExpressionAst                Obfuscate TypeExpressionAst nodes

AST\TypeConstraintAst                Obfuscate TypeConstraintAst nodes

AST\ALL                              Select All choices from above

string

STRING\1    Concatenate entire command

STRING\2    Reorder entire command after concatenating

STRING\3    Reverse entire command after concatenating

encoding

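ENCODING\1          Encode the entire command as ASCII

ENCODING\2          Encode the entire command as Hex

ENCODING\3          Encode the entire command as Octal

ENCODING\4          Encode the entire command as Binary

ENCODING\5          Encode the entire command as SecureString (AES)

ENCODING\6          Encode the entire command as BXOR

ENCODING\7          Encode the entire command as Special Characters

ENCODING\8          Encode the entire command as Whitespace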

compress

COMPRESS\1          Convert the entire command to a one-liner and compress it

launcher

LAUNCHER\PS         PowerShell

LAUNCHER\CMD        Cmd + PowerShell

LAUNCHER\WMIC       Wmic + PowerShell

LAUNCHER\RUNDLL     Rundll32 + PowerShell

LAUNCHER\VAR+       Cmd + set Var && PowerShell iex Var

LAUNCHER\STDIN+     Cmd + Echo | PowerShell - (stdin)

LAUNCHER\CLIP+      Cmd + Echo | Clip && PowerShell iex clipboard

LAUNCHER\VAR++      Cmd + set Var && Cmd && PowerShell iex Var

LAUNCHER\STDIN++    Cmd + set Var && Cmd Echo | PowerShell - (stdin)

LAUNCHER\CLIP++     Cmd + Echo | Clip && Cmd && PowerShell iex clipboard

LAUNCHER\RUNDLL++   Cmd + set Var && Rundll32 && PowerShell iex Var

LAUNCHER\MSHTA++    Cmd + set Var && Mshta && PowerShell iex Var

