danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0

Some Encoding techniques slow down script execution #23

Closed ilgrank closed 6 years ago

ilgrank commented 6 years ago

Hi Daniel,

Thanks for this awesome project!

I've experienced that on moderately long PS1 scripts (~50kb), some of the encoding 'schemes' slow down script execution considerably.

I've tracked the 'offending' code down to

FAST -> $BaseScriptArray += "[$CharStr[]]" + ' '*(Get-Random -Input @(0,1)) + $Enc[...]
SLOW -> $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + "'" + $Delimit[...]
SLOW -> #$BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + "'" + $Delimit[...]
SLOW -> $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray [...]

danielbohannon commented 6 years ago

Thanks for the feedback! Are you saying that the obfuscation is slowing considerably, or that the execution of the post-obfuscated script is executing slower for payloads obfuscated with the latter three options?

ilgrank commented 6 years ago

Hi, sorry for being unclear: the obfuscated code is very slow during execution.

danielbohannon commented 6 years ago

Alright, that's interesting. The first syntax is an array, but all the others are massive strings of the encoded command with several randomly-selected delimiters.

Thanks for the info. So it sounds like it's not a bug in Invoke-Obfuscation, but just a performance impact to be aware of for large payloads for certain encoding syntaxes. Obfuscation was never meant to be the fastest or most performant, just very randomized :)