Open G-e-V-e opened 6 years ago
cobbr
commented
6 years ago @Geeeert Can you post the exact Invoke-Obfuscation command you are running, and the version of PowerShell you are using?
I can't seem to reproduce the issue with:
PS > Invoke-Obfuscation -ScriptPath .\Test-ADPassword.ps1 -Command 'Token\All\1,Encoding\6,String\2' -Quiet
G-e-V-e
commented
6 years ago Hi,
$PSVersionTable returns:
PSVersion 5.1.14409.1012
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14409.1012
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
I do more or less the same as you do: $Scriptpath = "C:\Users\Geeeert\Documents\Functions\Function New-ADPassword.ps1" $Obfuscate = 'TOKEN\ALL\1,ENCODING\6,STRING\2' Invoke-Obfuscation -ScriptPath $ScriptPath -Command $Obfuscate -Quiet | Out-File $OutPath
The funny thing is... I had the same error twice in a row but now I can't reproduce it again on that same laptop. Judging from the result, I suppose a lot of randomizing is going on in these Out-xxx scripts, so maybe it's just a matter of chance whether it hits or not?
I leave it up to you if you investigate more time or just drop it. I noticed that some of these obfuscated scripts don't run successfully either. After all, this module is supposed to be a demo of the power of obfuscating powershell, right?
Kind regards, Geeeert
danielbohannon
commented
6 years ago "I noticed that some of these obfuscated scripts don't run successfully either."
Can you provide any more information regarding the errors you are seeing when running the obfuscated scripts? Or can you provide these resultant scripts?
G-e-V-e
commented
6 years ago Hi,
It depends very much on which obfuscation-command being given whether the resulting script(s) get obfuscated at all or run successfully after obfuscation. I had a runtime error while running the obfuscated equivalent of one of the smallest functions I know:
Function Get-ShortName {BEGIN {$fso = New-Object -ComObject Scripting.FileSystemObject} PROCESS {if ($.psiscontainer) {$fso.getfolder($.fullname).ShortName} else {$fso.getfile($_.fullname).ShortName} } } Get-Childitem "C:\Users\Geeeert\Documents\any existing file.txt" | Get-ShortName
Sometimes the resulting script works after obfuscation, sometimes it doesn't.
I ran the same bulk obfuscation command again, and I got up to 3 errors out of 48 scripts being obfuscated. The command was 'TOKEN\ALL\1,ENCODING\6,STRING\2'
2 errors had this errortext: Exception calling "NewScriptBlock" with "1" argument(s): "At line:1 char:8178
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ParseExceptionOut-ObfuscatedStringCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the c ommand again. At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1246 char:108
+ CategoryInfo : InvalidData: (:) [Out-ObfuscatedStringCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedStringCommand1 error had this errortext: Exception calling "NewScriptBlock" with "1" argument(s): "At line:44 char:90
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ParseExceptionOut-ObfuscatedTokenCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the co mmand again. At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1238 char:108
+ CategoryInfo : InvalidData: (:) [Out-ObfuscatedTokenCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedTokenCommandException calling "NewScriptBlock" with "1" argument(s): "At line:44 char:90
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ParseExceptionOut-EncodedBXORCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the comman d again. At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1270 char:108
+ CategoryInfo : InvalidData: (:) [Out-EncodedBXORCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Out-EncodedBXORCommandException calling "NewScriptBlock" with "1" argument(s): "At line:44 char:90
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ParseExceptionOut-ObfuscatedStringCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the c ommand again. At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1246 char:108
+ CategoryInfo : InvalidData: (:) [Out-ObfuscatedStringCommand], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedStringCommandSo, instead of attaching the scripts getting an error while being obfuscated, I attach the snippet of PowerShell code I use to do the bulk obfuscation. It's not perfect, I know, but it may give you the opportunity to find out four yourself where, when and why things go wrong. Obfuscating "Function Test-ADPassword.ps1" (as passed in the original issue) still results in error quite often.
For me, this invoke-obfuscation module is just demo stuff: it doesn't have to be working 100% of the time. It would be nice if it does though. Btw, there are other ways to add to PowerShell obfuscation, such as code injection.
Kind regards, Geeeert Obfuscate-Script.zip
While doing bulk obfuscations using -Command 'TOKEN\ALL\1,ENCODING\6,STRING\2' I got an error while calling "Out-ObfuscatedStringCommand" at line 1246 in "Invoke-Obfuscation.ps1". Only 1 PowerShell function out of 44 had that issue, but it has it consistently.
$error[0]|select *
PSMessageDetails : Exception : System.Management.Automation.ParameterBindingValidationException: Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provi de an argument that is not null or empty, and then try the command again. ---> System.Management.Automation.ValidationMetadataException: The argument is nu ll or empty. Provide an argument that is not null or empty, and then try the command again. at System.Management.Automation.ValidateNotNullOrEmptyAttribute.Validate(Object arguments, EngineIntrinsics engineIntrinsics) at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, Parame terBindingFlags flags) --- End of inner exception stack trace --- at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, Parame terBindingFlags flags) at System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal argument, MergedCompiledCommandParameter paramete r, ParameterBindingFlags flags) at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32 parameterSets, CommandParameterInternal argument, MergedCompiledCom mandParameter parameter, ParameterBindingFlags flags) at System.Management.Automation.CmdletParameterBinderController.BindParameters(UInt32 parameterSets, Collection, : line 1
PipelineIterationInfo : {}
1 arguments) at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidation(Collection1 arguments) at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection1 arguments) at System.Management.Automation.CommandProcessor.BindCommandLineParameters() at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary psDefaultParameterValues) at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream) at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input) at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[ ] pipeElementAsts, CommandRedirection[][] commandRedirections, FunctionContext funcContext) at lambda_method(Closure , Object[] , StrongBox1[] , InterpretedFrame ) TargetObject : CategoryInfo : InvalidData: (:) [Out-ObfuscatedStringCommand], ParameterBindingValidationException FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedStringCommand ErrorDetails : InvocationInfo : System.Management.Automation.InvocationInfo ScriptStackTrace : at Show-Menu, G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1: line 1246 at Invoke-Obfuscation, G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1: line 532 atHere is the (zipped) input PowerShell script triggering that error: Function Test-ADPassword.zip
Kind regards, Geeeert