danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0

Launcher Not Escaping % for .bat Files #36

Closed kmackinley closed 6 years ago

kmackinley commented 6 years ago

Hello, I've been troubleshooting an issue with PowerShell Empire, which uses Invoke-Obfuscation.

(https://github.com/EmpireProject/Empire/issues/869)

When obfuscating the stager windows\launcher_bat using the command 'Token\All\1,Launcher\STDIN++\12467', the agent doesn't connect. After troubleshooting a bit, I found that the outputted stager code, while obfuscated, is not escaping the % character with another % as needed for .bat files. When I place another % next to any %'s in the code and run it as a .bat, it works properly.

I believe the issue resides in Out-PowerShellLauncher.ps1, as I can see other characters being escaped but not %; however, I am unsure.

Let me know what you think and I'd be glad to assist where I can if you can point me in the right direction. Thanks!

danielbohannon commented 6 years ago

Yes, the LAUNCHER options in the current Invoke-Obfuscation version only handle escaping for cmd.exe and not necessarily for the commands copied into batch files.

I originally built several additional context-specific LAUNCHER options like macros, C#, etc. but decided not to release them as I felt that they deserved more attention as standalone projects -- and ultimately for me it fell outside my scope of spreading awareness of PowerShell obfuscation capabilities.

BUT, I think it might make an interesting LAUNCHER option to add copies of the launchers you use and have a BATSTDIN++ perhaps that handles this additional layer of escaping. It might be as simple as just adding additional % characters to the line https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-PowerShellLauncher.ps1#L939 (copied into its own block for the separate BATCH version).

kmackinley commented 6 years ago

Found that Empire's generation of the code before obfuscation didn't escape %'s in launcher_bat. Can probably close this for now. Submitted a pull request on Empire's git.