The Out-ObfuscatedCommandArgumentTokenLevel3 treats function names as special CommandArgument tokens that can't be concatenated. I believe that filters should be treated the same way.
I discovered this issue while attempting to obfuscate modules in the Empire project.
This error specifically was found while attempting to obfuscate powerview.ps1
Steps to reproduce
PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/situational_awareness/network/powerview.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1
[*] Validating necessary commands are loaded into current PowerShell session.
[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation
[*] All modules loaded and ready to run Invoke-Obfuscation
PS> Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out
Obfuscating powerview.ps1
[*] Obfuscating 747 Comment tokens.
[*] 600 Comment tokens remaining to obfuscate.
[*] 500 Comment tokens remaining to obfuscate.
[*] 400 Comment tokens remaining to obfuscate.
[*] 300 Comment tokens remaining to obfuscate.
[*] 200 Comment tokens remaining to obfuscate.
[*] 100 Comment tokens remaining to obfuscate.
[*] Obfuscating 1990 String tokens.
[*] 1800 String tokens remaining to obfuscate.
[*] 1700 String tokens remaining to obfuscate.
[*] 1600 String tokens remaining to obfuscate.
[*] 1500 String tokens remaining to obfuscate.
[*] 1400 String tokens remaining to obfuscate.
[*] 1300 String tokens remaining to obfuscate.
[*] 1200 String tokens remaining to obfuscate.
[*] 1100 String tokens remaining to obfuscate.
[*] 1000 String tokens remaining to obfuscate.
[*] 900 String tokens remaining to obfuscate.
[*] 800 String tokens remaining to obfuscate.
[*] 700 String tokens remaining to obfuscate.
[*] 600 String tokens remaining to obfuscate.
[*] 500 String tokens remaining to obfuscate.
[*] 400 String tokens remaining to obfuscate.
[*] 300 String tokens remaining to obfuscate.
[*] 200 String tokens remaining to obfuscate.
[*] 100 String tokens remaining to obfuscate.
[*] Obfuscating 531 Argument tokens.
[*] 400 Argument tokens remaining to obfuscate.
[*] 300 Argument tokens remaining to obfuscate.
[*] 200 Argument tokens remaining to obfuscate.
[*] 100 Argument tokens remaining to obfuscate.
Exception calling "Create" with "1" argument(s): "At line:445 char:7
+ filter ("{0}{2}{1}{3}{4}"-f 'E','t-','xpor','PowerViewCS','V') {
+ ~
Missing name after filter keyword.
(errors continue)
The error message makes it pretty clear that there is a problem with the obfuscated filter name.
The powerview.ps1 file makes use of filters extensively.
Solution
It seems that the issue is that filter names should be treated as a special case, just like function names.
The following code:
# Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations.
# For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality.
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function'))
{
$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token
Return $ScriptString
}
becomes:
# Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations.
# For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality.
# This is also true of the 'filter' keyword
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter'))
{
$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token
Return $ScriptString
}
Problem
The Out-ObfuscatedCommandArgumentTokenLevel3 treats function names as special CommandArgument tokens that can't be concatenated. I believe that filters should be treated the same way.
I discovered this issue while attempting to obfuscate modules in the Empire project.
This error specifically was found while attempting to obfuscate powerview.ps1
Steps to reproduce
The error message makes it pretty clear that there is a problem with the obfuscated filter name.
The powerview.ps1 file makes use of filters extensively.
Solution
It seems that the issue is that filter names should be treated as a special case, just like function names.
The following code:
becomes:
This fixed the issue for me.