danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0

Out-ObfuscatedTokenCommand 'ignorecase' member token should only be obfuscated with RandomCase #5

Closed cobbr closed 7 years ago

cobbr commented 7 years ago

Problem

When obfuscating Member tokens in Out-ObfuscatedTokenCommand, an additional member token, 'ignorecase', should only be obfuscated with RandomCase.

I discovered this issue while attempting to obfuscate modules in the Empire project.

This error specifically was found while attempting to obfuscate Invoke-Shellcode.ps1.

Steps to reproduce

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/code_execution/Invoke-Shellcode.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1

[*] Validating necessary commands are loaded into current PowerShell session.

[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation

[*] All modules loaded and ready to run Invoke-Obfuscation

PS> Out-ObfuscatedTokenCommand -Path .\Invoke-Shellcode.ps1 | Out-File out
Obfuscating Invoke-Shellcode.ps1

[*] Obfuscating 75 Comment tokens.

[*] Obfuscating 98 String tokens.

[*] Obfuscating 88 Command tokens.

[*] Obfuscating 128 Member tokens.
Exception calling "Create" with "1" argument(s): "At line:18 char:52
+                   ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+                                                    ~
Missing closing ')' in expression.
At line:18 char:52
+                   ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+                                                    ~
Parameter declarations are a comma-separated list of variable names with optional initializer expressions.
At line:18 char:52
+                   ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+                                                    ~
(errors continue)

It seems as if the IgnoreCase member token should only be obfuscated with RandomCase.

Solution

Simply adding 'ignorecase' to the $MemberTokensToOnlyRandomCase list fixes the problem, resulting in the following list.

# The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens.
# Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx
$MemberTokensToOnlyRandomCase  = @()
$MemberTokensToOnlyRandomCase += 'mandatory'
$MemberTokensToOnlyRandomCase += 'position'
$MemberTokensToOnlyRandomCase += 'parametersetname'
$MemberTokensToOnlyRandomCase += 'valuefrompipeline'
$MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname'
$MemberTokensToOnlyRandomCase += 'valuefromremainingarguments'
$MemberTokensToOnlyRandomCase += 'helpmessage'
$MemberTokensToOnlyRandomCase += 'alias'
# Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx
$MemberTokensToOnlyRandomCase += 'confirmimpact'
$MemberTokensToOnlyRandomCase += 'defaultparametersetname'
$MemberTokensToOnlyRandomCase += 'helpuri'
$MemberTokensToOnlyRandomCase += 'supportspaging'
$MemberTokensToOnlyRandomCase += 'supportsshouldprocess'
$MemberTokensToOnlyRandomCase += 'positionalbinding'

$MemberTokensToOnlyRandomCase += 'ignorecase'

This seems to fix the issue for me.

danielbohannon commented 7 years ago

Issue fixed in d419d0b4a0592c0cd48d7a22d462477f4b976970 release.
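
Why the string-format form in the error output fails while random case parses, as an added example that is not part of the issue or of Invoke-Obfuscation's own code: inside an attribute, `IgnoreCase = $True` is a named attribute argument, and its name has to be a bare identifier rather than an expression. The `ValidateSet` sample function and the helper name `Get-ParseResult` are constructed for illustration; the format-string text is copied from the error output above.

```powershell
# Added example: parse three spellings of a named attribute argument and
# report what the PowerShell parser makes of each one.
function Get-ParseResult {
    param([Parameter(Mandatory = $true)][string] $ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref] $tokens, [ref] $errors)

    # "Name = value" inside [Attr(...)] is its own AST node type.
    $named = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.NamedAttributeArgumentAst] },
        $true)

    $firstError = $null
    if (@($errors).Count -gt 0) { $firstError = $errors[0].Message }

    [pscustomobject]@{
        ParseErrors    = @($errors).Count
        FirstError     = $firstError
        NamedArguments = @($named | ForEach-Object { $_.ArgumentName }) -join ','
    }
}

# Constructed sample function; __NAME__ is replaced with each spelling below.
$template = @'
function Test-Sample {
    param(
        [ValidateSet('x86', 'x64', __NAME__ = $True)]
        [string] $Arch
    )
}
'@

$variants = [ordered]@{
    'Original'      = 'IgnoreCase'
    'RandomCase'    = 'iGNoReCAsE'
    'Format string' = '("{0}{1}{2}"-f''I'',''gnore'',''Case'')'
}

$variants.GetEnumerator() | ForEach-Object {
    $result = Get-ParseResult -ScriptText $template.Replace('__NAME__', $_.Value)
    $result | Add-Member -NotePropertyName Variant -NotePropertyValue $_.Key -PassThru
} | Format-List Variant, ParseErrors, NamedArguments, FirstError
```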