Closed cobbr closed 7 years ago
When obfuscating Member tokens in Out-ObfuscatedTokenCommand, an additional member token, 'ignorecase', should only be obfuscated with RandomCase.
I discovered this issue while attempting to obfuscate modules in the Empire project.
This error specifically was found while attempting to obfuscate Invoke-Shellcode.ps1.
```
PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/code_execution/Invoke-Shellcode.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1
[*] Validating necessary commands are loaded into current PowerShell session.
[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation
[*] All modules loaded and ready to run Invoke-Obfuscation
PS> Out-ObfuscatedTokenCommand -Path .\Invoke-Shellcode.ps1 | Out-File out
Obfuscating Invoke-Shellcode.ps1
[*] Obfuscating 75 Comment tokens.
[*] Obfuscating 98 String tokens.
[*] Obfuscating 88 Command tokens.
[*] Obfuscating 128 Member tokens.
Exception calling "Create" with "1" argument(s): "At line:18 char:52
+ ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+ ~
Missing closing ')' in expression.
At line:18 char:52
+ ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+ ~
Parameter declarations are a comma-separated list of variable names with optional initializer expressions.
At line:18 char:52
+ ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+ ~
(errors continue)
```
It seems as if the IgnoreCase member token should only be obfuscated with RandomCase.
Simply adding 'ignorecase' to the $MemberTokensToOnlyRandomCase list fixes the problem, resulting in the following list.
```powershell
# The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens.
# Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx
$MemberTokensToOnlyRandomCase  = @()
$MemberTokensToOnlyRandomCase += 'mandatory'
$MemberTokensToOnlyRandomCase += 'position'
$MemberTokensToOnlyRandomCase += 'parametersetname'
$MemberTokensToOnlyRandomCase += 'valuefrompipeline'
$MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname'
$MemberTokensToOnlyRandomCase += 'valuefromremainingarguments'
$MemberTokensToOnlyRandomCase += 'helpmessage'
$MemberTokensToOnlyRandomCase += 'alias'
# Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx
$MemberTokensToOnlyRandomCase += 'confirmimpact'
$MemberTokensToOnlyRandomCase += 'defaultparametersetname'
$MemberTokensToOnlyRandomCase += 'helpuri'
$MemberTokensToOnlyRandomCase += 'supportspaging'
$MemberTokensToOnlyRandomCase += 'supportsshouldprocess'
$MemberTokensToOnlyRandomCase += 'positionalbinding'
$MemberTokensToOnlyRandomCase += 'ignorecase'
```
This seems to fix the issue for me.
Issue fixed in d419d0b4a0592c0cd48d7a22d462477f4b976970 release.
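Why a RandomCase-only rule is needed for this token, as an added example that is not code from Invoke-Obfuscation or Empire: the PowerShell parser accepts a named attribute argument only as a bare identifier, so a case change still parses while a string-format expression in the same position does not. `Get-ParseError` and `Test-Sample` are hypothetical names and both snippets are constructed; the script is only parsed, never executed.

```powershell
# Added example. Test-Sample and Get-ParseError are hypothetical names, and the
# two snippets are constructed for illustration (not copied from Invoke-Shellcode.ps1).
function Get-ParseError {
    param([Parameter(Mandatory = $true)][string] $ScriptText)
    $tokens = $null
    $errors = $null
    # ParseInput only builds the AST; nothing in $ScriptText is executed.
    $null = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref] $tokens, [ref] $errors)
    return ,$errors
}

# Attribute named argument written as a bare identifier in random case.
$randomCase = @'
function Test-Sample {
    param(
        [ValidateSet('x86', 'x64', iGnOrEcAsE = $True)]
        [string] $Architecture
    )
    $Architecture
}
'@

# Same declaration with the name replaced by a string-format expression,
# the form shown in the error output above.
$stringExpression = @'
function Test-Sample {
    param(
        [ValidateSet('x86', 'x64', ("{0}{1}{2}"-f'I','gnore','Case') = $True)]
        [string] $Architecture
    )
    $Architecture
}
'@

foreach ($case in @(
        @{ Name = 'RandomCase';        Text = $randomCase },
        @{ Name = 'String expression'; Text = $stringExpression })) {
    $parseErrors = Get-ParseError -ScriptText $case.Text
    '{0}: {1} parse error(s)' -f $case.Name, $parseErrors.Count
    foreach ($e in $parseErrors) {
        '  line {0} col {1}: {2}' -f $e.Extent.StartLineNumber, $e.Extent.StartColumnNumber, $e.Message
    }
}
```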