danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0
3.59k stars, 759 forks

Malware in your code. #52

Closed ryantkasher closed 4 years ago

ryantkasher commented 4 years ago

```
root@kali:~/Downloads/Invoke-Obfuscation-master# clamscan -v -i
Scanning /root/Downloads/Invoke-Obfuscation-master/Invoke-Obfuscation.psd1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-EncodedAsciiCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-EncodedOctalCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-PowerShellLauncher.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/README.md
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-EncodedBXORCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-SecureStringCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-EncodedWhitespaceCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/LICENSE
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-CompressedCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-EncodedHexCommand.ps1
/root/Downloads/Invoke-Obfuscation-master/Out-EncodedHexCommand.ps1: Win.Downloader.WannaMine-6442440-2 FOUND
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-ObfuscatedTokenCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Invoke-Obfuscation.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-EncodedBinaryCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Invoke-Obfuscation.psm1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-ObfuscatedAst.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-ObfuscatedStringCommand.ps1
Scanning /root/Downloads/Invoke-Obfuscation-master/Out-EncodedSpecialCharOnlyCommand.ps1

----------- SCAN SUMMARY -----------
Known viruses: 6257036
Engine version: 0.101.2
Scanned directories: 1
Scanned files: 18
Infected files: 1
Data scanned: 2.07 MB
Data read: 1.29 MB (ratio 1.61:1)
Time: 46.536 sec (0 m 46 s)
```

ryantkasher commented 4 years ago

Looks as though the .EXAMPLE section contains malware. Remove the following...

```powershell
.EXAMPLE

C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive

powershell -NonInt -NoPr "('57_72}69R74u65P2dR48T6fu73_74;20_27R48T65R6cR6c;6fT20;57}6fP72}6cT64u21;27}20}2dP46T6f}72u65{67T72}6f_75}6e{64P43_6f_6cR6f{72u20;47T72{65T65}6eT3b}20T57_72P69u74u65P2dT48T6fR73;74;20P27T4fu62;66P75{73R63}61}74{69R6fu6eT20T52u6fT63u6b;73u21;27}20;2d;46R6fT72T65P67P72R6fP75{6e}64T43_6fP6cR6f{72;20T47T72T65{65}6e'-SPLiT'P'-SpliT'}'-SPLIt 'u'-SpLIt'{'-SPLit'R' -SplIT '_'-SpliT'T' -SplIt';'| ForEach-Object { ([Convert]::ToInt16(( $_.ToString()),16)-AS[Char]) }) -Join ''|Invoke-Expression"

C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru

-Join (( 57,72 , 69 , 74 , 65, '2d', 48, '6f', 73 ,74, 20, 27 ,48, 65, '6c', '6c','6f', 20,57 , '6f',72,'6c' , 64 ,21 , 27 , 20 ,'2d', 46,'6f', 72 ,65 ,67, 72, '6f', 75 ,'6e', 64 ,43,'6f' , '6c' ,'6f' , 72,20 ,47 , 72 , 65, 65,'6e','3b', 20, 57 ,72,69 ,74 ,65,'2d',48 ,'6f' ,73, 74 ,20 , 27,'4f' ,62, 66,75 , 73 ,63 ,61 ,74 , 69 , '6f' , '6e', 20,52 , '6f',63 , '6b' , 73,21,27 , 20, '2d' ,46 ,'6f', 72,65 ,67, 72 ,'6f' ,75 ,'6e' , 64 , 43,'6f' ,'6c' , '6f' , 72 ,20, 47,72,65 , 65, '6e') |ForEach-Object{ ([Char]([Convert]::ToInt16( ([String]$_) ,16))) })|IEX
```

myhashs commented 4 years ago

Nah, don't use it. I found a lot of malware code inserted in every file. Be aware!

ryantkasher commented 4 years ago

Same. Clever little bird that one.

cobbr commented 4 years ago

@myhashs @ryantkasher Just in case you guys aren't joking:

Invoke-Obfuscator is an obfuscator and does what it claims to do. Some AV providers choose to mark obfuscators as malicious, but calling it malicious doesn't make it so.
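One way to settle what the flagged .EXAMPLE actually does is to decode it statically, never running it. The decoder below is an added example (not from the repository or any commenter); the delimiter set and the hex pairs are copied from the quoted example, the short delimited sample is constructed, and the keyword triage is a deliberately crude first pass.

```python
"""Statically recover the plaintext of the Out-EncodedHexCommand example quoted
in this issue, without executing any PowerShell. Added example, not project code."""
import re

# Delimiter set taken from the -Split chain in the quoted example.
DELIMITERS = "P}u{R_T;"

# Hex pairs exactly as listed in the -PassThru array output quoted above.
HEX_PAIRS = (
    "57 72 69 74 65 2d 48 6f 73 74 20 27 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 27 20 "
    "2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 47 72 65 65 6e 3b 20 "
    "57 72 69 74 65 2d 48 6f 73 74 20 27 4f 62 66 75 73 63 61 74 69 6f 6e 20 "
    "52 6f 63 6b 73 21 27 20 "
    "2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 47 72 65 65 6e"
).split()

# Constructed sample in the same delimited scheme (not taken from the page).
SAMPLE_DELIMITED = "48_65P6c}6cR6f;20u57{6fT72}6c_64"


def decode_hex_list(pairs):
    """Mirror of ForEach-Object { [Char][Convert]::ToInt16($_, 16) } -Join ''."""
    return "".join(chr(int(p, 16)) for p in pairs)


def decode_delimited(encoded, delimiters=DELIMITERS):
    """Mirror of the -Split chain: split on every delimiter, drop empties, decode."""
    parts = re.split("[" + re.escape(delimiters) + "]", encoded)
    return decode_hex_list(p for p in parts if p)


def mentions_download_or_launch(plaintext):
    """Crude triage only: does the recovered script reference a download or
    process launch? A 'no' here is not proof of safety, just a first filter."""
    pattern = r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|start-process"
    return re.search(pattern, plaintext) is not None


if __name__ == "__main__":
    recovered = decode_hex_list(HEX_PAIRS)
    print(recovered)
    print("download/launch keywords:", mentions_download_or_launch(recovered))
    print(decode_delimited(SAMPLE_DELIMITED))
```

The recovered text is the two Write-Host lines from the documentation, which is what the clamscan signature matched.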

HurstLabs commented 4 years ago

I really hope that they are joking, however I'm leaning towards they think Kali makes them hackers and expert malware reverse engineers.

ryantkasher commented 4 years ago

> I really hope that they are joking, however I'm leaning towards they think Kali makes them hackers and expert malware reverse engineers.

@HurstLabs Nope. Definitely malware. There are several items across the full repo. And Kali is a toolbox for those who need it, a toybox for those who know it, and a maze for scriptkiddies LOL. Thanks for that though.

wethenorthcvv commented 4 years ago

@ryantkasher Lol... still can't tell... If you're serious, why not try putting the tools away and un-obfuscate it yourself without the fancy scriptkiddy tools, then you can stop spreading misinformation... unless you are joking, then by all means troll how you please.

ryantkasher commented 4 years ago

Ha. Do with the info as you please, either way, it's as simple as removing the example code or don't. But hey, every one of you keyboard commandos wants their 5 min in the ring right? Trolls gonna troll... XD