infosecn1nja
/
Empire
mirror of https://github.com/infosecn1nja/Empire.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ObfuscatedEmpire

mdns
cobbr 2017-06-21 20:37:06 -05:00
parent c691830ddd
commit 4876227d23
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/powershell/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1
View File

@ -735,7 +735,12 @@ http://www.danielbohannon.com
} }
ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' ')) ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' '))
{ {
$ObfuscatedToken = $TokenContent If($ContainsVariableSpecialCases) {
$ObfuscatedToken = '"' + $TokenContent + '"'
}
Else {
$ObfuscatedToken = $TokenContent
}
} }
ElseIf($ObfuscatedToken.StartsWith('"') -AND $ObfuscatedToken.EndsWith('"') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f')) ElseIf($ObfuscatedToken.StartsWith('"') -AND $ObfuscatedToken.EndsWith('"') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f'))
{ {
@ -855,7 +860,9 @@ http://www.danielbohannon.com
[Int] [Int]
$ObfuscationLevel $ObfuscationLevel
) )
if($Token.Type -ne 'Command') {
$ScriptString
}
# Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token.
$TokenContent = $Token.Content $TokenContent = $Token.Content
@ -1183,6 +1190,7 @@ http://www.danielbohannon.com
-OR ($Token.Content.ToLower() -eq 'computehash') ` -OR ($Token.Content.ToLower() -eq 'computehash') `
-OR ($Token.Content.ToLower() -eq 'tobase64string') ` -OR ($Token.Content.ToLower() -eq 'tobase64string') `
-OR ($Token.Content.ToLower() -eq 'getstring') ` -OR ($Token.Content.ToLower() -eq 'getstring') `
-OR ($Token.Content.ToLower() -eq 'getconstructor') `
-OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) `
-OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) `
-AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')')))))))
@ -1636,7 +1644,7 @@ http://www.danielbohannon.com
) )
# Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}} # Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}}
If($ScriptString.SubString($Token.Start,2) -eq '${') If($ScriptString.SubString($Token.Start,2) -eq '${' -OR $ScriptString.SubString($Token.Start,1) -eq '@')
{ {
Return $ScriptString Return $ScriptString
} }