Module: Rex::Exploitation::Powershell::Obfu

Included in:

Function, Script

Defined in:

lib/rex/exploitation/powershell/obfu.rb

Constant Summary

MULTI_LINE_COMMENTS_REGEX =

Regexp.new(/<#(.*?)#>/m)

SINGLE_LINE_COMMENTS_REGEX =

Regexp.new(/^\s*#(?!.*region)(.*$)/i)

WINDOWS_EOL_REGEX =

Regexp.new(/[\r\n]+/)

UNIX_EOL_REGEX =

Regexp.new(/[\n]+/)

WHITESPACE_REGEX =

Regexp.new(/\s+/)

EMPTY_LINE_REGEX =

Regexp.new(/^$|^\s+$/)

Instance Method Summary

• #standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))) ⇒ String

  Perform standard substitutions.

• #strip_comments ⇒ String

  Remove comments.

• #strip_empty_lines ⇒ String

  Remove empty lines.

• #strip_whitespace ⇒ String

  Remove whitespace This can break some codes using inline .NET.

• #sub_funcs ⇒ String

  Identify function names and replace them.

• #sub_vars ⇒ String

  Identify variables and replace them.

Instance Method Details

#standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))) ⇒ String

Perform standard substitutions

Returns:

• (String) —

  code with standard substitution methods applied

# File 'lib/rex/exploitation/powershell/obfu.rb', line 84

def standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))
  # Save us the trouble of breaking injected .NET and such
  subs.delete('strip_whitespace') unless get_string_literals.empty?
  # Run selected modifiers
  subs.each do |modifier|
    send(modifier)
  end
  code.gsub!(EMPTY_LINE_REGEX, '')

  code
end

#strip_comments ⇒ String

Remove comments

Returns:

• (String) —

  code without comments

# File 'lib/rex/exploitation/powershell/obfu.rb', line 20

def strip_comments
  # Multi line
  code.gsub!(MULTI_LINE_COMMENTS_REGEX, '')
  # Single line
  code.gsub!(SINGLE_LINE_COMMENTS_REGEX, '')

  code
end

#strip_empty_lines ⇒ String

Remove empty lines

Returns:

• (String) —

  code without empty lines

# File 'lib/rex/exploitation/powershell/obfu.rb', line 33

def strip_empty_lines
  # Windows EOL
  code.gsub!(WINDOWS_EOL_REGEX, "\r\n")
  # UNIX EOL
  code.gsub!(UNIX_EOL_REGEX, "\n")

  code
end

#strip_whitespace ⇒ String

Remove whitespace This can break some codes using inline .NET

Returns:

• (String) —

  code with whitespace stripped

# File 'lib/rex/exploitation/powershell/obfu.rb', line 47

def strip_whitespace
  code.gsub!(WHITESPACE_REGEX, ' ')

  code
end

#sub_funcs ⇒ String

Identify function names and replace them

Returns:

• (String) —

  code with function names replaced with unique values

# File 'lib/rex/exploitation/powershell/obfu.rb', line 71

def sub_funcs
  # Find out function names, make map
  get_func_names.each do |var, _sub|
    code.gsub!(var, @rig.init_var(var))
  end

  code
end

#sub_vars ⇒ String

Identify variables and replace them

Returns:

• (String) —

  code with variable names replaced with unique values

# File 'lib/rex/exploitation/powershell/obfu.rb', line 57

def sub_vars
  # Get list of variables, remove reserved
  get_var_names.each do |var, _sub|
    code.gsub!(var, "$#{@rig.init_var(var)}")
  end

  code
end