git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
cd Invoke-Obfuscation
powershell
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation
Set the location of the PowerShell code to obfuscate (a local file, a URL, or an inline script block):
set scriptpath C:\Users\nathan\Desktop\1.ps1
set scriptpath http://192.168.1.121/1.ps1
set scriptblock powershell -nop -w -hidden -e (the PowerShell code to obfuscate goes here)
1. Load a script block (set scriptblock) or a script path/URL (set SCRIPTPATH).
2. Yellow options navigate the obfuscation menus; green options apply obfuscation.
   Enter 'BACK'/'CD ..' to go to the previous menu and 'HOME'/'MAIN' to return to the home menu.
   For example, enter 'encoding' and then '5' to apply SecureString obfuscation.
3. Enter 'TEST'/'EXEC' to test the obfuscated command locally.
   Enter 'SHOW' to view the current obfuscated command.
4. Enter 'COPY'/'CLIP' to copy the command to the clipboard.
   Enter 'OUT' to write the obfuscated command to disk.
5. Enter 'RESET' to remove all obfuscation and start over.
   Enter 'UNDO' to undo the last obfuscation step.
   Enter 'HELP'/'?' to display the help menu.
Help menu
Tool tutorial                                   TUTORIAL
Show the help menu                              HELP, GET-HELP, ?, /?, MENU
Show options for the payload to obfuscate       SHOW OPTIONS, SHOW, OPTIONS
Clear the screen                                CLEAR, CLEAR-HOST, CLS
Execute the obfuscated command locally          EXEC, EXECUTE, TEST, RUN
Copy the obfuscated command to the clipboard    COPY, CLIP, CLIPBOARD
Write the obfuscated command to disk            OUT
Reset all obfuscation on the command            RESET
Undo the last obfuscation on the command        UNDO
Return to the previous obfuscation menu         BACK, CD ..
Quit Invoke-Obfuscation                         QUIT, EXIT
Return to the main menu                         HOME, MAIN
Available options
TOKEN             Obfuscate PowerShell command tokens
AST               Obfuscate PowerShell AST nodes (PS3.0+)
STRING            Obfuscate the entire command as a string
ENCODING          Obfuscate the entire command via encoding
COMPRESS          Convert the entire command to a one-liner and compress it
LAUNCHER          Obfuscate the command arguments with launcher techniques (run once, at the end)
TOKEN\STRING      Obfuscate string tokens (recommended to run first)
TOKEN\COMMAND     Obfuscate command tokens
TOKEN\ARGUMENT    Obfuscate argument tokens
TOKEN\MEMBER      Obfuscate member tokens
TOKEN\VARIABLE    Obfuscate variable tokens
TOKEN\TYPE        Obfuscate type tokens
TOKEN\COMMENT     Remove all comment tokens
TOKEN\WHITESPACE  Insert random whitespace (recommended to run last)
TOKEN\ALL         Select all choices from above (random selection)
TOKEN\ALL\1       Execute all token obfuscation techniques (random order)
AST\NamedAttributeArgumentAst Obfuscate NamedAttributeArgumentAst nodes
AST\ParamBlockAst Obfuscate ParamBlockAst nodes
AST\ScriptBlockAst Obfuscate ScriptBlockAst nodes
AST\AttributeAst Obfuscate AttributeAst nodes
AST\BinaryExpressionAst Obfuscate BinaryExpressionAst nodes
AST\HashtableAst Obfuscate HashtableAst nodes
AST\CommandAst Obfuscate CommandAst nodes
AST\AssignmentStatementAst Obfuscate AssignmentStatementAst nodes
AST\TypeExpressionAst Obfuscate TypeExpressionAst nodes
AST\TypeConstraintAst Obfuscate TypeConstraintAst nodes
AST\ALL Select All choices from above
STRING\1 Concatenate entire command
STRING\2 Reorder entire command after concatenating
STRING\3 Reverse entire command after concatenating
ENCODING\1 Encode the entire command as ASCII
ENCODING\2 Encode the entire command as Hex
ENCODING\3 Encode the entire command as Octal
ENCODING\4 Encode the entire command as Binary
ENCODING\5 Encode the entire command as a SecureString (AES)
ENCODING\6 Encode the entire command with BXOR
ENCODING\7 Encode the entire command as Special Characters
ENCODING\8 Encode the entire command as Whitespace
COMPRESS\1 Convert the entire command to a one-liner and compress it
LAUNCHER\PS PowerShell
LAUNCHER\CMD Cmd + PowerShell
LAUNCHER\WMIC Wmic + PowerShell
LAUNCHER\RUNDLL Rundll32 + PowerShell
LAUNCHER\VAR+ Cmd + set Var && PowerShell iex Var
LAUNCHER\STDIN+ Cmd + Echo | PowerShell - (stdin)
LAUNCHER\CLIP+ Cmd + Echo | Clip && PowerShell iex clipboard
LAUNCHER\VAR++ Cmd + set Var && Cmd && PowerShell iex Var
LAUNCHER\STDIN++ Cmd + set Var && Cmd Echo | PowerShell - (stdin)
LAUNCHER\CLIP++ Cmd + Echo | Clip && Cmd && PowerShell iex clipboard
LAUNCHER\RUNDLL++ Cmd + set Var && Rundll32 && PowerShell iex Var
LAUNCHER\MSHTA++ Cmd + set Var && Mshta && PowerShell iex Var
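The ENCODING and LAUNCHER options above produce command lines that leave recognisable traces in process-creation logs: a base64 UTF-16LE blob after -e/-EncodedCommand, cmdlets such as ConvertTo-SecureString (ENCODING\5) or the -bxor operator (ENCODING\6), an iex/Invoke-Expression call, and runs of caret or backtick escape characters from the CMD launchers and TOKEN options. The following Python script is an added example written from the defender's side; it is not part of this note and not code from Invoke-Obfuscation. It decodes -EncodedCommand arguments and scores a command line against those indicators. The regex, the indicator list and weights, the threshold and the sample command lines are all constructed for this example and should be tuned against your own baseline.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# -EncodedCommand and the unambiguous prefixes PowerShell accepts (-e, -ec, -enc, ...),
# followed by a base64 blob. Hypothetical regex written for this example.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})"
)

# Substrings typical of the ENCODING and LAUNCHER menu output listed above,
# with example weights (hypothetical; tune against your own environment).
INDICATORS = {
    "Invoke-Expression": 2,
    "iex": 2,
    "FromBase64String": 2,
    "ConvertTo-SecureString": 3,  # ENCODING\5 output relies on this cmdlet
    "-bxor": 3,                   # ENCODING\6
    "[char]": 1,                  # ENCODING\1..4 rebuild text from character codes
    "-join": 1,
    "-nop": 1,
    "hidden": 1,
    "clip": 1,                    # LAUNCHER\CLIP+ reads the payload from the clipboard
}
FLAG_THRESHOLD = 4


@dataclass
class Finding:
    decoded: Optional[str]
    score: int
    reasons: List[str] = field(default_factory=list)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline: str) -> Finding:
    """Score a command line (plus its decoded payload, if any) for obfuscation indicators."""
    decoded = decode_encoded_command(cmdline)
    reasons: List[str] = []
    score = 0
    if decoded is not None:
        score += 2
        reasons.append("encoded command")
    # Escape characters that TOKEN and LAUNCHER\CMD style obfuscation scatter through the text.
    if cmdline.count("`") >= 5:
        score += 2
        reasons.append("many backtick escapes")
    if cmdline.count("^") >= 5:
        score += 2
        reasons.append("many caret escapes")
    haystack = cmdline + "\n" + (decoded or "")
    for token, weight in INDICATORS.items():
        # Match whole tokens only, so "iex" does not fire inside an unrelated word.
        pattern = r"(?<![A-Za-z0-9])" + re.escape(token) + r"(?![A-Za-z0-9])"
        if re.search(pattern, haystack, re.IGNORECASE):
            score += weight
            reasons.append(token)
    return Finding(decoded, score, reasons)


def is_suspicious(cmdline: str) -> bool:
    return score_command(cmdline).score >= FLAG_THRESHOLD


def make_encoded(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not taken from any real log).
SAMPLE_BENIGN = 'powershell.exe -Command "Get-ChildItem C:\\Logs"'
SAMPLE_ENCODED = "powershell -nop -w hidden -e " + make_encoded("Write-Host 'hello'")
SAMPLE_SECURESTRING = (
    'powershell -c "$s = ConvertTo-SecureString $blob -Key (1..16); iex $plain"'
)

if __name__ == "__main__":
    for line in (SAMPLE_BENIGN, SAMPLE_ENCODED, SAMPLE_SECURESTRING):
        f = score_command(line)
        print(f"score={f.score:<2} suspicious={is_suspicious(line)} reasons={f.reasons}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Scoring the decoded payload together with the outer command line matters because a harmless-looking launcher can wrap an obfuscated body; conversely, a benign encoded command scores low once the -nop/hidden style flags are absent, which is why the weights rather than the mere presence of -e drive the verdict.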