I have written a PowerShell script over many hours and days and would like to obfuscate it, so that the code is no longer readable or decompilable but the script can still be executed. Is there something like that?
- It is possible, what have you tried? Normally you would think about this BEFORE writing your script. (shadow2020, Mar 30, 2020 at 17:31)
- @shadow2020 I haven't tried anything yet. What would you suggest? (Crow, Mar 30, 2020 at 17:36)
- @Crow - try google? [grin] there are several such articles that show up. ///// HOWEVER ... if you turn on auditing of PoSh scripts you will get all of that info showing up in the audit transcripts. Plus, of course, anyone who wants to "decompile/de-obfuscate" the code can just monitor what shows up in memory, since most methods mean the script MUST be converted to something the PoSh engine can run. (Lee_Dailey, Mar 30, 2020 at 17:54)
- As for this --- 'so that the code is no longer readable or decompilable', this is not possible, period. The PowerShell host must decompile to run the code. It's all base-64 and easily reversed anyway. All one has to do is enable PowerShell Auditing to get at the code. It is why it exists, and why all should be on PSv5 and higher, because earlier versions could not do this. It is this way because hackers regularly use obfuscation to hide their efforts. Most enterprise orgs look for obfuscated scripts and block them anyway. (postanote, Mar 30, 2020 at 22:55)
3 Answers
With regards to actually obfuscating an entire PowerShell script, this site seems to do just that.
I tested a script a little over a year ago and here are some of my findings:
- Windows 10: The obfuscated script worked on Windows 10. I don't remember the PowerShell version I had back then.
- macOS: Confirmed it also works on Macs (if you have PowerShell installed), but I remember there were some errors spat out.
I just tested another script a few minutes ago on a Windows Server 2016 system (PSVersion 5.1, Desktop edition). No issues so far.
Now, as was already mentioned by previous posters, it is important to note that any obfuscation can be hacked into. It's just a matter of incentive for the hacker.
I say "any" specifically because you don't control the hosts on which your PowerShell script will be used. And as such, those who do, if inclined, can alter the binary of the PowerShell program to get it to spit out everything that it does. How easy that is, I do not know. But a quick Google search suggests there are settings available that, if turned on, can log the entire execution of your PowerShell script, obfuscated or not.
A couple of links that touch on PowerShell logging:
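As an added example (not code from any poster in this thread) of the auditing the commenters describe: turning on Script Block Logging and then reading back, from event 4104, the script block text exactly as the engine compiled it, which for an encoded or obfuscated script is the decoded content. The registry path and event ID are the standard Windows ones; the encoded sample command is constructed for the demo, and an elevated Windows PowerShell 5.1 or later session is assumed.

```powershell
# Enable Script Block Logging machine-wide. This is the same policy key that the
# "Turn on PowerShell Script Block Logging" Group Policy setting writes.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# Constructed sample: run a harmless command the way an "obfuscated" script
# typically would, as a base64-encoded (UTF-16LE) command line.
$plain   = 'Write-Output "hello from the encoded block"'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))
powershell.exe -NoProfile -EncodedCommand $encoded

# Read back what the engine actually executed. Event 4104 in the PowerShell
# operational log carries the script block text in clear, regardless of how it
# was encoded or obfuscated on the way in.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 50

$events |
    Where-Object { $_.Message -like '*hello from the encoded block*' } |
    ForEach-Object {
        # Properties[2] of a 4104 event is the ScriptBlockText field.
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ScriptBlock = $_.Properties[2].Value
        }
    }
```

The recovered ScriptBlock value is the plain-text command, which is the point made above: once logging is on, the decoded script is available to whoever administers the host.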
There is a thing named PowerShell Constrained Language mode.
Quoting from here: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
Constrained language mode is a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs.
In Constrained mode, these are not supported:
- COM objects
- Unapproved .NET types
- XAML based workflows
- PowerShell classes
It's best for running administrative tasks; still, it's not better for daily use. To start it, use:
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
Read more here: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
Invoke-Obfuscation, written by Daniel Bohannon, is much better for this purpose. Link: https://github.com/danielbohannon/Invoke-Obfuscation
Usage Guide: https://blog.vonhewitt.com/2017/08/obfuscating-powershell-commands-using/
If you want something to obfuscate your PowerShell code to make it unreadable but keep it working, you should check out a project called Invoke-Obfuscation by Daniel Bohannon. You should check his talk about PowerShell obfuscation where he presented the tool.