From 3619e161b20a70952475c4b087d6c5c23e657321 Mon Sep 17 00:00:00 2001 From: Daniel Bohannon Date: Thu, 2 Mar 2017 22:37:13 -0500 Subject: [PATCH] v1.7 - Added RUNDLL and MSHTA Launchers Added 3 new LAUNCHER options: RUNDLL RUNDLL++ MSHTA++ --- Invoke-Obfuscation.ps1 | 232 +++++++++++++++++++++----------- Out-EncodedAsciiCommand.ps1 | Bin 46196 -> 46188 bytes Out-EncodedBXORCommand.ps1 | Bin 48738 -> 48730 bytes Out-EncodedBinaryCommand.ps1 | Bin 50282 -> 50274 bytes Out-EncodedHexCommand.ps1 | Bin 48594 -> 48586 bytes Out-EncodedOctalCommand.ps1 | Bin 48120 -> 48112 bytes Out-ObfuscatedStringCommand.ps1 | Bin 100074 -> 100082 bytes Out-PowerShellLauncher.ps1 | Bin 161294 -> 195242 bytes Out-SecureStringCommand.ps1 | Bin 49844 -> 49836 bytes README.md | 8 +- 10 files changed, 156 insertions(+), 84 deletions(-) diff --git a/Invoke-Obfuscation.ps1 b/Invoke-Obfuscation.ps1 index 935cb2b..f2020ed 100644 --- a/Invoke-Obfuscation.ps1 +++ b/Invoke-Obfuscation.ps1 @@ -197,7 +197,7 @@ http://www.danielbohannon.com $MenuLevel_Token += , @($LineSpacing, 'MEMBER' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'VARIABLE' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'TYPE ' , 'Obfuscate tokens') - $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') + $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') $MenuLevel_Token += , @($LineSpacing, 'WHITESPACE' , 'Insert random (suggested to run last)') $MenuLevel_Token += , @($LineSpacing, 'ALL ' , 'Select choices from above (random order)') 
@@ -252,19 +252,22 @@ http://www.danielbohannon.com $MenuLevel_Encoding += , @($LineSpacing, '4' , "`tEncode entire command as " , @('Out-EncodedBinaryCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '5' , "`tEncrypt entire command as (AES)" , @('Out-SecureStringCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '6' , "`tEncode entire command as " , @('Out-EncodedBXORCommand' , '', '')) - + # Main\Launcher Menu. $MenuLevel_Launcher = @() $MenuLevel_Launcher += , @($LineSpacing, 'PS' , "`t") $MenuLevel_Launcher += , @($LineSpacing, 'CMD' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'WMIC' , ' + PowerShell') + $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'VAR+' , 'Cmd + set && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN+' , 'Cmd + | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP+' , 'Cmd + | Clip && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'VAR++' , 'Cmd + set && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN++' , 'Cmd + set && Cmd | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP++' , 'Cmd + | Clip && Cmd && PowerShell iex ') - + $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL++' , 'Cmd + set Var && && PowerShell iex Var') + $MenuLevel_Launcher += , @($LineSpacing, 'MSHTA++' , 'Cmd + set Var && && PowerShell iex Var') + $MenuLevel_Launcher_PS = @() $MenuLevel_Launcher_PS += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 23459)`n", '' , '' , @('', '', '')) $MenuLevel_Launcher_PS += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '1')) 
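Review bot: The three rows added to `$MenuLevel_Launcher` (RUNDLL, RUNDLL++, MSHTA++) carry no comment saying which Windows binary ends up hosting the PowerShell launch. As rendered on this page the RUNDLL++ and MSHTA++ descriptions are also identical (`'Cmd + set Var && && PowerShell iex Var'`), so the menu text alone does not tell them apart. A comment above the block would help anyone using the tool to validate detections, for example `# RUNDLL*/MSHTA++: PowerShell is started via rundll32.exe / mshta.exe; expect that parent in process-creation logs`. The binary names are inferred from the option names, because Out-PowerShellLauncher.ps1 appears only as a binary delta in this patch.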
@@ -301,77 +304,113 @@ http://www.danielbohannon.com $MenuLevel_Launcher_WMIC += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '3')) + $MenuLevel_Launcher_RUNDLL = @() + $MenuLevel_Launcher_RUNDLL += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 23459)`n", '' , '' , @('', '', '')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) + $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) + ${MenuLevel_Launcher_VAR+} = @() ${MenuLevel_Launcher_VAR+} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n", '' , '' , @('', '', '')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) - ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_VAR+} 
+= , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_STDIN+} = @() ${MenuLevel_Launcher_STDIN+} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 23459)`n", '' , '' , @('', '', '')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) - ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , 
@('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_CLIP+} = @() ${MenuLevel_Launcher_CLIP+} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 23459)`n", '' , '' , @('', '', '')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) - ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) + 
${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_VAR++} = @() ${MenuLevel_Launcher_VAR++} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 23459)`n", '' , '' , @('', '', '')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) - ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION 
FLAGS' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_STDIN++} = @() ${MenuLevel_Launcher_STDIN++} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n", '' , '' , @('', '', '')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , "`tNO EXECUTION FLAGS" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , "`t-NoExit" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , "`t-NonInteractive" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , "`t-NoLogo" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , "`t-NoProfile" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , "`t-Command" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , "`t-WindowStyle Hidden" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , "`t-ExecutionPolicy Bypass" , @('Out-PowerShellLauncher', '', '8')) - ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , "`t-Wow64 (to path 32-bit powershell.exe)" , @('Out-PowerShellLauncher', '', '8')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , "`tNO EXECUTION FLAGS" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , "`t-NoExit" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , "`t-NonInteractive" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , "`t-NoLogo" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , "`t-NoProfile" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , "`t-Command" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , "`t-WindowStyle Hidden" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , 
"`t-ExecutionPolicy Bypass" , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , "`t-Wow64 (to path 32-bit powershell.exe)" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_CLIP++} = @() ${MenuLevel_Launcher_CLIP++} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 23459)`n", '' , '' , @('', '', '')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '9')) - ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '9')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , 
@('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '10')) + ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '10')) + + ${MenuLevel_Launcher_RUNDLL++} = @() + ${MenuLevel_Launcher_RUNDLL++} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 23459)`n", '' , '' , @('', '', '')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '11')) + ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '11')) + + ${MenuLevel_Launcher_MSHTA++} = @() + ${MenuLevel_Launcher_MSHTA++} += , @("Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n", '' , '' , @('', '', '')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '12')) + ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '12')) # Input options to display non-interactive menus or perform actions. $TutorialInputOptions = @(@('tutorial') , " of how to use this tool `t " ) @@ -424,15 +463,13 @@ http://www.danielbohannon.com { $UserResponse = ([String]$UserResponse).Trim() - # Keep previous response for scenarios like $MenuInputOptions. If($HomeMenuInputOptions[0] -Contains ([String]$UserResponse).ToLower()) { $UserResponse = '' } - $LastUserResponse = $UserResponse # Display menu if it is defined in a menu variable with $UserResponse in the variable name. - If(Get-Variable "MenuLevel$UserResponse" -ErrorAction SilentlyContinue) + If(Test-Path ('Variable:' + "MenuLevel$UserResponse")) { $UserResponse = Show-Menu (Get-Variable "MenuLevel$UserResponse").Value $UserResponse $Script:OptionsMenu } 
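Review bot: Inserting RUNDLL as launcher level '4' renumbers every existing launcher after it (VAR+ moves from '4' to '5', and so on up to CLIP++ from '9' to '10'), so a saved invocation that passes the old numeric level to Out-PowerShellLauncher would presumably select a different launcher after this commit. The same numbers are repeated by hand in the `'\launcher\...'` switch of the later -1020 hunk, and nothing ties the two tables together. Giving RUNDLL the next free number instead of 4 would have kept the old values stable. Failing that, one comment that records the mapping, such as `# Launcher levels: 1=PS 2=CMD 3=WMIC 4=RUNDLL 5=VAR+ ... 12=MSHTA++`, gives both tables a single reference. The ten near-identical flag rows per launcher could also be generated in a loop over the launcher names and levels.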
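Review bot: `Test-Path ('Variable:' + "MenuLevel$UserResponse")` treats the typed response as a wildcard path and, unlike the `Get-Variable ... -ErrorAction SilentlyContinue` it replaces, has no error suppression. A response containing `*`, `?` or `[` may therefore match an unintended menu variable or surface a provider error at the prompt. `If(Test-Path -LiteralPath "Variable:MenuLevel$UserResponse")` keeps the existence check literal. The `Get-Variable "MenuLevel$UserResponse"` call on the following line also accepts wildcards and would need the same care. The enclosing loop starts and ends outside the hunk.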
@@ -539,10 +576,46 @@ http://www.danielbohannon.com } If($MenuName -ne '') { + # Handle specific case substitutions from what is ALL CAPS in interactive menu and then correct casing we want to appear in the Breadcrumb. + $BreadCrumbOCD = @() + $BreadCrumbOCD += , @('ps' ,'PS') + $BreadCrumbOCD += , @('cmd' ,'Cmd') + $BreadCrumbOCD += , @('wmic' ,'Wmic') + $BreadCrumbOCD += , @('rundll' ,'RunDll') + $BreadCrumbOCD += , @('var+' ,'Var+') + $BreadCrumbOCD += , @('stdin+' ,'StdIn+') + $BreadCrumbOCD += , @('clip+' ,'Clip+') + $BreadCrumbOCD += , @('var++' ,'Var++') + $BreadCrumbOCD += , @('stdin++' ,'StdIn++') + $BreadCrumbOCD += , @('clip++' ,'Clip++') + $BreadCrumbOCD += , @('rundll++','RunDll++') + $BreadCrumbOCD += , @('mshta++' ,'Mshta++') + $BreadCrumbArray = @() ForEach($Crumb in $BreadCrumb.Split('_')) { - $BreadCrumbArray += $Crumb.SubString(0,1).ToUpper() + $Crumb.SubString(1).ToLower() + # Perform casing substitutions for any matches in $BreadCrumbOCD array. + $StillLookingForSubstitution = $TRUE + ForEach($Substitution in $BreadCrumbOCD) + { + If($Crumb.ToLower() -eq $Substitution[0]) + { + $BreadCrumbArray += $Substitution[1] + $StillLookingForSubstitution = $FALSE + } + } + + # If no substitution occurred above then simply upper-case the first character and lower-case all the remaining characters. + If($StillLookingForSubstitution) + { + $BreadCrumbArray += $Crumb.SubString(0,1).ToUpper() + $Crumb.SubString(1).ToLower() + + # If no substitution was found for the 3rd or later BreadCrumb element (only for Launcher BreadCrumb) then throw a warning so we can add this substitution pair to $BreadCrumbOCD. + If(($BreadCrumb.Split('_').Count -eq 2) -AND ($BreadCrumb.StartsWith('Launcher_')) -AND ($Crumb -ne 'Launcher')) + { + Write-Warning "No substituion pair was found for `$Crumb=$Crumb in `$BreadCrumb=$BreadCrumb. Add this `$Crumb substitution pair to `$BreadCrumbOCD array in Invoke-Obfuscation." + } + } } $BreadCrumb = $BreadCrumbArray -Join '\' } 
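Review bot: The warning guard tests `$BreadCrumb.Split('_').Count -eq 2`, while the comment above it speaks of the "3rd or later BreadCrumb element", so either the comment or the comparison is off. With `-eq 2`, a Launcher breadcrumb with more than two parts would never warn. The message text also misspells "substituion" (should be "substitution"). Because a crumb can match at most one pair, the inner `ForEach` could stop at the first hit, or `$BreadCrumbOCD` could be a hashtable keyed by the lower-case name so the lookup is a single `ContainsKey` test. The enclosing function starts and ends outside the hunk.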
@@ -694,7 +767,7 @@ http://www.danielbohannon.com # Cause UserInput of base menu level directories to automatically work. # The only exception is STRING if the current MenuName is _token since it can be the base menu STRING or TOKEN/STRING. - If((($MenuLevel | ForEach-Object {$_[1]}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) + If((($MenuLevel | ForEach-Object {$_[1].Trim()}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) { $UserInput = 'home/' + $UserInput.Trim() } @@ -743,7 +816,7 @@ http://www.danielbohannon.com @(97..122) | ForEach-Object {$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')} @(0..9) | ForEach-Object {$TempUserInput = $TempUserInput.Replace($_,'')} $TempUserInput = $TempUserInput.Replace(' ','').Replace('+','').Replace('#','').Replace('\','').Replace('/','').Replace('-','').Replace('?','') - #If($TempUserInput.Length -gt 0) + If(($TempUserInput.Length -gt 0) -AND !($UserInput.Trim().ToLower().StartsWith('set ')) -AND !($UserInput.Trim().ToLower().StartsWith('out '))) { # Replace any simple wildcard with .* syntax. @@ -762,7 +835,7 @@ http://www.danielbohannon.com # See if there are any filtered matches in the current menu. Try { - $MenuFiltered = ($Menu | Where-Object {($_[1] -Match $UserInput) -AND ($_[1].Length -gt 0)} | ForEach-Object {$_[1]}) + $MenuFiltered = ($Menu | Where-Object {($_[1].Trim() -Match $UserInput) -AND ($_[1].Trim().Length -gt 0)} | ForEach-Object {$_[1].Trim()}) } Catch { 
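Review bot: `$_[1].Trim()` is added here and three more times in the -762 hunk, presumably because menu labels are padded for column alignment. Trimming the label once when the menu rows are read, or in one small helper, would remove the repetition and keep the next comparison from forgetting it. In this hunk the right-hand side `$UserInput.Split('/\')[0]` is still compared untrimmed even though `$UserInput.Trim()` is used on the next line, so input with leading whitespace may fail to match unless it was trimmed earlier, outside the visible lines. In the -762 hunk the trimmed label is matched with `-Match $UserInput`, which treats the input as a regular expression, and a short comment there noting that the surrounding `Try` exists to absorb invalid patterns would make the intent clear.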
@@ -1020,12 +1093,15 @@ http://www.danielbohannon.com '\launcher\ps' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 1} '\launcher\cmd' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 2} '\launcher\wmic' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 3} - '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} - '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} - '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} - '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} - '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} - '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} + '\launcher\rundll' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} + '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} + '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} + '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} + '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} + '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} + '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 10} + '\launcher\rundll++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 11} + '\launcher\mshta++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 12} default {Write-Error "An invalid value ($($BreadCrumb.ToLower())) was passed to switch block for setting `$Function when `$OverrideAcceptableInput -eq `$TRUE."; Exit} } # Extract $ObfLevel from first element in array (in case 0th element is used for informational purposes), and extract $Token from $BreadCrumb. @@ -1302,6 +1378,7 @@ http://www.danielbohannon.com { # Get file path information from user input. $UserInputOutputFilePath = $UserInput.Trim().SubString(4).Trim() + Write-Host '' } Else { 
@@ -1367,22 +1444,13 @@ C:\Windows\Notepad.exe $OutputFilePath Write-Host " SHOW OPTIONS" -NoNewLine -ForegroundColor Yellow Write-Host " and look at ObfuscatedCommand." } - ElseIf($Script:ObfuscatedCommand.Length -gt $CmdMaxLength) - { - Write-Host "`n`nWARNING:" -NoNewLine -ForegroundColor Red - Write-Host " ObfuscatedCommand length (" -NoNewLine - Write-Host "$($Script:ObfuscatedCommand.Length)" -NoNewLine -ForegroundColor Yellow - Write-Host ") exceeds cmd.exe limit ($CmdMaxLength).`n Enter" -NoNewLine - Write-Host " OUT" -NoNewLine -ForegroundColor Yellow - Write-Host " to write ObfuscatedCommand out to disk." -NoNewLine - } ElseIf($Script:ObfuscatedCommand -ne '') { # Copy ObfuscatedCommand to clipboard. # Try-Catch block introduced since PowerShell v2.0 without -STA defined will not be able to perform clipboard functionality. Try { - $null = [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") + $Null = [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") [Windows.Forms.Clipboard]::SetText($Script:ObfuscatedCommand) If($Script:LauncherApplied) @@ -1409,7 +1477,7 @@ C:\Windows\Notepad.exe $OutputFilePath Else { Write-Host "`n`nWARNING: " -NoNewLine -ForegroundColor Red - Write-Host $ErrorMessage -NoNewLine + Write-Host $ErrorMessage If($Script:CliSyntax -gt 0) {Start-Sleep 2} } @@ -2024,7 +2092,7 @@ http://www.danielbohannon.com Write-Host "`tTwitter :: @danielhbohannon" -ForegroundColor Magenta Write-Host "`tBlog :: http://danielbohannon.com" -ForegroundColor Magenta Write-Host "`tGithub :: https://github.com/danielbohannon/Invoke-Obfuscation" -ForegroundColor Magenta - Write-Host "`tVersion :: 1.6" -ForegroundColor Magenta + Write-Host "`tVersion :: 1.7" -ForegroundColor Magenta Write-Host "`tLicense :: Apache License, Version 2.0" -ForegroundColor Magenta Write-Host "`tNotes :: If(!`$Caffeinated) {Exit}" -ForegroundColor Magenta } \ No newline at end of file 
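Review bot: Removing the `ElseIf($Script:ObfuscatedCommand.Length -gt $CmdMaxLength)` branch means an over-length command now falls through to the clipboard branch with no warning, unless the length check was moved elsewhere. Out-PowerShellLauncher.ps1 changes only as a binary delta in this patch, so that cannot be confirmed from what is shown. If `$CmdMaxLength` is no longer read in this function, its assignment should be removed too, or a comment should say where the limit is now enforced. On the touched line, `[Reflection.Assembly]::LoadWithPartialName` is obsolete and `Add-Type -AssemblyName System.Windows.Forms` is the usual replacement. The enclosing function starts and ends outside the hunk.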
diff --git a/Out-EncodedAsciiCommand.ps1 b/Out-EncodedAsciiCommand.ps1 index ad118379cbd5ed16182bf7e03d5e46494aec349b..283878118bc122abd060a2f9f4606db19d555450 100644 GIT binary patch delta 26 icmezJg6Yi*rVV!Wlg-QpCdWncOrGG*wmGAo#}ojlUkcLz delta 22 ecmaF!g6Yc(rVV!WlMmEzOg?8Qu-UI(&J+NN!U}Ex diff --git a/Out-EncodedBXORCommand.ps1 b/Out-EncodedBXORCommand.ps1 index 1d90e1f8a753910e2971cecb6ad956cbfb7f5ede..2a80263c2c2368c3dcea755937ca120b68306fcc 100644 GIT binary patch delta 18 acmaF#hw0WIrVT2clb|hbaK7;|nhU 
diff --git a/Out-EncodedBinaryCommand.ps1 b/Out-EncodedBinaryCommand.ps1 index 3bc6414b0c9d41431e2fed450e15b7a99686ff76..ae9893efc363bd6ab06a80dd856a95696fff0cb5 100644 GIT binary patch delta 22 ecmaFW!ThL$d4oy+X+E|xCX`^HUQZ04Wj@6 delta 29 lcmey=%l4|5tziqJM8o70^LQqIc)~WhAzE&GKm+3A{Yc6e-cDc4(yF#lbI0{b&YgX1JJhz0O1^iviFe@~lR;(cBFk}W^XSHCf zH95+wm0`a%tJ14^4Ks|`i-YsLTDbutOc#$9W24;}c+%S7z%A~~z?}^3 z>e32$?KW*2_cPp}(~%)OcWFzt9lTCkkXRY+rxSUQyMKcPPc5E-4L^v*e;ss@|3xUk zs)A^&nU|h;IZqL6y^Np|a~EDTHPTa{ zo|nr@d|j+1ER!{w3lERl@inxpkd3Zp3WTaorlFT95L!fHUkf{4by>F4s}=GiIIERn zhW=xHDC~{`u*FkCrUYEtbO?QM+Ppg%o-XpVAIiT;YBNt5hNF zZ8znSEgw<>_q4{E=r6Oug04N$^xBo&^^2{`A;B;QliF8hbSoUqVH|G8@6vcpT-feh zb@pf}AK~lx4MXw2vteXRXg+5I_ioFNU&S)nD)Pap?X?*@LaiW1Sv$P?rIFEz>xQ9t zRs=?;DLCIaBI}YZ8LXJnzJ|IFLNZphd+@Gyvub3xS(SINs!v=*SnzoJ?X299M`uee zuH9xUjP!=K+r&(4W95wyqHm>d+ru&Xzc;pd3yrJjY}(1Iw=oT8%?oVa4(18+%I%*y zp*`M{fnEKv)Zv47(08rXz+7j)*U-`d<8W91yZGczYoOuU4-(j1m!r4FK|>x>%7H#G z2X4DDCknfcO(UBFW={zn*71Y+bi52^;OY-oP7QYQS)LKJM0tUsTb4}ukET5fkr}M~)c7ViGfKH}1y2`yE{Jrm!5%^x{HeVP^9~-86}qwRK;D6Ju%>x~ zHnfdL#D>Z=W*9wD1RF2CoX>B!vM*ON?oPHuEy`x=WU$p{;C!|iyZP6}PEA_!7IB{- z)O+@@9Vo`*H_vi<*fC!KBU_XbwkS7Le+eARHC zkU}GO!>oWA?=gLSN#f8gMSb9E#5a`c0UjQ{*MVpL88_A72gG+^(x=5Z z=8jGjH3<2WC79HgotCe{#&a;y;ZFD)4!rM4^abUobO{%J=D_-8=Io#rGDB22oI`N?)mjpCs>{xGh zEK?v?vm^~Wrn+>nJ3!%sCX$GC~)MA&-7KaFzGB;sKW9*4(p0IP_|In!z}-f6sUpWhfMI9jm$YPAIokk z82-!-Rx>@c0JaQo&w(-*%)!wEc~r*Z!)F%2rf;%3TLD?L8EC`-?X;{FY~;HZQiiv- zK&pjo7TB+jBW?A=%3%&0Y{~S|1F%2{BPPr;JhlZMNZKosE8@3TP7l9JxfS{^{gP1` zd!*erp+`53MwpPXH1>(zZ!^r3b=b7lgcp;JiDZQ0`yvBrdc@ztutsvlMi9SfDW|v`Q%bd- z+RLzR^PBlhH1hwDqm?vMe2PR2jDo)spK%V)U+HV5eNB)}tJgss{>o{?lz|xm{}x{aG+D)h-+4?_{<+zEaf zxgIPuV8!7IEfd@|cpR6tGq2QXci!n<~h)8!VSdblIaONS^QF zm^@fS3fF8Te-9OC1y+1(H;ofWIiOA3#Z|jKF=_bRQ8)R%02dU{3wOfq^BGp0d8`Nt7|aYAzn|LUJDH;X|D; z1rpa8VKJfaqU?N5ZH)6vxfMzq^6^BOo$EsHs8UQ6$ILjo*MYC?Oi##X=ISwYK5I-~ z7-)**MSaZBq{r=e+phHZU|X9A=2)i$*35#~$plM%m{U5+^+8saP$c5l2c>`-99B3S 
zvJ{>=X;ZEdtDZ{6vOieudJ#xZCMD75LI55*npPqQV)6}2Kp@cVDq-x!(aH?$7+Sr5 zLoBZUX|t+qWlfwNVUE<_UyS!=c+SEfhQR7u9ZYBn+XpxLUM*1Q7GD4z6T%*xUp-rz z6fr$boZ$&(jyysf$UU0_`p%THFv1`|XwlnzKzm<-92{9}mQ8Z)sEB+Ib4lj)_!Qc* z7IG3pB^Ie4w~)8glz{_#ZCS0%s!rCfNX{*-;-n{sPR4y-!l!iK|EJaRPCp^|vs ziICCE%Zj=;WA0no2{IygGaUMf)Qg2IY3<-g?rHdfhv$XL1dR+UEs=bqgoC-*TbztH zK2fxPLmV}nVXrVh#*`XU&%_jC^&>4xvFV{0Qz_Rtxi3tl+_qFm$`F(Uhh?8a^c1l# ze4z34`wqIk-emEHiX0tGwNNCSk#JP5!Xn((jhGa*8VORtp3uj-F5BhOA;Cv1^Jkv1 zWw&V8FqSqBX$6NWZ1N1f@a3gZfWq+Ejjs)cz?FEy&qA!QgwCQ!oo#L^mL0XwGao{7 zbuTNT)Xs!iSMw{?vk+-QzQ|gX$v7^upFm+6`CGxQ4uWsQny^}JSJmEd^eQI}Z8A-d zD(5T2!Gkkt`^Qj)uHk7+%B+?!p}fLIwm`CLJ)+;tWy>`|O62qza5Ai3RVWGTj9kS` z237)kyYG5tVZV=_6@wIT6bGJ>Nt&-rZNqP6PdV}g2aUkHYq6NPdHQ3LL?|M z%+wciVaOqagrq=t*@N0lAmqYD2#G|Hxr`RMXcH}Z-zSkg-nra&&bja0!eyv|e9)kQpVLbV8o_{CbwaAPK_^^<2*0EkIQ}X3wN3n? zejJ^_*M%s}A z_fe;oHRj`uapUli@>hV5x85k{sWE4fPj%P8eDy;=jH_$1pT?$eUo#zdJN7l#VGu?w z_CtI@v2}?$o=Rvglf9)T45~TG3l)4WQNX{%b((0!Jo-7#vMKr*bHty-y4_4uC}!{M z(#nMb!mh82o890j7V&L({p@aSQlUO#7k|vHl-(pEbuV{ZU*^eIn zK7D~!oT%~8T@8JdpNr)b$zwf|Ij|ck(uOxpex64jRmyP>b~C=a8KlWo^vcWtb|9@^ zL2ojMVVa!Ab-7iA8xAV*U<-|Y$7(VjV4ifhAk*ksGX`ZOj9ms5hA}2>{n*3M;Cu5` z=BVEWE%jm0vPorIa*_U(1u6U#>nRXJ8>JU9$}=$=1yX2`f0sq%<^paUJ+LV69O;y^ Z?=Wejw^JA*^<6+F*D!Tbrp`0x>R%M>%!vR1 diff --git a/Out-SecureStringCommand.ps1 b/Out-SecureStringCommand.ps1 index 66e53414799b8b3cd3146256fae14655780fca22..32226fc3fc7f67b69ae6fe39bfdde0ddd2daa9c0 100644 GIT binary patch delta 22 dcmdne%DkqPd4pQ-WV1e*$$gG&n*(}NOaW>R2-pAs delta 26 icmZ3}%DknOd4pQ-