Module refinery.lib.scripts.ps1.deobfuscation
PowerShell AST deobfuscation transforms.
"""
PowerShell AST deobfuscation transforms.
"""
from refinery.lib.scripts.pipeline import DeobfuscationPipeline, TransformerGroup
from refinery.lib.scripts.ps1.deobfuscation.aliases import Ps1AliasInlining
from refinery.lib.scripts.ps1.deobfuscation.constants import Ps1ConstantInlining, Ps1NullVariableInlining
from refinery.lib.scripts.ps1.deobfuscation.deadcode import Ps1DeadCodeElimination
from refinery.lib.scripts.ps1.deobfuscation.emulator import Ps1ForEachPipeline, Ps1FunctionEvaluator
from refinery.lib.scripts.ps1.deobfuscation.expandable import Ps1ExpandableStringHoist
from refinery.lib.scripts.ps1.deobfuscation.folding import Ps1ConstantFolding
from refinery.lib.scripts.ps1.deobfuscation.iexinline import Ps1IexInlining
from refinery.lib.scripts.ps1.deobfuscation.securestring import Ps1SecureStringDecryptor
from refinery.lib.scripts.ps1.deobfuscation.simplify import Ps1Simplifications
from refinery.lib.scripts.ps1.deobfuscation.typecast import Ps1TypeCasts
from refinery.lib.scripts.ps1.deobfuscation.typenames import Ps1TypeSystemSimplifications
from refinery.lib.scripts.ps1.deobfuscation.wildcards import Ps1WildcardResolution
from refinery.lib.scripts.ps1.model import Ps1Script
# The four transformer groups, built up front under their own names so the
# dependency and invalidation tables below can be read against them.
_NORMALIZE = TransformerGroup(
    'normalize',
    Ps1Simplifications,
    Ps1AliasInlining,
    Ps1WildcardResolution,
    Ps1TypeSystemSimplifications,
)
_FOLD = TransformerGroup(
    'fold',
    Ps1ConstantFolding,
    Ps1DeadCodeElimination,
    Ps1ConstantInlining,
    Ps1ExpandableStringHoist,
    Ps1TypeCasts,
    Ps1NullVariableInlining,
)
# NOTE(review): this group emulates script-defined functions and pipelines
# (see the emulator sub-module); it runs over untrusted sample content, so
# any step or resource limits for that emulation live in that module — confirm there.
_EVALUATE = TransformerGroup(
    'evaluate',
    Ps1ForEachPipeline,
    Ps1FunctionEvaluator,
)
_FINALIZE = TransformerGroup(
    'finalize',
    Ps1SecureStringDecryptor,
    Ps1IexInlining,
)

# Module-wide pipeline instance used by `deobfuscate`. Groups form a linear
# chain: fold needs normalize, evaluate needs fold, finalize needs evaluate.
# Only 'fold' is declared to invalidate other groups; 'evaluate' and
# 'finalize' have no entry, and what the pipeline assumes for a missing
# key is defined by DeobfuscationPipeline, not here.
_pipeline = DeobfuscationPipeline(
    groups=[_NORMALIZE, _FOLD, _EVALUATE, _FINALIZE],
    dependencies={
        'fold': {'normalize'},
        'evaluate': {'fold'},
        'finalize': {'evaluate'},
    },
    invalidates={
        'normalize': set(),
        'fold': {'normalize', 'evaluate', 'finalize'},
    },
)
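def deobfuscate(ast: Ps1Script, max_steps: int = 0) -> int:
    """
    Apply all available deobfuscators to the input.

    The pipeline is run twice over the same AST: first with
    `Ps1NullVariableInlining` disabled, then with it enabled. The step
    counts reported by the two runs are summed and returned.

    Args:
        ast: The parsed PowerShell script. `run` only returns a step count,
            so the script is presumably transformed in place.
        max_steps: Forwarded unchanged to each `DeobfuscationPipeline.run`
            call. NOTE(review): both runs receive the same value, so if
            `run` caps its own step count at `max_steps` the returned total
            can reach twice that — confirm against the pipeline.

    Returns:
        The combined number of pipeline steps performed by both runs.
    """
    # `enabled` is a class attribute, i.e. process-global state shared by
    # every caller; concurrent calls to this function would interfere with
    # each other's setting of it.
    previous = Ps1NullVariableInlining.enabled
    try:
        # First pass without null-variable inlining ...
        Ps1NullVariableInlining.enabled = False
        steps = _pipeline.run(ast, max_steps=max_steps)
        # ... then a second pass with it switched on.
        Ps1NullVariableInlining.enabled = True
        steps += _pipeline.run(ast, max_steps=max_steps)
    finally:
        # Restore the flag even when a run raises, so a failure in one call
        # does not leave the transformer disabled for later callers.
        Ps1NullVariableInlining.enabled = previous
    return steps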
Sub-modules
refinery.lib.scripts.ps1.deobfuscation.aliases-
Inline command aliases defined via Set-Alias / New-Alias.
refinery.lib.scripts.ps1.deobfuscation.constants-
Inline constant variable references in PowerShell scripts.
refinery.lib.scripts.ps1.deobfuscation.deadcode-
Eliminate dead code from PowerShell scripts after constant folding.
refinery.lib.scripts.ps1.deobfuscation.emulator-
Evaluate user-defined PowerShell functions called with constant arguments.
refinery.lib.scripts.ps1.deobfuscation.expandable-
Hoist void subexpressions out of expandable strings, replacing the expandable string with a plain string literal of its text parts. The hoisted …
refinery.lib.scripts.ps1.deobfuscation.folding-
PowerShell constant folding transforms.
refinery.lib.scripts.ps1.deobfuscation.iexinline-
Inline constant IEX (Invoke-Expression) and [scriptblock]::Create() calls by parsing the string argument …
refinery.lib.scripts.ps1.deobfuscation.securestring-
PowerShell SecureString decryption transformer.
refinery.lib.scripts.ps1.deobfuscation.simplify-
PowerShell syntax normalization transforms.
refinery.lib.scripts.ps1.deobfuscation.typecast-
PowerShell type cast simplification transforms.
refinery.lib.scripts.ps1.deobfuscation.typenames-
.NET type member database for PowerShell deobfuscation …
refinery.lib.scripts.ps1.deobfuscation.wildcards-
Resolve wildcard-based obfuscation patterns in PowerShell scripts …
Functions
def deobfuscate(ast, max_steps=0)-
Apply all available deobfuscators to the input.
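def deobfuscate(ast: Ps1Script, max_steps: int = 0) -> int:
    """
    Apply all available deobfuscators to the input.

    The pipeline is run twice over the same AST: first with
    `Ps1NullVariableInlining` disabled, then with it enabled. The step
    counts reported by the two runs are summed and returned.

    Args:
        ast: The parsed PowerShell script. `run` only returns a step count,
            so the script is presumably transformed in place.
        max_steps: Forwarded unchanged to each `DeobfuscationPipeline.run`
            call. NOTE(review): both runs receive the same value, so if
            `run` caps its own step count at `max_steps` the returned total
            can reach twice that — confirm against the pipeline.

    Returns:
        The combined number of pipeline steps performed by both runs.
    """
    # `enabled` is a class attribute, i.e. process-global state shared by
    # every caller; concurrent calls to this function would interfere with
    # each other's setting of it.
    previous = Ps1NullVariableInlining.enabled
    try:
        # First pass without null-variable inlining ...
        Ps1NullVariableInlining.enabled = False
        steps = _pipeline.run(ast, max_steps=max_steps)
        # ... then a second pass with it switched on.
        Ps1NullVariableInlining.enabled = True
        steps += _pipeline.run(ast, max_steps=max_steps)
    finally:
        # Restore the flag even when a run raises, so a failure in one call
        # does not leave the transformer disabled for later callers.
        Ps1NullVariableInlining.enabled = previous
    return steps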