Module `refinery.lib.scripts.vba.deobfuscation`

VBA AST deobfuscation transforms.

Expand source code Browse git

"""
VBA AST deobfuscation transforms.
"""
from __future__ import annotations

from refinery.lib.scripts.pipeline import DeobfuscationPipeline, TransformerGroup
from refinery.lib.scripts.vba.deobfuscation.constants import VbaConstantInlining
from refinery.lib.scripts.vba.deobfuscation.deadcode import (
    VbaDeadVariableRemoval,
    VbaEmptyProcedureRemoval,
)
from refinery.lib.scripts.vba.deobfuscation.emulator import VbaFunctionEvaluator
from refinery.lib.scripts.vba.deobfuscation.simplify import VbaSimplifications
from refinery.lib.scripts.vba.model import VbaModule

_pipeline = DeobfuscationPipeline(
    groups=[
        TransformerGroup(
            'fold',
            VbaSimplifications,
            VbaConstantInlining,
            VbaDeadVariableRemoval,
            VbaEmptyProcedureRemoval,
        ),
        TransformerGroup(
            'evaluate',
            VbaFunctionEvaluator,
        ),
    ],
    dependencies={
        'evaluate': {'fold'},
    },
)


def deobfuscate(ast: VbaModule, max_steps: int = 0) -> int:
    """
    Apply all available deobfuscators to the input.
    """
    return _pipeline.run(ast, max_steps=max_steps)

Sub-modules

refinery.lib.scripts.vba.deobfuscation.builtins: VBA built-in numeric constants …
refinery.lib.scripts.vba.deobfuscation.constants: VBA constant inlining: substitutes single-assignment constant variables with their literal values.
refinery.lib.scripts.vba.deobfuscation.deadcode: VBA dead code removal: removes assignments to unread variables and empty uncalled procedures.
refinery.lib.scripts.vba.deobfuscation.emulator: Evaluate user-defined VBA functions called with constant arguments.
refinery.lib.scripts.vba.deobfuscation.helpers: Shared AST utilities for VBA deobfuscation transforms.
refinery.lib.scripts.vba.deobfuscation.names: VBA name constants, dispatch tables, and builtin evaluation functions used by multiple deobfuscation transforms.
refinery.lib.scripts.vba.deobfuscation.simplify: VBA expression simplification and constant folding transforms.

Functions

def deobfuscate(ast, max_steps=0)

Apply all available deobfuscators to the input.

Expand source code Browse git

def deobfuscate(ast: VbaModule, max_steps: int = 0) -> int:
    """
    Apply all available deobfuscators to the input.
    """
    return _pipeline.run(ast, max_steps=max_steps)