Module refinery.units.obfuscation.ps1.cases
Expand source code Browse git
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
from refinery.units.obfuscation import Deobfuscator, outside
from refinery.lib.patterns import formats
class deob_ps1_cases(Deobfuscator):
_NAMES = [
'-BXor',
'-Exec Bypass',
'-NoLogo',
'-NonInter',
'-Replace',
'-Windows Hidden',
'.Invoke',
'Assembly',
'Byte',
'Char',
'ChildItem',
'CreateThread',
'Get-Variable',
'GetType',
'IntPtr',
'Invoke-Expression',
'Invoke',
'Length',
'Net.WebClient',
'PowerShell',
'PSVersionTable',
'Set-Item',
'Set-Variable',
'Start-Sleep',
'ToString',
'Type',
'Value',
'Void',
]
@outside(formats.ps1str)
def deobfuscate(self, data):
for name in self._NAMES:
data = re.sub(RF'\b{re.escape(name)}\b', name, data, flags=re.IGNORECASE)
return dataClasses
class deob_ps1_cases-
Expand source code Browse git
class deob_ps1_cases(Deobfuscator): _NAMES = [ '-BXor', '-Exec Bypass', '-NoLogo', '-NonInter', '-Replace', '-Windows Hidden', '.Invoke', 'Assembly', 'Byte', 'Char', 'ChildItem', 'CreateThread', 'Get-Variable', 'GetType', 'IntPtr', 'Invoke-Expression', 'Invoke', 'Length', 'Net.WebClient', 'PowerShell', 'PSVersionTable', 'Set-Item', 'Set-Variable', 'Start-Sleep', 'ToString', 'Type', 'Value', 'Void', ] @outside(formats.ps1str) def deobfuscate(self, data): for name in self._NAMES: data = re.sub(RF'\b{re.escape(name)}\b', name, data, flags=re.IGNORECASE) return dataAncestors
Class variables
var required_dependenciesvar optional_dependencies
Methods
def deobfuscate(self, data)-
Expand source code Browse git
def wrapper(self, data): with io.StringIO() as out: cursor = 0 for m in re.finditer(exclusion, data, re.DOTALL): out.write(method(self, data[cursor:m.start()])) out.write(m[0]) cursor = m.end() out.write(method(self, data[cursor:])) return out.getvalue()
Inherited members