Author: Tim Peck (bobby_tablez)

  • VBScrambler – A Python-Based VBScript Code Obfuscator

    VBScrambler – A Python-Based VBScript Code Obfuscator

    VBScrambler is a Python based VBScript code obfuscator which essentially takes VBScript as a form of input, either file or inline code, and provides an obfuscated VBScript one liner as output. The obfuscation works by taking the original VBScript, performing…

  • Playing With Process Handles

    Playing With Process Handles

    Process handle overview Let’s talk Handles! A process handle is simply an identifier handled by the system which allows Windows processes to reference and manipulate other processes within the OS environment. It’s essentially a pointer or an access token granted…

  • Bypass AMSI Using Combined Unicode Characters

    Bypass AMSI Using Combined Unicode Characters

    Y̸͎͊ȍ̴̟̺ȗ̸̬r̵̺̔̑ ̶̰͠n̵̺̅͋ȩ̵̢̈́͝ẘ̵̨ ̶̙͓̅̆f̵̮́̚ą̶̼̈́v̴̟̈́̏o̷̢̗̾̆r̴͕̅i̵̩̭͌t̵̞̫͛e̴̙͛́ ̸͍̭͛À̷̧̰̈́M̸̱͙̒̈́S̵͓̓I̵̗̥̿ ̷̝͗ḅ̵͔͋y̵̖̗̋p̴̧̫͆ä̵͓̫́̒s̵̬͊̀s̶̪̉̌.̸̮͂̆͜.̸̬̎͑͜.̷͖̯̕ Okay, this is a strange one. For those of you who are unaware, there are certain Unicode characters that exist that when combined with another similar class of character, they will combine to form two…

  • Deobfuscating PowerShell Code Using Sublime Text

    Deobfuscating PowerShell Code Using Sublime Text

    When we think of malware analysis, especially when it comes to the analysis of malicious scripts, we generally don’t think of our noble text editors of anything but… well, text editors. While there are many ways of deobfuscating PowerShell and…

  • Windows Sandbox – Flare VM

    Windows Sandbox – Flare VM

    This config file will automatically convert a temporary Windows Sandbox environment into a Flare VM for malware analysis. Useful for standing up a “quick” flare-vm test environment on the fly. Additionally, enhanced logging telemetry is also enabled on the host.…

  • Reordered Format String Deobfuscator

    Reordered Format String Deobfuscator

    This script simply deobfuscates obfuscated PowerShell files or commands which leverage “Format String Reordering” in order to hide its original code. For more information on this obfuscation technique, see: https://www.securonix.com/blog/hiding-the-powershell-execution-flow/ The script has the ability to deobfuscate format strings in an…