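#!/usr/bin/python
# Obfuscator.py
#
# Python 2 script (it uses print statements). Usage:
#     python obfuscator.py inFile.vbs outFile.vbs
#
# Reads a VBScript file and writes a wrapper script in which every character
# of the input is stored as a small arithmetic expression that evaluates to
# its character code. The wrapper splits the encoded string, evaluates each
# term, rebuilds the text with chr() and passes it to execute.
#
# Notes for reviewers and analysts, all derived from the code below:
#   * The encoding is arithmetic only. Each term is "<int>-<int>",
#     "<int>+<int>" or "<int>/<int>", so the original script can be recovered
#     statically by evaluating the terms; nothing is encrypted.
#   * Keywords and identifiers are case-randomised, but the keywords
#     themselves (Dim, Sub, Split, chr, eval, for each, next, execute) are
#     emitted unchanged, so case-insensitive matching still finds them.
#   * The encoded terms are written outside randCapitalization and are joined
#     by "*", giving one long quoted string of digits and - + / * characters.
#   * All random identifiers produced in one run share the same length
#     (NUM_OF_CHARS, 5 to 59 ASCII letters).
#   * The plaintext reaches the script engine through execute at run time,
#     which is where runtime script scanning (for example AMSI on Windows)
#     can observe it.
#   * expr() prints every character code to stdout, so the console output of
#     a run contains the full input in decodable form.

import random
import string
import sys

# We need 3 params: script name, input file, output file.
if len(sys.argv) != 3:
    print "Usage: python obfuscator.py inFile.vbs outFile.vbs"
    # Non-zero status so a caller can tell a usage error from success.
    sys.exit(1)

# Separator between encoded terms: "*" (chr 42). expr() never emits "*"
# (it only writes "-", "+" and "/"), so the separator cannot occur in a term.
splitter = str(chr(42))

# Alphabet for the random identifiers written into the output script.
_LETTERS = string.ascii_uppercase + string.ascii_lowercase


def randCapitalization(characters):
    """Return characters with each one upper- or lower-cased at random."""
    pieces = []
    for character in characters:
        # One randrange(0, 2) draw per character: 0 -> upper, 1 -> lower.
        if random.randrange(0, 2) == 0:
            pieces.append(character.upper())
        else:
            pieces.append(character.lower())
    return "".join(pieces)


def _randName(length):
    """Return a random identifier of `length` ASCII letters."""
    return ''.join(random.choice(_LETTERS) for _ in range(length))


# One length is drawn per run and shared by every generated identifier.
NUM_OF_CHARS = random.randrange(5, 60)

# Random variable names: encoded string, split array, decoded text, loop var.
pld = _randName(NUM_OF_CHARS)
array = _randName(NUM_OF_CHARS)
temp = _randName(NUM_OF_CHARS)
x = _randName(NUM_OF_CHARS)

# Random Sub names.
subOne = _randName(NUM_OF_CHARS)
subTwo = _randName(NUM_OF_CHARS)


def obfu(body):
    """Encode every character of body with expr() and join with splitter.

    Returns an empty string for an empty body.
    """
    return splitter.join(expr(ord(character)) for character in body)


def expr(char):
    """Return a string arithmetic expression that evaluates to char.

    char is an integer character code. An offset in [100, 10000] and one of
    three forms (subtraction, addition, division) are chosen at random. The
    mapping is also printed to stdout.
    """
    # Named `offset` rather than `range` so the builtin is not shadowed.
    offset = random.randrange(100, 10001)
    form = random.randrange(0, 3)

    if form == 0:
        term = str((offset+char)) + "-" + str(offset)
    elif form == 1:
        term = str((char-offset)) + "+" + str(offset)
    else:
        # The product is computed here, so the emitted term has no "*".
        term = str((char*offset)) + "/" + str(offset)

    print "Char " + str(char) + " -> " + term
    return term


# Open the source and destination files. The with-block closes both handles
# even if reading or encoding raises part-way through.
with open(sys.argv[1], "r") as clear_text_file, \
        open(sys.argv[2], "w") as obfuscated_file:
    # Write to destination file.
    obfuscated_file.write(randCapitalization("Dim " + pld + ", " + array + ", " + temp) + "\n")
    obfuscated_file.write(randCapitalization("Sub " + subOne) + "\n")
    # The encoded terms are appended as-is, inside double quotes (chr 34).
    obfuscated_file.write(randCapitalization(pld + " = ") + chr(34) + obfu(clear_text_file.read()) + chr(34) + "\n")
    # The Split delimiter is itself written as an encoded term for "*".
    obfuscated_file.write(randCapitalization(array + " = Split(" + pld + ", chr(eval(") + obfu(splitter) + ")))\n")
    obfuscated_file.write(randCapitalization("for each " + x + " in " + array) + "\n")
    obfuscated_file.write(randCapitalization(temp + " = " + temp + " & chr(eval(" + x) + "))\n")
    obfuscated_file.write(randCapitalization("next") + "\n")
    obfuscated_file.write(randCapitalization(subTwo) + "\n")
    obfuscated_file.write(randCapitalization("End Sub") + "\n")
    obfuscated_file.write(randCapitalization("Sub " + subTwo) + "\n")
    # NOTE(review): the README samples show a bare execute(<temp>) with no Sub
    # wrappers; this version emits eval(execute(<temp>)) inside a second Sub.
    obfuscated_file.write(randCapitalization("eval(execute(" + temp) + "))\n")
    obfuscated_file.write(randCapitalization("End Sub") + "\n")
    obfuscated_file.write(randCapitalization(subOne) + "\n")

print "Done!"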
88 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | VBS-Obfuscator-in-Python 2 | ======================== 3 | 4 | VBScript obfuscation to allow PenTesters to bypass countermeasures. 5 | 6 | 7 | Sample Script Output 8 | ======================== 9 | ``` 10 | C:\tools>python obfuscator.py test.vbs out.vbs 11 | Char 109 -> 5505-5396 12 | Char 115 -> 1113775/9685 13 | Char 103 -> 540853/5251 14 | Char 98 -> -2629+2727 15 | Char 111 -> 291-180 16 | Char 120 -> 826320/6886 17 | Char 32 -> 118016/3688 18 | Char 34 -> -2379+2413 19 | Char 72 -> 2401-2329 20 | Char 101 -> -1347+1448 21 | Char 108 -> 759780/7035 22 | Char 108 -> 5391-5283 23 | Char 111 -> 743700/6700 24 | Char 32 -> 7654-7622 25 | Char 87 -> 636927/7321 26 | Char 111 -> -46+157 27 | Char 114 -> 7591-7477 28 | Char 108 -> -9028+9136 29 | Char 100 -> 285800/2858 30 | Char 33 -> 5241-5208 31 | Char 34 -> 7209-7175 32 | Char 44 -> 234080/5320 33 | Char 32 -> 104352/3261 34 | Char 118 -> -3369+3487 35 | Char 98 -> -7575+7673 36 | Char 79 -> -9140+9219 37 | Char 107 -> 4317-4210 38 | Char 79 -> -5433+5512 39 | Char 110 -> -1294+1404 40 | Char 108 -> 6672-6564 41 | Char 121 -> 1109-988 42 | Char 32 -> 166080/5190 43 | Char 43 -> 95675/2225 44 | Char 32 -> 3156-3124 45 | Char 118 -> -9572+9690 46 | Char 98 -> -3093+3191 47 | Char 73 -> 53947/739 48 | Char 110 -> -2239+2349 49 | Char 102 -> 554982/5441 50 | Char 111 -> 4953-4842 51 | Char 114 -> 907440/7960 52 | Char 109 -> 3406-3297 53 | Char 97 -> 3570-3473 54 | Char 116 -> 3624-3508 55 | Char 105 -> 137130/1306 56 | Char 111 -> 632-521 57 | Char 110 -> 8712-8602 58 | Char 44 -> 94468/2147 59 | Char 32 -> 14176/443 60 | Char 34 -> 884/26 61 | Char 84 -> -9768+9852 62 | Char 104 -> -5195+5299 63 | Char 105 -> 706335/6727 64 | Char 115 -> 6469-6354 65 | Char 32 -> 250304/7822 66 | Char 105 -> -9605+9710 67 | Char 115 -> 771190/6706 68 | Char 
32 -> -1319+1351 69 | Char 97 -> 674053/6949 70 | Char 32 -> -6907+6939 71 | Char 109 -> 3365-3256 72 | Char 101 -> 170791/1691 73 | Char 115 -> 17020/148 74 | Char 115 -> 3217-3102 75 | Char 97 -> -6948+7045 76 | Char 103 -> -9545+9648 77 | Char 101 -> 9670-9569 78 | Char 98 -> 926002/9449 79 | Char 111 -> 130869/1179 80 | Char 120 -> 255600/2130 81 | Char 34 -> -1384+1418 82 | Char 42 -> 1784-1742 83 | Done! 84 | ``` 85 | 86 | Results (comparison) 87 | ======================== 88 | 89 | First output 90 | ``` 91 | Dim SzVeVmXkoEZx, LALrsGQYjZtj, kLTOaGJfsmSG 92 | SzVeVmXkoEZx = "6974-6865*602140/5236*45732/444*-8743+8841*8842-8731*5179-5059*-4646+4678*892-858*5573-5501*129-28*9855-9747*-6681+6789*-9095+9206*257184/8037*311721/3583*-7211+7322*741684/6506*-5620+5728*241300/2413*198-165*-9925+9959*6380-6336*5552-5520*-9222+9340*569-471*-6484+6563*6988-6881*128533/1627*-5150+5260*4828-4720*5616-5495*6062-6030*5407-5364*313728/9804*-9272+9390*-767+865*3735-3662*-2705+2815*-4151+4253*73704/664*-9531+9645*-7310+7419*-1882+1979*3171-3055*9554-9449*2676-2565*-1012+1122*107448/2442*4055-4023*-6753+6787*2058-1974*-5464+5568*428610/4082*2479-2364*-3013+3045*-9195+9300*128225/1115*56448/1764*-6899+6996*161760/5055*253752/2328*756288/7488*-4081+4196*29900/260*-3164+3261*-6830+6933*-6580+6681*-8764+8862*861360/7760*330840/2757*-2407+2441" 93 | LALrsGQYjZtj = Split(SzVeVmXkoEZx, chr(eval(261366/6223))) 94 | for each SKhxsIKQEybA in LALrsGQYjZtj 95 | kLTOaGJfsmSG = kLTOaGJfsmSG & chr(eval(SKhxsIKQEybA)) 96 | next 97 | execute(kLTOaGJfsmSG) 98 | ``` 99 | 100 | Second output 101 | ``` 102 | Dim wEQHvB, vsSBaV, pwgtko 103 | wEQHvB = 
"-1912+2021*168-53*938948/9116*5796-5698*666666/6006*938-818*-4889+4921*-9635+9669*302112/4196*-9587+9688*-4950+5058*1012608/9376*-6763+6874*235232/7351*-8833+8920*412920/3720*1007190/8835*594432/5504*-5605+5705*1113-1080*9516-9482*347644/7901*181536/5673*198712/1684*615734/6283*779-700*6051-5944*-2574+2653*172370/1567*2086-1978*681472/5632*4765-4733*-2746+2789*54880/1715*2593-2475*733040/7480*-5259+5332*-7261+7371*103326/1013*-8585+8696*7371-7257*6640-6531*4564-4467*-6527+6643*62265/593*-1349+1460*2314-2204*-5438+5482*-5860+5892*4779-4745*1086-1002*-265+369*1276-1171*2588-2473*-2914+2946*101850/970*698050/6070*181760/5680*3610-3513*236896/7403*5004-4895*4565-4464*720245/6263*812360/7064*3582-3485*36977/359*4691-4590*482944/4928*-773+884*546720/4556*5235-5201" 104 | vsSBaV = Split(wEQHvB, chr(eval(1039-997))) 105 | for each KxRKRt in vsSBaV 106 | pwgtko = pwgtko & chr(eval(KxRKRt)) 107 | next 108 | execute(pwgtko) 109 | ``` 110 | --------------------------------------------------------------------------------