PSAmsi cannot obfuscate Invoke-Mimikatz.ps1 (obfuscation fails)

Open magnusstubman opened this issue 6 years ago • 3 comments

The obfuscation functionality fails and this line is reached:

# If we've run through all the strings and the string is still flagged, obfuscation fails
If (($TokenIndex -ge ($MatchingTokens.Count-1))) { $DoneObfuscating = $True }

(https://github.com/cobbr/PSAmsi/blob/master/PSAmsiClient.ps1#L3177)

Oct 27 '18 19:10 magnusstubman

@magnusstubman @cobbr just tried on my machine and the script throws a stack overflow exception

Dec 31 '18 16:12 phra

I can look into the stack overflow if you have details @phra.

@magnusstubman It's always a possibility that automated obfuscation could fail depending upon signatures, which looks like it might be the case here. Automated obfuscation is nice, but the real value of PSAmsi is in identifying the signatures. I'd recommend using PSAmsi to identify signatures and try to obfuscate around those manually. If you do have ideas on how to better automate obfuscation, I'm certainly open to ideas. (Apologies for the very late response)

Jan 13 '19 01:01 cobbr

@cobbr No worries - no apologies needed for delays when it comes to OSS, I'm just happy people as skilled as yourself actually share their awesome projects with the rest of us :)

I'm afraid I don't have any good ideas, sorry.

I'm leaving this issue open, should someone else stumble upon the same issue.

Feb 19 '19 12:02 magnusstubman