/// <summary>
/// Collects every PipelineAst node of <paramref name="tree"/> with a breadth-first walk,
/// then classifies them in reverse discovery order (last found, first processed) and
/// records one <see cref="DeobfuscationResult"/> per pipeline node.
/// </summary>
/// <param name="tree">
/// Tree to analyse. It is modified in place for every pipeline node that the classifier
/// does not report as <c>unobfuscated</c>.
/// </param>
/// <returns>One entry per pipeline node, in processing order.</returns>
public List<DeobfuscationResult> ReverseTraverseCheckSubtreeWithExperimentalOutput(AstTree tree)
{
    const string pipelineTypeName = "System.Management.Automation.Language.PipelineAst";

    // Pass 1: breadth-first walk from the root. Pipeline nodes go onto a stack so that
    // pass 2 sees them in the reverse of the order in which they were discovered.
    AstNode start = tree.root;
    Queue<AstNode> pending = new Queue<AstNode>();
    pending.Enqueue(start);
    Stack<AstNode> pipelines = new Stack<AstNode>();

    while (pending.Count != 0)
    {
        AstNode current = pending.Dequeue();
        string typeName = current.ast.GetType().ToString();
        if (string.Equals(typeName, pipelineTypeName, StringComparison.Ordinal))
        {
            pipelines.Push(current);
        }

        foreach (AstNode child in current.childList)
        {
            pending.Enqueue(child);
        }
    }

    // Pass 2: classify each pipeline and, when flagged, splice the recovered text back in.
    InstancePF psIns = new InstancePF();
    List<DeobfuscationResult> results = new List<DeobfuscationResult>();

    while (pipelines.Count != 0)
    {
        AstNode pipeline = pipelines.Pop();
        Classifier.ClassifierResult verdict = c.testWithModel(AstTree.Tree2Feature(pipeline));

        string fragment = pipeline.ast.Extent.Text;
        DeobfuscationResult entry = new DeobfuscationResult();
        entry.originalScript = AstNode.GetShapedScript(fragment);

        if (verdict == Classifier.ClassifierResult.unobfuscated)
        {
            Console.Out.WriteLine(String.Format("Script:{0}, result:{1}", fragment, verdict));
        }
        else
        {
            // NOTE(review): the fragment is text taken from the script under analysis and is
            // handed to InstancePF.addScript. Presumably that evaluates it in a PowerShell
            // instance to recover the plain form - confirm, and confirm that the instance is
            // isolated from the analyst's host, since the input is untrusted.
            string recovered = psIns.addScript(fragment);
            Console.Out.WriteLine(String.Format("Script:{0}, result:{1}, Deobfuscation:{2}", fragment, verdict, recovered));

            entry.obfuscated = 1;
            entry.deobfuscatedScript = AstNode.GetShapedScript(recovered);

            // The first child is dropped only when something was recovered.
            // NOTE(review): assumes recovered is non-null and childList is non-empty; either
            // would throw here - confirm against InstancePF and the tree builder.
            if (recovered.Length != 0)
            {
                tree.RemoveSubTree(pipeline, pipeline.childList[0]);
            }

            // AddSubTree runs even when nothing was recovered (empty string).
            tree.AddSubTree(pipeline, recovered);
        }

        results.Add(entry);
    }

    return results;
}
/// <summary>
/// Collects every PipelineAst node of <paramref name="tree"/> with a breadth-first walk,
/// then classifies them in reverse discovery order. Each verdict is written to the console;
/// for any pipeline not reported as <c>unobfuscated</c>, the text returned by
/// <c>psIns.addScript</c> is attached to the node via <c>AddSubTree</c>.
/// </summary>
/// <param name="tree">Tree to analyse; modified in place for flagged pipeline nodes.</param>
public void ReverseTraverseCheckSubtree(AstTree tree)
{
    const string pipelineTypeName = "System.Management.Automation.Language.PipelineAst";

    // Pass 1: breadth-first walk; the stack reverses the discovery order for pass 2.
    AstNode start = tree.root;
    Queue<AstNode> pending = new Queue<AstNode>();
    pending.Enqueue(start);
    Stack<AstNode> pipelines = new Stack<AstNode>();

    while (pending.Count != 0)
    {
        AstNode current = pending.Dequeue();
        string typeName = current.ast.GetType().ToString();
        if (string.Equals(typeName, pipelineTypeName, StringComparison.Ordinal))
        {
            pipelines.Push(current);
        }

        foreach (AstNode child in current.childList)
        {
            pending.Enqueue(child);
        }
    }

    // Pass 2: `c` and `psIns` are members declared outside this method.
    while (pipelines.Count != 0)
    {
        AstNode pipeline = pipelines.Pop();
        Classifier.ClassifierResult verdict = c.testWithModel(AstTree.Tree2Feature(pipeline));
        string fragment = pipeline.ast.Extent.Text;

        if (verdict == Classifier.ClassifierResult.unobfuscated)
        {
            Console.Out.WriteLine(String.Format("Script:{0}, result:{1}", fragment, verdict));
            continue;
        }

        // What to do with the obfuscated sub-tree.
        // NOTE(review): the fragment comes from the script under analysis; presumably
        // addScript evaluates it to recover the plain form - confirm that this happens in an
        // isolated PowerShell instance, since the input is untrusted.
        string recovered = psIns.addScript(fragment);
        Console.Out.WriteLine(String.Format("Script:{0}, result:{1}, Deobfuscation:{2}", fragment, verdict, recovered));

        // No RemoveSubTree call here: the existing children are left in place and the
        // recovered text is added alongside them.
        tree.AddSubTree(pipeline, recovered);
    }
}
/// <summary>
/// Walks the subtree rooted at <paramref name="node"/> breadth-first and, for every node
/// whose AST type is PipelineAst, prints the pipeline text together with the classifier
/// verdict. The tree is only read by this method.
/// </summary>
/// <param name="node">Root of the subtree to inspect.</param>
public void TraverseCheckSubtree(AstNode node)
{
    const string pipelineTypeName = "System.Management.Automation.Language.PipelineAst";

    Queue<AstNode> pending = new Queue<AstNode>();
    pending.Enqueue(node);

    while (pending.Count != 0)
    {
        AstNode current = pending.Dequeue();
        string typeName = current.ast.GetType().ToString();

        if (string.Equals(typeName, pipelineTypeName, StringComparison.Ordinal))
        {
            // `c` is the classifier member declared outside this method.
            AstData features = AstTree.Tree2Feature(current);
            Classifier.ClassifierResult verdict = c.testWithModel(features);

            // NOTE(review): the script text is echoed verbatim; if this output is consumed
            // by a log pipeline, embedded newlines can split a record - confirm the consumer.
            Console.Out.WriteLine(String.Format("Script:{0}, result:{1}", current.ast.Extent.Text, verdict.ToString()));
        }

        // Children are queued for every node, pipeline or not.
        foreach (AstNode child in current.childList)
        {
            pending.Enqueue(child);
        }
    }
}