Exemplo n.º 1
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <String> stringList = new List <String>();

        foreach (CommandAst targetAst in ast.FindAll(testAst => testAst is CommandAst, true))
            // Extract the AST object value.
            // If InvocationOperator is "Unknown" then the cmdlet will be the first object in CommandElements.
            // (i.e. most likely a cmdlet like Invoke-Expression, Write-Output, etc.)
            // Otherwise it will be the name of the invocation operator.
            string cmdlet = null;
            if (targetAst.InvocationOperator.ToString() == "Unknown")
                cmdlet = targetAst.CommandElements[0].Extent.Text;
                // Convert InvocationOperator name to the operator value (using ? for UNKNOWN).
                switch (targetAst.InvocationOperator.ToString())
                case "Dot": cmdlet = "."; break;

                case "Ampersand": cmdlet = "&"; break;

                default: cmdlet = "?"; break;

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstCmdletMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Initialize Dictionary with common array counts initialized to 0.
        Dictionary <String, Double> astGroupedUnaryExpressionOperatorsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);

        astGroupedUnaryExpressionOperatorsDictionary["Exclaim"]           = 0;
        astGroupedUnaryExpressionOperatorsDictionary["Not"]               = 0;
        astGroupedUnaryExpressionOperatorsDictionary["Minus"]             = 0;
        astGroupedUnaryExpressionOperatorsDictionary["Plus"]              = 0;
        astGroupedUnaryExpressionOperatorsDictionary["Bnot"]              = 0;
        astGroupedUnaryExpressionOperatorsDictionary["PlusPlus"]          = 0;
        astGroupedUnaryExpressionOperatorsDictionary["MinusMinus"]        = 0;
        astGroupedUnaryExpressionOperatorsDictionary["PostfixPlusPlus"]   = 0;
        astGroupedUnaryExpressionOperatorsDictionary["PostfixMinusMinus"] = 0;
        astGroupedUnaryExpressionOperatorsDictionary["Join"]              = 0;
        astGroupedUnaryExpressionOperatorsDictionary["Isplit"]            = 0;
        astGroupedUnaryExpressionOperatorsDictionary["Csplit"]            = 0;
        astGroupedUnaryExpressionOperatorsDictionary["UNKNOWN"]           = 0;

        // Return all targeted AST objects by Count and Percent across the entire input AST object.
                   targetAst => {
            return ((UnaryExpressionAst)targetAst).TokenKind.ToString();
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <string> stringList = new List <string>();

        foreach (TypeConstraintAst targetAst in ast.FindAll(testAst => testAst is TypeConstraintAst, true))
            // Extract the AST object value.
            string targetName = targetAst.Extent.Text;

            // Trim off the single leading and trailing square brackets of the Convert Expression type value.
            // Avoid using Trim so that square brackets will remain in select situations (e.g. [Char[]] --> Char[]).
            if (targetName.Length > 2)
                stringList.Add(targetName.Substring(1, targetName.Length - 2));

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstTypeConstraintMetrics"));
Exemplo n.º 4
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <String> stringList = new List <String>();

        // Set entire script into a variable so we can perform regex (if necessary) to remove code signature block.
        string scriptContent = ast.Extent.Text;

        // Only perform regex removal of signature blocks if the signature block header and tail syntax exist.
        if (scriptContent.Contains("# SIG # Begin signature block") && scriptContent.Contains("# SIG # End signature block"))
            string pattern     = "(?s)# SIG # Begin signature block.*?# SIG # End signature block\\s*$";
            string replacement = "";
            Regex  regExp      = new Regex(pattern);
            scriptContent = regExp.Replace(scriptContent, replacement);

        // Add each line of the input script to stringList.
        foreach (String curLine in scriptContent.Split(new String[] { Environment.NewLine }, StringSplitOptions.None))

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "LineByLineMetrics"));
Exemplo n.º 5
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <String> stringList = new List <String>();

        // Create required variables for tokenization.
        Token[]      tokens      = new Token[] {};
        ParseError[] parseErrors = new ParseError[] {};

        // Tokenize the entire input script. We must tokenize (instead of AST) to retrieve function values with obfuscation (like ticks) intact.
        Parser.ParseInput(ast.Extent.Text, out tokens, out parseErrors);

        // Iterate each token returned from above tokenization.
        foreach (Token token in tokens)
            // If token is a function name then add to stringList.
            if ((token.Kind.ToString() == "Generic") && (token.TokenFlags.ToString() == "None"))

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstFunctionNameMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <String> stringList = new List <String>();

        foreach (StringConstantExpressionAst targetAst in ast.FindAll(testAst => testAst is StringConstantExpressionAst, true))
            if (targetAst.StringConstantType.ToString() != "BareWord")
                // Extract the AST object value.
                String targetName = targetAst.Extent.Text.Replace("\n", "");

                // Trim off the leading and trailing single- or double-quote for the current string.
                if (targetName.Length > 2)
                    stringList.Add(targetName.Substring(1, targetName.Length - 2));

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstStringMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Initialize Dictionary with common array count ranges initialized to 0.
        Dictionary <String, Double> astArrayElementCountsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);

        astArrayElementCountsDictionary["0-10"]    = 0;
        astArrayElementCountsDictionary["10-20"]   = 0;
        astArrayElementCountsDictionary["20-30"]   = 0;
        astArrayElementCountsDictionary["30-40"]   = 0;
        astArrayElementCountsDictionary["40-50"]   = 0;
        astArrayElementCountsDictionary["50-60"]   = 0;
        astArrayElementCountsDictionary["60-70"]   = 0;
        astArrayElementCountsDictionary["70-80"]   = 0;
        astArrayElementCountsDictionary["80-90"]   = 0;
        astArrayElementCountsDictionary["90-100"]  = 0;
        astArrayElementCountsDictionary["UNKNOWN"] = 0;

        // Return all targeted AST objects by Count Ranges and Percent across the entire input AST object.
                   targetAst => {
            return (((int)((((ArrayLiteralAst)targetAst).Elements.Count / 10) * 10)).ToString() + "-" + (((int)((((ArrayLiteralAst)targetAst).Elements.Count / 10) * 10) + 10)).ToString());
Exemplo n.º 8
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <string> stringList = new List <string>();

        foreach (MemberExpressionAst targetAst in ast.FindAll(testAst => testAst is MemberExpressionAst, true))
            // Extract the AST object value.

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstMemberMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <String> stringList = new List <String>();

        foreach (CommandAst targetAst in ast.FindAll(testAst => testAst is CommandAst, true))
            // Extract the AST object value.
            if (targetAst.InvocationOperator.ToString() != "Unknown")

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstInvocationOperatorInvokedObjectMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Initialize Dictionary with common array counts initialized to 0.
        Dictionary <String, Double> astGroupedAssignmentStatementsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);

        astGroupedAssignmentStatementsDictionary["Equals"]          = 0;
        astGroupedAssignmentStatementsDictionary["PlusEquals"]      = 0;
        astGroupedAssignmentStatementsDictionary["MinusEquals"]     = 0;
        astGroupedAssignmentStatementsDictionary["MultiplyEquals"]  = 0;
        astGroupedAssignmentStatementsDictionary["DivideEquals"]    = 0;
        astGroupedAssignmentStatementsDictionary["RemainderEquals"] = 0;
        astGroupedAssignmentStatementsDictionary["UNKNOWN"]         = 0;

        // Return all targeted AST objects by Count and Percent across the entire input AST object.
        return(RevokeObfuscationHelpers.AstValueGrouper(ast, typeof(AssignmentStatementAst), astGroupedAssignmentStatementsDictionary, "AstGroupedAssignmentStatements",
                                                        targetAst => { return ((AssignmentStatementAst)targetAst).Operator.ToString(); }));
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <string> stringList = new List <string>();

        foreach (ConstantExpressionAst targetAst in ast.FindAll(testAst => testAst is ConstantExpressionAst, true))
            // Extract the AST object value.
            // If StaticType name starts with "Int" or "Double" then extract the value for metrics.
            // We use .Extent.Text for value since it preserves non-numerical representations (e.g., 0x001F0FFF --> 2035711, 0x52 --> 82).
            if ((targetAst.StaticType.Name.Substring(0, 3) == "Int") || (targetAst.StaticType.Name.Substring(0, 6) == "Double"))

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstIntegerAndDoubleMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <String> stringList = new List <String>();

        foreach (Ast targetAst in ast.FindAll(testAst => testAst is VariableExpressionAst, true))
            // Extract the AST object value.
            String targetName = targetAst.Extent.Text;

            // Trim off the single leading "$" in the variable name.
            if (targetName.Length > 0)
                stringList.Add(targetName.Substring(1, targetName.Length - 1));

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstVariableNameMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Build string list of all AST object values that will be later sent to StringMetricCalculator.
        List <String> stringList = new List <String>();

        // Set entire script into a variable so we can perform regex (if necessary) to remove code signature block.
        string scriptContent = ast.Extent.Text;

        // Only perform regex removal of signature blocks if the signature block header and tail syntax exist.
        if (scriptContent.Contains("# SIG # Begin signature block") && scriptContent.Contains("# SIG # End signature block"))
            string pattern     = "(?s)# SIG # Begin signature block.*?# SIG # End signature block\\s*$";
            string replacement = "";
            Regex  regExp      = new Regex(pattern);
            scriptContent = regExp.Replace(scriptContent, replacement);

        // Create required variables for tokenization.
        Token[]      tokens      = new Token[] {};
        ParseError[] parseErrors = new ParseError[] {};

        // Tokenize the entire input script. We must tokenize (instead of AST) to retrieve comment tokens.
        Parser.ParseInput(scriptContent, out tokens, out parseErrors);

        // Iterate each token returned from above tokenization.
        foreach (Token token in tokens)
            // If token is a comment then add to stringList.
            if (token.Kind.ToString() == "Comment")

        // Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
        return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstCommentMetrics"));
    public static IDictionary AnalyzeAst(Ast ast)
        // Initialize Dictionary with common array counts initialized to 0.
        Dictionary <String, Double> astGroupedBinaryExpressionOperatorsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);

        astGroupedBinaryExpressionOperatorsDictionary["And"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Or"]           = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Is"]           = 0;
        astGroupedBinaryExpressionOperatorsDictionary["IsNot"]        = 0;
        astGroupedBinaryExpressionOperatorsDictionary["As"]           = 0;
        astGroupedBinaryExpressionOperatorsDictionary["DotDot"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Multiply"]     = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Divide"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Rem"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Plus"]         = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Minus"]        = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Format"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Xor"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Shl"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Shr"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Band"]         = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Bor"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Bxor"]         = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Join"]         = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ieq"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ine"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ige"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Igt"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ilt"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ile"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ilike"]        = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Inotlike"]     = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Imatch"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Inotmatch"]    = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ireplace"]     = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Icontains"]    = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Inotcontains"] = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Iin"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Inotin"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Isplit"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ceq"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cne"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cge"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cgt"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Clt"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cle"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Clike"]        = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cnotlike"]     = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cmatch"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cnotmatch"]    = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Creplace"]     = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Ccontains"]    = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cnotcontains"] = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cin"]          = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Cnotin"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["Csplit"]       = 0;
        astGroupedBinaryExpressionOperatorsDictionary["UNKNOWN"]      = 0;

        // Return all targeted AST objects by Count and Percent across the entire input AST object.
                   targetAst => {
            return ((BinaryExpressionAst)targetAst).Operator.ToString();
Exemplo n.º 15
    //public static List<KeyValuePair<String, Double>> AnalyzeAst(Ast ast)
    public static IDictionary AnalyzeAst(Ast ast)
        // Initialize Dictionary with all known AST object types initialized to 0.
        Dictionary <String, Double> astTypeDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);

        astTypeDictionary["Ast"] = 0;
        astTypeDictionary["SequencePointAst"]          = 0;
        astTypeDictionary["ErrorStatementAst"]         = 0;
        astTypeDictionary["ErrorExpressionAst"]        = 0;
        astTypeDictionary["ScriptBlockAst"]            = 0;
        astTypeDictionary["ParamBlockAst"]             = 0;
        astTypeDictionary["NamedBlockAst"]             = 0;
        astTypeDictionary["NamedAttributeArgumentAst"] = 0;
        astTypeDictionary["AttributeBaseAst"]          = 0;
        astTypeDictionary["AttributeAst"]      = 0;
        astTypeDictionary["TypeConstraintAst"] = 0;
        astTypeDictionary["ParameterAst"]      = 0;
        astTypeDictionary["StatementBlockAst"] = 0;
        astTypeDictionary["StatementAst"]      = 0;
        astTypeDictionary["TypeDefinitionAst"] = 0;
        astTypeDictionary["UsingStatementAst"] = 0;
        astTypeDictionary["MemberAst"]         = 0;
        astTypeDictionary["PropertyMemberAst"] = 0;
        astTypeDictionary["FunctionMemberAst"] = 0;
        astTypeDictionary["CompilerGeneratedMemberFunctionAst"] = 0;
        astTypeDictionary["FunctionDefinitionAst"]             = 0;
        astTypeDictionary["IfStatementAst"]                    = 0;
        astTypeDictionary["DataStatementAst"]                  = 0;
        astTypeDictionary["LabeledStatementAst"]               = 0;
        astTypeDictionary["LoopStatementAst"]                  = 0;
        astTypeDictionary["ForEachStatementAst"]               = 0;
        astTypeDictionary["ForStatementAst"]                   = 0;
        astTypeDictionary["DoWhileStatementAst"]               = 0;
        astTypeDictionary["DoUntilStatementAst"]               = 0;
        astTypeDictionary["WhileStatementAst"]                 = 0;
        astTypeDictionary["SwitchStatementAst"]                = 0;
        astTypeDictionary["CatchClauseAst"]                    = 0;
        astTypeDictionary["TryStatementAst"]                   = 0;
        astTypeDictionary["TrapStatementAst"]                  = 0;
        astTypeDictionary["BreakStatementAst"]                 = 0;
        astTypeDictionary["ContinueStatementAst"]              = 0;
        astTypeDictionary["ReturnStatementAst"]                = 0;
        astTypeDictionary["ExitStatementAst"]                  = 0;
        astTypeDictionary["ThrowStatementAst"]                 = 0;
        astTypeDictionary["PipelineBaseAst"]                   = 0;
        astTypeDictionary["PipelineAst"]                       = 0;
        astTypeDictionary["CommandElementAst"]                 = 0;
        astTypeDictionary["CommandParameterAst"]               = 0;
        astTypeDictionary["CommandBaseAst"]                    = 0;
        astTypeDictionary["CommandAst"]                        = 0;
        astTypeDictionary["CommandExpressionAst"]              = 0;
        astTypeDictionary["RedirectionAst"]                    = 0;
        astTypeDictionary["MergingRedirectionAst"]             = 0;
        astTypeDictionary["FileRedirectionAst"]                = 0;
        astTypeDictionary["AssignmentStatementAst"]            = 0;
        astTypeDictionary["ConfigurationDefinitionAst"]        = 0;
        astTypeDictionary["DynamicKeywordStatementAst"]        = 0;
        astTypeDictionary["ExpressionAst"]                     = 0;
        astTypeDictionary["BinaryExpressionAst"]               = 0;
        astTypeDictionary["UnaryExpressionAst"]                = 0;
        astTypeDictionary["BlockStatementAst"]                 = 0;
        astTypeDictionary["AttributedExpressionAst"]           = 0;
        astTypeDictionary["ConvertExpressionAst"]              = 0;
        astTypeDictionary["MemberExpressionAst"]               = 0;
        astTypeDictionary["InvokeMemberExpressionAst"]         = 0;
        astTypeDictionary["BaseCtorInvokeMemberExpressionAst"] = 0;
        astTypeDictionary["TypeExpressionAst"]                 = 0;
        astTypeDictionary["VariableExpressionAst"]             = 0;
        astTypeDictionary["ConstantExpressionAst"]             = 0;
        astTypeDictionary["StringConstantExpressionAst"]       = 0;
        astTypeDictionary["ExpandableStringExpressionAst"]     = 0;
        astTypeDictionary["ScriptBlockExpressionAst"]          = 0;
        astTypeDictionary["ArrayLiteralAst"]                   = 0;
        astTypeDictionary["HashtableAst"]                      = 0;
        astTypeDictionary["ArrayExpressionAst"]                = 0;
        astTypeDictionary["ParenExpressionAst"]                = 0;
        astTypeDictionary["SubExpressionAst"]                  = 0;
        astTypeDictionary["UsingExpressionAst"]                = 0;
        astTypeDictionary["IndexExpressionAst"]                = 0;
        astTypeDictionary["AssignmentTarget"]                  = 0;
        astTypeDictionary["UNKNOWN"] = 0;

        // Return all targeted AST objects by Count and Percent across the entire input AST object.
        return(RevokeObfuscationHelpers.AstValueGrouper(ast, typeof(Ast), astTypeDictionary, "AstGroupedAstTypes",
                                                        targetAst => { return ((Ast)targetAst).GetType().FullName.Replace("System.Management.Automation.Language.", "").Replace("System.", ""); }));