Exemplo n.º 1
0
        static void Deobfuscation()
        {
            string sampleScript = "";

            string scriptPath = "Data\\sample_1.ps1";
            string modelPath  = "Data\\ObfuscationClassifierModel.zip";

            FileInfo file = new FileInfo(scriptPath);

            try
            {
                FileStream fs       = new FileStream(scriptPath, FileMode.Open, FileAccess.Read);
                TextReader scriptIn = new StreamReader(fs);
                sampleScript = scriptIn.ReadToEnd();
            }
            catch
            {
                return;
            }

            AstTree tree = new AstTree(sampleScript);

            tree.InitPipeSubTree();

            TraverseSubTree traverser = new TraverseSubTree(modelPath);

            traverser.TraverseCheckPipeSubtree(tree);
            Console.Out.WriteLine(tree.root.updatedCommand);
        }
Exemplo n.º 2
0
        public int TraverseCheckPipeSubtree(AstTree tree)
        {
            int obfuscatedOrNot = 0;

            Queue <AstNode> pipeQueue = new Queue <AstNode>();
            AstTree         subtree;
            AstNode         parent;

            foreach (AstNode node in tree.nodeList)
            {
                if (node.type == AstNode.NodeType.pipeNode)
                {
                    pipeQueue.Enqueue(node);
                }
            }

            AstNode top;

            while (pipeQueue.Count != 0)
            {
                top = pipeQueue.Dequeue();
                int subtreePipeCount = -1;

                if (top.pipeNodeCount != 0)
                {
                    pipeQueue.Enqueue(top);
                }
                else
                {
                    if (c.testWithModel(AstTree.Tree2Feature(top)) == Classifier.ClassifierResult.unobfuscated)
                    {
                        top.type = AstNode.NodeType.cleanPipeNode;
                        string feature = new Script2Vector(top.command).ToAStString();
                        Console.Out.WriteLine(feature);
                        if (top.updatedCommand.Length == 0)
                        {
                            top.updatedCommand = top.command;
                        }
                    }
                    else
                    {
                        try
                        {
                            string tempCommand = "";
                            tempCommand = psIns.addScript(top.command);
                            if (tempCommand.Length == 0)
                            {
                                top.type = AstNode.NodeType.cleanPipeNode;
                                goto a;
                            }
                            else
                            {
                                tempCommand        = CheckParents(tempCommand, top);
                                top.updatedCommand = tempCommand;
                            }
                        }
                        catch
                        {
                            top.type = AstNode.NodeType.cleanPipeNode;
                            goto a;
                        }
                        obfuscatedOrNot = 1;

                        subtree = new AstTree(top.updatedCommand, AstNode.NodeType.replaceNode);
                        subtree.InitPipeSubTree();

                        tree.ReplaceSubTree(top.parent, top, subtree);

                        Queue <AstNode> newQueue = AstTree.FindAllPipeNodeInSubTree(subtree.root);
                        AstNode         node;
                        while (newQueue.Count != 0)
                        {
                            node = newQueue.Dequeue();
                        }

                        a :;
                    }

                    parent = top.parent;
                    while (!(parent.parent == null || parent.type == AstNode.NodeType.pipeNode))
                    {
                        parent = parent.parent;
                    }
                    parent.UpdateCommand(top.command, top.updatedCommand);
                    experimentOut.WriteLine(String.Format("{0}`{2}`{1}", AstNode.GetShapedScript(top.command), AstNode.GetShapedScript(top.updatedCommand), top.command != top.updatedCommand));

                    parent = top.parent;
                    while (parent.parent != null)
                    {
                        parent.pipeNodeCount += subtreePipeCount;

                        if (parent.pipeNodeCount == 0)
                        {
                            tree.Shrink(parent);
                        }

                        parent = parent.parent;
                    }
                }
            }
            return(obfuscatedOrNot);
        }