public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <String> stringList = new List <String>();
foreach (CommandAst targetAst in ast.FindAll(testAst => testAst is CommandAst, true))
{
// Extract the AST object value.
// If InvocationOperator is "Unknown" then the cmdlet will be the first object in CommandElements.
// (i.e. most likely a cmdlet like Invoke-Expression, Write-Output, etc.)
// Otherwise it will be the name of the invocation operator.
string cmdlet = null;
if (targetAst.InvocationOperator.ToString() == "Unknown")
{
cmdlet = targetAst.CommandElements[0].Extent.Text;
}
else
{
// Convert InvocationOperator name to the operator value (using ? for UNKNOWN).
switch (targetAst.InvocationOperator.ToString())
{
case "Dot": cmdlet = "."; break;
case "Ampersand": cmdlet = "&"; break;
default: cmdlet = "?"; break;
}
}
stringList.Add(cmdlet);
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstCmdletMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Initialize Dictionary with common array counts initialized to 0.
Dictionary <String, Double> astGroupedUnaryExpressionOperatorsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);
astGroupedUnaryExpressionOperatorsDictionary["Exclaim"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["Not"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["Minus"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["Plus"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["Bnot"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["PlusPlus"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["MinusMinus"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["PostfixPlusPlus"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["PostfixMinusMinus"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["Join"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["Isplit"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["Csplit"] = 0;
astGroupedUnaryExpressionOperatorsDictionary["UNKNOWN"] = 0;
// Return all targeted AST objects by Count and Percent across the entire input AST object.
return(RevokeObfuscationHelpers.AstValueGrouper(
ast,
typeof(UnaryExpressionAst),
astGroupedUnaryExpressionOperatorsDictionary,
"AstGroupedUnaryExpressionOperators",
targetAst => {
return ((UnaryExpressionAst)targetAst).TokenKind.ToString();
}
));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <string> stringList = new List <string>();
foreach (TypeConstraintAst targetAst in ast.FindAll(testAst => testAst is TypeConstraintAst, true))
{
// Extract the AST object value.
string targetName = targetAst.Extent.Text;
// Trim off the single leading and trailing square brackets of the Convert Expression type value.
// Avoid using Trim so that square brackets will remain in select situations (e.g. [Char[]] --> Char[]).
if (targetName.Length > 2)
{
stringList.Add(targetName.Substring(1, targetName.Length - 2));
}
else
{
stringList.Add(targetName);
}
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstTypeConstraintMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <String> stringList = new List <String>();
// Set entire script into a variable so we can perform regex (if necessary) to remove code signature block.
string scriptContent = ast.Extent.Text;
// Only perform regex removal of signature blocks if the signature block header and tail syntax exist.
if (scriptContent.Contains("# SIG # Begin signature block") && scriptContent.Contains("# SIG # End signature block"))
{
string pattern = "(?s)# SIG # Begin signature block.*?# SIG # End signature block\\s*$";
string replacement = "";
Regex regExp = new Regex(pattern);
scriptContent = regExp.Replace(scriptContent, replacement);
}
// Add each line of the input script to stringList.
foreach (String curLine in scriptContent.Split(new String[] { Environment.NewLine }, StringSplitOptions.None))
{
stringList.Add(curLine);
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "LineByLineMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <String> stringList = new List <String>();
// Create required variables for tokenization.
Token[] tokens = new Token[] {};
ParseError[] parseErrors = new ParseError[] {};
// Tokenize the entire input script. We must tokenize (instead of AST) to retrieve function values with obfuscation (like ticks) intact.
Parser.ParseInput(ast.Extent.Text, out tokens, out parseErrors);
// Iterate each token returned from above tokenization.
foreach (Token token in tokens)
{
// If token is a function name then add to stringList.
if ((token.Kind.ToString() == "Generic") && (token.TokenFlags.ToString() == "None"))
{
stringList.Add(token.Text);
}
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstFunctionNameMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <String> stringList = new List <String>();
foreach (StringConstantExpressionAst targetAst in ast.FindAll(testAst => testAst is StringConstantExpressionAst, true))
{
if (targetAst.StringConstantType.ToString() != "BareWord")
{
// Extract the AST object value.
String targetName = targetAst.Extent.Text.Replace("\n", "");
// Trim off the leading and trailing single- or double-quote for the current string.
if (targetName.Length > 2)
{
stringList.Add(targetName.Substring(1, targetName.Length - 2));
}
else
{
stringList.Add(targetName);
}
}
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstStringMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Initialize Dictionary with common array count ranges initialized to 0.
Dictionary <String, Double> astArrayElementCountsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);
astArrayElementCountsDictionary["0-10"] = 0;
astArrayElementCountsDictionary["10-20"] = 0;
astArrayElementCountsDictionary["20-30"] = 0;
astArrayElementCountsDictionary["30-40"] = 0;
astArrayElementCountsDictionary["40-50"] = 0;
astArrayElementCountsDictionary["50-60"] = 0;
astArrayElementCountsDictionary["60-70"] = 0;
astArrayElementCountsDictionary["70-80"] = 0;
astArrayElementCountsDictionary["80-90"] = 0;
astArrayElementCountsDictionary["90-100"] = 0;
astArrayElementCountsDictionary["UNKNOWN"] = 0;
// Return all targeted AST objects by Count Ranges and Percent across the entire input AST object.
return(RevokeObfuscationHelpers.AstValueGrouper(
ast,
typeof(ArrayLiteralAst),
astArrayElementCountsDictionary,
"AstGroupedArrayElementRangeCounts",
targetAst => {
return (((int)((((ArrayLiteralAst)targetAst).Elements.Count / 10) * 10)).ToString() + "-" + (((int)((((ArrayLiteralAst)targetAst).Elements.Count / 10) * 10) + 10)).ToString());
}
));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <string> stringList = new List <string>();
foreach (MemberExpressionAst targetAst in ast.FindAll(testAst => testAst is MemberExpressionAst, true))
{
// Extract the AST object value.
stringList.Add(targetAst.Member.Extent.Text);
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstMemberMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <String> stringList = new List <String>();
foreach (CommandAst targetAst in ast.FindAll(testAst => testAst is CommandAst, true))
{
// Extract the AST object value.
if (targetAst.InvocationOperator.ToString() != "Unknown")
{
stringList.Add(targetAst.CommandElements[0].ToString());
}
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstInvocationOperatorInvokedObjectMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Initialize Dictionary with common array counts initialized to 0.
Dictionary <String, Double> astGroupedAssignmentStatementsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);
astGroupedAssignmentStatementsDictionary["Equals"] = 0;
astGroupedAssignmentStatementsDictionary["PlusEquals"] = 0;
astGroupedAssignmentStatementsDictionary["MinusEquals"] = 0;
astGroupedAssignmentStatementsDictionary["MultiplyEquals"] = 0;
astGroupedAssignmentStatementsDictionary["DivideEquals"] = 0;
astGroupedAssignmentStatementsDictionary["RemainderEquals"] = 0;
astGroupedAssignmentStatementsDictionary["UNKNOWN"] = 0;
// Return all targeted AST objects by Count and Percent across the entire input AST object.
return(RevokeObfuscationHelpers.AstValueGrouper(ast, typeof(AssignmentStatementAst), astGroupedAssignmentStatementsDictionary, "AstGroupedAssignmentStatements",
targetAst => { return ((AssignmentStatementAst)targetAst).Operator.ToString(); }));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <string> stringList = new List <string>();
foreach (ConstantExpressionAst targetAst in ast.FindAll(testAst => testAst is ConstantExpressionAst, true))
{
// Extract the AST object value.
// If StaticType name starts with "Int" or "Double" then extract the value for metrics.
// We use .Extent.Text for value since it preserves non-numerical representations (e.g., 0x001F0FFF --> 2035711, 0x52 --> 82).
if ((targetAst.StaticType.Name.Substring(0, 3) == "Int") || (targetAst.StaticType.Name.Substring(0, 6) == "Double"))
{
stringList.Add(targetAst.Extent.Text);
}
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstIntegerAndDoubleMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <String> stringList = new List <String>();
foreach (Ast targetAst in ast.FindAll(testAst => testAst is VariableExpressionAst, true))
{
// Extract the AST object value.
String targetName = targetAst.Extent.Text;
// Trim off the single leading "$" in the variable name.
if (targetName.Length > 0)
{
stringList.Add(targetName.Substring(1, targetName.Length - 1));
}
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstVariableNameMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Build string list of all AST object values that will be later sent to StringMetricCalculator.
List <String> stringList = new List <String>();
// Set entire script into a variable so we can perform regex (if necessary) to remove code signature block.
string scriptContent = ast.Extent.Text;
// Only perform regex removal of signature blocks if the signature block header and tail syntax exist.
if (scriptContent.Contains("# SIG # Begin signature block") && scriptContent.Contains("# SIG # End signature block"))
{
string pattern = "(?s)# SIG # Begin signature block.*?# SIG # End signature block\\s*$";
string replacement = "";
Regex regExp = new Regex(pattern);
scriptContent = regExp.Replace(scriptContent, replacement);
}
// Create required variables for tokenization.
Token[] tokens = new Token[] {};
ParseError[] parseErrors = new ParseError[] {};
// Tokenize the entire input script. We must tokenize (instead of AST) to retrieve comment tokens.
Parser.ParseInput(scriptContent, out tokens, out parseErrors);
// Iterate each token returned from above tokenization.
foreach (Token token in tokens)
{
// If token is a comment then add to stringList.
if (token.Kind.ToString() == "Comment")
{
stringList.Add(token.Text);
}
}
// Return character distribution and additional string metrics across all targeted AST objects across the entire input AST object.
return(RevokeObfuscationHelpers.StringMetricCalculator(stringList, "AstCommentMetrics"));
}
public static IDictionary AnalyzeAst(Ast ast)
{
// Initialize Dictionary with common array counts initialized to 0.
Dictionary <String, Double> astGroupedBinaryExpressionOperatorsDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);
astGroupedBinaryExpressionOperatorsDictionary["And"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Or"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Is"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["IsNot"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["As"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["DotDot"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Multiply"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Divide"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Rem"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Plus"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Minus"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Format"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Xor"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Shl"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Shr"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Band"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Bor"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Bxor"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Join"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ieq"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ine"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ige"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Igt"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ilt"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ile"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ilike"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Inotlike"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Imatch"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Inotmatch"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ireplace"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Icontains"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Inotcontains"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Iin"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Inotin"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Isplit"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ceq"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cne"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cge"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cgt"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Clt"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cle"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Clike"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cnotlike"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cmatch"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cnotmatch"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Creplace"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Ccontains"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cnotcontains"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cin"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Cnotin"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["Csplit"] = 0;
astGroupedBinaryExpressionOperatorsDictionary["UNKNOWN"] = 0;
// Return all targeted AST objects by Count and Percent across the entire input AST object.
return(RevokeObfuscationHelpers.AstValueGrouper(
ast,
typeof(BinaryExpressionAst),
astGroupedBinaryExpressionOperatorsDictionary,
"AstGroupedBinaryExpressionOperators",
targetAst => {
return ((BinaryExpressionAst)targetAst).Operator.ToString();
}
));
}
//public static List<KeyValuePair<String, Double>> AnalyzeAst(Ast ast)
public static IDictionary AnalyzeAst(Ast ast)
{
// Initialize Dictionary with all known AST object types initialized to 0.
Dictionary <String, Double> astTypeDictionary = new Dictionary <String, Double>(StringComparer.OrdinalIgnoreCase);
astTypeDictionary["Ast"] = 0;
astTypeDictionary["SequencePointAst"] = 0;
astTypeDictionary["ErrorStatementAst"] = 0;
astTypeDictionary["ErrorExpressionAst"] = 0;
astTypeDictionary["ScriptBlockAst"] = 0;
astTypeDictionary["ParamBlockAst"] = 0;
astTypeDictionary["NamedBlockAst"] = 0;
astTypeDictionary["NamedAttributeArgumentAst"] = 0;
astTypeDictionary["AttributeBaseAst"] = 0;
astTypeDictionary["AttributeAst"] = 0;
astTypeDictionary["TypeConstraintAst"] = 0;
astTypeDictionary["ParameterAst"] = 0;
astTypeDictionary["StatementBlockAst"] = 0;
astTypeDictionary["StatementAst"] = 0;
astTypeDictionary["TypeDefinitionAst"] = 0;
astTypeDictionary["UsingStatementAst"] = 0;
astTypeDictionary["MemberAst"] = 0;
astTypeDictionary["PropertyMemberAst"] = 0;
astTypeDictionary["FunctionMemberAst"] = 0;
astTypeDictionary["CompilerGeneratedMemberFunctionAst"] = 0;
astTypeDictionary["FunctionDefinitionAst"] = 0;
astTypeDictionary["IfStatementAst"] = 0;
astTypeDictionary["DataStatementAst"] = 0;
astTypeDictionary["LabeledStatementAst"] = 0;
astTypeDictionary["LoopStatementAst"] = 0;
astTypeDictionary["ForEachStatementAst"] = 0;
astTypeDictionary["ForStatementAst"] = 0;
astTypeDictionary["DoWhileStatementAst"] = 0;
astTypeDictionary["DoUntilStatementAst"] = 0;
astTypeDictionary["WhileStatementAst"] = 0;
astTypeDictionary["SwitchStatementAst"] = 0;
astTypeDictionary["CatchClauseAst"] = 0;
astTypeDictionary["TryStatementAst"] = 0;
astTypeDictionary["TrapStatementAst"] = 0;
astTypeDictionary["BreakStatementAst"] = 0;
astTypeDictionary["ContinueStatementAst"] = 0;
astTypeDictionary["ReturnStatementAst"] = 0;
astTypeDictionary["ExitStatementAst"] = 0;
astTypeDictionary["ThrowStatementAst"] = 0;
astTypeDictionary["PipelineBaseAst"] = 0;
astTypeDictionary["PipelineAst"] = 0;
astTypeDictionary["CommandElementAst"] = 0;
astTypeDictionary["CommandParameterAst"] = 0;
astTypeDictionary["CommandBaseAst"] = 0;
astTypeDictionary["CommandAst"] = 0;
astTypeDictionary["CommandExpressionAst"] = 0;
astTypeDictionary["RedirectionAst"] = 0;
astTypeDictionary["MergingRedirectionAst"] = 0;
astTypeDictionary["FileRedirectionAst"] = 0;
astTypeDictionary["AssignmentStatementAst"] = 0;
astTypeDictionary["ConfigurationDefinitionAst"] = 0;
astTypeDictionary["DynamicKeywordStatementAst"] = 0;
astTypeDictionary["ExpressionAst"] = 0;
astTypeDictionary["BinaryExpressionAst"] = 0;
astTypeDictionary["UnaryExpressionAst"] = 0;
astTypeDictionary["BlockStatementAst"] = 0;
astTypeDictionary["AttributedExpressionAst"] = 0;
astTypeDictionary["ConvertExpressionAst"] = 0;
astTypeDictionary["MemberExpressionAst"] = 0;
astTypeDictionary["InvokeMemberExpressionAst"] = 0;
astTypeDictionary["BaseCtorInvokeMemberExpressionAst"] = 0;
astTypeDictionary["TypeExpressionAst"] = 0;
astTypeDictionary["VariableExpressionAst"] = 0;
astTypeDictionary["ConstantExpressionAst"] = 0;
astTypeDictionary["StringConstantExpressionAst"] = 0;
astTypeDictionary["ExpandableStringExpressionAst"] = 0;
astTypeDictionary["ScriptBlockExpressionAst"] = 0;
astTypeDictionary["ArrayLiteralAst"] = 0;
astTypeDictionary["HashtableAst"] = 0;
astTypeDictionary["ArrayExpressionAst"] = 0;
astTypeDictionary["ParenExpressionAst"] = 0;
astTypeDictionary["SubExpressionAst"] = 0;
astTypeDictionary["UsingExpressionAst"] = 0;
astTypeDictionary["IndexExpressionAst"] = 0;
astTypeDictionary["AssignmentTarget"] = 0;
astTypeDictionary["UNKNOWN"] = 0;
// Return all targeted AST objects by Count and Percent across the entire input AST object.
return(RevokeObfuscationHelpers.AstValueGrouper(ast, typeof(Ast), astTypeDictionary, "AstGroupedAstTypes",
targetAst => { return ((Ast)targetAst).GetType().FullName.Replace("System.Management.Automation.Language.", "").Replace("System.", ""); }));
}