Babel-Shellfish deobfuscates and scans PowerShell scripts in real time, right before each line executes.

Babel-Shellfish

Deobfuscate PowerShell scripts right before execution. Babel-Shellfish lets you both log the deobfuscated scripts and scan them through AMSI. If a script is found to be malicious, it stops its execution.

Work In Progress

This is still a preliminary version intended as a POC. The code was tested against PowerShell v5.1 (x64 processes only). I cannot recommend using it in a production environment; use it at your own risk.

Usage

  • Copy the compiled Babel-Shellfish.dll and BabelShellfishProfiler.dll from /x64/Release/ to a permanent folder (make sure all users have read access to it).
  • Run Install-Babel-Shellfish.bat from an administrator shell (see Installation Usage below).
  • Babel-Shellfish loads into every .NET process on the system. Whenever PowerShell (System.Management.Automation) runs, Babel-Shellfish runs with it.
  • Note: if you ran the installation batch file from a command line, you must start a new console for the environment changes to take effect (running powershell.exe from the same console as the installation will not load Babel-Shellfish).
  • You can disable Babel-Shellfish by running Disable-Babel-Shellfish.bat (run the batch file as administrator).

Installation Usage

  • Install-Babel-Shellfish.bat [DebugOut] [ScanWithAMSI] [LogAMSI] [BabelShellfish Path] [LogFolderPath]
  • Example: Install-Babel-Shellfish.bat 0 1 0 "c:\Babel-Shellfish\BabelShellfishProfiler.dll" "c:\Babel-Shellfish\Logs"
  • [DebugOut] - Set to 1 to send deobfuscated commands to OutputDebugString.
  • [ScanWithAMSI] - Set to 1 to scan deobfuscated scripts with AMSI.
  • [LogAMSI] - Set to 1 to log the scripts sent to AMSI (curiosity feature).
  • [BabelShellfish Path] - Path to BabelShellfishProfiler.dll.
  • [LogFolderPath] - (Optional) Path in which to save deobfuscated scripts. Logs are saved in the same folder structure as PowerShell's transcription output.
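The following post-install check, covering both the Usage steps and the Installation Usage parameters above, is an added example and not part of the Babel-Shellfish project. It assumes that the installer registers the profiler through the standard CLR profiler environment variables (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH) at machine scope, that the DLL and log folder sit at the paths used in the README's example invocation, and that a deobfuscated script is written under [LogFolderPath] as a text file; all of these are assumptions, not facts taken from the project. The smoke test feeds a benign, constructed command whose cmdlet name is assembled at run time and then looks for the resolved text in a newly written log file.

```powershell
# Added post-install check; not part of the Babel-Shellfish project.
# Assumptions (labelled): CLR profiler variables at Machine scope, paths
# from the README example, and text log files under the log folder.
param(
    [string]$ProfilerDll = 'C:\Babel-Shellfish\BabelShellfishProfiler.dll',  # assumed path
    [string]$LogFolder   = 'C:\Babel-Shellfish\Logs'                           # assumed path
)

function Test-ProfilerRegistration {
    # A fresh console inherits these machine-scope variables, which is why the
    # README says to open a new console after running the installer.
    $state = @{}
    foreach ($name in 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH') {
        $state[$name] = [Environment]::GetEnvironmentVariable($name, 'Machine')
    }
    [pscustomobject]@{
        Enabled     = ($state['COR_ENABLE_PROFILING'] -eq '1')
        ProfilerSet = -not [string]::IsNullOrEmpty($state['COR_PROFILER'])
        Path        = $state['COR_PROFILER_PATH']
        PathExists  = [bool]($state['COR_PROFILER_PATH'] -and
                             (Test-Path -LiteralPath $state['COR_PROFILER_PATH']))
    }
}

function Test-DllReadableByAllUsers {
    param([string]$Path)
    # The profiler loads into every .NET process, including ones running as
    # other accounts, so the README asks that all users can read the DLL.
    $broadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl = Get-Acl -LiteralPath $Path
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $readExec) -eq $readExec)
    }
    return [bool]$match
}

function Invoke-DeobfuscationSmokeTest {
    param([string]$LogFolder)
    $before = @(Get-ChildItem -LiteralPath $LogFolder -Recurse -File -ErrorAction SilentlyContinue)
    # Constructed, benign test input: the cmdlet name is built from two
    # fragments, so a deobfuscated log should show the resolved 'Write-Output'.
    $marker = 'babel-shellfish-smoke-test'
    $command = "& ('Write-' + 'Output') '$marker'"
    # Start a new powershell.exe so the profiler attaches to a fresh process.
    & powershell.exe -NoProfile -Command $command | Out-Null
    $after = @(Get-ChildItem -LiteralPath $LogFolder -Recurse -File -ErrorAction SilentlyContinue)
    $newFiles = $after | Where-Object { $before.FullName -notcontains $_.FullName }
    foreach ($file in $newFiles) {
        if (Select-String -LiteralPath $file.FullName -Pattern $marker -Quiet) {
            return $file.FullName   # log that captured the test script
        }
    }
    return $null
}

$reg = Test-ProfilerRegistration
"Profiler enabled      : $($reg.Enabled)"
"CLSID registered      : $($reg.ProfilerSet)"
"Profiler DLL present  : $($reg.PathExists) ($($reg.Path))"
"DLL readable by users : $(Test-DllReadableByAllUsers -Path $ProfilerDll)"
$log = Invoke-DeobfuscationSmokeTest -LogFolder $LogFolder
if ($log) { "Deobfuscated log found: $log" } else { "No new log containing the marker was found." }
```

Run the script from a console opened after the installer finished, since the registration check reads machine-scope variables and the smoke test needs a process that the profiler actually loads into. If the last line reports no log, the [LogFolderPath] argument was either omitted or points elsewhere, or the profiler did not attach to the child process.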

Compilation

The project was created with Visual Studio 2013. Install the Windows Platform SDK to compile it properly, and make sure the NuGet Package Manager is set to download missing packages automatically.

Detailed Description

More information can be found in the DerbyCon presentation by Omer Yair (October 2018).

Credits

  • CorProfiler by .NET Foundation
  • Eyal Ne'emany
  • Guy Franco
  • Ephraim Neuberger
  • Yossi Sassi
  • Omer Yair