#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
from refinery.units.obfuscation import Deobfuscator, outside
from refinery.lib.patterns import formats
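class deob_ps1_cases(Deobfuscator):
    """
    Restore the canonical casing of well-known PowerShell names.

    PowerShell is case-insensitive, so obfuscated scripts frequently scramble the casing of cmdlets,
    operators and type names (constructed example: `iNvOkE-eXpReSsIoN`). This unit rewrites every
    case-insensitive occurrence of an entry in `_NAMES` to the spelling given there. The change is purely
    cosmetic: it makes a sample easier to read and to match with case-sensitive signatures, but it does
    not undo any other obfuscation layer.
    """

    # Canonical spellings. Only complete tokens are rewritten, so shortened or extended forms of a
    # parameter (anything that continues with another word character) are left as they are; do not
    # treat the output as proof that such a switch is absent from the sample.
    _NAMES = [
        '-BXor',
        '-Exec Bypass',
        '-NoLogo',
        '-NonInter',
        '-Replace',
        '-Windows Hidden',
        '.Invoke',
        'Assembly',
        'Byte',
        'Char',
        'ChildItem',
        'CreateThread',
        'Get-Variable',
        'GetType',
        'IntPtr',
        'Invoke-Expression',
        'Invoke',
        'Length',
        'Net.WebClient',
        'PowerShell',
        'PSVersionTable',
        'Set-Item',
        'Set-Variable',
        'Start-Sleep',
        'ToString',
        'Type',
        'Value',
        'Void',
    ]

    # NOTE(review): presumably limits the rewrite to text outside of PowerShell string literals, so
    # that string contents are not altered; confirm against refinery.units.obfuscation.outside.
    @outside(formats.ps1str)
    def deobfuscate(self, data):
        """
        Return `data` with every known name from `_NAMES` rewritten to its canonical casing.

        Names are processed in list order and matched case-insensitively as whole tokens.
        """
        for name in self._NAMES:
            # A word-boundary anchor is only meaningful next to a word character. In front of a name
            # that starts with `-` or `.`, `\b` would demand a word character directly before it, and
            # the usual case of a switch or operator preceded by whitespace would never be rewritten.
            # The anchor is therefore only emitted on an edge that is a word character.
            head = R'\b' if re.match(R'\w', name) else ''
            tail = R'\b' if re.search(R'\w\Z', name) else ''
            # A callable replacement inserts the name literally rather than as a regex template.
            data = re.sub(
                F'{head}{re.escape(name)}{tail}',
                lambda _, canonical=name: canonical,
                data,
                flags=re.IGNORECASE,
            )
        return data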