Finish obfu specs and use rig

Meatballs1 · Meatballs1 · commit 0177e5114808 · 2014-05-05T18:47:25.000+01:00
diff --git a/lib/rex/exploitation/powershell/obfu.rb b/lib/rex/exploitation/powershell/obfu.rb
@@ -9,22 +9,6 @@ module Powershell
 
   module Obfu
 
-    #
-    # Create hash of string substitutions
-    #
-    # @param strings [Array] array of strings to generate unique names
-    #
-    # @return [Hash] map of strings with new unique names
-    def sub_map_generate(strings)
-      map = {}
-      strings.flatten.each do |str|
-        @rig.init_var(str)
-        map[str] = @rig[str]
-      end
-
-      map
-    end
-
     #
     # Remove comments
     #
@@ -34,6 +18,8 @@ def strip_comments
       code.gsub!(/<#(.*?)#>/m,'')
       # Single line
       code.gsub!(/^\s*#(?!.*region)(.*$)/i,'')
+
+      code
     end
 
     #
@@ -45,6 +31,8 @@ def strip_empty_lines
       code.gsub!(/[\r\n]+/,"\r\n")
       # UNIX EOL
       code.gsub!(/[\n]+/,"\n")
+
+      code
     end
 
     #
@@ -54,6 +42,8 @@ def strip_empty_lines
     # @return [String] code with whitespace stripped
     def strip_whitespace
       code.gsub!(/\s+/,' ')
+
+      code
     end
 
     #
@@ -62,11 +52,11 @@ def strip_whitespace
     # @return [String] code with variable names replaced with unique values
     def sub_vars
       # Get list of variables, remove reserved
-      vars = get_var_names
-      # Create map, sub key for val
-      sub_map_generate(vars).each do |var,sub|
-        code.gsub!(var,sub)
+      get_var_names.each do |var,sub|
+        code.gsub!(var, "$#{@rig.init_var(var)}")
       end
+
+      code
     end
 
     #
@@ -76,10 +66,11 @@ def sub_vars
     #   values
     def sub_funcs
       # Find out function names, make map
-      # Sub map keys for values
-      sub_map_generate(get_func_names).each do |var,sub|
-        code.gsub!(var,sub)
+      get_func_names.each do |var, sub|
+        code.gsub!(var, @rig.init_var(var))
       end
+
+      code
     end
 
     #
@@ -88,7 +79,7 @@ def sub_funcs
     # @return [String] code with standard substitution methods applied
     def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
       # Save us the trouble of breaking injected .NET and such
-      subs.delete('strip_whitespace') unless string_literals.empty?
+      subs.delete('strip_whitespace') unless get_string_literals.empty?
       # Run selected modifiers
       subs.each do |modifier|
         self.send(modifier)
diff --git a/spec/lib/rex/exploitation/powershell/obfu_spec.rb b/spec/lib/rex/exploitation/powershell/obfu_spec.rb
@@ -10,6 +10,24 @@
 function Find-4624Logons
 {
 
+<#
+
+multiline_comment
+
+#>
+\r\n\r\n\r\n
+\r\n
+
+lots \t of   whitespace
+
+\n\n\n\n\n
+\n\n
+
+
+# single_line_comment1
+    # single_line_comment2
+    #
+    # single_line_comment3    
    if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
         {
             $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
@@ -48,6 +66,25 @@
 """
 function Find-4624Logons
 {
+
+<#
+
+multiline_comment
+
+#>
+\r\n\r\n\r\n
+\r\n
+
+lots \t of   whitespace
+
+\n\n\n\n\n
+\n\n
+
+
+# single_line_comment1
+    # single_line_comment2
+    #
+    # single_line_comment3    
     $some_literal = @\"
   using System;
   using System.Runtime.InteropServices;
@@ -104,24 +141,92 @@
     Rex::Exploitation::Powershell::Script.new(example_script_without_literal)
   end
 
-  describe "::sub_map_generate" do
-    it 'should return some unique variable names' do
-      map = subject.sub_map_generate(['blah','parp'])
-      map.should be
-      map.should be_kind_of Hash
-      map.empty?.should be_false
-      map.should eq map.uniq
+  describe "::strip_comments" do
+    it 'should strip a multiline comment' do
+      subject.strip_comments
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('comment').should be_false
     end
 
-    it 'should not match upper or lowercase reserved names' do
-      initial_vars = subject.get_var_names
-      subject.code << "\r\n$SHELLID"
-      subject.code << "\r\n$ShellId"
-      subject.code << "\r\n$shellid"
-      after_vars = subject.get_var_names
-      initial_vars.should eq after_vars
+    it 'should strip a single line comment' do
+      subject.strip_comments
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('#').should be_false
     end
   end
 
+  describe "::strip_empty_lines" do
+    it 'should strip extra windows new lines' do
+      subject.strip_empty_lines
+      subject.code.should be
+      subject.code.should be_kind_of String
+      res = (subject.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+
+    it 'should strip extra unix new lines' do
+      subject.strip_empty_lines
+      subject.code.should be
+      subject.code.should be_kind_of String
+      res = (subject.code =~ /\n\n/)
+      res.should be_false
+    end
+  end
+
+  describe "::strip_whitespace" do
+    it 'should strip additional whitespace' do
+      subject.strip_whitespace
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('lots of whitespace').should be_true
+    end
+  end
+
+  describe "::sub_vars" do
+    it 'should replace variables with unique names' do
+      subject.sub_vars
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('$kernel32').should be_false
+      subject.code.include?('$Logon').should be_false
+    end
+  end
+
+  describe "::sub_funcs" do
+    it 'should replace functions with unique names' do
+      subject.sub_funcs
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('Find-4624Logons').should be_false
+    end
+  end
+
+  describe "::standard_subs" do
+    it 'should run all substitutions on a script with no literals' do
+      subject_no_literal.standard_subs
+      subject_no_literal.code.should be
+      subject_no_literal.code.should be_kind_of String
+      subject_no_literal.code.include?('Find-4624Logons').should be_false
+      subject_no_literal.code.include?('lots of whitespace').should be_true
+      subject_no_literal.code.include?('$kernel32').should be_false
+      subject_no_literal.code.include?('comment').should be_false
+      res = (subject_no_literal.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+
+    it 'should run all substitutions except strip whitespace when literals are present' do
+      subject.standard_subs
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('Find-4624Logons').should be_false
+      subject.code.include?('lots of whitespace').should be_false
+      subject.code.include?('$kernel32').should be_false
+      subject.code.include?('comment').should be_false
+      res = (subject.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+  end
 end
 
