{"id":19806473,"url":"https://github.com/0xtas/0xidiz3r","last_synced_at":"2025-05-01T07:30:53.074Z","repository":{"id":62416377,"uuid":"555003136","full_name":"0xTas/0xidiz3r","owner":"0xTas","description":"Reversible Batch script obfuscation implemented in Rust","archived":false,"fork":false,"pushed_at":"2022-12-21T05:10:40.000Z","size":58,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-06T10:52:10.436Z","etag":null,"topics":["batch-obfuscation","batch-obfuscator","deobfuscation","obfuscation","obfuscation-tool","obfuscator"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xTas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-10-20T19:28:12.000Z","updated_at":"2024-10-21T17:13:31.000Z","dependencies_parsed_at":"2023-01-30T02:45:14.909Z","dependency_job_id":null,"html_url":"https://github.com/0xTas/0xidiz3r","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xTas%2F0xidiz3r","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xTas%2F0xidiz3r/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xTas%2F0xidiz3r/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xTas%2F0xidiz3r/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xTas","download_url":"https://codeload.github.com/0xTas/0xidiz3r/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251840135,"owners_count":21652286,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["batch-obfuscation","batch-obfuscator","deobfuscation","obfuscation","obfuscation-tool","obfuscator"],"created_at":"2024-11-12T09:07:38.785Z","updated_at":"2025-05-01T07:30:52.815Z","avatar_url":"https://github.com/0xTas.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"### An attempt at reversible batch \u0026 powershell obfuscation using techniques inspired by John Hammond.\u003cbr\u003e\n\nBatch technique: https://www.youtube.com/watch?v=0RADvfJysuA\u003cbr\u003e\n\nPowershell technique (todo!()): https://www.youtube.com/watch?v=WJlqQYyzGi8\u003cbr\u003e\n\n## Background (Batch)\n\n**Obfuscation:**\u003cbr\u003e\n\nThis is an implementation of an interesting Batch obfuscation technique which uses variables to obfuscate Batch commands.\u003cbr\u003e\nThe basic idea is that you can obfuscate many keywords and characters in Batch using nonsensical variable names, and they will still work.\u003cbr\u003e\nThis program builds an obfuscated alphabet using random variable names, and uses those random variables to build obfuscated commands.\u003cbr\u003e\nIn my testing, this particular technique is trivial to unravel as a human analyst, but may still avoid static detection in some scenarios.\u003cbr\u003e\n\n**This program makes no guarantees about preserving the functionality of the obfuscated scripts it produces.**\u003cbr\u003e\u003cbr\u003e\n\n*Most things seem to work, however there are notable limitations:*\u003cbr\u003e\u003cbr\u003e\n**Variables:** User-defined or environment variables cannot be effectively obfuscated using this technique.\nThis is because, while Batch **can** technically double-nest variable definitions and usages **as long as** an obfuscation variable is defined on the entire line,\nthe act of defining that line as an obfuscated variable will still require printing the cleartext un-obfuscated version of that line into the output script, effectively canceling the obfuscation effect.\u003cbr\u003e\n\n**Function Labels:** Batch function labels `:EXAMPLE`, can also not be obfuscated letter-by-letter, but the `goto :EXAMPLE` commands can be.\nI have chosen to leave labels alone for now, as obfuscating the entire label with a single variable would also not really accomplish much.\u003cbr\u003e\u003cbr\u003e\n\nIf you come across keywords or patterns which fail to execute in an obfuscated state, please open an issue and I will investigate how to best handle similar cases in the program.\u003cbr\u003e\nAlternatively, if you wish to make those fixes/improvements yourself, *pull requests are welcomed*.\u003cbr\u003e\u003cbr\u003e\n\n---\n\n**Deobfuscation:**\u003cbr\u003e\n\nI was completely in the dark when implementing the deobfuscation, but I have gotten it to a point that I feel is mostly reliable.\u003cbr\u003e\nUsing Regex patterns and assumptions made about the structure of the obfuscation, I have managed to get the deobfuscator to perfectly restore all of my test input scripts to their original forms.\u003cbr\u003e\u003cbr\u003e\n\n**This program makes no guarantees about the fidelity or accuracy of the deobfuscated scripts it produces.**\u003cbr\u003e\u003cbr\u003e\n\nAs long as the input script was obfuscated using the above technique, where the obfuscated variable names contain only characters in the CharSet::GoodChars set, \nand as long as the obfuscated alphabet is mostly intact (each obfuscated variable used needs a matching definition statement), the deobfuscation **should** work.\u003cbr\u003e\n\nThat being said, I don't do much with Batch, and didn't have a wide variety of scripts to test with.\u003cbr\u003e\nSo, same as above, I am open to issues or pull requests regarding the performance of this deobfuscator.\u003cbr\u003e\n\n---\n\n\n## Disclaimer\n\n**This program is for educational purposes only. This obfuscation technique is trivial to reverse engineer.**\u003cbr\u003e\n**Don't be malicious.**\n\n---\n\n## Usage \u003cbr\u003e\u003cbr\u003e\n\n### As a Library: \u003cbr\u003e\n\nYou can use *0xidiz3r* as a library if you wish to write your own abstractions over the (currently minimal) API.\u003cbr\u003e\u003cbr\u003e\n**Obfuscation:**\u003cbr\u003e\n```rust\n// Bring the obfuscator struct into scope:\nuse oxidizer::batch::obfuscator::BatchObfuscator\n\n// Create an empty instance of a batch obfuscator:\nlet obfuscator = BatchObfuscator::new();\n\n// Initialize the obfuscator with some source commands:\nlet poc_cmd = \"start C:/Windows/System32/calc.exe\";\nobfuscator.initialize(None, None, poc_cmd.to_string());\n\n// The initialization step takes some source commands and automatically obfuscates them.\n// You can then write that obfuscated output to a file of your choice:\nlet filename = String::from(\"obfuscated.bat\");\nobfuscator.write_obfuscated_script(Some(filename));\n\n// You could also print to stdout if necessary, though it can be spammy and copy/pasting might be unreliable:\nprintln!(\"{}\", obfuscator.obfuscated_code);\n```\n\u003cbr\u003e\u003cbr\u003e\n**Deobfuscation:**\u003cbr\u003e\n```rust\n// Bring the deobfuscator struct into scope:\nuse oxidizer::batch::deobfuscator::BatchDeobfuscator;\n\n// Create an empty instance of a batch deobfuscator:\nlet deobfuscator = BatchDeobfuscator::new();\n\n// Initialize the deobfuscator with some obfuscated source (alphabet + commands):\nlet source = fs::read_to_string(\"obfuscated.bat\").unwrap();\ndeobfuscator.initialize(source);\n\n// The initialization step takes some obfuscated source commands and attempts to deobfuscate them.\n// If successful, you can write the deobfuscated output to a file:\ndeobfuscator.write_deobfuscated_script(None); // Using \"None\" causes the method to use a default filename: \"deobfuscated.bat\".\n\n// Or alternatively, to stdout:\nprintln!(\"{}\", deobfuscator.cleaned_code);\n```\n\n---\n\n### As a CLI Utility: \u003cbr\u003e\nThe following assumes that you have either downloaded a release binary or cloned the repo and built it using `cargo build --release`.\u003cbr\u003e\u003cbr\u003e\n\nA simple CLI tool is provided as an abstraction over the API for your convenience:\u003cbr\u003e\n\n**Windows:**\u003cbr\u003e\n```powershell\n# To obfuscate a source command from stdin (with -e to disable command echoing):\n.\\0xidiz3r.exe \"start C:/Windows/System32/calc.exe\" -e\n\n# To obfuscate a source file with the default configuration:\n.\\0xidiz3r.exe input.bat\n\n# To obfuscate a source file, adding \"@echo off\" and writing to a custom output file:\n.\\0xidiz3r.exe input.bat -e -o output.bat\n\n# To deobfuscate a source file:\n.\\0xidiz3r.exe -d output.bat\n```\n\u003cbr\u003e\n\n**Linux/MacOS:**\u003cbr\u003e\n```bash\n# To obfuscate a source command from stdin (with -e to disable command echoing):\n./0xidiz3r \"start C:/Windows/System32/calc.exe\" -e\n\n# To obfuscate a source file with the default configuration:\n./0xidiz3r input.bat\n\n# To obfuscate a source file, adding \"@echo off\" and writing to a custom output file:\n./0xidiz3r input.bat -e -o output.bat\n\n# To deobfuscate a source file with a custom output file-name:\n./0xidiz3r -d output.bat -o cleaned.bat\n```\n\n---\n\n## Future Plans\n\n- Improve batch obfuscation technique (recursive reuse? ascii exit codes? additional modes?)\n- Improve batch deobfuscation technique to match\n- Introduce Powershell path obfuscation module\n- Introduce Powershell path deobfuscation module (accepts script with obfuscated binary paths and attempts to deobfuscate them)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xtas%2F0xidiz3r","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xtas%2F0xidiz3r","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xtas%2F0xidiz3r/lists"}