{"id":22050302,"url":"https://github.com/klezvirus/chameleon","last_synced_at":"2025-04-05T05:05:24.223Z","repository":{"id":45131182,"uuid":"360163114","full_name":"klezVirus/chameleon","owner":"klezVirus","description":"PowerShell Script Obfuscator","archived":false,"fork":false,"pushed_at":"2023-11-02T13:09:28.000Z","size":102,"stargazers_count":523,"open_issues_count":4,"forks_count":93,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-03-29T04:09:21.019Z","etag":null,"topics":["amsi-bypass","amsi-evasion","bypass-antivirus","obfuscation","powershell"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/klezVirus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-04-21T12:32:28.000Z","updated_at":"2025-03-20T09:10:18.000Z","dependencies_parsed_at":"2024-01-14T08:10:04.829Z","dependency_job_id":"fad5f67a-2f1b-4cca-8348-9e8c554c342b","html_url":"https://github.com/klezVirus/chameleon","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fchameleon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fchameleon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fchameleon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fchameleon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/klezVirus","download_url":"https://codeload.git
hub.com/klezVirus/chameleon/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247289426,"owners_count":20914464,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amsi-bypass","amsi-evasion","bypass-antivirus","obfuscation","powershell"],"created_at":"2024-11-30T14:21:05.447Z","updated_at":"2025-04-05T05:05:24.206Z","avatar_url":"https://github.com/klezVirus.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Chameleon\n\nChameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions.\n\n![Chameleon](assets/Chameleon_green_white.svg)\n\n## Official Discord Channel (Inceptor)\n\nCome hang out on Discord!\n\n[![Inceptor](https://discordapp.com/api/guilds/1155753953108164628/widget.png?style=banner2)](https://discord.gg/Z66VdyCv)\n\n## Overview\n\nThe tool has been developed as a Python port of the [Chimera][1] project, by [tokyoneon_][2]. As such, it uses \nmostly the same techniques to evade common detection signatures, such as:\n\n* comment deletion/substitution\n* string substitution (variables, functions, data-types)\n* variable concatenation\n* indentation randomization\n* semi-random backticks insertion\n* case randomization\n* encoding \n\n## Why port it\n\nChimera was indeed a shiny project, so why did I decide to port it to Python, and why should you use Chameleon?\nWell, there are several reasons why I decided to build Chameleon. I wrote a more detailed post about them [here][7]. 
\nI've also listed below the most important ones. \n\n##### Reliability\n\nAs the author of Chimera states in the readme, the Chimera script can successfully obfuscate scripts that the author\ntested personally, which are contained in the [shells][3] directory. However, the tool is not very reliable with other, \nuntested, scripts. Quoting the author:\n\n\u003e there's no telling how untested scripts will reproduce with Chimera... \n\nThis alone was a good reason to attempt to make the tool a bit more reliable, and also capable of obfuscating \nmore complex scripts.\n\n##### Speed\n\nChimera attempts several obfuscation steps, which usually require the input to be read from a file, and stored back \nin a file again. While this is a safe approach, because each step is saved to disk (let's say there is an error at step \nn, we would still have the result of the obfuscation till n - 1), this is not really efficient. The overhead of writing \nand reading from a file at each step makes the tool really slow when operating on large scripts (up to several minutes \nwith the -a option). \n\nChameleon, instead, performs all obfuscation steps in memory, meaning it is much faster.\n\n##### Portability\n\nChimera has been developed as a Bash script, and heavily relies on common Linux utilities to accomplish the obfuscation.\n\nChameleon, on the other hand, is built with Python, meaning that you can use it wherever Python is installed.\n\n##### Smart evasion checking\n\nChimera offers a function to submit scripts to VirusTotal directly. While this might be considered a useful utility, \nit will expose the obfuscated script to third-party threat intelligence, weakening the obfuscation engine. 
\n\nTo address this issue, Chameleon uses the utility [AMSITrigger][4] by [RythmStick][5], to check if the obfuscated result will indeed \nbypass AMSI.\n\n### Improvements\n\nSo far, we've talked about the efficiency and reliability issues of Chimera, but what are the real improvements \nfrom an obfuscation standpoint? The techniques used by Chameleon are for the most part the same as Chimera, with some improvements:\n\n* \"Smart\" variable scope identification (function local variables will be replaced \"carefully\" or left untouched)\n* Random backticks insertion (not just limited to a set of strings)\n* Random case switch (not just limited to a set of strings)\n* Supports an external obfuscation mapping for functions ~~and parameters~~ (TODO)\n* Additional Base64 Encoding wrapping\n\nChameleon manages to handle function and local parameters by implementing a very minimalist PowerShell \"reader\", which is\ncapable of distinguishing three contexts: \n\n* Global/Main Scope\n* In-Function Scope\n    * Param() Blocks\n\nThe reader is still not a real parser, and relies on Dyck language to find the limits of the relevant areas.\n\n### Usage\n\nUsing the tool is pretty straightforward, as the help output shows:\n\n```\nusage: chameleon.py [-h] [-l {0,1,2,3,4,5}] -o OUTPUT [-v] [-s] [-d] [-n] [-c] [-f] [-b] [--random-backticks] [-r] [-i] [-x] [-j] [-a] [--decimal] [--base64] [-z] [-F FUNCTION_MAPPING] [-K KEYWORDS] [-B BACKTICKS] [-t {r,d,h}] [--safe] [--verbose] [--about]\n                    target\n\nChameleon - PowerShell script obfuscator (Improved Python port of Chimera)\n\npositional arguments:\n  target                Script to obfuscate\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -l {0,1,2,3,4,5}, --level {0,1,2,3,4,5}\n                        String manipulation Level (1: MIN, 5: MAX, 0: RANDOM)\n  -o OUTPUT, --output OUTPUT\n                        Store the payload in a file\n  -v, --variables       Enable variable obfuscation\n  -s, 
--strings         Enable string obfuscation\n  -d, --data-types      Enable data types obfuscation\n  -n, --nishang         Enable Nishang scripts obfuscation\n  -c, --comments        Enable comments obfuscation\n  -f, --functions       Enable functions obfuscation\n  -b, --use-backticks   Enable use of backticks with generated strings\n  --random-backticks    Enable use of backticks randomization\n  -r, --random-cases    Enable upper/lower randomization\n  -i, --random-spaces   Enable indentation randomization\n  -x, --hex-ip          Enable indentation randomization\n  -j, --true-false-null\n                        Try and obfuscate $true, $false and $null (experimental)\n  -a, --enable-all      Enable all obfuscation types\n  --decimal             Convert obfuscated payload to decimal format\n  --base64              Convert obfuscated payload to base64 format\n  -z, --check           Check the script against AMSI Trigger (@RythmStick, @rasta-mouse)\n  -F FUNCTION_MAPPING, --function-mapping FUNCTION_MAPPING\n                        Add custom keywords to obfuscate\n  -K KEYWORDS, --keywords KEYWORDS\n                        Add custom keywords to obfuscate\n  -B BACKTICKS, --backticks BACKTICKS\n                        Add a list of words to backtick\n  -t {r,d,h}, --randomization-type {r,d,h}\n                        Type of randomization (r: Random, d: Dictionary, h: Hybrid)\n  --safe                Reduce obfuscation of certain variables\n  --verbose             Enable verbose output\n  --about               Shows additional information about the tool\n```\n\n### Notes \n\nIt is worth saying that, even though Chameleon is now capable of obfuscating complex scripts as well, it's still not comparable with\nInvoke-Obfuscation, which is far more mature and is also backed by a fully fledged parser, `Management.Automation.Language.Parser`.\n\n### Next steps\n\nMoreover, Chameleon is still not perfect and still needs further development to increase both its accuracy and 
improve \nits obfuscation techniques. A non-exhaustive list of planned improvements is below:\n\n* Upgrade the PowerShell reader\n* Include other encoding schemes\n* Add more obfuscation methods\n\n## Contribute\n\nIf you want to contribute, just fork the repository. Any PR is welcome.\n\n## Credits\n\nIt is worth saying that Chameleon would not exist without the work of [tokyoneon_][2] on [Chimera][1], as most of the\nobfuscation process was ported from Bash to Python (of course with some mods).\n\n## References\n\n* [Chimera][1]\n* [Invoke-Obfuscation][6]\n* [AMSITrigger][4]\n\n[1]: https://github.com/tokyoneon/Chimera.git\n[2]: https://twitter.com/tokyoneon_\n[3]: https://github.com/tokyoneon/Chimera/tree/master/shells\n[4]: https://github.com/RythmStick/AMSITrigger\n[5]: https://github.com/RythmStick\n[6]: https://github.com/danielbohannon/Invoke-Obfuscation\n[7]: https://klezvirus.github.io/RedTeaming/AV_Evasion/BornFromAChimera/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklezvirus%2Fchameleon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fklezvirus%2Fchameleon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklezvirus%2Fchameleon/lists"}