Awesome
InvisibilityCloak
Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio project.
- Change the tool name
- Change the project GUID
- Obfuscate compatible strings in source code files based on obfuscation method entered by user
- Removes one-line comments (e.g. // this is a comment)
- Remove PDB string option for compiled release .NET assembly
String Candidates Not Obfuscated
The below string candidates are not included in obfuscation
- Strings less than 3 characters
- Strings using string interpolation (e.g.,
Console.WriteLine($"Hello, {name}! Today is {date.DayOfWeek}, it's {date:HH:mm} now.");
) - Case statements as they need to be static values
- Const vars as they need to be static values
- Strings in method signatures as they need to be static values
- Line with
" => "
as used in switch statement and needs to be static value. is
in an if statement when doing comparison as the values compared must be static- Strings within Regexes
- Override strings as they need to be static values
- The below random edge cases for strings, as they have caused issues when encoding/decoding
- String starting with or ending with
'
""'
in the line+ @"
in the line"""
in the line""
in the lineEncoding.Unicode.GetString
in the lineEncoding.Unicode.GetBytes
in the lineEncoding.ASCII.GetBytes
in the line- Line starting with
"
and ending with")]
. This is typically used for command line switches and needs to be static value.
- String starting with or ending with
Support Information
- Windows
- Linux (Debian-based systems)
- Python3
Arguments/Options
-d, --directory
- directory where your visual studio project is located-m, --method
- obfuscation method (base64, rot13, reverse)-n, --name
- name of your new tool-h, --help
- help menu--version
- get version of tool
Usage/Examples
Run InvisibilityCloak with string obfuscation
Base64 String Obfuscation
python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m base64
python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m base64
ROT13 String Obfuscation
python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m rot13
python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m rot13
Reverse String Obfuscation
python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m reverse
python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m reverse
Run InvisibilityCloak without string obfuscation
python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool"
python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool"
Signature-Based Detection Statistics
The below table shows the signature-based detection statistics between the unobfuscated and obfuscated versions of 20 popular public C# tools with InvisibilityCloak.
This is specifically for Microsoft Defender (free version), and accurate as of April 14th, 2022.
Compiled C# Tool Size Statistics
The below table shows the file sizes of 20 popular public C# tools between the unobfucated and obfuscated versions using InvisibilityCloak with various string obfuscation methods.
Roadmap
- Add support for C# projects with multiple C# project files (multi-project solutions)
- Obfuscation support for variable names and method names