OmerYa/Babel-Shellfish: Babel-Shellfish deobfuscates and scans Powershell scripts on real-time right before each line execution.
2019-05-17 00:31:25 Author: github.com (view original) Views: 140


Babel-Shellfish deobfuscates and scans Powershell scripts on real-time right before each line execution.

Repository contents:

Name                        Latest commit message              Commit time
BabelShellfishProfiler      First blood                        Oct 28, 2018
Bable-Shellfish             Peel PSObject in Invoke method     Nov 10, 2018
Win32/Release               First blood                        Oct 28, 2018
packages                    First blood                        Oct 28, 2018
x64/Release                 Add files via upload               Nov 10, 2018
.gitignore                  Initial commit                     Oct 28, 2018
Babel-Shellfish.sln         First blood                        Oct 28, 2018
Disable-Babel-Shellfish.bat First blood                        Oct 28, 2018
Install-Babel-Shellfish.bat First blood                        Oct 28, 2018
LICENSE                     Initial commit                     Oct 28, 2018
README.md                   Update README.md                   Oct 28, 2018

Deobfuscate Powershell scripts right before execution. Babel-Shellfish lets you both log the deobfuscated scripts and scan them through AMSI. If a script is found to be malicious, its execution is stopped.

This is still a preliminary version intended as a POC. The code was tested against Powershell V5.1 (only in x64 processes). I cannot recommend using it in a production environment; use it at your own risk.

  • Copy the compiled Babel-Shellfish.dll.dll and BabelShellfishProfiler.dll from /x64/Release/ to a permanent folder (make sure all users have access to it).
  • Run Install-Babel-Shellfish.bat from an administrator shell (see usage below).
  • Babel-Shellfish will run in every .Net process on the system. Whenever Powershell (System.Management.Automation) runs, Babel-Shellfish will run with it too.
  • Note: If you ran the installation batch file from a command line, you will have to start a new console for the environment changes to register (running powershell.exe from the same console as the installation won't load Babel-Shellfish).
  • You can disable Babel-Shellfish by running Disable-Babel-Shellfish.bat (run the batch file as administrator).
  • Usage: Install-Babel-Shellfish.bat [DebugOut] [ScanWithAMSI] [LogAMSI] [BabelShellfish Path] [LogFolderPath]
  • Example: Install-Babel-Shellfish.bat 0 1 0 "c:\Babel-Shellfish\BabelShellfishProfiler.dll" "c:\Babel-Shellfish\Logs"
  • [DebugOut] - Set to 1 to send deobfuscated commands to OutputDebugString.
  • [ScanWithAMSI] - Set to 1 to scan deobfuscated scripts with AMSI.
  • [LogAMSI] - Set to 1 to log the scripts sent to AMSI (curiosity feature).
  • [BabelShellfish Path] - Path to BabelShellfishProfiler.dll.
  • [LogFolderPath] - (Optional) Path in which to save deobfuscated scripts. Logs are saved in the same folder structure as Powershell's transcription output.
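As an added example (not code from the Babel-Shellfish repository), a PowerShell pre-flight check for the install steps above: it verifies that the profiler DLL is readable by all users, that the optional log folder exists, and whether the current console already carries the profiler environment, which is why the README asks for a new console after installation. It assumes the installer registers the profiler through the standard CLR profiling variables COR_ENABLE_PROFILING, COR_PROFILER and COR_PROFILER_PATH; the README does not name them, and the default paths are taken from its example.

```powershell
# Added example, not part of the Babel-Shellfish repository.
# Assumption: Install-Babel-Shellfish.bat registers the profiler through the standard
# CLR profiling variables COR_ENABLE_PROFILING, COR_PROFILER and COR_PROFILER_PATH.
param(
    [string]$ProfilerPath = 'C:\Babel-Shellfish\BabelShellfishProfiler.dll',  # paths from the README example
    [string]$LogFolder    = 'C:\Babel-Shellfish\Logs'
)

function Test-BabelShellfishInstall {
    param([string]$ProfilerPath, [string]$LogFolder)
    $ok = $true

    # 1. The profiler DLL is loaded into every .NET process on the machine, so it must
    #    exist and be readable/executable by all users, not only by the installing admin.
    if (-not (Test-Path -LiteralPath $ProfilerPath)) {
        Write-Warning "Profiler DLL not found: $ProfilerPath"; $ok = $false
    } else {
        $acl = Get-Acl -LiteralPath $ProfilerPath
        $readAll = $acl.Access | Where-Object {
            $_.IdentityReference.Value -in @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadAndExecute) -ne 0)
        }
        if (-not $readAll) {
            Write-Warning "No Allow/ReadAndExecute ACE for all users on $ProfilerPath"; $ok = $false
        }
    }

    # 2. The optional log folder must exist, or deobfuscated scripts will not be saved.
    if ($LogFolder -and -not (Test-Path -LiteralPath $LogFolder -PathType Container)) {
        Write-Warning "Log folder missing: $LogFolder (deobfuscated scripts will not be logged)"
    }

    # 3. A console opened before installation keeps its old environment; compare the
    #    machine-wide value of each profiler variable with this process's value.
    foreach ($name in 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH') {
        $machine = [Environment]::GetEnvironmentVariable($name, 'Machine')
        $process = [Environment]::GetEnvironmentVariable($name, 'Process')
        if ($machine -and ($machine -ne $process)) {
            Write-Warning "$name is set machine-wide but not in this console; open a new console"
            $ok = $false
        }
    }
    return $ok
}

Test-BabelShellfishInstall -ProfilerPath $ProfilerPath -LogFolder $LogFolder
```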

The project was created with Visual Studio 2013. You should install the Windows Platform SDK to compile it properly. Make sure NuGet Package Manager is set to download missing packages automatically.

More info can be found on the DerbyCon presentation by Omer Yair (October, 2018).

  • CorProfiler by .NET Foundation
  • Eyal Ne'emany
  • Guy Franco
  • Ephraim Neuberger
  • Yossi Sassi
  • Omer Yair

Article source: https://github.com/OmerYa/Babel-Shellfish