Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions.

Overview

Chameleon

Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions. The tool has been developed as a Python port of the Chimera project, by tokioneon_. As such, it uses mostly the same techniques to evade common detection signatures, such as:

  • comment deletion/substitution
  • string substitution (variables, functions, data-types)
  • variable concatenation
  • indentation randomization
  • semi-random backticks insertion
  • case randomization
  • encoding

Why porting it

Chimera was indeed a shiny project, so why did I decided to port it to Python and why you should use chameleon? Well, there are several reasons why I decided to build Chameleon. I wrote a more detailed post about them here. I've also listed below the most important ones.

Reliability

As the author of Chimera states in the readme, the chimera script can successfully obfuscate scripts that the author tested personally, which are contained in the shells directory. However, the tool is not very reliable with other, untested, scripts. Quoting the author:

there's no telling how untested scripts will reproduce with Chimera...

This alone was a good reason to attempt to make the tool a bit more reliable, and also capable to obfuscate more complex scripts.

Speed

Chimera attempts several obfuscation steps, which usually requires the input to be read from a file, and stored back in a file again. While this is a safe approach, because each step is saved to disk (let's say there is an error at step n, we would still have the result of the obfuscation till n - 1), this is not really efficient. The overhead of writing and reading from a file at each time make the tool really slow when operating on large scripts (up to several minutes with the -a option).

Chameleon, instead, performs all obfuscation steps in memory, meaning it is extremely faster.

Portability

Chimera has been developed as a Bash Script, and heavily relies on common Linux utilities to accomplish the obfuscation.

Chameleon, on the other hand, is built with Python, meaning that you can use it wherever Python is installed.

Smart evasion checking

Chimera offers a function to submit scripts to VirusTotal directly. While this might be considered a useful utility, it will expose the obfuscated script to third party threat-intelligence, weakening the obfuscation engine.

To address this issue, Chameleon uses the utility AMSITrigger by RhytmStick, to check if the obfuscated result will indeed bypass AMSI.

Improvements

So far, we've talked about the efficiency and reliability issues of chimera, but what are the real improvements from an obfuscation standpoint? The techniques used by Chameleon are for the most the same as Chimera, with some improvements:

  • "Smart" variable scope identification (function local variables will be replaced "carefully" or left untouched)
  • Random backticks insertion (not just limited to a set of strings)
  • Random case switch (not just limited to a set of strings)
  • Supports an external obfuscation mapping for functions and parameters (TODO)
  • Additional Base64 Encoding wrapping

Chameleon manages to handle function and local parameters by implementing a very minimalist PowerShell "reader", which is capable of distinguish three contexts:

  • Global/Main Scope
  • In-Function Scope
    • Param() Blocks

The reader is still not a real parser, and relies on Dick Language to find relevant areas limits.

Usage

Using the tool is pretty straightforward, as observable from the help:

usage: chameleon.py [-h] [-l {0,1,2,3,4,5}] -o OUTPUT [-v] [-s] [-d] [-n] [-c] [-f] [-b] [--random-backticks] [-r] [-i] [-x] [-j] [-a] [--decimal] [--base64] [-z] [-F FUNCTION_MAPPING] [-K KEYWORDS] [-B BACKTICKS] [-t {r,d,h}] [--safe] [--verbose] [--about]
                    target

Chameleon - PowerShell script obfuscator (Improved Python port of Chimera)

positional arguments:
  target                Script to obfuscate

optional arguments:
  -h, --help            show this help message and exit
  -l {0,1,2,3,4,5}, --level {0,1,2,3,4,5}
                        String manipulation Level (1: MIN, 5: MAX, 0: RANDOM)
  -o OUTPUT, --output OUTPUT
                        Store the payload in a file
  -v, --variables       Enable variable obfuscation
  -s, --strings         Enable string obfuscation
  -d, --data-types      Enable data types obfuscation
  -n, --nishang         Enable Nishang scripts obfuscation
  -c, --comments        Enable comments obfuscation
  -f, --functions       Enable functions obfuscation
  -b, --use-backticks   Enable use of backticks with generated strings
  --random-backticks    Enable use of backticks randomization
  -r, --random-cases    Enable upper/lower randomization
  -i, --random-spaces   Enable indentation randomization
  -x, --hex-ip          Enable indentation randomization
  -j, --true-false-null
                        Try and obfuscate $true, $false and $null (experimental)
  -a, --enable-all      Enable all obfuscation types
  --decimal             Convert obfuscated payload to decimal format
  --base64              Convert obfuscated payload to base64 format
  -z, --check           Check the script against AMSI Trigger (@RythmStick, @rasta-mouse)
  -F FUNCTION_MAPPING, --function-mapping FUNCTION_MAPPING
                        Add custom keywords to obfuscate
  -K KEYWORDS, --keywords KEYWORDS
                        Add custom keywords to obfuscate
  -B BACKTICKS, --backticks BACKTICKS
                        Add a list of words to backtick
  -t {r,d,h}, --randomization-type {r,d,h}
                        Type of randomization (r: Random, d: Dictionary, h: Hybrid)
  --safe                Reduce obfuscation of certain variables
  --verbose             Enable verbose output
  --about               Shows additional information about the tool

Notes

Worth saying that, even if now Chameleon is capable of obfuscate also complex scripts, it's still not comparable with Invoke-Obfuscation, which actually is way more mature and is also backed-up by a fully fledged parser Management.Automation.Language.Parser.

Next steps

Moreover, Chameleon is still not perfect and still needs further development to increase both its accuracy and improve its obfuscation techniques. A non-exhaustive list of planned improvements are below:

  • Upgrade the PowerShell reader
  • Include other encoding schemes
  • Add more obfuscation methods

Contribute

If you want to contribute, just fork the repository. Any PR is well accepted.

Credits

Worth saying that Chameleon would not be a thing without the work of tokioneon_ on Chimera, as the most of the obfuscation process was ported from Bash to Python (of course with some mods).

References

You might also like...
Shortcut-Maker - It is a tool that can be set to run any tool with a single command
Shortcut-Maker - It is a tool that can be set to run any tool with a single command

Shortcut-Maker It is a tool that can be set to run any tool with a single command Coded by Dave Smith(Owner of Sl Cyber Warriors) Command list 👇 pkg

A CLI tool for searching and watching videos on youtube with no spyware and MPV and yt-dlp

A CLI tool for searching and watching videos on youtube with no spyware and MPV and yt-dlp

liquidctl – liquid cooler control Cross-platform tool and drivers for liquid coolers and other devices

Cross-platform CLI and Python drivers for AIO liquid coolers and other devices

Sink is a CLI tool that allows users to synchronize their local folders to their Google Drives. It is similar to the Git CLI and allows fast and reliable syncs with the drive.
Sink is a CLI tool that allows users to synchronize their local folders to their Google Drives. It is similar to the Git CLI and allows fast and reliable syncs with the drive.

Sink is a CLI synchronisation tool that enables a user to synchronise local system files and folders with their Google Drives. It follows a git C

A lightweight Python module and command-line tool for generating NATO APP-6(D) compliant military symbols from both ID codes and natural language names

Python military symbols This is a lightweight Python module, including a command-line script, to generate NATO APP-6(D) compliant military symbol icon

Python command line tool and python engine to label table fields and fields in data files.

Python command line tool and python engine to label table fields and fields in data files. It could help to find meaningful data in your tables and data files or to find Personal identifable information (PII).

A command line tool to hide and reveal information inside images (works for both PNGs and JPGs)
A command line tool to hide and reveal information inside images (works for both PNGs and JPGs)

Imgrerite A command line tool to hide and reveal information inside images (works for both PNGs and JPGs) Dependencies Python 3 Git Most of the Linux

gget is a free and open-source command-line tool and Python package that enables efficient querying of genomic databases.
gget is a free and open-source command-line tool and Python package that enables efficient querying of genomic databases.

gget is a free and open-source command-line tool and Python package that enables efficient querying of genomic databases. gget consists of a collection of separate but interoperable modules, each designed to facilitate one type of database querying in a single line of code.

Comments
  • Error using --base64 Option

    Error using --base64 Option

    Hey, When I use --base64 to obfuscate a script the resulting script can not be executed.

    The error is:

    Get-Command : Die Benennung "Get-Command" wurde nicht als Name eines Cmdlet, einer Funktion, einer Skriptdatei oder eines ausführbaren Programms erkannt. Überprüfen Sie die Schreibweise des Namens, oder ob der Pfad korrekt ist (sofern enthalten), und wiederholen Sie den Vorgang. In Zeile:1 Zeichen:1

    As you can see the highlighted section contains some invalid characters. Any reasons why this happens? Or am I doing something wrong?

    opened by MaxMax147 4
  • Adding random lettering in front of a function declaration

    Adding random lettering in front of a function declaration

    My simple statement is: python chameleon.py -o OUTPUT.ps1 -v Test1.ps1 . The only thing in Test1.ps1 is : -----------------------------------------------start of file function runmeforfun { Write-Host "Hey!" $variablenopurpose = "no purpose" Write-Host $variablenopurpose } #single line comment runmeforfun

    -------------------------------------------------end of file

    Unfortunately when I run the statement above I get this in the OUTPUT.ps1 file:

    -------------------------------------------------start of file function runmeforfun { Write-Host "Hey!" $obfuscatedrandomletteringnothereforpostingpurposes= "no purpose" Write-Host $obfuscatedrandomletteringnothereforpostingpurposes }

    runmeforfun -------------------------------------------------end of file

    Notice the comment is completely gone and there is now random lettering in front of the function, making the ps1 file now with errors and will not run.

    Upon further investigation it looks like the "zeroing out comments" section seems to be the problem

    Let me know if I have done something wrong or if this is an error with the python code!! Thank you!

    opened by AnnaMachovec 1
  • Improving single line commit replacement & regex for function replacement.

    Improving single line commit replacement & regex for function replacement.

    I tried to use the tool on adPEAS but got stuck on those two parts of the script. So I tried to fix those parts.

    Improving single line commit replacement & regex for function replacement.

    It now works with this example, having to test more scripts.

    opened by toxicphreAK 0
  • Functions not obfuscating

    Functions not obfuscating

    Hi! I am having trouble finding out as to why the functions are not obfuscating in my small script:

    test1.ps1--------------- function runmefor-fun { $variablenopurpose = "no purpose" Write-Host $variablenopurpose } #commment runmefor-fun #hi


    My command line is: chameleon.py -l 1 -o OUTPUT.ps1 -v -c -f Test1.ps1

    and my output file is this: --------------------------------

    function runmefor-fun { Write-Host "Hey!" $pretendreallylongobfuscationishortenedfordisplay = "no purpose" Write-Host $pretendreallylongobfuscationishortenedfordisplay

    } #commentthatislong runmefor-fun #commentthatislong

    any ideas as to why this will not work?

    bug good first issue 
    opened by AnnaMachovec 2
Owner
Lucky husband, proud father, and security researcher working for BSI
null
A very simple python script to encode and decode PowerShell one-liners.

PowerShell Encoder A very simple python script to encode and decode PowerShell one-liners. I used Raikia's PowerShell encoder ALOT, but one day it wen

John Tear 5 Jul 29, 2022
Yet another bash/zsh prompt script

Here we have yet another script for Git-aware customization of the command prompt in Bash and zsh. Unlike all the other scripts, I wrote this one, so

John T. Wodder II 5 Oct 13, 2021
Shellcode runner to execute malicious payload and bypass AV

buffshark-shellcode-runner Python Shellcode Runner to execute malicious payload and bypass AV This script utilizes mmap(for linux) and win api wrapper

Momo Lenard 9 Dec 29, 2022
Command line tool to automate transforming the effects of one color profile to another, possibly more standard one.

Finished rendering the frames of that animation, and now the colors look washed out and ugly? This terminal program will solve exactly that.

Eric Xue 1 Jan 26, 2022
🏃 Python3 Solutions of All Problems in GCJ 2022 (In Progress)

GoogleCodeJam 2022 Python3 solutions of Google Code Jam 2022. Solution begins with * means it will get TLE in the largest data set. Total computation

kamyu 12 Dec 20, 2022
Powerful yet easy command line calculator.

Powerful yet easy command line calculator.

Cruisen 1 Jul 22, 2022
Another (unofficial) Qt CLI Installer on multi-platforms

Another Qt installer(aqt) Release: Documentation: Test status: and Coverage: This is a utility alternative to the official graphical Qt installer, for

Hiroshi Miura 528 Jan 2, 2023
Command line interface to watch your childhood shows in hindi and english, designed with python

Sweet dreams: Most of your childhood shows Command line interface to watch your

Not Your Surya 3 Feb 13, 2022
A project designed to make taking notes easier than ever - by doing it all on command line

A project designed to make taking notes easier than ever - by doing it all on command line! Yes, all of your files are easily accessible through one command interface, and can be written to at any time! #ad #sponsored

null 1 Dec 10, 2021
A simple CLI based any Download Tool, that find files and let you stream or download thorugh WebTorrent CLI or Aria or any command tool

Privateer A simple CLI based any Download Tool, that find files and let you stream or download thorugh WebTorrent CLI or Aria or any command tool How

Shreyash Chavan 2 Apr 4, 2022