Error in "Out-ObfuscatedStringCommand"

[G-e-V-e]

While doing bulk obfuscations using -Command 'TOKEN\ALL\1,ENCODING\6,STRING\2' I got an error while calling "Out-ObfuscatedStringCommand" at line 1246 in "Invoke-Obfuscation.ps1". Only 1 PowerShell function out of 44 had that issue, but it has it consistently.

$error[0]|select *

PSMessageDetails :
Exception : System.Management.Automation.ParameterBindingValidationException: Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provi
de an argument that is not null or empty, and then try the command again. ---> System.Management.Automation.ValidationMetadataException: The argument is nu
ll or empty. Provide an argument that is not null or empty, and then try the command again.
at System.Management.Automation.ValidateNotNullOrEmptyAttribute.Validate(Object arguments, EngineIntrinsics engineIntrinsics)
at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, Parame
terBindingFlags flags)
--- End of inner exception stack trace ---
at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, Parame
terBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal argument, MergedCompiledCommandParameter paramete
r, ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32 parameterSets, CommandParameterInternal argument, MergedCompiledCom
mandParameter parameter, ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameters(UInt32 parameterSets, Collection1 arguments) at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidation(Collection1 arguments)
at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection1 arguments) at System.Management.Automation.CommandProcessor.BindCommandLineParameters() at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary psDefaultParameterValues) at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream) at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input) at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[ ] pipeElementAsts, CommandRedirection[][] commandRedirections, FunctionContext funcContext) at lambda_method(Closure , Object[] , StrongBox1[] , InterpretedFrame )
TargetObject :
CategoryInfo : InvalidData: (:) [Out-ObfuscatedStringCommand], ParameterBindingValidationException
FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedStringCommand
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at Show-Menu, G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1: line 1246
at Invoke-Obfuscation, G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1: line 532
at , : line 1
PipelineIterationInfo : {}

Here is the (zipped) input PowerShell script triggering that error:
Function Test-ADPassword.zip

Kind regards, Geeeert

[cobbr]

@Geeeert Can you post the exact Invoke-Obfuscation command you are running, and the version of PowerShell you are using?

I can't seem to reproduce the issue with:

PS > Invoke-Obfuscation -ScriptPath .\Test-ADPassword.ps1 -Command 'Token\All\1,Encoding\6,String\2' -Quiet

[G-e-V-e]

Hi,

$PSVersionTable returns:

PSVersion 5.1.14409.1012
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14409.1012
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

I do more or less the same as you do:
$Scriptpath = "C:\Users\Geeeert\Documents\Functions\Function New-ADPassword.ps1"
$Obfuscate = 'TOKEN\ALL\1,ENCODING\6,STRING\2'
Invoke-Obfuscation -ScriptPath $ScriptPath -Command $Obfuscate -Quiet | Out-File $OutPath

The funny thing is... I had the same error twice in a row but now I can't reproduce it again on that same laptop. Judging from the result, I suppose a lot of randomizing is going on in these Out-xxx scripts, so maybe it's just a matter of chance whether it hits or not?

I leave it up to you if you investigate more time or just drop it. I noticed that some of these obfuscated scripts don't run successfully either. After all, this module is supposed to be a demo of the power of obfuscating powershell, right?

Kind regards, Geeeert

[danielbohannon]

"I noticed that some of these obfuscated scripts don't run successfully either."

Can you provide any more information regarding the errors you are seeing when running the obfuscated scripts? Or can you provide these resultant scripts?

[G-e-V-e]

Hi,

It depends very much on which obfuscation-command being given whether the resulting script(s) get obfuscated at all or run successfully after obfuscation. I had a runtime error while running the obfuscated equivalent of one of the smallest functions I know:

Function Get-ShortName
{BEGIN {$fso = New-Object -ComObject Scripting.FileSystemObject}
PROCESS {if ($.psiscontainer)
{$fso.getfolder($.fullname).ShortName}
else {$fso.getfile($_.fullname).ShortName} } }
Get-Childitem "C:\Users\Geeeert\Documents\any existing file.txt" | Get-ShortName

Sometimes the resulting script works after obfuscation, sometimes it doesn't.

I ran the same bulk obfuscation command again, and I got up to 3 errors out of 48 scripts being obfuscated. The command was 'TOKEN\ALL\1,ENCODING\6,STRING\2'

2 errors had this errortext:
Exception calling "NewScriptBlock" with "1" argument(s): "At line:1 char:8178

• ... 98c98o98w63N79R72R98>98<98o98m63>98m79o72w79N72R63>98c79w72'(-crEpLAc ...

•                                                             ~
  

Unexpected token '(' in expression or statement.
At line:1 char:8178

• ... J98c98o98w63N79R72R98>98<98o98m63>98m79o72w79N72R63>98c79w72'(-crEpLA ...

•                                                              ~
  

Missing closing ')' in expression.
At line:1 char:8525

• ... %{CHAr } )+" $( sET-Item 'VarIAble:ofS' ' ') " )

•                                                                      ~
  

Missing closing ')' in expression."
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1180 char:25

• ... $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand. ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : ParseException

Out-ObfuscatedStringCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the c
ommand again.
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1246 char:108

• ... scatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLev ...

•                                        ~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Out-ObfuscatedStringCommand], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedStringCommand

1 error had this errortext:
Exception calling "NewScriptBlock" with "1" argument(s): "At line:44 char:90

• ... FirstName+'.'+$Lastname.Substring(0,$MaxLength-($FirstName.Length+1)}

•                                                                     ~
  

Missing ')' in method call."
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1180 char:25

• ... $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand. ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : ParseException

Out-ObfuscatedTokenCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the co
mmand again.
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1238 char:108

• ... Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock

•                                                ~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Out-ObfuscatedTokenCommand], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedTokenCommand

Exception calling "NewScriptBlock" with "1" argument(s): "At line:44 char:90

• ... FirstName+'.'+$Lastname.Substring(0,$MaxLength-($FirstName.Length+1)}

•                                                                     ~
  

Missing ')' in method call."
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1180 char:25

• ... $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand. ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : ParseException

Out-EncodedBXORCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the comman
d again.
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1270 char:108

• ... dedBXORCommand -ScriptBlock $ObfCommandScriptBlock -PassTh ...

•                                        ~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Out-EncodedBXORCommand], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationError,Out-EncodedBXORCommand

Exception calling "NewScriptBlock" with "1" argument(s): "At line:44 char:90

• ... FirstName+'.'+$Lastname.Substring(0,$MaxLength-($FirstName.Length+1)}

•                                                                     ~
  

Missing ')' in method call."
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1180 char:25

• ... $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand. ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : ParseException

Out-ObfuscatedStringCommand : Cannot validate argument on parameter 'ScriptBlock'. The argument is null or empty. Provide an argument that is not null or empty, and then try the c
ommand again.
At G:\Software\PowerShell\Modules\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1246 char:108

• ... scatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLev ...

•                                        ~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidData: (:) [Out-ObfuscatedStringCommand], ParameterBindingValidationException
  • FullyQualifiedErrorId : ParameterArgumentValidationError,Out-ObfuscatedStringCommand

So, instead of attaching the scripts getting an error while being obfuscated, I attach the snippet of PowerShell code I use to do the bulk obfuscation. It's not perfect, I know, but it may give you the opportunity to find out four yourself where, when and why things go wrong. Obfuscating "Function Test-ADPassword.ps1" (as passed in the original issue) still results in error quite often.

For me, this invoke-obfuscation module is just demo stuff: it doesn't have to be working 100% of the time. It would be nice if it does though. Btw, there are other ways to add to PowerShell obfuscation, such as code injection.

Kind regards, Geeeert
Obfuscate-Script.zip