• This repository has been archived on 01/Feb/2024
  • Stars
    star
    481
  • Rank 91,384 (Top 2 %)
  • Language
    C#
  • License
    MIT License
  • Created over 2 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

.NET/PowerShell/VBA Offensive Security Obfuscator

Codecepticon version

Table of Contents

Introduction

Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

Codecepticon allows you to obfuscate and rewrite code, but also provides features such as rewriting the command line as well.

Read This First

! Before we begin !

  • This documentation is on how to install and use Codecepticon only. Compilation, usage, and support for tools like Rubeus and SharpHound will not be provided. Refer to each project's repo separately for more information.

  • Codecepticon is actively developed/tested in VS2022, but it should work in VS2019 as well. Any tickets/issues created for VS2019 and below, will not be investigated unless the issue is reproducible in VS2022. So please use the latest and greatest VS2022.

  • The following packages MUST be v3.9.0, as newer versions have the following issue which is still open: dotnet/roslyn#58463

    • Microsoft.CodeAnalysis.CSharp.Workspaces
    • Microsoft.CodeAnalysis.Workspaces.MSBuild

    Codecepticon checks the version of these packages on runtime and will inform you if the version is different to v3.9.0.

  • It cannot be stressed this enough: always test your obfuscated code locally first.

Prerequisites

Visual Studio Pro/Community 2022

VS2022 .NET

Roslyn Compiler

VS2022 Roslyn

Open and Compile

Open Codecepticon, wait until all NuGet packages are downloaded and then build the solution.

Using Codecepticon

There are two ways to use Codecepticon, either by putting all arguments in the command line or by passing a single XML configuration file. Due to the high level of supported customisations, It's not recommended manually going through --help output to try and figure out which parameters to use and how. Use CommandLineGenerator.html and generate your command quickly:

Command Line Generator

The command generator's output format can be either Console or XML, depending what you prefer. Console commands can be executed as:

Codecepticon.exe --action obfuscate --module csharp --verbose ...etc

While when using an XML config file, as:

Codecepticon.exe --config C:\Your\Path\To\The\File.xml

If you want to deep dive into Codecepticon's functionality, check out this document.

For tips you can use, check out this document.

C#

Obfuscating a C# project is simple, simply select the solution you wish to target. Note that a backup of the solution itself will not be taken, and the current one will be the one that will be obfuscated. Make sure that you can independently compile the target project before trying to run Codecepticon against it.

VBA/VB6

The VBA obfuscation works against source code itself rather than a Microsoft Office document. This means that you cannot pass a doc(x) or xls(x) file to Codecepticon. It will have to be the source code of the module itself (press Alt-F11 and copy the code from there).

PowerShell

Due to the complexity of PowerShell scripts, along with the freedom it provides in how to write scripts it is challenging to cover all edge cases and ensure that the obfuscated result will be fully functional. Although it's expected for Codecepticon to work fine against simple scripts/functionality, running it against complex ones such as PowerView will not work - this is a work in progress.

Obfuscating Command Line Arguments

After obfuscating an application or a script, it is very likely that the command line arguments have also been renamed. The solution to this is to use the HTML mapping file to find what the new names are. For example, let's convert the following command line:

SharpHound.exe --CollectionMethods DCOnly --OutputDirectory C:\temp\

By searching through the HTML mapping file for each argument, we get:

Mapping One

Mapping Two

Mapping Three

And by replacing all strings the result is:

ObfuscatedSharpHound.exe --AphylesPiansAsp TurthsTance --AnineWondon C:\temp\

However, some values may exist in more than one category:

Mapping Four

Therefore it is critical to always test your result in a local environment first.

Sign Executables

It is also possible to use Codecepticon to digitally sign executable files (your compiled output). Codecepticon can both generate a signing certificate for you, and also use it (or any other you may provide) to sign your target file. Please note that for this functionality you will need Microsoft's SignTool - although it should be automatically installed when you install Visual Studio 2022.

FAQ

Why isn't there a compiled version under Releases that I can download?

The compiled output includes a lot of dependency DLLs, which due to licensing requirements we can't re-distribute without written consent.

Does Codecepticon only work for C# projects that already have a supported profile?

No, Codecepticon should work with everything. The profiles are just a bit of extra tweaks that are done to the target project in order to make it more reliable and easier to work with.

But as all code is unique, there will be instances where obfuscating a project will end up with an error or two that won't allow it to be compiled or executed. In this case a new profile may be in order - please raise a new issue if this is the case.

Same principle applies to PowerShell/VBA code - although those currently have no profiles that come with Codecepticon, it's an easy task to add if some are needed.

Can I contribute?

For reporting bugs and suggesting new features, please create an issue.

For submitting pull requests, please see the Contributions section.

Troubleshooting

I'm using Codecepticon against a C# project, it runs, but afterwards I can't compile the target project.

Before running Codecepticon make sure you can compile a clean version of the target project. Very often when this issue appears, it's due to missing dependencies for the target solution rather than Codecepticon. But if it still doesn't compile:

  • Is it a public project? Create an issue and paste the link with as much detail as possible. If the tool is part of SharpCollection, even better.
  • Is it a private project? In the spirit of improving Codecepticon we'll try to provide as much support as possible via screenshots and error/debug messages. But we will not be accessing/running any clean/obfuscated code via private repos etc.

Same as above, but it's a PowerShell/VBA script - can you help?

I will do my best, but as PowerShell scripts can be VERY complex and the PSParser isn't as advanced as Roslyn for C#, no promises can be made. Same applies for VBA/VB6.

I keep getting: "Method not found: 'System.Collections.Immutable.ImmutableArray"

You may at some point encounter the following error:

Method not found

Still trying to get to the bottom of this one, a quick fix is to uninstall and reinstall the System.Collections.Immutable package, from the NuGet Package Manager.

Contributions

Whether it's a typo, a bug, or a new feature, Codecepticon is very open to contributions as long as we agree on the following:

  • You are OK with the MIT license of this project.
  • Before creating a pull request, create an issue so it could be discussed before doing any work as internal development is not tracked via the public GitHub repository. Otherwise you risk having a pull request rejected if for example we are already working on the same/similar feature, or for any other reason.

References / Credits

More Repositories

1

AmpliGraph

Python library for Representation Learning on Knowledge Graphs https://docs.ampligraph.org
Python
2,147
star
2

Spartacus

Spartacus DLL/COM Hijacking Toolkit
C#
989
star
3

adop-docker-compose

Talk to us on Gitter: https://gitter.im/Accenture/ADOP
Shell
765
star
4

reactive-interaction-gateway

Create low-latency, interactive user experiences for stateless microservices.
Elixir
590
star
5

jenkins-attack-framework

Python
554
star
6

VulFi

IDA Pro plugin for query based searching within the binary useful mainly for vulnerability research.
Python
532
star
7

Ocaramba

C# Framework to automate tests using Selenium WebDriver
C#
277
star
8

CLRvoyance

Managed assembly shellcode generation
Assembly
263
star
9

protobuf-finder

IDA Pro plugin for reconstructing original .proto files from binary.
Python
256
star
10

alexia

A Framework for creating Amazon Echo (Alexa) skills using Node.js
JavaScript
164
star
11

adop-jenkins

Groovy
152
star
12

sfmc-devtools

Fast-track your developers and devops engineers by allowing them to programmatically copy-paste / deploy changes and work offline
JavaScript
137
star
13

Labs-Federated-Learning

Accenture Labs Federated Learning
92
star
14

FirmLoader

Python
90
star
15

mercury

Reference engine for composable applications
Java
81
star
16

serverless-ephemeral

This is a Serverless Framework plugin that helps bundling any stateless zipped library to AWS Lambda.
JavaScript
67
star
17

adop-platform-management

Groovy
60
star
18

adop-cartridge-java

Groovy
59
star
19

Condstanta

Python
56
star
20

EcoSonar

EcoSonar, the ecodesign audit tool
JavaScript
54
star
21

bdd-for-all

Flexible and easy to use library to enable your behavorial driven development (BDD) teams to easily collaborate while promoting automation, transparency and reporting.
Java
51
star
22

Cymple

Cymple - a productivity tool for creating Cypher queries in Python
Python
49
star
23

adop-gerrit

Shell
45
star
24

adop-aws

This repository contains a hardened, 2-tiered implementation of the DevOps Platform -> https://github.com/Accenture/adop-docker-compose
35
star
25

AARO-Bugs

Vulnerabilities, exploits, and PoCs
C
34
star
26

AIR

A deep learning object detector framework written in Python for supporting Land Search and Rescue Missions.
Python
30
star
27

generator-mario

Generator for Backbone/Marionette applications with lots of bells and whistles to help keep a non-trivial sized application moving forward at a breakneck pace!
JavaScript
29
star
28

sfmc-customapp

JavaScript
28
star
29

DBTestCompare

Application to compare results of two SQL queries
Java
25
star
30

AutoFixture.XUnit2.AutoMock

Autofixture auto-mocking for XUnit2 using a mocking library of your choice.
C#
22
star
31

kx.as.code

kx.as.code
Shell
19
star
32

openathon-2019-angular

IV OpenAthon CSE - Angular
TypeScript
19
star
33

OSDU-Ontology

An ontology designed for oil and gas, and subsurface energy data based on the industry standards.
HTML
18
star
34

alexia-starter-kit

Starter Kit project with sample Amazon Echo skill created using Alexia Framework
JavaScript
17
star
35

mv-unreal-aws

C++
16
star
36

tldr

The Lightweight Docker Runtime
Shell
15
star
37

pyheal

PyHeal is a Python wrapper for Microsoft SEAL aimed at making operations easier to use.
Python
15
star
38

openathon-2019-react

Openathon edition organised for the Accenture Technology Custom Open Cloud community where we will have again the opportunity to discover, in a practical way, the possibilities offered by the different architectures and leading frameworks in the market.
JavaScript
15
star
39

openathon-2019-docker

13
star
40

mercury-python

Python language pack for Mercury
Python
12
star
41

openathon-2020-serverless

Openathon VI - Custom Software Engineering
HTML
11
star
42

adop-sonar

Shell
11
star
43

waterfall-config

A simplistic configuration library for Java, heavily based on Typesafehub Config with some additional opinionated features
Java
9
star
44

sfmc-connector

Apex
8
star
45

askme

askme is a simple application designed to solicit immediate feedback during public speaking engagements, and is used as a demo app for multiple application architecture and dev process demos. It's also a cool and useful application in its own right.
JavaScript
8
star
46

adop-nexus

Shell
7
star
47

sfmc-devtools-copado

SFMC DevTools made easy using Copado Multi-Cloud's webinterface
JavaScript
7
star
48

mercury-composable

Reference implementation toolkit for writing composable applications
Java
7
star
49

adop-nginx

CSS
6
star
50

openathon-2020-python

openathon-2020-python
Python
6
star
51

ALM-SF-Metadata-API-Python-Tools

ALM SF Metadata API Python Tools
Python
6
star
52

DX-Mate

DX Mate
TypeScript
5
star
53

sfmc-devtools-vscode

Accenture SFMC DevTools for VS Code
TypeScript
5
star
54

Off-chain-storage-verification

A Blockchain-based Auditing Framework for Off-chain Storage
JavaScript
5
star
55

grails-spring-security-oauth-azure

grails-spring-security-oauth-azure
Groovy
5
star
56

mac-enablement

Shell
5
star
57

ALM-SF-DX-Python-Tools

ALM SF DX Python Tools
Python
5
star
58

adop-jenkins-worker

Dockerfile
4
star
59

adop-ldap-phpadmin

Shell
4
star
60

hiera-aws-sm

A Hiera 5 backend for AWS Secrets Manager
Ruby
4
star
61

Cockpit

Java
4
star
62

digital-products-boosters

digital-products-boosters
JavaScript
4
star
63

ALM-SF-DX-Pipelines

ALM SF DX Pipelines
Groovy
4
star
64

ALM-SF-Metadata-API-Pipelines

ALM SF Metadata API Pipelines
Groovy
4
star
65

openathon-2018-spring-boot-cloud

Materials (detailed guideline and exemplar solution) for the first Openathon organized by Accenture Technology Custom Software Engineering practice in Spain, focused on learning the basic to microservice development with Spring Boot and Spring Cloud.
Java
4
star
66

adop-cartridge-java-regression-tests

Java
3
star
67

speech2spikes

Python
3
star
68

mercury-nodejs

Reference engine for composable applications
TypeScript
3
star
69

alexa-pokitdok

JavaScript
3
star
70

cna-aws-cdk-patterns

TypeScript
3
star
71

openathon-2019-appian

OpenAthon 2019 - Appian
3
star
72

openathon-2021-quarkus

openathon-2021-quarkus
Shell
3
star
73

adop-cartridge-specification

Shell
3
star
74

adop-sensu

Ruby
3
star
75

azure-arc-playground-builder

Azure Arc Quickstart showcasing Arc-enabled App Service & Data Services
Shell
3
star
76

can_dlc_fuzzer

C++
3
star
77

tldr-alb

Application Load Balancer container for the The Lightweight Docker Runtime
Shell
2
star
78

evil_update

C
2
star
79

adop-cartridge-java-pipeline

Groovy
2
star
80

energy-consumption-measuring-toolkit

Python
2
star
81

openathon-2019-docker-spring-boot-app

Java
2
star
82

adop-cartridge-java-environment-template

2
star
83

DBTestCompareGenerator

Tool for generating database tests
C#
2
star
84

Mendix.RecaptchaWidget

JavaScript
2
star
85

adop-ldap-ltb

PHP
2
star
86

morpheus-data-api

Python client to Morpheus Data API https://apidocs.morpheusdata.com
Python
2
star
87

reactive_technologylearningpills

Technology Learning Pills: Reactive
TypeScript
2
star
88

adop-platform-extension-chef

Chef Server v12 extension for the ADOP platform.
2
star
89

Docknet

A pure Numpy implementation of neural networks for educational purposes
Jupyter Notebook
2
star
90

NEC850_Architecture

C++
2
star
91

Mendix.ObjectivityCommons

Java
1
star
92

Mendix.GlobusTheme

Objectivityโ€™s UI resources module and theme for building apps on the Mendix 9 platform.
SCSS
1
star
93

Mendix.IfElse

JavaScript
1
star
94

adop-logstash

1
star
95

Shakespeare_RNN

Python
1
star
96

adop-gitlab

Shell
1
star
97

CIFR_Yara

YARA
1
star
98

Mendix.CssClassSwitcher

A Mendix widget that adds CSS classes determined by a microflow (or nanoflow) to elements determined by CSS selector.
CSS
1
star
99

docker-plaso

Makefile
1
star
100

openathon-2019-docker-angular-app

TypeScript
1
star