Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

Codecepticon allows you to obfuscate and rewrite code, but also provides features such as rewriting the command line as well.

Read This First

! Before we begin !

  • This documentation is on how to install and use Codecepticon only. Compilation, usage, and support for tools like Rubeus and SharpHound will not be provided. Refer to each project’s repo separately for more information.
  • Codecepticon is actively developed/tested in VS2022, but it should work in VS2019 as well. Any tickets/issues created for VS2019 and below, will not be investigated unless the issue is reproducible in VS2022. So please use the latest and greatest VS2022.
  • The following packages MUST be v3.9.0, as newer versions have the following issue which is still open: dotnet/roslyn#58463
    • Microsoft.CodeAnalysis.CSharp.Workspaces
    • Microsoft.CodeAnalysis.Workspaces.MSBuild
    Codecepticon checks the version of these packages on runtime and will inform you if the version is different to v3.9.0.
  • It cannot be stressed this enough: always test your obfuscated code locally first.

Prerequisites

Visual Studio Pro/Community 2022

Roslyn Compiler

Open and Compile

Open Codecepticon, wait until all NuGet packages are downloaded and then build the solution.

Using Codecepticon

There are two ways to use Codecepticon, either by putting all arguments in the command line or by passing a single XML configuration file. Due to the high level of supported customisations, It’s not recommended manually going through --help output to try and figure out which parameters to use and how. Use CommandLineGenerator.html and generate your command quickly:

The command generator’s output format can be either Console or XML, depending what you prefer. Console commands can be executed as:

Codecepticon.exe --action obfuscate --module csharp --verbose ...etc

While when using an XML config file, as:

Codecepticon.exe --config C:\Your\Path\To\The\File.xml

If you want to deep dive into Codecepticon’s functionality, check out this document.

For tips you can use, check out this document.

C#

Obfuscating a C# project is simple, simply select the solution you wish to target. Note that a backup of the solution itself will not be taken, and the current one will be the one that will be obfuscated. Make sure that you can independently compile the target project before trying to run Codecepticon against it.

VBA/VB6

The VBA obfuscation works against source code itself rather than a Microsoft Office document. This means that you cannot pass a doc(x) or xls(x) file to Codecepticon. It will have to be the source code of the module itself (press Alt-F11 and copy the code from there).

PowerShell

Due to the complexity of PowerShell scripts, along with the freedom it provides in how to write scripts it is challenging to cover all edge cases and ensure that the obfuscated result will be fully functional. Although it’s expected for Codecepticon to work fine against simple scripts/functionality, running it against complex ones such as PowerView will not work – this is a work in progress.

Obfuscating Command Line Arguments

After obfuscating an application or a script, it is very likely that the command line arguments have also been renamed. The solution to this is to use the HTML mapping file to find what the new names are. For example, let’s convert the following command line:

SharpHound.exe --CollectionMethods DCOnly --OutputDirectory C:\temp\

By searching through the HTML mapping file for each argument, we get:

And by replacing all strings the result is:

ObfuscatedSharpHound.exe --AphylesPiansAsp TurthsTance --AnineWondon C:\temp\

However, some values may exist in more than one category:

Therefore it is critical to always test your result in a local environment first.

LEAVE A REPLY

Please enter your comment!
Please enter your name here