Kali Linux

Codecepticon : .NET Application That Allows You To Obfuscate C#, VBA/VB6 (Macros), And PowerShell Source Code

Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.

Codecepticon allows you to obfuscate and rewrite code, but also provides features such as rewriting the command line as well.

Read This First

! Before we begin !

  • This documentation is on how to install and use Codecepticon only. Compilation, usage, and support for tools like Rubeus and SharpHound will not be provided. Refer to each project’s repo separately for more information.
  • Codecepticon is actively developed/tested in VS2022, but it should work in VS2019 as well. Any tickets/issues created for VS2019 and below, will not be investigated unless the issue is reproducible in VS2022. So please use the latest and greatest VS2022.
  • The following packages MUST be v3.9.0, as newer versions have the following issue which is still open: dotnet/roslyn#58463
    • Microsoft.CodeAnalysis.CSharp.Workspaces
    • Microsoft.CodeAnalysis.Workspaces.MSBuild
    Codecepticon checks the version of these packages on runtime and will inform you if the version is different to v3.9.0.
  • It cannot be stressed this enough: always test your obfuscated code locally first.

Prerequisites

Visual Studio Pro/Community 2022

Roslyn Compiler

Open and Compile

Open Codecepticon, wait until all NuGet packages are downloaded and then build the solution.

Using Codecepticon

There are two ways to use Codecepticon, either by putting all arguments in the command line or by passing a single XML configuration file. Due to the high level of supported customisations, It’s not recommended manually going through --help output to try and figure out which parameters to use and how. Use CommandLineGenerator.html and generate your command quickly:

The command generator’s output format can be either Console or XML, depending what you prefer. Console commands can be executed as:

Codecepticon.exe --action obfuscate --module csharp --verbose ...etc

While when using an XML config file, as:

Codecepticon.exe --config C:\Your\Path\To\The\File.xml

If you want to deep dive into Codecepticon’s functionality, check out this document.

For tips you can use, check out this document.

C#

Obfuscating a C# project is simple, simply select the solution you wish to target. Note that a backup of the solution itself will not be taken, and the current one will be the one that will be obfuscated. Make sure that you can independently compile the target project before trying to run Codecepticon against it.

VBA/VB6

The VBA obfuscation works against source code itself rather than a Microsoft Office document. This means that you cannot pass a doc(x) or xls(x) file to Codecepticon. It will have to be the source code of the module itself (press Alt-F11 and copy the code from there).

PowerShell

Due to the complexity of PowerShell scripts, along with the freedom it provides in how to write scripts it is challenging to cover all edge cases and ensure that the obfuscated result will be fully functional. Although it’s expected for Codecepticon to work fine against simple scripts/functionality, running it against complex ones such as PowerView will not work – this is a work in progress.

Obfuscating Command Line Arguments

After obfuscating an application or a script, it is very likely that the command line arguments have also been renamed. The solution to this is to use the HTML mapping file to find what the new names are. For example, let’s convert the following command line:

SharpHound.exe --CollectionMethods DCOnly --OutputDirectory C:\temp\

By searching through the HTML mapping file for each argument, we get:

And by replacing all strings the result is:

ObfuscatedSharpHound.exe --AphylesPiansAsp TurthsTance --AnineWondon C:\temp\

However, some values may exist in more than one category:

Therefore it is critical to always test your result in a local environment first.

R K

Recent Posts

ModTask – Task Scheduler Attack Tool

ModTask is an advanced C# tool designed for red teaming operations, focusing on manipulating scheduled…

20 hours ago

HellBunny : Advanced Shellcode Loader For EDR Evasio

HellBunny is a malleable shellcode loader written in C and Assembly utilizing direct and indirect…

20 hours ago

SharpRedirect : A Lightweight And Efficient .NET-Based TCP Redirector

SharpRedirect is a simple .NET Framework-based redirector from a specified local port to a destination…

20 hours ago

Flyphish : Mastering Cloud-Based Phishing Simulations For Security Assessments

Flyphish is an Ansible playbook allowing cyber security consultants to deploy a phishing server in…

2 days ago

DeLink : Decrypting D-Link Firmware Across Devices With A Rust-Based Library

A crypto library to decrypt various encrypted D-Link firmware images. Confirmed to work on the…

2 days ago

LLM Lies : Hallucinations Are Not Bugs, But Features As Adversarial Examples

LLMs (e.g., GPT-3.5, LLaMA, and PaLM) suffer from hallucination—fabricating non-existent facts to cheat users without…

2 days ago