python-obfuscation-framework 1.4.1__py3-none-any.whl

pof/__init__.py

@@ -0,0 +1,21 @@
+# POF, a free and open source Python obfuscation framework.
+# Copyright (C) 2022-2024  POF Team
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from pof.main import BaseObfuscator, Obfuscator
+
+__version__ = "1.4.1"
+
+__all__ = ("BaseObfuscator", "Obfuscator", "__version__")

pof/__main__.py

@@ -0,0 +1,22 @@
+# POF, a free and open source Python obfuscation framework.
+# Copyright (C) 2022-2024  POF Team
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import sys
+
+from pof.cli import _cli
+
+if __name__ == "__main__":
+    sys.exit(_cli())  # pragma: no cover

pof/cli.py

@@ -0,0 +1,187 @@
+import argparse
+import logging
+import sys
+import time
+
+from pof import Obfuscator, __version__
+from pof.errors import PofError
+from pof.evasion import *  # noqa: F403
+from pof.evasion import __all__ as all_evasion
+from pof.obfuscator import *  # noqa: F403
+from pof.obfuscator import __all__ as all_obfuscator
+from pof.stager import *  # noqa: F403
+from pof.stager import __all__ as all_stager
+
+
+class PofCliError(PofError):
+    pass
+
+
+class CLIObfuscator(Obfuscator):
+    def obfuscator(self, source, obfuscator, *args, **kwargs):
+        """Execute a single obfuscator."""
+        tokens = self._get_tokens(source)
+
+        try:
+            if "Obfuscator" not in obfuscator:
+                msg = "this is not an obfuscator"
+                raise KeyError(msg)  # noqa: TRY301
+            obf = globals()[obfuscator]
+        except KeyError as err:
+            lobf = ", ".join([e for e in all_obfuscator if "Obfuscator" in e])
+            msg = f"obfuscator {obfuscator} not found in: {lobf}"
+            raise PofCliError(msg) from err
+
+        logging.info(f"using '{obf.__name__}' obfuscator")
+        logging.debug(f"args={args}")
+        logging.debug(f"kwargs={kwargs}")
+        tokens = globals()[obfuscator](*args, **kwargs).obfuscate_tokens(tokens)
+        return self._untokenize(tokens)
+
+    def stager(self, source, stager, *args, **kwargs):
+        """Execute a single stager."""
+        tokens = self._get_tokens(source)
+
+        try:
+            if "Stager" not in stager:
+                msg = "this is not a stager"
+                raise KeyError(msg)  # noqa: TRY301
+            obf = globals()[stager]
+        except KeyError as err:
+            lpl = ", ".join([e for e in all_stager if "Stager" in e])
+            msg = f"stager '{stager}' not found in: {lpl}"
+            raise PofCliError(msg) from err
+
+        logging.info(f"using '{obf.__name__}' stager")
+        logging.debug(f"{args=}")
+        logging.debug(f"{kwargs=}")
+        tokens = globals()[stager](*args, **kwargs).generate_stager(tokens)
+        return self._untokenize(tokens)
+
+    def evasion(self, source, evasion, *args, **kwargs):
+        """Execute a single evasion method."""
+        tokens = self._get_tokens(source)
+
+        try:
+            if "Evasion" not in evasion:
+                msg = "this is not an evasion method"
+                raise KeyError(msg)  # noqa: TRY301
+            obf = globals()[evasion]
+        except KeyError as err:
+            lobf = ", ".join([e for e in all_evasion if "Evasion" in e])
+            msg = f"evasion {evasion} not found in: {lobf}"
+            raise PofCliError(msg) from err
+
+        logging.info(f"using '{obf.__name__}' evasion")
+        logging.debug(f"{args=}")
+        logging.debug(f"{kwargs=}")
+        tokens = globals()[evasion](*args, **kwargs).add_evasion(tokens)
+        return self._untokenize(tokens)
+
+
+handler = logging.StreamHandler()
+formatter = logging.Formatter("%(levelname)s %(message)s\x1b[39m")
+
+# colored logging
+logging.addLevelName(logging.DEBUG, "\x1b[36m[*]")
+logging.addLevelName(logging.INFO, "\x1b[32m[+]")
+logging.addLevelName(logging.WARNING, "\x1b[33m[?]")
+logging.addLevelName(logging.ERROR, "\x1b[31m[!]")
+logging.addLevelName(logging.CRITICAL, "\x1b[31m[!!!]")
+
+handler.setFormatter(formatter)
+
+logging.basicConfig(level=logging.INFO, handlers=[handler])
+
+
+def _handle(args):
+    if args.version:
+        print(__version__)  # noqa: T201
+        return 0
+
+    level = getattr(logging, args.logging)
+    logger = logging.getLogger()
+    logger.setLevel(level)
+
+    a = []
+    k = {}
+    if args.kwargs is not None:
+        for e in args.kwargs:
+            if "=" in e:
+                key, value = e.split("=")
+                k.update({key: value})
+            else:
+                a.append(e)
+
+    logging.info(f"starting obfuscation of {args.input.name}")
+    source = args.input.read()
+    start = time.time()
+
+    out = CLIObfuscator().__getattribute__(args.function)(source, *a, **k)
+
+    end = time.time()
+    time_diff = round(end - start, 4)
+    logging.info(f"took: {time_diff}s")
+    args.output.write(out)
+    logging.info(f"successfully obfuscated {args.input.name} to {args.output.name}")
+    # no errors
+    return 0
+
+
+def _cli():
+    parser = argparse.ArgumentParser(
+        prog="obfuscate",
+        description="%(prog)s CLI tool to obfuscate Python source code.",
+    )
+    parser.add_argument("-v", "--version", action="store_true")
+    parser.add_argument(
+        "--raise-exceptions",
+        action="store_true",
+        help="Raise exceptions instead of just printing them.",
+    )
+    parser.add_argument(
+        "input",
+        nargs="?",  # required to be able to pipe to stdin
+        help="input file",
+        type=argparse.FileType("r"),
+        default=sys.stdin,
+    )
+    parser.add_argument(
+        "-o",
+        "--output",
+        help="output file",
+        type=argparse.FileType("w"),
+        default=sys.stdout,
+    )
+    parser.add_argument(
+        "-f",
+        "--function",
+        help="obfuscation function",
+        default="obfuscate",
+    )
+    parser.add_argument(
+        "--logging",
+        help="logging level, INFO, DEBUG, ERROR, CRITICAL",
+        default="INFO",
+    )
+    parser.add_argument(
+        "-k",
+        "--kwargs",
+        help="variables for obfuscator",
+        nargs="*",
+    )
+
+    args = parser.parse_args()
+
+    try:
+        return _handle(args)
+    except Exception as e:
+        logging.error(str(e))  # noqa: TRY400
+        if args.raise_exceptions:
+            raise
+        logging.debug("use `--raise-exceptions` to see full trace back.")
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(_cli())  # pragma: no cover

pof/errors.py

@@ -0,0 +1,2 @@
+class PofError(Exception):
+    pass

pof/evasion/__init__.py

@@ -0,0 +1,57 @@
+from .argv import ArgvEvasion
+from .cpu.cpu_count import CPUCountEvasion
+from .fs.directory_exist import DirectoryExistEvasion
+from .fs.directory_list_exist import DirectoryListExistEvasion
+from .fs.directory_list_missing import DirectoryListMissingEvasion
+from .fs.directory_missing import DirectoryMissingEvasion
+from .fs.exec_method import ExecMethodEvasion
+from .fs.executable_path import ExecPathEvasion
+from .fs.file_exist import FileExistEvasion
+from .fs.file_list_exist import FileListExistEvasion
+from .fs.file_list_missing import FileListMissingEvasion
+from .fs.file_missing import FileMissingEvasion
+from .fs.tmp import LinuxTmpCountEvasion, TmpCountEvasion, WinTmpCountEvasion
+from .hardware.ram_count import LinuxRAMCountEvasion
+from .hooks.debugger import DebuggerEvasion
+from .hooks.tracemalloc import TracemallocEvasion
+from .human.prompt import WinPromptEvasion
+from .multi import MultiEvasion
+from .os.domain import DomainEvasion
+from .os.hostname import HostnameEvasion
+from .os.uid import LinuxUIDEvasion
+from .os.username import UsernameEvasion
+from .processes.proc_count import LinuxProcCountEvasion
+from .time.expire import ExpireEvasion
+from .time.uptime import LinuxUptimeEvasion
+from .time.utc import UTCEvasion
+
+__all__ = [
+    "ArgvEvasion",
+    "CPUCountEvasion",
+    "DebuggerEvasion",
+    "DirectoryExistEvasion",
+    "DirectoryListExistEvasion",
+    "DirectoryListMissingEvasion",
+    "DirectoryMissingEvasion",
+    "DomainEvasion",
+    "ExecMethodEvasion",
+    "ExecPathEvasion",
+    "ExpireEvasion",
+    "FileExistEvasion",
+    "FileListExistEvasion",
+    "FileListMissingEvasion",
+    "FileMissingEvasion",
+    "HostnameEvasion",
+    "LinuxProcCountEvasion",
+    "LinuxRAMCountEvasion",
+    "LinuxTmpCountEvasion",
+    "LinuxUIDEvasion",
+    "LinuxUptimeEvasion",
+    "MultiEvasion",
+    "TmpCountEvasion",
+    "TracemallocEvasion",
+    "UTCEvasion",
+    "UsernameEvasion",
+    "WinPromptEvasion",
+    "WinTmpCountEvasion",
+]

pof/evasion/argv.py

@@ -0,0 +1,44 @@
+from tokenize import NAME, NUMBER, OP, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class ArgvEvasion(BaseEvasion):
+    """Ensure that the correct argument is passed."""
+
+    def __init__(self, argv="argv", position=1) -> None:
+        self.argv = argv
+        # can put -1 in position to select the last argument
+        self.position = position
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "sys"),
+        ]
+
+    def check_tokens(self):
+        """Validates system does not use UTC timezone.
+
+        `len(sys.argv)==1 or sys.argv[1]!="123"`
+        """
+        return [
+            (NAME, "len"),
+            (OP, "("),
+            (NAME, "sys"),
+            (OP, "."),
+            (NAME, "argv"),
+            (OP, ")"),
+            (OP, "=="),
+            (NUMBER, str(self.position)),
+            (NAME, "or"),
+            (NAME, "sys"),
+            (OP, "."),
+            (NAME, "argv"),
+            (OP, "["),
+            (NUMBER, str(self.position)),
+            (OP, "]"),
+            (OP, "!="),
+            (STRING, repr(self.argv)),
+        ]

pof/evasion/base.py

@@ -0,0 +1,48 @@
+from tokenize import DEDENT, INDENT, LPAR, NAME, NEWLINE, OP, RPAR, STRING
+
+
+class BaseEvasion:
+    # add evasion class name inside the exception
+    ADD_CLASS_NAME = True
+
+    @classmethod
+    def fail_call_tokens(cls):
+        return [
+            (NAME, "raise"),
+            (NAME, "Exception"),
+            (LPAR, "("),
+            (
+                STRING,
+                (
+                    repr(cls.__class__.__name__)
+                    if cls.ADD_CLASS_NAME
+                    else repr("evasion check triggered")
+                ),
+            ),
+            (RPAR, ")"),
+        ]
+
+    @staticmethod
+    def import_tokens():
+        return []
+
+    @staticmethod
+    def check_tokens():
+        return []
+
+    def add_evasion(self, tokens):
+        return [
+            *self.import_tokens(),
+            (NEWLINE, "\n"),
+            (NAME, "if"),
+            (LPAR, "("),
+            *self.check_tokens(),
+            (RPAR, ")"),
+            (OP, ":"),
+            (NEWLINE, "\n"),
+            (INDENT, "    "),
+            *self.fail_call_tokens(),
+            (NEWLINE, "\n"),
+            (DEDENT, ""),
+            *tokens,
+        ]

pof/evasion/cpu/cpu_count.py

@@ -0,0 +1,27 @@
+from tokenize import LPAR, NAME, NUMBER, OP, RPAR
+
+from pof.evasion.base import BaseEvasion
+
+
+class CPUCountEvasion(BaseEvasion):
+    def __init__(self, min_cpu_count: int = 2) -> None:
+        self.min_cpu_count = min_cpu_count
+
+    @staticmethod
+    def import_tokens() -> list[tuple[int, str]]:
+        return [
+            (NAME, "import"),
+            (NAME, "multiprocessing"),
+        ]
+
+    def check_tokens(self) -> list[tuple[int, str]]:
+        """`multiprocessing.cpu_count() < 2`."""
+        return [
+            (NAME, "multiprocessing"),
+            (OP, "."),
+            (NAME, "cpu_count"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, "<"),
+            (NUMBER, str(self.min_cpu_count)),
+        ]

pof/evasion/fs/directory_exist.py

@@ -0,0 +1,29 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class DirectoryExistEvasion(BaseEvasion):
+    def __init__(self, directory) -> None:
+        self.directory = directory
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """`not os.path.isdir('/tmp/a')`."""
+        return [
+            (NAME, "not"),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isdir"),
+            (LPAR, "("),
+            (STRING, repr(self.directory)),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/directory_list_exist.py

@@ -0,0 +1,46 @@
+import io
+from tokenize import LPAR, NAME, OP, RPAR, generate_tokens
+
+from pof.evasion.base import BaseEvasion
+
+
+class DirectoryListExistEvasion(BaseEvasion):
+    def __init__(self, directory_list) -> None:
+        self.directory_list = directory_list
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """Trigger evasion if any directory from the list is absent on the system.
+
+        `not all([os.path.isdir(p)for p in['/tmp/a','/tmp/b',...]])`
+        """
+        # TODO (deoktr): change
+        io_obj = io.StringIO(repr(self.directory_list))
+        directory_list_tokens = list(generate_tokens(io_obj.readline))
+
+        return [
+            (NAME, "not"),
+            (NAME, "all"),
+            (LPAR, "("),
+            (OP, "["),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isdir"),
+            (LPAR, "("),
+            (NAME, "p"),
+            (RPAR, ")"),
+            (NAME, "for"),
+            (NAME, "p"),
+            (NAME, "in"),
+            *directory_list_tokens,
+            (OP, "]"),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/directory_list_missing.py

@@ -0,0 +1,45 @@
+import io
+from tokenize import LPAR, NAME, OP, RPAR, generate_tokens
+
+from pof.evasion.base import BaseEvasion
+
+
+class DirectoryListMissingEvasion(BaseEvasion):
+    def __init__(self, directory_list) -> None:
+        self.directory_list = directory_list
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """Trigger evasion if any directory from the list is present on the system.
+
+        `any([os.path.isdir(p) for p in ['/tmp/a', '/tmp/b', ...]])`
+        """
+        # TODO (deoktr): change
+        io_obj = io.StringIO(repr(self.directory_list))
+        directory_list_tokens = list(generate_tokens(io_obj.readline))
+
+        return [
+            (NAME, "any"),
+            (LPAR, "("),
+            (OP, "["),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isdir"),
+            (LPAR, "("),
+            (NAME, "p"),
+            (RPAR, ")"),
+            (NAME, "for"),
+            (NAME, "p"),
+            (NAME, "in"),
+            *directory_list_tokens,
+            (OP, "]"),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/directory_missing.py

@@ -0,0 +1,28 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class DirectoryMissingEvasion(BaseEvasion):
+    def __init__(self, directory) -> None:
+        self.directory = directory
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """`os.path.isdir('/tmp/a')`."""
+        return [
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "path"),
+            (OP, "."),
+            (NAME, "isdir"),
+            (LPAR, "("),
+            (STRING, repr(self.directory)),
+            (RPAR, ")"),
+        ]

pof/evasion/fs/exec_method.py

@@ -0,0 +1,51 @@
+from tokenize import NAME, OP
+
+from pof.evasion.base import BaseEvasion
+
+
+class ExecMethodEvasion(BaseEvasion):
+    def __init__(self, method="file") -> None:
+        # "file" or "memory"
+        self.exec_method = method
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "time"),
+        ]
+
+    def check_tokens(self):
+        """Verify the execution method.
+
+        When Python code is executed from the console or from the memory
+        directly the `__file__` object will be equal to `<stdin>`, if a script
+        is meant to be launched with a specific method the evasion can be added.
+
+        Usage:
+
+        This doesn't work (trigger evasion when file is selected)
+        ```bash
+        echo "print(__file__)" | ./pof.py ... | python
+        Exception: evasion check triggered
+        ```
+
+        This works (doesn't trigger evasion when file is selected)
+        ```bash
+        echo "print(__file__)" | ./pof.py ... > bin/a.py & python bin/a.py
+        /path/to/file/bin/a.py
+        ```
+
+        Todo:
+        If running from the console `__file__` doesn't exist, this needs to be
+        taken into account !
+        """
+        equal = "=!"
+        if self.exec_method == "file":
+            equal = "=="
+
+        return [
+            (NAME, "__file__"),
+            (OP, equal),
+            (NAME, repr("<stdin>")),
+        ]

pof/evasion/fs/executable_path.py

@@ -0,0 +1,66 @@
+import io
+from tokenize import LPAR, NAME, OP, RPAR, generate_tokens
+
+from pof.evasion.base import BaseEvasion
+
+
+class ExecPathEvasion(BaseEvasion):
+    DEFAULT_CONTAIN_LIST = (
+        "virus",
+        "VIRUS",
+        "sample",
+        "SAMPLE",
+        "sandbox",
+        "SANDBOX",
+        "malware",
+        "Malware",
+        # Anubis sandbox
+        "InsideTm",
+        "insidetm",
+    )
+
+    def __init__(self, contain_list=DEFAULT_CONTAIN_LIST) -> None:
+        self.contain_list = contain_list
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "pathlib"),
+        ]
+
+    def check_tokens(self):
+        """Check if full exec path contains one of the specific strings.
+
+        `any([s in str(pathlib.Path(__file__).absolute()) for s in["virus",...]])`
+        """
+        # TODO (deoktr): generate tokens differently
+        io_obj = io.StringIO(repr(self.contain_list))
+        contain_list_tokens = list(generate_tokens(io_obj.readline))
+
+        return [
+            (NAME, "any"),
+            (LPAR, "("),
+            (OP, "["),
+            (NAME, "s"),
+            (NAME, "in"),
+            (NAME, "str"),
+            (LPAR, "("),
+            (NAME, "pathlib"),
+            (OP, "."),
+            (NAME, "Path"),
+            (LPAR, "("),
+            (NAME, "__file__"),
+            (RPAR, ")"),
+            (OP, "."),
+            (NAME, "absolute"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (NAME, "for"),
+            (NAME, "s"),
+            (NAME, "in"),
+            *contain_list_tokens,
+            (OP, "]"),
+            (RPAR, ")"),
+        ]