The latest articles on DEV Community by Localtonet (@localtonet_9bc198a0885334). https://dev.to/localtonet_9bc198a0885334 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3744380%2F2c38622c-9b8d-4181-86ea-5d06915e315d.png https://dev.to/localtonet_9bc198a0885334 en Localtonet Sun, 15 Feb 2026 16:29:11 +0000 https://dev.to/localtonet_9bc198a0885334/-1e54 https://dev.to/localtonet_9bc198a0885334/-1e54 <div class="ltag__link"> <a href="/localtonet_9bc198a0885334" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3744380%2F2c38622c-9b8d-4181-86ea-5d06915e315d.png" alt="localtonet_9bc198a0885334"> </div> </a> <a href="https://dev.to/localtonet_9bc198a0885334/obfusps-building-a-smart-ast-aware-powershell-obfuscation-engine-in-go-1oeo" class="ltag__link__link"> <div class="ltag__link__content"> <h2>ObfusPS — Building a Smart, AST-Aware PowerShell Obfuscation Engine in Go</h2> <h3>Localtonet ・ Feb 15</h3> <div class="ltag__link__taglist"> </div> </div> </a> </div> Localtonet Sun, 15 Feb 2026 16:29:01 +0000 https://dev.to/localtonet_9bc198a0885334/obfusps-building-a-smart-ast-aware-powershell-obfuscation-engine-in-go-1oeo https://dev.to/localtonet_9bc198a0885334/obfusps-building-a-smart-ast-aware-powershell-obfuscation-engine-in-go-1oeo <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2nx5g3a49wadzh70znts.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2nx5g3a49wadzh70znts.png" alt=" " width="800" height="800"></a></p> <p>I built ObfusPS as a research-oriented PowerShell obfuscation framework focused on one constraint above everything else:<br> Obfuscation must not change runtime behavior.</p> <p>The project explores structural and encoding-based transformations while preserving deterministic execution and providing runtime validation.</p> <p>This article explains the design principles behind the engine.</p> <p>Core Design Principles<br> 1️⃣ Behavioral Fidelity First</p> <p>ObfusPS includes an optional validation system that:</p> <p>Executes the original script</p> <p>Executes the obfuscated script</p> <p>Compares:</p> <p>stdout</p> <p>stderr</p> <p>exit code</p> <p>If validation fails, the engine can retry with progressively safer settings.</p> <p>Across the internal test matrix (13 scripts × 5 levels × 10 profiles), all combinations passed validation at the time of writing.</p> <p>The goal is reproducible transformation — not just visual obfuscation.</p> <p>2️⃣ Clear Separation of Responsibilities</p> <p>ObfusPS uses a multi-language architecture:</p> <p>Component Role<br> Go Core engine (pipeline, packers, RNG, metrics, validation)<br> PowerShell Native AST parsing<br> C# (.NET 8) Optional AST fallback parser<br> Python GUI wrapper</p> <p>Important architectural decision:</p> <p>The Go engine never executes PowerShell.<br> It produces transformed text only.<br> Runtime behavior lives entirely in generated PowerShell stubs.</p> <p>This simplifies auditing and makes the build reproducible.</p> <p>Obfuscation Model</p> <p>ObfusPS combines two layers:</p> <p>🔹 Pipeline transforms (pre-packing)</p> <p>Applied in a defined order:</p> <p>Identifier renaming</p> <p>String encoding (XOR or RC4)</p> <p>String tokenization</p> <p>Numeric expression encoding</p> <p>Formatting jitter</p> <p>Opaque predicates</p> <p>Function reordering (safe shuffle)</p> <p>Dead code injection</p> <p>Optional anti-reverse checks</p> <p>Each transform can be enabled manually or via profile.</p> <p>🔹 Encoding levels (1–5)</p> <p>Five wrapping strategies progressively increase structural complexity:</p> <p>Unicode character reconstruction</p> <p>Base64 wrapping</p> <p>Base64 with intermediate variable indirection</p> <p>GZip compression + Base64</p> <p>GZip + XOR encryption + fragmentation + polymorphic template</p> <p>Level 5 adds:</p> <p>32-byte XOR key derived from a seeded LCG</p> <p>Fragment shuffling (Fisher–Yates)</p> <p>Optional integrity verification</p> <p>Maximum fragment count is 256 (auto-scaled).</p> <p>Smart Analysis</p> <p>ObfusPS includes a static analysis phase with 22+ internal feature detectors.<br> It evaluates:</p> <p>Dynamic invocation patterns</p> <p>Module-related constructs</p> <p>String complexity</p> <p>Control-flow patterns</p> <p>Script size and entropy</p> <p>The engine produces:</p> <p>A complexity score (0–100)</p> <p>A recommended profile</p> <p>Suggested flags</p> <p>This allows either manual configuration or automatic selection.</p> <p>Profiles &amp; Determinism</p> <p>There are 10 predefined profiles ranging from minimal transformation (safe) to maximum configuration (paranoid, redteam).</p> <p>All explicit flags override profile defaults.</p> <p>For reproducible builds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>-seed N </code></pre> </div> <p>ensures deterministic randomness — important for CI/CD and controlled testing scenarios.</p> <p>Metrics &amp; Reporting</p> <p>After transformation, ObfusPS reports:</p> <p>Output size</p> <p>Shannon entropy</p> <p>Character diversity</p> <p>Alphanumeric ratio</p> <p>Size ratio (input vs output)</p> <p>Line count</p> <p>This allows quantitative comparison between strategies instead of relying on visual inspection.</p> <p>Scope &amp; Limits</p> <p>Input encoding: UTF-8 only</p> <p>Output encoding: UTF-8 with BOM</p> <p>Max input size: 100 MB</p> <p>Fragment limit (level 5): 256</p> <p>The tool is intended for:</p> <p>Research</p> <p>Authorized red/blue team simulation</p> <p>IP protection</p> <p>It is not designed for unauthorized or malicious usage.</p> <p>Why Go?</p> <p>The engine is written in Go because it provides:</p> <p>Single static binary</p> <p>Zero runtime dependency</p> <p>Cross-platform compilation</p> <p>Deterministic execution model</p> <p>Strong performance for text-heavy pipelines</p> <p>The architecture is intentionally explicit and modular to support auditing and future AST-based improvements.</p> <p>Closing Thoughts</p> <p>Obfuscation is not just about hiding code.</p> <p>It is about:</p> <p>Controlled transformation</p> <p>Deterministic randomness</p> <p>Structural mutation</p> <p>Runtime equivalence guarantees</p> <p>ObfusPS is an engineering exercise in making those constraints coexist.</p> <p>Repository:<br> <a href="https://dev.tourl"></a><a href="https://github.com/BenzoXdev/ObfusPS" rel="noopener noreferrer">https://github.com/BenzoXdev/ObfusPS</a></p> cybersecurity go security showdev Localtonet Sat, 31 Jan 2026 20:08:16 +0000 https://dev.to/localtonet_9bc198a0885334/malware-builder-5213 https://dev.to/localtonet_9bc198a0885334/malware-builder-5213 <p><a href="https://github.com/BenzoXdev/Blx-Virus-Builder" rel="noopener noreferrer">https://github.com/BenzoXdev/Blx-Virus-Builder</a></p> programming python security opensource