Skip to main content
Liam Smydo
  1. Projects/

PSObfuscate - Build, encode, wrap, and deliver PowerShell payloads

·886 words·5 mins
Liam Smydo
Author
Liam Smydo
Hi, I’m Liam. This site contains my various cybersecurity projects, CTF write-ups, and labs, including detailed technical write-ups and different resources I find useful.
Table of Contents

The problem I’m aiming to solve
#

I spend a lot of time in labs and CTF environments. If you do too, you know the drill: you need a reverse shell, you need it encoded a specific way, you need it wrapped in a delivery format that fits your scenario, and you needed it five minutes ago.

For a long time, my workflow looked like this: pull a shell template from a cheat sheet, manually base64-encode it, wrap however I need, fix the escaping, realise AMSI didn’t like my encoding, start over. Every time. The process was repetitive, error-prone, and slow enough to break my focus during time sensitive work.

So I built the tool I kept wishing existed.

image.png

What is PSObfuscate?
#

PSObfuscate is a command-line payload builder and encoder for PowerShell reverse shells, meant for operators Who value their time. It takes a payload source, applies one or more encoding transforms, wraps the result in a delivery format, and hands you a delivery ready payload. The entire pipeline lives in a single Python file with zero external dependencies.

The workflow is four steps:

  1. Source - Use the built-in TCP reverse shell or load any script you have
  2. Encode - Apply encoding layers (Base64, Hex, ASCII, URL, Binary, Reverse) or a structural rewrite with randomized variable names
  3. Wrap - Package as a raw .ps1, encoded PowerShell launcher, .bat, .vbs, or .hta
  4. Deliver - Print, copy, save, or spin up an HTTP server and Netcat listener to serve and catch it

Every combination of source, encoding, and delivery format is available from a single interface. No context switching, no manual steps, Beautifully simple.

image.png

Video Demo
#

Why the UX Matters
#

Most security tools dump output to the terminal and move on. I wanted something that felt like a control panel, something an operator could sit in front of and work through scenarios without losing context.

There are two modes:

Interactive wizard - run it with no arguments. It walks you through full payload configuration, I tried to make this process as fast and simple as possible. It is even so simple that a base payload can be created in 5 clicks of the enter key.

Usage:

python3 PsObfuscate.py

image.png

CLI mode - for when you know exactly what you want, or you need to script it

python3 PsObfuscate.py -h

image.png

python3 PsObfuscate.py -i 10.0.0.1 -p 4444 -t 1 -d bat -o payload.bat

image.png

Encoding Layers
#

Seven Encoding layers. Each one wraps the payload in an IEX (Invoke-Expression) self-decoding pattern. At runtime, PowerShell decodes and executes the original payload.

image.png

Layers are stackable. -t 6,1 reverses the payload, then Base64-encodes the result. At runtime they unwrap in reverse order. This gives you a wide range of representations from the same source payload.

Advanced mode is different from the other layers. Instead of wrapping the payload, it structurally rewrites it: randomized variable names, cmdlet names encoded as char-code arrays, arithmetic identity expressions, and inline comment noise. AMSI fears this payload.

Delivery Formats
#

Once the payload is encoded, you choose how to package it for your target:

image.png

You can change the delivery format after building without re-running the wizard. The post-build menu lets you switch formats and see the output update in real time.

Built-In Listeners
#

After building and saving a payload, PSObfuscate can start listeners for you:

  • HTTP server - Python’s http.server running in the background, serving your payload file. Gives you the iwr fetch command ready to paste.
  • Netcat listener — Foreground nc -lvnp to catch the reverse shell.
  • Both - HTTP in the background, netcat in the foreground. When you exit netcat, the tool returns you to a clean Payload Ready screen with the HTTP server still running. This is perfect for workflows where the operator wants to deliver the payload via an http web server, can also start a foreground nc listener to catch the shell after delivery/execution.

No need to open another terminal tab, remember the right flags, or manually coordinate ports.

Design Decisions
#

A few choices I made early on that shaped the tool:

Zero dependencies. On an engagement box or a CTF VM, you don’t want to pip install anything. PSObfuscate is Python 3 standard library only. Drop the file, run it.

Single file. scp or git clone one file. No package structure, no config directory, no setup script. This matters when you’re working on systems you don’t control.

What I Learned Building It
#

Building a tool you actually use day to day teaches you things differently than building for a portfolio and makes you genuinely want to make the tool useful for others.

Terminal UX is underrated in security tooling. Most operator tools are functional but rough - walls of scrolling text, no state persistence, no visual hierarchy. Investing in screen clearing, config bars, and consistent menu patterns made the tool faster to use in practice, not just nicer to look at.

Tight Tool Scope matters. I had to resist adding features that would make the tool more complex without making it more useful. No staged payloads, no C2 integration, no persistence mechanisms. The tool does one thing well: prepare payloads for delivery.

Try It
#

PSObfuscate is open source and available on GitHub.

github.com/01xmm/PSObfuscate

git clone https://github.com/01xmm/PSObfuscate.git
cd PSObfuscate
python3 PsObfuscate.py

For authorized security testing and research only.