In this post, we will look at what obfuscation is and how to obfuscate scripts in your packaged executables using PowerShell Pro Tools.

What is obfuscation? 

Obfuscation is a technique of scrambling the script or source code so that it cannot easily be determined what the script is doing based on static analysis. With obfuscation, you can help to protect against reverse engineering or extraction of scripts from an executable. Obfuscation only makes it more difficult for a user to extract the script with a tool such as dnSpy. It's not impossible. A determined and experienced reverse engineer will be able to extract the script if they spend enough time.

When you obfuscate a packaged script with PowerShell Pro Tools, the resulting decompiled executable looks something like this.

The obfuscation will hide strings and resources included within the executable. For a casual user, it will be difficult to read the script. Note that if script logging is enabled on a machine, the unobfuscated script will be written to the event log.
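The script logging caveat can be checked on a test machine after running the packaged executable. The following is an added example, not part of PowerShell Pro Tools or the original post. It assumes the executable hosts Windows PowerShell 5.1 (which logs to the Microsoft-Windows-PowerShell/Operational channel) and checks only the machine-wide policy key; the function names are hypothetical.

```powershell
# Added example: see what script block logging recorded for a packaged script.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$logName    = 'Microsoft-Windows-PowerShell/Operational'

function Test-ScriptBlockLogging {
    # $true when the machine policy value EnableScriptBlockLogging is 1.
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    return ($null -ne $policy -and $policy.EnableScriptBlockLogging -eq 1)
}

function Get-LoggedScriptBlock {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 500
    )
    # Event ID 4104 carries the script block text as PowerShell compiled it,
    # so it is recorded after any packaging or obfuscation has been undone.
    $filter = @{ LogName = $logName; Id = 4104; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                MessageNumber = [int]$_.Properties[0].Value
                MessageTotal  = [int]$_.Properties[1].Value
                Text          = [string]$_.Properties[2].Value
                ScriptBlockId = [string]$_.Properties[3].Value
            }
        } |
        Group-Object ScriptBlockId |
        ForEach-Object {
            # Long scripts are split across several events; rejoin them in order.
            $parts = @($_.Group | Sort-Object MessageNumber)
            [pscustomobject]@{
                ScriptBlockId = $_.Name
                FirstSeen     = $parts[0].TimeCreated
                Complete      = ($parts.Count -eq $parts[0].MessageTotal)
                ScriptText    = ($parts.Text -join '')
            }
        }
}

# Report the policy state, then list whatever was logged in the last hour.
"Script block logging policy enabled: $(Test-ScriptBlockLogging)"
Get-LoggedScriptBlock | Sort-Object FirstSeen | Format-List
```

If the ScriptText of an entry matches your original script, anyone who can read that event log on the machine can recover it without touching the executable.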

Obfuscation in Visual Studio

To obfuscate your packaged script in PowerShell Tools for Visual Studio, you will need to update the project properties for your PowerShell project. Right-click on the project in the Solution Explorer window and click Properties. Navigate to the Advanced properties tab and select the Executable Properties tab. On that tab, you can check the Obfuscate executable checkbox.

Now, when you build your executable, it will undergo an obfuscation process that will result in a scrambled executable.

Obfuscation in Visual Studio Code

To enable obfuscation in PowerShell Pro Tools for VS Code, you will need to set the Obfuscate property of the Package configuration hashtable to $true.

@{
    Root = 'c:\Users\Adam\Desktop\script.ps1'
    OutputPath = 'c:\Users\Adam\Desktop\out'
    Package = @{
        Enabled = $true
        # Obfuscate the packaged executable
        Obfuscate = $true
    }
}

Running the build process in VS Code will result in the same obfuscated executable that would be created in Visual Studio. You can use the same configuration when using Merge-Script directly.

Conclusion

In this post, we looked at obfuscation. As described, it’s not perfect protection against reverse engineering but makes it harder for the casual user to extract the contents of your script from your executable.