`Pkg.PowerShellBeautifier` — API for deobfuscating Microsoft PowerShell scripts¶

Overview¶

The Pkg.PowerShellBeautifier module contains the API for deobfuscating Microsoft PowerShell scripts.

Beautifying a PowerShell Script¶

The following code example demonstrates how to beautify a PowerShell script:

from Pkg.PowerShellBeautifier import *

script = r"""$A = get-childitem c:\temp

$B = gET-cHILDITEM c:\temp

$C = get-conTENT c:\temp\asdf.txt

$D = DIR C:\

iF (1 -eq 1) {
    Write-hOSt "hi"
}
"""

bt = PowerShellBeautifier()
bt.deobfuscate_code = True
bt.keep_comments = True
bt.name_variables = True
bt.remove_unused_variables = True
bt.replace_variables = True
bt.known_variables = bt.defaultKnownVariables()

output = bt.beautify(script, "text")
print(output)

Module API¶

Pkg.PowerShellBeautifier module API.

Classes:

PowerShellBeautifier()

Beautifier for PowerShell scripts.

class PowerShellBeautifier¶

Beautifier for PowerShell scripts.

Methods:

beautify(script[, fmt])

Beautifies the input script.

defaultKnownVariables()

Returns a dictionary that can be used to initialize known_variables.

Attributes:

deobfuscate_code

If True, deobfuscates the code.

indent_spaces

The amount of indentation spaces.

keep_comments

If True, keeps the comments in the code.

known_variables

A dictionary used to resolve known variables.

name_variables

If True, automatically names variables.

remove_unused_variables

If True, removes unused variables in the code.

replace_variables

If True, replaces the variables in the code.

theme

The Pro.UI.ProTheme instance to be used to colorize the code.

beautify(script: str, fmt: str = 'lines') → Optional[Union[str, Pro.Core.NTByteArrayList]]¶

Beautifies the input script.

Parameters

script (str) – The script to beautify.

fmt (str) – The output format. Can be either "text" or "lines".

Returns

Returns the beautified code either as a string or as a Pro.Core.NTByteArrayList instance if successful; otherwise returns None.

Return type

Optional[Union[str, NTByteArrayList]]

defaultKnownVariables() → Dict[str, Union[str, int]]¶

Returns

Returns a dictionary that can be used to initialize known_variables.

Return type

Dict[str, Union[str, int]]

See also known_variables.

deobfuscate_code¶

If True, deobfuscates the code.

indent_spaces¶

The amount of indentation spaces.

keep_comments¶

If True, keeps the comments in the code.

known_variables¶

A dictionary used to resolve known variables.

Note

The variable names must be lowercase.

See also defaultKnownVariables().

name_variables¶

If True, automatically names variables.

remove_unused_variables¶

If True, removes unused variables in the code.

replace_variables¶

If True, replaces the variables in the code.

theme¶

The Pro.UI.ProTheme instance to be used to colorize the code. Colors are only used when the ‘fmt’ parameter in beautify() is set to "lines".