Function deobfuscate

pub fn deobfuscate(command: &str) -> String
Normalize an obfuscated shell command string into a canonical form for blocklist and policy evaluation. The output is meant for matching, not for execution: variable references and subshells are replaced by bracketed markers rather than expanded.

Applies the following transformations, in this order:

  1. Truncate to 8 KiB.
  2. Decode \xNN hex escapes.
  3. Decode \NNN octal escapes.
  4. Decode \uNNNN Unicode escapes.
  5. Collapse backslash line-continuations (\↵).
  6. Expand ${VAR} / $VAR to [var:VAR].
  7. Replace backtick subshells `cmd` with [subshell: cmd].
  8. Replace $(cmd) with [subshell: cmd].
  9. Strip unescaped quotes used for string concatenation.
  10. Normalize runs of whitespace to a single space and trim.

§Examples

use zeph_tools::shell::deobfuscate::deobfuscate;

assert_eq!(deobfuscate(r"\x63url"), "curl");
assert_eq!(deobfuscate(r"\143at"), "cat");
assert_eq!(deobfuscate("$(whoami)"), "[subshell: whoami]");
assert_eq!(deobfuscate("${HOME}/file"), "[var:HOME]/file");
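The ten steps listed above, carried out by a stand-alone Rust reimplementation added here for illustration. This is example code written for this page, not the zeph_tools implementation; where the page leaves a detail unspecified (how many digits `\NNN` accepts, whether `$( )` nests, how truncation treats a multi-byte character), the choices below are assumptions. Steps 6 to 8 are done in one recursive pass, which produces the same result as applying them in sequence. The example also makes one consequence of the documented order visible: the escape decoders run once over the input and never re-scan their own output, so `\x5cx63url` normalizes to the literal `\x63url` (which is also what the shell would execute), not to `curl`.

```rust
// Added example, not zeph_tools' own code: a stand-alone reimplementation of the ten
// documented steps so their order can be exercised. Assumptions the page does not state:
// \NNN takes 1-3 octal digits, \xNN exactly 2 and \uNNNN exactly 4 hex digits; $( ) nests
// and its body is normalized recursively; truncation never splits a UTF-8 sequence.
const MAX_BYTES: usize = 8 * 1024;

/// Step 1: cut to 8 KiB on a char boundary.
fn truncate(s: &str) -> &str {
    let mut end = s.len().min(MAX_BYTES);
    while !s.is_char_boundary(end) { end -= 1; }
    &s[..end]
}

/// Decode one escape whose first char after the backslash is `rest[0]`; returns the
/// decoded char and the number of chars consumed, including the backslash.
fn decode_one(rest: &[char]) -> Option<(char, usize)> {
    let digits = |skip: usize, max: usize, radix: u32| -> String {
        rest.iter().skip(skip).take(max).take_while(|ch| ch.is_digit(radix)).collect()
    };
    let (s, radix, need, prefix) = match rest.first()? {
        'x' => (digits(1, 2, 16), 16, 2, 2),     // step 2: \xNN
        '0'..='7' => (digits(0, 3, 8), 8, 1, 1), // step 3: \NNN
        'u' => (digits(1, 4, 16), 16, 4, 2),     // step 4: \uNNNN
        _ => return None,
    };
    if s.len() < need { return None; }
    Some((char::from_u32(u32::from_str_radix(&s, radix).ok()?)?, prefix + s.len()))
}

/// Steps 2-4 in one left-to-right pass. Decoded output is never re-scanned, so
/// `\x5cx63url` yields the literal `\x63url` (what the shell would run), not `curl`.
fn decode_escapes(s: &str) -> String {
    let c: Vec<char> = s.chars().collect();
    let (mut out, mut i) = (String::with_capacity(s.len()), 0);
    while i < c.len() {
        let hit = if c[i] == '\\' { decode_one(&c[i + 1..]) } else { None };
        match hit {
            Some((ch, n)) => { out.push(ch); i += n; }
            None => { out.push(c[i]); i += 1; } // not an escape, or malformed: keep verbatim
        }
    }
    out
}

fn is_ident(ch: char) -> bool { ch.is_ascii_alphanumeric() || ch == '_' }

/// Steps 6-8 in one recursive pass (equivalent to applying them in order): ${VAR}/$VAR
/// -> [var:VAR]; `cmd` and $(cmd) -> [subshell: cmd] with the body itself normalized.
fn mark_vars_and_subshells(s: &str) -> String {
    let c: Vec<char> = s.chars().collect();
    let (mut out, mut i) = (String::with_capacity(s.len()), 0);
    while i < c.len() {
        let next = c.get(i + 1).copied().unwrap_or('\0');
        let hit: Option<(String, usize)> = match (c[i], next) {
            ('$', '{') => c[i + 2..].iter().position(|&ch| ch == '}')
                .map(|e| (format!("[var:{}]", c[i + 2..i + 2 + e].iter().collect::<String>()), e + 3)),
            ('$', n) if is_ident(n) => {
                let name: String = c[i + 1..].iter().take_while(|&&ch| is_ident(ch)).collect();
                Some((format!("[var:{name}]"), name.len() + 1))
            }
            ('$', '(') => {
                let mut depth = 0i32; // match the closing paren at the same nesting level
                (i + 1..c.len()).find(|&j| {
                    depth += match c[j] { '(' => 1, ')' => -1, _ => 0 };
                    depth == 0
                }).map(|e| (subshell(&c[i + 2..e]), e + 1 - i))
            }
            ('`', _) => c[i + 1..].iter().position(|&ch| ch == '`')
                .map(|e| (subshell(&c[i + 1..i + 1 + e]), e + 2)),
            _ => None,
        };
        match hit {
            Some((text, n)) => { out.push_str(&text); i += n; }
            None => { out.push(c[i]); i += 1; }
        }
    }
    out
}

fn subshell(body: &[char]) -> String {
    let inner: String = body.iter().collect();
    format!("[subshell: {}]", mark_vars_and_subshells(inner.trim()))
}

/// Step 9: drop quotes that only split a word ("cu"'rl'); backslash-escaped quotes stay.
fn strip_quotes(s: &str) -> String {
    let mut escaped = false;
    s.chars().filter(|&ch| {
        let keep = escaped || !matches!(ch, '\'' | '"');
        escaped = !escaped && ch == '\\';
        keep
    }).collect()
}

/// Steps 1-10 in the documented order; step 5 is a plain replace, step 10 is split + join.
pub fn deobfuscate(command: &str) -> String {
    let s = decode_escapes(truncate(command));
    let s = mark_vars_and_subshells(&s.replace("\\\r\n", "").replace("\\\n", ""));
    strip_quotes(&s).split_whitespace().collect::<Vec<_>>().join(" ")
}
```

One caveat worth keeping in mind when writing rules against this output: none of the ten listed steps removes a backslash placed before an ordinary character, so `ec\ho` (which the shell runs as `echo`) passes through this example unchanged, and a blocklist entry for `echo` would not match it. Rules that must catch that form need their own handling for it.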