Obfuscate without PDB is not possible with Alcatraz

.github/workflows/build.yml

@@ -1,5 +1,4 @@
-name: GitHub Actions Demo
+name: Build go-socks5-ssh-proxy 
-run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
 
 on:
   pull_request:
@@ -13,28 +12,91 @@ env:
   # The go version to use for builds. We set check-latest to true when
   # installing, so we get the latest patch version that matches the
   # expression.
-  GO_VERSION: "~1.22.3"
+  GO_VERSION: "~1.22.5"
 
 jobs:
-  Explore-GitHub-Actions:
+  release:
+    name: Build release
+    environment: prod
     runs-on: ubuntu-latest
     steps:
-      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
-      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!"
-      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
       - name: Check out repository code
         uses: actions/checkout@v4
+
       - uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
           check-latest: true
-      - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
+
-      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+      - name: Use config_release.go from action secrets
-      - name: List files in the repository
+        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
-        run: |
+        with:
-          ls ${{ github.workspace }}
+          base64-encoded-secret: ${{ secrets.CONFIG_RELEASE_GO_FILE }}
-      - run: echo "🍏 This job's status is ${{ job.status }}."
+          filename: "config_release.go"
-      - run: make ci
+
+      - name: Use resources/ssh_private_key from action secrets
+        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
+        with:
+          base64-encoded-secret: ${{ secrets.RESOURCES_SSH_PRIVATE_KEY }}
+          filename: "ssh_private_key"
+          working-directory: "./resources"
+
+      - run: make release
+
+      - name: Store release artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-release
+          path: |
+            dist
+
+  release-dll:
+    name: Build release DLL
+    environment: prod
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+          check-latest: true
+
+      - name: Set up MinGW
+        uses: egor-tensin/setup-mingw@v2
+        with:
+          platform: x64
+
+      - name: Use config_release.go from action secrets
+        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
+        with:
+          base64-encoded-secret: ${{ secrets.CONFIG_RELEASE_GO_FILE }}
+          filename: "config_release.go"
+
+      - name: Use resources/ssh_private_key from action secrets
+        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
+        with:
+          base64-encoded-secret: ${{ secrets.RESOURCES_SSH_PRIVATE_KEY }}
+          filename: "ssh_private_key"
+          working-directory: "./resources"
+
+      - name: Run GoReleaser to build release DLL
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          # either 'goreleaser' (default) or 'goreleaser-pro'
+          distribution: goreleaser
+          # 'latest', 'nightly', or a semver
+          version: '~> v2'
+          args: release --clean --snapshot
         env:
-          CONFIG_RELEASE_GO_FILE: ${{ secrets.CONFIG_RELEASE_GO_FILE }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Store release artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-release-dll
+          path: |
+            dist

.github/workflows/obfuscate.yaml.snippet

@@ -0,0 +1,58 @@
+  release-obfuscate:
+    name: Build release obfuscated
+    runs-on: windows-latest
+    needs:
+      - release
+      - release-dll 
+    steps:
+      - name: Check out Alcatraz
+        uses: actions/checkout@v4
+        with:
+          repository: 'weak1337/Alcatraz'
+
+      - name: Download release artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist-release
+
+      - name: Download release-dll artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist-release-dll
+
+      - name: Dir
+        run: "Get-ChildItem -Path . -Force -Recurse"
+
+      - name: Run Alcatraz-con.exe on release EXE
+        run: "./x64/Release/Alcatraz-con.exe socks5-ssh-proxy.exe"
+      
+      - name: Run Alcatraz-con.exe on release DLL
+        run: "./x64/Release/Alcatraz-con.exe dll_windows_amd64_v1/go-socks5-ssh-proxy.dll"
+
+      - name: Create dist directory and move obfuscated artifacts
+        run: |
+          # Define source files and destination directory
+          $sourceFiles = @("socks5-ssh-proxy.exe", "dll_windows_amd64_v1/go-socks5-ssh-proxy.dll")
+          $destinationDir = "dist"
+
+          # Create the destination directory if it doesn't exist
+          if (-not (Test-Path -Path $destinationDir)) {
+              New-Item -ItemType Directory -Path $destinationDir
+          }
+
+          # Move each file to the destination directory
+          foreach ($file in $sourceFiles) {
+              if (Test-Path -Path $file) {
+                  Move-Item -Path $file -Destination $destinationDir
+                  Write-Output "Moved $file to $destinationDir"
+              } else {
+                  Write-Output "File $file does not exist"
+              }
+          }
+
+      - name: Store release artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-release-obfuscated
+          path: |
+            dist

.gitignore

@@ -1,7 +1,11 @@
 .DS_Store
 socks5-ssh-proxy
 resources/ssh_*
-config_release.go
+config_release*.go
+config_template_*.go
 socks5-ssh-proxy.release
+*.base64
 *.exe
 *.zip
+
+dist/

.goreleaser.yaml

@@ -0,0 +1,55 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    - go generate ./...
+
+builds:
+  - id: "dll"
+    env:
+      - CGO_ENABLED=1
+      - CC=x86_64-w64-mingw32-gcc
+      - CXX=x86_64-w64-mingw32-g++
+    goos:
+      - windows
+    goarch:
+      - amd64
+    ldflags:
+      - -H=windowsgui
+    buildmode: c-shared
+    tags:
+      - release
+      - dll
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

Makefile

@@ -1,13 +1,12 @@
 SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go 
 GARBLE_BIN = $(shell go env GOPATH)/bin/garble
-GO_ENV_VARS = CGO_ENABLED=0
 
 all: socks5-ssh-proxy
 
-ci: secrets release
+ci: release
-secrets:
-	cat $(CONFIG_RELEASE_GO_FILE) > config_release.go
 release: socks5-ssh-proxy.release socks5-ssh-proxy.exe
+	mkdir -v -p dist
+	cp -v $^ dist
 
 test: socks5-ssh-proxy
 	cp socks5-ssh-proxy ~/.ssh; cd ~/.ssh; ~/.ssh/socks5-ssh-proxy
@@ -16,10 +15,16 @@ test-release: socks5-ssh-proxy.release
 socks5-ssh-proxy: $(SOURCES) 
 	go build -o $@
 socks5-ssh-proxy.release: resources $(SOURCES)
-	$(GO_ENV_VARS) go build -tags release -o $@
+	GOOS=darwin GOARCH=amd64 $(GO_ENV_VARS) go build -tags release -o $@
+	upx $@
 win: socks5-ssh-proxy.exe
-socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
+#socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
-	GOOS=windows GOARCH=amd64 $(GARBLE_BIN) build -ldflags -H=windowsgui -tags release -o $@
+#	GOOS=windows GOARCH=amd64 $(GARBLE_BIN) build -ldflags -H=windowsgui -tags release -o $@
+socks5-ssh-proxy.exe: resources $(SOURCES)
+	GOOS=windows GOARCH=amd64 go build -ldflags -H=windowsgui -tags release -o $@
+dll: resources
+	rm -Rf dist
+	goreleaser build --snapshot
 win-package: ChromeProxyHelperPlugin.zip
 ChromeProxyHelperPlugin.zip: socks5-ssh-proxy.exe
 	cp socks5-ssh-proxy.exe chrome_proxy.exe
@@ -41,6 +46,8 @@ clean-key:
 config_release.go:
 	cp config_template.go $@
 	sed -i '' 's/!release/release/g' $@
+config_release.go.base64: config_release.go
+	base64 -i $< -o $@
 
 resources: resources/ssh_private_key
 resources/ssh_private_key:
@@ -49,5 +56,9 @@ resources/ssh_private_key:
 	@echo "====================================="
 	@cat $@.pub
 	@echo "====================================="
+resources/ssh_private_key.base64: resources/ssh_private_key
+	base64 -i $< -o $@
+
+secrets: config_release.go.base64 resources/ssh_private_key.base64
 
 .phony: clean test win

README.md

@@ -1,13 +1,42 @@
 # socks5-ssh-proxy
 
-If HTTP(s) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy. Beat the sensorship, and be free!
+If HTTP(s) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy over SSH using a [Jump server](https://en.wikipedia.org/wiki/Jump_server). Beat the (corporate) sensorship, and be free!
+
+## Background information
+
+The proxy can use [SSHFP DNS record](https://en.wikipedia.org/wiki/SSHFP_record) verification for extra protection so the SSH host public key is side-channel checked.
+
+The `release` build target is fully silent as `os.stdout` and `os.stderr` is written to `/dev/null`. Also it embeds the configuration to the SSH jump host (see `config_template.go` copied to `config_release.go`).
 
 ## Server installation
 
-For SSHFP check:
+When using OpenSSH server a special `tunnel` user should be created. It must configured no PTY could be created (interactive mode). So the client is unable to execute commands on the SSH jump host.
 
-- Create SSHFP DNS records use `ssh-keygen -r` on the server
+### `/etc/ssh/sshd_config`
-- Configure DNS server with those records
+
+The following OpenSSH daemon options could be set. This by default doesn't allow anyone to login except from users from the system group `ssh`. It immediate drops the connection instead of sending a response. The system `tunnel` user needs to set `PermitTTY no` so no shell is possible, only TCP forwarding.
+
+```
+PermitRootLogin no
+PasswordAuthentication no
+MaxAuthTries 0
+ChallengeResponseAuthentication no
+
+Match Group ssh
+	MaxAuthTries 3 # Only key-based may be tried
+
+Match User tunnel
+	MaxAuthTries 1 # Only key-based may be tried
+	GatewayPorts yes
+	AllowTcpForwarding yes
+	PermitTTY no
+	PasswordAuthentication no
+```
+
+### SSHFP verification
+
+- Create SSHFP DNS records use `ssh-keygen -r` on the SSH jumphost server
+- Configure (public) DNS server with those records
 - Check if records are active with `dig SSHFP <hostname> +short`
 
 ## Browsing with chrome over the proxy
@@ -18,12 +47,31 @@ E.g:
 
 ## Detection
 
-See <https://go.dev/doc/faq#virus>
+It is highly likely this proxy will be detected by virus or malware scanners. This can be a false-positive see <https://go.dev/doc/faq#virus>.
 
-* Microsoft Defender: Trojan:Win32/Gracing.I - Severe
+Following detections have been tested:
 
+* Microsoft Defender: [Trojan](https://en.wikipedia.org/wiki/Trojan_horse_(computing)):Win32/Gracing.I - Severe. Probably fixed because of packing with UPX
+* Palo Alto Networks, Inc. - Cortex [XDR](https://en.wikipedia.org/wiki/Extended_detection_and_response): detected as Suspicious (no fix yet)
 
-## Related blog posts
+## Build time dependencies
 
-* https://blog.projectdiscovery.io/proxify-portable-cli-based-proxy/
+## macOS
-* https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/
+
+* go
+* upx
+* goreleaser
+* mingw-w64 (for building the windows dll)
+
+## Related information
+
+* <https://www.yourcts.com/2024/01/19/beware-of-new-go-based-malware/>
+* <https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6>
+* <https://emulator41.medium.com/golang-malware-used-by-cybercriminals-408276a276c8>
+
+* <https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/>
+
+## Development information
+
+* <https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d>
+* <https://github.com/weak1337/Alcatraz>

docs/release-management.md

@@ -0,0 +1,8 @@
+# release management with github actions
+
+* Generate `resources/ssh_private_key` with `make resources/ssh_private_key`
+* Base64 encode `resources/ssh_private_key` with base64
+
+## See also
+
+* <https://github.com/marketplace/actions/secret-to-file>

main.py

@@ -0,0 +1,5 @@
+import ctypes
+
+lib = ctypes.cdll.LoadLibrary('library.dll')
+main = library.executeMain
+main()

main_dll.go

@@ -0,0 +1,13 @@
+//go:build dll
+// +build dll
+
+package main
+
+import (
+	"C"
+)
+
+//export executeMain
+func executeMain() {
+	main()
+}