go-socks5-ssh-proxy/docs/NOTES.md

Some notes to Escape from Babylon

Well known paths (Windows)

• Python official install path for current user %APPDATA\Local\Programs\Python\PythonXX

• NPM global current user path: %APPDATA%\Roaming\npm\node_modules\npm\bin

• Go bin folder: C:\Users\YourUsername\go\bin\go.exe

• Rust: C:\Users\YourUsername\.cargo\bin\rustc.exe

• Haskel: C:\Users\YourUsername\AppData\Roaming\local\bin\ghc.exe

• FireFox: C:\Users\<username>\AppData\Local\Mozilla Firefox\firefox.exe

• Chrome: C:\Users\<username>\AppData\Local\Google\Chrome\Application

  • chrome.exe: The main executable for launching Google Chrome.
  • chrome_proxy.exe: A process used for managing proxy settings in Chrome.
  • chrome_launcher.exe: Typically used to start the Chrome browser with specific configurations.
  • chrome.dll: While not an .exe, chrome.dll is a crucial dynamic link library file used by Chrome. (For context, it is located in the same directory or subdirectories, but it’s not an executable file.)
  • chrome_remote_desktop_host.exe: If Chrome Remote Desktop is installed, this executable handles remote desktop connections.
  • chrome_update.exe: An executable for updating Chrome.

• Edge extensions: C:\Users\<YourUsername>\AppData\Local\Microsoft\Edge\User Data\Default\Extensions

• Opera: C:\Users\<YourUsername>\AppData\Roaming\Opera Software\Opera Stable\Extensions

• Firefox profile extensions: C:\Users\<YourUsername>\AppData\Roaming\Mozilla\Firefox\Profiles\<ProfileName>\extensions

• Chrome extensions and components: C:\Users\<YourUsername>\AppData\Local\Google\Chrome\User Data\Default\Extensions

Check if running under wine by testing if executables are present:

• .wine/drive_c/windows/syswow64/wine*.exe
• .wine/drive_c/windows/system32/wine*.exe

Ultimate Packer for Executables (UPX)

• https://www.ired.team/offensive-security/defense-evasion/t1045-software-packing-upx
• https://medium.com/@ankyrockstar26/unpacking-a-upx-malware-dca2cdd1a8de
• https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html?ref=nishtahir.com
• https://www.esecurityplanet.com/threats/upx-compression-detection-evasion/

Persistence and hiding

• Search for existing well known binary paths
• Copy argv[0] to well known binary path
• Register startup by system
  • schtasks (cmd) for system or local user
  • go-autostart: shortcut in start-menu
• Write state file of persistence to somewhere...

Debugging release build

• The "VMK" environment variable is the VerboseModeKey which enables logging to stdout/stderr even in release build

OS and emulator/environment detector

• Linux
  • Native
  • Msys (Windows)
  • CYGWIN (Windows)
  • Microsoft WSL & WSLv2
  • FreeBSD linuxemu
• Windows
  • WINE
  • ReactOS
  • Native
• Darwin (macOS)

Windows

• Copy to well known current user binary path to semi related filenames
• Run via start menu item for current user, or via schtasks
  • https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
  • https://github.com/emersion/go-autostart

Detection

• https://www.logpoint.com/en/blog/deep-dive-on-malicious-dlls/
• https://github.com/sandflysecurity/sandfly-entropyscan
• https://pypi.org/project/unipacker/

Related information

• https://github.com/rootkit-io/awesome-malware-development
• https://github.com/rshipp/awesome-malware-analysis#readme
• https://github.com/Karneades/awesome-malware-persistence#readme>
• https://www.yourcts.com/2024/01/19/beware-of-new-go-based-malware/
• https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6
• https://emulator41.medium.com/golang-malware-used-by-cybercriminals-408276a276c8
• https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/
• https://www.trisul.org/blog/traffic-analysis-of-secure-shell-ssh/

Development information

• https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d
• https://github.com/burrowers/garble?tab=readme-ov-file#mechanism>