commit of experiment code

trustedsec · Feb 13, 2024 · cfdb89b · cfdb89b
commit cfdb89b
Show file tree

Hide file tree

Showing 3,565 changed files with 2,729,346 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,8 @@
+*.obj
+*.exe
+.vscode
+bin
+dist
+malware/arsenal-kit
+.git
+.pdb
diff --git a/README.MD b/README.MD
@@ -0,0 +1,13 @@
+This repo is a companion document to the blog post available at \<url\>
+
+Individual projects under goodware / malware will have readme's referencing the original sources, which all all included here as well in no particular order.
+
+https://github.com/B-Con/crypto-algorithms/tree/master
+https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
+https://github.com/capstone-engine/capstone/archive/5.0.tar.gz
+https://download.cobaltstrike.com/scripts
+https://github.com/gentilkiwi/mimikatz
+https://github.com/trustedsec/COFFLoader
+https://github.com/trustedsec/trevorc2
+https://github.com/silentbreaksec/Throwback
+
diff --git a/clang-cl64.toolchain b/clang-cl64.toolchain
@@ -0,0 +1,45 @@
+cmake_minimum_required (VERSION 3.20)
+
+MACRO(HEADER_DIRECTORIES return_list)
+    FILE(GLOB_RECURSE new_list /opt/winsdk/sdk/*.h /opt/winsdk/crt/*.h)
+    SET(dir_list "")
+    FOREACH(file_path ${new_list})
+        GET_FILENAME_COMPONENT(dir_path ${file_path} PATH)
+        SET(dir_list ${dir_list} ${dir_path})
+    ENDFOREACH()
+    LIST(REMOVE_DUPLICATES dir_list)
+    SET(${return_list} ${dir_list})
+ENDMACRO()
+
+if(NOT CACHE_KEY)
+    HEADER_DIRECTORIES(sdkheaders)
+    set(CACHE_KEY "${sdkheaders}" CACHE INTERNAL "Cached result of the macro")
+else()
+    set(sdkheaders ${CACHE_KEY})
+endif()
+
+set(RC_INCLUDES "")
+FOREACH(OPT ${sdkheaders})
+	set(RC_INCLUDES ${RC_INCLUDES} " -I ${OPT} ")
+ENDFOREACH()
+string(REPLACE ";" " " RC_INCLUDES ${RC_INCLUDES})
+
+set(CMAKE_SYSTEM_NAME      Windows)
+set(CMAKE_SYSTEM_VERSION      10.0)
+set(CMAKE_SYSTEM_PROCESSOR   x86_64)
+
+set(CMAKE_ASM_COMPILER "/usr/bin/llvm-ml")
+set(CMAKE_MASM_COMPILER "/usr/bin/llvm-ml")
+set(CMAKE_ASM_MASM_COMPILER "/usr/bin/llvm-ml")
+
+set(CMAKE_C_COMPILER   "/usr/bin/clang-cl")
+set(CMAKE_CXX_COMPILER "/usr/bin/clang-cl")
+set(CMAKE_RC_COMPILER  "/usr/bin/llvm-rc")
+set(CMAKE_MT  "/usr/bin/llvm-mt")
+set(CMAKE_LINKER "/usr/bin/lld-link")
+set(CMAKE_C_FLAGS_INIT  "/winsdkdir /opt/winsdk/sdk  /vctoolsdir /opt/winsdk/crt")
+set(CMAKE_CXX_FLAGS_INIT  "/winsdkdir /opt/winsdk/sdk  /vctoolsdir /opt/winsdk/crt")
+set(CMAKE_EXE_LINKER_FLAGS_INIT "/winsdkdir:/opt/winsdk/sdk  /vctoolsdir:/opt/winsdk/crt /MANIFEST:NO")
+set(CMAKE_RC_FLAGS_INIT "${RC_INCLUDES}")
+set(CMAKE_C_STANDARD_INCLUDE_DIRECTORIES "${sdkheaders}")
+set(CMAKE_CXX_STANDARD_INCLUDE_DIRECTORIES "${sdkheaders}")
diff --git a/cmake examples.txt b/cmake examples.txt
@@ -0,0 +1,13 @@
+CFLAGS="-Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libStringObfuscation.so" cmake --toolchain /opt/winsdk/LLVM-Obfuscation-Experiments/clang-cl64.toolchain ..
+CFLAGS="-Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libMBAObfuscation.so -Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libIndirectCall.so -Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libFlattening.so -Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libBogusControlFlow.so" cmake --toolchain /opt/winsdk/LLVM-Obfuscation-Experiments/clang-cl64.toolchain ..
+
+
+---
+
+
+CFLAGS="-Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libMBAObfuscation.so" cmake --toolchain /opt/winsdk/LLVM-Obfuscation-Experiments/clang-cl64.toolchain ..
+CFLAGS="-Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libBogusControlFlow.so" cmake --toolchain /opt/winsdk/LLVM-Obfuscation-Experiments/clang-cl64.toolchain ..
+CFLAGS="-Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libFlattening.so" cmake --toolchain /opt/winsdk/LLVM-Obfuscation-Experiments/clang-cl64.toolchain ..
+CFLAGS="-Xclang -fpass-plugin=/opt/winsdk/llvm-passes/libIndirectCall.so" cmake --toolchain /opt/winsdk/LLVM-Obfuscation-Experiments/clang-cl64.toolchain ..
+
+#for mimikatz you need to modify the CMAKELists file to add the options to the mimikatz cmakelists.txt
diff --git a/goodware/MessageBox_Only/makefile b/goodware/MessageBox_Only/makefile
@@ -0,0 +1,128 @@
+#should use the -cl version of clang as we are linking against visual studio libraries
+CC:=clang-cl
+#we want to use lld-link to line up with what visual studio expects / does
+#when inline with compiler one would use -fuse-ld=$(LLD)
+LLD:=lld-link
+#we want to use llvm-lib to make an msvc compatibile library
+LIB:=llvm-lib
+#named variable with base directory we are storing our LLVM passes in
+LLVMPASSDIR:=/opt/winsdk/llvm-passes
+#output directory info
+OUTPUTDIR:=bin
+BASEOBJDIR=obj
+OUTPUTNAME:=pickanexename
+OUTPUTEXT=.exe
+#populate this with the libraries you are using
+LIBRARIES:= kernel32.lib user32.lib
+
+CFLAGS:=/permissive- /DNDEBUG /DUNICODE /D_UNICODE /Iinclude /W1 /Gy /Gw-  /Ob1 /Ot /Oy /sdl- /Zo-
+#link must come after filenames and Cflags
+LDFLAGS:=/DEBUG:NONE /DYNAMICBASE /GUARD:NO /MANIFEST:EMBED /OPT:NOREF /SUBSYSTEM:WINDOWS
+
+#out of tree optimizer passes
+LLVMOPT:=
+
+WINSDK:=/winsdkdir /opt/winsdk/sdk
+VCTOOL:=/vctoolsdir /opt/winsdk/crt
+
+WINSDKLINK:=/winsdkdir:/opt/winsdk/sdk
+VCTOOLLINK:=/vctoolsdir:/opt/winsdk/crt
+
+SRC:= $(wildcard src/*.c)
+SRC += $(wildcard src/*.cpp)
+
+ifneq ($(filter obfbogus,$(MAKECMDGOALS)),)
+LLVMOPT+= -Xclang -fpass-plugin=$(LLVMPASSDIR)/libBogusControlFlow.so
+endif
+
+ifneq ($(filter obfflat,$(MAKECMDGOALS)),)
+LLVMOPT+= -Xclang -fpass-plugin=$(LLVMPASSDIR)/libFlattening.so
+endif
+
+ifneq ($(filter obfindirect,$(MAKECMDGOALS)),)
+LLVMOPT+= -Xclang -fpass-plugin=$(LLVMPASSDIR)/libIndirectCall.so
+endif
+
+ifneq ($(filter obfmba,$(MAKECMDGOALS)),)
+LLVMOPT+= -Xclang -fpass-plugin=$(LLVMPASSDIR)/libMBAObfuscation.so
+endif
+
+ifneq ($(filter obfstr,$(MAKECMDGOALS)),)
+LLVMOPT+= -Xclang -fpass-plugin=$(LLVMPASSDIR)/libStringObfuscation.so
+endif
+
+ifneq ($(filter 32bit,$(MAKECMDGOALS)),)
+CFLAGS+= -m32
+OBJDIR:=$(BASEOBJDIR)32
+OUTPUTNAME:=$(OUTPUTNAME)_32
+else
+OBJDIR:=$(BASEOBJDIR)64
+OUTPUTNAME:=$(OUTPUTNAME)_64
+endif
+
+OBJFILES_C:= $(SRC:src/%.c=$(OBJDIR)/%.obj)
+OBJFILES:=$(OBJFILES_C:src/%.cpp=$(OBJDIR)/%.obj)
+
+all: build
+
+# Pattern rule for .c files
+$(OBJDIR)/%.obj: src/%.c
+	$(CC) $(WINSDK) $(VCTOOL) $(LLVMOPT) $< $(CFLAGS) /c /Fo$@
+
+# Pattern rule for .cpp files (if you have C++ sources)
+$(OBJDIR)/%.obj: src/%.cpp
+	$(CC) $(WINSDK) $(VCTOOL) $(LLVMOPT) $< $(CFLAGS) /std:c++17 /c /Fo$@
+
+
+build: setup $(OBJFILES)
+	$(LLD) $(WINSDKLINK) $(VCTOOLLINK) $(OBJFILES) $(LDFLAGS) /OUT:$(OUTPUTDIR)/$(OUTPUTNAME)$(OUTPUTEXT)  $(LIBRARIES) 
+
+print-src:
+	@echo $(SRC)
+
+print-obj:
+	@echo $(OBJFILES_C)
+
+.PHONY: setup obfflat obfindirect obfmba obfstr 32bit obfbogus
+
+setup:
+	mkdir -p $(BASEOBJDIR)32
+	mkdir -p $(BASEOBJDIR)64
+	mkdir -p bin
+
+all-tests:
+	make part-clean
+	make all obfbogus
+	mv $(OUTPUTDIR)/$(OUTPUTNAME)$(OUTPUTEXT) $(OUTPUTDIR)/$(OUTPUTNAME)_bogus$(OUTPUTEXT)
+	make part-clean
+	make all obfflat
+	mv $(OUTPUTDIR)/$(OUTPUTNAME)$(OUTPUTEXT) $(OUTPUTDIR)/$(OUTPUTNAME)_flat$(OUTPUTEXT)
+	make part-clean
+	make all obfindirect
+	mv $(OUTPUTDIR)/$(OUTPUTNAME)$(OUTPUTEXT) $(OUTPUTDIR)/$(OUTPUTNAME)_indirect$(OUTPUTEXT)
+	make part-clean
+	make all obfmba
+	mv $(OUTPUTDIR)/$(OUTPUTNAME)$(OUTPUTEXT) $(OUTPUTDIR)/$(OUTPUTNAME)_mba$(OUTPUTEXT)
+	make part-clean
+	make all obfstr
+	mv $(OUTPUTDIR)/$(OUTPUTNAME)$(OUTPUTEXT) $(OUTPUTDIR)/$(OUTPUTNAME)_str$(OUTPUTEXT)
+	make part-clean
+	make all obfbogus obfflat obfindirect obfmba obfstr
+	mv $(OUTPUTDIR)/$(OUTPUTNAME)$(OUTPUTEXT) $(OUTPUTDIR)/$(OUTPUTNAME)_all$(OUTPUTEXT)
+	make part-clean
+	make all
+	make part-clean
+
+
+part-clean:
+	rm -f $(BASEOBJDIR)32/*
+	rm -f $(BASEOBJDIR)64/*
+
+
+clean:
+	rm -f $(BASEOBJDIR)32/*
+	rm -f $(BASEOBJDIR)64/*
+	rm -f bin/*
+
+
+
diff --git a/goodware/MessageBox_Only/readme.md b/goodware/MessageBox_Only/readme.md
@@ -0,0 +1 @@
+I wrote this code
diff --git a/goodware/MessageBox_Only/src/test.cpp b/goodware/MessageBox_Only/src/test.cpp
@@ -0,0 +1,12 @@
+#include <Windows.h>
+
+int  WinMain(
+  [in]           HINSTANCE hInstance,
+  [in, optional] HINSTANCE hPrevInstance,
+  [in]           LPSTR     lpCmdLine,
+  [in]           int       nShowCmd
+)
+{
+    MessageBoxA(NULL, "Test compile1", "Test compile", 0);
+    return 0;   
+}
diff --git a/goodware/aes256/include/aes.h b/goodware/aes256/include/aes.h
@@ -0,0 +1,125 @@
+/*********************************************************************
+* Filename:   aes.h
+* Author:     Brad Conte (brad AT bradconte.com)
+* Copyright:
+* Disclaimer: This code is presented "as is" without any guarantees.
+* Details:    Defines the API for the corresponding AES implementation.
+*********************************************************************/
+
+#ifndef AES_H
+#define AES_H
+
+/*************************** HEADER FILES ***************************/
+#include <stddef.h>
+
+/****************************** MACROS ******************************/
+#define AES_BLOCK_SIZE 16               // AES operates on 16 bytes at a time
+
+/**************************** DATA TYPES ****************************/
+typedef unsigned char BYTE;            // 8-bit byte
+typedef unsigned int WORD;             // 32-bit word, change to "long" for 16-bit machines
+
+/*********************** FUNCTION DECLARATIONS **********************/
+///////////////////
+// AES
+///////////////////
+// Key setup must be done before any AES en/de-cryption functions can be used.
+void aes_key_setup(const BYTE key[],          // The key, must be 128, 192, or 256 bits
+                   WORD w[],                  // Output key schedule to be used later
+                   int keysize);              // Bit length of the key, 128, 192, or 256
+
+void aes_encrypt(const BYTE in[],             // 16 bytes of plaintext
+                 BYTE out[],                  // 16 bytes of ciphertext
+                 const WORD key[],            // From the key setup
+                 int keysize);                // Bit length of the key, 128, 192, or 256
+
+void aes_decrypt(const BYTE in[],             // 16 bytes of ciphertext
+                 BYTE out[],                  // 16 bytes of plaintext
+                 const WORD key[],            // From the key setup
+                 int keysize);                // Bit length of the key, 128, 192, or 256
+
+///////////////////
+// AES - CBC
+///////////////////
+int aes_encrypt_cbc(const BYTE in[],          // Plaintext
+                    size_t in_len,            // Must be a multiple of AES_BLOCK_SIZE
+                    BYTE out[],               // Ciphertext, same length as plaintext
+                    const WORD key[],         // From the key setup
+                    int keysize,              // Bit length of the key, 128, 192, or 256
+                    const BYTE iv[]);         // IV, must be AES_BLOCK_SIZE bytes long
+
+int aes_decrypt_cbc(const BYTE in[], size_t in_len, BYTE out[], const WORD key[], int keysize, const BYTE iv[]);
+
+// Only output the CBC-MAC of the input.
+int aes_encrypt_cbc_mac(const BYTE in[],      // plaintext
+                        size_t in_len,        // Must be a multiple of AES_BLOCK_SIZE
+                        BYTE out[],           // Output MAC
+                        const WORD key[],     // From the key setup
+                        int keysize,          // Bit length of the key, 128, 192, or 256
+                        const BYTE iv[]);     // IV, must be AES_BLOCK_SIZE bytes long
+
+///////////////////
+// AES - CTR
+///////////////////
+void increment_iv(BYTE iv[],                  // Must be a multiple of AES_BLOCK_SIZE
+                  int counter_size);          // Bytes of the IV used for counting (low end)
+
+void aes_encrypt_ctr(const BYTE in[],         // Plaintext
+                     size_t in_len,           // Any byte length
+                     BYTE out[],              // Ciphertext, same length as plaintext
+                     const WORD key[],        // From the key setup
+                     int keysize,             // Bit length of the key, 128, 192, or 256
+                     const BYTE iv[]);        // IV, must be AES_BLOCK_SIZE bytes long
+
+void aes_decrypt_ctr(const BYTE in[],         // Ciphertext
+                     size_t in_len,           // Any byte length
+                     BYTE out[],              // Plaintext, same length as ciphertext
+                     const WORD key[],        // From the key setup
+                     int keysize,             // Bit length of the key, 128, 192, or 256
+                     const BYTE iv[]);        // IV, must be AES_BLOCK_SIZE bytes long
+
+///////////////////
+// AES - CCM
+///////////////////
+// Returns True if the input parameters do not violate any constraint.
+int aes_encrypt_ccm(const BYTE plaintext[],              // IN  - Plaintext.
+                    WORD plaintext_len,                  // IN  - Plaintext length.
+                    const BYTE associated_data[],        // IN  - Associated Data included in authentication, but not encryption.
+                    unsigned short associated_data_len,  // IN  - Associated Data length in bytes.
+                    const BYTE nonce[],                  // IN  - The Nonce to be used for encryption.
+                    unsigned short nonce_len,            // IN  - Nonce length in bytes.
+                    BYTE ciphertext[],                   // OUT - Ciphertext, a concatination of the plaintext and the MAC.
+                    WORD *ciphertext_len,                // OUT - The length of the ciphertext, always plaintext_len + mac_len.
+                    WORD mac_len,                        // IN  - The desired length of the MAC, must be 4, 6, 8, 10, 12, 14, or 16.
+                    const BYTE key[],                    // IN  - The AES key for encryption.
+                    int keysize);                        // IN  - The length of the key in bits. Valid values are 128, 192, 256.
+
+// Returns True if the input parameters do not violate any constraint.
+// Use mac_auth to ensure decryption/validation was preformed correctly.
+// If authentication does not succeed, the plaintext is zeroed out. To overwride
+// this, call with mac_auth = NULL. The proper proceedure is to decrypt with
+// authentication enabled (mac_auth != NULL) and make a second call to that
+// ignores authentication explicitly if the first call failes.
+int aes_decrypt_ccm(const BYTE ciphertext[],             // IN  - Ciphertext, the concatination of encrypted plaintext and MAC.
+                    WORD ciphertext_len,                 // IN  - Ciphertext length in bytes.
+                    const BYTE assoc[],                  // IN  - The Associated Data, required for authentication.
+                    unsigned short assoc_len,            // IN  - Associated Data length in bytes.
+                    const BYTE nonce[],                  // IN  - The Nonce to use for decryption, same one as for encryption.
+                    unsigned short nonce_len,            // IN  - Nonce length in bytes.
+                    BYTE plaintext[],                    // OUT - The plaintext that was decrypted. Will need to be large enough to hold ciphertext_len - mac_len.
+                    WORD *plaintext_len,                 // OUT - Length in bytes of the output plaintext, always ciphertext_len - mac_len .
+                    WORD mac_len,                        // IN  - The length of the MAC that was calculated.
+                    int *mac_auth,                       // OUT - TRUE if authentication succeeded, FALSE if it did not. NULL pointer will ignore the authentication.
+                    const BYTE key[],                    // IN  - The AES key for decryption.
+                    int keysize);                        // IN  - The length of the key in BITS. Valid values are 128, 192, 256.
+
+///////////////////
+// Test functions
+///////////////////
+int aes_test();
+int aes_ecb_test();
+int aes_cbc_test();
+int aes_ctr_test();
+int aes_ccm_test();
+
+#endif   // AES_H