Linux bind shell with anti-reverse engineering techniques
Switch branches/tags
Nothing to show
Clone or download
jacob-baines Order matters
Fooling around with Yara, I realized the order of the obfuscations is not right. "cryptor" must be applied after "fakeHeadersXbit" or a negative size for .data is in the fake section headers table is probable.
Latest commit 935bb89 Feb 9, 2017
Permalink
Failed to load latest commit information.
computeChecksums Initial commit Dec 20, 2016
cryptor Initial commit Dec 20, 2016
encryptFunctions Removed build files Dec 20, 2016
fakeHeadersXBit Initial commit Dec 20, 2016
madvise Initial commit Dec 20, 2016
stripBinary Initial commit Dec 20, 2016
trouble Order matters Feb 9, 2017
CMakeLists.txt Initial commit Dec 20, 2016
LICENSE Initial commit Dec 20, 2016
README.md Spelling in README.md Dec 22, 2016

README.md

Don't Panic

This project combines a variety of Linux anti-reverse engineering techniques into one binary. The binary is a bind shell named Trouble. The bind shell requires a password. I've written all about the techniques used in a free book. You can find it on leanpub: https://leanpub.com/anti-reverse-engineering-linux

If you don't want to compile the project yourself then you can find it on VirusTotal:

https://www.virustotal.com/en/file/a39b83850757ca85a4ddd049226662ecf9f3644a29fb862ad27751b090a468b5/analysis/

FAQ

What is the purpose of this repository?

This is intended to be educational. Compile the binary and hand it to your junior reverse engineer. Tell him/her to recover the password to the bind shell. Or tell them to expand the cryptor into something that looks more like a real cryptor. This is an educational tool. No more and no less.

How does this compare to Shiva or Burneye?

I would say that it doesn't. Shiva (whose source was never released as far as I know) and Burneye are real ELF protection tools. This repository only seeks to teach the reader how to program various anti-reversing techniques. Those tools are for real world usage.

Why do I need to use sudo?

Trouble spawns a child that traces the parent process using ptrace(). You can easily remove this logic if you are uncomfortable with it.

Dependencies

The code was written and tested on Ubuntu 16.04 x64. I can't promise it works anywhere else. Furthermore, the project depends on:

  1. musl
  2. cmake

You can install the dependencies with the following command

sudo apt-get install cmake musl-dev musl-tools

Compiling

To compile create a build directory, run cmake, and the type make. For example:

albino-lobster@ubuntu:~/dontpanic$ mkdir build
albino-lobster@ubuntu:~/dontpanic$ cd build/
albino-lobster@ubuntu:~/dontpanic/build$ cmake ..
-- The C compiler identification is GNU 5.4.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- The CXX compiler identification is GNU 5.4.0
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /home/albino-lobster/dontpanic/build
albino-lobster@ubuntu:~/dontpanic/build$ make
Scanning dependencies of target stripBinary
[  5%] Building CXX object stripBinary/CMakeFiles/stripBinary.dir/src/stripBinary.cpp.o
[ 11%] Linking CXX executable stripBinary
[ 11%] Built target stripBinary
Scanning dependencies of target fakeHeadersXBit
[ 16%] Building CXX object fakeHeadersXBit/CMakeFiles/fakeHeadersXBit.dir/src/fakeHeadersXBit.cpp.o
[ 22%] Linking CXX executable fakeHeadersXBit
[ 22%] Built target fakeHeadersXBit
Scanning dependencies of target encryptFunctions
[ 27%] Building CXX object encryptFunctions/CMakeFiles/encryptFunctions.dir/src/encryptFunctions.cpp.o
[ 33%] Building CXX object encryptFunctions/CMakeFiles/encryptFunctions.dir/src/rc4.c.o
[ 38%] Linking CXX executable encryptFunctions
[ 38%] Built target encryptFunctions
Scanning dependencies of target computeChecksums
[ 44%] Building CXX object computeChecksums/CMakeFiles/computeChecksums.dir/src/computeChecksums.cpp.o
[ 50%] Building CXX object computeChecksums/CMakeFiles/computeChecksums.dir/src/crc32.c.o
[ 55%] Linking CXX executable computeChecksums
[ 55%] Built target computeChecksums
Scanning dependencies of target madvise
[ 61%] Building CXX object madvise/CMakeFiles/madvise.dir/src/madvise.cpp.o
[ 66%] Linking CXX executable madvise
[ 66%] Built target madvise
Scanning dependencies of target cryptor
[ 72%] Building CXX object cryptor/CMakeFiles/cryptor.dir/src/cryptor.cpp.o
[ 77%] Linking CXX executable cryptor
[ 77%] Built target cryptor
Scanning dependencies of target addLDS
[ 77%] Built target addLDS
Scanning dependencies of target trouble
[ 83%] Building C object trouble/CMakeFiles/trouble.dir/src/trouble.c.o
[ 88%] Building C object trouble/CMakeFiles/trouble.dir/src/rc4.c.o
[ 94%] Building C object trouble/CMakeFiles/trouble.dir/src/crc32.c.o
[100%] Linking C executable trouble
The bind shell password is: wulg2FZo17WKoZ6e5Eyyet2BNBP1ppRE
1+0 records in
1+0 records out
1 byte copied, 7.5031e-05 s, 13.3 kB/s
[100%] Built target trouble
albino-lobster@ubuntu:~/dontpanic/build$ 

Executing the program

Due to the use of ptrace, you'll neeed to execute with sudo. Otherwise, simply run the "trouble" binary like so:

albino-lobster@ubuntu:~/dontpanic/build$ sudo ./trouble/trouble 
[sudo] password for albino-lobster: 

This will cause the program to begin listening on port 1270.

Connecting to the bind shell

You'll need the bind shell password in order to successfully connect. The password is output when you compile the program. In the output above the bind shell password is "wulg2FZo17WKoZ6e5Eyyet2BNBP1ppRE". Here is an example of connecting to the bindshell:

albino-lobster@ubuntu:~$ nc 127.0.0.1 1270
wulg2FZo17WKoZ6e5Eyyet2BNBP1ppRE
pwd
/home/albino-lobster/dontpanic/build
ls -l
total 60
-rw-rw-r-- 1 albino-lobster albino-lobster 13010 Dec 20 04:08 CMakeCache.txt
drwxrwxr-x 4 albino-lobster albino-lobster  4096 Dec 20 04:08 CMakeFiles
-rw-rw-r-- 1 albino-lobster albino-lobster  7418 Dec 20 04:08 Makefile
-rw-rw-r-- 1 albino-lobster albino-lobster  2050 Dec 20 04:08 cmake_install.cmake
drwxrwxr-x 3 albino-lobster albino-lobster  4096 Dec 20 04:08 computeChecksums
drwxrwxr-x 3 albino-lobster albino-lobster  4096 Dec 20 04:08 cryptor
drwxrwxr-x 3 albino-lobster albino-lobster  4096 Dec 20 04:08 encryptFunctions
drwxrwxr-x 3 albino-lobster albino-lobster  4096 Dec 20 04:08 fakeHeadersXBit
drwxrwxr-x 3 albino-lobster albino-lobster  4096 Dec 20 04:08 madvise
drwxrwxr-x 3 albino-lobster albino-lobster  4096 Dec 20 04:08 stripBinary
drwxrwxr-x 3 albino-lobster albino-lobster  4096 Dec 20 04:08 trouble
exit
albino-lobster@ubuntu:~$

License

BSD-3-Clause