Welcome! Slimpack is a toolkit for building AES-NI encrypted file loaders from single-file Linux NASM-syntax assembly language projects.
For example:
```nasm
BITS 64
global _start
_start:
    mov rax, 59         ; sys_execve
    mov rdi, cmd
    mov [arg], rdi      ; argv[0]: command name
    mov rbx, av1
    mov [arg+8], rbx    ; argv[1]
    mov rsi, arg
    mov rdx, 0          ; envp (NULL)
    syscall
    mov rax, 60         ; sys_exit
    syscall
section .data
cmd db '/bin/echo',0
av1 db 'hiya mateys',0
section .bss
arg resq 8
```
(All being well) slimpack will remove the section definitions and build a binary with .text / .data / .bss all together (yes really - the whole thing will run in one big rwx area! :))
The file is then encrypted with AES-NI instructions (AES-128-ECB, "possibly" done correctly: I copied the code from the well-commented GAS-syntax examples at https://github.com/kmcallister/aesni-examples but have done minimal checks for correctness. N.B. ECB is a weaker mode, since identical plaintext blocks produce identical ciphertext blocks, but it is 'good enough' here.)
The loader is then built: a small stub of code that sets up the process to run in rwx memory (via the program header flags), gives itself an area of rwx memory to work in, and does the decryption, fetching the key from one of three locations:
- From stdin: when the loader is run, the user is prompted to enter a 16-character password on stdin. If this is correct, the program executes.
- From a file: when the loader is run, it reads 16 bytes from a chosen offset in some file and uses that as the key.
- Hardcoded: when the loader is run, it reads the key from its own program memory, where it is hardcoded in plaintext.
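One check a defender can run against the layout described above (everything mapped into a single rwx region via the program header flags). This is an added example, not part of Slimpack: it parses ELF64 program headers with only the standard library and flags any PT_LOAD segment that is readable, writable and executable at once, which is rare in normally linked binaries and worth a closer look. The `make_elf` helper and the two sample images are constructed for illustration.

```python
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # little-endian ELF64 file header (64 bytes)
ELF64_PHDR = "<IIQQQQQQ"           # little-endian ELF64 program header (56 bytes)

def rwx_load_segments(data: bytes):
    """Return (index, vaddr, memsz) for every PT_LOAD segment mapped RWX.

    Validates the ELF magic, class and byte order, then walks the program
    header table, stopping early if the table runs past the end of the data.
    """
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(ELF64_EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    hits = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 56 > len(data):
            break  # truncated header table: do not read past the buffer
        p_type, p_flags, _, vaddr, _, _, memsz, _ = struct.unpack_from(ELF64_PHDR, data, off)
        if p_type == PT_LOAD and p_flags & (PF_R | PF_W | PF_X) == (PF_R | PF_W | PF_X):
            hits.append((i, vaddr, memsz))
    return hits

def make_elf(segments):
    """Build a minimal ELF64 image (file header + program headers only).
    `segments` is a list of (p_type, p_flags, vaddr, memsz). Constructed test
    data for the scanner; it is not a runnable executable."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB, version 1
    ehdr = struct.pack(ELF64_EHDR, ident, 2, 62, 1, 0x400078, phoff, 0, 0,
                       64, phentsize, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack(ELF64_PHDR, t, f, 0, v, v, m, m, 0x1000)
                     for t, f, v, m in segments)
    return ehdr + phdrs

# Constructed samples: a conventional layout (r-x text, rw- data) versus a
# loader that maps everything into one rwx region, as described above.
NORMAL = make_elf([(PT_LOAD, PF_R | PF_X, 0x400000, 0x1000),
                   (PT_LOAD, PF_R | PF_W, 0x600000, 0x1000)])
PACKED = make_elf([(PT_LOAD, PF_R | PF_W | PF_X, 0x400000, 0x2000)])

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL), ("packed", PACKED)):
        print(name, rwx_load_segments(blob))
```

To scan a real file, pass `open(path, "rb").read()` to `rwx_load_segments`; an empty list means no RWX loadable segment was found.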
```shell
# First set the chosen method in key.inc and configure the other .inc files if required (e.g. file location/offset etc.)
$ ./rebuild_loader.sh /tmp/input.asm /tmp/build
Removing section attributes from input file
Building input file
Building encrypter
Running encrypter
Building loader
Done
$ strace /tmp/build
execve("/tmp/build", ["/tmp/build"], 0x7ffdf20285a0 /* 58 vars */) = 0
open("/etc/ssh/ssh_host_rsa_key.pub", O_RDONLY) = 3
lseek(3, 72, SEEK_SET) = 72
read(3, "rTmaPkoitYdtRutk", 16) = 16
execve("/bin/echo", ["/bin/echo", "hiya mateys"], NULL) = 0
```
The code is a little rough, especially in the encrypter, as this is something of an unfinished project made for a demo.