
crimson-forge's Introduction


Crimson Forge

Crimson Forge intends to provide sustainable evasion capabilities for native code on the x86 and AMD64 architectures. It achieves this by rewriting the input code using the following two techniques:

Shuffling: Instructions are shuffled into a new order at the basic block level. Only orderings that preserve the data dependencies between the instructions of a block are valid, which is what makes this a reliable technique; it does not change the size of the resulting binary.

Alterations: Instructions are swapped with functionally equivalent sequences, effectively de-optimizing them. The new instructions are inserted into the same graph used by the Shuffling technique, so they can be reordered as well. Unlike Shuffling, this changes the size of the output.

Because the rewriting happens ahead of time, the processed shellcode does not decode or patch itself at run time and therefore does not need to reside in writable memory. This avoids a very common pattern, memory that is both writable and executable (RWX), which many AV and EDR products identify as malicious.
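The following is an added illustration of the two techniques, written for this page and not code from the Crimson Forge project. It models a basic block as a dependency graph over a toy instruction subset, generates random topological orders of that graph (Shuffling), splices de-optimised equivalents into the same graph (Alterations), and checks every rewrite against the original on a tiny register machine. The instruction subset, the substitution table (mov r, imm to push imm; pop r, and mov r1, r2 to lea r1, [r2]) and the input block are all constructed for the example; they are not the project's actual rules.

```python
"""Toy model of block-level shuffling and alterations (added example, not code from
the Crimson Forge project).  Instructions in a basic block form a dependency graph;
any topological order is a legal shuffle, and an alteration splices equivalent
instructions into that same graph.  A tiny register machine checks each rewrite."""
import random
from dataclasses import dataclass

REGS = ("eax", "ebx", "ecx", "edx", "esp")

@dataclass(frozen=True)
class Insn:
    text: str
    reads: frozenset   # resources consumed: registers, "flags", "stack"
    writes: frozenset  # resources produced

def parse(text):
    op, rest = text.split(None, 1)
    return op, [a.strip() for a in rest.split(",")]

def classify(text):
    """Read/write sets for the few mnemonics the toy understands."""
    op, args = parse(text)
    reg = lambda a: {a} if a in REGS else set()
    if op == "mov":
        return Insn(text, frozenset(reg(args[1])), frozenset({args[0]}))
    if op == "lea":           # lea dst, [src]: address arithmetic, flags untouched
        return Insn(text, frozenset(reg(args[1].strip("[]"))), frozenset({args[0]}))
    if op in ("add", "xor"):  # reads both operands, clobbers the flags
        return Insn(text, frozenset({args[0]} | reg(args[1])), frozenset({args[0], "flags"}))
    if op == "push":
        return Insn(text, frozenset(reg(args[0]) | {"esp"}), frozenset({"esp", "stack"}))
    if op == "pop":
        return Insn(text, frozenset({"esp", "stack"}), frozenset({args[0], "esp"}))
    raise ValueError("unsupported instruction: " + text)

def shuffle(block, rng):
    """Random topological order of the block's dependency graph (Kahn's algorithm)."""
    n = len(block)
    preds = {j: {i for i in range(j)
                 if block[i].writes & block[j].reads       # read-after-write
                 or block[i].reads & block[j].writes       # write-after-read
                 or block[i].writes & block[j].writes}     # write-after-write
             for j in range(n)}
    done, order = set(), []
    while len(order) < n:
        j = rng.choice([j for j in range(n) if j not in done and preds[j] <= done])
        done.add(j)
        order.append(block[j])
    return order

def alter(block, rng=None):
    """Replace 'mov' with a de-optimised equivalent (constructed substitution table).
    rng=None alters every eligible instruction; otherwise each with probability 1/2."""
    out = []
    for insn in block:
        op, args = parse(insn.text)
        if op == "mov" and (rng is None or rng.random() < 0.5):
            dst, src = args
            if src in REGS:   # mov r1, r2  ->  lea r1, [r2]
                out.append(classify(f"lea {dst}, [{src}]"))
            else:             # mov r, imm  ->  push imm ; pop r  (two nodes in the graph)
                out += [classify(f"push {src}"), classify(f"pop {dst}")]
        else:
            out.append(insn)
    return out

def run(block):
    """Execute on a toy 32-bit machine; the flags are reduced to ZF for brevity."""
    regs = dict.fromkeys(REGS, 0)
    regs["esp"], stack, zf = 0x1000, {}, None
    val = lambda a: regs[a] if a in REGS else int(a, 0)
    for insn in block:
        op, args = parse(insn.text)
        if op in ("mov", "lea"):
            regs[args[0]] = val(args[1].strip("[]"))
        elif op == "add":
            regs[args[0]] = (regs[args[0]] + val(args[1])) & 0xFFFFFFFF
            zf = regs[args[0]] == 0
        elif op == "xor":
            regs[args[0]] ^= val(args[1])
            zf = regs[args[0]] == 0
        elif op == "push":
            regs["esp"] -= 4
            stack[regs["esp"]] = val(args[0])
        elif op == "pop":
            regs[args[0]] = stack.pop(regs["esp"])
            regs["esp"] += 4
    return {"eax": regs["eax"], "ebx": regs["ebx"], "ecx": regs["ecx"], "edx": regs["edx"], "zf": zf}

def rewrite_and_verify(block, seed=0, rounds=50):
    """Produce `rounds` rewrites, check each against the original, count distinct ones."""
    rng, expected, variants = random.Random(seed), run(block), set()
    for _ in range(rounds):
        variant = shuffle(alter(block, rng), rng)
        if run(variant) != expected:
            raise AssertionError("rewrite changed semantics: " + "; ".join(i.text for i in variant))
        variants.add(tuple(i.text for i in variant))
    return expected, len(variants)

# Constructed input block (not a real payload).
BLOCK = [classify(t) for t in ("mov eax, 0x10", "mov ebx, 0x20", "add eax, ebx",
                               "mov ecx, eax", "xor edx, edx", "add edx, 0x30", "add ecx, edx")]

if __name__ == "__main__":
    expected, distinct = rewrite_and_verify(BLOCK, seed=1, rounds=100)
    print(f"{distinct} distinct rewrites, all ending in {expected}")
```

The equivalence check is only as strong as the machine model. Every substitution must match the original's effect on every resource the graph tracks, flags included: inc eax is not a drop-in for add eax, 1 (inc leaves CF unchanged), and xor eax, eax is not a drop-in for mov eax, 0 (xor writes the flags, mov does not). The model above reduces the flags to ZF, so a substitution that differs only in CF or OF would pass here and fail on hardware.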

Installation

See INSTALL.md for installation instructions.

Getting Started

Once installed, use the primary command line interface at ./crimson-forge. The help menu documents each option. Basic usage consists of specifying an architecture (-a, e.g. amd64 or x86), an input file, and an output file. By default both the input and output files are expected to be raw shellcode, not executable files such as EXEs. Use the --format and --output-format options to specify the input and output data formats respectively; --output-format may be given multiple times to emit several formats from one run. Arguments can also be placed in a file, one per line, and passed with the syntax ./crimson-forge @file/with/args.txt; see data/common-arguments.txt for an example.

Known Limitations

Unstaged Payloads: Unstaged payloads as generated by the Metasploit Framework are currently not functional because of constraints imposed by their file format.

Tainted References: Certain payloads retrieve a reference to their own location in memory and then apply a static offset to it, for example to reach data embedded after the code. Alterations insert instructions and so change the distance between the reference point and its target, and Crimson Forge has no way to know which static offsets carry that meaning. It attempts to identify instances where this occurs and, when it finds one, disables Alterations altogether so that a functional output is still produced. Disabling Alterations, however, limits the capability to generate unique binaries.
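As an added illustration of what "tainted" means here, the following toy detector is written for this page and is not the project's code (the page's own stack traces show that Crimson Forge does this with symbolic execution in angr). It tracks which registers hold an address derived from the code's own location, via the call/pop GetPC idiom on x86 or a rip-relative lea on AMD64, and reports every static offset applied to such a register. The sample blocks are constructed for the example; the matching rules are deliberately simple pattern rules, not the project's analysis.

```python
"""Toy tainted-self-reference detector (added example, not Crimson Forge code).  A
register is 'tainted' once it holds an address derived from the code's own location;
adding a static offset to it is the pattern that breaks when Alterations insert bytes."""
import re

def parse(text):
    op, _, rest = text.partition(" ")
    return op, [a.strip() for a in rest.split(",")] if rest else []

def is_imm(arg):
    return re.fullmatch(r"-?(0x[0-9a-fA-F]+|\d+)", arg) is not None

def find_tainted_self_references(block):
    """Return (index, instruction) for every static offset applied to a code pointer."""
    tainted, findings, pc_on_stack = set(), [], False
    for idx, text in enumerate(block):
        op, args = parse(text)
        dst = args[0] if args else None
        if op == "call":
            pc_on_stack = True               # return address (a code pointer) is now on top
        elif op == "pop":
            (tainted.add if pc_on_stack else tainted.discard)(dst)
            pc_on_stack = False
        elif op == "push":
            pc_on_stack = False              # something else now sits on top of the stack
        elif op == "lea" and re.search(r"\[(eip|rip)[+-]", args[1].replace(" ", "")):
            tainted.add(dst)                 # rip-relative: the displacement is the offset
            findings.append((idx, text))
        elif op in ("add", "sub") and dst in tainted and is_imm(args[1]):
            findings.append((idx, text))     # code pointer +/- constant: breaks on insertion
        elif op == "mov":
            (tainted.add if args[1] in tainted else tainted.discard)(dst)
        elif op in ("xor", "sub") and args[1] == dst:
            tainted.discard(dst)             # zeroing idiom kills the taint
    return findings

# Constructed sample blocks (not real payloads).
GETPC_X86 = ["call $+5", "pop ebx", "add ebx, 0x2a", "push ebx", "call eax"]
RIPREL_AMD64 = ["lea rcx, [rip + 0x41]", "xor rdx, rdx", "call rax"]
COPIED_X86 = ["call $+5", "pop eax", "mov esi, eax", "sub esi, 0x10"]
CLEAN = ["xor ebx, ebx", "mov eax, 0x100", "add eax, 4", "mov ebx, eax", "push ebx"]

if __name__ == "__main__":
    for name, blk in [("getpc", GETPC_X86), ("riprel", RIPREL_AMD64),
                      ("copied", COPIED_X86), ("clean", CLEAN)]:
        print(name, find_tainted_self_references(blk))
```

A real analysis has to follow the value through memory and arithmetic rather than through a fixed list of mnemonics, which is why symbolic execution is the right tool for it; what this toy shows is the decision the tool has to make, namely that once a static offset is applied to a self reference, inserting bytes anywhere between the reference point and its target silently corrupts the payload.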

Encoded Payloads: All encoding modules within the Metasploit Framework require the shellcode to be placed in memory with Read, Write and Execute (RWX) permissions, because the decoder stub rewrites the payload in place at run time. This defeats the purpose of Crimson Forge. See also Tainted References: decoder stubs locate the encoded bytes relative to their own address.

Overlapping Instructions: In certain, largely theoretical, scenarios instructions may overlap with one another: one instruction jumps or calls to an address inside the bytes of another instruction. The block-level analysis assumes the instruction boundaries of a linear decode, so it would be misaligned with the bytes that actually execute.

In the following example the jump lands inside the immediate of the mov, so the flow of execution is jmp $+3 followed by the instructions hidden in that immediate (its bytes 00 00 ff c0 decode as add byte [eax], al and then inc eax), rather than the mov that is written.

jmp  $+3
mov  eax, 0xc0ff0000
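The following is an added example for this page (not code from the Crimson Forge project) that makes the misalignment visible. It decodes the listing's bytes twice: once linearly, the way the listing reads, and once by following control flow, the way the CPU executes them, and reports every executed instruction whose start lies inside a linearly decoded one. The decoder knows only the handful of opcodes this example needs and the byte string is constructed from the listing above.

```python
"""Why a jump into the middle of an instruction misaligns block-level analysis
(added example, not Crimson Forge code).  A linear sweep decodes the bytes the way
the listing reads; following control flow decodes what the CPU actually executes."""

# Constructed bytes for the listing: jmp $+3 ; mov eax, 0xc0ff0000 ; ret
CODE = bytes.fromhex("eb01" "b80000ffc0" "c3")

def decode(code, off):
    """Return (length, text, successor offsets) for the instruction at `off`."""
    b = code[off]
    if b == 0xEB:                                  # jmp rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return 2, f"jmp ${rel + 2:+d}", [off + 2 + rel]
    if b == 0xB8:                                  # mov eax, imm32
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return 5, f"mov eax, {imm:#x}", [off + 5]
    if code[off:off + 2] == b"\x00\x00":           # add byte [eax], al
        return 2, "add byte [eax], al", [off + 2]
    if code[off:off + 2] == b"\xff\xc0":           # inc eax
        return 2, "inc eax", [off + 2]
    if b == 0xC3:                                  # ret: no successors
        return 1, "ret", []
    raise ValueError(f"opcode {b:#04x} at {off:#x} not in this toy decoder")

def linear_sweep(code):
    """Decode front to back, as the listing (and a naive block splitter) would."""
    out, off = [], 0
    while off < len(code):
        length, text, _ = decode(code, off)
        out.append((off, text))
        off += length
    return out

def recursive_traversal(code, entry=0):
    """Decode only what is reachable by following control flow from `entry`."""
    seen, work, out = set(), [entry], []
    while work:
        off = work.pop()
        if off in seen or off >= len(code):
            continue
        seen.add(off)
        length, text, succ = decode(code, off)
        out.append((off, text))
        work.extend(succ)
    return sorted(out)

def find_overlaps(code, entry=0):
    """Executed instructions whose start lies strictly inside a linearly decoded one.
    Returns (executed offset, offset of the linear instruction that swallows it)."""
    spans = [(off, off + decode(code, off)[0]) for off, _ in linear_sweep(code)]
    return [(off, start) for off, _ in recursive_traversal(code, entry)
            for start, end in spans if start < off < end]

if __name__ == "__main__":
    print("listing :", linear_sweep(CODE))
    print("executed:", recursive_traversal(CODE))
    print("overlaps:", find_overlaps(CODE))
```

Any rewriter that shuffles or replaces the mov as one unit would destroy the add and inc that really execute, which is why overlapping instructions have to be detected before a block is rewritten rather than repaired afterwards.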

Technical Documentation

The technical documentation of the internal API can be built with Sphinx using the following command:

sphinx-build -a -E -v -b html docs/source docs/html

Credits

Crimson Forge was originally designed and developed by RSM US LLP in Q1 of 2019 as part of an offensive security research and development initiative.


crimson-forge's Issues

Pipenv fails to install several dependencies

When installing crimson-forge via pipenv a couple of dependencies fail to install. See below for the full commands and terminal output.
OS: Fedora 31 (virtual machine)
Branch: master
Pipenv version: 2018.11.26

Pipfile.lock not found, creating…
Locking [dev-packages] dependencies…
✔ Success! 
Locking [packages] dependencies…
✔ Success! 
Updated Pipfile.lock (3cd13f)!
Installing dependencies from Pipfile.lock (3cd13f)…
An error occurred while installing angr==8.19.4.5 --hash=sha256:386efa0b110883059e5bf195fea25223a859d42075e60582ed95bb64ad7086fa --hash=sha256:3b24763494f85d1af600eb39fae6e42f0fa4583dfd8f17c069c62c6bda5e9a56 --hash=sha256:87f271fe749395cb772dda135e5e458db8d9cc49d724597e0e0f7c70d2a96380 --hash=sha256:b3bbcbc0fc140146f076c087d4efc8681ac579e46251d5ff8b086249a3fddf1c --hash=sha256:d8c94e27dc1a017e5fe39034b8f6af53527fbf44509a81b09dd93f79af56a2f7! Will try again.
An error occurred while installing psutil==5.6.7 --hash=sha256:094f899ac3ef72422b7e00411b4ed174e3c5a2e04c267db6643937ddba67a05b --hash=sha256:10b7f75cc8bd676cfc6fa40cd7d5c25b3f45a0e06d43becd7c2d2871cbb5e806 --hash=sha256:1b1575240ca9a90b437e5a40db662acd87bbf181f6aa02f0204978737b913c6b --hash=sha256:21231ef1c1a89728e29b98a885b8e0a8e00d09018f6da5cdc1f43f988471a995 --hash=sha256:28f771129bfee9fc6b63d83a15d857663bbdcae3828e1cb926e91320a9b5b5cd --hash=sha256:70387772f84fa5c3bb6a106915a2445e20ac8f9821c5914d7cbde148f4d7ff73 --hash=sha256:b560f5cd86cf8df7bcd258a851ca1ad98f0d5b8b98748e877a0aec4e9032b465 --hash=sha256:b74b43fecce384a57094a83d2778cdfc2e2d9a6afaadd1ebecb2e75e0d34e10d --hash=sha256:e85f727ffb21539849e6012f47b12f6dd4c44965e56591d8dec6e8bc9ab96f4a --hash=sha256:fd2e09bb593ad9bdd7429e779699d2d47c1268cbde4dda95fcd1bd17544a0217 --hash=sha256:ffad8eb2ac614518bbe3c0b8eb9dffdb3a8d2e3a7d5da51c5b974fb723a5c5aa! Will try again.
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 45/45 — 00:00:30
An error occurred while installing unicorn==1.0.1 --hash=sha256:2a0a43ebf73da8e79e91e89b4e72ab2413a410167db4dff25008721ec117cda1 --hash=sha256:3a8ad7a7f4be7583e77ca2f7f921a26081eb4987a37afbd8c91850eb6a8a673c --hash=sha256:66bada80960b2d7da45408acd10d2ea8fdf2c51781543d4e9401d10480b6a574 --hash=sha256:6f25eef8119620d54cf17472be7fbd3566143a72ff5ff5a6e3639171e026ab28 --hash=sha256:7e827ac975f5f1ad0022009df22c6af7db7e5229e7878835ee059d4dc16217c4! Will try again.
An error occurred while installing z3-solver==4.5.1.0.post2 --hash=sha256:474a22a1c6b26a89fc0fe563a9e0738bf1ff6b6f645f3b1d7a4beda18b3f44bc --hash=sha256:6b10b317f056890a341304071fb3ab220f0adb2c87439a04eba9e69028a7e3ff --hash=sha256:c185d05d236c6c9756e914756c73f797cb618d81b42e694166639cce5bcfdb1f --hash=sha256:c802dbe5368743dd30dd2a684c15b83b17c3c95df54b66f97611a5988ae0f696 --hash=sha256:cf57c53f1e366f3f6bc806fd83ad288b9c82ee8d2bbdfdc64d53767aaf500209 --hash=sha256:e41001b7f43ecb9eb9bedf6762bd0e002561590487cc78c0b48f608a85ce02ac --hash=sha256:f472f1d0d04856cfaf15d0ebab5ff39b2b1bc09b2f4d2119c0ba0540121b5265! Will try again.
Installing initially failed dependencies…
  ☤  ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 4/4 — 00:00:15
[pipenv.exceptions.InstallError]: ['Collecting angr==8.19.4.5', '  Using cached angr-8.19.4.5.tar.gz (834 kB)']
[pipenv.exceptions.InstallError]: ['ERROR: Command errored out with exit status 1:', '     command: /root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/bin/python3 -c \'import sys, setuptools, tokenize; sys.argv[0] = \'"\'"\'/tmp/pip-install-qya89nsb/angr/setup.py\'"\'"\'; __file__=\'"\'"\'/tmp/pip-install-qya89nsb/angr/setup.py\'"\'"\';f=getattr(tokenize, \'"\'"\'open\'"\'"\', open)(__file__);code=f.read().replace(\'"\'"\'\\r\\n\'"\'"\', \'"\'"\'\\n\'"\'"\');f.close();exec(compile(code, __file__, \'"\'"\'exec\'"\'"\'))\' egg_info --egg-base /tmp/pip-install-qya89nsb/angr/pip-egg-info', '         cwd: /tmp/pip-install-qya89nsb/angr/', '    Complete output (49 lines):', '      ERROR: Command errored out with exit status 1:', '       command: /root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/bin/python3 -u -c \'import sys, setuptools, tokenize; sys.argv[0] = \'"\'"\'/tmp/pip-wheel-ieobx12r/unicorn/setup.py\'"\'"\'; __file__=\'"\'"\'/tmp/pip-wheel-ieobx12r/unicorn/setup.py\'"\'"\';f=getattr(tokenize, \'"\'"\'open\'"\'"\', open)(__file__);code=f.read().replace(\'"\'"\'\\r\\n\'"\'"\', \'"\'"\'\\n\'"\'"\');f.close();exec(compile(code, __file__, \'"\'"\'exec\'"\'"\'))\' bdist_wheel -d /tmp/pip-wheel-0kjxuj80', '           cwd: /tmp/pip-wheel-ieobx12r/unicorn/', '      Complete output (12 lines):', '      running bdist_wheel', '      running build', '      Building C extensions', '      cd qemu && \\', '      ./configure --cc="cc" --extra-cflags="-DUNICORN_HAS_X86 -DUNICORN_HAS_ARM -DUNICORN_HAS_ARMEB -DUNICORN_HAS_M68K -DUNICORN_HAS_ARM64 -DUNICORN_HAS_MIPS -DUNICORN_HAS_MIPSEL -DUNICORN_HAS_MIPS64 -DUNICORN_HAS_MIPS64EL -DUNICORN_HAS_SPARC -fPIC -fvisibility=hidden" --target-list="x86_64-softmmu, arm-softmmu, armeb-softmmu, m68k-softmmu, aarch64-softmmu, mips-softmmu, mipsel-softmmu, mips64-softmmu, mips64el-softmmu, sparc-softmmu,sparc64-softmmu,"', '    ', "      ERROR: Cannot use 'python', Python 2.4 or later is required.", '             Note that Python 3 or 
later is not yet supported.', '             Use --python=/path/to/python to specify a supported Python.', '    ', '      make: *** [Makefile:214: qemu/config-host.h-timestamp] Error 1', "      error: [Errno 2] No such file or directory: 'libunicorn.so'", '      ----------------------------------------', '      ERROR: Failed building wheel for unicorn', '    ERROR: Failed to build one or more wheels', '    Traceback (most recent call last):', '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/setuptools/installer.py", line 128, in fetch_build_egg', '        subprocess.check_call(cmd)', '      File "/usr/lib64/python3.7/subprocess.py", line 363, in check_call', '        raise CalledProcessError(retcode, cmd)', "    subprocess.CalledProcessError: Command '['/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/bin/python3', '-m', 'pip', '--disable-pip-version-check', 'wheel', '--no-deps', '-w', '/tmp/tmpn_kayssz', '--quiet', 'unicorn']' returned non-zero exit status 1.", '    ', '    During handling of the above exception, another exception occurred:', '    ', '    Traceback (most recent call last):', '      File "<string>", line 1, in <module>', '      File "/tmp/pip-install-qya89nsb/angr/setup.py", line 149, in <module>', "        'angr': ['lib/*']", '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/setuptools/__init__.py", line 144, in setup', '        _install_setup_requires(attrs)', '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/setuptools/__init__.py", line 139, in _install_setup_requires', '        dist.fetch_build_eggs(dist.setup_requires)', '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/setuptools/dist.py", line 721, in fetch_build_eggs', '        replace_conflicting=True,', '      File 
"/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/pkg_resources/__init__.py", line 783, in resolve', '        replace_conflicting=replace_conflicting', '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/pkg_resources/__init__.py", line 1066, in best_match', '        return self.obtain(req, installer)', '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/pkg_resources/__init__.py", line 1078, in obtain', '        return installer(requirement)', '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/setuptools/dist.py", line 777, in fetch_build_egg', '        return fetch_build_egg(self, req)', '      File "/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/lib/python3.7/site-packages/setuptools/installer.py", line 130, in fetch_build_egg', '        raise DistutilsError(str(e))', "    distutils.errors.DistutilsError: Command '['/root/.local/share/virtualenvs/crimson-forge-DIUU_OG7/bin/python3', '-m', 'pip', '--disable-pip-version-check', 'wheel', '--no-deps', '-w', '/tmp/tmpn_kayssz', '--quiet', 'unicorn']' returned non-zero exit status 1.", '    ----------------------------------------', 'ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.']
ERROR: ERROR: Package installation failed...

Update angr Compatibility

Update compatibility with angr. Version 8.19.4.5 breaks compatibility with Crimson Forge by removing the symbolic attribute on an object used by the analysis. While waiting to get to this, angr has been pinned to the previous version of 8.19.2.4 in commit 609497b.

The resulting stack trace while using the incompatible version is:

./crimson-forge -a x86 --format raw files/messagebox.x86.bin   

  ___  _ __ (_) _ __ ___   ___   ___   _ __     / _|  ___   _ __  __ _   ___ 
 / __|| '__|| || '_ ` _ \ / __| / _ \ | '_ \   | |_  / _ \ | '__|/ _` | / _ \
| (__ | |   | || | | | | |\__ \| (_) || | | |  |  _|| (_) || |  | (_| ||  __/
 \___||_|   |_||_| |_| |_||___/ \___/ |_| |_|  |_|   \___/ |_|   \__, | \___|
                                                                 |___/

[*] Crimson-Forge Engine: v0.2.0
[*] Architecture set as: X86
[*] Input hash (SHA-256): 237cf93fedfff54977f5d07c6fc8c4a60272c9aff6e4e02da765e713aa5a9965
[*] Using analysis profile: shellcode (auto-detected)
Traceback (most recent call last):
  File "./crimson-forge", line 36, in <module>
    cli.main()
  File "/home/steiner/Repositories/crimson-forge/crimson_forge/cli.py", line 282, in main
    tainted_self_refs = crimson_forge.analysis.symexec_tainted_self_reference_identification(exec_seg)
  File "/home/steiner/Repositories/crimson-forge/crimson_forge/analysis.py", line 323, in symexec_tainted_self_reference_identification
    return not _simulate_state_recursively(state, collections.deque())
  File "/home/steiner/Repositories/crimson-forge/crimson_forge/analysis.py", line 309, in _simulate_state_recursively
    simgr.step(num_inst=len(blk.instructions))
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/sim_manager.py", line 343, in step
    successors = self.step_state(state, successor_func=successor_func, **run_args)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/sim_manager.py", line 381, in step_state
    successors = self.successors(state, successor_func=successor_func, **run_args)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/sim_manager.py", line 420, in successors
    return self._project.factory.successors(state, **run_args)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/factory.py", line 54, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/vex/engine.py", line 146, in process
    opt_level=opt_level)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/engine.py", line 60, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/vex/engine.py", line 197, in _process
    self._handle_irsb(state, successors, irsb, skip_stmts, last_stmt, whitelist)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/vex/engine.py", line 276, in _handle_irsb
    cont = self._handle_statement(state, successors, stmt)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/vex/engine.py", line 391, in _handle_statement
    exit_data = stmt_handler(self, state, stmt)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/vex/statements/wrtmp.py", line 4, in SimIRStmt_WrTmp
    data = engine.handle_expression(state, stmt.data)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/engines/vex/engine.py", line 462, in handle_expression
    state._inspect('expr', BP_AFTER, expr=expr, expr_result=result)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/sim_state.py", line 329, in _inspect
    self.inspect.action(*args, **kwargs)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/state_plugins/inspect.py", line 249, in action
    bp.fire(self.state)
  File "/home/steiner/.local/share/virtualenvs/crimson-forge-HnuLA3sX/lib/python3.7/site-packages/angr/state_plugins/inspect.py", line 201, in fire
    self.action(state)
  File "/home/steiner/Repositories/crimson-forge/crimson_forge/analysis.py", line 92, in _breakpoint
    handler(state)
  File "/home/steiner/Repositories/crimson-forge/crimson_forge/analysis.py", line 96, in _breakpoint_expr
    if not expr.symbolic:
AttributeError: 'Get' object has no attribute 'symbolic'

Fix the support for source output format.

Fix the support for source output format. Reproduce by running with the --output-format source option.

Traceback (most recent call last):
  File "./crimson-forge", line 36, in <module>
    cli.main()
  File "/home/steiner/Repositories/crimson-forge/crimson_forge/cli.py", line 216, in main
    _handle_output(args, printer, arch, output_data)
  File "/home/steiner/Repositories/crimson-forge/crimson_forge/cli.py", line 119, in _handle_output
    args.output.write(o_exec_seg.to_source().encode('utf-8'))
AttributeError: 'ExecutableSegment' object has no attribute 'to_source'

AttributeError: 'DataBlock' object has no attribute 'instructions'

Traceback (most recent call last):
  File "./crimson-forge", line 36, in <module>
    cli.main()
  File "/home/silburfuchs/tools/crimson-forge/crimson_forge/cli.py", line 280, in main
    tainted_self_refs = crimson_forge.analysis.symexec_tainted_self_reference_identification(exec_seg)
  File "/home/silburfuchs/tools/crimson-forge/crimson_forge/analysis.py", line 322, in symexec_tainted_self_reference_identification
    return not _simulate_state_recursively(state, collections.deque())
  File "/home/silburfuchs/tools/crimson-forge/crimson_forge/analysis.py", line 319, in _simulate_state_recursively
    result = result and _simulate_state_recursively(new_state, history)
  File "/home/silburfuchs/tools/crimson-forge/crimson_forge/analysis.py", line 319, in _simulate_state_recursively
    result = result and _simulate_state_recursively(new_state, history)
  File "/home/silburfuchs/tools/crimson-forge/crimson_forge/analysis.py", line 308, in _simulate_state_recursively
    simgr.step(num_inst=len(blk.instructions))
AttributeError: 'DataBlock' object has no attribute 'instructions'
