JIT Obfuscation Proof of Concept
In my adventures I came across GNU lightning. Lightning generates assembly at runtime and is great for implementing a just-in-time compiler. A really neat example is this Brainfuck JIT compiler by Erik Dubbelboer.
I thought that was pretty neat and wanted to play with lightning a little. However, I didn't want to code up my own fullblown VM. That would require some serious effort and I'm not that interested. So I wrote this little toy that xor deobfuscates a function in memory using lightning. The the bindshell is the same one I used in my Anti-Reversing Techniques book. You can see more here.
If you don't want to compile the project yourself then you can find it on VirusTotal:
Dependencies
The code was written and tested on Ubuntu 16.04 x64. I can't promise it works anywhere else. Furthermore, the project depends on:
- musl
- cmake
- lightning
You can install musl and cmake the following command
sudo apt-get install cmake musl-dev musl-toolsThere is no package for lightning so you'll have to download and compile it yourself.
Compiling
To compile create a build directory, run cmake, and the type make. For example:
albinolobster@ubuntu:~/jit_obfuscation$ cd build/
albinolobster@ubuntu:~/jit_obfuscation/build$ cmake ..
-- The C compiler identification is GNU 5.4.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- The CXX compiler identification is GNU 5.4.0
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /home/albinolobster/jit_obfuscation/build
albinolobster@ubuntu:~/jit_obfuscation/build$ make
Scanning dependencies of target stripBinary
[ 16%] Building CXX object stripBinary/CMakeFiles/stripBinary.dir/src/stripBinary.cpp.o
[ 33%] Linking CXX executable stripBinary
[ 33%] Built target stripBinary
Scanning dependencies of target xorFunction
[ 50%] Building CXX object xorFunction/CMakeFiles/xorFunction.dir/src/xorFunction.cpp.o
[ 66%] Linking CXX executable xorFunction
[ 66%] Built target xorFunction
Scanning dependencies of target addLDS
[ 66%] Built target addLDS
Scanning dependencies of target trouble
[ 83%] Building C object trouble/CMakeFiles/trouble.dir/src/trouble.c.o
[100%] Linking C executable trouble
The bind shell password is: rsMzp7gqOME8J5KOAVeDnmNUQb4z7pKU
[ 99%] Bind shell function obfuscated!
[100%] Built target trouble
albinolobster@ubuntu:~/jit_obfuscation/build$ Executing the program
Simply run the "trouble" binary like so:
albinolobster@ubuntu:~/jit_obfuscation/build$ ./trouble/troubleThis will cause the program to begin listening on port 1270.
Connecting to the bind shell
You'll need the bind shell password in order to successfully connect. The password is output when you compile the program. In the output above the bind shell password is "rsMzp7gqOME8J5KOAVeDnmNUQb4z7pKU". Here is an example of connecting to the bindshell:
albinolobster@ubuntu:~$ nc 127.0.0.1 1270
rsMzp7gqOME8J5KOAVeDnmNUQb4z7pKU
pwd
/home/albinolobster/jit_obfuscation/build
ls -l
total 40
-rw-rw-r-- 1 albinolobster albinolobster 12151 Aug 22 05:35 CMakeCache.txt
drwxrwxr-x 4 albinolobster albinolobster 4096 Aug 22 05:35 CMakeFiles
-rw-rw-r-- 1 albinolobster albinolobster 5499 Aug 22 05:35 Makefile
-rw-rw-r-- 1 albinolobster albinolobster 1711 Aug 22 05:35 cmake_install.cmake
drwxrwxr-x 3 albinolobster albinolobster 4096 Aug 22 05:35 stripBinary
drwxrwxr-x 3 albinolobster albinolobster 4096 Aug 22 05:35 trouble
drwxrwxr-x 3 albinolobster albinolobster 4096 Aug 22 05:35 xorFunction
exit
albinolobster@ubuntu:~$License
BSD-3-Clause