icyguider / Nimcrypt2

.NET, PE, & Raw Shellcode Packer/Loader Written in Nim
GNU General Public License v3.0

Setting up Obfuscator-LLVM #6

Closed Simon-Davies closed 2 years ago

Simon-Davies commented 2 years ago

Heya mate. Nimcrypt2 is working very well. I just tested it with the Mythic agent Apollo using the raw shellcode.

I managed to get Obfuscator-LLVM working on Windows and integrated it into Visual Studio for another project.

I am having problems getting Obfuscator-LLVM working on Kali though. Which branch did you use?

Could you provide more detailed instructions on how to set it up on Kali please.

Fankaren commented 2 years ago

Hi! I will give you my answer here. I use Ubuntu 20.04 with the initial environment:

sudo apt-get install cmake gcc g++ -y
gcc 9.3.0 
g++ 9.3.0 
cmake 3.16.3

step by step

  1. Download the branch.

    git clone -b llvm-4.0 --depth=1 https://github.com/obfuscator-llvm/obfuscator.git
  2. Switch the gcc and g++ version (it should run on version 8).

    sudo apt-get install gcc-8 g++-8 -y
    sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-8 8
    sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-8 8
    sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 9
    sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-9 9
    sudo update-alternatives --config gcc     # choose version 8
    sudo update-alternatives --config g++     # choose version 8
    gcc --version
    g++ --version
  3. Modify the source code.

    vim path_to_ollvm/include/llvm/ExecutionEngine/Orc/OrcRemoteTargetClient.h

    Line 690: change <char>> to <uint8_t>>, or it will fail when you compile the project.

  4. Build ollvm.

    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_INCLUDE_TESTS=OFF ../obfuscator/
    make -j7

    After one or two hours you will see "Linking CXX shared library ../../../../lib/libclang.so", ending with make error 2. But don't worry, the files you need are ready to be used.

Enjoy! Although it took me half a day to figure it out (

Reference links:
https://github.com/obfuscator-llvm/obfuscator/issues/151
https://www.jianshu.com/p/9136f7257e46
https://linuxconfig.org/how-to-switch-between-multiple-gcc-and-g-compiler-versions-on-ubuntu-20-04-lts-focal-fossa

Simon-Davies commented 2 years ago

Thank you

Did you move the folders /lib and /include to the below location?

/usr/lib/clang/version_number

@icyguider any ideas what is causing the below errors?

```
si@kali:~/Tools/Nimcrypt2$ ./nimcrypt -f apollo.bin -t raw -g -l

[Nimcrypt v2 ASCII-art banner: "3-in-1 C#, PE, & Raw Shellcode Loader"]

[+] Using explorer.exe for shellcode injection
[+] GetSyscallStub enabled
[+] String encryption disabled
[+] Sandbox checks enabled
[+] Unhooking ntdll.dll disabled
[+] Verbose messages disabled
[+] Syscall name randomization enabled
[+] Using Obfuscator-LLVM to compile
Hint: used config file '/home/si/.choosenim/toolchains/nim-1.6.4/config/nim.cfg' [Conf]
Hint: used config file '/home/si/.choosenim/toolchains/nim-1.6.4/config/config.nims' [Conf]
....................................................................................................................................................................................
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(6, 8) Hint: duplicate import of 'winim'; previous import here: /home/si/Tools/Nimcrypt2/stub.nim(5, 8) [DuplicateModuleImport]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(7, 8) Hint: duplicate import of 'strutils'; previous import here: /home/si/Tools/Nimcrypt2/stub.nim(9, 8) [DuplicateModuleImport]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(8, 8) Hint: duplicate import of 'ptr_math'; previous import here: /home/si/Tools/Nimcrypt2/stub.nim(10, 8) [DuplicateModuleImport]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(73, 9) Hint: 'oldProtection' is declared but not used [XDeclaredButNotUsed]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(74, 9) Hint: 'low2' is declared but not used [XDeclaredButNotUsed]
/home/si/Tools/Nimcrypt2/stub.nim(60, 5) Hint: 'JkMGUQgesFovfWdECwlHpaSC' is declared but not used [XDeclaredButNotUsed]
/home/si/Tools/Nimcrypt2/stub.nim(80, 5) Hint: 'xMOWrqOUUtmbqlMssMrHdroB' is declared but not used [XDeclaredButNotUsed]
CC: stdlib_digitsutils.nim
CC: stdlib_assertions.nim
CC: stdlib_dollars.nim
CC: stdlib_widestrs.nim
CC: stdlib_io.nim
CC: stdlib_system.nim
CC: ../../.nimble/pkgs/winim-3.8.0/winim/inc/winbase.nim
CC: ../../.nimble/pkgs/winim-3.8.0/winim/inc/tlhelp32.nim
In file included from /home/si/.cache/nim/stub_r/stdlib_system.nim.c:8:
In file included from /usr/x86_64-w64-mingw32/include/windows.h:69:
In file included from /usr/x86_64-w64-mingw32/include/windef.h:9:
In file included from /usr/x86_64-w64-mingw32/include/minwindef.h:163:
In file included from /usr/x86_64-w64-mingw32/include/winnt.h:1555:
In file included from /usr/bin/../include/clang/13.0.1/include/x86intrin.h:15:
In file included from /usr/bin/../include/clang/13.0.1/include/immintrin.h:488:
/usr/bin/../include/clang/13.0.1/include/amxintrin.h:238:10: error: returning 'int' from a function with incompatible result type '_tile1024i' (vector of 256 'int' values)
  return __builtin_ia32_tileloadd64_internal(m, n, base,
         ^~~~~~~~~~~
/usr/bin/../include/clang/13.0.1/include/amxintrin.h:246:10: error: returning 'int' from a function with incompatible result type '_tile1024i' (vector of 256 'int' values)
  return __builtin_ia32_tileloaddt164_internal(m, n, base,
         ^~~~~~~~~~~~~
/usr/bin/../include/clang/13.0.1/include/amxintrin.h:254:10: error: returning 'int' from a function with incompatible result type '_tile1024i' (vector of 256 'int' values)
  return __builtin_ia32_tdpbssd_internal(m, n, k, dst, src1, src2);
         ^~~~~~~~~~~~~
fatal error: too many errors emitted, stopping now [-ferror-limit=]
CC: ../../.nimble/pkgs/winim-3.8.0/winim/utils.nim
CC: stdlib_parseutils.nim
4 errors generated.
Error: execution of an external compiler program 'x86_64-w64-mingw32-clang -c -w -ferror-limit=3 -DWIN32_LEAN_AND_MEAN -mllvm -bcf -mllvm -sub -mllvm -fla -mllvm -split -aesSeed=GEOU236HCU8FJNUBZ19H4Z8VS74Z6UBP -Os -I/home/si/.choosenim/toolchains/nim-1.6.4/lib -I/home/si/Tools/Nimcrypt2 -o /home/si/.cache/nim/stub_r/stdlib_system.nim.c.o /home/si/.cache/nim/stub_r/stdlib_system.nim.c' failed with exit code: 1

[!] Stub compilation failed! Check stub for errors.
```

Fankaren commented 2 years ago

Please make sure you are using the right clang from ollvm. Try:

which clang
ls -la `which clang`


Make sure you have built ollvm the right way, and do all the stuff in the readme.

Simon-Davies commented 2 years ago

I built Obfuscator-LLVM and replaced the clang in /usr/bin with the newly built clang.

To build I used:

mkdir build
cd build
cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release -DLLVM_INCLUDE_TESTS=OFF ../obfuscator/
make -j7

If I run: x86_64-w64-mingw32-clang -v it shows "Obfuscator-LLVM" in the output.

Did you move the folders /lib and /include to /usr/lib/clang/clang_version?

I'm unsure about what to do in this step below:

    Backup existing clang library files, copy the newly built Obfuscator-LLVM library includes to /usr/lib/clang/OLD_VERSION/

I am trying now with the version of Ubuntu you are using Fankaren. I have followed your instructions and ollvm is currently building.

icyguider commented 2 years ago

@Simon-Davies

Essentially you should now just need to replace the system include directory that's seen in the error message you last posted (/usr/include/clang/13.0.1/) with the clang include folder from your ollvm build. Here's how I would do it for your system:

# Create backup of original system clang include directory
mv /usr/include/clang/13.0.1/ /usr/include/clang/13.0.1_BACKUP/
# Create new system clang include directory
mkdir -p /usr/include/clang/13.0.1/
# Copy clang include folder from ollvm build directory into the new system clang include directory
cp -R ~/build/lib/clang/5.0.2/include/ /usr/include/clang/13.0.1/

Of course for the last command you will need to give it the build folder of wherever you compiled Obfuscator-LLVM. Hope this works for you.

@Fankaren Thanks so much for assisting. I really appreciate it!
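
To do the include-directory swap from the comment above in a repeatable way, here is an added example script; it is not code from Nimcrypt2, Obfuscator-LLVM or this thread. It takes the two directories as parameters (the thread's values would be `/usr/include/clang/13.0.1` and `~/build/lib/clang/5.0.2/include`), refuses to run a second time so the backup of the stock headers is never overwritten, and checks that the ollvm directory really is a clang resource include directory before moving anything. It then verifies the result two ways: the banner of `x86_64-w64-mingw32-clang -v` should mention Obfuscator-LLVM (the check Simon-Davies already used), and `amxintrin.h`, the header that produced the `_tile1024i` errors, must no longer be in the active include directory. That header was introduced in clang 11, later than any Obfuscator-LLVM release, so if it is still there the stock headers are still being picked up. The function names, the `_BACKUP` suffix (taken from the commands above) and the use of `stddef.h` as a marker file are this example's own choices, not anything the project prescribes.

```shell
#!/bin/sh
# Added example, not code from Nimcrypt2, Obfuscator-LLVM or the issue thread.
# Swaps the system clang resource headers for the ones from an Obfuscator-LLVM
# build (keeping a backup), then verifies the toolchain the way the thread did.
set -eu

# swap_clang_headers SYSTEM_VERSION_DIR OLLVM_INCLUDE_DIR
#   SYSTEM_VERSION_DIR  the clang version dir named in the compile error,
#                       e.g. /usr/include/clang/13.0.1 (holds an include/ subdir)
#   OLLVM_INCLUDE_DIR   the built ollvm resource headers,
#                       e.g. ~/build/lib/clang/5.0.2/include
swap_clang_headers() {
    local sys_dir ollvm_inc backup
    sys_dir="${1%/}"
    ollvm_inc="${2%/}"
    backup="${sys_dir}_BACKUP"

    # Refuse to run twice: a second run would move the already-swapped tree
    # over the backup and the original headers would be gone for good.
    if [ -e "$backup" ]; then
        echo "swap_clang_headers: $backup already exists, not swapping again" >&2
        return 1
    fi
    # stddef.h is present in every clang resource include dir; if it is missing
    # the caller most likely passed the wrong directory (e.g. the source tree's
    # include/ instead of build/lib/clang/<version>/include).
    if [ ! -f "$ollvm_inc/stddef.h" ]; then
        echo "swap_clang_headers: $ollvm_inc is not a clang resource include dir" >&2
        return 1
    fi
    mv "$sys_dir" "$backup"
    mkdir -p "$sys_dir/include"
    cp -R "$ollvm_inc/." "$sys_dir/include/"
}

# headers_match_ollvm SYSTEM_VERSION_DIR
#   amxintrin.h (the source of the '_tile1024i' errors) was added in clang 11,
#   after the last Obfuscator-LLVM releases, so its presence means the stock
#   clang 13 headers are still the ones being compiled against.
headers_match_ollvm() {
    local sys_dir
    sys_dir="${1%/}"
    [ -f "$sys_dir/include/stddef.h" ] && [ ! -f "$sys_dir/include/amxintrin.h" ]
}

# compiler_is_ollvm [COMPILER]
#   The version banner is the first sign that the ollvm clang is on PATH
#   (the thread checked this with `x86_64-w64-mingw32-clang -v`).
compiler_is_ollvm() {
    local cc
    cc="${1:-x86_64-w64-mingw32-clang}"
    command -v "$cc" >/dev/null 2>&1 && "$cc" -v 2>&1 | grep -q 'Obfuscator-LLVM'
}

# Usage on the machine from the thread (as root, build path adjusted to yours):
#   . ./swap_clang_headers.sh
#   swap_clang_headers /usr/include/clang/13.0.1 /root/build/lib/clang/5.0.2/include
#   headers_match_ollvm /usr/include/clang/13.0.1 && compiler_is_ollvm && echo "toolchain OK"
```

Source the file rather than executing it so the three functions land in your shell; run the swap as root because `/usr/include/clang` is owned by the system. If `headers_match_ollvm` passes but `compiler_is_ollvm` fails, the headers are right but the stock clang binary is still first on PATH, which is the other half of what Fankaren's `which clang` check catches.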

Simon-Davies commented 2 years ago

Thank you guys. I really appreciate all your help. I understand now @icyguider

Working now. I used Obfuscator-llvm 9.0.1. The below fixed my issue, thanks @icyguider

cp -R ~/build/lib/clang/5.0.2/include/ /usr/include/clang/13.0.1/

sec13b commented 7 months ago

Kali: install gcc-8 g++-8 -y

    sudo apt-get install gcc-8 g++-8 -y
    [sudo] password for kali:
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    Package g++-8 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    E: Unable to locate package gcc-8
    E: Package 'g++-8' has no installation candidate

WFoy-Ortiz commented 5 months ago

This helped get the proper versions of gcc & g++

sudo apt update
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/gcc-8_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.edge.kernel.org/ubuntu/pool/universe/g/gcc-8/gcc-8-base_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/libgcc-8-dev_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/cpp-8_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/libmpx2_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/main/i/isl/libisl22_0.22.1-1_amd64.deb
sudo apt install ./libisl22_0.22.1-1_amd64.deb ./libmpx2_8.4.0-3ubuntu2_amd64.deb ./cpp-8_8.4.0-3ubuntu2_amd64.deb ./libgcc-8-dev_8.4.0-3ubuntu2_amd64.deb ./gcc-8-base_8.4.0-3ubuntu2_amd64.deb ./gcc-8_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/libstdc++-8-dev_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/g++-8_8.4.0-3ubuntu2_amd64.deb
sudo apt install ./libstdc++-8-dev_8.4.0-3ubuntu2_amd64.deb ./g++-8_8.4.0-3ubuntu2_amd64.deb

sec13b commented 5 months ago

wget http://ftp.us.debian.org/debian/pool/main/g/gcc-8/libgcc-8-dev_8.3.0-6_amd64.deb

On Kali, it doesn't work.