Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setting up Obfuscator-LLVM #6

Closed
Simon-Davies opened this issue Mar 28, 2022 · 9 comments
Closed

Setting up Obfuscator-LLVM #6

Simon-Davies opened this issue Mar 28, 2022 · 9 comments

Comments

@Simon-Davies
Copy link

Simon-Davies commented Mar 28, 2022
edited
Loading

Heya mate. Nimcrypt2 is working very well. I just tested it with the Mythic agent Apollo using the raw shellcode.

I managed to get Obfuscator-LLVM working on Windows and integrated it into Visual Studio for another project.

I am having problems getting Obfuscator-LLVM working on Kali though. Which branch did you use?

Could you provide more detailed instructions on how to set it up on Kali please.
@Simon-Davies Simon-Davies changed the title Obfuscator-LLVM issue Setting up Obfuscator-LLVM Mar 28, 2022
@Fankaren
Copy link

Fankaren commented Mar 28, 2022
edited
Loading

Hi! I will give you my answer here.
I use ubuntu20.04 with the initial environment:

sudo apt-get install cmake gcc g++ -y
gcc 9.3.0 
g++ 9.3.0 
cmake 3.16.3

step by step

  1. download the branch.
git clone -b llvm-4.0 --depth=1 https://github.com/obfuscator-llvm/obfuscator.git
  1. switch gcc and g++ version.(should run on version 8)
sudo apt-get install gcc-8 g++-8 -y
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-8 8
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-8 8
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 9
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-9 9
sudo update-alternatives --config gcc     # choose version 8
sudo update-alternatives --config g++   # choose version 8
gcc --version
g++ --version
  1. modify the source code.
vim path_to_ollvm/include/llvm/ExecutionEngine/Orc/OrcRemoteTargetClient.h

Line number 690. Change <char>> to <uint_8>>. Or it will be wrong when u compile the project.

  1. build ollvm
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_INCLUDE_TESTS=OFF ../obfuscator/
make -j7

after one or two hour. You will see Linking CXX shared library ../../../../lib/libclang.so. Ending with make error 2.
But don't worry. Files you need are ready to be used.

Enjoy!
Although it took me half day to figure it out (

Reference link:
obfuscator-llvm/obfuscator#151
https://www.jianshu.com/p/9136f7257e46
https://linuxconfig.org/how-to-switch-between-multiple-gcc-and-g-compiler-versions-on-ubuntu-20-04-lts-focal-fossa

@Simon-Davies
Copy link
Author

Simon-Davies commented Mar 28, 2022
edited
Loading

Thank you

Did you move the folders /lib and /include to the below location?

/usr/lib/clang/version_number

@icyguider any ideas what is causing the below errors?

si@kali:~/Tools/Nimcrypt2$ ./nimcrypt -f apollo.bin -t raw -g -l ___ .-' '.
/
| ;
| | .--,
.. |0) ~ (0) | .---'__.-( (_. __.--'.. '..\ '--. _.-' ,.--' "" ( ,.--' ',_ /./; ;, '..' __ _) ) .---..' / | |\ _..--"" ""'--.,
---' .'.''-._.-'./ /\ '. \ .-~~~````~~~-.-.__.' | | .' _.-' | | \ \ '. ~---`
\ / .' \ \ '. '-.)
/ / \ \ `=.__`-. Nimcrypt v2
jgs / /\ `) ) / / `"".`
, _.-'.'\ \ / / ( ( / / 3-in-1 C#, PE, & Raw Shellcode Loader
`--` ) ) .-'.' '.'. | (
(/` ( (` ) ) '-;
` '-; (-'

[+] Using explorer.exe for shellcode injection
[+] GetSyscallStub enabled
[+] String encryption disabled
[+] Sandbox checks enabled
[+] Unhooking ntdll.dll disabled
[+] Verbose messages disabled
[+] Syscall name randomization enabled
[+] Using Obfuscator-LLVM to compile
Hint: used config file '/home/si/.choosenim/toolchains/nim-1.6.4/config/nim.cfg' [Conf]
Hint: used config file '/home/si/.choosenim/toolchains/nim-1.6.4/config/config.nims' [Conf]
....................................................................................................................................................................................
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(6, 8) Hint: duplicate import of 'winim'; previous import here: /home/si/Tools/Nimcrypt2/stub.nim(5, 8) [DuplicateModuleImport]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(7, 8) Hint: duplicate import of 'strutils'; previous import here: /home/si/Tools/Nimcrypt2/stub.nim(9, 8) [DuplicateModuleImport]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(8, 8) Hint: duplicate import of 'ptr_math'; previous import here: /home/si/Tools/Nimcrypt2/stub.nim(10, 8) [DuplicateModuleImport]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(73, 9) Hint: 'oldProtection' is declared but not used [XDeclaredButNotUsed]
/home/si/Tools/Nimcrypt2/GetSyscallStub.nim(74, 9) Hint: 'low2' is declared but not used [XDeclaredButNotUsed]
/home/si/Tools/Nimcrypt2/stub.nim(60, 5) Hint: 'JkMGUQgesFovfWdECwlHpaSC' is declared but not used [XDeclaredButNotUsed]
/home/si/Tools/Nimcrypt2/stub.nim(80, 5) Hint: 'xMOWrqOUUtmbqlMssMrHdroB' is declared but not used [XDeclaredButNotUsed]
CC: stdlib_digitsutils.nim
CC: stdlib_assertions.nim
CC: stdlib_dollars.nim
CC: stdlib_widestrs.nim
CC: stdlib_io.nim
CC: stdlib_system.nim
CC: ../../.nimble/pkgs/winim-3.8.0/winim/inc/winbase.nim
CC: ../../.nimble/pkgs/winim-3.8.0/winim/inc/tlhelp32.nim
In file included from /home/si/.cache/nim/stub_r/stdlib_system.nim.c:8:
In file included from /usr/x86_64-w64-mingw32/include/windows.h:69:
In file included from /usr/x86_64-w64-mingw32/include/windef.h:9:
In file included from /usr/x86_64-w64-mingw32/include/minwindef.h:163:
In file included from /usr/x86_64-w64-mingw32/include/winnt.h:1555:
In file included from /usr/bin/../include/clang/13.0.1/include/x86intrin.h:15:
In file included from /usr/bin/../include/clang/13.0.1/include/immintrin.h:488:
/usr/bin/../include/clang/13.0.1/include/amxintrin.h:238:10: error: returning 'int' from a function with incompatible result type '_tile1024i' (vector of 256 'int' values)
return __builtin_ia32_tileloadd64_internal(m, n, base,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/bin/../include/clang/13.0.1/include/amxintrin.h:246:10: error: returning 'int' from a function with incompatible result type '_tile1024i' (vector of 256 'int' values)
return __builtin_ia32_tileloaddt164_internal(m, n, base,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/bin/../include/clang/13.0.1/include/amxintrin.h:254:10: error: returning 'int' from a function with incompatible result type '_tile1024i' (vector of 256 'int' values)
return __builtin_ia32_tdpbssd_internal(m, n, k, dst, src1, src2);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fatal error: too many errors emitted, stopping now [-ferror-limit=]
CC: ../../.nimble/pkgs/winim-3.8.0/winim/utils.nim
CC: stdlib_parseutils.nim
4 errors generated.
Error: execution of an external compiler program 'x86_64-w64-mingw32-clang -c -w -ferror-limit=3 -DWIN32_LEAN_AND_MEAN -mllvm -bcf -mllvm -sub -mllvm -fla -mllvm -split -aesSeed=GEOU236HCU8FJNUBZ19H4Z8VS74Z6UBP -Os -I/home/si/.choosenim/toolchains/nim-1.6.4/lib -I/home/si/Tools/Nimcrypt2 -o /home/si/.cache/nim/stub_r/stdlib_system.nim.c.o /home/si/.cache/nim/stub_r/stdlib_system.nim.c' failed with exit code: 1

[!] Stub compilation failed! Check stub for errors.
`

@Fankaren
Copy link

Fankaren commented Mar 29, 2022
edited
Loading

please make sure you are using the right clang from ollvm. try:

which clang
ls -la `which clang`

image

make sure you have build ollvm the right way. And do all the stuff in readme.

@Simon-Davies
Copy link
Author

Simon-Davies commented Mar 29, 2022
edited
Loading

I built Obfuscator-LLVM and replaced the clang in /usr/bin with the newly built clang.

To build I used:

mkdir build
cd build
cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release -DLLVM_INCLUDE_TESTS=OFF ../obfuscator/
make -j7

If I run: x86_64-w64-mingw32-clang -v it shows "Obfuscator-LLVM" in the output.

Did you move the folders /lib and /include to /usr/lib/clang/clang_version

I'm unsure about what to do in this below step:

Backup existing clang library files, copy new newly built Obfuscator-LLVM library includes to /usr/lib/clang/OLD_VERSION/

I am trying now with the version of Ubuntu you are using Fankaren. I have followed your instructions and ollvm is currently building.

@icyguider
Copy link
Owner

@Simon-Davies

Essentially you should now just need to replace the system include directory that's seen in the error message you last posted (/usr/include/clang/13.0.1/) with the clang include folder from your ollvm build. Here's how I would do it for your system:

#Create Backup of original system clang include directory
mv /usr/include/clang/13.0.1/ /usr/include/clang/13.0.1_BACKUP/
#Create new system clang include directory
mkdir -p /usr/include/clang/13.0.1/
#Copy clang include folder from ollvm build directory into the new system clang include directory
cp -R ~/build/lib/clang/5.0.2/include/ /usr/include/clang/13.0.1/

Of course for the last command you will need to give it the build folder of wherever you compiled Obfuscator-LLVM. Hope this works for you.

@Fankaren Thanks so much for assisting. I really appreciate it!

@Simon-Davies
Copy link
Author

Simon-Davies commented Mar 29, 2022
edited
Loading

Thank you guys. I really appreciate all your help. I understand now @icyguider

Working now. I used Obfuscator-llvm 9.0.1. The below fixed my issue, thanks @icyguider

cp -R ~/build/lib/clang/5.0.2/include/ /usr/include/clang/13.0.1/

@javvylx javvylx mentioned this issue Aug 31, 2022
Closed
@sec13b
Copy link

sec13b commented Feb 16, 2024

Kali :
install gcc-8 g++-8 -y
sudo apt-get install gcc-8 g++-8 -y
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package g++-8 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Unable to locate package gcc-8
E: Package 'g++-8' has no installation candidate

@WFoy-Ortiz
Copy link

WFoy-Ortiz commented Mar 23, 2024
edited
Loading

This helped get the proper versions of gcc & g++

sudo apt update
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/gcc-8_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.edge.kernel.org/ubuntu/pool/universe/g/gcc-8/gcc-8-base_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/libgcc-8-dev_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/cpp-8_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/libmpx2_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/main/i/isl/libisl22_0.22.1-1_amd64.deb
sudo apt install ./libisl22_0.22.1-1_amd64.deb ./libmpx2_8.4.0-3ubuntu2_amd64.deb ./cpp-8_8.4.0-3ubuntu2_amd64.deb ./libgcc-8-dev_8.4.0-3ubuntu2_amd64.deb ./gcc-8-base_8.4.0-3ubuntu2_amd64.deb ./gcc-8_8.4.0-3ubuntu2_amd64.deb

wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/libstdc++-8-dev_8.4.0-3ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/g/gcc-8/g++-8_8.4.0-3ubuntu2_amd64.deb
sudo apt install ./libstdc++-8-dev_8.4.0-3ubuntu2_amd64.deb ./g++-8_8.4.0-3ubuntu2_amd64.deb

@sec13b
Copy link

sec13b commented Mar 23, 2024

wget http://ftp.us.debian.org/debian/pool/main/g/gcc-8/libgcc-8-dev_8.3.0-6_amd64.deb

on kali , dont work

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Simon-Davies @Fankaren @WFoy-Ortiz @icyguider @sec13b