vitrifyr/README.md
2024-08-17 21:34:16 +02:00

vitrifyr

A Rust system tool that allows file (de)vitrification

Preamble

Sometimes "blue teams" need to collect a piece of malware and send it over a network. They can always cp it to a USB stick and attach it to an e-mail, but often they would rather "vitrify" it first, so that it cannot be executed by accident on any of the platforms it passes through.

For this purpose one can always run base64 -w0 < /path/to/malware.bin | xz > /tmp/vitrified.data and then xz -d < /tmp/vitrified.data | base64 -d > /path/to/malware.bin on the other end, but they may not be able (or willing) to use any system tools on a host that has been infected.

vitrifyr performs base64 encoding followed by xz compression, with optional AES-256-CBC encryption. Devitrification reverses the process. AES-256-CBC provides confidentiality only; detecting a corrupted or altered payload relies on the SHA256 check described below.

Output files are named after the SHA256 digest of the input file's content, so that the devitrified result can later be checked against its name. Files are created with 0o640 UNIX permissions (possibly further restricted by the process umask); this is not supported on Windows.

Vitrification ASCII flow:

┌────────────┐      ┌────────┐      ┌────┐      ┌─────────────┐      ┌─────────────┐
│            │      │        │      │    │      │             │      │             │
│ Input file ├─────>│ base64 ├─────>│ xz ├─────>│ AES-256-CBC ├─────>│ Output file │
│            │      │        │      │    │      │             │      │             │
└────────────┘      └────────┘      └────┘      └─────────────┘      └─────────────┘
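As an added example (not vitrifyr's own code), the following Python sketch reproduces the pipeline above with standard-library modules only: base64, then xz via the lzma module, an output file named after the SHA256 digest of the input and created with 0o640, and a digest check on the way back, all processed in fixed-size chunks. The optional AES-256-CBC stage is left out. The function names, the .vitrified and .bin suffixes and the sample payload are assumptions for illustration. It goes one step beyond the README by showing what the digest-in-the-name check buys: a vitrified file that has been renamed (or whose content no longer matches its name) is refused on devitrification.

```python
"""Added example, not vitrifyr's own code: a stdlib-only sketch of the
vitrify/devitrify pipeline, minus the optional AES-256-CBC stage.
The lzma module writes the same .xz container as the xz CLI, so
`xz -d < out | base64 -d` recovers the original bytes from vitrify()'s output.
File names and the .vitrified/.bin suffixes are assumptions for illustration."""
import base64
import hashlib
import lzma
import os
import tempfile

CHUNK_SIZE = 4096  # bounded memory per step, in the spirit of --chunk-size
B64_CHUNK = CHUNK_SIZE - CHUNK_SIZE % 3  # 4095: multiples of 3 bytes encode without '=' padding


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def create_0640(path: str):
    # Ask for 0640 and refuse to clobber an existing file; the umask may strip more bits.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    return os.fdopen(fd, "wb")


def vitrify(src: str, out_dir: str, preset: int = 6) -> str:
    """base64, then xz. The output is named after the SHA256 of the input content."""
    dst = os.path.join(out_dir, sha256_file(src) + ".vitrified")
    comp = lzma.LZMACompressor(format=lzma.FORMAT_XZ, preset=preset)
    with open(src, "rb") as fin, create_0640(dst) as fout:
        for chunk in iter(lambda: fin.read(B64_CHUNK), b""):
            fout.write(comp.compress(base64.b64encode(chunk)))
        fout.write(comp.flush())
    return dst


def devitrify(src: str, out_dir: str, skip_integrity: bool = False) -> str:
    """xz -d, then base64 -d, hashing the plaintext as it is written out."""
    expected = os.path.splitext(os.path.basename(src))[0]
    dst = os.path.join(out_dir, expected + ".bin")
    decomp = lzma.LZMADecompressor()
    h = hashlib.sha256()
    pending = b""  # base64 text held back until a multiple of 4 chars is available
    with open(src, "rb") as fin, create_0640(dst) as fout:
        for chunk in iter(lambda: fin.read(CHUNK_SIZE), b""):
            pending += decomp.decompress(chunk)
            usable = len(pending) - len(pending) % 4
            raw = base64.b64decode(pending[:usable], validate=True)
            pending = pending[usable:]
            h.update(raw)
            fout.write(raw)
    if not decomp.eof or pending:
        os.unlink(dst)
        raise ValueError("truncated or malformed vitrified stream")
    if not skip_integrity and h.hexdigest() != expected:
        os.unlink(dst)
        raise ValueError("integrity check failed: content does not match file name")
    return dst


def demo() -> dict:
    """Round-trip a constructed sample and show that a renamed file is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = bytes(range(256)) * 37  # constructed 9472-byte "binary"; spans several chunks
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as f:
            f.write(payload)
        vit = vitrify(sample, tmp)
        mode = os.stat(vit).st_mode & 0o777
        with open(devitrify(vit, tmp), "rb") as f:
            restored = f.read()
        # A vitrified file whose name no longer matches its content must be rejected.
        bogus = os.path.join(tmp, "0" * 64 + ".vitrified")
        os.rename(vit, bogus)
        try:
            devitrify(bogus, tmp)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {
            "digest_in_name": os.path.basename(vit).startswith(hashlib.sha256(payload).hexdigest()),
            "mode_at_most_0640": mode & ~0o640 == 0,
            "round_trip_ok": restored == payload,
            "tamper_detected": tamper_detected,
        }


if __name__ == "__main__":
    print(demo())
```

The base64 stage reads multiples of 3 bytes so that no '=' padding appears in the middle of the stream, and the decoder only decodes 4-character groups, which is what lets both directions run on fixed-size chunks without buffering the whole file.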

Build

cargo build

Usage

vitrifyr --help

Examples

# Vitrify the Bash binary to /tmp with informational logs
vitrified_path="$(vitrifyr -i /usr/bin/bash -o /tmp --verbose)"

# Devitrify Bash to /dev/shm with debugging logs, without writing the output file path to stdout
vitrifyr -d -i "$vitrified_path" -o /dev/shm --debug -q


# Vitrify the systemd binary to /tmp with maximum compression, then encrypt it with the key "passw0rd"
vitrified_path="$(vitrifyr -i /usr/bin/systemd -o /tmp --compression-level 9 -k 'passw0rd')"

# Decrypt and devitrify bytes read from stdin to /tmp (skipping the integrity check, since stdin carries no digest-bearing file name)
vitrifyr -d -k 'passw0rd' -o /tmp --skip-integrity < "$vitrified_path"


# Vitrify the OpenSSH client to the current directory, without naming the output file after the input digest
vitrified_path="$(vitrifyr -i /usr/bin/ssh --skip-integrity)"

# Devitrify it, processing the input in 4 KiB chunks (lower memory footprint)
vitrifyr -d -i "$vitrified_path" --skip-integrity --chunk-size 4096


# Vitrify and devitrify the OpenSSH server with the fastest compression and a hexadecimal encryption key taken from the environment
export VITRIFYR_KEY="0xBEEF"
vitrified_path="$(vitrifyr -i /usr/sbin/sshd --compression-level 0)"
vitrifyr -d -i "$vitrified_path"

Contributing

Code format

rustup component add rustfmt
cargo fmt

Code analysis

rustup component add clippy
cargo clippy