vitrifyr
A Rust system tool that allows file (de)vitrification
Preamble
Sometimes "blue teams" need to collect a piece of malware and send it over a network. They can always cp it to a USB stick or similar and then attach it to an e-mail, but often they would rather "vitrify" it to prevent any undesired binary execution on each and every platform it may pass through.
For this purpose one can always run base64 -w0 < /path/to/malware.bin | xz > /tmp/vitrified.data
and then xz -d < /tmp/vitrified.data | base64 -d > /path/to/malware.bin
on the other end, but maybe they cannot (or do not want to) use any system tools from a host that has been infected.
vitrifyr base64-encodes the input and then compresses it with xz, with optional AES-256-CBC encryption. On devitrification the process is reversed.
Output files are named after the SHA-256 digest of the input file's content, so that their integrity can be checked later.
Files are saved with 0o640 UNIX permissions at most (the effective mode also depends on the system umask); this is not supported on Windows.
Vitrification ASCII flow:
┌────────────┐      ┌────────┐      ┌────┐      ┌─────────────┐      ┌─────────────┐
│            │      │        │      │    │      │             │      │             │
│ Input file ├─────>│ base64 ├─────>│ xz ├─────>│ AES-256-CBC ├─────>│ Output file │
│            │      │        │      │    │      │             │      │             │
└────────────┘      └────────┘      └────┘      └─────────────┘      └─────────────┘
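The flow above, written out as an added Python reference implementation (this is not vitrifyr's own Rust code): base64 without line wrapping, then xz, output named by the SHA-256 digest of the original content, 0o640 file mode with no overwrite, and a devitrification step that compares the digest claimed by the file name against the digest of the recovered bytes. The optional AES-256-CBC stage is omitted because the Python standard library has no AES; the ".vitrified" suffix and the ".devitrified" name of the restored file are assumptions, not the tool's real naming.

```python
import base64
import hashlib
import lzma
import os
import tempfile
from pathlib import Path

VITRIFIED_SUFFIX = ".vitrified"  # assumed suffix; vitrifyr's real naming may differ


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used both for output naming and for the integrity check."""
    return hashlib.sha256(data).hexdigest()


def vitrify_bytes(raw: bytes, preset: int = 6) -> bytes:
    """base64 without line wrapping (as `base64 -w0`), then xz at the given preset.
    The tool's optional AES-256-CBC step is omitted here (no AES in the stdlib)."""
    encoded = base64.b64encode(raw)
    return lzma.compress(encoded, format=lzma.FORMAT_XZ, preset=preset)


def devitrify_bytes(blob: bytes) -> bytes:
    """Reverse of vitrify_bytes: xz decompress, then strict base64 decode."""
    decoded = lzma.decompress(blob, format=lzma.FORMAT_XZ)
    return base64.b64decode(decoded, validate=True)


def write_private(path: Path, data: bytes) -> None:
    """Create the file with mode 0o640 (further restricted by the umask) and
    refuse to overwrite an existing file (O_EXCL)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def vitrify_file(src: Path, out_dir: Path, preset: int = 6) -> Path:
    """Vitrify src into out_dir; the output name carries the SHA-256 of the input content."""
    raw = src.read_bytes()
    out_path = out_dir / (sha256_hex(raw) + VITRIFIED_SUFFIX)
    write_private(out_path, vitrify_bytes(raw, preset))
    return out_path


def devitrify_file(src: Path, out_dir: Path, skip_integrity: bool = False) -> Path:
    """Restore the original bytes; unless skipped, the digest claimed by the file
    name must match the digest of the recovered content."""
    raw = devitrify_bytes(src.read_bytes())
    digest = sha256_hex(raw)
    if not skip_integrity:
        # A mismatch means the blob was renamed, truncated or tampered with in transit.
        claimed = src.name.split(".", 1)[0]
        if claimed != digest:
            raise ValueError(f"integrity check failed: name claims {claimed}, content is {digest}")
    out_path = out_dir / (src.stem + ".devitrified")  # assumed naming for the restored file
    write_private(out_path, raw)
    return out_path


def demo_round_trip() -> dict:
    """Run the whole flow on a constructed sample in a temp dir and return the outcomes."""
    # Constructed payload: an ELF-looking header plus filler, not a real binary.
    sample = b"\x7fELF" + bytes(range(256)) * 4 + b" constructed sample payload " * 20
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        src = d / "sample.bin"
        src.write_bytes(sample)
        vitrified = vitrify_file(src, d)
        restored = devitrify_file(vitrified, d)
        # Simulate a renamed or swapped blob: the same bytes under a wrong digest name.
        forged = d / ("0" * 64 + VITRIFIED_SUFFIX)
        forged.write_bytes(vitrified.read_bytes())
        try:
            devitrify_file(forged, d)
            integrity_rejected = False
        except ValueError:
            integrity_rejected = True
        forced = devitrify_file(forged, d, skip_integrity=True)
        mode = vitrified.stat().st_mode & 0o777
        return {
            "named_by_digest": vitrified.name == sha256_hex(sample) + VITRIFIED_SUFFIX,
            "round_trip_ok": restored.read_bytes() == sample,
            "integrity_rejected": integrity_rejected,
            "skip_integrity_ok": forced.read_bytes() == sample,
            "mode_at_most_0o640": (mode | 0o640) == 0o640,  # UNIX only
        }


if __name__ == "__main__":
    print(demo_round_trip())
```

The integrity check is deliberately done on the recovered bytes, not on the compressed blob, so it detects corruption anywhere in the chain and also catches a blob that was simply renamed; `--skip-integrity` in the tool corresponds to the `skip_integrity` flag here, which is what you need when the output was not digest-named in the first place.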
Build
cargo build
Usage
vitrifyr --help
Examples
# Vitrify Bash binary to /tmp with informational logs
vitrified_path="$(vitrifyr -i /usr/bin/bash -o /tmp --verbose)"
# Devitrify Bash to /dev/shm with debugging logs, without writing the output file path to stdout
vitrifyr -d -i "$vitrified_path" -o /dev/shm --debug -q
# Vitrify systemd binary to /tmp with maximum compression, before encrypting it with "passw0rd" key
vitrified_path="$(vitrifyr -i /usr/bin/systemd -o /tmp --compression-level 9 -k 'passw0rd')"
# Decrypt and devitrify stdin bytes to /tmp (skipping integrity check)
vitrifyr -d -k 'passw0rd' -o /tmp --skip-integrity < "$vitrified_path"
# Vitrify OpenSSH client to current directory, without naming output file with input file digest
vitrified_path="$(vitrifyr -i /usr/bin/ssh --skip-integrity)"
# Devitrify it while processing input with chunks of 4KB (for lower memory footprint)
vitrifyr -d -i "$vitrified_path" --skip-integrity --chunk-size 4096
# Vitrify and devitrify OpenSSH server, with fastest compression and hexadecimal encryption key
export VITRIFYR_KEY="0xBEEF"
vitrified_path="$(vitrifyr -i /usr/sbin/sshd --compression-level 0)"
vitrifyr -d -i "$vitrified_path"
Contributing
Code format
rustup component add rustfmt
cargo fmt
Code analysis
rustup component add clippy
cargo clippy