  • Stars: 224
  • Rank: 176,926 (Top 4 %)
  • Language: C++
  • Created 9 months ago
  • Updated 9 months ago


Repository Details

The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.

Marble Framework

In 2017, Wikileaks published incomplete source code for the Marble Framework. Using AI/ML together with human analysis of material from the Vault7 leaks, we reconstructed the missing code libraries and patched the StringScrambling solution so that it compiles with Visual Studio for build-time string obfuscation using 106 "Marbles". The Framework was created for use by the Central Intelligence Agency (CIA) Applied Engineering Department (AED); however, a number of malware samples have been identified in the wild using these algorithms, which may indicate use by others. By releasing our modifications, we aim to improve detection of the framework and identification of additional samples using these techniques in the wild. The tool description from the CIA internal wiki follows:

"The Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools. When signaturing tools, string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop. This framework is intended to help us (AED) to improve upon our current process for string/data obfuscation in our tools."

The framework utilizes pre- and post-build execution steps to apply obfuscation to the tool. If the obfuscation breaks the build, the post-build step will always be able to repair it: the pre-build execution step stores clean copies of the code before making modifications, and the post-build execution step restores the files to a clean-copy state. The framework allows the obfuscation technique to be chosen randomly from a pool of techniques, which can be filtered based upon the project's needs. If desired, a user may also select a specific technique to use for obfuscation. A receipt file is generated on each run (replacing any previous receipt). The receipt file identifies the algorithm used as well as all of the strings/data that were obfuscated. The post-build step also double-checks that none of the original strings/data that were obfuscated still appear in the binary.

This framework can be used to dynamically obfuscate and handle common string operations as an anti-forensics capability.

Documentation

To use, compile the solution, which produces Mibster.exe, Mender.exe and Validator.exe. These tools can be added to the Pre-Build and Post-Build steps of a Visual Studio project file to obfuscate the following data types, by including Marble.h and your chosen deobfuscator from the Shared folder in your project:

  • CARBLE - char[] / char*
  • WARBLE - wchar_t[] / wchar_t*
  • BARBLE - byte[] / byte*

Running Mibster.exe applies the options specified in Marble.h (such as which XOR / RXOR algorithm to use and whether strings should be cleared after use; the algorithm is chosen at random by default) and obfuscates your strings. You can then run Validator.exe to ensure no plaintext strings are present in the binary, and Mender.exe to restore the original source code (recommended as a post-build step). The deobfuscator (Marble) chosen should be added from the Shared folder into your project. File states and changes are stored in ".marble" files, and a total of 106 algorithms (known as "Marbles") are available to choose from. More information and documentation can be found on the Wikileaks Vault7 wiki.

Marble Framework (wikileaks)

Documentation can also be found in the docs folder which has been created from the link above.
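The pre-build / post-build flow described above, as an added worked example that is not Marble Framework code and not from the Hacker House repository: a Mibster-like encoder that writes a receipt, the run-time decoder that the Shared-folder deobfuscator stands for, a clear-after-use wipe, and a Validator-like scan of a constructed fake image that looks for every receipt string both as narrow bytes and as UTF-16LE. The type and function names (Marble, Receipt, obfuscate, deobfuscate, secure_clear, utf16le, validate_binary, fake_image), the key 0x5A, the two sample literals and the header filler bytes are all this example's own assumptions; "RXor" here is a simple chained XOR chosen for illustration and is not a description of the framework's RXOR algorithm.

```cpp
// Added example, not Marble Framework code: a Mibster-like encoder that writes a receipt,
// the run-time decoder, a clear-after-use wipe, and a Validator-like scan for each receipt
// string as narrow bytes and as UTF-16LE. Names, key and sample data are assumptions.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

enum class Marble { Xor, RXor };  // "RXor" is a chained XOR for illustration only

struct Receipt {  // what the pre-build step writes alongside the modified source
    Marble algorithm = Marble::Xor; uint8_t key = 0;
    std::vector<std::string> plaintext;  // every string that was obfuscated
};

// Pre-build (Mibster-like) step. Xor: every byte ^ key. RXor: each byte ^ previous
// ciphertext byte (the key seeds the chain), so repeated characters do not repeat.
std::vector<uint8_t> obfuscate(const std::string& s, Marble m, uint8_t key, Receipt& r) {
    std::vector<uint8_t> out(s.size());
    uint8_t prev = key;
    for (size_t i = 0; i < s.size(); ++i) {
        uint8_t p = static_cast<uint8_t>(s[i]);
        out[i] = static_cast<uint8_t>(m == Marble::Xor ? p ^ key : p ^ prev);
        prev = out[i];
    }
    r.algorithm = m; r.key = key; r.plaintext.push_back(s);
    return out;
}

// Run-time decoder, the role of the deobfuscator included from the Shared folder.
std::string deobfuscate(const std::vector<uint8_t>& c, Marble m, uint8_t key) {
    std::string out(c.size(), '\0');
    uint8_t prev = key;
    for (size_t i = 0; i < c.size(); ++i) {
        out[i] = static_cast<char>(m == Marble::Xor ? c[i] ^ key : c[i] ^ prev);
        prev = c[i];
    }
    return out;
}

// "Clear after use": zero the decoded buffer through a volatile pointer so the
// compiler cannot drop the stores as dead writes.
void secure_clear(std::string& s) {
    volatile char* p = s.empty() ? nullptr : &s[0];
    for (size_t i = 0; i < s.size(); ++i) p[i] = 0;
}

std::vector<uint8_t> utf16le(const std::string& s) {  // un-obfuscated WARBLE literal as it sits in the image
    std::vector<uint8_t> w;
    for (char ch : s) { w.push_back(static_cast<uint8_t>(ch)); w.push_back(0); }
    return w;
}

// Post-build (Validator-like) check: receipt strings still present in the image,
// as narrow bytes or as UTF-16LE.
std::vector<std::string> validate_binary(const std::vector<uint8_t>& image, const Receipt& r) {
    auto contains = [&](const std::vector<uint8_t>& n) {
        return std::search(image.begin(), image.end(), n.begin(), n.end()) != image.end();
    };
    std::vector<std::string> leaked;
    for (const std::string& s : r.plaintext)
        if (!s.empty() && (contains(std::vector<uint8_t>(s.begin(), s.end())) || contains(utf16le(s)))) leaked.push_back(s);
    return leaked;
}

// Constructed sample literals, and a constructed stand-in for the compiled image (header filler + build output).
static const std::string kApi  = "CreateRemoteThread";
static const std::string kPath = "C:\\Windows\\Temp\\stage2.dll";
std::vector<uint8_t> fake_image(const std::vector<std::vector<uint8_t>>& blobs) {
    std::vector<uint8_t> img = {'M', 'Z', 0x90, 0x00, 0x03, 0x00};
    for (const auto& b : blobs) img.insert(img.end(), b.begin(), b.end());
    return img;
}

// Obfuscated build: both literals round-trip and the validator reports nothing.
bool obfuscated_build_passes(Marble m) {
    Receipt r;
    std::vector<uint8_t> c1 = obfuscate(kApi, m, 0x5A, r), c2 = obfuscate(kPath, m, 0x5A, r);
    bool roundtrip = deobfuscate(c1, m, 0x5A) == kApi && deobfuscate(c2, m, 0x5A) == kPath;
    return roundtrip && validate_binary(fake_image({c1, c2}), r).empty();
}

// Un-obfuscated build: kApi left as a narrow literal, kPath as a wide literal.
// Both must be reported; a narrow-only scan would miss the second.
size_t unobfuscated_build_leaks() {
    Receipt r;
    r.plaintext = {kApi, kPath};
    return validate_binary(fake_image({std::vector<uint8_t>(kApi.begin(), kApi.end()), utf16le(kPath)}), r).size();
}

// Decode, use, wipe: true if the decode was right and no plaintext byte remains.
bool clear_after_use_ok() {
    Receipt r;
    std::string s = deobfuscate(obfuscate(kApi, Marble::RXor, 0x5A, r), Marble::RXor, 0x5A);
    bool used = (s == kApi);  // stand-in for handing the string to an API call
    secure_clear(s);
    return used && std::all_of(s.begin(), s.end(), [](char ch) { return ch == 0; });
}
```

The second scenario is the check a validator has to get right: a wide (WARBLE) literal that was left in the clear sits in the binary as UTF-16LE, so a scan for the narrow bytes alone reports a clean build when it is not. The real Validator works on the compiled image; here the image is a byte vector assembled from header filler and the build's output so the example runs anywhere.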

Testing

When testing this application from the command line under cmd.exe, Mibster.exe will not produce any output, as it is designed to run under the output console of Visual Studio (where it works as a pre-build event). If you want to test it under cmd.exe or similar, uncomment the following code block in Mibster.cpp, found in the wWinMain function. AttachConsole(ATTACH_PARENT_PROCESS) only succeeds when the parent process owns a console, so the block has no effect when Mibster.exe is launched without one. Note that this change is for debugging purposes only and will need to be removed if you intend to use the tool under Visual Studio.

// Attach to the parent console for output.
/*if (AttachConsole(ATTACH_PARENT_PROCESS))
{
	// Redirect stdout to the attached console
	FILE* stream;
	_wfreopen_s(&stream, L"CONOUT$", L"w", stdout);
}*/

Malware Detected

The following malware samples have been identified in the wild as using code components from the Marble Framework:

  • Worm:Win32/Takc!pz (Microsoft)
  • TROJAN-DROPPER.WIN32.DAPATO (Kaspersky)

License

Hacker House code additions are available under an Attribution-NonCommercial-NoDerivatives 4.0 International license.

More Repositories

  • iscsicpl_bypassUAC (C++, 727 stars) - UAC bypass for x64 Windows 7 - 11
  • exploits (C, 389 stars) - Exploits and proof-of-concept vulnerability demonstration files from the team at Hacker House
  • SignToolEx (C++, 219 stars) - Patching "signtool.exe" to accept expired certificates for code-signing.
  • Stinger (C++, 205 stars) - CIA UAC bypass implementation of Stinger that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as Administrator.
  • OffensiveLua (Lua, 146 stars) - Offensive Lua.
  • Artillery (C, 146 stars) - CIA UAC bypass implementation that utilizes an elevated COM object to write to System32 and an auto-elevated process to execute as administrator.
  • ColorDataProxyUACBypass (C, 130 stars) - Exploits the undocumented elevated COM interface ICMLuaUtil via process spoofing to edit the registry, then calls ColorDataProxy to trigger a UAC bypass. Win 7 & up.
  • WMIProcessWatcher (C++, 113 stars) - A CIA tradecraft technique to asynchronously detect when a process is created using WMI.
  • tools (Python, 108 stars) - A collection of tools created for computer security research purposes.
  • cve-2018-10933 (Dockerfile, 107 stars) - CVE-2018-10933 libssh authentication bypass
  • backdoors (Python, 103 stars) - Tools for maintaining access to systems and proof-of-concept demonstrations.
  • CompMgmtLauncher_DLL_UACBypass (C++, 100 stars) - CompMgmtLauncher & SharePoint DLL search-order hijacking for UAC bypass/persistence via OneDrive
  • MsSettingsDelegateExecute (C++, 74 stars) - Bypass UAC on Windows 10/11 x64 using the ms-settings DelegateExecute registry key.
  • pyongyang_2407 (C, 66 stars) - Pyongyang 2407 - Android ROM from North Korea, modified to run on WBW5511_MAINBOARD_P2 devices. Releases contain an archived ROM with all the tools needed to boot DPRK Android on compatible hardware. This repository contains installation instructions, hardware documentation and exploits for disabling the censorship tools of North Korean Android.
  • envschtasksuacbypass (C++, 53 stars) - Bypass UAC elevation on Windows 8 (build 9600) & above.
  • documents (Perl, 47 stars) - Papers, presentations and documents from the team at Hacker House.
  • shellcode (C, 42 stars) - Shellcode is code designed to be injected into the memory space of another process during exploitation.
  • electionhacking (C++, 34 stars) - Diebold Accuvote-TSx Election Machine Hacking
  • NoFaxGiven (C++, 30 stars) - Code execution & persistence in the NETWORK SERVICE Fax Service
  • Gigabyte_ElevatePersist (C++, 30 stars) - Gigabyte Control Center (GCC) is a software package designed to improve the user experience of Gigabyte hardware, often found in gaming and performance PCs. A UAC elevation vulnerability exists that can be used for persistence in a novel fashion.
  • AESCrypt (C++, 27 stars) - AES-256 Microsoft Cryptography API example use.
  • rebirth (C, 22 stars) - rebirth iOS 11 - 11.3.1 jailbreak security research utility
  • cve-2021-34527 (C++, 18 stars) - CVE-2021-34527 AddPrinterDriverEx() privilege escalation
  • hackerhouse-opensource (11 stars) - GitHub profile
  • hfioquake3_DoS (Python, 5 stars) - The ioquake3 engine is vulnerable to a remotely exploitable off-by-one overflow due to a miscalculated array index within the privileged admin console command banaddr. The attacker needs the rcon password to exploit this vulnerability.