mauri870/ransomware

Tor static link and cross compilation

mauri870 opened this issue · 21 comments

Hi guys, I've found some problems with the compilation of Tor statically linked into the malware. I'm on this feature.

It's currently working on Linux, but the malware is only for Windows, so we need to do the cross compilation.

The Makefile has been updated to download Tor and its dependencies and compile them.
The malware is now importing the main C code of Tor and starting it.

I'm compiling with the following command:

go build --ldflags '-extldflags "-static"' -o $(BIN_DIR)/ransomware

And I got it working with no problems.
But when I try to compile for Windows...

env GOOS=windows CGO_ENABLED=1 go build --ldflags '-extldflags "-static" -H windowsgui' -o $(BIN_DIR)/ransomware.exe

Invalid option --mthreads

Well, I update this command to use mingw:

env GOOS=windows CGO_ENABLED=1 GOARCH=386 CC=i686-w64-mingw32-gcc go build --ldflags '-extldflags "-static" -H windowsgui' -o $(BIN_DIR)/ransomware.exe

And it threw errors like netdb.h not found (WTF, it is in the standard library :|)

Then if I add -I/usr/include to the CFLAGS of the malware, I receive a bunch of warnings about conflicting methods :(

If anyone has the knowledge to help, I would appreciate it. Cheers!

Hi,

Have a look here: https://github.com/KoreTeam/KoreCoin/tree/master/src/tor

And here you can see how it is called:

https://github.com/KoreTeam/KoreCoin/blob/master/src/tor/korecoin.cpp
and: https://github.com/KoreTeam/KoreCoin/blob/master/src/tor/korecoin.h

Here you can see many things, like in the makefile etc.: https://github.com/KoreTeam/KoreCoin/search?p=1&q=tor&utf8=%E2%9C%93

Note this needs libevent and maybe OpenSSL.
Not sure if this helps; I still didn't have the chance to test the code, I'll try to soon.

Hi @hanoosh, thanks for the links. I will check soon.

I'm stuck on this part and I need to finish this to proceed with the next features 😞

Here is another link: http://blog.hashbangbash.com/2014/04/linking-golang-statically/

I'm also trying to dig for more info about this. If this cannot be done, I think the best way is to pack tor.exe and the .dlls with the malware, then auto-extract and run them and make the proxy in the malware (but this is not good, as the final malware.exe will be big in size).

Another idea is to just make it connect to the C&C server with tor2web URLs like https://XXXXXXX.onion.cab

I think I'm just missing some flags during compilation or not using mingw correctly, because it is supposed to work while building for Windows... On Linux, linking Tor statically generates a 12 MB binary.

I think you can use strip; it will reduce the file size.

The C&C needs to be a hidden service; tor2web can be an alternative to this.

I've spent some time trying to link Tor with the final binary; it generates a lot of code, a lot of dependencies and takes a lot of time to compile... I'm thinking of leaving this idea and choosing a more lightweight alternative.

Yes, I hope some other developers join the party. Good job mate.

Thanks for the ideas and links @hanoosh
I will keep this issue open for discussion, and I will post any progress here.
Cheers!

You got Tor linked for Windows?

Yes

On Oct 10, 2016 3:21 PM, "Hanoosh" notifications@github.com wrote:

You got Tor linked for Windows?


@appendhc Can you share the code with us?

@hanoosh Not yet 😞

Probably I will use tor2web

I have given the instruction mentioned below in the terminal of Lubuntu 14.04.1:
go get -v github.com/mauri870/ransomware
and I got this error: can't load package: package github.com/mauri870/ransomware: no buildable Go source files in /root/Projects/Proj1/src/github.com/mauri870/ransomware
I am not able to resolve that error, please help me.

@karikalansaitechnology Try go get -v github.com/mauri870/ransomware/...

Ugh, u can use this lolol... for Windows... why would u want a large OpenSSL...
https://github.com/wbenny/mini-tor

Also u can use Winsock to make requests if u want... but I don't know how you would resolve the onion domain, since Tor doesn't have DNS.

I think the best way to hide the communication between the malware and the server is to include the Tor binaries in the malware with go-bindata, or download them at the start of the program, and start the proxy before any HTTP calls.
Just like WanaDecrypt0r:
WanaDecrypt0r moves on to download a TOR client and extracts the contents into the TaskData folder. The TOR client is necessary to communicate with the known Command and Control servers.
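A defender's-side companion to the two approaches discussed in this thread (the tor2web gateway URLs mentioned earlier and the "drop a Tor client into a TaskData folder and start it before any HTTP calls" pattern quoted just above): an added detection example, not code from the mauri870/ransomware project or from any commenter. It runs two simple rules over constructed Sysmon-style process-creation and DNS-query records. The record format, field names, hosts and paths are assumptions made up for the example; only the .onion.cab gateway suffix and the TaskData folder name come from the thread.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample telemetry (not real logs), loosely modelled on Sysmon
# process-creation (EventID 1) and DNS-query (EventID 22) fields.
SAMPLE_EVENTS = [
    # Tor Browser started normally from Program Files: benign.
    "EventID=1|Host=WS01|Image=C:\\Program Files\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe"
    "|ParentImage=C:\\Program Files\\Tor Browser\\Browser\\firefox.exe",
    # A Tor client extracted into a TaskData folder and launched by an unknown binary.
    "EventID=1|Host=WS02|Image=C:\\Users\\bob\\AppData\\Roaming\\TaskData\\Tor\\tor.exe"
    "|ParentImage=C:\\Users\\bob\\Downloads\\invoice.exe",
    # The same unknown binary resolving a tor2web gateway hostname.
    "EventID=22|Host=WS02|Image=C:\\Users\\bob\\Downloads\\invoice.exe|QueryName=xxxxxxx.onion.cab",
    # Ordinary DNS traffic: benign.
    "EventID=22|Host=WS03|Image=C:\\Windows\\System32\\svchost.exe|QueryName=update.example.com",
]

# Lower-cased path fragments where a properly installed Tor would not normally live.
USER_WRITABLE_DIR_MARKERS = ("\\taskdata\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
# tor2web gateway suffixes; onion.cab is the one named in the thread, add others locally as needed.
TOR2WEB_SUFFIXES = (".onion.cab",)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict (assumed log format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def tor_from_user_writable_dir(ev: Dict[str, str]) -> Optional[Alert]:
    """tor.exe executing from a Temp/AppData/TaskData-style directory."""
    if ev.get("EventID") != "1":
        return None
    image = ev.get("Image", "")
    lowered = image.lower()
    basename = lowered.rsplit("\\", 1)[-1]
    if basename == "tor.exe" and any(m in lowered for m in USER_WRITABLE_DIR_MARKERS):
        return Alert("tor_from_user_writable_dir", ev.get("Host", "?"),
                     f"{image} spawned by {ev.get('ParentImage', '?')}")
    return None


def tor2web_gateway_lookup(ev: Dict[str, str]) -> Optional[Alert]:
    """DNS query for a tor2web gateway, i.e. a hidden service reached without running Tor."""
    if ev.get("EventID") != "22":
        return None
    name = ev.get("QueryName", "").lower()
    if name.endswith(TOR2WEB_SUFFIXES):
        return Alert("tor2web_gateway_lookup", ev.get("Host", "?"),
                     f"{ev.get('Image', '?')} resolved {name}")
    return None


RULES: List[Callable[[Dict[str, str]], Optional[Alert]]] = [
    tor_from_user_writable_dir,
    tor2web_gateway_lookup,
]


def detect(lines: List[str]) -> List[Alert]:
    """Run every rule over every record and collect the alerts in log order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Running it over the sample records raises both alerts for WS02 and nothing for the benign Tor Browser launch or the ordinary DNS lookup. The first rule keys on the image name, so a Tor client renamed on disk before it is dropped would slip past it; in practice pair it with a check on the unusual directory alone, or on the file's hash or version resource, rather than relying on the name.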

Finished the Tor support using the standalone Tor Windows proxy 😄. Enjoy!

cretz commented

@mauri870 - I wrote https://github.com/cretz/bine, which leverages https://github.com/cretz/tor-static to let you statically compile Tor in if you want. You can create onion services on the client side too if you want. There is built-in support for data dir deletion and for not leaving things in default locations like regular Tor use might.