
Comments (9)

MyraBaba commented on June 11, 2024

Debug trace:

[kiteshield] starting ptrace runtime
[kiteshield] number of trap points: 60
[kiteshield] RC4 decrypting binary with key 3e6eceffa15dcec7485595468c7f5020
[kiteshield] number of encrypted functions: 30
[kiteshield] list of trap points:
[kiteshield] 800003db3 value: c3, type: ret, function: _ZNSt7__cxx1112basic_stringIcSt (#0)
[kiteshield] 800003d40 value: 41, type: ent, function: _ZNSt7__cxx1112basic_stringIcSt (#0)
[kiteshield] 8000028d5 value: e9, type: jmp, function: _GLOBAL__sub_I_main (#1)
[kiteshield] 800002830 value: 53, type: ent, function: _GLOBAL__sub_I_main (#1)
[kiteshield] 800002a68 value: c3, type: ret, function: _ZNSt7__cxx1112basic_stringIcSt (#2)
[kiteshield] 8000029f0 value: 41, type: ent, function: _ZNSt7__cxx1112basic_stringIcSt (#2)
[kiteshield] 8000037cf value: c3, type: ret, function: _ZL16get_random_bytesm.constpro (#3)
[kiteshield] 800003540 value: 41, type: ent, function: _ZL16get_random_bytesm.constpro (#3)
[kiteshield] 80000346f value: c3, type: ret, function: _ZN9filecrypt9FileCrypt4openEv (#4)
[kiteshield] 800003390 value: 41, type: ent, function: _ZN9filecrypt9FileCrypt4openEv (#4)
[kiteshield] 800002f40 value: e9, type: jmp, function: _ZN9filecrypt9FileCrypt14create (#5)
[kiteshield] 800002ef0 value: 53, type: ent, function: _ZN9filecrypt9FileCrypt14create (#5)
[kiteshield] 800003e44 value: f3, type: ret, function: _ZN2ay15obfuscated_dataILy22ELy (#6)
[kiteshield] 800003e30 value: 48, type: ent, function: _ZN2ay15obfuscated_dataILy22ELy (#6)
[kiteshield] 800002dec value: e9, type: jmp, function: _ZN9filecrypt9FileCryptC2ERKS0_ (#7)
[kiteshield] 800002de0 value: 48, type: ent, function: _ZN9filecrypt9FileCryptC2ERKS0_ (#7)
[kiteshield] 800003e64 value: f3, type: ret, function: _ZN2ay15obfuscated_dataILy13ELy (#8)
[kiteshield] 800003e50 value: 48, type: ent, function: _ZN2ay15obfuscated_dataILy13ELy (#8)
[kiteshield] 800003c56 value: c3, type: ret, function: _ZN9filecrypt6Pbkdf2C1ERKS0_ (#9)
[kiteshield] 800003c50 value: 48, type: ent, function: _ZN9filecrypt6Pbkdf2C1ERKS0_ (#9)
[kiteshield] 800003535 value: e9, type: jmp, function: _ZN9filecrypt9FileCrypt7decrypt (#10)
[kiteshield] 800003510 value: 53, type: ent, function: _ZN9filecrypt9FileCrypt7decrypt (#10)
[kiteshield] decrypted 24608 bytes
[kiteshield] 800003e04 value: f3, type: ret, function: _ZN2ay15obfuscated_dataILy13ELy (#11)
[kiteshield] mapping LOAD section from packed binary at 800000000
[kiteshield] 800003df0 value: 48, type: ent, function: _ZN2ay15obfuscated_dataILy13ELy (#11)
[kiteshield] 80000249b value: c3, type: ret, function: main (#12)
[kiteshield] 800002150 value: 41, type: ent, function: main (#12)
[kiteshield] mapping LOAD section from packed binary at 800205000
[kiteshield] 800003c47 value: c3, type: ret, function: _ZN9filecrypt6Pbkdf2C1Ev (#13)
[kiteshield] 800003c40 value: 48, type: ent, function: _ZN9filecrypt6Pbkdf2C1Ev (#13)
[kiteshield] mapping INTERP ELF at path /lib64/ld-linux-x86-64.so.2
[kiteshield] 800003fba value: e9, type: jmp, function: _ZN9filecrypt9FileCryptD2Ev (#14)
[kiteshield] mapped LOAD section from fd at b00000000
[kiteshield] 800003fca value: c3, type: ret, function: _ZN9filecrypt9FileCryptD2Ev (#14)
[kiteshield] interpreter base address is b00000000
[kiteshield] mapped extra space for static data (.bss) at b0022b000 len 368
[kiteshield] mapped LOAD section from fd at b00229000
[kiteshield] 800003e70 value: 41, type: ent, function: _ZN9filecrypt9FileCryptD2Ev (#14)
[kiteshield] 800003bf3 value: c3, type: ret, function: _ZNSt24uniform_int_distribution (#15)
[kiteshield] binary base address is 800000000
[kiteshield] 800003b60 value: 41, type: ent, function: _ZNSt24uniform_int_distribution (#15)
[kiteshield] taking 7fffd842ed88 as auxv start
[kiteshield] 800003965 value: e9, type: jmp, function: _ZN9filecrypt9FileCrypt7encrypt (#16)
[kiteshield] replaced auxv entry 9 with value 34359748832 (0x8000028e0)
[kiteshield] 800003940 value: 53, type: ent, function: _ZN9filecrypt9FileCrypt7encrypt (#16)
[kiteshield] replaced auxv entry 3 with value 34359738432 (0x800000040)
[kiteshield] 80000315c value: c3, type: ret, function: _ZN9filecrypt9FileCrypt12init_d (#17)
[kiteshield] replaced auxv entry 7 with value 47244640256 (0xb00000000)
[kiteshield] 800003090 value: 41, type: ent, function: _ZN9filecrypt9FileCrypt12init_d (#17)
[kiteshield] replaced auxv entry 5 with value 9 (0x9)
[kiteshield] 800003a72 value: c3, type: ret, function: _ZNSt23mersenne_twister_engineI (#18)
[kiteshield] finished mapping binary into memory
[kiteshield] 800003a20 value: 48, type: ent, function: _ZNSt23mersenne_twister_engineI (#18)
[kiteshield] control will be passed to packed app at b00001090
[kiteshield] 800003d22 value: c3, type: ret, function: _ZN9filecrypt6Pbkdf26deriveERKN (#19)
[kiteshield] runtime.c:959 child: PTRACE_TRACEME failed with error -1
[kiteshield] 800003c60 value: 55, type: ent, function: _ZN9filecrypt6Pbkdf26deriveERKN (#19)
[kiteshield] 8000039ec value: c3, type: ret, function: _ZStplIcSt11char_traitsIcESaIcE (#20)
[kiteshield] 800003970 value: 41, type: ent, function: _ZStplIcSt11char_traitsIcESaIcE (#20)
[kiteshield] 8000028e0 value: 31, type: ent, function: _start (#21)
[kiteshield] 800002cec value: c3, type: ret, function: _ZN9filecrypt9FileCryptC2ERKNSt (#22)
[kiteshield] 800002ac0 value: 41, type: ent, function: _ZN9filecrypt9FileCryptC2ERKNSt (#22)
[kiteshield] 800003e24 value: f3, type: ret, function: _ZN2ay15obfuscated_dataILy63ELy (#23)
[kiteshield] 800003e10 value: 48, type: ent, function: _ZN2ay15obfuscated_dataILy63ELy (#23)
[kiteshield] 800003383 value: c3, type: ret, function: _ZN9filecrypt9FileCrypt15proces (#24)
[kiteshield] 800003220 value: 41, type: ent, function: _ZN9filecrypt9FileCrypt15proces (#24)
[kiteshield] 800003210 value: e9, type: jmp, function: _ZN9filecrypt9FileCrypt14create (#25)
[kiteshield] 8000031c0 value: 53, type: ent, function: _ZN9filecrypt9FileCrypt14create (#25)
[kiteshield] 800002e3f value: c3, type: ret, function: _ZN9filecrypt9FileCrypt5closeEv (#26)
[kiteshield] 800002e00 value: 41, type: ent, function: _ZN9filecrypt9FileCrypt5closeEv (#26)
[kiteshield] 80000307f value: c3, type: ret, function: _ZN9filecrypt9FileCrypt15proces (#27)
[kiteshield] 800002f50 value: 41, type: ent, function: _ZN9filecrypt9FileCrypt15proces (#27)
[kiteshield] 800004034 value: c3, type: ret, function: __libc_csu_init (#28)
[kiteshield] 800003fd0 value: 41, type: ent, function: __libc_csu_init (#28)
[kiteshield] 800003909 value: c3, type: ret, function: _ZN9filecrypt9FileCrypt12init_e (#29)
[kiteshield] 800003830 value: 41, type: ent, function: _ZN9filecrypt9FileCrypt12init_e (#29)
[kiteshield] runtime.c:760 PTRACE_SETOPTIONS failed with error -1

from kiteshield.

MyraBaba commented on June 11, 2024

My code is using: https://github.com/ilwoong/filecrypt and the https://github.com/adamyaxley/Obfuscate C++14 header.

from kiteshield.

MyraBaba commented on June 11, 2024

@GunshipPenguin any idea about "PTRACE_SETOPTIONS failed with error -1"?

from kiteshield.

MyraBaba commented on June 11, 2024

Extra info: filecrypt uses OpenSSL. The Docker image has all the necessary libs; is that enough?

from kiteshield.

MyraBaba commented on June 11, 2024

@GunshipPenguin

Do we always need to statically compile the binary that we want to protect?

from kiteshield.

MyraBaba commented on June 11, 2024

@GunshipPenguin
The same binary was successfully packed with the Vmpsoft.com Linux demo packer.

I suspect the OpenSSL library is causing the problem.

You can compile https://github.com/ilwoong/filecrypt with make, and the final binary can't be kiteshielded.

Best

from kiteshield.

GunshipPenguin commented on June 11, 2024

Hi,

-1 is EPERM. Seems you're running in a context where you don't have permissions to do PTRACE_SETOPTIONS. You might need to give yourself CAP_SYS_PTRACE in the docker container. See: https://stackoverflow.com/a/42030182.

from kiteshield.
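
A quick way to check the condition described in the reply above from inside the container, as an added example (not part of the thread and not kiteshield's code): it reads `/proc/self/status` and reports whether `CAP_SYS_PTRACE` (capability bit 19) is in the effective set and which seccomp mode is active. The struct and function names are hypothetical, and the sample masks used to exercise it are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_PTRACE_BIT 19 /* CAP_SYS_PTRACE in <linux/capability.h> */

struct ptrace_ctx {
    unsigned long long cap_eff; /* CapEff mask, 0 if the field is missing */
    int seccomp;                /* 0 off, 1 strict, 2 filter, -1 unknown */
};

/* Parse the CapEff and Seccomp fields from /proc/<pid>/status text. */
struct ptrace_ctx parse_status(const char *text) {
    struct ptrace_ctx ctx = { 0, -1 };
    const char *p;
    /* "\nCapEff:" is 8 bytes; strtoull skips the tab that follows. */
    if ((p = strstr(text, "\nCapEff:")) != NULL)
        ctx.cap_eff = strtoull(p + 8, NULL, 16);
    /* The colon keeps this from matching "Seccomp_filters:". */
    if ((p = strstr(text, "\nSeccomp:")) != NULL)
        ctx.seccomp = (int)strtol(p + 9, NULL, 10);
    return ctx;
}

/* 1 if CAP_SYS_PTRACE is in the effective capability set. */
int has_cap_sys_ptrace(const struct ptrace_ctx *ctx) {
    return (int)((ctx->cap_eff >> CAP_SYS_PTRACE_BIT) & 1ULL);
}

int main(void) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        perror("/proc/self/status");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    struct ptrace_ctx ctx = parse_status(buf);
    printf("CapEff=%016llx CAP_SYS_PTRACE=%s Seccomp=%d\n",
           ctx.cap_eff, has_cap_sys_ptrace(&ctx) ? "yes" : "no",
           ctx.seccomp);
    return 0;
}
```

If it prints `CAP_SYS_PTRACE=no`, start the container with `docker run --cap-add=SYS_PTRACE ...` and run it again.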

MyraBaba commented on June 11, 2024

@GunshipPenguin

I can't believe it!! Thanks a lot.

Best.

PS: Is there any way for a kiteshielded binary to read an encrypted binary, decrypt it, and run it without saving it to disk?

So kiteshield performance is not an issue.

Best

from kiteshield.

GunshipPenguin commented on June 11, 2024

(closing this because the original issue was fixed)

> PS: Is there any way for a kiteshielded binary to read an encrypted binary, decrypt it, and run it without saving it to disk?

If I'm reading you right, you seem to be misinterpreting how kiteshield works. Kiteshield does not save the unencrypted binary to disk at all; it reads the encrypted binary, decrypts it entirely in memory, and then runs it. No unencrypted data is ever written back to disk, so I think this is a non-issue. Feel free to open another issue if I'm misreading you here.

from kiteshield.
