First commit

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # egebalci
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: https://www.blockchain.com/tr/btc/address/1615NKMjpHShh3hWHrazWybgJxpqZgz4f2

.gitignore

@@ -0,0 +1 @@
+sgn

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Ege Balcı
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,2 @@
+normal:
+	go build -ldflags="-s -w" -o sgn

README.md

@@ -0,0 +1,162 @@
+[![BANNER](https://github.com/EgeBalci/sgn/raw/master/img/banner.png)](https://github.com/EgeBalci/sgn)
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/egebalci/sgn)](https://goreportcard.com/report/github.com/egebalci/sgn)
+[![Open Issues](https://img.shields.io/github/issues/egebalci/sgn?style=flat-square&color=red)](https://github.com/EgeBalci/sgn/issues)
+[![License](https://img.shields.io/github/license/egebalci/amber.svg?style=flat-square)](https://raw.githubusercontent.com/EgeBalci/sgn/master/LICENSE)
+[![Twitter](https://img.shields.io/badge/[email protected]?style=flat-square)](https://twitter.com/egeblc)
+
+SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetecable binary payloads. It uses a additive feedback loop to encode given binary instructions similar to [LSFR](https://en.wikipedia.org/wiki/Linear-feedback_shift_register). This project is the reimplementation of the [original Shikata ga nai](https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb) in golang with many improvements. 
+
+
+## How? & Why?
+For offensive security community, the original implementation of shikata ga nai encoder is considered to be the best shellcode encoder(until now). But over the years security researchers found several pitfalls for statically detecing the encoder(related work [FireEye article](https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html)). The main motive for this project was to create a better encoder that encodes the given binary to the point it is identical with totally random data and not possible to detect the presence of a decoder. With the help of [keystone](http://www.keystone-engine.org/) assembler library following improvments are implemented.
+
+- [x] 64 bit support. `Finally properly encoded x64 shellcodes !`
+- [x] New smaller decoder stub. `LFSR key reduced to 1 byte`
+- [x] Encoded stub with pseudo random schema. `Decoder stub is also encoded with a psudo random schema`
+- [x] No visible loop condition `Stub decodes itself WITHOUT using any loop conditions !!` 
+- [x] Decoder stub obfuscation. `Random garbage instruction generator added with keystone`
+- [x] Safe register option. `Non of the registers are clobbered (optional preable, may reduce polimorphism)` 
+
+## Install
+
+**Dependencies:**
+
+Only dependencies required is keystone and capstone libraries. For easily installing capstone libarary check the table;
+
+
+<table>
+  <tr>
+      <th>OS</th>
+      <th>Install Command</th>
+  </tr>
+  <tr>
+      <td>Ubuntu/Debian</td>
+      <td>sudo apt-get install libcapstone-dev</td>
+  </tr>
+  <tr>
+      <td>Mac</td>
+      <td>brew install capstone</td>
+  </tr>
+  <tr>
+      <td>FreeBSD</td>
+      <td>pkg install capstone</td>
+  </tr>
+  <tr>
+      <td>OpenBSD</td>
+      <td>sudo pkg_add capstone</td>
+  </tr>
+  <tr>
+      <td>Windows/All Other...</td>
+      <td><a href="https://www.capstone-engine.org/documentation.html">CHECK HERE</a></td>
+  </tr>
+</table>
+
+Installation of keystone library can be little tricky in some cases. [Check here](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) for keystone library installation guides.
+
+Then just go get it ツ
+
+```
+go get github.com/egebalci/sgn
+```
+
+**Usage**
+
+`-h` is pretty self explanatory use `-v` if you want to see what's going on behind the scenes `( ͡° ͜ʖ ͡°)_/¯`
+<p align="center">
+  <img src="https://github.com/EgeBalci/sgn/raw/master/img/usage.gif">
+</p>
+
+
+```
+       __   _ __        __                               _ 
+  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
+ (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ / 
+/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/  
+========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========  
+    ┻━┻ ︵ヽ(`Д´)ﾉ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない
+
+Usage: sgn [OPTIONS] <FILE>
+  -a int
+    	Binary architecture (32/64) (default 32)
+  -asci
+    	Generates a full ASCI printable payload (takes very long time to bruteforce)
+  -badchars string
+    	Don't use specified bad characters given in hex format (\x00\x01\x02...)
+  -c int
+    	Number of times to encode the binary (increases overall size) (default 1)
+  -h	Print help
+  -max int
+    	Maximum number of bytes for obfuscation (default 50)
+  -o string
+    	Encoded output binary name
+  -plain-decoder
+    	Do not encode the decoder stub
+  -safe
+    	Do not modify and register values
+  -v	More verbose output
+```
+
+
+## Using As Library
+Warning !! SGN package is still under development for better performance and several improvements. Most of the functions are subject to change.
+
+```
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"io/ioutil"
+
+	sgn "github.com/egebalci/sgn/lib"
+)
+
+func main() {
+	// First open some file
+	file, err := ioutil.ReadFile("myfile.bin")
+	if err != nil { // check error
+		fmt.Println(err)
+		return
+	}
+	// Create a new SGN encoder
+	encoder := sgn.NewEncoder()
+	// Set the proper architecture
+	encoder.SetArchitecture(64)
+	// Encode the binary
+	encodedBinary, err := encoder.Encode(file)
+	if err != nil {
+		fmt.Println(err)
+		return
+	}
+	// Print out the hex dump of the encoded binary
+	fmt.Println(hex.Dump(encodedBinary))
+
+}
+```
+
+
+## Execution Flow
+
+The following image is a basic workflow diagram for the encoder. But keep in mind that the sizes, locations and orders will change for garbage instructions, decoders and schema decoders on each iteration. 
+
+<p align="center">
+  <img src="https://github.com/EgeBalci/sgn/raw/master/img/flow.png">
+</p>
+
+LFSR itself is pretty powerful in terms of probability space. For even more polimorphism garbage instructions are appended at the begining of the unencoded raw payload. Below image shows the the companion matrix of the characteristic polynomial of the LFSR and denoting the seed as a column vector, the state of the register in Fibonacci configuration after k steps.
+
+<p align="center">
+  <img src="https://github.com/EgeBalci/sgn/raw/master/img/matrices.svg">
+</p>
+
+
+## [Challenge](https://github.com/EgeBalci/sgn/wiki/Challange_Guidelines)
+
+Considering the probability space of this encoder I personally don't think that any rule based static detection mechanism can detect the binaries that are encoded with SGN. In fact I am willing to give out the donation money for this project as a symbolic prize if anyone can write a YARA rule that can detect every encoded output. Check out [***HERE***](https://github.com/EgeBalci/sgn/wiki/Challange_Guidelines) for the guidelines and rules for claiming the donation money.
+
+[***Current Donation Amount***](https://www.blockchain.com/tr/btc/address/1615NKMjpHShh3hWHrazWybgJxpqZgz4f2)
+
+[![QR](https://github.com/EgeBalci/sgn/raw/master/img/btc_qr.png)](https://www.blockchain.com/tr/btc/address/1615NKMjpHShh3hWHrazWybgJxpqZgz4f2)
+
+If you tried and failed please consider donating `[̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]`

examples/encode_x64_binary.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"io/ioutil"
+
+	sgn "github.com/egebalci/sgn/lib"
+)
+
+func main() {
+	// First open some file
+	file, err := ioutil.ReadFile("myfile.bin")
+	if err != nil { // check error
+		fmt.Println(err)
+		return
+	}
+	// Create a new SGN encoder
+	encoder := sgn.NewEncoder()
+	// Set the proper architecture
+	encoder.SetArchitecture(64)
+	// Encode the binary
+	encodedBinary, err := encoder.Encode(file)
+	if err != nil {
+		fmt.Println(err)
+		return
+	}
+	// Print out the hex dump of the encoded binary
+	fmt.Println(hex.Dump(encodedBinary))
+
+}

go.mod

@@ -0,0 +1,10 @@
+module github.com/egebalci/sgn
+
+go 1.13
+
+require (
+	github.com/EgeBalci/keystone-go v0.0.0-20191020215946-e413e564d55a
+	github.com/briandowns/spinner v1.9.0
+	github.com/fatih/color v1.9.0
+	github.com/olekukonko/tablewriter v0.0.4
+)

go.sum

@@ -0,0 +1,20 @@
+github.com/EgeBalci/keystone-go v0.0.0-20191020215946-e413e564d55a h1:f7foeXv2svlJU0ihmcKbR+bln5fcF1nbGyoJ4PBRznc=
+github.com/EgeBalci/keystone-go v0.0.0-20191020215946-e413e564d55a/go.mod h1:/HCfOmUN3INldcXC0YnFrOtOw3MuRFEQ9cKTT5fZuQ8=
+github.com/briandowns/spinner v1.9.0 h1:+OMAisemaHar1hjuJ3Z2hIvNhQl9Y7GLPWUwwz2Pxo8=
+github.com/briandowns/spinner v1.9.0/go.mod h1://Zf9tMcxfRUA36V23M6YGEAv+kECGfvpnLTnb8n4XQ=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
+github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.11 h1:FxPOTFNqGkuDUGi3H/qkUbQO4ZiBa2brKq5r0l8TGeM=
+github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
+github.com/mattn/go-runewidth v0.0.7 h1:Ei8KR0497xHyKJPAv59M1dkC+rOZCMBJ+t3fZ+twI54=
+github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/olekukonko/tablewriter v0.0.4 h1:vHD/YYe1Wolo78koG299f7V/VAS08c6IpCLn+Ejf/w8=
+github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=