Added an append flag to the config repack command. (Velocidex#142)

This allows us to append an external zip file to the Velociraptor
executable while repacking. The added zip file will be covered by the
.rscs section and therefore will be protected by the authenticode
signature.

The standard Golang zip library does not support processing of zip
files with prepended data. The PR also includes a fork of the standard
library which supports this.

.gitignore

@@ -14,3 +14,4 @@ xml
 node_modules/
 package-lock.json
 __debug_bin
+bin/rsrc.syso

Makefile

@@ -15,6 +15,9 @@ release:
 windows:
 	go run make.go -v windowsDev
 
+windowsx86:
+	go run make.go -v windowsx86
+
 clean:
 	go run make.go -v clean
 

appveyor.yml

@@ -7,6 +7,7 @@ environment:
   GOPATH: c:\gopath
   PATH: C:\msys64\mingw64\bin;%GOPATH%\bin;%PATH%
   VELOCIRAPTOR_CONFIG: artifacts\testdata\windows\appveyor.config.yaml
+  GOPROXY: https://proxy.golang.org
 
 cache:
   - '%LocalAppData%\go-build -> .appveyor_cache_clear'

bin/repack.go

@@ -20,6 +20,7 @@ package main
 import (
 	"bytes"
 	"compress/zlib"
+	"encoding/binary"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -43,6 +44,10 @@ var (
 		"config_file", "The filename to write into the binary.").
 		Required().String()
 
+	repack_command_append = repack_command.Flag(
+		"append", "If provided we append the file to the output binary.").
+		File()
+
 	repack_command_output = repack_command.Arg(
 		"output", "The filename to write the repacked binary.").
 		Required().String()
@@ -90,7 +95,7 @@ func doRepack() {
 	err = validate_config(config_data)
 	kingpin.FatalIfError(err, "Config file invalid")
 
-	// Compres1s the string.
+	// Compress the string.
 	var b bytes.Buffer
 	w := zlib.NewWriter(&b)
 	w.Write(config_data)
@@ -125,6 +130,36 @@ func doRepack() {
 	data, err := ioutil.ReadAll(fd)
 	kingpin.FatalIfError(err, "Unable to read executable")
 
+	if repack_command_append != nil {
+		// A PE file - adjust the size of the .rsrc section to
+		// cover the entire binary.
+		if string(data[0:2]) == "MZ" {
+			stat, err := (*repack_command_append).Stat()
+			kingpin.FatalIfError(err, "Unable to read appended file")
+
+			end_of_file := int64(len(data)) + stat.Size()
+
+			// This is the IMAGE_SECTION_HEADER.Name which
+			// is also the start of IMAGE_SECTION_HEADER.
+			offset_to_rsrc := bytes.Index(data, []byte(".rsrc"))
+
+			// Found it.
+			if offset_to_rsrc > 0 {
+				// IMAGE_SECTION_HEADER.PointerToRawData is a 32 bit int.
+				start_of_rsrc_section := binary.LittleEndian.Uint32(
+					data[offset_to_rsrc+20:])
+				size_of_raw_data := uint32(end_of_file) - start_of_rsrc_section
+				binary.LittleEndian.PutUint32(
+					data[offset_to_rsrc+16:], size_of_raw_data)
+			}
+		}
+
+		appended, err := ioutil.ReadAll(*repack_command_append)
+		kingpin.FatalIfError(err, "Unable to read appended file")
+
+		data = append(data, appended...)
+	}
+
 	match := embedded_re.FindIndex(data)
 	if match == nil {
 		kingpin.Fatalf("I can not seem to locate the embedding config????")

go.mod

@@ -34,7 +34,6 @@ require (
 	github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239 // indirect
 	github.com/go-ole/go-ole v1.2.4
 	github.com/go-sql-driver/mysql v1.4.1 // indirect
-	github.com/golang/groupcache v0.0.0-20191002201903-404acd9df4cc // indirect
 	github.com/golang/mock v1.3.1
 	github.com/golang/protobuf v1.3.2
 	github.com/golangplus/bytes v0.0.0-20160111154220-45c989fe5450 // indirect
@@ -82,7 +81,6 @@ require (
 	github.com/tink-ab/tempfile v0.0.0-20180226111222-33beb0518f1a
 	github.com/xor-gate/ar v0.0.0-20170530204233-5c72ae81e2b7 // indirect
 	github.com/xor-gate/debpkg v0.0.0-20181217150151-a0c70a3d4213
-	go.opencensus.io v0.22.1 // indirect
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
 	golang.org/x/exp v0.0.0-20191014171548-69215a2ee97e // indirect
 	golang.org/x/net v0.0.0-20191021144547-ec77196f6094

go.sum

@@ -55,6 +55,7 @@ github.com/Velocidex/survey v1.8.7-0.20190926071832-2ff99cc7aa49 h1:TJVN1zYl5sKJ
 github.com/Velocidex/survey v1.8.7-0.20190926071832-2ff99cc7aa49/go.mod h1:kfPUQ2gP0xtIydiR52dirNYt4OvCr+iZuepL4XaIk58=
 github.com/Velocidex/yaml v0.0.0-20190812045153-ad0acda9eea0 h1:rFd07P9lqQPsmgPVvS0crnGpq63eFyd7qQyyvLgBrMY=
 github.com/Velocidex/yaml v0.0.0-20190812045153-ad0acda9eea0/go.mod h1:LVK71wXgKJYbhcGaK+QDA6QM+yLgcO21ZihAoxAdMak=
+github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw=
 github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
 github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38 h1:smF2tmSOzy2Mm+0dGI2AIUHY+w0BUc+4tn40djz7+6U=
 github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38/go.mod h1:r7bzyVFMNntcxPZXK3/+KdruV1H5KSlyVY0gc+NgInI=
@@ -139,9 +140,6 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191002201903-404acd9df4cc h1:55rEp52jU6bkyslZ1+C/7NGfpQsEc6pxGLAGDOctqbw=
-github.com/golang/groupcache v0.0.0-20191002201903-404acd9df4cc/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
@@ -348,8 +346,6 @@ github.com/xor-gate/debpkg v0.0.0-20181217150151-a0c70a3d4213/go.mod h1:SoEebpbm
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.1 h1:8dP3SGL7MPB94crU3bEPplMPe83FI4EouesJUeFHv50=
-go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA=
 golang.org/x/arch v0.0.0-20190927153633-4e8777c89be4 h1:QlVATYS7JBoZMVaf+cNjb90WD/beKVHnIxFKT4QaHVI=
 golang.org/x/arch v0.0.0-20190927153633-4e8777c89be4/go.mod h1:flIaEI6LNU6xOCD5PaJvn9wGP0agmIOqjrtsKGRguv4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=

magefile.go

@@ -104,11 +104,38 @@ func (self *Builder) Env() map[string]string {
 	return env
 }
 
+// Make sure the correct version of the syso file is present. If we
+// are building for non windows platforms we need to remove it
+// completely.
+func (self Builder) ensureSyso() error {
+	sh.Rm("bin/rsrc.syso")
+
+	if self.goos == "windows" {
+		switch self.arch {
+		case "386":
+			err := sh.Copy("bin/rsrc.syso", "docs/rsrc_386.syso")
+			if err != nil {
+				return err
+			}
+		case "amd64":
+			err := sh.Copy("bin/rsrc.syso", "docs/rsrc_amd64.syso")
+			if err != nil {
+				return err
+			}
+
+		}
+	}
+
+	return nil
+}
+
 func (self Builder) Run() error {
 	if err := os.Mkdir("output", 0700); err != nil && !os.IsExist(err) {
 		return fmt.Errorf("failed to create output: %v", err)
 	}
 
+	self.ensureSyso()
+
 	err := ensure_assets()
 	if err != nil {
 		return err

third_party/zip/README.txt

@@ -0,0 +1,6 @@
+This is a fork on archive/zip from the standard library with a number
+of bugfixes:
+
+* Support extra bytes before zip file (see issue https://github.com/golang/go/issues/10464)
+
+Includes patch by Phil Webb philwebb https://github.com/philwebb/go/commit/b1b65c2b4cd85f1a67c3c5c8cf40254030c7cab4