AI prompts
base on The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools. # Marble Framework
In 2017, Wikileaks published incomplete source code for the Marble Framework. Using AI/ML and a human with
information learned from the Vault7 leaks, we re-constructed the missing code libraries and have patched the
StringScrambling solution to compile for build-time String Obfuscation using 106 "Marbles" with Visual Studio.
This Framework was created for use by the Central Intelligence Agency (CIA) Applied Engineering Department (AED),
however a number of malware samples have been identified in the wild using these algorithms which may indicate
use by others. By releasing our modifications, we aim to improve detections of the framework and identification
of additional samples using these techniques in the wild. The tool description from CIA internal wiki follows:
> "The Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
> When signaturing tools, string obfuscation algorithms (especially those that are unique) are often used to
> link malware to a specific developer or development shop. This framework is intended to help us (AED) to
> improve upon our current process for string/data obfuscation in our tools." The framework utilizes pre and
> post-build execution steps to apply obfuscation to the tool. If the tool breaks the build, the post build will
> always be able to repair it. The pre-build execuion step will store clean copies of the code before making
> modifications. The post build execution step restores the files to a clean-copy state. The framework allows for
> obfuscation to be chosen randomly from a pool of techniques. These techniques can be filtered based upon the
> project needs. If desired, a user may also, select a specific technique to use for obfuscation. A receipt file
> is generated on run (and replaces any previous receipts). The receipt file identifes the algorithm used as well
> as all of the strings/data that was obfuscated. The post-build step will also double check to make sure none of
> the obfuscated data appears in the binary.
This framework can be used to dynamically obfuscate and handle common string operations as an anti-forensics'
capability.
## Documentation
To use, compile the solution which will produce `Mibster.exe`, `Mender.exe` and `Validator.exe`. These tools
can be added into the Pre-Build and Post-Build steps of a Visual Studio file to obfuscate the following
data types by including `Marble.h` and your chosen deobfuscator from the `Shared` folder in your project file:
* CARBLE - char[] / char*
* WARBLE - wchar[] / wchar*
* BARBLE - byte[] / byte*
Running the `Mibster.exe` will use options specified in `Marble.h` (such as which XOR / RXOR algorithm to use,
wether strings should be cleared after use, chooses at random by default etc.) and obfuscate your strings. You
can then run `Validator.exe` to ensure no strings are present and `Mender.exe` to restore the original source
code (recommended post-build). The deobfuscator (Marble) chosen should be added from the Shared folder into your
project. File states and changes are stored in ".marble" files and it supports a total of 106 algorithms (known as
"Marbles") to be chosen from. More information and documentation can be found on the Wikileaks Vault7 wiki.
[Marble Framework (wikileaks)](https://wikileaks.org/ciav7p1/cms/page_14588467.html)
Documentation can also be found in the `docs` folder which has been created from the link above.
## Testing
When testing this application from the command line under cmd.exe, `Mibster.exe` will not produce any output as
it is designed to run under the output console of Visual Studio (where it works as a pre-build event), however if
you just want to test it under cmd.exe or similar, uncomment the following code block in `Mibster.cpp` seen in the
`wWinMain` function. Note that this will need to be removed if you intend to use it under visual studio and is only
for debugging purposes.
```
// Attach to the parent console for output.
/*if (AttachConsole(ATTACH_PARENT_PROCESS))
{
// Redirect stdout to the attached console
FILE* stream;
_wfreopen_s(&stream, L"CONOUT$", L"w", stdout);
}*/
```
## Malware Detected
The following malware samples have been identified in the wild as using code components from the Marble Framework:
* Worm:Win32/Takc!pz (Microsoft)
* TROJAN-DROPPER.WIN32.DAPATO (Kaspersky)
# License
Hacker House code additions are available under a Attribution-NonCommercial-NoDerivatives 4.0 International license.
", Assign "at most 3 tags" to the expected json: {"id":"6499","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"