backdoor'ed binaries unusable

[smeukinou]

Describe the bug Not sure if it's a bug or not, but once I backdoored a PE executable;, the PE still runs the Sliver shellcode, but never goes to the original EXE code. Making it of course very suspect. I tried to look, in the binject repository and I understand that binject exects the shellcod eto "return" at some point to then jump to the OEP. Sliver's generated sc seems in "while true {}" mode. Am I missing something ?

To Reproduce Steps to reproduce the behavior: backdoor --profile any-profile test.exe

Expected behavior The embedded sc would execute in background while the original app is displayed and usable.

Screenshots Well nothing is displayed, .....

Desktop (please complete the following information): Win10,Win11 64 bits

[smeukinou]

As a side note, instead of binjection, I had success backdoring binaries while keeping their original purpose with msfvenom -x and -k options and 'non' as terminating function. Maybe it would be intersting to switchto that ?

[moloch--]

I think we're also on an old version of binject and there's been some recent bug fixes too, just haven't had time to take a look yet.

[smeukinou]

Unrelated to this issue, but related to old stuff that needs updating, I fixed a bug in the keylogger causing random but frequent crashes, and opened an issue with the fix here: https://github.com/trustedsec/SliverKeylogger/issues/2 Not sure if they will handle it or not. Should I submit somewhere else ?

[rkervella]

I think we're also on an old version of binject and there's been some recent bug fixes too, just haven't had time to take a look yet.

This is kind of known issue from the start. We're not parsing the original binary to look for the original entrypoint so we're not passing that info to Binject. We could probably do that, I just don't know how it will play with Donut, need to run some tests first.

[moloch--]

@smeukinou you can send the PR here too: https://github.com/sliverarmory/SliverKeylogger

[smeukinou]

Here it is (but without signature as I don't have avlid setup for github for now, if this is mandatory I wll retry in a few days): https://github.com/sliverarmory/SliverKeylogger/pull/1

And to come back to the original topic, from the test I've performed with binjection (the full tool, not the embedded version in sliver), donut and msfvenom. It seems more like a question of the sliver shellcode never terminating (ie being block on some waitforsingleobject() or some waiting loop). The same problem exists with msf shellcodes, and can be circumvented by using EXITFUNC=none, that specifically instructs msfvenom to not terminate process or thread at the end of the shellcode and just do nothing (then the binjection code to retrun to OEP of the backdoored exe can execute and everything's fine). Using prependmigrate=true permoits to have the sheell code run in a different process and survive the original exe.