BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0
8.58k stars 1.13k forks source link

backdoor'ed binaries unusable #1210

Open smeukinou opened 1 year ago

smeukinou commented 1 year ago

Describe the bug Not sure if it's a bug or not, but once I backdoored a PE executable;, the PE still runs the Sliver shellcode, but never goes to the original EXE code. Making it of course very suspect. I tried to look, in the binject repository and I understand that binject exects the shellcod eto "return" at some point to then jump to the OEP. Sliver's generated sc seems in "while true {}" mode. Am I missing something ?

To Reproduce Steps to reproduce the behavior: backdoor --profile any-profile test.exe

Expected behavior The embedded sc would execute in background while the original app is displayed and usable.

Screenshots Well nothing is displayed, .....

Desktop (please complete the following information): Win10,Win11 64 bits

smeukinou commented 1 year ago

As a side note, instead of binjection, I had success backdoring binaries while keeping their original purpose with msfvenom -x and -k options and 'non' as terminating function. Maybe it would be intersting to switchto that ?

moloch-- commented 1 year ago

I think we're also on an old version of binject and there's been some recent bug fixes too, just haven't had time to take a look yet.

smeukinou commented 1 year ago

Unrelated to this issue, but related to old stuff that needs updating, I fixed a bug in the keylogger causing random but frequent crashes, and opened an issue with the fix here: https://github.com/trustedsec/SliverKeylogger/issues/2 Not sure if they will handle it or not. Should I submit somewhere else ?

rkervella commented 1 year ago

I think we're also on an old version of binject and there's been some recent bug fixes too, just haven't had time to take a look yet.

This is kind of known issue from the start. We're not parsing the original binary to look for the original entrypoint so we're not passing that info to Binject. We could probably do that, I just don't know how it will play with Donut, need to run some tests first.

moloch-- commented 1 year ago

@smeukinou you can send the PR here too: https://github.com/sliverarmory/SliverKeylogger

smeukinou commented 1 year ago

Here it is (but without signature as I don't have avlid setup for github for now, if this is mandatory I wll retry in a few days): https://github.com/sliverarmory/SliverKeylogger/pull/1

And to come back to the original topic, from the test I've performed with binjection (the full tool, not the embedded version in sliver), donut and msfvenom. It seems more like a question of the sliver shellcode never terminating (ie being block on some waitforsingleobject() or some waiting loop). The same problem exists with msf shellcodes, and can be circumvented by using EXITFUNC=none, that specifically instructs msfvenom to not terminate process or thread at the end of the shellcode and just do nothing (then the binjection code to retrun to OEP of the backdoored exe can execute and everything's fine). Using prependmigrate=true permoits to have the sheell code run in a different process and survive the original exe.