From c6e384508c7946acfd6f3c98d97e7e51638993f2 Mon Sep 17 00:00:00 2001
From: moloch-- <875022+moloch--@users.noreply.github.com>
Date: Sat, 6 Mar 2021 14:33:22 -0600
Subject: [PATCH 1/3] small refactor, removed any string consts
---
implant/sliver/constants/constants.go | 1 +
implant/sliver/encoders/english-words.go | 18 ++++++++++++++++++
implant/sliver/encoders/gzip.go | 10 +++++-----
implant/sliver/evasion/evasion.go | 18 ++++++++++++++++++
implant/sliver/evasion/evasion_darwin.go | 20 +++++++++++++++++++-
implant/sliver/evasion/evasion_linux.go | 18 ++++++++++++++++++
implant/sliver/evasion/evasion_windows.go | 18 ++++++++++++++++++
implant/sliver/hostuuid/uuid_windows.go | 4 ++--
implant/sliver/netstat/netstat_linux.go | 4 ++--
implant/sliver/proxy/provider_darwin_test.go | 4 ++--
10 files changed, 103 insertions(+), 12 deletions(-)
diff --git a/implant/sliver/constants/constants.go b/implant/sliver/constants/constants.go
index 0c4e34eceb..9f4c4a5588 100644
--- a/implant/sliver/constants/constants.go
+++ b/implant/sliver/constants/constants.go
@@ -20,6 +20,7 @@ package constants
along with this program. If not, see .
*/
+// Do not use an actual `const` or the string won't be obfuscated
var (
SliverName = `{{.Name}}`
)
diff --git a/implant/sliver/encoders/english-words.go b/implant/sliver/encoders/english-words.go
index 6e20ad2575..11c6a33712 100644
--- a/implant/sliver/encoders/english-words.go
+++ b/implant/sliver/encoders/english-words.go
@@ -1,5 +1,23 @@
package encoders
+/*
+ Sliver Implant Framework
+ Copyright (C) 2021 Bishop Fox
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
func getEnglishDictionary() []string {
return []string{
diff --git a/implant/sliver/encoders/gzip.go b/implant/sliver/encoders/gzip.go
index 762e9bdeb0..c10a41ea2a 100644
--- a/implant/sliver/encoders/gzip.go
+++ b/implant/sliver/encoders/gzip.go
@@ -1,10 +1,5 @@
package encoders
-import (
- "bytes"
- "compress/gzip"
-)
-
/*
Sliver Implant Framework
Copyright (C) 2019 Bishop Fox
@@ -23,6 +18,11 @@ import (
along with this program. If not, see .
*/
+import (
+ "bytes"
+ "compress/gzip"
+)
+
// GzipEncoderID - EncoderID
const GzipEncoderID = 49
diff --git a/implant/sliver/evasion/evasion.go b/implant/sliver/evasion/evasion.go
index e76ff3bd8f..44ca34bddf 100644
--- a/implant/sliver/evasion/evasion.go
+++ b/implant/sliver/evasion/evasion.go
@@ -1 +1,19 @@
package evasion
+
+/*
+ Sliver Implant Framework
+ Copyright (C) 2021 Bishop Fox
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
diff --git a/implant/sliver/evasion/evasion_darwin.go b/implant/sliver/evasion/evasion_darwin.go
index 9b2323f1f8..44ca34bddf 100644
--- a/implant/sliver/evasion/evasion_darwin.go
+++ b/implant/sliver/evasion/evasion_darwin.go
@@ -1 +1,19 @@
-package evasion
\ No newline at end of file
+package evasion
+
+/*
+ Sliver Implant Framework
+ Copyright (C) 2021 Bishop Fox
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
diff --git a/implant/sliver/evasion/evasion_linux.go b/implant/sliver/evasion/evasion_linux.go
index e76ff3bd8f..44ca34bddf 100644
--- a/implant/sliver/evasion/evasion_linux.go
+++ b/implant/sliver/evasion/evasion_linux.go
@@ -1 +1,19 @@
package evasion
+
+/*
+ Sliver Implant Framework
+ Copyright (C) 2021 Bishop Fox
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
diff --git a/implant/sliver/evasion/evasion_windows.go b/implant/sliver/evasion/evasion_windows.go
index 0d4ce7f286..ae56112724 100644
--- a/implant/sliver/evasion/evasion_windows.go
+++ b/implant/sliver/evasion/evasion_windows.go
@@ -1,5 +1,23 @@
package evasion
+/*
+ Sliver Implant Framework
+ Copyright (C) 2021 Bishop Fox
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
import (
"github.com/bishopfox/sliver/implant/sliver/syscalls"
"golang.org/x/sys/windows"
diff --git a/implant/sliver/hostuuid/uuid_windows.go b/implant/sliver/hostuuid/uuid_windows.go
index 5b3e080f0f..b875a9e7e9 100644
--- a/implant/sliver/hostuuid/uuid_windows.go
+++ b/implant/sliver/hostuuid/uuid_windows.go
@@ -25,8 +25,8 @@ import (
)
// Stored Format: {U-U-I-D}
-const uuid_keypath = "HKEY_LOCAL_MACHINE\\SYSTEM\\HardwareConfig"
-const uuid_key = "LastConfig"
+var uuid_keypath = "HKEY_LOCAL_MACHINE\\SYSTEM\\HardwareConfig"
+var uuid_key = "LastConfig"
func GetUUID() string {
key, err := registry.OpenKey(registry.CURRENT_USER, uuid_keypath, registry.QUERY_VALUE)
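Review bot: The new `var uuid_keypath` line keeps the `HKEY_LOCAL_MACHINE\\` hive prefix inside the subkey string while the context line opens it relative to `registry.CURRENT_USER`; OpenKey's second argument is a subkey path relative to the root handle, so this lookup most likely fails and GetUUID always takes its error path (the function body continues outside the hunk). If the machine hive is intended, the consistent pairing would be `var uuid_keypath = "SYSTEM\\HardwareConfig"` with `key, err := registry.OpenKey(registry.LOCAL_MACHINE, uuid_keypath, registry.QUERY_VALUE)`. The identifiers `uuid_keypath` and `uuid_key` would also read better as `uuidKeyPath` and `uuidKey` per Go naming, and a short comment stating why these are `var` rather than `const` (the same reason given in constants.go) would stop a later cleanup from reverting them.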
diff --git a/implant/sliver/netstat/netstat_linux.go b/implant/sliver/netstat/netstat_linux.go
index b2477bfe8e..fe58d8b238 100644
--- a/implant/sliver/netstat/netstat_linux.go
+++ b/implant/sliver/netstat/netstat_linux.go
@@ -192,7 +192,7 @@ type procFd struct {
p *Process
}
-const sockPrefix = "socket:["
+var sockPrefix = "socket:["
func getProcName(s []byte) string {
i := bytes.Index(s, []byte("("))
@@ -251,7 +251,7 @@ func (p *procFd) iterFdDir() {
}
func extractProcInfo(sktab []SockTabEntry) {
- const basedir = "/proc"
+ var basedir = "/proc"
fi, err := ioutil.ReadDir(basedir)
if err != nil {
return
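Review bot: `var basedir = "/proc"` inside a function body is an unidiomatic spelling; `basedir := "/proc"` declares the same non-constant local and, as far as I can tell, is equally visible to a literal obfuscator that only skips `const` declarations, so the short form would serve the same purpose. This does not apply to the `sockPrefix` hunk above or the other package-level changes in this patch, where `var` is the only option. On the context lines, the bare `return` after `ioutil.ReadDir` fails discards the error silently; a one-line comment such as `// an unreadable /proc is treated as "no sockets" rather than an error` would make that choice explicit for readers. extractProcInfo continues past the end of the hunk.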
diff --git a/implant/sliver/proxy/provider_darwin_test.go b/implant/sliver/proxy/provider_darwin_test.go
index 5b8cb56f37..4200fc2b63 100644
--- a/implant/sliver/proxy/provider_darwin_test.go
+++ b/implant/sliver/proxy/provider_darwin_test.go
@@ -10,13 +10,13 @@ import (
"github.com/stretchr/testify/assert"
)
-const (
+var (
ScutilDataHttpsHttp = "ScutilDataHttpsHttp"
ScutilDataHttps = "ScutilDataHttps"
ScutilDataHttp = "ScutilDataHttp"
)
-const (
+var (
ScutilBypassTest1 = "localhost"
ScutilBypassTest2 = "myorg1.com"
ScutilBypassTest3 = "endpoint.myorg2.com"
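Review bot: These declarations live in a `_test.go` file, which is compiled only under `go test` and never into the implant binary, so changing them from `const` to `var` gains nothing for the string obfuscator and gives up the compile-time guarantee that test fixtures cannot be reassigned. Unless the test build is also run through the obfuscator, which nothing in this patch indicates, I would keep `const (` for both blocks. The second block continues past the end of the hunk.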
From c9b1cdd3bab9cf20434f16003911eb1b8805369a Mon Sep 17 00:00:00 2001
From: moloch-- <875022+moloch--@users.noreply.github.com>
Date: Sat, 6 Mar 2021 15:00:02 -0600
Subject: [PATCH 2/3] Re-implemented un-obfuscated canaries
---
implant/sliver/constants/constants.go | 10 ++++++++++
server/generate/canaries.go | 2 +-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/implant/sliver/constants/constants.go b/implant/sliver/constants/constants.go
index 9f4c4a5588..903ce9ca5d 100644
--- a/implant/sliver/constants/constants.go
+++ b/implant/sliver/constants/constants.go
@@ -1,5 +1,7 @@
package constants
+import "reflect"
+
// Ironically not consts, becuase our string obfuscator only works on `var`s
/*
@@ -24,3 +26,11 @@ package constants
var (
SliverName = `{{.Name}}`
)
+
+// Message - Fake message for embedding canaries
+type Message struct {
+ Command string `c2:"[[GenerateCanary]]"`
+}
+
+// never obfuscate the Message type
+var _ = reflect.TypeOf(Message{})
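Review bot: The comment `// never obfuscate the Message type` states the goal but not the mechanism, so a reader cannot tell why an unused blank `var` referencing `reflect.TypeOf(Message{})` achieves it, or that deleting the apparently dead line would silently break canary generation. I would expand it along the lines of `// Referencing Message through reflect keeps the obfuscator from renaming or stripping the type and its struct tag, which the server's canary placeholder rewrite depends on` — hedged, since the hunk implies but does not show that the obfuscator exempts reflected types. The tag uses `[[GenerateCanary]]` while SliverName above uses `{{.Name}}`; if a second template pass with `[[`/`]]` delimiters is what consumes it, the Message doc comment should say so, because under a single `{{`-delimited render the tag survives untouched. The `c2` tag key and the exported Message type are otherwise undocumented beyond "Fake message".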
diff --git a/server/generate/canaries.go b/server/generate/canaries.go
index ad42f53dd1..4c86aab0ff 100644
--- a/server/generate/canaries.go
+++ b/server/generate/canaries.go
@@ -97,5 +97,5 @@ func (g *CanaryGenerator) GenerateCanary() string {
dbSession := db.Session()
dbSession.Create(&canary)
- return fmt.Sprintf("%s%s", canaryPrefix, canaryDomain)
+ return canaryDomain
}
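Review bot: The new `return canaryDomain` hands the domain back regardless of whether the preceding `dbSession.Create(&canary)` succeeded, so a canary can be embedded in a build with no stored record to match when it later resolves, and the hit would go unattributed. If `db.Session()` is a GORM-style session, checking the result, e.g. `if res := dbSession.Create(&canary); res.Error != nil { /* log and decide whether to still return the domain */ }`, before returning would close that gap without changing the GenerateCanary signature. GenerateCanary begins outside the hunk, as does whatever else uses `canaryPrefix` and `fmt` in this file; both should still be referenced somewhere or the file will no longer compile.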
From a62e3e463a56e3e34237c7d14d5f49861c67441b Mon Sep 17 00:00:00 2001
From: moloch-- <875022+moloch--@users.noreply.github.com>
Date: Sun, 7 Mar 2021 10:13:10 -0600
Subject: [PATCH 3/3] Fix garble unpack for windows
---
implant/sliver/constants/constants.go | 4 +---
server/assets/assets.go | 8 ++++++--
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/implant/sliver/constants/constants.go b/implant/sliver/constants/constants.go
index 903ce9ca5d..cb2920b22e 100644
--- a/implant/sliver/constants/constants.go
+++ b/implant/sliver/constants/constants.go
@@ -2,8 +2,6 @@ package constants
import "reflect"
-// Ironically not consts, becuase our string obfuscator only works on `var`s
-
/*
Sliver Implant Framework
Copyright (C) 2019 Bishop Fox
@@ -22,7 +20,7 @@ import "reflect"
along with this program. If not, see .
*/
-// Do not use an actual `const` or the string won't be obfuscated
+// Ironically not consts to ensure the string obfuscator hits this value
var (
SliverName = `{{.Name}}`
)
diff --git a/server/assets/assets.go b/server/assets/assets.go
index a3a1027680..f83551d19e 100644
--- a/server/assets/assets.go
+++ b/server/assets/assets.go
@@ -161,13 +161,17 @@ func setupGo(appDir string) error {
return err
}
- garbleAssetPath := path.Join("fs", runtime.GOOS, runtime.GOARCH, "garble")
+ garbleFileName := "garble"
+ if runtime.GOOS == "windows" {
+ garbleFileName = "garble.exe"
+ }
+ garbleAssetPath := path.Join("fs", runtime.GOOS, runtime.GOARCH, garbleFileName)
garbleFile, err := assetsFs.ReadFile(garbleAssetPath)
if err != nil {
setupLog.Errorf("Static asset not found: %s", garbleFile)
return err
}
- garbleLocalPath := path.Join(appDir, "go", "bin", "garble")
+ garbleLocalPath := path.Join(appDir, "go", "bin", garbleFileName)
err = ioutil.WriteFile(garbleLocalPath, garbleFile, 0755)
if err != nil {
setupLog.Errorf("Failed to write garble %s", err)
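Review bot: The new `garbleLocalPath := path.Join(appDir, "go", "bin", garbleFileName)` line builds an on-disk path with `path.Join`, which always emits forward slashes; for the Windows case this commit is fixing, `garbleLocalPath := filepath.Join(appDir, "go", "bin", garbleFileName)` is the correct call (importing `path/filepath` if the file does not already), while `path.Join` remains right for `garbleAssetPath` because the embedded FS is slash-separated. Windows generally tolerates mixed separators, so this is a convention point rather than a visible failure today. On the context line directly after the new code, `setupLog.Errorf("Static asset not found: %s", garbleFile)` formats the nil file contents instead of the path, so the log cannot say which asset was missing; `garbleAssetPath` is the value to print. setupGo continues outside the hunk.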