Commit 77dff62a authored by Sophie Brun

Imported Upstream version 3.1.3

parent 9b0b09fc
##The Backdoor Factory (BDF)
#### YOU MUST BE *THIS* TALL TO RIDE THIS RIDE
For security professionals and researchers only.
The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.
DerbyCon 2013:
Shmoocon 2015:
Video: http://www.youtube.com/watch?v=jXLb2RNX5xs
Injection Module Demo: http://www.youtube.com/watch?v=04aJAex2o3U
Video: https://archive.org/details/joshpitts_shmoocon2015
Slides: http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
Paper: https://www.dropbox.com/s/te7e35c8xcnyfzb/JoshPitts-UserlandPersistenceOnMacOSX.pdf
DerbyCon 2014:
......@@ -23,11 +17,13 @@ DerbyCon 2014:
Video: http://www.youtube.com/watch?v=LjUN9MACaTs
Shmoocon 2015:
DerbyCon 2013:
Video: https://archive.org/details/joshpitts_shmoocon2015
Video: http://www.youtube.com/watch?v=jXLb2RNX5xs
Paper: https://www.dropbox.com/s/te7e35c8xcnyfzb/JoshPitts-UserlandPersistenceOnMacOSX.pdf
Injection Module Demo: http://www.youtube.com/watch?v=04aJAex2o3U
Slides: http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
Contact the developer on:
......@@ -43,9 +39,12 @@ Under a BSD 3 Clause License
See the wiki: https://github.com/secretsquirrel/the-backdoor-factory/wiki
Dependences
---
###Dependences
#####*To use OnionDuke you MUST be on an intel machine because aPLib has no support for the ARM chipset yet.*
[Capstone engine](http://www.capstone-engine.org) can be installed from PyPi with:
sudo pip install capstone
......@@ -115,10 +114,11 @@ Recently tested on many binaries.
-Jump (j), for code cave jumping
-Single (s), for patching all your shellcode into one cave
-Append (a), for creating a code cave
-Ignore (i), nevermind, ignore this binary
Can ignore DLLs.
-Ignore (i or q), nevermind, ignore this binary
Can ignore DLLs
Import Table Patching
AutoPatching
AutoPatching (-m automtic)
Onionduke (-m onionduke)
###ELF Files
......@@ -223,22 +223,38 @@ Sample Usage:
###Changelog
####7/17/2015
* Fix to correct early exit on gatherng PE info.
####08/12/2015
* Added 'replace' PATCH_METHOD - a straight PE copy pasta of the supplied binary
* More for usage with BDFProxy
Usage: ./backdoor.py -f weee.exe -m replace -b supplied_binary.exe
####7/06/2015
* Clean exit if text section name is mangled or out of order.
####08/11/2015
* Stability fix for auto cave selection for rare caves of overlap
####08/05/2015
* BH USA UPDATES, w00t!
* OnionDuke, use -m onionduke
* Supports user supplied exe's and dll's
* Usage: ./backdoor.py -f originalfile.exe -m onionduke -b pentest.dll/exe
* XP MODE = Prior IAT based payloads did not support XP, Wine, or Windows 98. If you need to support XP use the -X flag. I'm not supporting anything less than XP (and not XP x64).
* Invoke UAC prompt to runas as admin. *experimental* - patches the PE manifest if requestedExecutionLevel exists.
* Stability updates:
* Fixed a bug with incorrect RVA calculation jmp'ing across 2+ code caves
* Better checks to determine if a new section for the IAT will write into appended data and therefore fail
* Speed Improvements:
* Faster code cave finding while using *automatic* mode (-m automatic)
* Faster rsrc parsing to find manifest file
####5/01/2015
* Bug fix to the reverse_tcp_stager_threaded payload when using single caves payload
* Bug fix to the reverse_tcp_stager_threaded payload when using single caves payload
####4/28/2015
* Adding check for Bound Imports (PE files with bound imports will not be patched)
* Adding check for Bound Imports (PE files with bound imports will not be patched)
####4/14/2015
......@@ -275,7 +291,7 @@ breaks BDF.
Fixes to support cython capstone implementation null byte truncation issue
####12/27/201
####12/27/2014
Added payloadtests.py
@ECHO OFF
ECHO --- Building aPLib 16bit NASM depacker examples ---
ECHO.
call nasm deppack.nas -o deppack.com
call nasm depptiny.nas -o depptiny.com
;aPLib data decompressor for Apple II
;Peter Ferrie (peter.ferrie@gmail.com)
;assemble using ACME
;dst<src
!cpu 65c02
!to "aplib",plain
*=$800
init = 0 ;set to 1 if you know the values
hiunp = 0 ;unpacker entirely in high memory
hipak = 0 ;packed data entirely in high memory (requires hiunp)
!if init {
oep = $1234 ;first unpacked byte to run, you must set this by yourself
orgoff = $1234 ;offset of first unpacked byte, you must set this by yourself
}
!if hiunp {
hioff = $d000 ;address of unpacker in high memory, you can change this but leave room for packed data if hipak=1
!if hipak {
paksize = $1234 ;size of packed data, you must set this by yourself if hiunp=1
}
} else {
paksize = $1234 ;size of packed data, you must set this by yourself if hiunp=0
}
;unpacker variables, no need to change these
src = $0
dst = $2
ecx = $4
last = $6
tmp = $8
A1L = $3c
A1H = $3d
A2L = $3e
A2H = $3f
A4L = $42
A4H = $43
LCBANK2 = $c083
MOVE = $fe2c
!if init {
lda #>pakoff ;packed data offset
sta src+1
lda #<pakoff
sta src
lda #>orgoff ;original unpacked data offset
sta dst+1
!if (>(oep-1)=>orgoff) { ;oep = original entrypoint
pha
} else {
lda #>(oep-1)
pha
}
lda #<orgoff
sta dst
!if (<(oep-1)=<orgoff) {
pha
} else {
lda #<(oep-1)
pha
}
}
unpack ;unpacker entrypoint
ldx #$80
stz ecx+1
!if hiunp {
lda #>literal
sta A1H
lda #<literal
sta A1L
!if hipak {
lda #>pakoff+paksize ;packed data offset + packed data size
sta A2H
lda #<pakoff+paksize
sta A2L
} else {
lda #>pakoff
sta A2H
lda #<pakoff
sta A2L
}
lda #>hioff
sta A4H
lda #<hioff
sta A4L
jsr MOVE
lda LCBANK2
lda LCBANK2
rts
;*=$d000
} else {
jmp literal
pakoff
;place packed data here for low memory unpacking
*=pakoff+paksize
}
literal
jsr getput
ldy #2
nexttag
jsr getbit
bcc literal
jsr getbit
bcc codepair
jsr getbit
bcs onebyte
jsr getsrc
lsr
beq donedepacking
stz ecx
rol ecx
sta last
stz last+1
bra domatch_with_2inc
getbit
txa
asl
bne .stillbitsleft
jsr getsrc
rol
.stillbitsleft
tax
donedepacking
rts
onebyte
ldy #1
sty ecx
iny
lda #$10
.getmorebits
pha
jsr getbit
pla
rol
bcc .getmorebits
stz tmp+1
bne domatch
jsr putdst
linktag
bra nexttag
codepair
jsr getgamma
- jsr dececx
dey
bne -
tay
ora ecx+1
bne normalcodepair
jsr getgamma
bra domatch_lastpos
normalcodepair
dey
sty last+1
jsr getsrc
sta last
jsr getgamma
cpy #$7d
bcs domatch_with_2inc
cpy #5
bcs domatch_with_inc
lda last
bmi domatch_new_lastpos
tya
bne domatch_new_lastpos
domatch_with_2inc
inc ecx
bne domatch_with_inc
inc ecx+1
domatch_with_inc
inc ecx
bne domatch_new_lastpos
inc ecx+1
domatch_new_lastpos
domatch_lastpos
ldy #1
lda last+1
sta tmp+1
lda last
domatch
sta tmp
lda src+1
pha
lda src
pha
lda dst
sec
sbc tmp
sta src
lda dst+1
sbc tmp+1
sta src+1
- jsr getput
jsr dececx
ora ecx+1
bne -
pla
sta src
pla
sta src+1
bra linktag
getgamma
lda #1
sta ecx
stz ecx+1
.getgammaloop
jsr getbit
rol ecx
rol ecx+1
jsr getbit
bcs .getgammaloop
rts
dececx
lda ecx
bne +
dec ecx+1
+ dec
sta ecx
rts
getput
jsr getsrc
putdst
sta (dst)
inc dst
bne +
inc dst+1
+ rts
getsrc
lda (src)
inc src
bne +
inc src+1
+ rts
!if hiunp {
pakoff
;place packed data here for high memory unpacking
}
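Review bot: Neither depacker bounds what it writes: `putdst` stores through `(dst)` and advances the pointer for as many bytes as the tag stream requests, and `getsrc` reads `(src)` with no end-of-data check, so a corrupted or malformed packed stream steers the write pointer to arbitrary memory. Unlike the aPsafe_* routines there is no AP32 header, length or CRC to validate against, and the accompanying readme instructs stripping that header before use. Since this is inherent to the format on the 6502, the useful change is a comment at the `unpack` entry point, e.g. `;no bounds or CRC checks: the packed stream is trusted, only unpack data you packed yourself`. The same applies to the backwards variant in apsrcdst.s, whose `putdst` decrements `dst` before the store with the same lack of a limit.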
;aPLib data decompressor for Apple II
;Peter Ferrie (peter.ferrie@gmail.com)
;assemble using ACME
;src<dst
!cpu 65c02
!to "aplib",plain
*=$800
init = 0 ;set to 1 if you know the values
!if init {
oep = $1234 ;first unpacked byte to run, you must set this by yourself
orgoff = $1234 ;offset of first unpacked byte, you must set this by yourself
orgsize = $1234 ;size of unpacked data, you must set this by yourself
paksize = $1234 ;size of packed data, you must set this by yourself
}
;unpacker variables, no need to change these
src = $0
dst = $2
ecx = $4
last = $6
tmp = $8
!if init {
lda #>pakoff+paksize ;packed data offset + packed data size
sta src+1
lda #<pakoff+paksize
sta src
lda #>orgoff+orgsize ;original unpacked data offset + original unpacked size
sta dst+1
!if (>(oep-1)=>(orgoff+orgsize)) { ;oep = original entrypoint
pha
} else {
lda #>(oep-1)
pha
}
lda #<orgoff+orgsize
sta dst
lda #<(oep-1)
pha
}
unpack ;unpacker entrypoint
ldx #$80
stz ecx+1
literal
jsr getput
ldy #2
nexttag
jsr getbit
bcc literal
jsr getbit
bcc codepair
jsr getbit
bcs onebyte
jsr getsrc
lsr
beq donedepacking
stz ecx
rol ecx
sta last
stz last+1
bra domatch_with_2inc
getbit
txa
asl
bne .stillbitsleft
jsr getsrc
rol
.stillbitsleft
tax
donedepacking
rts
onebyte
ldy #1
sty ecx
iny
lda #$10
.getmorebits
pha
jsr getbit
pla
rol
bcc .getmorebits
stz tmp+1
bne domatch
jsr putdst
linktag
bra nexttag
codepair
jsr getgamma
- jsr dececx
dey
bne -
tay
ora ecx+1
bne normalcodepair
jsr getgamma
bra domatch_lastpos
normalcodepair
dey
sty last+1
jsr getsrc
sta last
jsr getgamma
cpy #$7d
bcs domatch_with_2inc
cpy #5
bcs domatch_with_inc
lda last
bmi domatch_new_lastpos
tya
bne domatch_new_lastpos
domatch_with_2inc
inc ecx
bne domatch_with_inc
inc ecx+1
domatch_with_inc
inc ecx
bne domatch_new_lastpos
inc ecx+1
domatch_new_lastpos
domatch_lastpos
ldy #1
lda last+1
sta tmp+1
lda last
domatch
sta tmp
lda src+1
pha
lda src
pha
lda dst
clc
adc tmp
sta src
lda dst+1
adc tmp+1
sta src+1
- jsr getput
jsr dececx
ora ecx+1
bne -
pla
sta src
pla
sta src+1
bra linktag
getgamma
lda #1
sta ecx
stz ecx+1
.getgammaloop
jsr getbit
rol ecx
rol ecx+1
jsr getbit
bcs .getgammaloop
rts
dececx
lda ecx
bne +
dec ecx+1
+ dec
sta ecx
rts
getput
jsr getsrc
putdst
pha
lda dst
bne +
dec dst+1
+ dec dst
pla
sta (dst)
rts
getsrc
lda src
bne +
dec src+1
+ dec src
lda (src)
rts
pakoff
;place packed data here
aPLib data decompressor for the Apple II by Peter Ferrie.
Two versions, depending on your unpacking needs.
apdstsrc.s is for when the unpacked address is lower in memory than the packed address (for example, if you load the packed data to the top of memory and want to unpack to the bottom of memory).
apsrcdst.s is for when the unpacked address is higher in memory than the packed address (for example, if you load the packed data to the bottom of memory and want to unpack to the top of memory).
Both versions support an option called "init". You can use this if you know both addresses and unpacked entrypoint at assemble-time. Sample initialisation code will be generated for you.
apdstsrc.s has more options:
hiunp: unpacker will be relocated to high memory ($d000 or higher) and run from there. It allows the unpacker code in low memory to be overwritten.
hipak: packed data will also be relocated to high memory. It allows the entire low memory to be used for unpacked data.
apsrcdst.s unpacks backwards in memory to maximise the amount that can be unpacked. Packed data must be stored backwards for this to work.
The src and dst can overlap up to the point of the last byte fetched by getbit.
appack.exe can be used to pack data on a PC, just remove the AP32 header (24 bytes), the rest is the packed data.
http://pferrie.host22.com
'// Simple demo using the aPLib compression library to compress and decompress a string buffer.
'
'// aPLib - a free, highly-refined C++/asm implementation of a pure LempelZiv LZ77-based lossless data compression library. See aPLib.inc for more info.
'// aPLib is Copyright (c) 1998-2014 Joergen Ibsen, All Rights Reserved. Website: http://www.ibsensoftware.com
'// Free to use for both commercial and non-commercial use. Please see the aPLib License in \aPLib\readme.txt
'
'// This demo uses the aPLib SAFE-version pack/depack functions.
'// Using the Safe pack function aPsafe_pack() prepends a 24-byte header to the compressed data, which not only makes the data safer to
'// decompress with aPsafe_depack() or aP_depack_asm_safe() in regards to their internal error-trapping, but also makes more info available:
' ADDR SIZE TYPE DATA
' 0 dword Const String "AP32" (dword &h41503332)
' 4 dword Const* Size of header (24 bytes in v1.1.0, dword &h18000000) *Size may change in future releases
' 8 dword Var Size of compressed data
' 12 dword Var CRC32 checksum of compressed data
' 16 dword Var Size of original data
' 20 dword Var CRC32 checksum original data
#COMPILE EXE
#INCLUDE "aPLib.inc"
%HEAP_NO_SERIALIZE = &h00000001 '// not used
%HEAP_GENERATE_EXCEPTIONS = &h00000004
%HEAP_ZERO_MEMORY = &h00000008
%HEAP_ALLOC_FLAGS = %HEAP_ZERO_MEMORY OR %HEAP_GENERATE_EXCEPTIONS
%HEAP_FREE_FLAGS = 0
DECLARE FUNCTION GetProcessHeap LIB "kernel32.dll" ALIAS "GetProcessHeap" () AS LONG
DECLARE FUNCTION HeapAlloc LIB "kernel32.dll" ALIAS "HeapAlloc" (BYVAL hHeap AS DWORD, BYVAL dwFlags AS DWORD, BYVAL dwBytes AS DWORD) AS DWORD
DECLARE FUNCTION HeapFree LIB "kernel32.dll" ALIAS "HeapFree" (BYVAL hHeap AS DWORD, BYVAL dwFlags AS DWORD, BYVAL lpMem AS DWORD) AS LONG
FUNCTION PBMAIN() AS LONG
LOCAL srcbuf AS STRING, workmem AS DWORD, dstbuf AS DWORD, srclen AS DWORD, packlen AS DWORD, depacklen AS DWORD
srcbuf = REPEAT$(100000, "ABC 12345 AAAAA") '// data to compress
srclen = LEN(srcbuf) '// length of data to compress
'// Allocate buffers
workmem = HeapAlloc (GetProcessHeap(), %HEAP_ALLOC_FLAGS, BYVAL aP_workmem_size(BYVAL srclen)) '// Temp working buffer
dstbuf = HeapAlloc (GetProcessHeap(), %HEAP_ALLOC_FLAGS, BYVAL aP_max_packed_size(BYVAL srclen)) '// Destination buffer for packed data
'// Compress srcbuf into dstbuf
packlen = aPsafe_pack (BYVAL STRPTR(srcbuf), BYVAL dstbuf, BYVAL srclen, BYVAL workmem, BYVAL 0, BYVAL 0)
HeapFree (GetProcessHeap(), %HEAP_FREE_FLAGS, workmem) '// Free temp working buffer
IF packlen = %APLIB_ERROR THEN
STDOUT "APLIB_ERROR"
ELSE
STDOUT "Compressed" & STR$(srclen) & " bytes down to" & STR$(packlen)
END IF
'// Decompress dstbuf back into srcbuf
depacklen = aPsafe_depack (BYVAL dstbuf, BYVAL packlen, BYVAL STRPTR(srcbuf), BYVAL srclen)
IF depacklen = %APLIB_ERROR THEN
STDOUT "APLIB_ERROR"
ELSE
STDOUT "Decompressed" & STR$(packlen) & " bytes back to" & STR$(depacklen)
END IF
HeapFree (GetProcessHeap(), %HEAP_FREE_FLAGS, dstbuf)
STDOUT "Done": WAITKEY$
END FUNCTION
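Review bot: The decompression step still runs when compression failed: after `IF packlen = %APLIB_ERROR THEN` only a message is printed, and `depacklen = aPsafe_depack (BYVAL dstbuf, BYVAL packlen, BYVAL STRPTR(srcbuf), BYVAL srclen)` is then called with that error value as the packed length. Add `HeapFree (GetProcessHeap(), %HEAP_FREE_FLAGS, dstbuf): EXIT FUNCTION` to the error branch (or move the depack call into the ELSE branch) so the error path never hands an invalid length to the depacker. The two HeapAlloc results are never tested either; presumably that is tolerated because %HEAP_GENERATE_EXCEPTIONS is part of %HEAP_ALLOC_FLAGS, which deserves a comment on those lines, e.g. `'// allocation failure raises an exception (HEAP_GENERATE_EXCEPTIONS), so no NULL check here`.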