Merge pull request #1215 from BishopFox/protobuf-xor

Implant protobuf update
BishopFox · Apr 27, 2023 · 649960a · 649960a
2 parents 651587c + 7c33022
commit 649960a
Show file tree

Hide file tree

Showing 7 changed files with 242 additions and 25 deletions.
diff --git a/protobuf/clientpb/client.pb.go b/protobuf/clientpb/client.pb.go
diff --git a/protobuf/commonpb/common.pb.go b/protobuf/commonpb/common.pb.go
diff --git a/protobuf/dnspb/dns.pb.go b/protobuf/dnspb/dns.pb.go
diff --git a/protobuf/rpcpb/services.pb.go b/protobuf/rpcpb/services.pb.go
diff --git a/protobuf/rpcpb/services_grpc.pb.go b/protobuf/rpcpb/services_grpc.pb.go
diff --git a/protobuf/sliverpb/sliver.pb.go b/protobuf/sliverpb/sliver.pb.go
diff --git a/server/assets/assets.go b/server/assets/assets.go
@@ -21,8 +21,13 @@ package assets
 import (
 	"archive/zip"
 	"bytes"
+	"encoding/hex"
 	"errors"
 	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/printer"
+	"go/token"
 	"io"
 	insecureRand "math/rand"
 	"os"
@@ -256,6 +261,7 @@ func SetupGoPath(goPathSrc string) error {
 		setupLog.Info("Static asset not found: constants.go")
 		return err
 	}
+	sliverpbGoSrc = xorPBRawBytes(sliverpbGoSrc)
 	sliverpbGoSrc = stripSliverpb(sliverpbGoSrc)
 	sliverpbDir := filepath.Join(goPathSrc, "github.com", "bishopfox", "sliver", "protobuf", "sliverpb")
 	os.MkdirAll(sliverpbDir, 0700)
@@ -268,6 +274,7 @@ func SetupGoPath(goPathSrc string) error {
 		setupLog.Info("Static asset not found: common.pb.go")
 		return err
 	}
+	commonpbSrc = xorPBRawBytes(commonpbSrc)
 	commonpbDir := filepath.Join(goPathSrc, "github.com", "bishopfox", "sliver", "protobuf", "commonpb")
 	os.MkdirAll(commonpbDir, 0700)
 	os.WriteFile(filepath.Join(commonpbDir, "common.pb.go"), commonpbSrc, 0600)
@@ -278,6 +285,7 @@ func SetupGoPath(goPathSrc string) error {
 		setupLog.Info("Static asset not found: dns.pb.go")
 		return err
 	}
+	dnspbSrc = xorPBRawBytes(dnspbSrc)
 	dnspbDir := filepath.Join(goPathSrc, "github.com", "bishopfox", "sliver", "protobuf", "dnspb")
 	os.MkdirAll(dnspbDir, 0700)
 	os.WriteFile(filepath.Join(dnspbDir, "dns.pb.go"), dnspbSrc, 0600)
@@ -306,6 +314,208 @@ func stripSliverpb(src []byte) []byte {
 	return out
 }
 
+func xorPBRawBytes(src []byte) []byte {
+	var (
+		fileAst                   *ast.File
+		err                       error
+		sliverpbVarName           = "file_sliverpb_sliver_proto_rawDesc"
+		sliverPbProtoInitFuncName = "file_sliverpb_sliver_proto_init"
+		fset                      = token.NewFileSet()
+		parserMode                = parser.ParseComments
+	)
+	fileAst, err = parser.ParseFile(fset, "", src, parserMode)
+	if err != nil {
+		// Panic because this is mandatory for the agent to work
+		panic(err)
+	}
+	var xorKey [8]byte
+	// generate random xor key
+	if _, err := insecureRand.Read(xorKey[:]); err != nil {
+		// Panic because this is mandatory for the agent to work
+		panic(err)
+	}
+
+	ast.Inspect(fileAst, func(n ast.Node) bool {
+		switch node := n.(type) {
+		// Look for the protobuf init function and decode the XORed
+		// data at the top of the function
+		case *ast.FuncDecl:
+			// add an ast.AssignStmt at the top of the function Body
+			// that calls the xor function on the file_sliverpb_sliver_proto_rawDesc object
+			if node.Name.Name == sliverPbProtoInitFuncName {
+				newStmt := &ast.AssignStmt{
+					Lhs: []ast.Expr{
+						ast.NewIdent(sliverpbVarName),
+					},
+					Tok: token.ASSIGN,
+					Rhs: []ast.Expr{
+						&ast.CallExpr{
+							Fun: ast.NewIdent("xor"),
+							Args: []ast.Expr{
+								ast.NewIdent(sliverpbVarName),
+								ast.NewIdent("xorKey"),
+							},
+						},
+					},
+				}
+				node.Body.List = append([]ast.Stmt{newStmt}, node.Body.List...)
+			}
+
+		// Look for the protobuf rawDesc variable and XOR each byte
+		case *ast.GenDecl:
+			for _, spec := range node.Specs {
+				switch spec := spec.(type) {
+				case *ast.ValueSpec:
+					for _, id := range spec.Names {
+						if id.Name == sliverpbVarName {
+							values := spec.Values[0].(*ast.CompositeLit).Elts
+							// XOR each value of the slice
+							for i, v := range values {
+								elt := v.(*ast.BasicLit)
+								elt.Value = xorByte(elt.Value, xorKey[i%len(xorKey)])
+							}
+
+						}
+					}
+				default:
+				}
+			}
+		default:
+		}
+		return true
+	})
+
+	// Add the XOR function to the AST
+	fileAst.Decls = append(fileAst.Decls, ast.Decl(&ast.FuncDecl{
+		Name: ast.NewIdent("xor"),
+		Type: &ast.FuncType{
+			Params: &ast.FieldList{
+				List: []*ast.Field{
+					{
+						Names: []*ast.Ident{ast.NewIdent("input")},
+						Type:  ast.NewIdent("[]byte"),
+					},
+					{
+						Names: []*ast.Ident{ast.NewIdent("key")},
+						Type:  ast.NewIdent("[]byte"),
+					},
+				},
+			},
+			Results: &ast.FieldList{
+				List: []*ast.Field{
+					{
+						Type: ast.NewIdent("[]byte"),
+					},
+				},
+			},
+		},
+		Body: &ast.BlockStmt{
+			List: []ast.Stmt{
+				&ast.AssignStmt{
+					Lhs: []ast.Expr{
+						ast.NewIdent("out"),
+					},
+					Tok: token.DEFINE,
+					Rhs: []ast.Expr{
+						&ast.CallExpr{
+							Fun: ast.NewIdent("make"),
+							Args: []ast.Expr{
+								&ast.ArrayType{
+									Elt: ast.NewIdent("byte"),
+								},
+								&ast.CallExpr{
+									Fun: ast.NewIdent("len"),
+									Args: []ast.Expr{
+										ast.NewIdent("input"),
+									},
+								},
+							},
+						},
+					},
+				},
+				&ast.RangeStmt{
+					Key:   ast.NewIdent("i"),
+					Value: ast.NewIdent("_"),
+					Tok:   token.DEFINE,
+					X:     ast.NewIdent("input"),
+					Body: &ast.BlockStmt{
+						List: []ast.Stmt{
+							&ast.AssignStmt{
+								Lhs: []ast.Expr{
+									&ast.IndexExpr{
+										X:     ast.NewIdent("out"),
+										Index: ast.NewIdent("i"),
+									},
+								},
+								Tok: token.ASSIGN,
+								Rhs: []ast.Expr{
+									&ast.BinaryExpr{
+										X: &ast.IndexExpr{
+											X:     ast.NewIdent("input"),
+											Index: ast.NewIdent("i"),
+										},
+										Op: token.XOR,
+										Y: &ast.IndexExpr{
+											X: ast.NewIdent("key"),
+											Index: &ast.BinaryExpr{
+												X: &ast.Ident{
+													Name: "i",
+												},
+												Op: token.REM,
+												Y: &ast.CallExpr{
+													Fun: ast.NewIdent("len"),
+													Args: []ast.Expr{
+														ast.NewIdent("key"),
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				&ast.ReturnStmt{
+					Results: []ast.Expr{
+						ast.NewIdent("out"),
+					},
+				},
+			},
+		},
+	}))
+
+	xorTokens := make([]ast.Expr, len(xorKey))
+	// map xorKey to a slice of ast.BasicLit
+	for i, b := range xorKey {
+		xorTokens[i] = &ast.BasicLit{
+			Kind:  token.INT,
+			Value: fmt.Sprintf("0x%x", b),
+		}
+	}
+
+	// add the global xorKey variable to the AST
+	fileAst.Decls = append(fileAst.Decls, ast.Decl(&ast.GenDecl{
+		Tok: token.VAR,
+		Specs: []ast.Spec{
+			&ast.ValueSpec{
+				Names: []*ast.Ident{ast.NewIdent("xorKey")},
+				Values: []ast.Expr{
+					&ast.CompositeLit{
+						Type: ast.NewIdent("[]byte"),
+						Elts: xorTokens,
+					},
+				},
+			},
+		},
+	}))
+
+	outBuff := bytes.Buffer{}
+	// Render the AST as Go code
+	printer.Fprint(&outBuff, fset, fileAst)
+	return outBuff.Bytes()
+}
+
 func setupCodenames(appDir string) error {
 	nouns, err := assetsFs.ReadFile("fs/nouns.txt")
 	if err != nil {
@@ -426,3 +636,18 @@ func pseudoRandStringRunes(n int) string {
 	}
 	return string(b)
 }
+
+func xorByte(raw string, key byte) string {
+	// strip 0x
+	raw = raw[2:]
+	if len(raw) == 1 {
+		// Because we got `0x8` at some point
+		raw = fmt.Sprintf("0%s", raw)
+	}
+	hexByte, err := hex.DecodeString(raw)
+	if err != nil {
+		panic(err)
+	}
+	newByte := hex.EncodeToString([]byte{hexByte[0] ^ key})
+	return fmt.Sprintf("0x%s", newByte)
+}