Direct Syscalls and Sleep Obfuscate

[hipstertrojan]

Hi everyone,

first of all, thanks for the amazing tool.
I have seen the disclaimer that AV evasion is out of scope of this project. Does this also apply for the implementation of direct syscalls or a sleep obfuscate mechanism (like in Ekko/Foliage)? Or are there plans to implement these in the future?

Thanks a lot in advance.

[moloch--]

We already implement some direct syscalls, we may add more in the future --though typically these will be most effective to implement in your loader. Obfuscated sleep is complicated because of the go runtime, but we're open to ideas on how to implement it.

[hipstertrojan]

Thanks a lot for the quick answer. Is there an overview of the direct syscalls that have already been implemented? Or could you point me towards an instance in the code where these are implemented that I could get an idea how these look?

[moloch--]

https://github.com/C-Sto/BananaPhone

[moloch--]

I think* go-donut also uses direct syscalls in the loader but I'd have to go look.

[hipstertrojan]

Cool, thanks a lot!!

[scriptchildie]

I cant think of a sensible way to recreate ekko sleep obfuscation or similar but i wrote a small PoC on how to encrypt a function while the beacon is sleeping. Given the size of sliver though it would be a pain to implement.

Also reflect.ValueOf(toBEncrypted).Pointer() was pointing to the wrong address on go version go1.20.7 windows/amd64. All good on go1.21.0

mask.go

package main

import (
	"fmt"
	"time"
	"unsafe"

	"golang.org/x/sys/windows"
)

func encryptFunc(funcAddr uintptr, SleepTime uint32) error {

	fmt.Printf("[+] Encrypting function at address 0x%x\n", funcAddr)
	FuncLength := findAddrLength(funcAddr)

	var oldprotect uint32
	err := windows.VirtualProtect(funcAddr, uintptr(FuncLength), windows.PAGE_EXECUTE_READWRITE, &oldprotect)
	fmt.Printf("[+] Changing memory permissions to the memory region from 0x%x to 0x%x\n", oldprotect, windows.PAGE_EXECUTE_READWRITE)
	if err != nil {
		return fmt.Errorf("[Error] failed VirtualProtect: %v", err)
	}

	fmt.Println("[+] Encrypting memory region")
	xorFunc(funcAddr, FuncLength, 0xFF)

	fmt.Printf("[+] Sleeping for %d seconds\n", SleepTime)
	time.Sleep(time.Duration(SleepTime) * time.Second)

	fmt.Println("[+] Woke up")
	fmt.Println("[+] Decrypting memory region")
	xorFunc(funcAddr, FuncLength, 0xFF)

	fmt.Printf("[+] Restoring memory permissions of the memory region to 0x%x\n", oldprotect)
	err = windows.VirtualProtect(funcAddr, uintptr(FuncLength), oldprotect, &oldprotect)
	if err != nil {
		return fmt.Errorf("[Error] failed VirtualProtect: %v", err)
	}

	fmt.Println("[+] Success")
	//Success
	return nil
}

func findAddrLength(funcAddr uintptr) uint32 {
	var i uint32 = 0
	for {
		if *(*byte)(unsafe.Pointer(funcAddr + uintptr(i))) == 0xc3 {
			break
		}
		i++
	}
	return i
}

func xorFunc(funcAddr uintptr, funcLength uint32, key byte) { // Could be replaced with something fancy like SystemFunction032
	for i := uint32(0); i < funcLength; i++ {
		*(*byte)(unsafe.Pointer(funcAddr + uintptr(i))) = *(*byte)(unsafe.Pointer(funcAddr + uintptr(i))) ^ key
	}

}

main.go

package main

import (
	"fmt"
	"log"
	"reflect"
)

func main() {

	for {
		toBEncrypted()
		err := encryptFunc(reflect.ValueOf(toBEncrypted).Pointer(), 3) //encrypt function toBEncrypted(), sleep for 3 seconds , decrypt function
		if err != nil {
			log.Fatalf("%v", err)

		}
		toBEncrypted()
		fmt.Println("-----------------")
	}

}

// This function is encrypted during sleeping
func toBEncrypted() (uint32, error) {
	fmt.Println("is it working?")
	return 0, nil
}

[moloch--]

Don't you have to pause the go runtime? How do you ensure no goroutines execute code from the obfuscated region?

[scriptchildie]

In the example above I only obfuscated the bytes of the function toBEncrypted().

if it was ran as a goroutine it would panic but as long as it's not in use during the sleep period you should be good.

[moloch--]

Ahh okay, I see. Well with other recent changes in Go 1.21 we have a reliable way of moving a lot of code out of the main implant which should shrink the primary payload size and make something like this a bit more practical.

[parzel]

I implemented some basic runtime sleep and heap encryption (https://github.com/parzel/GoSleepyCrypt) but its necessary to call shellcode for it. I also suspend the go runtime in the PoC to prevent a panic. As its synchronous, not sure how it would fit best into sliver though.

[scriptchildie]

I believe I got Ekko to work properly using go.

In order to get the goroutines to work I suspend all processes before encrypting memory and I resume straight after decrypting

It would be interesting to see if it could be implemented on a larger project.

https://github.com/scriptchildie/goEkko

An obvious caveat. When the sleep obfuscation happens the go routines pause.

Original code in c:
https://github.com/Cracked5pider/Ekko