Run on load not working

[jrozner]

Describe the bug
Generating an implant and specify -R or --run-on-load does not seem to actually produce a dll with a DllMain that calls StartW. Dumping symbols I didn't see it there and it's definitely not connecting back. If I manually call StartW it seems to work.

Expected behavior
Loading the DLL should cause the implant to trigger

[jrozner]

It looks like the rendering logic is broken. The conditional https://github.com/BishopFox/sliver/blob/master/implant/sliver/sliver.c#L23-L26 must be failing for some reasons because even with -R or --run-on-load it is being left out which would explain why it's not working. I haven't had a chance to determine if the flag isn't being parsed correctly or if it's making it across the RPC service. I also saw https://github.com/BishopFox/sliver/blob/master/implant/sliver/sliver.h#L4 that RunSliver has a forward declaration but there's no actual definition. Using RunDll32 implant.dll,Start and RunDll32 implant.dll,StartW both work. I'm assuming RunSliver is from an older version and was changed to StartW.

[rkervella]

How are you running the DLL?

[rkervella]

I'm unable to reproduce the issue on master. For test purposes, I'm loading the library using this piece of code:

#include <iostream>
#include <Windows.h>

int main(int argc, char* argv[])
{
    if (argc != 2) {
        std::cerr << "Missing lib path" << std::endl;
        return 1;
    }
    std::cout << "Loading " << argv[1] << std::endl;
    HMODULE mod = LoadLibraryA(argv[1]);
    std::cout << "Loaded " << argv[1] << ", now sleeping 30s ..." << std::endl;
    Sleep(30000);
    std::cout << "Done!" << std::endl;
    return 0;
}

Implant was generated with this command:

generate --mtls myhost.local --run-at-load --format shared

[rkervella]

It looks like the rendering logic is broken. The conditional https://github.com/BishopFox/sliver/blob/master/implant/sliver/sliver.c#L23-L26 must be failing for some reasons because even with -R or --run-on-load it is being left out which would explain why it's not working. I haven't had a chance to determine if the flag isn't being parsed correctly or if it's making it across the RPC service. I also saw https://github.com/BishopFox/sliver/blob/master/implant/sliver/sliver.h#L4 that RunSliver has a forward declaration but there's no actual definition. Using RunDll32 implant.dll,Start and RunDll32 implant.dll,StartW both work. I'm assuming RunSliver is from an older version and was changed to StartW.

The code is working as intended. DllMain calls CreateThread using Start as the function to run as a thread, and Start calls StartW. StartW is exported from the Go code. RunSliver is a leftover artifact from the old days that we should remove, but isn't used anywhere anymore.

[jrozner]

When I looked at the generated code it was missing all the parts that were in the conditional block. I didn't test against master but I should have some time this weekend to give it a shot and see if it's fixed there. Also, I think I generated it from a profile. Not sure if that makes any difference.

[rkervella]

Coming from a profile shouldn't make a difference. If it does it's a bug.