add unicode DLL argument passing option for sideload Donut generator

BishopFox · Jul 31, 2022 · 3b821d1 · 3b821d1
1 parent 4e8e254
commit 3b821d1
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 5 deletions.
diff --git a/client/command/commands.go b/client/command/commands.go
@@ -1076,6 +1076,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 		Flags: func(f *grumble.Flags) {
 			f.String("e", "entry-point", "", "Entrypoint for the DLL (Windows only)")
 			f.String("p", "process", `c:\windows\system32\notepad.exe`, "Path to process to host the shellcode")
+			f.Bool("w", "unicode", false, "Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)")
 			f.Bool("s", "save", false, "save output to file")
 			f.Bool("X", "loot", false, "save output as loot")
 			f.String("n", "name", "", "name to assign loot (optional)")

diff --git a/client/command/exec/sideload.go b/client/command/exec/sideload.go
@@ -61,6 +61,7 @@ func SideloadCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		ProcessName: processName,
 		Kill:        !ctx.Flags.Bool("keep-alive"),
 		IsDLL:       isDLL,
+		IsUnicode:   ctx.Flags.Bool("unicode"),
 	})
 	ctrl <- true
 	<-ctrl

diff --git a/protobuf/sliverpb/sliver.pb.go b/protobuf/sliverpb/sliver.pb.go
diff --git a/protobuf/sliverpb/sliver.proto b/protobuf/sliverpb/sliver.proto
@@ -434,6 +434,7 @@ message SideloadReq {
   string EntryPoint = 4;
   bool Kill = 5;
   bool isDLL = 6;
+  bool isUnicode = 7;
 
   commonpb.Request Request = 9;
 }

diff --git a/server/generate/donut.go b/server/generate/donut.go
@@ -16,15 +16,19 @@ func DonutShellcodeFromFile(filePath string, arch string, dotnet bool, params st
 		return
 	}
 	isDLL := (filepath.Ext(filePath) == ".dll")
-	return DonutShellcodeFromPE(pe, arch, dotnet, params, className, method, isDLL)
+	return DonutShellcodeFromPE(pe, arch, dotnet, params, className, method, isDLL, false)
 }
 
 // DonutShellcodeFromPE returns a Donut shellcode for the given PE file
-func DonutShellcodeFromPE(pe []byte, arch string, dotnet bool, params string, className string, method string, isDLL bool) (data []byte, err error) {
+func DonutShellcodeFromPE(pe []byte, arch string, dotnet bool, params string, className string, method string, isDLL bool, isUnicode bool) (data []byte, err error) {
 	ext := ".exe"
 	if isDLL {
 		ext = ".dll"
 	}
+	var isUnicodeVar uint32
+	if isUnicode {
+	   isUnicodeVar = 1
+	}
 	donutArch := getDonutArch(arch)
 	// We don't use DonutConfig.Thread = 1 because we create our own remote thread
 	// in the task runner, and we're doing some housekeeping on it.
@@ -44,7 +48,7 @@ func DonutShellcodeFromPE(pe []byte, arch string, dotnet bool, params string, cl
 		Entropy:    0,         // 1=disable, 2=use random names, 3=random names + symmetric encryption (default)
 		Compress:   uint32(1), // 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman
 		ExitOpt:    1,         // exit thread
-		Unicode:    0,
+		Unicode:    isUnicodeVar,
 	}
 	return getDonut(pe, &config)
 }

diff --git a/server/rpc/rpc-tasks.go b/server/rpc/rpc-tasks.go
@@ -175,7 +175,7 @@ func (rpc *Server) Sideload(ctx context.Context, req *sliverpb.SideloadReq) (*sl
 	}
 
 	if getOS(session, beacon) == "windows" {
-		shellcode, err := generate.DonutShellcodeFromPE(req.Data, arch, false, req.Args, "", req.EntryPoint, req.IsDLL)
+		shellcode, err := generate.DonutShellcodeFromPE(req.Data, arch, false, req.Args, "", req.EntryPoint, req.IsDLL, req.IsUnicode)
 		if err != nil {
 			tasksLog.Errorf("Sideload failed: %s", err)
 			return nil, err
@@ -268,7 +268,7 @@ func getSliverShellcode(name string) ([]byte, error) {
 		if err != nil {
 			return data, err
 		}
-		data, err = generate.DonutShellcodeFromPE(fileData, build.ImplantConfig.GOARCH, false, "", "", "", false)
+		data, err = generate.DonutShellcodeFromPE(fileData, build.ImplantConfig.GOARCH, false, "", "", "", false, false)
 		if err != nil {
 			rpcLog.Errorf("DonutShellcodeFromPE error: %v\n", err)
 			return data, err