Possible issue with dynamic code generation/compile-time obfuscation

[Mister-Joe]

Describe the bug
Windows Defender has established a signature for Sliver binaries, but Sliver is described as having dynamic code generation & compile-time obfuscation capabilities. AV evasion is out of scope for this project, but considering Sliver binaries are being detected based on a static signature, it might be an in-scope issue.

To Reproduce
Steps to reproduce the behavior:

1. generate beacon --http
2. generate beacon --mtls
3. Run generated binaries through ThreatCheck (https://github.com/rasta-mouse/ThreatCheck)
4. See signature

Expected behavior
Generated binaries should evade static analysis.

Screenshots

Desktop (please complete the following information):

• OS: Windows
• Version 19044

Additional context

The functions in question all seem to be DNS related. File: sliver.pb.go around line 5000.

[moloch--]

Obfuscation is incomplete, this is a known issue. However, the obfuscator is also always improving! Presently, the obfuscation is intended to complicate automated analysis, not manual analysis in creating static signatures.

[rkervella]

What version of Sliver are you using?

[rkervella]

Looks like something's changed in the protobuf package and a bunch of new symbols/strings are added now. I'll have a look.

[Mister-Joe]

Hi @rkervella I am using v1.5.24. Thanks for looking into this!

[rkervella]

Ran a few tests, looks like garble is missing out a bunch of stuff on the protobuf generated files. Probably due to an update in either Go, Garble (regression?) or the protobuf package itself. Not sure what we can do at this point apart from pinging mvdan.

[moloch--]

Let me fix the garble unit tests before we invest more time.

[rkervella]

Let me fix the garble unit tests before we invest more time.

I already tested with upstream Garble, no difference.

[moloch--]

We should file a ticket with upstream Garble then while we sort out the details.

[moloch--]

#916

[Mister-Joe]

Does not look like this has been fixed yet @moloch-- . Was it supposed to be resolved after the latest update? Tested on v1.5.29. generate beacon --http 127.0.0.1

[moloch--]

Ah okay, at this point it's an upstream garble issue (I think these are pb struct json annotations not strings), though we may be able to do an ad-hoc patch.

[moloch--]

Reflections is a known limitation of the obfuscator though, so not sure there's much we can do.

[moloch--]

@rkervella do you think we can strip these?

[rkervella]

No, it's a garble issue. These are not annotations in the protobuf, but the types and function names, so we can't really replace them after code generation (or we'll end up the goobfuscate route again).

[moloch--]

Okay we'll have to file a bug with garble.

[moloch--]

#1215