
How to use the spawndll function

1n7erface opened this issue 1 year ago • 4 comments

Sorry, I have carefully read the methods for using spawndll in the wiki, but I cannot find a solution. When I am using the CNA script in Cobalt Strike, its content is shown below. [image] I understand the meaning of this script, but I cannot find parameters that can achieve the same effect in Sliver's spawndll module. It can load the DLL and the shellcode to generate a new session. Can the developer help me complete this function in Sliver and provide a use case? I look forward to your reply. Thank you.

1n7erface avatar Mar 21 '23 09:03 1n7erface

From help spawndll:

[server] sliver > help spawndll

Command: spawndll <options> <filepath to DLL> [entrypoint arguments]
About: Load and execute a Reflective DLL in memory in a remote process.

--process - Process to inject into.
--export - Name of the export to call (default: ReflectiveLoader)


Usage:
======
  spawndll [flags] filepath [arguments...]

Args:
=====
  filepath   string         path the DLL file
  arguments  string list    arguments to pass to the DLL entrypoint (default: [])

Flags:
======
  -e, --export            string    Entrypoint of the Reflective DLL (default: ReflectiveLoader)
  -h, --help                        display help
  -k, --keep-alive                  don't terminate host process once the execution completes
  -X, --loot                        save output as loot
  -n, --name              string    name to assign loot (optional)
  -P, --ppid              uint      parent process id (optional) (default: 0)
  -p, --process           string    Path to process to host the shellcode (default: c:\windows\system32\notepad.exe)
  -A, --process-arguments string    arguments to pass to the hosting process
  -s, --save                        save output to file
  -t, --timeout           int       command timeout in seconds (default: 60)

My understanding is that this CNA creates a new payload, referenced as $stager, and passes that as an argument to the reflective DLL. We don't really support that kind of argument for spawndll, only strings at the moment (char * to be precise). So if you find a way to encode your payload as a string, you can pass that as an argument to spawndll /path/to/reflective-dll.dll YOUR_ARG_HERE.

rkervella avatar Mar 22 '23 18:03 rkervella

I haven't found a way to encode your payload as a string, and I think it's very difficult. So this is exactly the question I want to ask: can Sliver take the payload as a parameter of spawndll, like bdllspawn in Cobalt Strike?

1n7erface avatar Mar 27 '23 16:03 1n7erface

Will this be supported in sliver in future versions?

1n7erface avatar Mar 27 '23 16:03 1n7erface

Possibly, yes, it shouldn't be technically difficult to implement. I can't provide you with an estimate, as we're currently pretty busy with other stuff.

rkervella avatar Mar 27 '23 17:03 rkervella