
Armory commands return no output

Open karlmax1342 opened this issue 11 months ago • 7 comments

Describe the bug When I try to use extensions from the armory on active windows sessions, I receive no output, no matter the extension or argument.

I am on version 1.6.0 and built from source. The armory commands work when I use 1.5.4.

To Reproduce Steps to reproduce the behavior:

  1. start sliver server in daemon mode, connect client on localhost
  2. armory install seatbelt
  3. connect to open windows session
  4. seatbelt -- -groups=system

Expected behavior Seatbelt returns an ascii banner and info about the system

Screenshots: `[*] seatabelt output:` and nothing else

Desktop (please complete the following information):

  - pentoo linux

karlmax1342 avatar Jan 25 '25 21:01 karlmax1342

I'm just here to help the devs at my level. I'm facing the same problem and I've had a look; the problem seems to come from go/donut in binject.

When you activate debug mode in the implant, you see that access is denied and the command to stop a sacrificial process doesn't work, simply because the process died before receiving the command, because it wasn't loaded. And I thought of the execute-assembly loader, but the whole loading process seemed to be working fine, and that's when I thought of donut, because it seems to me that it's activated by default and hard-coded.

In short, the temporary solution is to return to the previous functional state of go/donut, in particular to the following state. I tried it quickly, so let's see if it works for everyone. You can use the master version at the time of this message and change the 2 go/donut x64 and x86 files in this commit. here

Oni-kuki avatar Feb 03 '25 03:02 Oni-kuki

Most likely it's the AMSI bypass being detected. seatbelt -M -i -- -groups=system Does this work? Does Defender kill the process?

omair2084 avatar Feb 04 '25 01:02 omair2084

I did several tests before publishing my message, and what I can say is that even with Windows security turned off I don't get the output. Indeed, with --in-process it works, and I thought of the same thing: AMSI kills us even before the answer. But I also tried to put the recent version of the donut loader on Sliver 1.5.42, and well, same worries: no output on functions based on execute-assembly.

Oni-kuki avatar Feb 04 '25 14:02 Oni-kuki

Could it be related to this: https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/ ?

c2biz avatar Feb 04 '25 15:02 c2biz

> I did several tests before publishing my message, and what I can say is that even with Windows security turned off I don't get the output. Indeed, with --in-process it works, and I thought of the same thing: AMSI kills us even before the answer. But I also tried to put the recent version of the donut loader on Sliver 1.5.42, and well, same worries: no output on functions based on execute-assembly.

I believe there are two different places AMSI is used, one which donut uses (loader stub) and the other which execute-assembly uses. One seems to be detected and flagged, the donut one seems to fail silently or is not present in the newer loader stub.

> Could it be related to this: https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/ ?

Since I am not using 24h2, it shouldn't be the case.

omair2084 avatar Feb 04 '25 17:02 omair2084

Having the same issue. In-process does work, but the injection seems to be broken within go-clr or execute-assembly. The injection BOFs from the armory do work though.

cmprmsd avatar Oct 29 '25 10:10 cmprmsd

I worked on something at that time to make it possible to use the gonut stubs from 1.6 on version 1.5, in order to create an external server to compile implants with the obfuscation of version 1.6 while retaining the proper obfuscation and functionality of version 1.5 for everything related to execute-assembly. The project should still work; if that helps you, great, but it does more than that: you can fully obfuscate Sliver relative to the YARA rules I referenced in the Git repo. I wrote this over a year ago; I recently saw that someone had the same idea but did it manually (they were more drastic and stopped using gonut), and another person did the same thing as me but for Mimikatz. I'll probably integrate this into my project in the near future, I hope.

https://github.com/Oni-kuki/Tape

Oni-kuki avatar Nov 02 '25 17:11 Oni-kuki