Unobfuscated strings in binary #1760
Comments
|
This is a known issue. Still not sure if it's a regression in Garble or if something changed in the protobuf library, or a bit of both. Either way, Garble is not picking up the protobuf methods, which makes for easy signatures to be built. |
|
At least the DNS ones are gone, not sure why these are showing up. |
|
These are on most of the Yara rules on GitHub for sliver. I just did a dirty find and replace on the strings to get around the rules. |
|
several Defender AV signatures detecting these strings. Any workaround? Are those above all the strings get detected? |
|
We've been toying with custom AST obfuscation for the protobuf some of it is merged into v1.6 but it's slow going and lesnuages and I have less time to work on Sliver these days so no ETA on a comprehensive fix. |
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Unobfuscated strings are found in the Sliver binary and in memory
Desktop (please complete the following information):
Additional context
The strings identified were:
Matched String: ").RequestResend"
Matched String: ").GetPrivInfo"
Matched String: "B/Z-github.com/bishopfox/sliver/protobuf/sliverpbb" ascii fullword
Matched String: "InvokeSpawnDllReq" ascii fullword
Matched String: "NetstatReq" ascii fullword
Matched String: "HTTPSessionInit" ascii fullword
Matched String: "ScreenshotReq" ascii fullword
Matched String: "RegistryReadReq" ascii fullword
The text was updated successfully, but these errors were encountered: