Patch win86/64 PE and linux86/64 binaries with shellcode. The goal of The Backdoor Factory is to patch executable binaries with user desired shellcode and continue normal execution of the binary prepatched state. Under a BSD 3 Clause License.
This is done by either appending a code cave or using existing code caves of the executable. This project includes several customized metasploit shellcodes. Plus a new shellcode loadliba_reverse_tcp: designed to bypass all the protections of EMET 4.1. Also, the user can provide their own shellcode for use.
This update provides the loadliba_reverse_tcp shellcode, stability fixes, and speed improvements.
Usage: backdoor.py [options] Options: -h, --help show this help message and exit -f FILE, --file=FILE File to backdoor -s SHELL, --shell=SHELL Payloads that are available for use. -H HOST, --hostip=HOST IP of the C2 for reverse connections -P PORT, --port=PORT The port to either connect back to for reverse shells or to listen on for bind shells -J, --cave_jumping Select this options if you want to use code cave jumping to further hide your shellcode in the binary. -a, --add_new_section Mandating that a new section be added to the exe (better success) but less av avoidance -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE User supplied shellcode, make sure that it matches the architecture that you are targeting. -c, --cave The cave flag will find code caves that can be used for stashing shellcode. This will print to all the code caves of a specific size.The -l flag can be use with this setting. -l SHELL_LEN, --shell_length=SHELL_LEN For use with -c to help find code caves of different sizes -o OUTPUT, --output-file=OUTPUT The backdoor output file -n NSECTION, --section=NSECTION New section name must be less than seven characters -d DIR, --directory=DIR This is the location of the files that you want to backdoor. You can make a directory of file backdooring faster by forcing the attaching of a codecave to the exe by using the -a setting. -w, --change_access This flag changes the section that houses the codecave to RWE. Sometimes this is necessary. Enabled by default. If disabled, the backdoor may fail. -i, --injector This command turns the backdoor factory in a hunt and shellcode inject type of mechinism. Edit the target settings in the injector module. -u SUFFIX, --suffix=SUFFIX For use with injector, places a suffix on the original file for easy recovery -D, --delete_original For use with injector module. This command deletes the original file. Not for use in production systems. *Author not responsible for stupid uses.* -O DISK_OFFSET, --disk_offset=DISK_OFFSET Starting point on disk offset, in bytes. Some authors want to obfuscate their on disk offset to avoid reverse engineering, if you find one of those files use this flag, after you find the offset. -S, --support_check To determine if the file is supported by BDF prior to backdooring the file. For use by itself or with verbose. This check happens automatically if the backdooring is attempted. -M, --cave-miner Future use, to help determine smallest shellcode possible in a PE file -q, --no_banner Kills the banner. -v, --verbose For debug information output. -T IMAGE_TYPE, --image-type=IMAGE_TYPE ALL, x32, or x64 type binaries only. Default=ALL -Z, --zero_cert Allows for the overwriting of the pointer to the PE certificate table effectively removing the certificate from the binary for all intents and purposes. -R, --runas_admin Checks the PE binaries for 'requestedExecutionLevel level="highestAvailable"'. If this string is included in the binary, it must run as system/admin. Doing this slows patching speed significantly. -L, --patch_dll Use this setting if you DON'T want to patch DLLs. Patches by default.
Can find all codecaves in an EXE/DLL. By default, clears the pointer to the PE certificate table, thereby unsigning a binary. Can inject shellcode into code caves or into a new section. Can find if a PE binary needs to run with elevated privileges. When selecting code caves, you can use the following commands: -Jump (j), for code cave jumping -Single (s), for patching all your shellcode into one cave -Append (a), for creating a code cave -Ignore (i), nevermind, ignore this binary Can ignore DLLs.
Extends 1000 bytes (in bytes) to the TEXT SEGMENT and injects shellcode into that section of code.
The user can : -Provide custom shellcode. -Patch a directory of executables/dlls. -Select x32 or x64 binaries to patch only. -Include BDF is other python projects see pebin.py and elfbin.py