Customizing implant build

[rwhitcroft]

Hope this is the right spot to ask.

I'm trying to figure out how to (manually) build an implant binary but with certain features disabled. Some prelim testing suggests Defender is triggering on some of the DNS-related strings in the implant binary. (I could very well be totally wrong here, still want to test though.)

For example:

implant/sliver/transports/dnsclient/dnsclient.go:// {{if .Config.DNSc2Enabled}}
implant/sliver/transports/dnsclient/dnsclient.go:// {{end}} -DNSc2Enabled

Where do I set the DNSc2Enabled flag when compiling?

Thanks!

[moloch--]

The implant code is actually Golang text/template's which are rendered prior to compiling. To compile manually you'll need to render the templates. All the template parameters are stored in the Implant Config object, there's a database model and a protobuf version of this object. The DNSc2Enabled boolean will be set to true if you specified a --dns C2 endpoint as part of the generate command.

The two easiest ways to mess with the implant code:

1. Copy the main Sliver repo, modify the code and recompile the server. This will mean that generate will generate implants with the new modified code (implant code is embedded in the server at compile time).

2. An alternative but slightly less convenient way would be to modify the already generated the code. Generated code for each implant is saved to ~/.sliver/slivers/<os>/<arch>/<name>, which you can modify an recompile. The generated code will also contain things like the cryptographic keys for the implant. The original compiler commands will be in the sliver.log file, which may take some coaxing as we also use various env variables when compiling.