{"id":2548,"date":"2023-10-24T11:54:58","date_gmt":"2023-10-24T09:54:58","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=2548"},"modified":"2025-09-15T13:24:23","modified_gmt":"2025-09-15T13:24:23","slug":"customizing-sliver-part-3","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/customizing-sliver-part-3\/","title":{"rendered":"Customizing Sliver – Part 3"},"content":{"rendered":"

In this third and final post in the series<\/a> about Sliver C2<\/a> I\u2019ll provide a tutorial for creating a simple command, named helloworld<\/em>, that will take some parameters in input, send them to the implant, and then print back a string coming from the implant. You can find the full code<\/strong>\u00a0implementing the helloworld<\/em> command here<\/a> at the branch hello_world <\/strong>of my fork of Sliver.<\/p>\n

Creating the Hello World command<\/h2>\n

The process for creating the command can be split in three phases:<\/p>\n

    \n
  1. Define protobuf messages for server, client, and implant in sliver.proto\/client.proto and the rpc functions inside services.proto.<\/li>\n
  2. Develop\/debug the interaction betweeen client-side command and server handler.<\/li>\n
  3. Develop the implant handler and debug all the flow.<\/li>\n<\/ol>\n

    Defining protobuf messages<\/h3>\n

    First of all, we need to define the format of requests and responses that will be exchanged during client-server interaction and server-implant interaction, and the gRPC function for client-server communication.<\/p>\n

    Here are the definitions in sliver.proto and services.proto:<\/p>\n

    sliver.proto\r\n...\r\n...\r\nmessage HelloWorldReq {\r\n  string param1 = 1;\r\n  uint32 param2 = 2;\r\n  bool param3 = 3;\r\ncommonpb.Request Request = 9;\r\n}\r\nmessage HelloWorld {\r\n  string output = 1;\r\n  commonpb.Response Response = 9;\r\n}\r\n...\r\n...\r\n-------------------------------------------\r\nservices.proto\r\n...\r\n...\r\n\/\/ *** Hello World ***\r\nrpc HelloWorld(sliverpb.HelloWorldReq) returns (sliverpb.HelloWorld);<\/pre>\n
    The request is HelloWorldReq<\/strong> and contains a string, a uint32, and a boolean field. In addition, it embeds commonpb.Request as all the other request messages in the file.<\/p>\n
    The response is HelloWorld <\/strong>and contains just a string. In addition it embeds commonpb.Response as all the other response messages in the file.<\/p>\n
    You can give a look at the other messages in order to find more field types that you can embed in your messages.<\/p>\n
    Finally, in services.proto we defined the gRPC function HelloWorld<\/strong> that takes as input a sliverpb.HelloWorldReq<\/strong> message and returns a sliverpb.HelloWorld<\/strong> message, the ones defined in sliverpb.proto.<\/p>\n
    Now, run the command make pb<\/em> in a terminal under the sliver main folder:<\/p>\n
    \n
    \n
    \u250c\u2500\u2500(kali\u327fkali)-[~\/sliver]\r\n\u2514\u2500$\u00a0make\u00a0pb\r\nprotoc\u00a0-I\u00a0protobuf\/\u00a0protobuf\/commonpb\/common.proto\u00a0--go_out=paths=source_relative:protobuf\/\r\nprotoc\u00a0-I\u00a0protobuf\/\u00a0protobuf\/sliverpb\/sliver.proto\u00a0--go_out=paths=source_relative:protobuf\/\r\nprotoc\u00a0-I\u00a0protobuf\/\u00a0protobuf\/clientpb\/client.proto\u00a0--go_out=paths=source_relative:protobuf\/\r\nprotoc\u00a0-I\u00a0protobuf\/\u00a0protobuf\/dnspb\/dns.proto\u00a0--go_out=paths=source_relative:protobuf\/\r\nprotoc\u00a0-I\u00a0protobuf\/\u00a0protobuf\/rpcpb\/services.proto\u00a0--go_out=paths=source_relative:protobuf\/\u00a0--go-grpc_out=protobuf\/\u00a0--go-grpc_opt=paths=source_relative\u00a0\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/sliver]\r\n\u2514\u2500$<\/pre>\n
    This is going to rebuild all the go files under the protobuf folder such as sliver.pb.go, client.pb.go, and so on. By now they contain the go struct and functions corresponding to messages and gRPC functions previously defined. You can browse to protobuf\/sliver.pb.go <\/strong>in order to notice that now a HelloWorldReq struct<\/strong> is present with associated methods.<\/p>\n<\/div>\n<\/div>\n
    \n
    \"\"
    The sliver.pb.go file containing HelloWorldReq<\/figcaption><\/figure><\/figure>\n
    Developing the client-side command<\/h3>\n
    Here we are going to define a new HelloWorld command in the client component of the framework. First, we need to add the command definition in client\/command\/sliver.go<\/a>. Here’s the definition I\u2019ve written:<\/p>\n
    \/\/ [ Hello World] ------------------------------------------\r\n  helloWorldCmd := &cobra.Command{\r\n   Use:   consts.HelloWorldStr,\r\n   Short: \"Hello World command\",\r\n   Long:  help.GetHelpFor([]string{consts.HelloWorldStr}),\r\n   Args:  cobra.ExactArgs(1),\r\n   Run: func(cmd *cobra.Command, args []string) {\r\n    helloworld.HelloWorldCmd(cmd, con, args)\r\n   },\r\n   GroupID: consts.FilesystemHelpGroup,\r\n  }\r\n  sliver.AddCommand(helloWorldCmd)\r\n  Flags(\"\", false, helloWorldCmd, func(f *pflag.FlagSet) {\r\n   f.Uint32P(\"intflag\", \"i\", 0, \"parameter 2\")\r\n   f.BoolP(\"boolflag\", \"x\", false, \"parameter 3\")\r\n   f.Int64P(\"timeout\", \"t\", defaultTimeout, \"grpc timeout in seconds\")\r\n  })\r\n  carapace.Gen(helloWorldCmd).PositionalCompletion(\r\n   carapace.ActionValues().Usage(\"parameter1\")\r\n  )<\/pre>\n
    First I created a cobra.Command struct having with the following fields:<\/p>\n