• XSS.stack #1 – первый литературный журнал от юзеров форума

(EN/RU) (C#) How to do startup if injected/crypted?

Отслеживать
Leer

Leer

HDD-drive
Пользователь
Регистрация
06.08.2021
Сообщения
20
Реакции
0
I can translate russian, but apologies for it. I don't understand how authors or users who crypt their file, how does the files startup still work? if the process is injected, how can it copy itself, or launch itself on start up? You can have the file get it's bytes and write to new file, but then it is not crypted on next launch. If someone has some idea or code in C# to demonstrate, will help much, thanks. I am talking about the original file having startup, not the crypter itself by the way

Я не понимаю, как авторы или пользователи, которые шифруют свой файл, как все еще работает запуск файлов? если процесс введен, как он может копировать себя или запускать себя при запуске? Файл можно получить байт и записать в новый файл, но при следующем запуске он не будет зашифрован. Если у кого-то есть какие-то идеи или код в С# , чтобы продемонстрировать, поможет, спасибо

Еще раз прошу прощения за перевод
 
c0d3r_0f_shr0d13ng3r сказал(а):
Self runpe or loadpe
I'm going to reply in english since you did, however if you wish to reply in russian that is fine, since you post in it alot.
how would this handle startups however? if the original file has startup, then is crypted, even if the file is injected into memory, and then again via the original files runpe, it will still be in memory, with no physical file to run no? there is fileless persistence yes, is that the way you go then? or am I simply missing something

also thank you for your response, I lurk on this forum but you seem very intelligent so I'm happy you have an interest to help me :)
 
Kapibara сказал(а):
you must open PE file in memory , decrypt it and reload to reflective, and then jump to entry point.
how will this still function with startup however?
By reflective, for an example you mean this correct:

Invoke-ReflectivePEInjection - PowerSploit

powersploit.readthedocs.io
how can this allow for standard startups however like run keys for example?
 
Kapibara сказал(а):
decrypt it in memory and find original entry point
ok so it's in memory, and now being ran in memory, but if a run key was to be used for persistence, how would that work? if the file is 100% in memory, how can the file be ran again?
forgive me if this simple, but it's just hard for me to imagine

if someone has a code sample in C#, that would help alot most likely I am "do it" learner
 
Leer сказал(а):
ok so it's in memory, and now being ran in memory, but if a run key was to be used for persistence, how would that work?
Ты должен добавить в автозагрузку файл который запускает твой екзе в памяти.Тогда при автозагрузке он будет запускаться и запускать твой екзе.Это же очевидно, не?
 
Пожалуйста, обратите внимание, что пользователь заблокирован
Leer сказал(а):
if the file is 100% in memory, how can the file be ran again?
You can store the file in registry (in the end the whole registry hive is just another file, but still), you can store the file in WMI (in the end the whole WMI database is just another file, but still), you can use some LOLBINs to download and execute your file from internet or lan each time system reboot and etc.
 
DildoFagins сказал(а):
You can store the file in registry (in the end the whole registry hive is just another file, but still), you can store the file in WMI (in the end the whole WMI database is just another file, but still), you can use some LOLBINs to download and execute your file from internet or lan each time system reboot and etc.
I think then my plan will be to write a key in registry, then use a reflection method to get it executed. Thank you for the ideas, I think I know the way to correctly have it done, thank you


"Ты должен добавить в автозагрузку файл который запускает твой екзе в памяти.Тогда при автозагрузке он будет запускаться и запускать твой екзе.Это же очевидно, не?"

Спасибо за ваши советы!
 
admin


Напишите ответ...
  • Вставить:
Прикрепить файлы
Верх