
Bypass all AV's & Make Payload that never dies

qGodless (User; registered 10.07.2022; 385 messages; 106 reactions)
The idea is to delete notepad.exe and download your own, which should be combined with a payload. And you have to code it so it doesn't execute, just replaces. This way you will bypass the AVs, because you're not executing anything; you just replaced a process.
And when the victim starts notepad.exe it will start the payload. This way, even if there was an AV, it won't be able to stop the reverse shell (I tried it), because it's a Windows process that is running.
Even if it gets detected and deleted, every time the target starts a notepad it will execute the payload.

I previously did this, but it requires admin privileges and a lot of time coding, not just deleting and downloading.
I did code it in C#, but it still needs a lot of fixing to work properly.
 
On topic: (image attached)
 
It will not work.
It seems very doable

And the reason is that there are a lot of programs that are meant to replace your notepad.exe with a newer, better-looking one. If I can see how they did it without raising suspicion from WD, I can replace it with my own backdoored notepad.exe.


Or maybe somehow mess with the registry to start the backdoored notepad instead of the Windows one.

edit: https://github.com/lygstate/NotepadStarter
 
> It seems very doable
Doable - yes. Workable - no.
Replace notepad with your malware or a backdoored file and check if it works in the first place.
 
It may not work, but Stack Overflow gave me a better solution.
 
Update: It did work eventually. The theory is to remove .txt from the right-click tab and add a new one. Instead of a backdoored version, which would not work as you said, Pernat1y, it would start a program that downloads malware and starts system32/notepad.exe.
 
> Update: It did work eventually. The theory is to remove .txt from the right-click tab and add a new one. Instead of a backdoored version, which would not work as you said, Pernat1y, it would start a program that downloads malware and starts system32/notepad.exe.
You can hijack any extension and associate it with your malware, but it will not magically exclude it from AV scan.
 
LOL, that's a fake msg. I don't think there is a way to run without UAC.
So the actual code didn't do anything? You've just tested it without proactive defense kicking in, so it is basically the same as testing it for signatures and an AV emulator without running it; not really a fair test.
 
> LOL, that's a fake msg. I don't think there is a way to run without UAC.
I thought of adding bypass scripts, but they're just gonna flag it.
Anyway, I don't see a putty window :)
 
> Anyway, I don't see a putty window :)
Long answer: Well, that's why my code is different. It's not a regular download & start trojan. Instead it goes to the registry, removes the "New Text Document" entry and adds mine. This way, every time the target starts a new txt document it will download & start a program that starts a new notepad.exe in the current path, waits some time and starts my malware.

One problem is that if the target goes to the directory where my malware is, Windows Defender could remove the file that does that. And the OS would just corrupt, I think, because there is no txt to use; it would just prompt "File doesn't exist".

DildoFagins, I'm too lazy to record xD, maybe soon. The test is just to show it's a thing.

Short answer: You will see the putty window when you start a text file.

Edit: it wouldn't just download every time; it will check first if the malware is up or not.
Edit 2: I'm thinking of adding more processes like docx & rtf, so I get a shell in less time.
 
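The two registry spots the post above is working on are the extension's ShellNew subkey (the thing that puts "Text Document" in the right-click New menu) and the txtfile ProgID's shell\open\command (what actually launches when a .txt is opened). Both can be overridden per user under HKCU\Software\Classes, which wins over the machine-wide HKLM view in the merged HKEY_CLASSES_ROOT, so no admin rights are needed for the redirect. Below is an added example, not code from this thread or from any poster, that parses a .reg export of those keys and flags exactly that kind of override. The export text and the stager path inside it are constructed for the example, %SystemRoot% is assumed to expand to C:\Windows, and the stock handler is assumed to be system32\notepad.exe.

```python
import re

# Constructed sample (not a real export): what `reg export` of the per-user
# classes hive could look like after the hijack described in the post, plus
# the untouched machine-wide txtfile handler for comparison. The stager path
# is invented for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\.txt\ShellNew]
"Command"="\"C:\\Users\\victim\\AppData\\Roaming\\stager.exe\" %1"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Roaming\\stager.exe\" %1"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

# Stock .txt handler on a default install (assumption: %SystemRoot% is C:\Windows).
EXPECTED_TXT_HANDLER = r"c:\windows\system32\notepad.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string escaping: a backslash escapes the next character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Only string values are decoded; dword:/hex: payloads are kept raw.
    The key's default value is stored under the name "@".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _exe_from_command(command):
    """Normalised executable path from a shell\\open\\command string."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    exe = re.sub(r"%systemroot%", r"C:\\Windows", exe, flags=re.IGNORECASE)
    return exe.lower()


def audit_txt_association(keys):
    """Return (key_path, reason) for every .txt registration that deviates.

    A stock .txt ShellNew only carries NullFile; a Command value means that
    creating "New Text Document" runs a program. A txtfile open handler that
    is not the stock notepad.exe means opening any .txt runs something else.
    """
    findings = []
    for path, values in keys.items():
        low = path.lower()
        names = {n.lower(): v for n, v in values.items()}
        if low.endswith(r"\.txt\shellnew") and "command" in names:
            findings.append((path, "ShellNew runs: " + names["command"]))
        if low.endswith(r"\txtfile\shell\open\command"):
            exe = _exe_from_command(names.get("@", ""))
            if exe != EXPECTED_TXT_HANDLER:
                findings.append((path, "open handler is " + exe))
    return findings


if __name__ == "__main__":
    for path, reason in audit_txt_association(parse_reg(SAMPLE_REG)):
        print(path, "->", reason)
```

On a live host the input comes from `reg export HKCU\Software\Classes hkcu_classes.reg` (read it with encoding="utf-16", since reg export writes UTF-16LE with a BOM) alongside an export of the HKEY_CLASSES_ROOT view; any .txt or txtfile entry present in the user's Classes key that differs from the machine view is the tell, because the merged HKCR view resolves to the per-user entry first.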
If you want this level of stealth you probably should look into the realm of rootkits, which is super hard; plus you would have to target a specific set of UEFI firmwares (most likely their vulnerabilities). You can only make a 100% undetectable payload if you run it in the kernel, because AV solutions all have kernel-mode components, which are 100% bypassable only from kernel mode. And a rootkit would give you this ability. Instead of trying to hijack notepad, read this:


And read this:


And also you would have to learn assembly language and kernel debugging, and you would have to reverse engineer UEFI.
 
OP, I suggest another option. The idea is to delete the antivirus and replace it with your own copy with a payload. Study it, try it.
 
> OP, I suggest another option. The idea is to delete the antivirus and replace it with your own copy with a payload. Study it, try it.
There are many options here for further research. Delete Windows and replace it with your own. Then replace the computer with your own, delivered via Yandex.Delivery. And further still, delete the user and replace them with yourself.
 