Comments (20)

qwqdanchun commented on May 25, 2024

I've tried donut; the problem may be caused by the unsafe code.
https://github.com/qwqdanchun/DcRat/blob/main/Plugin/RemoteDesktop/RemoteDesktop/StreamLibrary/UnsafeCodecs/UnsafeStreamCodec.cs

You will find some native code in remotedesktop.dll.

from dcrat.

qwqdanchun commented on May 25, 2024

Maybe look at this project:
https://github.com/qwqdanchun/Bypass
It shows how to code a loader to bypass AV.
Change the way of encryption, and enjoy it.


qwer0123456 commented on May 25, 2024

Unsafe code -> Is it impossible to convert it to safe code?

Can't it be fixed in UnsafeStreamCodec.cs?

The fileless technique I tested is:

Compile it with donut and run the commands below.

Metasploit commands:

    use post/windows/manage/shellcode_inject
    set AUTOUNHOOK false
    set CHANNELIZED false
    set INTERACTIVE false
    set pid 0
    set shellcode /root/payload.bin
    set session 1    (the session number)
    run


qwer0123456 commented on May 25, 2024

https://github.com/quasar/Quasar/blob/bee3f764c3b24d3df31bdc44dd72e72d102538c4/Quasar.Common/Video/Codecs/UnsafeStreamCodec.cs

In the case of a Quasar remote, viewing the screen is possible.

There seems to be something different.


qwqdanchun commented on May 25, 2024

Sorry for what I said before.
I made a payload.bin with donut and tested it with a C# loader and a C++ loader just now.
Both work well, so it may not be because of the unsafe code.

I don't have msf on my PC, so I can't test the shellcode_inject module.
Have you ever tried any shellcode loader?


qwer0123456 commented on May 25, 2024

You don't have to use Metasploit.

You can also create a thread after copying the donut-compressed program to memory.

Something that can be said for sure:

Quasar remote view is possible.

I have no idea how to solve this problem.

Thanks for the help.


qwer0123456 commented on May 25, 2024

pid 0 runs notepad.exe -> memory injection into a new notepad process.

You can also specify the pid.


qwqdanchun commented on May 25, 2024

Try to change the pid.

I find that this article says (translated from the Chinese original): "When injecting into a process, it was found that injecting into notepad.exe could not execute, but injecting into powershell could execute."

https://www.freebuf.com/articles/system/234365.html


qwer0123456 commented on May 25, 2024

The process does not matter if the window session is the same.

explorer.exe, RuntimeBroker.exe, notepad.exe, etc. -> all impossible.

Remote viewing with Quasar is possible.

In UnsafeStreamCodec.cs, Quasar has several different parts.

I don't know why this is not possible from the async remote.


qwqdanchun commented on May 25, 2024

Try powershell; maybe it is because of the CLR?


qwqdanchun commented on May 25, 2024

Can't find why it doesn't work.


qwer0123456 commented on May 25, 2024

fix.zip

The Quasar source works fine.

This is the source with a try and some additions.

The screen is now displayed normally.

############################################################

https://www.eset.com/us/home/free-trial/

ESET antivirus detects it as MSIL/Agent.

ESET detects it unconditionally when connecting the TCP socket.

Do you know how to bypass ESET's TCP detection?

The screen output problem was solved lol.

ClientSocket.cs

    foreach (IPAddress theaddress in addresslist)
    {
        try
        {
            TcpClient.Connect(theaddress, ServerPort); // TCP connect: ESET antivirus detects at this call
            if (TcpClient.Connected) break;            // stop at the first address that connects
        }
        catch { }                                      // unreachable address: try the next one
    }


qwqdanchun commented on May 25, 2024

Thank you for your code.
I'll push it later.

If you'd like to bypass TCP detection, you may change it to UDP or DNS and so on.

After installing ESET in a VM, I tested the RAT. It didn't detect TCP on connect. Don't know why.
However, sad to find that many plugins may be detected.
Maybe I should rewrite some plugins later.


qwer0123456 commented on May 25, 2024

Not detected as exe execution.

Memory area detection:

  1. Copy the donut-packed memory and create a thread.

  2. Connect TCP in the created thread.

  3. The TCP connect from memory is detected.

Normal exe execution is not detected.

The fileless technique bypasses 90% of antivirus.

I am curious if there is any new detection technique.

Thank you.

#############################################

Thanks for any hints on the screen viewing problem (unsafe code memory).

I don't know how to bypass ESET.


qwqdanchun commented on May 25, 2024

ESET's scan is powerful.
Maybe it disables TCP connect from processes like notepad?

This is my guess.


qwqdanchun commented on May 25, 2024

Because it didn't detect the TCP connect when you just ran it as an exe.


qwer0123456 commented on May 25, 2024

https://github.com/BlackINT3/OpenArk/releases/tag/v1.1.0

Kernel.

ObRegisterCallbacks in the kernel.

If you disable the loadimage kernel part to work with OpenArk,

it can't be detected.

It seems to be detected if the running thread's image address is not normal.

Create a thread and detect whether the image address value is abnormal!

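The detection heuristic the last two qwer0123456 comments describe (a thread whose start address is not backed by a loaded image, and a TCP connect issued from such a thread, gets flagged) modelled as an added example; this is not code from the thread, from DcRat or from ESET. The region and thread records, the constants and the sample data are constructed to resemble what VirtualQueryEx and a thread start-address query would report.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000   # VirtualQueryEx memory types
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}          # PAGE_EXECUTE* protections

@dataclass(frozen=True)
class Region:          # one committed region as VirtualQueryEx would report it (assumed shape)
    base: int
    size: int
    mem_type: int
    protect: int
    module: Optional[str] = None   # file backing a MEM_IMAGE region

@dataclass(frozen=True)
class Thread:          # thread id plus its Win32 start address (assumed shape)
    tid: int
    start_address: int

def region_for(address: int, regions: List[Region]) -> Optional[Region]:
    return next((r for r in regions if r.base <= address < r.base + r.size), None)

def classify_thread(t: Thread, regions: List[Region]) -> Tuple[str, str]:
    """'benign' if the start address lies inside a mapped image, else 'suspicious'."""
    r = region_for(t.start_address, regions)
    if r is None:
        return "suspicious", "start address is not committed memory"
    if r.mem_type == MEM_IMAGE:
        return "benign", f"backed by image {r.module}"
    kind = "executable" if r.protect in EXECUTABLE else "non-executable"
    return "suspicious", f"{kind} non-image memory (type 0x{r.mem_type:x})"

def flag_connects(connects, threads, regions):
    """TCP connects whose originating thread is not image-backed (step 3 in the comment)."""
    by_tid = {t.tid: t for t in threads}
    flagged = []
    for tid, remote in connects:
        verdict, reason = classify_thread(by_tid[tid], regions)
        if verdict == "suspicious":
            flagged.append((tid, remote, reason))
    return flagged

# Constructed sample: two images plus one private RWX allocation holding a
# copied blob on which a thread was created; thread 3 then opens a socket.
SAMPLE_REGIONS = [
    Region(0x7FF610000000, 0x40000, MEM_IMAGE, 0x20, "notepad.exe"),
    Region(0x7FFD20000000, 0x200000, MEM_IMAGE, 0x20, "ntdll.dll"),
    Region(0x1A2B0000, 0x30000, MEM_PRIVATE, 0x40),
]
SAMPLE_THREADS = [Thread(1, 0x7FF610001A00), Thread(2, 0x7FFD20012340), Thread(3, 0x1A2B0100)]
SAMPLE_CONNECTS = [(1, "10.0.0.5:443"), (3, "203.0.113.9:6606")]
```

Only the connect from thread 3 is reported; the one from the main thread of notepad.exe passes, which is the "normal exe execution is not detected" case from the comment.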

qwqdanchun commented on May 25, 2024

Good work!

However, this is hard to bypass.


qwqdanchun commented on May 25, 2024

Usually you can't disable it in ring 3.


qwer0123456 commented on May 25, 2024

ESET is like a good antivirus.

If you load the driver with ring 0 it will probably be bypassed easily.

From the general computer to the system privilege, you must also increase privileges and manipulate tokens.

Ring 3 seems to need an idea.

Thanks for the reply.

