bytecode77 / living-off-the-land

Fileless attack with persistence
https://bytecode77.com/living-off-the-land
BSD 2-Clause "Simplified" License

Living off the Land exe don't start at bootup in Windows VM #5

Closed badmanagerbmx closed 3 years ago

badmanagerbmx commented 3 years ago

Hi,

I ran the Living off the Land exe and made sure the message "could not display value" appears when viewing the registry. When I run the removal tool, it says that it was removed successfully, so it seems to work.

Besides that, I know for sure that the Living off the Land exe did not work, because the stager did not run (it's supposed to download the rootkit files).

Am I doing something wrong? Does it work on your system? I use a Windows VM, and I have a hard time just getting programs to run at bootup, so maybe it comes from there..

BR

bytecode77 commented 3 years ago

Does the executable require admin privileges, or does it have a UAC manifest with requireAdministrator? In that case, it won't start from HKCU...\Run, because it's not possible to use registry startup to create elevated processes. It's required to use scheduled tasks in that case.

Also, the LOTL PoC contains Payload.exe in the resources, but the file is encrypted. You can see that when you open Payload.exe in a hex editor. It's encrypted using a simple XOR at compile time using EncryptFile.exe. If you want to provide your own file, you have to encrypt it as well. I wouldn't recommend skipping encryption, because an executable within an executable will get you detected. If you put a non-encrypted file there, it will be "decrypted" anyway, resulting in an invalid binary.

If you think your issue is due to the RunPE method not being able to create your process correctly, you can:

Debugging that way, you can see exactly what is happening during process creation using RunPE.

badmanagerbmx commented 3 years ago

Hi,

I didn't get any UAC prompt or anything else when starting the exe. I put my code in place of your payload, so it's supposed to be encrypted too, right?

The exe is built as Win32; I will try your method and see if it helps.

I tried on a second computer, not a VM, but I don't know why, it could not even start the payload, so it's impossible to see if it really works at bootup (I got the error message when trying to view it in the registry editor).

BR

bytecode77 commented 3 years ago

Yes, it definitely needs to be encrypted. Otherwise the RunPE is trying to parse an invalid PE file.

One more thing you could try is to open cmd.exe and paste this:

powershell "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Internet Explorer\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"

It is the command line that is used to start PowerShell. If there is any error, PowerShell will display it. If you didn't encrypt the payload, the C# code will probably crash because it is working on invalid data.

badmanagerbmx commented 3 years ago

Hi,

Thank you first for taking the time to answer this, you're really an MVP, bro.

I tried to encrypt my exe manually with your encryption exe, and it seems to work (the payload did work), but when I rebooted my computer, the payload did not work.. (since it's supposed to download files).

Just a question: why do you set the registry key in Software\Microsoft\Internet Explorer and not in Software\Microsoft\Windows\CurrentVersion\Run? I saw that my regedit shows the "could not display" error message in Software\Microsoft\Internet Explorer.

But are you really sure I'm supposed to manually encrypt my exe? If I rebuild the solution, my project as the Payload project should be encrypted, right?

bytecode77 commented 3 years ago

The exe in Software\Microsoft\Internet Explorer is not encrypted, because the PowerShell command line has only 260 characters available, and that's not enough to implement any decryption. It's also not possible to use embedded null characters, which is why it's buried so deep. The encrypted executable is just Payload.exe, which is a C# resource of the injector. The injector, of course, cannot be encrypted. Please make sure to check the post-build events for each project to see what goes where.

It seems strange, though, that your payload doesn't download files upon the next reboot. Could it be that you have a notebook that's connected over WiFi? In such a situation, an internet connection may not be available at that very moment. Try to periodically retry your download until an internet connection is available for at least one minute.
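From a defender's side, the two artifacts discussed in this thread are what a host scan would key on: the Run-key command line quoted above (PowerShell reflectively loading an assembly read back out of the registry) and the REG_BINARY default value under Software\Microsoft\Internet Explorer that regedit reports as "could not display value". The following script is an added example, not code from the living-off-the-land project; it parses a `.reg` export (the format `reg export` writes) and flags both indicators. The sample export is constructed for the demonstration and does not come from a real host.

```python
"""
Scan a Windows .reg export for two registry-hosted persistence artifacts:
  1. a Run/RunOnce value that launches PowerShell and reflectively loads an
     assembly whose bytes are read from the registry, and
  2. a REG_BINARY value that starts with the "MZ" header of a PE image
     (what regedit shows as "could not display value" on a default value).
Added example; the sample export below is constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import List, Union

# Constructed sample of `reg export HKCU\Software`, mixing benign and suspicious entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell \"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\"Software\\\\Microsoft\\\\Internet Explorer\\\").GetValue($Null)).EntryPoint.Invoke(0,$Null)\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
@=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,00,\
  40,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Example\Settings]
"Theme"="dark"
"Icon"=hex:89,50,4e,47,0d,0a,1a,0a
'''


@dataclass
class RegValue:
    key: str
    name: str                  # "@" denotes the key's default value
    kind: str                  # "string" (REG_SZ) or "hex" (binary data)
    data: Union[str, bytes]    # decoded string, or raw bytes for hex values


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def _unescape_reg_string(s: str) -> str:
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text: str) -> List[RegValue]:
    """Minimal .reg parser: keys in [brackets], "name"=value lines, hex continuations."""
    # Hex data may be wrapped with a trailing backslash; join those lines first.
    joined = re.sub(r'\\\r?\n\s*', '', text)
    values: List[RegValue] = []
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:
            continue
        name = '@' if m.group(1) == '@' else _unescape_reg_string(m.group(2))
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            values.append(RegValue(key, name, 'string', _unescape_reg_string(raw[1:-1])))
        elif raw.lower().startswith('hex'):            # hex: / hex(2): / hex(7): ...
            hexpart = raw.split(':', 1)[1]
            data = bytes(int(b, 16) for b in hexpart.split(',') if b.strip())
            values.append(RegValue(key, name, 'hex', data))
    return values


RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices)(\\|$)', re.I)
REFLECTIVE_LOAD_RE = re.compile(r'Reflection\.Assembly\]::Load\w*\(', re.I)
REGISTRY_READ_RE = re.compile(r'Microsoft\.Win32\.Registry|Get-ItemProperty|GetValue\(', re.I)


def scan(values: List[RegValue]) -> List[Finding]:
    """Apply both indicators to every parsed value and return the hits."""
    findings: List[Finding] = []
    for v in values:
        if v.kind == 'string' and RUN_KEY_RE.search(v.key):
            d = v.data
            if re.search(r'powershell', d, re.I) and REFLECTIVE_LOAD_RE.search(d) and REGISTRY_READ_RE.search(d):
                findings.append(Finding(v.key, v.name,
                                        'Run key starts PowerShell that loads an assembly from the registry'))
        # PE images begin with the two-byte "MZ" signature, regardless of which key holds them.
        if v.kind == 'hex' and v.data[:2] == b'MZ':
            findings.append(Finding(v.key, v.name,
                                    'REG_BINARY value begins with the MZ header of a PE image'))
    return findings


if __name__ == '__main__':
    for f in scan(parse_reg_export(SAMPLE_REG)):
        print(f'[{f.key}] {f.name!r}: {f.reason}')
```

On the constructed sample the scan reports exactly the two entries the thread talks about (the "Updater" Run value and the default value under Internet Explorer) and ignores the OneDrive entry and the PNG-bytes icon. The MZ check is deliberately key-agnostic, since the point of the technique is that the blob can sit under any innocuous-looking key; in practice you would run this over an export of both HKCU and HKLM.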

badmanagerbmx commented 3 years ago

Hi,

I don't think this could come from a lack of internet connection, because I tried: download your repo > build the solution > execute the Living off the Land exe > got the display message. I checked the registry key and I got the error message.

I guess I should see the demo window when I start Windows, but that's not the case. Or is it hidden? (only tested that on a VM)

BR

bytecode77 commented 3 years ago

So, your executable performs many tasks and at some point fails, and you need to figure out when exactly things go wrong.

One thing you could do is add a simple MessageBox to your payload at the very beginning of the main method, and see if this MessageBox is displayed. Then you know for sure that the executable is executed correctly.

Then you can continue to add a MessageBox between each line of code and see which MessageBox is the last one that was successfully displayed. That way, you can see exactly at which line of code it fails, even when you're not able to debug or profile it.

bytecode77 commented 3 years ago

If you need further help, please feel free to re-open the issue.

randomUser7852 commented 3 years ago

Hi,

I tried to use my custom exe and copy/pasted my code into your Payload project, but it cannot run either. I kept the post-build actions to compress and encrypt my exe and copy it into the encrypted resource folder, but it fails to start at boot-up. I saw that your original project does not have any dependencies; do you think it could come from there?

bytecode77 commented 3 years ago

It's hard to tell what exactly is happening on your side. So here are some steps you could take to analyze this, since hacking is all about the analytical approach:

  1. Copy the RunPE function into a new C# project and try to call it using your unencrypted payload. If this fails, debug the RunPE function to see why. You cannot debug this when you compile the project as a whole.
  2. Make sure encryption / decryption is handled properly and the bitness of the executables matches (32-bit).
  3. Try to find some steps to identify the cause of the problem. In many situations where debugging isn't possible, you can still take parts of the code apart, as in step 1.

Since I can't see what you are doing, this is all the help I can offer right now.