bytecode77 / living-off-the-land

Fileless attack with persistence
https://bytecode77.com/living-off-the-land
BSD 2-Clause "Simplified" License

Is it possible to use your project to start a dll file? #6

Closed randomUser7852 closed 3 years ago

randomUser7852 commented 3 years ago

Hi,

I decided that the form of my malware should be a DLL because it's not known by AV. In Windows, we can use the command rundll32 to run it.

I could try to start a batch maybe? I understood that the living off the land executable loaded the content of the payload?

bytecode77 commented 3 years ago

This would not match the concept of this project. "Living Off The Land" is about the complete absence of any files. When your payload is stored on the disk, it will eventually be deleted by AV, no matter whether it's an executable or a DLL file.

"Living Off The Land" is no guarantee of full AV evasion either. It's rather the "minimal standard" that you should follow, because dropping files to disk (including bat files) will certainly get detected. Furthermore, the executable of this project is a PoC. It's intended to provide a fully functional example that you can use as a reference for your own implementation.

rundll is, indeed, used by some malware. It's an old technique, nothing special and trivial to implement. If you want to go for the rundll solution, you don't need any of the code from my project. It's a very simple command line, and you can use the null embedded character trick for the Run\ value, if you like. Note: null embedded characters don't evade AV.

randomUser7852 commented 3 years ago

Oh yeah, I realise now I did not fully understand how your malware works. After a lot of time spent on it, now I get why my question was absurd...