bytecode77 / living-off-the-land

Fileless attack with persistence
https://bytecode77.com/living-off-the-land
BSD 2-Clause "Simplified" License
279 stars, 52 forks

Payload size #8

Closed. kiwids0220 closed this issue 2 years ago

kiwids0220 commented 2 years ago

Hi. Nice code! But I am just wondering how I am supposed to insert a payload into the registry when it's way over the size limit? In the example I think you used MessageBoxA to call the native API. But what if I want to, let's say, download the bytes and inject them into the explorer.exe process, which means this might include multiple API calls? Please correct me if I am wrong on that. The only solution I can think of is to create more registry keys and store them separately?

kiwids0220 commented 2 years ago

Hi, just further trying to understand your code. I think my question is: in order to load the actual payload, does payload.exe have to be written to disk first? Or how would you load it, as in the README: "The injector then proceeds to load the actual Payload.exe from its own executable resources. The payload is then injected using the process hollowing technique (RunPE)." and "// Loads Payload.exe (native executable) from resources and injects into suitable OS executable."

bytecode77 commented 2 years ago

> I am just wondering how am I supposed to insert a payload into registry when it's way over the size limit?

This project is a PoC that incorporates several techniques to demonstrate fileless startup. Of course, a lot more techniques exist. If you require something special, such as a large file, you need to figure out an implementation, such as multiple REG_BINARY values, a download, etc. Not sure what the size limit is, though.

The used technique requires a first stage to be written in C#, because PowerShell is only capable of executing C# code, not native code. The second stage demonstrates native code execution, because many payloads are not written in C#. But you can also decide to only use C# and skip the last stage.

> payload.exe has to be first written to the disk?

The whole purpose of this PoC is to have nothing written to the disk, executables and DLLs in particular. Once you touch the disk, the "game is over".

> but what if I want to let's say download the bytes and injected it into explorer.exe process [...] ?

If you want DLL injection without writing a DLL to disk, check out my other project r77 where I use reflective DLL injection. DLL injection becomes a hard task if you require it to happen in-memory, but it's entirely possible. My code is pretty clean and it should be easy to understand how it works and apply it in your own project.
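Triage helper for the "multiple REG_BINARY values" case discussed in this reply, added here as an example and not part of the living-off-the-land project: it parses a `.reg` export, sizes every hex-encoded value, and flags keys holding an MZ-prefixed or oversized blob, or several values whose combined size suggests a payload split across values. The key names, value names and bytes in the sample export are constructed.

```python
"""Flag large, MZ-prefixed or chunked binary blobs in a Windows .reg export (defender-side triage)."""
import re

# Constructed sample export: a benign autorun entry plus a key holding a PE image
# split across two hex values. Bytes are made up apart from the MZ/PE magics.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
[HKEY_CURRENT_USER\Software\Example\Stage]
"chunk0"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00
"chunk1"=hex(3):50,45,00,00,4c,01,03,00,aa,bb,cc,dd,00,00,00,00
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(?P<data>.*)$')

def _logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into single logical lines."""
    buf = ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ''

def parse_reg(text):
    """Return {key: {value_name: (byte_count, starts_with_MZ)}} for hex-typed values."""
    keys, key = {}, None
    for line in _logical_lines(text):
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            keys.setdefault(key, {})
        elif key is not None and (m := HEX_RE.match(line)):
            octets = [b.strip().lower() for b in m.group('data').split(',') if b.strip()]
            keys[key][m.group('name')] = (len(octets), octets[:2] == ['4d', '5a'])
    return keys

def find_suspicious(keys, per_value=1024, per_key=4096):
    """Flag keys with an MZ-prefixed blob, one oversized blob, or a combined blob size over per_key."""
    hits = []
    for key, values in keys.items():
        sizes = [size for size, _ in values.values()]
        has_mz = any(mz for _, mz in values.values())
        if has_mz or max(sizes, default=0) > per_value or sum(sizes) > per_key:
            hits.append((key, sum(sizes), has_mz, sorted(values)))
    return hits
```

A real `reg export` file is UTF-16 LE with a BOM, so read it with `encoding='utf-16'` before passing it to `parse_reg`.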

kiwids0220 commented 2 years ago

I got it now. Thanks for the answer!