ControlPipe using Powershell

bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.

https://bytecode77.com/r77-rootkit

BSD 2-Clause "Simplified" License

1.66k stars 398 forks source link

ControlPipe using Powershell #70

Closed APT-ZERO closed 9 months ago

APT-ZERO commented 9 months ago

Hi, Is it possible to control r77 using Powershell?

bytecode77 commented 9 months ago

Sure. Since PowerShell allows you to use C#, you have full .NET capabilities. The example I have prodived is in C++, so you have to write it in .NET within PowerShell instead.

APT-ZERO commented 9 months ago

That is great, but is it possible to control r77 using pure PowerShell 2.0 script/command

bytecode77 commented 9 months ago

I guess you want to avoid a .NET DLL being compiled and written to disk, because in your workflow, you access the control pipe in a fileless manner? ;) I needed to avoid cmdlets, too, in the AMSI bypass. It was a pain...

Anyway, I saw a PS example here that shows code for writing to a named pipe. So it should be entirely possible.