Closed ghost closed 3 years ago
Hmm, strange issue. I know the problem and how to fix it. How the fodhelper UAC bypass works is by changing the windir, which I believe is c:/windows/system32, so anything trying to use %windir% will result in the path of your file. What it should be doing is deleting that reg key in the end. But as I noticed, you compiled the Python script to an exe. It was not made for that; it was made to UAC bypass Python scripts, not an exe. That's why it failed and could not delete the reg key in the end.
Give me a moment and I'll tell you how to fix it.
Alright! I see your code executes a different version of uacbypass by applying PowerShell to it instead, different approaches also. Thanks!
Open cmd and paste this command:
powershell Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
Respond back and tell me if that fixed it.
Thanks! I'll check back when I wake up. By the way, is your script uacbypass allowed to be compiled?
The UAC bypass does not work when the script is an exe; I did not add exe support. It is trying to run this command in the UAC bypass: python "path to/python/file.py". But in your case it is running python "path/to python/file.exe" <-- breaks it, as you can't run an exe as a Python script. If enough people request it I will add exe support.
If you have any more questions or concerns or wish to contact me, feel free to join my Discord server. https://discord.gg/V589WeDmUr
Thanks!
Bot was working fine until I attempted to run the command !uacbypass with no success at all. Errors started appearing when clicking on Taskbar shortcuts, as noted below:
C:\Windows\System32\fodhelper.exe | file will not open anymore | Error is now being shown; it seems whenever this file is clicked the system tries to locate the bot binary.exe for whatever reason. (There has been a registry change, I believe, at the !uacbypass command.)
If I attempt to open Network and Internet Settings, a Command Prompt opens and an error appears looking for the file.
Errors in video: https://user-images.githubusercontent.com/3595920/128725054-829a0d84-4824-426b-a982-b5048405af08.mp4 https://user-images.githubusercontent.com/3595920/128725059-ddfe140d-ef1f-42ed-9cf8-5610b38ce35b.mp4
CMD now has parameters set on it, as shown in the image: "C:\Windows\System32\cmd.exe" /k start C:\Users\%username%\AppData\Local\Temp_MEI60802\D:\Folder\Exercises\2 - Remote Access Trojan\dist\SecureXDRAT.exe
Registry Changes made by the bot:
@moom825
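Added example, not part of the thread or of the project's code: a read-only PowerShell check for the two leftovers the exchange above describes, a HKCU:\Software\Classes\ms-settings key and a per-user windir override. It assumes a stock user profile has neither, so any row returned is worth reviewing before running the Remove-Item command quoted in the thread; the function name Get-UacBypassResidue is hypothetical.

```powershell
# Added example: read-only audit of the per-user registry locations named in this thread.
function Get-UacBypassResidue {
    [CmdletBinding()]
    param(
        # Key removed by the cleanup command quoted in the thread.
        [string]$MsSettingsKey = 'HKCU:\Software\Classes\ms-settings',
        # Per-user environment variables; a windir value here shadows %windir%.
        [string]$EnvironmentKey = 'HKCU:\Environment'
    )

    $findings = @()

    if (Test-Path -LiteralPath $MsSettingsKey) {
        # Walk the key itself and every subkey, recording each value verbatim.
        $keys = @(Get-Item -LiteralPath $MsSettingsKey)
        $keys += @(Get-ChildItem -LiteralPath $MsSettingsKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $names = @($key.GetValueNames())
            if ($names.Count -eq 0) {
                $findings += [pscustomobject]@{ Key = $key.Name; Value = '<no values>'; Data = $null }
            }
            foreach ($name in $names) {
                $label = if ($name -eq '') { '(Default)' } else { $name }
                $findings += [pscustomobject]@{
                    Key   = $key.Name
                    Value = $label
                    Data  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
        }
    }

    if (Test-Path -LiteralPath $EnvironmentKey) {
        $envKey = Get-Item -LiteralPath $EnvironmentKey
        # -contains is case-insensitive, matching how registry value names behave.
        if ($envKey.GetValueNames() -contains 'windir') {
            $findings += [pscustomobject]@{
                Key   = $envKey.Name
                Value = 'windir'
                Data  = $envKey.GetValue('windir', $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }

    $findings
}

# Empty output means neither location holds an override for the current user.
Get-UacBypassResidue | Format-List
```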