qwqdanchun / DcRat

A simple remote tool in C#.
MIT License

I asked a donut a month ago #8

Closed qwer0123456 closed 3 years ago

qwer0123456 commented 3 years ago

Will the problem be solved?

localhost 192.168.0.1~255 vmware connection is fine

If you connect with an external IP, you cannot connect. (59.12.151.12 39.128.121.11)

Analyzing the source a little more,

Need more HWID and specific user ID?

remotedesktop.dll does not connect to the new port,

but in the case of file search, a new port connection is possible

The fileless technique is good

If this is resolved, there is also a willingness to donate

I don't know how to fix

If the issue is unrelated to the topic or cannot be fixed, please close the issue

Thank you

qwqdanchun commented 3 years ago

I've tried donut, the problem may be caused by the unsafe code. https://github.com/qwqdanchun/DcRat/blob/main/Plugin/RemoteDesktop/RemoteDesktop/StreamLibrary/UnsafeCodecs/UnsafeStreamCodec.cs

you will find some native code in remotedesktop.dll

qwqdanchun commented 3 years ago

maybe look at this project https://github.com/qwqdanchun/Bypass. It shows how to code a loader to bypass AV; change the way of encryption, and enjoy it.

qwer0123456 commented 3 years ago

Unsafe code -> It is impossible to convert to safe code?

Can't fix it in UnsafeStreamCodec.cs?

The fileless technique I tested is

Compile it to a donut and run the command below

metasploit command

```
use post/windows/manage/shellcode_inject
set AUTOUNHOOK false
set CHANNELIZED false
set INTERACTIVE false
set pid 0
set shellcode /root/payload.bin
set session 1(number)
run
```

qwer0123456 commented 3 years ago

https://github.com/quasar/Quasar/blob/bee3f764c3b24d3df31bdc44dd72e72d102538c4/Quasar.Common/Video/Codecs/UnsafeStreamCodec.cs

In the case of a quasar remote, view the screen possible

There seems to be something different

qwqdanchun commented 3 years ago

Sorry for what I said before. I made a payload.bin with donut, and tested with a C# loader and a C++ loader just now. Both work well. So it may not be because of the unsafe code.

Don't have msf on my pc, can't test the shellcode_inject module. Have you ever tried any shellcode loader?

qwer0123456 commented 3 years ago

You don't have to use Metasploit

You can also create thread after copying the donut compressed program to memory

Something that can be said for sure

quasar remote is view possible

I have no idea how to solve this problem

Thanks for the help

qwer0123456 commented 3 years ago

pid 0 runs notepad.exe -> new notepad process memory injection

You can also specify the pid

qwqdanchun commented 3 years ago

try to change the pid.

I find that this article says "在注入进程时,发现注入到notepad.exe中无法执行,但注入到powershell中可以执行。" translated: "When the process is injected, it is found that injection into Notepad cannot be executed, but injection into PowerShell can be executed."

https://www.freebuf.com/articles/system/234365.html

qwer0123456 commented 3 years ago

Process does not matter if the window session is the same process

explorer.exe,RuntimeBroker.exe,notepad.exe etc.. -> all impossible

Remote viewing of Quasar is possible

In UnsafeStreamCodec.cs, Quasar has several different parts.

I don't know why this is not possible from async remote

qwqdanchun commented 3 years ago

try powershell, maybe because of the CLR?

qwqdanchun commented 3 years ago

can't find why it doesn't work

qwer0123456 commented 3 years ago

fix.zip

Quasar source works fine

This is the source with try and some additions

The screen is now displayed normally

############################################################

https://www.eset.com/us/home/free-trial/

eset antivirus msil/agent detect

eset detects unconditionally when connecting tcp socket

Do you know how to bypass eset tcp?

Screen output problem was solved lol

ClientSocket.cs

```csharp
foreach (IPAddress theaddress in addresslist)
{
    try
    {
        TcpClient.Connect(theaddress, ServerPort); // tcp connect: eset anti virus detect
        if (TcpClient.Connected) break;
    }
    catch { }
}
```

qwqdanchun commented 3 years ago

Thank you for your code. I'll push it later.

If you'd like to bypass tcp detect, you may change it to udp or dns and so on

After installing eset in a VM, I tested the rat. It didn't detect tcp when connecting. Don't know why. However, sad to find many plugins may be detected. Maybe I should rewrite some plugins later.

qwer0123456 commented 3 years ago

not detected as exe execution

Memory area detection

  1. Copy the donut-packed memory and create thread

  2. Connect tcp in the created thread

  3. detect memory tcp connect

Normal exe execution is not detected

Fileless technique bypasses 90% of antivirus

I am curious if there is any new detection technique

thank you

#############################################

Thanks for any hints on the screen viewing problem(unsafe code memory)

I don't know how to bypass eset

qwqdanchun commented 3 years ago

eset's scan is powerful. maybe it disables tcp connect from processes like notepad?

this is my guess

qwqdanchun commented 3 years ago

For it didn't detect the tcp connect when you just ran it as an exe

qwer0123456 commented 3 years ago

https://github.com/BlackINT3/OpenArk/releases/tag/v1.1.0

kernel

ObRegisterCallbacks in kernel

If you disable the loadimage kernel part to work with openark

Can't be detected

It seems to be detected if the running thread image address is not normal

Create thread and detect if the image address value is abnormal!
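A defender-side check for the heuristic described in the comment above (a thread whose start address is not backed by any loaded image), as an added example that is not part of this issue or the DcRat code. It assumes Windows, a process the caller may open, and the documented `ThreadQuerySetWin32StartAddress` information class; the target pid is a command-line argument.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example: flag threads of a process whose Win32 start address lies
// outside every module mapped in that process (unbacked thread start).
static class ThreadStartAudit
{
    const int THREAD_QUERY_INFORMATION = 0x0040;
    const int ThreadQuerySetWin32StartAddress = 9;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenThread(int desiredAccess, bool inheritHandle, int threadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr thread, int infoClass,
        out IntPtr info, int infoLength, IntPtr returnLength);

    // True when addr falls inside the address range of a loaded module.
    static bool InsideLoadedModule(Process p, IntPtr addr)
    {
        long a = addr.ToInt64();
        foreach (ProcessModule m in p.Modules)
        {
            long start = m.BaseAddress.ToInt64();
            if (a >= start && a < start + m.ModuleMemorySize) return true;
        }
        return false;
    }

    static void Main(string[] args)
    {
        Process p = Process.GetProcessById(int.Parse(args[0]));
        foreach (ProcessThread t in p.Threads)
        {
            IntPtr h = OpenThread(THREAD_QUERY_INFORMATION, false, t.Id);
            if (h == IntPtr.Zero) continue; // access denied or thread gone
            IntPtr start;
            int status = NtQueryInformationThread(h, ThreadQuerySetWin32StartAddress,
                out start, IntPtr.Size, IntPtr.Zero);
            CloseHandle(h);
            if (status != 0) continue; // NTSTATUS failure, skip this thread
            string verdict = InsideLoadedModule(p, start) ? "image-backed" : "UNBACKED";
            Console.WriteLine($"tid {t.Id,6} start 0x{start.ToInt64():X} {verdict}");
        }
    }
}
```

Run it against the same bitness as the target process, since a 32-bit auditor cannot enumerate the modules of a 64-bit process; an UNBACKED line is an investigation lead, not proof, because JIT-compiled code and some packers also produce such threads.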

qwqdanchun commented 3 years ago

Good work!

However this is hard to bypass

qwqdanchun commented 3 years ago

usually you can't disable it in ring3

qwer0123456 commented 3 years ago

eset is like a good antivirus

If you load the driver with ring 0 it will probably be bypassed easily

From the general computer to the system privilege, you must also increase privileges and manipulate tokens

ring3 seems to need an idea

Thanks for the reply