Showing results for tags 'stealthy'.

Found 3 results

  1. Using fibers to run in-memory code in a different and stealthy way.

     Description

     A fiber is a unit of execution that must be manually scheduled by the application rather than rely on the priority-based scheduling mechanism built into Windows. Fibers are often called lightweight threads. For more detailed information about what fibers are and how they work, consult the official documentation. Fibers allow multiple execution flows in a single thread, each one with its own register state and stack. On the other hand, fibers are invisible to the kernel, which makes them a stealthier (and cheaper) method to execute in-memory code than spawning new threads.

     Advantages

     The use of fibers may be advantageous for some types of payloads (like a C2 beacon) for some of these reasons:

       • Fibers allow running in-memory code without the need to use the instructions JMP or CALL from the loader pointing to unbacked memory regions.
       • This execution is performed without the creation of new threads, preventing the generation of callbacks from the kernel that can be collected by an EDR.
       • The payload fiber's stack can be hidden when the payload enters an alertable state or when it needs to wait for a pending I/O operation. This is done using a control fiber with a normal stack that runs code from disk. This "hiding" is cheaper and easier to implement than the regular thread stack spoofing process.
       • The fibers are invisible to the kernel and all the switching procedure happens in user space, which makes it easier to hide from an EDR.
  2. The PyIris project is a modular, stealthy and flexible remote-access-toolkit written completely in Python. It allows users to dynamically build, generate, and encode/encrypt remote-access-trojan payloads for remote control of other compromised hosts.

     Features (Both Windows and Linux)

       • Tab completion for most commands
       • Dynamically generate scouts
       • Robust error handling to allow scouts to recover from sudden disconnects
       • Upload and download files from and to the target machine
       • Sleep, kill and disconnect scouts
       • Download files from external URLs (web downloads)
       • Keylogging in memory
       • Displaying system information
       • Taking screenshots without writing to disk
       • See all currently open visible and nonvisible windows on the target
       • Check to see if a scout is running with admin/root privileges
       • Inject keystrokes
       • Compile payloads into Windows EXEs or Linux ELFs
       • Clear, set, or dump clipboard data
       • Setting audio
       • Take pictures from the webcam without writing to disk
       • Stackable encryption of scout payload source code, in a theoretically infinite stack in infinite variations
       • Execute arbitrary Python code and read the results even if the Python interpreter is not installed on the target machine from compiled scouts
       • Request for admin/root
       • Sleep for an arbitrary length of time before running (to bypass AV dynamic program analysis)
       • Self-delete (only works for scripts)
       • Stream webcam over TCP sockets (pretty laggy, will work on a UDP version)

     Features (Windows)

       • Achieve persistence through the Windows registry (HKEY_CURRENT_USER)
       • Achieve persistence through the Windows startup folder
       • Remote Command Execution through cmd.exe or powershell.exe (provided it is not blocked)
       • Open URLs from a native browser (internet explorer ewww)
       • Shutdown, restart, lock, logoff user gracefully without connection hanging from scout payload
       • Execute or open files remotely
       • Check the user idle time
       • Dump saved Chrome passwords (won't work with the latest Chrome browsers since they changed encryption methods and I'm kinda lazy to update this lol)
       • Disable/Enable the target's keyboard/mouse
       • Bypass UAC through sdclt.exe (has already been patched in recent Windows updates)

     Features (Linux)

       • Achieve persistence through cron jobs (crontab)
       • Remote Command Execution through the bash shell
  3. JATAYU: Stealthy Stand-Alone PHP Web Shell

     Features

       • HTTP Header Based Authentication.
       • 100% Undetectable.
       • Exec Function Changer.
       • Nothing Fancy