Tcpview backdoors
Memory Mapping File & Connection in-memory between Backdoor & Proxy Process

In this article I want to talk about C# Memory File Mapping, which is a really simple and good way to create a connection between processes; in this case I want to talk about how an attacker can use this method to bypass your defensive things like AV etc.

An attacker can use this method for the connection between a backdoor/shellcode and some proxy tool on your system. Very simply, a backdoor can use another process as a proxy on your system for its connection to the attacker server (exfil-server). This means the backdoor will not create a network connection "directly" to the attacker server, so in your network connection monitor tools like tcpview you cannot see any connection by the backdoor tool; you see only the proxy tool's connections, and the proxy tool is not backdoor/malware code. So we have something like "Picture 1".

Step0: The backdoor (NativePayload_MPAgent.exe) is executed, and at this time it creates a Memory Map File "in-memory". This backdoor also scans this Memory Map File to detect new commands, which the proxy tool will write to memory at that location in RAM.

Step1: NativePayload_MP.exe and NativePayload_HTTP.sh (the exfil-server side tool) are executed. In this step the proxy tool (NativePayload_MP) creates an HTTP connection to the exfil server tool (NativePayload_HTTP.sh) to download commands from the server and inject them into system memory (the Memory Map File).

Step2: In this step our command is downloaded from the exfil-server by NativePayload_MP.exe and injected into memory. The MP process uses this method to talk to the MPAgent process: these two processes talk to each other only by reading/writing the Memory Map File.

Step3: The command "whoami" is read from memory and executed by the backdoor (NativePayload_MPAgent.exe). The backdoor base64-encodes the cmd output and sends the output bytes to memory as the response to the command. The "important point" is that this backdoor does not create any network connection: every cmd command is executed by this backdoor and all outputs are sent to the Memory Map File "only", so there is no network connection by the backdoor. Before this, the MPAgent sent the message ".::PID:6368" to the Memory Map File, which means the backdoor with this PID is ready to read/get commands; this information is read by the MP (proxy) tool. As you can see in the picture, in this step our command is written by the MP tool into the Memory Map File with the message "NativePayload_MPAgent.cs.cmd=>whoami", which means the MPAgent should read this, execute the command locally and write the command output back here again, base64 encoded.

Picture 8: NativePayload_CSI integration with "NativePayload_MP" + NativePayload_MPAgent

Note: always run the backdoor (NativePayload_MPAgent.exe) in the first step, because our MemoryMappedFile is created by this backdoor in memory; only then can the next steps open/read/write data in this Memory Map File.

The "NativePayload_MP1.cs" code is a Mapper/Proxy tool for working with NativePayload_HTTP.sh as the web exfil-server tool. The "NativePayload_MP.cs" (old version) code was a Mapper for working with NativePayload_MPAgent as a backdoor in memory only.
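As an added example from the defender's side (Python written for this page, not code from the original article or the NativePayload project): it labels strings recovered from the shared map using the three message forms described above (the ".::PID:" ready announcement, the "NativePayload_MPAgent.cs.cmd=>" command, base64 output), and correlates a section/handle inventory with a connection table to surface a process that owns no sockets but shares a named section with one that does, which is exactly the pair tcpview alone cannot show. The input shapes `[(pid, image, [section names])]` and `[(pid, endpoint)]`, the map name `Global\EXAMPLE_SHARED_MAP` and all PIDs except 6368 are assumptions; the article does not give the real map name.

```python
import base64
import binascii
import re
from collections import defaultdict

# Message forms the article describes inside the shared Memory Map File.
READY_RE = re.compile(r"^\.::PID:(\d+)$")                        # agent announces its PID
CMD_RE = re.compile(r"^NativePayload_MPAgent\.cs\.cmd=>(.+)$")   # proxy hands over a command

def classify_map_content(text):
    """Label a string recovered from the map (the base64 branch is heuristic)."""
    m = READY_RE.match(text)
    if m:
        return ("agent_ready", int(m.group(1)))
    m = CMD_RE.match(text)
    if m:
        return ("command", m.group(1))
    if text:
        try:
            return ("output", base64.b64decode(text, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            pass
    return ("unknown", text)

def find_covert_ipc(sections, connections):
    """Return (silent_pid, networked_pid, section) for each named section held by
    exactly two processes where one owns sockets and the other owns none."""
    holders = defaultdict(set)
    for pid, _image, names in sections:
        for name in names:
            holders[name].add(pid)
    networked = {pid for pid, _endpoint in connections}
    hits = []
    for name, pids in holders.items():
        if len(pids) != 2:
            continue
        a, b = sorted(pids)
        for silent, proxy in ((a, b), (b, a)):
            if silent not in networked and proxy in networked:
                hits.append((silent, proxy, name))
    return sorted(hits)

# Constructed inventory, not real handle/tcpview output. The map name is a
# placeholder (the article does not give it); 6368 is the agent PID the article shows.
SECTIONS = [
    (4120, "NativePayload_MP.exe", ["Global\\EXAMPLE_SHARED_MAP"]),
    (6368, "NativePayload_MPAgent.exe", ["Global\\EXAMPLE_SHARED_MAP"]),
    (880, "explorer.exe", ["Global\\EXAMPLE_OTHER_MAP"]),
]
CONNECTIONS = [(4120, "192.0.2.10:80"), (880, "192.0.2.20:443")]
```

Running `find_covert_ipc(SECTIONS, CONNECTIONS)` on the constructed data reports the agent (6368) paired with the proxy (4120) on the shared section, while explorer.exe, which holds a section nobody else maps, is not reported.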