Custom Payload

Open YigalVanDongen opened this issue 3 years ago • 0 comments

Hey,

First of all, let me thank you for bringing this amazing tool to the community; it is truly a work of art. That being said, I've been trying to tinker around with it and customize the injection procedure (Common\FSecure\WinTools\InjectionBuffer.cpp and Common\FSecure\C3\Interfaces\Peripherals\Beacon.cpp) to not use the stager provided by the team server. I reached the point where the beacon and the Relay are communicating on the same named pipe and the beacon successfully appears on the Team Server, but for some reason after a single command the Gateway seems to stop reporting the beacon is alive to the team server, even though the process is still running on the victim machine with the Beacon still being located in memory correctly, and the SMB named pipe still active.

My question is basically what would be the best practice for customizing the used payload, as I've seen the ByteView class being used to call for the payload, but was hoping maybe I missed a really simple solution demonstrated somewhere else?

Thanks anyways, Yigal

YigalVanDongen • Feb 20 '22 18:02