Phantom-Evasion
Persistence Improvements
According to the README, the Timebased Persistence Method checks for a specific process name to be running.
This is a major problem if you're using the PrependMigrateProc option to, let's say, the svchost.exe process, of which Windows spawns multiple processes by default.
That's why you will never be able to tell if the process is still running.
There is a much better way:
The meterpreter process could simply lock a specific file (for example its own executable), and the KeepAlive process could check if there is a lock on this file.
If the meterpreter process died, Windows would automatically remove the lock.
Yes, you're right, the Timebased Persistence Module needs a unique process name, otherwise it won't detect whether the session has died. By the way, what do you mean by: the meterpreter process could "lock" a file? Thank you @anonymouz4
Locking a file is write protection. I've used it myself, but only in a batch file to prevent starting another instance when one is still running. This is the code I use (bat file):
```batch
@echo off
:: This extra call is to avoid a bug with %~f0 when the script is executed with quotes around the script name.
call :getLock
exit /b

:getLock
:: Opening the script itself for append on handle 9 takes a write lock on it; if another instance
:: already holds that lock, the redirection fails and :main is not called.
call :main 9>>"%~f0"
exit /b

:main
:: code
exit /b
```
By 'opening' a file, Windows automatically write protects it. I think this is used in C.
Thank you! So, since exclusive locks cannot overlap an existing locked region of a file, the main routine is called only if it can lock the specified file, which means that the process has been spawned for the first time or that the process has died and thereby removed the exclusive lock! I will add those features in the next release! Thank you again for pointing this out!
No problem @oddcod3. I'm always trying to help where I can.