So when writing remote access tools like INNUENDO, you have to throw out all the parts of your brain that try to do normal RPC ("remote procedure call").
For example, I just wrote a module (yes, I can still write code, sorta) which sits on the client taking screengrabs every ten seconds. If the screengrab is 10% different from the last one, it stores it into a list (which has a maximum size of 100 images to avoid filling all of RAM; images are compressed but still largish). Then when the command comes in to pull the list down, it serializes it, encrypts it to the server using RSA (to annoy incident response people doing memory forensics) and stores it in the data store (which can be disk, registry, memory, etc.). Then it gets trickled up to the server using INNUENDO's weird data transfer protocol and displayed to the user on request. The end result is that you can see a sample of everything the user did during the day, which is pretty awesome if that user is editing interesting documents.

The downside is that while your brain is thinking "STREAMING IMAGES", this has to become "Start, Stop, Query, Collect". And this is true for almost all operations that are ongoing. In other words, people think of doing things with trojans like moving their arms: I make the request, it moves. But modern trojans are more like dealing with children. You make the request, you make the request again, it maybe moves, it moves, it maybe tells you it moves, it maybe tells you it already moved, so stop yelling at it!

But deep down, if your trojan still supports port forwarding then you are failing.

-dave

(Reminder: we have a talk coming up at INFILTRATE <http://www.infiltratecon.com/> about this. Tickets on sale now!)
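The module described above is an ongoing task, not a procedure call. As an added illustration (this is not INNUENDO's code or the author's), the Python below models the control surface the post describes: a capture loop that keeps a frame only when it differs from the last kept frame by at least the threshold, a bounded buffer that drops the oldest entries once full, and a Start/Stop/Query/Collect interface in which a repeated start reports "already running" rather than failing. The frame source is a constructed byte-string stand-in for real screengrabs, and the difference metric is a byte-level one chosen for the example; the RSA encryption, the data store and the transfer protocol from the post are deliberately left out.

```python
"""Change-triggered capture buffer with a Start/Stop/Query/Collect control model.

Added example, not INNUENDO's code. The "screengrabs" are constructed byte
strings; encryption, data-store and transport steps are intentionally omitted.
"""
import base64
import json
import threading
import time
import zlib
from collections import deque
from typing import Callable, Deque, Dict, Iterable, List, Optional


def frame_difference(a: bytes, b: bytes) -> float:
    """Fraction of positions where two frames differ (0.0 identical, 1.0 fully different).

    Frames of unequal length count as fully different. A real module would compare
    decoded pixels; raw bytes are enough to show how the threshold gates storage.
    """
    if len(a) != len(b):
        return 1.0
    if not a:
        return 0.0
    return sum(1 for x, y in zip(a, b) if x != y) / len(a)


def make_frame(size: int, changed: int) -> bytes:
    """Constructed test frame: `changed` marker bytes followed by zero padding."""
    return b"\x01" * changed + b"\x00" * (size - changed)


def scripted_source(frames: Iterable[bytes]) -> Callable[[], bytes]:
    """Stand-in for a screengrab function: returns the constructed frames in order."""
    it = iter(frames)
    return lambda: next(it)


def decode_blob(blob: bytes) -> List[bytes]:
    """Reverse collect(): JSON list -> base64 -> zlib -> original frame bytes."""
    return [zlib.decompress(base64.b64decode(e["data"])) for e in json.loads(blob)]


class ScreengrabJob:
    """An ongoing collection task the operator drives with start/stop/query/collect."""

    def __init__(self, grab: Callable[[], bytes], interval: float = 10.0,
                 threshold: float = 0.10, max_items: int = 100) -> None:
        self._grab = grab
        self._interval = interval
        self._threshold = threshold
        # Bounded: when full, the oldest frame is discarded so RAM stays capped.
        self._frames: Deque[Dict[str, object]] = deque(maxlen=max_items)
        self._last: Optional[bytes] = None
        self._lock = threading.Lock()
        self._stop_event = threading.Event()
        self._thread: Optional[threading.Thread] = None
        self.ticks = 0

    def tick(self) -> bool:
        """One capture step; the frame is kept only if it changed enough. Returns True if kept."""
        frame = self._grab()
        with self._lock:
            self.ticks += 1
            if self._last is not None and frame_difference(frame, self._last) < self._threshold:
                return False
            self._last = frame
            self._frames.append({
                "ts": time.time(),
                "data": base64.b64encode(zlib.compress(frame)).decode("ascii"),
            })
            return True

    def _run(self) -> None:
        while not self._stop_event.is_set():
            self.tick()
            self._stop_event.wait(self._interval)

    def start(self) -> bool:
        """Idempotent: a second start reports 'already running' (False) instead of erroring."""
        with self._lock:
            if self._thread is not None and self._thread.is_alive():
                return False
            self._stop_event.clear()
            self._thread = threading.Thread(target=self._run, daemon=True)
            self._thread.start()
            return True

    def stop(self) -> bool:
        """Ask the loop to finish and wait for it; False if nothing was running."""
        with self._lock:
            thread = self._thread
            if thread is None or not thread.is_alive():
                return False
            self._stop_event.set()
        thread.join()
        return True

    def query(self) -> Dict[str, object]:
        """Status only; no data moves."""
        with self._lock:
            return {"running": self._thread is not None and self._thread.is_alive(),
                    "ticks": self.ticks, "stored": len(self._frames),
                    "capacity": self._frames.maxlen}

    def collect(self) -> bytes:
        """Serialise and drain the buffer; where the blob goes next is the caller's problem."""
        with self._lock:
            blob = json.dumps(list(self._frames)).encode("utf-8")
            self._frames.clear()
            return blob


if __name__ == "__main__":
    job = ScreengrabJob(lambda: bytes(16), interval=0.05, threshold=0.10, max_items=100)
    print("start:", job.start(), "again:", job.start())   # True, then False
    time.sleep(0.2)
    print("stop:", job.stop(), "status:", job.query())
    print("frames collected:", len(decode_blob(job.collect())))
```

Driving `tick()` by hand shows the gating: identical frames and frames under the 10% threshold are dropped, anything at or above it is kept, and once the deque is full the oldest entry is silently evicted; `query()` reports counts without moving data, and `collect()` is the only call that drains the buffer.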
_______________________________________________ Dailydave mailing list Dailydave@lists.immunityinc.com https://lists.immunityinc.com/mailman/listinfo/dailydave