Persistence using unconventional methods

Ciph3r
2 min read, Apr 9, 2022

In this post I will write about achieving persistence using some unconventional methods. These methods do not use any registry key, and they are more stealthy compared to more mainstream methods. Well, there is only one method, but it works in a lot of software. One requirement is that the PC needs to have certain software installed; these programs are quite common. This method works by changing interpreted code like Python, JS etc.

1. Backdooring Discord

A few months back I hacked Discord after I bypassed their source code integrity checker. Discord was actively checking the SHA-256 of its source code. I modified each and every JavaScript file to find a file that was ignored. Turns out there was a file which was ignored. My exploit added a few lines of code to download a Meterpreter payload and execute it. It got executed, and since Discord runs at boot the malware was really persistent. Also, Defender was quite chill about the malware. Here is a demo: https://www.youtube.com/watch?v=pkV0PRwrVYQ and here is the complete writeup: https://ciph3r.medium.com/hacking-discord-to-get-code-execution-87b190398f29

2. Backdooring software that uses plugins

Plugins are mostly written in an interpreted language such as Python for ease of use. So in theory malware can modify the source code and get persistence. To test my theory I will use a popular 3D software called Blender. I am a 3D artist, so I use this tool a lot. First I located Blender's script directory, which in my case is C:\Users\cipher\AppData\Roaming\Blender Foundation\Blender\2.93\scripts\startup\MSPlugin. I wrote a script to add a few lines of Python code to every Python file there. The code just sends a request to localhost, but it can be anything. Here is the code:

Every time I run Blender I get a request.
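One way to catch this kind of tampering, as an added example that is not the post's code: take a SHA-256 baseline of the whole scripts directory at install time and diff it later, with no ignore list, since the Discord bypass above relied on one file being skipped. The function names and the constructed directory layout are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example; the function names and the constructed directory layout are
# assumptions, not code from the post or from Blender/Discord.

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline_manifest(root: Path) -> dict:
    """Hash every regular file under root. Deliberately no ignore list: the
    Discord bypass in the post relied on exactly one file being skipped."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_against_baseline(root: Path, manifest: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    current = baseline_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
    }

def demo() -> dict:
    """Constructed scenario: a Blender-style startup folder whose baseline is
    taken before a line is appended to one script, as the post describes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        startup = root / "scripts" / "startup" / "MSPlugin"
        startup.mkdir(parents=True)
        (startup / "__init__.py").write_text("def register():\n    pass\n")
        (startup / "ui.py").write_text("import bpy\n")
        manifest = baseline_manifest(root)          # baseline at install time
        with (startup / "ui.py").open("a") as f:    # simulate the tampering
            f.write("# constructed: line appended after the baseline\n")
        return verify_against_baseline(root, manifest)

if __name__ == "__main__":
    print(demo())  # {'added': [], 'removed': [], 'modified': ['scripts/startup/MSPlugin/ui.py']}
```

Run the verify step from a scheduled task or at application start and alert on any non-empty result; the same check applied to a JavaScript tree covers the Discord case.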
