{"id":37141511,"url":"https://github.com/giuliocomi/backoori","last_synced_at":"2026-01-14T16:36:53.798Z","repository":{"id":57244158,"uuid":"215135660","full_name":"giuliocomi/backoori","owner":"giuliocomi","description":"Tool aided persistence via Windows URI schemes abuse","archived":false,"fork":false,"pushed_at":"2020-03-01T12:05:26.000Z","size":41253,"stargazers_count":82,"open_issues_count":0,"forks_count":23,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-06-20T09:11:04.225Z","etag":null,"topics":["golang","pentesting","pentesting-windows","persistence"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/giuliocomi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-10-14T20:08:27.000Z","updated_at":"2024-04-26T08:04:17.000Z","dependencies_parsed_at":"2022-08-31T22:11:02.150Z","dependency_job_id":null,"html_url":"https://github.com/giuliocomi/backoori","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/giuliocomi/backoori","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fbackoori","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fbackoori/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fbackoori/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fbackoori/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/giuliocomi","download_url":"https://codeload.github.com/giuliocomi/backoori/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fbackoori/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28426108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T16:32:27.303Z","status":"ssl_error","status_checked_at":"2026-01-14T16:28:36.419Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","pentesting","pentesting-windows","persistence"],"created_at":"2026-01-14T16:36:53.079Z","updated_at":"2026-01-14T16:36:53.790Z","avatar_url":"https://github.com/giuliocomi.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# backoori\nTool aided persistence via Windows URI schemes abuse\n\u003cbr/\u003e\n\u003ca href=\"https://github.com/giuliocomi/backoori/\"\u003e\u003cimg alt=\"Black Hat Arsenal Europe 2019\" src=\"https://github.com/giuliocomi/backoori/blob/master/badge_arsenal_blackhat_europe_2019.svg\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://raw.githubusercontent.com/empijei/wapty/master/LICENSE\" rel=\"nofollow\"\u003e\u003cimg src=\"https://camo.githubusercontent.com/dcb3a3de32cb31ae6a7edf80d88747f989878809/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d47504c76332d626c75652e737667\" alt=\"License\" data-canonical-src=\"https://img.shields.io/badge/license-GPLv3-blue.svg\" style=\"max-width:100%;\"\u003e\u003c/a\u003e\n\u003cimg alt=\"Twitter Follow\" src=\"https://img.shields.io/twitter/follow/giulio_comi?label=Follow\u0026style=social\"\u003e\n\n![](https://github.com/giuliocomi/backoori/blob/master/backoori_architecture.jpg)\n\n## Why\nBackoori (\"Backdoor the URIs\") is a Proof of Concept tool aimed to automate the fileless URI persistence technique in Windows 10 targets.\n\n## Abstract of the Research behind the tool\nThe widespread adoption of custom URI protocols to launch specific Windows Universal App can be diverted to a nefarious purpose. The URI schemes in Windows 10 can be abused in such a way to maintain persistence via the 'Living off the Land' approach. Backdooring a compromised Windows account in userland context is a matter of seconds. The operation is concealed to the unaware victim thanks to the URI intents being transparently proxyed to the legitimate default application.\nThe subtle fileless payloads can be triggered in many contexts, from the Narrator available in the Windows logon screen (an undocumented Accessibility Feature abuse technique that set off this whole research) to the classical web 'attack surface'.\n\nAll this research started with a novel Accessibility Feature Abuse I discuss here: \n\nhttps://www.secjuice.com/abusing-windows-10-for-fileless-persistence/\n\n### Slides BlackHat Arsenal presentation\nhttps://www.slideshare.net/GiulioComi/windows-10-uri-persistence-technique\n\nhttps://www.blackhat.com/eu-19/arsenal/schedule/#backoori-tool-aided-persistence-via-windows-uri-schemes-abuse-18131\n\n### Demo videos\n1) URI persistence technique: User triggered persistence scenario\nhttps://www.youtube.com/watch?v=oR9cSs6Sw4g\n\n2) URI persistence technique: Hijacking multiple Universal Apps\nhttps://www.youtube.com/watch?v=KLtDuhccfec\u0026t=49s\n\n3) URI persistence technique: Going beyond User triggered persistence via web 'attack surface'\nhttps://www.youtube.com/watch?v=W6FqUx8vi5c\n\n### Features\n1) Implements the Windows 10 URI persistence technique\n2) Standalone\n3) 0 dependencies\n\n### Installation\n```\ngo get github.com/giuliocomi/backoori\ngo run main.go\n```\n#### Cross-Compile\n* Windows x64: $ env GOOS=windows GOARCH=amd64 go build -o backoori main.go\n\n* Linux x64  : $ env GOOS=linux GOARCH=amd64  go build -o backoori main.go\n\n* MacOs x64  : $ env GOOS=darwin GOARCH=amd64  go build -o backoori main.go\n\n[Cross-Compile Instructions](https://www.digitalocean.com/community/tutorials/how-to-build-go-executables-for-multiple-platforms-on-ubuntu-16-04#step-4-%E2%80%94-building-executables-for-different-architectures)\n\n### Usage\n\n```\nBackoori0.92: tool aided persistence via Windows URI schemes abuse\n| Generate a ready-to-launch Powershell agent that will backdoor specific Universal URI Apps with fileless payloads of your choice.\n|  -help\n|        Display help details\n|  -online string\n|       Provide 'true' if wants agent to fetch the payloads via the webserver, 'false' otherwise to store the payloads directly in the agent PS file (default \"false\")\n|  -payloads string\n|       Provide the JSON filename containing the payloads to use in the backdoored gadgets (default \"./resources/payloads_sample.json\")\n|  -protocols string\n|       Provide the JSON filename containing the URI protocols to backdoor on the target system (default \"./resources/uri_protocols_sample.json\")\n|  -psversion int\n|       Provide the Powershell version that the agent will use for the payloads (recommended v2) (default 3)\n```\n\n### Example Output\n* *Golang cli*\n\n![](https://imgur.com/zAI1Rdf.png)\n\n* *Powershell agent output*\n![](https://imgur.com/jYWo83T.png)\n\n### How to add more payloads\nThe template of the payloads can be specified via -payloads flag (the default file is ./resources/payloads_sample.json).\nYou can place any payload you wish in the JSON file but you need to follow the conventions of other samples to set at program runtime the value you wish for certain placeholder.\n\n```\ne.g. {{IP}}, {{COMMAND}}, {{PORT}}, {{FILENAME}}, etc.\n```\n\n### How to test\nThe tool will make irreversible changes to the registry and manual repair is necessary :-).\nPlease test it on a VM or within the new Windows Sandbox App.\n\n### Possible next steps\n* [ ] Adding logging and symmetric payload encryption to the web server that deploys the gadgets\n* [ ] Support gadget interactions\n* [ ] Convert this standalone project to a Metasploit module\n\n## Issues\nSpot a bug? Please create an issue here on GitHub (https://github.com/giuliocomi/backoori/issues)\n\n## License\nThis project is licensed under the  GNU general public license Version 3.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiuliocomi%2Fbackoori","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgiuliocomi%2Fbackoori","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiuliocomi%2Fbackoori/lists"}