{"id":17181142,"url":"https://github.com/rokups/virtual-reality","last_synced_at":"2025-06-18T20:36:38.911Z","repository":{"id":57962633,"uuid":"169395906","full_name":"rokups/virtual-reality","owner":"rokups","description":"Stealthy backdoor for Windows operating systems","archived":false,"fork":false,"pushed_at":"2020-02-13T14:11:36.000Z","size":503,"stargazers_count":278,"open_issues_count":1,"forks_count":45,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-06-17T02:55:00.471Z","etag":null,"topics":["backdoor","metasploit","netsec","netsec-tools","windows"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rokups.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-06T11:29:22.000Z","updated_at":"2025-06-08T01:21:37.000Z","dependencies_parsed_at":"2022-09-08T11:13:55.655Z","dependency_job_id":null,"html_url":"https://github.com/rokups/virtual-reality","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rokups/virtual-reality","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rokups%2Fvirtual-reality","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rokups%2Fvirtual-reality/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rokups%2Fvirtual-reality/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rokups%2Fvirtual-reality/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rokups","download_url":"https://codeload.github.com/rokups/virtual-real
ity/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rokups%2Fvirtual-reality/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260629829,"owners_count":23038995,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","metasploit","netsec","netsec-tools","windows"],"created_at":"2024-10-15T00:33:09.787Z","updated_at":"2025-06-18T20:36:33.894Z","avatar_url":"https://github.com/rokups.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"Virtual Reality\r\n===============\r\n\r\nThis is a backdoor project for Windows operating systems.\r\n\r\n## Intended audience\r\n\r\nThis is a proof-of-concept stealthy backdoor aimed at aiding red teams in maintaining\r\ncontrol of their targets during the security evaluation process. The project also intends\r\nto expose ways to abuse standard features.\r\n\r\n## Features\r\n\r\nExtremely stealthy backdoor for the Windows platform.\r\n\r\n* ICMP-PING backdoor. Passively listens for incoming pings and executes shellcode\r\ndelivered in the ping payload.\r\n* HTTP backdoor using steganographically encoded images hosted on imgur.com\r\n* Grand-theft-socket - a payload for executing shellcode through the socket of an existing\r\nservice.\r\n* Runs on anything from XP to W10\r\n\r\n## Details\r\n\r\n* Small size by using tinystl and avoiding the standard C++ STL\r\n* Cooperative multitasking achieved by using Windows fibers\r\n* Permissively licensed, including all dependencies\r\n\r\n## Build instructions\r\n\r\n1. 
(Optional) Download the appropriate [VC-LTL](https://github.com/Chuyu-Team/VC-LTL/releases)\r\nand extract it to the `VC-LTL` folder.\r\n2. `git clone https://github.com/rokups/virtual-reality`. Now you have two folders next to\r\neach other: `VC-LTL` and `virtual-reality`.\r\n3. `mkdir cmake-build; cd cmake-build`.\r\n4. `cmake -DCMAKE_BUILD_TYPE=MinSizeRel ../virtual-reality`.\r\n5. `cmake --build . --config MinSizeRel`. Note that VC-LTL does not support debug builds.\r\nDo not build the `Debug` configuration, or ensure that the `_DEBUG` preprocessor symbol is undefined.\r\n6. Payloads are found in the `cmake-build/bin` directory.\r\n\r\nVC-LTL is used for linking to `msvcrt.dll` and greatly reducing executable sizes.\r\n\r\nMinGW builds are deprecated. They may work or may be broken. The reason for this is that\r\nexecutables built with MinGW crash when used in some injection techniques. I did not\r\ncare enough to figure it out.\r\n\r\n## Instructions\r\n\r\nModify `config.h` to suit your needs.\r\n\r\nUse `vr.py` to interact with the backdoor.\r\n\r\n### Shellcode payload\r\n\r\n`vr.py shellcode path/to/shellcode.bin` reads shellcode into the script's memory.\r\nOn its own this is useless, so combine it with other commands. You may\r\nuse `-` instead of a path in order to read shellcode from `stdin`.\r\n\r\n### Ping transport\r\n\r\n`msfvenom \u003c...\u003e | vr.py shellcode - -- ping 192.168.0.1` reads shellcode from\r\n`stdin` and sends it via icmp-ping to `192.168.0.1`. The backdoor running on that\r\nmachine will execute this shellcode.\r\n\r\nThe shellcode will be delivered to the target by sending it as the ICMP-PING packet payload.\r\n\r\n![ping-demo](https://user-images.githubusercontent.com/19151258/52339219-2c742600-2a15-11e9-95b0-212485421e35.png)\r\n\r\nThe content of the packet appears to be random. 
The only give-away that something is up\r\nis a rather big packet size, although it is possible to customize the packet size\r\nusing the ping utility or to specify a custom payload (Linux).\r\n\r\n### imgur.com transport\r\n\r\n`msfvenom \u003c...\u003e | vr.py shellcode - -- png path/to/image.png` reads shellcode\r\nfrom `stdin` and encodes it into the specified `image.png`. This image must exist and\r\nit must be in RGB format (no alpha). The resulting image should be uploaded to\r\nhttps://imgur.com/ and tagged with one or more tags, one of which must be\r\nthe tag specified in `config.h`.\r\n\r\nThe shellcode will be encoded into the specified image by altering the last two bits of\r\neach color component in the target image. 1 byte needs 4 color components\r\nto be encoded and thus requires 1.(3) pixels. Encoded images are indistinguishable\r\nfrom the original to the naked eye. The backdoor queries the imgur API to list images\r\ntagged with the configured tag. Every new image is downloaded and inspected for\r\nan encoded payload.\r\n\r\n![steg-demo](https://user-images.githubusercontent.com/19151258/52338654-adcab900-2a13-11e9-9887-3a55cde9dc36.png)\r\n\r\nLeft - original image. Right - image with the encoded payload. Bottom - difference mask.\r\nA 120x75 image was used. As you can see, only a tiny portion of the pretty small image is used\r\nto encode a 449-byte payload.\r\n\r\n### Grand-theft-socket\r\n\r\nThis is a technique meant to backdoor a machine where:\r\n1. A public service is listening (TCP).\r\n2. No outgoing traffic is allowed.\r\n\r\nThe `gts.dll` payload is meant to be injected into the process of a service that listens on a public\r\ninterface. This payload hooks the `WSAAccept()` function and allows creating a meterpreter\r\nsession through the listening socket of an already existing service while still allowing\r\nnormal traffic to flow as if nothing has happened.\r\n\r\nWhen a new connection is being made, the payload does the following:\r\n1. 
Looks for a `tcp_knock` command and, if found, whitelists the command sender and terminates the connection.\r\n2. When a connection comes from a whitelisted IP address:\r\n  1. Spawn a new process.\r\n  2. `WSADuplicateSocket()` the newly connected socket into the newly created process.\r\n  3. The new process will read the shellcode size, then the shellcode itself, and execute the received shellcode.\r\n  4. Simulate disconnection by returning `INVALID_SOCKET` with the `WSAECONNRESET` error to the host process.\r\n  5. Clear the whitelisted address. A new knock will be required for executing the next payload.\r\n3. When a connection is made from a non-whitelisted address and no `tcp_knock` is received,\r\nhand the connection back to the host.\r\n\r\nUsage:\r\n1. On the target host - inject `gts.dll` into the process that accepts connections.\r\n2. On the source host - execute `vr.py tcp_knock target_ip_address service_port`.\r\n3. On the source host - execute the `meterpreter/bind_tcp` payload with `RHOST=target_ip_address`\r\nand `LPORT=service_port` within 30 seconds of sending `tcp_knock`.\r\n4. Observe that you just received a meterpreter session.\r\n\r\n### Keylogger\r\n\r\nThe keylogger module works by injecting a DLL into a process that runs in the user's session.\r\nIt is injected into explorer.exe by default. Only one injection per user session will\r\nbe active. The keylogger monitors the user's keystrokes and clipboard and writes the contents into\r\nthe file `C:\\Windows\\Temp\\????????-????-????-????-????????????.N` where `?` is `[A-F0-9]`\r\nand `N` is a number (starting from 0). This file is a zip archive with the first two bytes\r\nzeroed out. In order to access the logs, the user should download the file and restore the first two\r\nbytes, which are `PK`. Removing the file will cause the keylogger to create a new archive the next\r\ntime any logs are available. The keylogger thread exits and frees its memory if the main\r\nbackdoor terminates.\r\n\r\n## Security\r\n\r\nThe payload is always obfuscated using the RC4 algorithm. 
As you probably have guessed\r\nreplay attacks are a thing against this backdoor. Also, backdoor may be controlled\r\nby a rival blue team if they have reverse-engineered sample and recovered RC4\r\nkey. Utmost security is not the point of this project. If the blue team is on to the\r\nbackdoor - nothing will save it anyway.\r\n\r\n## Recommendations\r\n\r\n* If possible - filter out ICMP-PING packets within the firewall\r\n* Take a proactive approach in monitoring your networks. Log everything and\r\nlook for abnormalities. Chances are your servers have no business querying\r\nimgur.com or similar social media domains.\r\n* Periodically scan your critical services for inline hooks.\r\n\r\n## etc\r\n\r\nQ: Why this name? This has nothing to do with virtual reality.\r\n\r\nA: Nothing at all. And no reason really. Naming is hard.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frokups%2Fvirtual-reality","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frokups%2Fvirtual-reality","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frokups%2Fvirtual-reality/lists"}