Payload Hiding
In certain circumstances it may be desirable for the mass storage device enumerated by the target when using ATTACKMODE STORAGE not to contain an inject.bin payload file on its root. To that end, the HIDE_PAYLOAD and RESTORE_PAYLOAD commands may come in handy.

The HIDE_PAYLOAD command will remove the inject.bin file (and seed.bin file, if it too exists) from the root of the MicroSD card.

The HIDE_PAYLOAD and RESTORE_PAYLOAD commands must be executed before entering an ATTACKMODE STORAGE state.

REM Example payload hiding and restoring
ATTACKMODE OFF
BUTTON_DEF
ATTACKMODE OFF
RESTORE_PAYLOAD
ATTACKMODE STORAGE
END_BUTTON
HIDE_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
STRING Nothing to see here...

- Upon first enumeration, the attached computer will not be able to see the inject.bin or seed.bin files on the USB Rubber Ducky storage.
- Pressing the button will re-enumerate the USB Rubber Ducky storage with both files visible once more.

The RESTORE_PAYLOAD command will write the currently running payload from volatile memory, including the values for all stored variables, to the disk as inject.bin.

Executing the HIDE_PAYLOAD command will erase the running payload from the disk. If no subsequent RESTORE_PAYLOAD command is executed before detaching the USB Rubber Ducky, the payload will not appear on the disk.