Payload Hiding

Overview

In certain circumstances it may be desirable for the mass storage device enumerated by the target when using ATTACKMODE STORAGE not to contain an inject.bin payload file on its root. To that end, the HIDE_PAYLOAD and RESTORE_PAYLOAD commands may come in handy.

HIDE_PAYLOAD and RESTORE_PAYLOAD

The HIDE_PAYLOAD command will remove the inject.bin file (and seed.bin file, if it too exists) from the root of the MicroSD card.

The HIDE_PAYLOAD and RESTORE_PAYLOAD commands must be executed before entering an ATTACKMODE STORAGE state.

Example

REM Example payload hiding and restoring
ATTACKMODE OFF

BUTTON_DEF
    ATTACKMODE OFF
    RESTORE_PAYLOAD
    ATTACKMODE STORAGE
END_BUTTON

HIDE_PAYLOAD
ATTACKMODE HID STORAGE
DELAY 2000
STRING Nothing to see here...

Result

Upon first enumeration, the attached computer will not be able to see the inject.bin or seed.bin files on the USB Rubber Ducky storage.
Pressing the button will re-enumerate the USB Rubber Ducky storage with both files visible once more.

The RESTORE_PAYLOAD command will write the currently running payload from volatile memory, including the values for all stored variables, to the disk as inject.bin.

Executing the HIDE_PAYLOAD command will erase the running payload from the disk. If no subsequent RESTORE_PAYLOAD command is executed before detaching the USB Rubber Ducky, the payload will not appear on the disk.

Last updated 2 years ago