This is a daemon process which make a program runing all time.
3vilGu4rd is a persistent maintenance tool. It is written in VBS and packaged into a binary file with a VBE suffix. In theory, all systems after xp can run. After testing, the persistent can be maintained normally in win7, win server 2008, win2019, win10 and win11.
You can upload it to the victim's host when you get the host persistent, run the program, and specify the backdoor Trojan or other commands to maintain the persistent. The operation method is as follows:
-
Upload the daemon 3vilGu4rd.vbe to the target host, and then upload the Trojan to the victim host (remote.exe, custom path)
-
Use CS shell to remotely call 3vilGu4rd.vbe to guard our Trojan program.
3vilGu4rd.vbe (absolute path / Relative path of Trojan) [process name]
- Double-click to run the program or use the shell to directly call the program, and the usage and precautions of the program will pop up. Do not execute directly in actual combat
- "Mother-child" type daemon process, the mother program has no shellcode or malicious code, reducing the risk of the mother program being discovered
- The subroutine has a single function, reducing the detection of malicious programs caused by heuristic detection
- Dynamic generation, using the "avalanche effect", the Hash value of each generated file is different
- The program self-destructs, the program will self-destruct after executing the function, leaving no trace
- The Trojan will restart when the user log out or restart the machine
- VBE format, good versatility, in theory, the system after XP can be used. VBE format is the encrypted version of VBS, the program code and encryption are relatively difficult to crack
- At present, it can bypass the detection of domestic anti-software (non-Trojan programs)