Skip to content

TheRealAlexandre/Rawmote

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
afd.inc
afd.inc
 
 
main.asm
main.asm
 
 
ntsyscalls.inc
ntsyscalls.inc
 
 
system.inc
system.inc
 
 
utils.inc
utils.inc
 
 

Repository files navigation

Raw AFD Remote Shell (Windows x64 Assembly)

This project implements a remote shell using the Windows AFD (Ancillary Function Driver) interface through direct NT syscalls, without WinSock, without imports, and without any high‑level networking APIs. All socket operations—endpoint creation, binding, connecting, and data exchange—are performed through explicit NtCreateFile and NtDeviceIoControlFile interactions with the AFD driver.

The objective is to demonstrate low‑level TCP communication and remote command execution.

🔥 Features

  • No WinSock, no CRT, no imports

  • AFD endpoint creation via NtCreateFile

  • Networking performed through AFD IOCTLs

  • Dynamic API lookup using a ROR13 hash resolver

  • Remote shell launched through CreateProcessA with inherited std handles

    • STDIN → socket
    • STDOUT → socket
    • STDERR → socket

📁 Project Structure

├── main.asm             # Entry point and control flow
├── utils.inc            # inet_addr, strcmp, unicode length, etc.
├── ntsyscalls.inc       # NT syscall identifiers
├── afd.inc              # AFD IOCTL definitions
├── system.inc           # PE64 structures and system helpers

⚙️ How It Works (High-Level Overview)

1. AFD Endpoint Creation

NtCreateFile is used to open an AFD endpoint located at:

\Device\Afd\Endpoint

2. Binding and Connecting

AFD network operations are performed through specific IOCTLs:

  • IOCTL_AFD_BIND (0x12003)
  • IOCTL_AFD_CONNECT (0x12007)

The code constructs the expected data structures and passes them directly to the driver.

3. I/O Handling

Socket I/O relies on:

NtDeviceIoControlFile
NtWaitForSingleObject
NtClearEvent

These calls manage request submission, pending states, and event signaling.

4. Shell Creation

CreateProcessA is resolved dynamically using the ROR13 hashing routine. The created process inherits the socket as its standard handles, resulting in an interactive remote session with cmd.exe.

🔧 Build Instructions

Requires FASM.

Example:

fasm main.asm shell.exe

🧪 Testing

  1. Start a listener using ncat -l <port>.
  2. Update the IP and port inside the assembly code (default: 127.0.0.1:80).
  3. Execute the compiled binary.
  4. Interact with the remote CMD session.

⚠️ Legal Disclaimer

This project is intended strictly for research and educational purposes, including:

  • Windows internal architecture
  • Low-level networking
  • Syscall-level communication
  • Detection and anti-detection research

Unauthorized use on systems without permission is illegal.

📜 License

MIT License — use, modify, and experiment freely for research or learning.

About

Low-level Windows x64 assembly project implementing raw AFD socket operations, direct syscalls, and a minimal remote shell without WinSock or imports. Includes a custom API resolver, and fully handcrafted networking logic.

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages