Modified fileless exe method by providing Windows DLL files that can be wrapped using C#. Updated README.

Author: doxx

Makefile

@@ -1,9 +1,9 @@
-.PHONY: all clean build-all checksums
+.PHONY: all clean build-all checksums build-dll
 
 # Define platforms and output settings
 OUTPUT_DIR=bin
 
-all: build-all checksums
+all: build-all build-dll checksums
 
 build-all:
 	mkdir -p $(OUTPUT_DIR)
@@ -27,6 +27,28 @@ build-all:
 	GOOS=windows GOARCH=amd64 go build -o $(OUTPUT_DIR)/darkflare-client-windows-amd64.exe client/main.go
 	GOOS=windows GOARCH=amd64 go build -o $(OUTPUT_DIR)/darkflare-server-windows-amd64.exe server/main.go
 
+# New target for DLL builds
+build-dll:
+	mkdir -p $(OUTPUT_DIR)/dll
+	# Windows AMD64 DLL
+	CGO_ENABLED=1 GOOS=windows GOARCH=amd64 \
+	CC="x86_64-w64-mingw32-gcc" \
+	CGO_CFLAGS="-I/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-x86_64/x86_64-w64-mingw32/include" \
+	CGO_LDFLAGS="-L/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-x86_64/x86_64-w64-mingw32/lib" \
+	go build --buildmode=c-shared \
+		-ldflags="-s -w" \
+		-o $(OUTPUT_DIR)/dll/darkflare-client-windows-amd64.dll \
+		client/main.go
+	# Windows 386 DLL
+	CGO_ENABLED=1 GOOS=windows GOARCH=386 \
+	CC="i686-w64-mingw32-gcc" \
+	CGO_CFLAGS="-I/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-i686/i686-w64-mingw32/include" \
+	CGO_LDFLAGS="-L/opt/homebrew/Cellar/mingw-w64/12.0.0_1/toolchain-i686/i686-w64-mingw32/lib" \
+	go build --buildmode=c-shared \
+		-ldflags="-s -w" \
+		-o $(OUTPUT_DIR)/dll/darkflare-client-windows-386.dll \
+		client/main.go
+
 checksums:
 	cd $(OUTPUT_DIR) && \
 	echo "# DarkFlare Binary Checksums" > checksums.txt && \
@@ -35,10 +57,10 @@ checksums:
 	( \
 		if command -v sha256sum >/dev/null 2>&1; then \
 			echo "Using sha256sum" && \
-			sha256sum * >> checksums.txt; \
+			find . -type f ! -name checksums.txt -exec sha256sum {} \; >> checksums.txt; \
 		else \
 			echo "Using shasum" && \
-			shasum -a 256 * >> checksums.txt; \
+			find . -type f ! -name checksums.txt -exec shasum -a 256 {} \; >> checksums.txt; \
 		fi \
 	)
 

README.md

@@ -295,72 +295,20 @@ Then simply:
 ssh remote-server
 ```
 
+## 🔒 Windows Fileless Execution
 
-## 🧙 Fileless Execution
-
-DarkFlare supports fileless execution on Windows systems using PowerShell, allowing you to run the client without saving any files to disk. This is particularly useful in restricted environments where:
-- You don't have write permissions to the local system
-- Security policies prevent executing downloaded binaries
-- You need to leave no traces on the filesystem
-- You want to run the client without installation or cleanup
-
-### PowerShell Memory Execution
-Save this as `memory-exec.ps1` or download from examples/:
-```powershell
-# See examples/memory-exec.ps1 in the repository
-param (
-    [Parameter(Mandatory=$true)]
-    [string]$t,
-    [Parameter(Mandatory=$true)]
-    [string]$d,
-    [Parameter(Mandatory=$false)]
-    [string]$l = "stdin:stdout",
-    [Parameter(Mandatory=$false)]
-    [string]$p
-)
-
-$url = "https://github.com/doxx/darkflare/releases/latest/download/darkflare-client-windows-amd64.exe"
-$webClient = New-Object System.Net.WebClient
-$bytes = $webClient.DownloadData($url)
-$assembly = [System.Reflection.Assembly]::Load($bytes)
-$args = @("-l", $l, "-t", $t, "-d", $d)
-if ($p) { $args += @("-p", $p) }
-$assembly.EntryPoint.Invoke($null, @(,[string[]]$args))
-```
+For scenarios requiring fileless operation on Windows systems, DarkFlare provides DLL variants that can be loaded directly into memory:
 
-### Usage Examples
+Location: `bin/dll/`
+- `darkflare-client-windows-386.dll` (32-bit)
+- `darkflare-client-windows-amd64.dll` (64-bit)
 
-1. Direct SSH connection using ProxyCommand:
-```bash
-ssh -o ProxyCommand="powershell -ExecutionPolicy Bypass -File memory-exec.ps1 -t cdn.example.com -d localhost:22" user@remote
-```
+These DLLs can be embedded within C# or C++ applications for memory-only execution, making them suitable for situations where disk writes need to be avoided.
 
-2. One-liner for immediate execution (no script file needed):
-```powershell
-$script = (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/doxx/darkflare/main/examples/memory-exec.ps1'); 
-powershell -Command $script -t cdn.example.com -d localhost:22
-```
+For implementation details and examples, see:
+- [Embedding Golang Tools in C#/C++](https://medium.com/@shantanukhande/red-team-how-to-embed-golang-tools-in-c-e269bf33876a)
 
-3. With a SOCKS5 proxy:
-```powershell
-powershell -ExecutionPolicy Bypass -File memory-exec.ps1 -t cdn.example.com -d localhost:22 -p socks5://proxy:1080
-```
-
-### Benefits
-- **No Installation Required**: Run directly from memory without installing
-- **No Filesystem Traces**: Leaves no artifacts on the local system
-- **Bypass Restrictions**: Works in environments with strict file execution policies
-- **Easy Cleanup**: No files to remove after use
-- **Latest Version**: Always downloads the latest release
-- **Portable**: Can be run from any PowerShell prompt with internet access
-
-### Security Considerations
-- Only download from trusted sources over HTTPS
-- Consider adding checksum verification for enhanced security
-- Be aware that some security software may detect/block memory execution
-- Use only in environments where you have permission to do so
-- The binary is still downloaded, just not saved to disk
-- Network administrators may still see the download traffic
+⚠️ Note: This feature should only be used in legitimate testing scenarios with proper authorization.
 
 ## 📖 Command Line Reference
 

bin/checksums.txt

@@ -1,14 +1,15 @@
 # DarkFlare Binary Checksums
-# Generated: Mon Dec 23 17:06:48 UTC 2024
+# Generated: Tue Jan  7 15:20:19 UTC 2025
 
-77b1046247f2ad10c0674197a71f4b2c5cc1e09dd9e02630dee8db5e106786d9  checksums.txt
-14705381b2991a46ecfe71682b3e0ff8e4189aab025a8b345d29f018ba514710  darkflare-client-darwin-amd64
-d6d7711419853958e955b500fcc3e1a212cf4c8e69ba9b8d1426c04a7a275e91  darkflare-client-darwin-arm64
-a377734c31105f0178a1f6ec2c2e1d91116c5aeba9bbfc79c7cdbdfe070ff685  darkflare-client-linux-amd64
-530aba39b34abdcf44b95f6eb1797f95e6484edaa1e790d6777138f7f8f7cbb9  darkflare-client-linux-arm64
-89baf3b59620b321cc888a6a7e5e8d04b2544c6dd1d4350289f0cba06a157367  darkflare-client-windows-amd64.exe
-cdf29af875438dbb991398f4331290299acb2676ba3e2cd93a945a1f67fde6f7  darkflare-server-darwin-amd64
-c7da08b1666b8adf1fc1f3bd6aba70b1c0a671903b8350d0a449316fa7384229  darkflare-server-darwin-arm64
-5baabce34c6460ab34e521d810d273a15214478ac28ddc5173e97508b4553e08  darkflare-server-linux-amd64
-adc8509157eec206a35521bd4350348b0b91be03a0ec154a80ef919973adf49a  darkflare-server-linux-arm64
-894b84c82a4a750b71446301820535edf142552ff18f49983a368fb99c52ad81  darkflare-server-windows-amd64.exe
+c7da08b1666b8adf1fc1f3bd6aba70b1c0a671903b8350d0a449316fa7384229  ./darkflare-server-darwin-arm64
+894b84c82a4a750b71446301820535edf142552ff18f49983a368fb99c52ad81  ./darkflare-server-windows-amd64.exe
+d6d7711419853958e955b500fcc3e1a212cf4c8e69ba9b8d1426c04a7a275e91  ./darkflare-client-darwin-arm64
+89baf3b59620b321cc888a6a7e5e8d04b2544c6dd1d4350289f0cba06a157367  ./darkflare-client-windows-amd64.exe
+adc8509157eec206a35521bd4350348b0b91be03a0ec154a80ef919973adf49a  ./darkflare-server-linux-arm64
+530aba39b34abdcf44b95f6eb1797f95e6484edaa1e790d6777138f7f8f7cbb9  ./darkflare-client-linux-arm64
+5baabce34c6460ab34e521d810d273a15214478ac28ddc5173e97508b4553e08  ./darkflare-server-linux-amd64
+cdf29af875438dbb991398f4331290299acb2676ba3e2cd93a945a1f67fde6f7  ./darkflare-server-darwin-amd64
+14705381b2991a46ecfe71682b3e0ff8e4189aab025a8b345d29f018ba514710  ./darkflare-client-darwin-amd64
+55d66950ba24f831185b239bcd5d3b10472de5f905944a9b172f1b90a04cde4a  ./dll/darkflare-client-windows-amd64.dll
+ae697bb86934dc7788edbb72fb5089c75403be9b1b9da4cc8cfad8dcbabf8011  ./dll/darkflare-client-windows-386.dll
+a377734c31105f0178a1f6ec2c2e1d91116c5aeba9bbfc79c7cdbdfe070ff685  ./darkflare-client-linux-amd64