@@ -219,6 +219,84 @@ ssh -o ProxyCommand="darkflare-client -l stdin:stdout -t cdn.example.com -d loca
219219- Maintains end-to-end encryption
220220- Traffic still appears as normal HTTPS to observers
221221
222+ ## 🧙 Fileless Execution
223+
224+ DarkFlare supports fileless execution on Windows systems using PowerShell, allowing you to run the client without saving any files to disk. This is particularly useful in restricted environments where:
225+ - You don't have write permissions to the local system
226+ - Security policies prevent executing downloaded binaries
227+ - You need to leave no traces on the filesystem
228+ - You want to run the client without installation or cleanup
229+
230+ ### PowerShell Memory Execution
231+ Save this as ` memory-exec.ps1 ` or download from examples/:
232+ ``` powershell
233+ # See examples/memory-exec.ps1 in the repository
234+ param (
235+ [Parameter(Mandatory=$true)]
236+ [string]$t,
237+ [Parameter(Mandatory=$true)]
238+ [string]$d,
239+ [Parameter(Mandatory=$false)]
240+ [string]$l = "stdin:stdout",
241+ [Parameter(Mandatory=$false)]
242+ [string]$p
243+ )
244+
245+ $url = "https://github.com/doxx/darkflare/releases/latest/download/darkflare-client-windows-amd64.exe"
246+ $webClient = New-Object System.Net.WebClient
247+ $bytes = $webClient.DownloadData($url)
248+ $assembly = [System.Reflection.Assembly]::Load($bytes)
249+ $args = @("-l", $l, "-t", $t, "-d", $d)
250+ if ($p) { $args += @("-p", $p) }
251+ $assembly.EntryPoint.Invoke($null, @(,[string[]]$args))
252+ ```
253+
254+ ### Usage Examples
255+
256+ 1 . Direct SSH connection using ProxyCommand:
257+ ``` bash
258+ ssh -o ProxyCommand=" powershell -ExecutionPolicy Bypass -File memory-exec.ps1 -t cdn.example.com -d localhost:22"
259+ ```
260+
261+ 2 . One-liner for immediate execution (no script file needed):
262+ ``` powershell
263+ $script = (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/doxx/darkflare/main/examples/memory-exec.ps1');
264+ powershell -Command $script -t cdn.example.com -d localhost:22
265+ ```
266+
267+ 3 . With a SOCKS5 proxy:
268+ ``` powershell
269+ powershell -ExecutionPolicy Bypass -File memory-exec.ps1 -t cdn.example.com -d localhost:22 -p socks5://proxy:1080
270+ ```
271+
272+ ### Benefits
273+ - ** No Installation Required** : Run directly from memory without installing
274+ - ** No Filesystem Traces** : Leaves no artifacts on the local system
275+ - ** Bypass Restrictions** : Works in environments with strict file execution policies
276+ - ** Easy Cleanup** : No files to remove after use
277+ - ** Latest Version** : Always downloads the latest release
278+ - ** Portable** : Can be run from any PowerShell prompt with internet access
279+
280+ ### Security Considerations
281+ - Only download from trusted sources over HTTPS
282+ - Consider adding checksum verification for enhanced security
283+ - Be aware that some security software may detect/block memory execution
284+ - Use only in environments where you have permission to do so
285+ - The binary is still downloaded, just not saved to disk
286+ - Network administrators may still see the download traffic
287+
288+ ### SSH Configuration
289+ For persistent SSH configuration, add to your ` ~/.ssh/config ` :
290+ ```
291+ Host remote.example.com
292+ ProxyCommand powershell -ExecutionPolicy Bypass -File C:/path/to/memory-exec.ps1 -t cdn.example.com -d localhost:22
293+ ```
294+
295+ Or for truly fileless operation:
296+ ```
297+ Host remote.example.com
298+ ProxyCommand powershell -Command "$script = (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/doxx/darkflare/main/examples/memory-exec.ps1'); powershell -Command $script -t cdn.example.com -d localhost:22"
299+ ```
222300
223301## 📖 Command Line Reference
224302
0 commit comments