0xROOTPLS/Hostless

Hostless

Hostless is a PoC that runs Linux ELF binaries on Windows systems without leaving artifacts on the host filesystem. It leverages Hyper-V to create an isolated execution environment with full network (and optional filesystem) access to the host system.

Features

  • Zero Host Footprint - ELF payload runs within an isolated Alpine Linux VM, invisible to the host
  • Automated - Handles all VM configuration, no user interaction required
  • Defensive - Watchdogs, init scripts, scheduled tasks, and permission modifications actively protect the payload & VM.
  • Network Integration - Full TCP/UDP access to host network via Hyper-V Default Switch
  • Filesystem Access - Full C:/ drive access to host PC via SMB (optional)
  • Silent Operation - Zero UI or minimal progress bar (optional)

Requirements

  • Windows 10/11 Pro, Enterprise, or Education (Hyper-V capable)
  • Administrator privileges
  • Internet

Configuration

Edit defines at the top of hyperv_setup.c:

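| Option       | Default     | Description                                      |
|--------------|-------------|--------------------------------------------------|
| ENABLE_SMB   | 0           | Enable Windows filesystem access from VM         |
| g_ui_mode    | UI_PROGRESS | UI_PROGRESS for progress bar, UI_NONE for silent |
| VM_MEMORY_MB | 256         | VM memory allocation                             |
| VM_DISK_MB   | 512         | Virtual disk size                                |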

Embedding Your Payload

  1. Place your Linux ELF binary as shell.elf in the project directory

  2. Run the embedding script:

         python embed_elf.py

  3. Rebuild the executable

  4. Setup Phase - Enables Hyper-V, creates minimal Alpine VM

  5. Deployment Phase - Transfers ELF via HTTP, configures persistence

  6. Runtime - VM runs silently, watchdog ensures availability

Network Access

The VM receives an IP on the Hyper-V Default Switch NAT network:

  • Full outbound internet access
  • Can reach Windows host via gateway IP
  • Supports all TCP/UDP protocols

Optional: Filesystem Access

Set ENABLE_SMB 1 to mount the Windows C:\ drive inside the VM at /mnt/win. This creates a local service account for authentication.

Files Created

| Location       | Purpose               |
|----------------|-----------------------|
| %TEMP%\Alp\    | VM disk and ISO cache |
| Task Scheduler | VM watchdog task      |
| Registry       | Installation state    |

Uninstallation

    # Stop and remove VM
    Stop-VM -Name "AlpineRunner" -Force
    Remove-VM -Name "AlpineRunner" -Force

    # Remove files
    Remove-Item "$env:TEMP\Alp" -Recurse -Force

    # Remove scheduled task
    schtasks /Delete /TN "Microsoft\Windows\Maintenance\SystemTask" /F

    # Remove registry key
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule" -Name "MaintenanceState"

    # Re-enable Hyper-V Manager (if locked)
    icacls "C:\Windows\System32\virtmgmt.msc" /remove:d Everyone
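
The artifacts named under Files Created and Uninstallation can be checked for without changing anything on the host. The read-only PowerShell audit below is an added example, not part of the Hostless project; it assumes an elevated prompt, and the extra Temp locations it scans (other user profiles and the system Temp directory) are an assumption, since the page only gives %TEMP%\Alp.

```powershell
# Added example (not from the Hostless repo): read-only audit for the host
# artifacts named in this README. Run elevated; it changes nothing.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Artifact, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Detail = $Detail })
}

# VM name used by the uninstall commands (needs the Hyper-V module).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $vm = Get-VM -Name 'AlpineRunner' -ErrorAction SilentlyContinue
    if ($vm) { Add-Finding 'Hyper-V VM' "AlpineRunner (state: $($vm.State))" }
}

# Watchdog task, with its actions so the launcher path is visible.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Maintenance\' `
    -TaskName 'SystemTask' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'Scheduled task' "\Microsoft\Windows\Maintenance\SystemTask -> $actions"
}

# Installation-state registry value.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule'
$reg = Get-ItemProperty -Path $key -Name 'MaintenanceState' -ErrorAction SilentlyContinue
if ($reg) { Add-Finding 'Registry value' "MaintenanceState = $($reg.MaintenanceState)" }

# VM disk and ISO cache. Assumption: besides the current %TEMP%, also look in
# every user profile's Temp and in the system Temp directory.
$dirs = @("$env:TEMP\Alp", "$env:SystemRoot\Temp\Alp") + @(
    Get-ChildItem "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp\Alp' })
$dirs | Select-Object -Unique | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Add-Finding 'VM disk/ISO cache' $_ }

# Deny ACE for Everyone (SID S-1-1-0) on the Hyper-V Manager console.
$msc = "$env:SystemRoot\System32\virtmgmt.msc"
if (Test-Path -LiteralPath $msc) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $deny = (Get-Acl -LiteralPath $msc).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' }
    if ($deny) { Add-Finding 'File ACL' "Deny ACE for Everyone on $msc" }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the listed artifacts were found.' }
```

The names checked are the ones this README shows; a rebuilt copy could use different ones, so an empty result does not prove absence.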

Hostless - Because the best place to hide is nowhere at all.

About

A PoC which installs an isolated, persistent backdoor inside a Hyper-V virtual machine.
