This repository has been archived by the owner on Sep 19, 2023. It is now read-only.

Bypassing

decryller edited this page Aug 9, 2023 · 1 revision

Wraith itself leaves no traces and is completely safe to run; however, I'll go the extra mile and tackle the only "detection" I've found, which is deletion-related.
If Wraith's directory is called "wraith", the self-destruct will delete the whole directory.
Otherwise, it will just delete the AppImage.

// For people who compiled it from source. | Deletes the whole directory if it's called "wraith".
if (std::filesystem::current_path().filename() == "wraith") 
	std::filesystem::remove_all(std::filesystem::current_path());

else // For people who just downloaded the AppImage. | Delete the binary regardless of the name.
	std::filesystem::remove(std::filesystem::current_path() / &argv[0][2]);

This causes the directory's change and modification dates (ctime and mtime) to be updated to the self-destruct date (I haven't found a way of deleting the file that bypasses this).
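
The timestamp side effect described above can be observed from the reviewing side. The following is an added example, not part of Wraith or of this wiki: it flags a directory whose mtime is newer than the ctime of every entry still inside it, which means the most recent change to that directory removed an entry. The function names, the directory and file names, and the 10 ms slack are assumptions made for the example.

```python
import os
import tempfile
import time
from pathlib import Path

SLACK_NS = 10_000_000  # 10 ms tolerance for coarse filesystem clocks (assumed value)


def last_change_was_removal(directory, slack_ns=SLACK_NS):
    """Return True when the directory's mtime is newer than the ctime of
    every entry still inside it, i.e. the most recent change to the
    directory removed (or renamed away) an entry instead of adding one."""
    dir_mtime = os.stat(directory).st_mtime_ns
    newest_entry = 0
    with os.scandir(directory) as entries:
        for entry in entries:
            # lstat semantics: judge a symlink itself, not its target
            st = entry.stat(follow_symlinks=False)
            newest_entry = max(newest_entry, st.st_ctime_ns)
    if newest_entry == 0:
        return False  # empty directory: nothing to compare against
    return dir_mtime - newest_entry > slack_ns


def demo():
    """Constructed scenario: two files are created, then one is deleted."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / "downloads"   # hypothetical directory name
        d.mkdir()
        (d / "keep.txt").write_text("stays")
        (d / "gone.bin").write_text("will be removed")
        results["after_create"] = last_change_was_removal(d)
        time.sleep(1.1)                 # also covers 1-second timestamp granularity
        (d / "gone.bin").unlink()       # unlink() rewrites the parent's mtime/ctime
        results["after_delete"] = last_change_was_removal(d)
        time.sleep(1.1)
        (d / "new.txt").write_text("later file")
        # The check reflects only the most recent change to the directory.
        results["after_new_file"] = last_change_was_removal(d)
    return results


if __name__ == "__main__":
    for step, flagged in demo().items():
        print(f"{step}: removal was last change = {flagged}")
```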

To mask this, I've thought of two really easy solutions with a theoretical 100% success rate.
If the server you play on requires you to download anything at all before getting screen-shared, follow solution number 1.
Otherwise, follow solution number 2.

  1. Delete Wraith before screen-share
    Assuming you will have to download something in order for the screen-share to take place and Wraith is located in your default downloads folder, you can just self-destruct Wraith and be fine.
    1) You get frozen and told to download something.
    2) You self-destruct Wraith. Your download folder's modification date is the self-destruct date.
    3) You download their program. Your download folder's modification date is their program's download date.
    4) Done.

  2. Download and run Wraith from /tmp
    If somehow the server you play on screen-shares without additional software, then you should download and run Wraith from the /tmp (temporary files) folder, since files here get created and erased quite frequently. You are completely safe if you choose to do this, since it would be completely unreasonable to sanction someone because a folder made specifically to host ephemeral files was recently modified.
    The only downside to this is that /tmp contents get deleted automatically every time you boot your computer.
