Skip to content


Repository files navigation


Tool aided persistence via Windows URI schemes abuse
Black Hat Arsenal Europe 2019 License Twitter Follow


Backoori ("Backdoor the URIs") is a Proof of Concept tool aimed to automate the fileless URI persistence technique in Windows 10 targets.

Abstract of the Research behind the tool

The widespread adoption of custom URI protocols to launch specific Windows Universal App can be diverted to a nefarious purpose. The URI schemes in Windows 10 can be abused in such a way to maintain persistence via the 'Living off the Land' approach. Backdooring a compromised Windows account in userland context is a matter of seconds. The operation is concealed to the unaware victim thanks to the URI intents being transparently proxyed to the legitimate default application. The subtle fileless payloads can be triggered in many contexts, from the Narrator available in the Windows logon screen (an undocumented Accessibility Feature abuse technique that set off this whole research) to the classical web 'attack surface'.

All this research started with a novel Accessibility Feature Abuse I discuss here:

Slides BlackHat Arsenal presentation

Demo videos

  1. URI persistence technique: User triggered persistence scenario

  2. URI persistence technique: Hijacking multiple Universal Apps

  3. URI persistence technique: Going beyond User triggered persistence via web 'attack surface'


  1. Implements the Windows 10 URI persistence technique
  2. Standalone
  3. 0 dependencies


go get
go run main.go


  • Windows x64: $ env GOOS=windows GOARCH=amd64 go build -o backoori main.go

  • Linux x64 : $ env GOOS=linux GOARCH=amd64 go build -o backoori main.go

  • MacOs x64 : $ env GOOS=darwin GOARCH=amd64 go build -o backoori main.go

Cross-Compile Instructions


Backoori0.92: tool aided persistence via Windows URI schemes abuse
| Generate a ready-to-launch Powershell agent that will backdoor specific Universal URI Apps with fileless payloads of your choice.
|  -help
|        Display help details
|  -online string
|       Provide 'true' if wants agent to fetch the payloads via the webserver, 'false' otherwise to store the payloads directly in the agent PS file (default "false")
|  -payloads string
|       Provide the JSON filename containing the payloads to use in the backdoored gadgets (default "./resources/payloads_sample.json")
|  -protocols string
|       Provide the JSON filename containing the URI protocols to backdoor on the target system (default "./resources/uri_protocols_sample.json")
|  -psversion int
|       Provide the Powershell version that the agent will use for the payloads (recommended v2) (default 3)

Example Output

  • Golang cli

  • Powershell agent output

How to add more payloads

The template of the payloads can be specified via -payloads flag (the default file is ./resources/payloads_sample.json). You can place any payload you wish in the JSON file but you need to follow the conventions of other samples to set at program runtime the value you wish for certain placeholder.

e.g. {{IP}}, {{COMMAND}}, {{PORT}}, {{FILENAME}}, etc.

How to test

The tool will make irreversible changes to the registry and manual repair is necessary :-). Please test it on a VM or within the new Windows Sandbox App.

Possible next steps

  • Adding logging and symmetric payload encryption to the web server that deploys the gadgets
  • Support gadget interactions
  • Convert this standalone project to a Metasploit module


Spot a bug? Please create an issue here on GitHub (


This project is licensed under the GNU general public license Version 3.


Tool aided persistence via Windows URI schemes abuse




Code of conduct





No releases published