Malware Development

TODO:

  • start VM
  • rto : Passw0rd!
  • copy RTO-maldev-enc.zip to VM

Background: Portable Executable

Tools:

  • PEBear
  • ProcessHacker

When a DLL is loaded, its DllMain entry point is called with different events (reasons), e.g. on process attach.

rundll32 implant.dll,RunME loads the DLL and calls RunME (an exported function defined within implant.dll)

Payloads and Droppers

  • where to store your payload?
    • .text
      • store the payload in a local variable of the function main
      • allocate a memory buffer (PAGE_READWRITE)
      • copy the payload into the buffer
      • make the buffer executable (PAGE_EXECUTE_READ)
      • create a thread and run it
    • .data
      • store the payload in a global variable
    • .rsrc (resource section)
      • resources are defined in .rc files and need special handling during compilation
      • locate the payload with FindResource, LoadResource, LockResource
      • then continue as above (allocate, copy, make executable, run)

payload encryption/decryption

Payloads can be encoded, but encoding is not encryption. Base64 is the typical encoding.

To get a base64 version of the binary shellcode: certutil -encode input.bin base64.bin

Encryption, typically XOR or AES:

  • XOR: should be easy, just add a simple xor-decrypt function before the memory copy
  • AES: more complex

Function-Call Obfuscation:

  • against detection based upon imported DLLs and functions
  • replace direct function calls with function pointers resolved at runtime to the right functions
  • the function lookup still needs strings (the function names); we can XOR-obfuscate those in place to hide them even more. As key, we can use one of the non-obvious strings already present within the binary

backdooring PE files: creating Trojans

  • code cave: using spare space in an existing section
    • problem: maybe not enough space
    • how:
      • find free code space (the cave)
      • redirect execution to the cave (jmp)
      • save registers (pushad, pushfd)
      • append the shellcode to the cave
      • re-add the original jump (so that the application resumes)
        • before that, restore registers (popfd, popad)
        • jmp back
  • new section
    • no size constraints, but an added executable section might be detected
  • extending section
    • increase the size of the last section
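
The three backdooring approaches above leave traces in the PE section table that a defender can look for: a writable and executable section, an executable section with an unexpected name, and an entry point redirected into the last section. The following is an added example (not course code): a stdlib-only Python scanner that parses the section headers and flags those traits, run against a constructed header-only PE32+ sample; the set of "expected" code section names is my assumption.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
EXPECTED_CODE_SECTIONS = {b".text", b"CODE", b"INIT"}  # assumption: names a scanner treats as normal

def parse_pe_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                         # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size                      # section table follows it
    for _ in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", pe, off)     # 40-byte IMAGE_SECTION_HEADER
        sections.append((f[0].rstrip(b"\0"), f[2], f[1], f[9]))
        off += 40
    return entry, sections

def suspicious_sections(pe: bytes):
    """Flag traits of the three backdooring approaches: W+X, unexpected code section, entry in last section."""
    entry, sections = parse_pe_sections(pe)
    findings = []
    for i, (name, va, vsize, chars) in enumerate(sections):
        label, executable = name.decode(errors="replace"), bool(chars & IMAGE_SCN_MEM_EXECUTE)
        if executable and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: writable and executable")
        if executable and name not in EXPECTED_CODE_SECTIONS:
            findings.append(f"{label}: executable section with unexpected name")
        if va <= entry < va + vsize and i == len(sections) - 1 and len(sections) > 1:
            findings.append(f"{label}: entry point in last section")
    return findings

def build_pe(entry_rva: int, sections):
    """Build a header-only PE32+ image (constructed test data, not a real binary)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt = (struct.pack("<H", 0x20B) + b"\0" * 14 + struct.pack("<I", entry_rva)).ljust(240, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, c)
                     for n, va, vs, c in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed sample: a .text/.data binary with an added W+X section that now holds the entry point.
TROJANIZED = build_pe(0x3000, [(b".text", 0x1000, 0x500, 0x60000020), (b".data", 0x2000, 0x200, 0xC0000040),
                               (b".newsec", 0x3000, 0x300, 0xE0000020)])
```

suspicious_sections(TROJANIZED) reports all three traits for .newsec, while the same binary without the added section yields no findings; PEBear shows the same section table interactively.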

code injection

  • transporting your payload from one process to another. why?
    • escape from a short-lived process
    • change working context (e.g. move into a process that typically talks to the internet)
    • backup C2, TOON: two is one, one is none
  • payload injection into a running remote process
    • first: get the shellcode into the remote process
    • second: make the target process call your (now-included) shellcode
  • typical examples
    • VirtualAllocEx, WriteProcessMemory + CreateRemoteThread
    • loading DLLs into a remote process
      • CreateRemoteThread with LoadLibrary as the start routine and the path to our malicious DLL as its argument
      • open the process; either search it for LoadLibrary or, since kernel32 is loaded at the same base address in every process, reuse the LoadLibrary address from our own process
      • GetProcAddress to find LoadLibrary, then VirtualAllocEx, WriteProcessMemory, CreateRemoteThread with LoadLibrary
        • note: in the injected DLL we typically use the DLL_PROCESS_ATTACH event (in DllMain) to start

Making Programs Invisible

  • the problem: a black console window opens when your dropper runs
  • how to get rid of this window?
    • call FreeConsole(), but the window is still visible (at least briefly)
    • create a WinMain function instead of main and add the /subsystem:windows flag (a linker option) when building