Malware development 101: Creating your first ever MALWARE

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
all right you probably clicked on this video cuz you want to learn how to create a malware from scratch well by the end of this video you'll have the knowledge to create your first one but why are you so interested in such thing is it curiosity is it that you want to hack someone huh well in case it's the L A disclaimer all knowledge and techniques explained in this video are for education of purposes only and I'm not responsible for any misuser abuse of it before we proceed I would like to introduce someone to you everyone this is sad what's up everyone my assistant for this video sad will help me explain terminologies and concepts of real stuff throughout the video if you want you can skip to the malware development part or you can stick around and learn the Core Concepts of malware so first things first why would we even develop modware it seems so illegal right well as reval Engineers or hackers in general we need to understand what's happening under the hood any engineering process is all about building something from point A to0 Z the process that resides in between is what's important to us we're standing at Point Z and we want to go all the way back to point a if we do not understand the engineering process that happen in between it'll be a waste of time for us tldr you cannot reverse engineering what you do not understand this is reverse engineering in a nutshell now let's discuss some terminologies and [Music] Concepts if we open the task manager on Windows we will see list of running programs these programs are also known as processes and there are two types of processes user move processes and system processes which are part of the operating system that has the highest privileges now if we open an awesome tool like process hacker we can see each process has a unique identifier associated with it this unique identifier is called pit or process identifier this pit is so crucial to us because we use it to get a handle to our process using this handle we can do pretty much anything we want with this process process such as allocating memory modifying the Privileges of certain pages in memory basically we can manipulate this process however we want another concept we need to be familiar with is the layout of memory and how it works the memory consists of multiple blocks these blocks are called pages each page has certain properties such as size or range of addresses security Flags or execution permissions like readwrite and execute and the P type that indic case if a page is committed or reserved or even both we'll get back to bee types later in the video now for a 32-bit process all memory addresses have maximum size of four bytes or a DW a word is two bytes a dword or double word is four bytes a qword or quad word is a bytes for a 64-bit process everything is the same except for the size of the addresses each memory address can have a maximum size of 8 bit or a q word make sure to take a minute and try to memorize these type definitions because we're going to be using using them a lot during our malware [Music] development now Shell Code what the hell is a shell code in ass simpish terms shell code is just a simply code that achieves a specific purpose you can think of it as a payload that executes for example a shell command or a reverse shell or even pops a symbol message box for example the Shell Code in this binary file executes message box if we open a hex editor we can see some print strings such as Kel 32. message box and our message hello world and if we open with a disassembler we can see a bunch of assembly instructions now a good question to ask here is why the hell would we even use any shellco in the first place we can just put our malicious code in a function and just call this function a runtime well as malware developers our main goal is to bypass antiviruses and adrs and avoid detection creating the modware is the easy part avoiding detection is the catam mouse game any she antivirus nowadays can just scan your malware for known signatures and malicious behavior such as suspicious windows apis and immediately Flags your malware as malicious we can't even use a plain Shell Code that executes a reverse shell and just hard code in our malware it will be flagged as malicious immediately since any antivirus has access to a huge database of signatur shell codes most of the time you'll have to encrypt your shell code with some sort of a cryptographic algorithm such as rc4 and a run time the Shell Code gets decrypted and executed but since this video is just an introduction to modware development we're just going to stick to the basics and in future videos I'm going to explain these techniques in [Music] detail one last terminology you need to be familiar with is the freaking Windows API the inner workers of the Windows operating system are so complex that you can learn Nuclear Physics instead in order to reduce this complexity Microsoft provided developers with the windows API to help make life easier for them when devel veloping applications for the Windows operating system these applications can be anything from a simple console app to a phenomenal AAA video game such as Starfield yeah I'm a big fan the libraries or rather we say the dlls provided by the windows API have tons of functions for literally anything for example using this simple python script we can extract the exports or the functions exported by the kernel32.dll library we can see API such as virtual aloc create remote thread right process memory and many more and they all well documented on Microsoft website which we will be referring to a lot when we start developing our malware the windows API also provides custom type definitions remember the word and dword type definitions we discussed earlier actually they are part of the windows API along with many other type definitions we can look up all the type definitions and what they map to on Microsoft documentations for example we can see that a word is defined as unide short dword is defined as unide long qword is defined as unside int64 and the list goes on if you ever were confused by a type definition you can always refer to this table now one last thing we need to discuss regarding the windows API is strs or structures and see a struct is like a container that can hold different types of data together it's like a customade data type that you can create to group related pieces of information imagine you're building a program to store information about students in AO school instead of using separate variables for each piece of information like name age and grade you can use a struct to group them together now since some windows apis return a pointer to a structure we need a predefined struct to store the data returned by a certain Windows API for example process Theory 2 first and process Theory 2 next are two windows apis that take in a struct called process entry 32 as a second parameter if the function succeeds this struct gets populated by information related to a certain process like the process name and ID in addition to the struct there are tons of more structs that are predefined and provided by the windows API for different use cases without the need to Define any of them all what we have to do is to include the windows header and that's it everything will be ready for us with these Concepts and terminologies out of the way now we can move on and start creating some [Music] modware let's start things off with self injection now some of you might be wondering what the hell is an injection technique or attack in the first place well the best way to try and avoid antiviruses is to use Fess attacks Fess attacks are attacks that only take place in memory without ring any files to dis without touching dis at all we all agreed that each process running has its own memory space like we discussed before we want to take advantage of this behavior and instead of running our malicious code to dis and then executing that we inject our malicious code or Shell Code somewhere in some process memory and then have this injected Shell Code executed all injection attacks have three steps in common the first step is to allocate memory for the Shell Code that you want to execute second is to write or copy the Shell Code into allocative memory and finally executing the Shell Code don't worry we'll go through each step in detail in next part just take a moment stretch get a drink and let's see everything in [Music] action all right so and this hey set what the hell is this where's the code what code the code that I told you to write for the video you didn't tell me to write any code you mother sorry about that God this guy's a mess anyways let's first talk about self injection in this code we have two header files included header VI and see are files that contain predefined functions strs NS and a lot more just like we discussed in the windows API earlier you can think of a header file and C as when you import a modu in Python that extends your code and gives you more functionality here we have the windows header file included you can always take a look inside any header file by holding control and then click on the header file by the way I'm using visual studio 2022 Community Edition you can get it from the Microsoft official website now inside the windows header file you'll find a lot of ifds and tons of other header files included basically the windows header acts as a wrapper around the windows API or a container that has everything already included and ready to use instead of having to include each header separately and make your code looks ugly So to avoid that you just include the windows header file and it's a happy life then the sdio header file is just for input and output operations which just included to be able to print strings or read and write stuff to the console now in the main function we first Define our Shell Code that we want to execute this is just a simple Shell Code to execute a message box if you want to create your own Shell Code you have three options if you have a good knowledge in assembly you can create your own from scratch I'll be making a special video on this later the second option is to to grab your desired Shell Code from sites like shell storm or exploit DB or if you have Cali Linux installed you can use the metas framework run msf console and then type use payload windows and if you want the Shell Code to be for x64 architecture type x64 we'll stick to x86 architecture for this video since we don't want to complicate things up we can see here tons of shell codes we can generate such as metor sessions reverse shells and many more we're just going to stick to a simple message box shell code for proof of concept one once you select the message box shell code Type show options and then set your custom message and title and then type generate if you're having trouble using msf console you can generate the same Shell Code with msf Venom by running this command and make sure to include the- FC flag to Output the Shell Code in C format once the shell code is generated copy the visual studio and make sure the architecture is set to x86 not x64 to make the executable compatible with the Shell Code now here we have 1 2 3 4 5 Windows API I that make all the functionality for the self injection technique so I think the best way to have a deeper understanding for the functionality of each API is to visualize what's really happening behind the scenes in the memory when each API is executed instead of just explaining what each API does so imagine this is the memory map of our process I know it's a crabby map but just imagine the code in our main function is loaded somewhere in this memory map let's say it's here for example now the first API you executed is virtual aloc remember we first need to allocate memory for our Shell Code and we use Virtual alloc for that this API takes four parameters first parameter is the Base address of the block of memory that we want to allocate since we don't know exactly where should we allocate this block of memory will let the operating system do that for us by setting this parameter as null the second parameter is how much memory we want to allocate since we want to allocate enough space for our Shell Code we'll just do that by setting the size of the allocated memory to the size of our Shell Code third parameter is the allocation type according to Microsoft documentations if we want to reserve and commit pages in one call we should use the MIM commit and MIM Reserve Flags together well I know we should do what the docs say but what exactly are these M commit and memories are flags and what does this pipeline symbol represent when we want to allocate a page block of memory we first need to reserve it that's why we use the memer flag then after we reserve it we need to commit it committing just telling the operating system that we want to read and write through this block of memory so use the MIM commit flag for that in plain English we're telling the operating system hey we want to reserve this block of memory so here's the reservation flag and then we want to read and write to this block of memory as well so here's the kit flag basically we cannot read and write to a block of memory unless we reserve it first now in order to use both of these flags together we use the pipeline or the logic or symbol to add them up since this symbol represents the logic or operation If We Hold control and click on this MIM commit flag we can see that it maps to a numerical value of h1000 these all caps flag are called enes Ines and see are data types defined by the user that map to numerical values so in here we can see the MIM commit flag maps to HX 1000 and MIM Reserve maps to HX 2000 now since we want to use both of these flags together we have to add them up and for that we use the logic or simple since the or logic gate simulates the submission B Behavior now if we or both of these numbers together we get hex 3000 which indicates that this memory page has the reserve and commit flag set we can even replace these flags with hex 3000 and our code will work just fine pretty neat right the last parameter is the protection flags for the memory page since we want to read write an excute code in this memory page we set the page exq read write flag and again to see the numerical varable that this new maps 2 hold control and click on it he can see the maps to HX 40 which you can hard code if you want if the virtual Al runs successfully it will return a void pointer to the Base address or the start address of the allocated memory page we all know that pointers are variables that store addresses which point to some data types in memory we can have a pointer points to literally any data type in memory such as an integer or a charart array a void pointer on the other hand just a pointer to an undefined data type in memory hence the term void the void pointer returned by the virtual API is defined as LP void which stands for a long pointer to void if we see the type definition for this LP void data type we can see it's set to void far which is a void pointer a nutshell now again the virtual AR API returned a void pointer because there's no data written in this memory page yet you can always check the type definition of any Windows API whenever you feel like it cuz Microsoft has a shitty time coming up with good names for their type definitions F Microsoft okay anyways the second step now is to write our shell code to the allocated memory so in the RTL copy memory API we copy or write our shell code to the allocated memory the RTL copy memory API has the same functionality as the MIM copy function but since we're working with the windows API we use a windows-based memory API which is RTL copy memory it takes in three parameters the destination or where to write to the source or where to read from and the size of the copi data which is set to the size of our Shell Code the final step is to execute our Shell Code using the create thread API this API takes in six parameters we only interested in the third parameter which is the entry point for the Crea thread threads are individual units of execution within a process and sometimes referred to as lightweight processes because they share the same memory space and resources of the parent process but they have their own programed counter stack and registers this allows them to run concurrently and perform task independently within the same process imagine that you have a program that consists of of three functions and each function takes one second to finish execution this means the program will take 3 seconds to finish execution using threads we can create three threads to execute each function in parallel and hence reduce the execution time to 1 second this is the general idea of threading and concurrency now this third parameter is set to the start address of our Shell Code and typ cast it to lb thread start routine basically What's Happening Here is that when we typ cast this memory address with this typ cast we're telling the operating system hey this is the entry point or the start address that we want the create thread to start execution from or this is the start of the code that must be executed when the thread is created if the thread created successfully the API will return a handle to the created thread a handle is yet another void pointer to the creative thread now since we don't want to terminate our program until our child code is finished execution we will pause or Hal the execution here using the weight for single object API this API takes in two parameters the thread handle and the amount of time we want to wait for until the program resumes the execution since we want to completely hold the execution until the thread returns or finishes execution we set it to infinite and after the thread returns and our shell code is executed we free up the allocated memory using virtual free now again when I run this program now A Memory page with the size of our Shell Code will be allocated with the allocation types of me commit and M reserve and we'll have the red right and xq flag set then our Shell Code will be written or copied into the allocated memory then a thread will be created to execute the Shell Code and the execution will hold until the thread returns or the shell code is executed and finally the handle will be closed to the thread and the allocated memory will be freed and then the program terminates congratulations cool stuff now let's confirm that our shell code is injected into our process by checking the memory map using our awesome process hack CER tool we know from our program that the Base address of our memory page starts at this address and we can find it easily here and if you notice the protection for the memory page is set to read write and execute which is what we specify in our program reading the injected Shell Code we can see our message which is shco by msf Venom same as in the message box but it's kind of upside down due to the indianus since Byer data is stored in little Indian in memory which makes it kind of reversed or upside down and if you still don't believe me you can compare injected Shell Code to our hardcoded Shell Code and you'll find out they match exactly told you it's legit [Music] nice all so far so good now let's get a bit nerdier and upgrade this self injection technique to process injection in self injection we injected our Shell Code into the memory space of our creative process the same thing will be done in process injection the only difference that we will inject our Shell Code into the memory space of another running process let's say we're going to inject into Microsoft Paint since Microsoft Paint is a 64-bit process we have to use a 64-bit Shell Code so back here in Cali we on the same msf Venom command and add the- a flag for architecture and set it to x64 once the shell code is generated copy it to visual studio and make sure to set the Build architecture to x64 for compatibility now in self injection we have three steps allocate memory write our sh code to the allocated memory and create a thread to execute the injected Shell Code in process injection we'll do the same exact steps but first we have to add one more step which is to first get a handle to the process that we want to inject our Shell Code into again you can think of this process handle as a door we use to get into the memory space of this process and once we do that we can do the same exact three steps as before now in order to get a handle to the process that we want to inject our Shell Code into we use the open process AP API this API takes in three parameters the desired access to process object or the access rights we want to have over the process since we want to access all process resources we use the process all access flag the second parameter takes in a Bine value and we set it to true if you want to make the tri processes created by our process inherit this handle and since we're not going to create any Tri processes we set it to false the third parameter and the most important one is the process ID which we want to access this process ID can be obtained by opening to like process hacker and grabbing the process ID from there this is will be done each time we open the process that we want to inject into since the operating system assigns a different process idea to the same program each time it's executed which is kind of a bummer but since we're pro hackers we're not going to open process hacker every time to get the pet for the process that we want to inject into instead we're going to take a snapshot of all running processes if the term snapshot kind of confuses you you can think of it as taking a screenshot of all running processes and then we Loop through each process and check its name if it matches the process we want we obtain its ped and other information related to it so in a code here we first Define the process entry Theory to struct which will store information related to each process in a snapshot then we set the size member to the size of the whole structure and to understand how the size of a struct is calculated you can imagine for example a struct of four elements 3DW and Sh array of 28 bytes since a dword is four bytes in size and we have three that means we have a total of 12 bytes of dwords plus 28 bytes for the chart array we get a total size of 40 bytes this is basically the math done by this function here it's all about getting the size of each member in the struct and adding them up together again if the concept of a struct confuses you go back to the windows API part in which we discussed structs in detail next we have create tool help 32 snapshot API which takes into parameters ACC curring to Microsoft the first parameter is the portions of the system to be included in a snapshot since we want to include all processes in the system in the snapshot we'll use the dh32 Cs snap process flag the second parameter is supplied for using any of these flanks and since we're not we'll set it to zero keep in mind that these apis are part of the windows API but not including in the windows header so we need to include that TL H 32 header to access their definitions now in order to enumerate the processes in the snapshot we have to use two apis process theory2 first and then process 32 next and no you cannot use process the2 next only without using process 32 first before that both of these processes take in two parameters the processes snapshot and a pointer to process entry 32 struct and in a DUI Lube we enumerate all processes using process 32 next and compare the executable F name with Ms paint. exe or Microsoft Paint the function WCS compare Compares two y strings together and if they match their return value is zero the Windows operating system uses utf16 encoding to encode strings that means each character takes up 16 bits of space in memory or two bites for example if we want to encode the string mware using utf16 encoding it will be represented as follows notice here that each character is separated by a null bite but this is not the case since each character takes up two bytes of his space we will have to pad the remaining bite with a zero to fill up the remaining bite and then the string ends with a null B to indicate end of string so the string malware when stored in memory will be represented like this hence the term wi string so in this function here the exe5 member is a y string which cannot be compared with this normal string so we prefix it with an uppercase L to tell the compiler to convert this normal string to a y string before doing the comparison so to recap we first use the create to help 32 snapshot API to get a snapshot of all running processes and then we use process 32 first and process 32 next to enumerate them and then we check the EXA file member in a process entry through2 struct and see if it matches Ms pain. exe if so we get a handle to this process using its process ID and then the same steps we did in the self injection technique will be done here we use Virtual Al ex to allocate a memory page inside the memory space of Microsoft Paint virtual aloc ex extends the functionality of virtual aloc so that we can allocate memory inside memory space of other processes it takes in the same parameters as virtual aloc the only difference that the first parameter is the handle to the process in which we want to allocate memory after the memory is allocated we use the right process memory API to write our Shell Code into the allocated memory inside Microsoft paint process this API takes in five parameters they handle to the Microsoft paint process a source to copy or read from a destination to write to the size of the copy data and the number of bytes read of the function succeeds we don't really care about that so we'll set it to null finally you will create a thread to execute the injected child code using Create remote thread AP which takes in the same parameters as create thread in addition to the handle to the Microsoft paint process and similar to what we did before we Haul the execution of the program until the thread returns and then we free the allocated memory in Microsoft Paint and finally we close the handles to the thread under the process respectively and break out of the loop now let's run and see some magic we did it we did it we did it did it and again we can look out the address of the allocated memory page in the memory map of Microsoft pain using process hacker we can see that this memory page has our Shell Code injected into it along with the read write and execute permissions awesome I was also planning to explain dll injection what is a dll in the first place and all that but the video is getting really long and it takes forever to edit to so we'll leave that for the next video you can find all the code of my GitHub Link in the description below and I also have a homework for you I want you to do the same process injection in notepad with a different shell coat and let me know if you were able to do that or not finally please give a huge Applause to S who didn't do anything at all throughout the video I did all the explanation all the coding everything you didn't help in any way at all you know what you're fired you f you so yeah that's it everyone thanks a lot for yeah that's it thanks for watching and [Laughter] stop stop stop weeping all right I'll give you back your job but under one condition since you ruined this video if it gets more than 10,000 views you'll have your job back and that's it if you made it this far thanks a lot for watching I really hope that I was able to help you develop a deeper understanding of Mai Concepts and techniques and all that cool stuff you can support the channel by giving this video a thumbs up and sharing that with your friends and whoever might be interested and most importantly don't forget to subscribe so that we can hit 10K Subs as soon as possible you can also check out our patreon or become a member here I'm also now on Twitter I mean X not Twitter not the bluebird just X I'm on X you can follow me there Link in the description below so until next hey s what the hell are you doing no
Info
Channel: Leet Cipher
Views: 271,138
Rating: undefined out of 5
Keywords: malware, malware development, C programming, C++, python, windows api, shellcode, self-injection, process injection, injection attacks, fileless malware, encryption, decryption, cyber security, hacking, coding, basics, beginners, professional
Id: zEk3mi4Pt_E
Channel Id: undefined
Length: 28min 0sec (1680 seconds)
Published: Sun Feb 25 2024
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.