Making your Shellcode Undetectable using .NET

In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also few more APIs we can use to do the same task but different techniques involved.

VirtualProtect

This is how MSDN explains this:

Changes the protection on a region of committed pages in the virtual address space of the calling process.

BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx

Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.

Here’s an example using C which I have implemented.
Continue reading

Satana Malware Analysis

I haven’t done any malware analysis before and this would be my first post related to malware. I’m really interested but still quite a lot of things to learn🙂 so I thought of starting off somewhere and this is the analysis of the ransomware named “Satana” by me. Obviously I hope you know who is Satan 👿

Samples:

Behavior Analysis

As soon as you run this the main executable will be deleted and a new sample will be created inside the %temp% folder.

The following is the disassembly corresponding to this event.


Continue reading

Storing a EXE inside MySQL

It’s possible to store a EXE file inside a MySQL database. You can try this out. For demonstration purposes I’m running MySQL in my localhost. I will be creating a simple database and a table big enough to store the exe file. Since we convert the exe to a hex file the content would be larger than the original exe file. I will be using ‘putty.exe’ as the binary.

CREATE DATABASE testupload;

USE testupload

CREATE TABLE uploads (
 id INT(3) NOT NULL AUTO_INCREMENT,
 name VARCHAR(1000000) NOT NULL,
 PRIMARY KEY (id)
 );

Continue reading