Malware | 🔐Blog of Osanda

Running Shellcode Directly in C

Here’s a cool thing I figured out in position-independent code. I would rephrase the title as running position-independent code instead of shellcode. Check my previous article Executing Shellcode Directly where I used a minimal PE and pointed the AddressofEntryPoint to the beginning of the PIC.

So the goal is to run shellcode in C without any function pointers or any functions at all, not even a main function 🙂 For example, this is all the code. I declare the variable name as “main”. I am using the Microsoft’s Visual C compiler with no parameters.

char main[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

After compiling it won’t of course run. Why? Well, the initialized data will end up in the “.data” section.

(more…)

Converting an EXE to a DLL

I’ve been doing some crazy experiments on running an EXE as a DLL. Here are some parts of my research.

Case #1

Let’s take a simple example like a MessageBox.

#include <windows.h>

int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
                     _In_opt_ HINSTANCE hPrevInstance,
                     _In_ LPWSTR    lpCmdLine,
                     _In_ int       nCmdShow) 
{
	MessageBox(NULL, L"@OsandaMalith", L"https://osandamalith.com", MB_ICONINFORMATION | MB_OKCANCEL);
  
}

After compiling to an EXE we have to change the characteristics under NT Header->File Header to a DLL file. I will use the value 0x2000 | 0x2| 0x100 = 0x2102.

#define IMAGE_FILE_DLL                       0x2000  // File is a DLL.
#define IMAGE_FILE_EXECUTABLE_IMAGE          0x0002  // File is executable
#define IMAGE_FILE_32BIT_MACHINE             0x0100  // 32 bit word machine.

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef struct _IMAGE_FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

(more…)

Analyzing an AutoHotKey Malware

I found this malware spreading through the Facebook messenger. Thanks to Rashan Hasaranga for notifying me this in the first place. It was targeting Sri Lankan people on Facebook. It was a compressed “.bz” file which was spreading via the messenger. The name had “video_” and a random number.

After I downloaded the files, I checked the file hashes. I couldn’t find any analysis done before. So, I decided to get to the bottom of this. The malicious files have the extension as “.com” instead of an exe. However, it’s a compiled exe, renaming this to “com” will still run as an exe by the Windows loader.

These are the samples I found. However, they all contain the same malware. I found 2 authors compiled this from 2 different machines. Read along 😊
(more…)

APT attack in Bangladesh

One of my friends from Bangladesh @rudr4_sarkar sent me this link to analyze which leads to a Word document.
http://mozillatm.com/A0Jst6jAd7CYerrqFmwb4wqDLa5XHPW_May_2017.doc

VirusTotal: https://virustotal.com/en/file/273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674/analysis/1496541543/

I figured out that this was the CVE-2017-0199 exploit. It was simple to find the payload.

b = '00000068007400740070003a002f002f006d006f007a0069006c006c00610074006d002e0063006f006d002f006c006f006100640069006e0067002e00680074006d006c00000000'

"".join("{0}".format((i+j).replace('00','').decode('hex')) for i, j in zip(b[::2], b[1::2]))

>> 'http://mozillatm.com/loading.html'

This exploit will deliver a malicious HTA file and execute it. HTA means IE, so yeah VBScript will execute nicely.
(more…)

Lab 13-02 Analysis

I felt bored and thought of having a look at this exe. These are my rough notes on this one.
Every 5 seconds the function ‘401851’ is called.

Basically, this malware takes screenshots and encrypts them and stores them in the current directory starting with “temp%08x” % GetTickCount().

(more…)

Executing Shellcode Directly

I found this post by Alex Ionescu pretty interesting. I recreated the poc and wrote position independent shellcode. It’s more like executing shellcode directly by the windows loader.

One could develop complete malware by dynamically locating the base address of kernel32.dll and once you locate the functions LoadLibraryA and GetProcAddress, you can load any library in the system and find the exported symbols, in which you have complete access to the win32 API.

You don’t need to specifically write position independent code using assembly. You can directly code in C/C++ and extract the opcodes.

For example using the ‘InMemoryOrderModuleList’ LDR_DATA_TABLE_ENTRY located in the PEB->LDR we can get the base address of kernel32.dll. Usually kernel32.dll can be found in the third LDR_MODULE in the double linked list. If you have done shellcoding under Windows these things should be familiar.
(more…)

Lab01-02 Analysis

This program is packed using UPX and can be easily unpacked.

Lab01-02.exe – https://virustotal.com/en/file/8bcbe24949951d8aae6018b87b5ca799efe47aeb623e6e5d3665814c6d59aeae/analysis/

At the start we see a call to ‘StartServiceCtrlDispatcher’ which is used to implement a service and the service control manager will call the service entry point provided. In here I have labeled the service entry point as ‘ServiceMain’. The name of the service created would be ‘Malservice’.

(more…)