Slides from my SANS Hackfest 2022 talk. It discusses how to quickly develop malware despite having minimal programming skills. All techniques are covered from the perspective of someone who has limited time and basic programming skills.
By writing custom malware, just like APTs do, red teams could provide more value to customers.
Questions I asked before
The Windows API (WinAPI) is how an application interacts with the OS: for example, to display a message box, to read input from the keyboard, or to start a process.
The native APIs are hard to use since they are undocumented, but they are important to understand because they help with evasion.
One of the documented Windows APIs for creating processes is CreateProcess(). Using this API, the created process runs in the context (meaning with the same access token) of the calling process. Execution then continues with a call to CreateProcessInternal(), which is responsible for actually creating the user-mode process. CreateProcessInternal() then calls the undocumented native API NtCreateUserProcess() (located in ntdll.dll) to transition into kernel mode.
Examples of APIs commonly used by malware.
It is impossible to identify all existing malware using static signatures, because any change to a particular sample may bypass a particular signature, and perhaps even bypass the static engine completely.
A sandbox's memory is limited, and execution of code inside the sandbox is time-limited.
Some malware checks for the presence of sandboxes/debuggers/virtualized environment.
Number of CPUs
Memory size
User interaction (mouse movement)
Number of processes running
Uptime
Are they well-documented? Are there libraries you could use to ease your coding?
When malware is written in a new language, new signatures have to be created to detect the different variants.
For this project, we'll use C/C++.
The important thing is to think about opsec: we don't want to send an .exe via email.
Will build an executable (.exe)
Will talk about process injection
If the target process is whitelisted, we can evade detection.
If the target process is running as admin, our payload will run as admin.
Tons of detections are implemented for process injection. Beware!
According to MITRE.
Techniques have sub-techniques, each with different variations and implementations.
Where to get sample PoCs as our base code?
The sources provided are written in C/C++ since that is the language of choice for this project.
We'll create a CPP project (.cpp file) since most of the headers used are written in C++, but we'll write the code in C since that is the language used by the PoC/skeleton code.
Early Bird APC Queue Code Injection
Spawn a process in a suspended state
Allocate memory for shellcode
Write/inject the shellcode into the allocated memory
Queue an APC pointing to the shellcode address to the main thread
Resume the thread
The shellcode is indeed injected into notepad's memory.
While obfuscation is a good thing, remember that obfuscation yields higher entropy, which itself can be an indicator.
We will use AES to encrypt the shellcode.
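The entropy point above, as an added detection-side example (written for this page, not code from the talk): a sliding-window Shannon entropy scan that flags the dense region an encrypted payload leaves in an otherwise plain binary. The sample buffer, window size and 7.0 bits/byte threshold are constructed assumptions, not values from the talk.

```python
import hashlib
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512, step: int = 256,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Slide a window over the buffer and report (offset, entropy) for every
    window at or above the threshold. Encrypted or compressed data approaches
    8 bits/byte, while ordinary x86 code and text sit well below 7, so a dense
    region inside a small, otherwise plain executable is worth a closer look.
    Caveat: packed resources, certificates and embedded archives also score
    high, so treat a hit as a triage signal, not a verdict."""
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample (not a real binary): repetitive "code-like" filler with a
# 1 KiB random-looking blob in the middle, standing in for an AES-encrypted
# payload. The blob is derived from SHA-256 so the example is deterministic.
FILLER = b"MOV EAX, 1; RET; " * 64                       # 1088 bytes, ~3.4 bits/byte
BLOB = b"".join(hashlib.sha256(b"constructed-%d" % i).digest()
                for i in range(32))                     # 1024 bytes, ~7.8 bits/byte
SAMPLE = FILLER + BLOB + FILLER

if __name__ == "__main__":
    print(f"filler entropy: {shannon_entropy(FILLER):.2f} bits/byte")
    print(f"blob entropy:   {shannon_entropy(BLOB):.2f} bits/byte")
    for off, e in high_entropy_regions(SAMPLE):
        print(f"high-entropy window at offset {off:#06x}: {e} bits/byte")
```

Run the same scan over a PE's sections rather than a constructed buffer to see which section the encrypted payload lands in; the flagged offsets here fall inside the embedded blob.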
Not a comprehensive list.
The original shellcode length is 303 bytes. Adding a NOP (\x90) makes the length 304, which is a multiple of 16 (the AES block size).
A character array cuts the string up into smaller pieces, making them more difficult to extract from the binary.
This can be done with the shellcode as well.
A better approach is to store the key/IV in a separate file, fetch it from an Internet source, or use environment keying (e.g., the domain name) as the key.
Not a comprehensive list.
This shows the IAT of our base code and the functions that were imported from kernel32.dll.
Not a comprehensive list.
The number of imported functions was reduced from 21 to 15.
No header-only libraries were found, but these resources contain source code that can be used.
Hooking is now more commonly done at the latter level (the native API), because hooks on WinAPI functions are easier to bypass by calling the native API directly.
By disassembling ntdll.dll, it is possible to get the assembly code for every function it contains.
Instead of calling functions from ntdll.dll at runtime, we call their corresponding assembly code directly.