Malware dev advice
#1
Malware dev advice....

Was wondering about a comparison of PyWin32 to the WinAPI (using C) from a malware development perspective. The documentation states you can access "many" Windows API functions. Doubtful it goes to the extent of C's WinAPI. Yes, I'm aware Python would need to be installed. My question is: would it be practical, or even possible? Perhaps with the usage of a Cython-like program that could convert it into C afterwards?
Reply
#2
I'm not sure if I understand your question correctly. But if you want to use the WinAPI in the malware, I think it would be easier if you just do it in a lower-level language than Python; say, for example, C or C++. Or maybe a language closer to Windows like C#/.NET.

If you use Python you would need to get third-party libraries. A lot of unnecessary overhead. And some of those libraries are not always maintained. But yeah, using Cython could work; if I remember it correctly you can use C together with Cython. https://cython.readthedocs.io/en/latest/..._code.html

Edit: In my opinion, I would use Python or similar for the dropper, and use C or something else for the malware.
Reply
#3
Practical? Never.
Cython would be marginally better because you do have the capability to write all your C code and compile the Python code into something more native (although not perfect, of course).

You don't need LoadLibraryA() to load a DLL; you can do it manually, so there should be a theoretical 1:1 parity with the 'actual' WinAPI so long as you know where all the functions and definitions are in each respective DLL (use CFFExplorer).

But Cython is still only really used for improving the performance of existing Python code. If you're going to write both C and Python, why not just write C only?
Reply
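Worked example of the "know where the functions are in each DLL" part of the post above. This is my own added code, not the poster's: it does by hand what the loader and GetProcAddress do, walking DOS header -> PE header -> optional header -> DataDirectory[0] -> export tables. To keep it runnable anywhere (no Windows, no real kernel32.dll) it first builds a constructed, minimal PE32+ stand-in for a DLL with made-up export names and fake code RVAs; the header layout and struct formats are the real ones, the data is not.

```python
import struct

SEC_RVA, SEC_OFF = 0x1000, 0x200   # where our single section lands in memory / on disk


def build_fake_dll(dll_name, exports):
    """Constructed stand-in for a DLL: valid-enough PE32+ headers plus one section
    holding an export directory.  exports = [(name, fake_code_rva), ...]."""
    n = len(exports)
    off_funcs = 40                      # IMAGE_EXPORT_DIRECTORY is 40 bytes
    off_names = off_funcs + 4 * n       # AddressOfFunctions table: n DWORDs
    off_ords = off_names + 4 * n        # AddressOfNames table:     n DWORDs
    off_str = off_ords + 2 * n          # AddressOfNameOrdinals:    n WORDs, then strings
    # Real name tables are sorted so the loader can binary-search them; the
    # ordinal table maps a name index back to an AddressOfFunctions index.
    by_name = sorted(range(n), key=lambda i: exports[i][0])
    strings = bytearray(dll_name.encode() + b"\0")
    name_rvas = []
    for i in by_name:
        name_rvas.append(SEC_RVA + off_str + len(strings))
        strings += exports[i][0].encode() + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, SEC_RVA + off_str, 1, n, n,
                             SEC_RVA + off_funcs, SEC_RVA + off_names, SEC_RVA + off_ords)
    section = (export_dir
               + b"".join(struct.pack("<I", rva) for _, rva in exports)
               + b"".join(struct.pack("<I", r) for r in name_rvas)
               + b"".join(struct.pack("<H", i) for i in by_name)
               + bytes(strings))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                 # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)   # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, SEC_RVA, len(section))          # DataDirectory[0] = export
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), SEC_RVA,
                          len(section), SEC_OFF, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers.ljust(SEC_OFF, b"\0") + section


def parse_exports(image):
    """Resolve the export table of an on-disk PE image the way a manual loader
    does.  Returns (dll_name, {export_name: code_rva_or_forwarder_string})."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data directory
    exp_rva, exp_size = struct.unpack_from("<II", image, dd_off)
    sections = []
    sec_table = opt_off + opt_size
    for i in range(nsec):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sec_table + 40 * i)
        sections.append((vaddr, rawptr, max(vsize, rawsize)))

    def rva2off(rva):               # on disk an RVA must be mapped through the section table
        for vaddr, rawptr, size in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(rva):
        off = rva2off(rva)
        return image[off:image.index(b"\0", off)].decode()

    ed = struct.unpack_from("<IIHHIIIIIII", image, rva2off(exp_rva))
    name_rva, _base, nfuncs, nnames, aof, aon, aoo = ed[4:]
    funcs = struct.unpack_from(f"<{nfuncs}I", image, rva2off(aof))
    names = struct.unpack_from(f"<{nnames}I", image, rva2off(aon))
    ords = struct.unpack_from(f"<{nnames}H", image, rva2off(aoo))
    table = {}
    for nrva, ordinal in zip(names, ords):
        rva = funcs[ordinal]
        # An RVA that points back inside the export directory is a forwarder
        # string ("OTHER.dll.Func"), not code; a manual loader has to follow it.
        table[cstr(nrva)] = cstr(rva) if exp_rva <= rva < exp_rva + exp_size else rva
    return cstr(name_rva), table


def resolve(image, func_name):
    """GetProcAddress by hand: export name -> RVA (None if not exported)."""
    return parse_exports(image)[1].get(func_name)
```

Against a real DLL you would read the file (or the mapped module) into `image` and add the module base to the returned RVA; the forwarder case is the one that bites people doing this manually, since several kernel32 exports just point into ntdll.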
#4
Since Windows (and Linux) is coded in a mixture of C and C++, the most practical would be either of those.
If you wrote it in Python, the user would have to have Python installed for it to work, which would make your list of potential "victims" smaller.
The same goes for Java and other high-level languages. However, Python malware would be more suitable if the target is web based, as Python is more used in web development. Java malware would be more suitable for Android since the Android SDK mostly supports Java.
In closing, your malware language will depend on your target: find out what they run, and go from there. Windows/Linux box? C/C++. Android device? Java. Web server? Python. iPhone? C#, etc.
Reply
#5
Well,

In theory this is possible, but the exe you will have will be so heavy and require so many resources that it won't be discreet at all.

I agree with the other answers; it is more realistic to make C++ malware to use Windows API calls.
Reply
#6
IMO, Windows is so much more secure today than it was back in 2010 that I'd personally not even bother with traditional computer infection these days.

Back in 2010, all it took was one click to infect a fully updated Windows 7 OS with antivirus.

But today, just to run unsigned, brand-new software you have to bypass Microsoft SmartScreen and UAC, AND the .exe gets uploaded to Microsoft to check for viruses.

So even if the modern Windows 10 user clicks 'bypass'/'run file anyway' to run your sketchy keygen.exe, the file sample will still get uploaded and detected within days.
Reply
#7
Clearly not a single one of you has ever written malware in Python. CPython, compiled with PyInstaller, packed and compressed with UPX, creates small binaries. Spoof signing a binary is a thing as well. The ctypes module allows you to inject a shellcode payload with the CreateRemoteThread method and even reflectively inject a DLL if you'd like.

Furthermore, every exploit you can think of can be run using Python; the correct knowledge of the exploit in question allows you to execute it. You have access to the Win32 API, the registry, COM objects, WMI as well as MAPI, to name a few. If you're worried about Windows Defender, or heuristic analysis and even debugging, you can write a Python tool that applies polymorphic XOR or provides encryption for your binary.

PE injection is also a thing.

Now granted, native C/C++ will be more efficient, but as long as you know what you are doing you can write pretty powerful malware using Python. Sure, it won't be a rootkit, but you could certainly write a dropper for a rootkit, and don't forget you can execute system commands with Python, including PowerShell invocations; you could even write out a PowerShell script with embedded C# and execute it on the fly.
Reply
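Worked example of the "polymorphic XOR" idea from the post above. This is added code of my own, not the poster's tool: it picks a fresh multi-byte key per build so the same payload gets different bytes on disk each time, and chooses each key byte so that neither the key nor the encoded output contains any "bad character" (NUL, LF, CR by default), which is the usual reason shellcode gets XOR-encoded in the first place. The payload is a constructed byte string, not real shellcode, and the blob layout ([key_len][key][body]) is my own convention.

```python
import random

# Constructed sample payload, NOT real shellcode: it contains NUL, LF and CR
# bytes (typical bad characters) and a readable marker so the effect of the
# encoding is easy to see.
SAMPLE_PAYLOAD = b"\x00\x00MARKER\x0a\x0d" + bytes(range(0, 256, 7))


def pick_key(payload, badchars, key_len, rng):
    """Choose a key_len-byte XOR key such that neither the key nor the encoded
    payload contains any byte from badchars.  Key byte j only ever meets the
    payload bytes at positions j, j+key_len, j+2*key_len, ... so each slot can
    be chosen independently from the others."""
    key = bytearray()
    for slot in range(key_len):
        column = payload[slot::key_len]
        candidates = [k for k in range(1, 256)
                      if k not in badchars
                      and all((b ^ k) not in badchars for b in column)]
        if not candidates:
            raise ValueError(f"no usable key byte for slot {slot}; try a longer key")
        key.append(rng.choice(candidates))
    return bytes(key)


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode(payload, badchars=b"\x00", key_len=4, seed=None):
    """Produce one variant: [key_len][key][payload ^ key].  A different seed
    (or the default SystemRandom) gives a different key, hence different
    bytes on disk for the same payload: that is the 'polymorphic' part."""
    bad = set(badchars)
    if key_len in bad or not 1 <= key_len <= 255:
        raise ValueError("key_len must itself be a non-bad single byte")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    key = pick_key(payload, bad, key_len, rng)
    return bytes([key_len]) + key + xor_bytes(payload, key)


def decode(blob):
    """The runtime side, i.e. what a decoder stub has to do before the payload
    is usable.  The recovered bytes are identical for every variant, so this
    only hides the payload at rest; an in-memory scan still sees the original."""
    key_len = blob[0]
    return xor_bytes(blob[1 + key_len:], blob[1:1 + key_len])


def contains_badchars(data, badchars):
    return any(b in badchars for b in data)


def build_variants(payload, count, badchars=b"\x00", key_len=4):
    """Same payload, count different on-disk encodings."""
    return [encode(payload, badchars, key_len, seed=s) for s in range(count)]
```

Two caveats worth keeping in mind with this scheme: the decoder routine itself is constant across variants and is therefore the thing a static signature will latch onto unless it is varied too, and the moment the stub runs, the original bytes are back in memory where Defender's memory scanning and any heuristic on the injection API calls can see them.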