How do malware builder interfaces work?
#1
I notice that a lot of malware products have a builder interface where users can select actions and set variables before generating the malware. How can this be done in C/C++? I have heard about resource files, does that have anything to do with what I am asking?
#2
The Qt framework for C++ is used to create the GUI.
#3
(06-19-2021, 12:47 AM)dev Wrote: The Qt framework for C++ is used to create the GUI.

I understand how the GUI is created; what I am asking is how the code generation/variable setting is possible without disclosing the source code or having some external config file.
#4
If you have a program to generate code, just change the parameters of the code to be generated. Even if the original source code is encrypted, you know what algorithm is used, you know the positions where the parameters must go, etc. In the end it's just text manipulation.
#5
(06-19-2021, 02:09 PM)Corvo Wrote: If you have a program to generate code, just change the parameters of the code to be generated. Even if the original source code is encrypted, you know what algorithm is used, you know the positions where the parameters must go, etc. In the end it's just text manipulation.

Sorry, but this doesn't really help me much. I didn't say anything about the original source code being encrypted, and regardless, you are kind of restating what I am asking. "Just change the parameters of the code to be generated", yes, that is what I am asking how to do. I don't mean to be rude. I want to know how to manipulate variables through an interface and generate the malware through it without resorting to an external configuration file.
#6
Well,

Dude, this question is weird, because if you really know how to code in c++, this is an easy program to make.

Just create a simple desktop application and have the program create a config file (a .dat or .txt file) with the right information.

Very easy to do...
#7
(06-20-2021, 07:54 PM)jean_valjean Wrote: Well,

Dude, this question is weird, because if you really know how to code in c++, this is an easy program to make.

Just create a simple desktop application and have the program create a config file (a .dat or .txt file) with the right information.

Very easy to do...

Yeah, just write a program that parses a text file, haha.
Ignore the entire part about modifying binaries or using IL/reflection to generate code at runtime with the right parameters/methods/functions/modules etc.

It's astonishing how confident you all are when you won't even answer the question.



Now, to actually answer...

If you want to build an application from a program, you have two options, really:

1. Write code that modifies the source files of what you are trying to build, then run the toolchain to build the application (and ideally also handle warnings/errors with recognition/suggestions to solve any issues that arise.)
2. Compile a binary with a lot of defaults, then write a builder that modifies the binary directly to change parameters and add/remove code as needed.

Since you mentioned wanting to protect source files in your question, the first option is out of the question, as you would need to provide source files to a client to build from (and you would also need to assume that the client has all the required toolchains on their machine to actually build with.)

Which leaves you with the second option which will work for your purposes, but is much more complicated, at least in C/C++ depending on how you write your code.



First, let's take a look at how QuasarRAT manages to build clients on-the-fly:
https://github.com/quasar/Quasar/blob/ma...Builder.cs

It's not C or C++, rather C# and .NET core libraries for IL and reflection to disassemble/reassemble an application.

Of course, C# can be disassembled really easily, as the actual code is in the runtime and not in the binary itself. But you can get an idea of what it's doing, roughly:

1. Open up the binary and read all its properties/modules
2. Go through the modules and properties and change them as supplied by the user
3. Write the new file to a specified path
4. (Optional) Add extra metadata and perform any final actions on the file

So, you need to be able to do something similar in C/C++, and although there are third-party solutions in some cases, a decent amount of it might be parsing the binary yourself to modify data.

If you are using some sort of reflection in your program to, for instance, put all the information for the socket on the stack (IP Address, Port, Protocol, etc.) then you'll need to work a lot harder than if you put all that data in the .bss or .rsrc of the binary.
If the data is in a static location and you don't need to worry much about offsets, then you can just change the data and forget about it.

Here's a pretty good book on the subject, although it only really covers Linux for the most part.
https://nostarch.com/binaryanalysis
Unfortunately, this is only for the binary analysis part. It also relies a bit on third-party tools like objdump, so if you want a fully self-contained solution for your builder, you might need to homebrew a fair bit.

A decent amount of it can also be ported over to windows if you feel like browsing Microsoft documentation, but again you might need to start relying on homebrew implementations.
#8
(06-20-2021, 09:14 PM)poppopret Wrote: Now, to actually answer...

If you want to build an application from a program, you have two options, really:

1. Write code that modifies the source files of what you are trying to build, then run the toolchain to build the application (and ideally also handle warnings/errors with recognition/suggestions to solve any issues that arise.)
2. Compile a binary with a lot of defaults, then write a builder that modifies the binary directly to change parameters and add/remove code as needed.

Since you mentioned wanting to protect source files in your question, the first option is out of the question, as you would need to provide source files to a client to build from (and you would also need to assume that the client has all the required toolchains on their machine to actually build with.)

Which leaves you with the second option which will work for your purposes, but is much more complicated, at least in C/C++ depending on how you write your code.



First, let's take a look at how QuasarRAT manages to build clients on-the-fly:
https://github.com/quasar/Quasar/blob/ma...Builder.cs

It's not C or C++, rather C# and .NET core libraries for IL and reflection to disassemble/reassemble an application.

Of course, C# can be disassembled really easily, as the actual code is in the runtime and not in the binary itself. But you can get an idea of what it's doing, roughly:

1. Open up the binary and read all its properties/modules
2. Go through the modules and properties and change them as supplied by the user
3. Write the new file to a specified path
4. (Optional) Add extra metadata and perform any final actions on the file

So, you need to be able to do something similar in C/C++, and although there are third-party solutions in some cases, a decent amount of it might be parsing the binary yourself to modify data.

If you are using some sort of reflection in your program to, for instance, put all the information for the socket on the stack (IP Address, Port, Protocol, etc.) then you'll need to work a lot harder than if you put all that data in the .bss or .rsrc of the binary.
If the data is in a static location and you don't need to worry much about offsets, then you can just change the data and forget about it.

Here's a pretty good book on the subject, although it only really covers Linux for the most part.
https://nostarch.com/binaryanalysis
Unfortunately, this is only for the binary analysis part. It also relies a bit on third-party tools like objdump, so if you want a fully self-contained solution for your builder, you might need to homebrew a fair bit.

A decent amount of it can also be ported over to windows if you feel like browsing Microsoft documentation, but again you might need to start relying on homebrew implementations.

Thanks for the detailed reply!

I plan on storing the data some place inside the binary that I can modify. I was thinking about defining a struct for configuration variables since data there would be sequential. How simple would it be to iterate through the binary, look for the struct, then modify the data based on offsets? How could I create such a struct that would be easily locatable?
#9
(06-22-2021, 04:43 AM)cold Wrote: Thanks for the detailed reply!

I plan on storing the data some place inside the binary that I can modify. I was thinking about defining a struct for configuration variables since data there would be sequential. How simple would it be to iterate through the binary, look for the struct, then modify the data based on offsets? How could I create such a struct that would be easily locatable?

Static allocation of any sort.

In C, if you declare your variables without actually initializing them, they'll be stored in .bss for you.
Of course, if you are trying to use an uninitialized variable in your code, then your compiler will likely throw some warnings/errors preventing you from compiling, so you'll need to be a bit creative here.

Initializing said variable will put it in .data which should also be relatively accessible for simply finding a few bytes in a file and changing them.
Consts are typically put into .rdata.

See https://www.geeksforgeeks.org/memory-lay...c-program/ for some actual examples.

As long as the variables are statically allocated (they most likely are), then it should be relatively simple to just read the file header, find the offset for the section you want, (optionally) look for a certain symbol and overwrite a few bytes in the location of your struct.

I wouldn't really answer 'how easy' something is, since at the end of the day you're the one with the code, you're the one compiling the code, and you're the one using any compiler flags that will alter the final product. Take your binary, plug it into a debugger, and find the struct yourself. From there, you can start writing a program that will look for some trace of your struct (whether it be a literal file offset, an offset from .data, or a certain symbol) and then actually try modifying things.

Remember that your compiler might make certain optimizations for the sake of speed, which will break functionality of your binary if you modify a few bytes, for instance:

Code:
int x = 5;
int y = 10;
int z = x + 6;

/* you would expect:
push 5
push 10
mov eax, [esp-4]
add eax, 6
push eax

 * but in reality the compiler might just compile to:
push 5
push 6
push 11

 * or even
push 5
push 6
mov eax, 5
add eax, 6
push eax

*/

You can get around some of this behaviour by using the `volatile` keyword on your struct or using gcc's `-O0` flag.
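Added example (not code from this thread, QuasarRAT, or any other project): the two halves of the approach poppopret describes, in C. The payload side keeps its configuration in one initialised, volatile global so it lands in .data and is read at run time rather than constant-folded; the builder side treats the compiled file as a byte array, scans for a fixed marker at the start of the struct, checks a layout version, and overwrites the fields in place. The struct layout, the marker string `CFGBLK01`, the field names, the hostname `server.example.net` and the 256-byte "file image" with filler bytes are all constructed for this example; a real builder would `fread()` the compiled payload into the buffer instead and `fwrite()` it back out afterwards.

```c
/* Locate-and-patch of a statically allocated config block in a compiled
 * binary. Hypothetical layout, constructed sample data; not from any project. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CFG_MAGIC     "CFGBLK01"   /* 8-byte marker chosen for this example   */
#define CFG_MAGIC_LEN 8
#define CFG_HOST_MAX  64

/* Layout shared by payload and builder. Fixed-width fields plus explicit
 * packing mean the bytes on disk are the same the builder writes, with no
 * compiler-inserted padding to guess at. */
#pragma pack(push, 1)
struct cfg_block {
    char     magic[CFG_MAGIC_LEN]; /* what the builder scans for            */
    uint32_t version;              /* layout version; builder refuses others */
    uint16_t port;                 /* native byte order of the target        */
    uint16_t flags;
    char     host[CFG_HOST_MAX];   /* NUL-terminated                         */
};
#pragma pack(pop)

/* Payload side: initialised global goes to .data; volatile stops the
 * optimiser from folding the default values into the code that uses them. */
volatile struct cfg_block g_cfg = { CFG_MAGIC, 1, 0, 0, "" };

uint16_t payload_port(void)
{
    return g_cfg.port;             /* real load from .data at run time */
}

/* Builder side: byte scan for the marker anywhere in the file image.
 * Returns the file offset or -1. Works whether the block ended up in .data,
 * .rdata or a resource, so no PE/ELF header parsing is needed. */
long cfg_find(const uint8_t *img, size_t len)
{
    if (len < sizeof(struct cfg_block)) return -1;
    for (size_t i = 0; i + sizeof(struct cfg_block) <= len; i++)
        if (memcmp(img + i, CFG_MAGIC, CFG_MAGIC_LEN) == 0) return (long)i;
    return -1;
}

/* Overwrite the fields in place. 0 on success, -1 marker missing,
 * -2 layout version mismatch, -3 host too long for the fixed buffer. */
int cfg_patch(uint8_t *img, size_t len, const char *host,
              uint16_t port, uint16_t flags)
{
    long off = cfg_find(img, len);
    if (off < 0) return -1;
    struct cfg_block blk;
    memcpy(&blk, img + off, sizeof blk);   /* copy out: safe at odd offsets */
    if (blk.version != 1) return -2;
    if (strlen(host) >= CFG_HOST_MAX) return -3;
    blk.port  = port;
    blk.flags = flags;
    memset(blk.host, 0, CFG_HOST_MAX);
    memcpy(blk.host, host, strlen(host));
    memcpy(img + off, &blk, sizeof blk);   /* copy back */
    return 0;
}

/* Read the block back, i.e. what the patched payload would see. */
int cfg_read(const uint8_t *img, size_t len, struct cfg_block *out)
{
    long off = cfg_find(img, len);
    if (off < 0) return -1;
    memcpy(out, img + off, sizeof *out);
    return 0;
}

/* Constructed stand-in for the compiled payload: filler bytes, the default
 * block at offset 100 (as the compiler would emit g_cfg), more filler. */
static uint8_t demo_image[256];

size_t build_demo_image(void)
{
    memset(demo_image, 0x90, sizeof demo_image);
    struct cfg_block def = { CFG_MAGIC, 1, 0, 0, "" };
    memcpy(demo_image + 100, &def, sizeof def);
    return sizeof demo_image;
}

int main(void)
{
    size_t n = build_demo_image();
    printf("marker at offset %ld\n", cfg_find(demo_image, n));
    if (cfg_patch(demo_image, n, "server.example.net", 8443, 1) != 0) return 1;
    struct cfg_block got;
    cfg_read(demo_image, n, &got);
    printf("host=%s port=%u flags=%u\n", got.host,
           (unsigned)got.port, (unsigned)got.flags);
    return 0;
}
```

The version field is what makes this safe to maintain: when the struct changes, bump it, and an older builder refuses to write a layout it does not understand instead of silently corrupting the block. Build the payload with `-O0` or keep the `volatile`, then confirm in a debugger or hex editor that the marker appears exactly once before trusting the scan.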
#10
Hey,

Don't know if it's what you're looking for, but this repo is very nice (the dev behind it knows his stuff in cryp). Just a simple exe to crypt an app and another to execute the crypted app.

https://github.com/hasherezade/pe_to_shellcode