Need Advice on Writing Amateur Malware
#11
Golang can have larger binaries when compiled, so unless you don't mind a larger file size, it could be an option.

C is on any Windows device, so in terms of compatibility, it's the best. It can take some time to learn; however, providing you have a good work ethic, you can get yourself pretty good at C in not too long. C# is an option for malware, I myself know 0 C and do semi-fine, but it really is ideal to know a low-level language.
Reply
#12
(07-18-2021, 08:05 AM)DreamDev Wrote:
(07-18-2021, 06:24 AM)Vector Wrote:
(07-18-2021, 05:47 AM)DreamDev Wrote: Thank you for your answers. There is a chance to make exes from Ruby projects. Probably I will use these services: https://lolbas-project.github.io/

That's all perfectly fine and good, but if you aspire to be a MalDev or Reverse Engineer (or both), or at the very least plan on filling most of your days with the study and practice of these disciplines, my suggestion to you would be to try to start learning the low level langs sooner rather than later.

Thank you. Is Golang good, or is C better, or a lower-level language? Please show me the road.

Completely depends on what you value in a language. I personally used to shill it a lot, but the more I used it, the more I realized how much of a schizo Rob Pike is.

(07-18-2021, 08:45 AM)Incog Wrote: Golang can have larger binaries when compiled, so unless you don't mind a larger file size, it could be an option.

C is on any Windows device, so in terms of compatibility, it's the best. It can take some time to learn; however, providing you have a good work ethic, you can get yourself pretty good at C in not too long. C# is an option for malware, I myself know 0 C and do semi-fine, but it really is ideal to know a low-level language.

C is on any CPU actually.
Reply
#13
Hey,

The best fileless rootkit on GitHub is here, check it out: https://github.com/bytecode77/living-off-the-land
Reply
#14
(07-23-2021, 01:39 PM)jean_valjean Wrote: Hey,

The best fileless rootkit on GitHub is here, check it out: https://github.com/bytecode77/living-off-the-land

Out of curiosity, how would this behave in something like a sandbox? It would still use virtual alloc funcs and all that crap which usually trigger behavioral analysis. Also, it mentions having persistence with the registry; comparing a clean registry to the current one would also trigger a detection.

I have not analyzed much malware yet, but wouldn't other methods that were out there, like storing a rootkit in the UEFI or whatever, be way more powerful and more difficult to detect?
Reply
#15
(07-23-2021, 05:25 PM)enmafia2 Wrote: Out of curiosity, how would this behave in something like a sandbox? It would still use virtual alloc funcs and all that crap which usually trigger behavioral analysis. Also, it mentions having persistence with the registry; comparing a clean registry to the current one would also trigger a detection.

inaccurate, all kinds of software that runs at startup or saves user settings to the registry would then trigger a 'detection' (hint: there's a lot of them)
as for `VirtualAllocEx()` and other similar functions, it might trigger heuristic detections (especially if it's modifying memory of a process with a different handle), but keep in mind that it also needs enough privileges to actually modify that segment of memory (`PROCESS_VM_OPERATION` if you wanna be specific), and heuristics aren't always the be-all end-all.

(but yes the runpe is fairly basic, although it does get the job done efficiently.)

(07-23-2021, 05:25 PM)enmafia2 Wrote: I have not analyzed much malware yet, but wouldn't other methods that were out there, like storing a rootkit in the UEFI or whatever, be way more powerful and more difficult to detect?

wat
Reply
#16
(07-24-2021, 07:39 AM)poppopret Wrote:
(07-23-2021, 05:25 PM)enmafia2 Wrote: Out of curiosity, how would this behave in something like a sandbox? It would still use virtual alloc funcs and all that crap which usually trigger behavioral analysis. Also, it mentions having persistence with the registry; comparing a clean registry to the current one would also trigger a detection.

inaccurate, all kinds of software that runs at startup or saves user settings to the registry would then trigger a 'detection' (hint: there's a lot of them)
as for `VirtualAllocEx()` and other similar functions, it might trigger heuristic detections (especially if it's modifying memory of a process with a different handle), but keep in mind that it also needs enough privileges to actually modify that segment of memory (`PROCESS_VM_OPERATION` if you wanna be specific), and heuristics aren't always the be-all end-all.

(but yes the runpe is fairly basic, although it does get the job done efficiently.)

(07-23-2021, 05:25 PM)enmafia2 Wrote: I have not analyzed much malware yet, but wouldn't other methods that were out there, like storing a rootkit in the UEFI or whatever, be way more powerful and more difficult to detect?

wat

I did not mean that regular AVs would detect it as malware if you create or modify the registry, but most sandboxes which compare two snapshots of the registry will flag it as a warning. As for the second thing, I was referring to LoJax or similar samples that were found in the wild.
Reply
#17
(07-25-2021, 07:41 PM)enmafia2 Wrote: I did not mean that regular AVs would detect it as malware if you create or modify the registry, but most sandboxes which compare two snapshots of the registry will flag it as a warning. As for the second thing, I was referring to LoJax or similar samples that were found in the wild.

warning is the keyword (heuristics vs actual detection)

also, in that document it specifically says it targets UEFI that's misconfigured, as it should be impossible in most cases to dump/overwrite (U)EFI firmware without physical access to the SPI chip itself (try installing libreboot to see what I mean; it involves actually shorting pins on the mobo).

it was possible for LoJax to work because most of the security options weren't enabled by default when the samples were discovered, and it also had a kernel-mode driver which needed to be run to actually read the data of the firmware filesystem

also:
Quote: [...] the tool to dump, patch and write to the SPI flash memory is customized for a particular firmware image and cannot be re-used easily on any given system
~ from 5. LoJax Technical Analysis

in other words, too many preconditions need to be met to actually overwrite UEFI firmware, making it unrealistic to implement in something that's made for larger scales like LotL
Reply
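The snapshot comparison enmafia2 describes in #16 and the "warning vs. actual detection" distinction from #17, as an added example that is not part of any post here nor code from the linked project: two constructed registry snapshots are diffed, and changes under autostart keys are separated out as heuristic warnings rather than verdicts. All key paths, value names and file paths are constructed sample data.

```python
# Added example, not code from the thread or from the linked project: a minimal
# form of the "compare two registry snapshots" check that sandboxes run.
# Snapshots are constructed dicts standing in for exported hives:
# key path -> {value name: data}.

# Autostart locations a sandbox treats as persistence-relevant (constructed subset).
AUTOSTART_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

def diff_snapshots(before, after):
    """Return (change, key, value_name, data) for every value that was
    added, removed or modified between the two snapshots."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("added", key, name, new[name]))
            elif name not in new:
                changes.append(("removed", key, name, old[name]))
            elif old[name] != new[name]:
                changes.append(("modified", key, name, new[name]))
    return changes

def classify(changes):
    """Split changes into 'warning' (a value added or changed under an autostart
    key) and 'info' (ordinary noise such as saved user settings). A warning is a
    heuristic signal for an analyst to correlate, not a malware verdict."""
    warnings, info = [], []
    for change in changes:
        kind, key = change[0], change[1]
        if kind != "removed" and key.startswith(AUTOSTART_PREFIXES):
            warnings.append(change)
        else:
            info.append(change)
    return warnings, info

# Constructed sample snapshots, not real registry data.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SETTINGS_KEY = r"HKCU\Software\SomeEditor\Settings"
BEFORE = {RUN_KEY: {"OneDrive": r"C:\Users\u\OneDrive.exe"},
          SETTINGS_KEY: {"Theme": "light"}}
AFTER = {RUN_KEY: {"OneDrive": r"C:\Users\u\OneDrive.exe", "Updater": r"C:\sample\dropped.exe"},
         SETTINGS_KEY: {"Theme": "dark", "LastFile": "notes.txt"}}
```

Calling `classify(diff_snapshots(BEFORE, AFTER))` yields one warning (the new Run value) and two info entries (the editor's saved settings), which is exactly the noise the thread says a naive "any registry change" rule would drown in.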
#18
Thank you, everybody. I learned new things. Does anybody know good droppers? I just want to show my skills.
Reply
#19
(07-29-2021, 02:57 AM)DreamDev Wrote: Thank you, everybody. I learned new things. Does anybody know good droppers? I just want to show my skills.

most malware already has its own ways of delivering additional payloads. some are fairly homebrew, some use ideas or small samples of past droppers. the only time people want a dedicated dropper is if initial payload size actually matters, or if they know delivering an actual binary (PE/ELF) will trigger some sort of detection rule.

SmokeLoader is probably what you want to be looking at.
not much out there for actual source files, but look hard enough and you might find some binaries to take apart yourself, and lots of documentation based on past analysis.

check GitHub too for people's attempts.
Reply