C++ Code Cave Function Template

#define _CRT_SECURE_NO_WARNINGS 

#include
#include
#include

// Calling signature of user32!MessageBoxA, used by RemoteThread to invoke the
// address stored in cavedata::paMessageBoxA.
// NOTE(review): identifiers beginning with a double underscore are reserved
// for the implementation in C++; a project-style name (e.g. MessageBoxA_t)
// would avoid that.
typedef int(__stdcall *__MessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);

// Parameter block handed to RemoteThread. main() copies it raw into the
// target process with WriteProcessMemory, so it must stay plain data: the
// byte layout (256 + 256 + 4 = 516 bytes) is what gets copied, and the only
// "pointer" in it is the function address below.
class cavedata {
public:
char chMessage[256];  // MessageBoxA text, NUL-terminated (filled by strcpy_s in main)
char chTitle[256];    // MessageBoxA caption
DWORD paMessageBoxA;  // address of user32!MessageBoxA resolved in main; DWORD holds only a 32-bit pointer
};

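// Look up the PID of the first running process whose image name equals
// procname (case-sensitive, as the original strcmp was).
// procname: executable name such as "example.exe", compared against
//           PROCESSENTRY32::szExeFile; NULL yields 0.
// Returns the PID, or 0 when the snapshot cannot be taken or nothing matches.
// The original returned whatever th32ProcessID was left in the entry when no
// match was found (i.e. the last process listed), read an uninitialized entry
// if the snapshot failed, and never closed the snapshot handle.
DWORD GetProcId(char* procname)
{
    if (procname == NULL)
        return 0;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);  // must be set before Process32First
    if (Process32First(hSnap, &pe)) {
        do {
            if (strcmp(pe.szExeFile, procname) == 0) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }
    CloseHandle(hSnap);  // single exit: the handle is always released
    return pid;
}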

// Thread entry that runs inside the target process. main() copies this
// function's machine code into the target byte-for-byte rather than loading
// it, which is presumably why the only external call goes through the
// MessageBoxA pointer the caller stored in cData->paMessageBoxA instead of a
// direct (relocated) call.
// cData: the cavedata copy that main wrote into the target, passed as the
//        CreateRemoteThread parameter.
// Returns EXIT_SUCCESS as the thread exit code.
DWORD __stdcall RemoteThread(cavedata *cData)
{
__MessageBoxA MsgBox = (__MessageBoxA)cData->paMessageBoxA;
MsgBox(NULL, cData->chMessage, cData->chTitle, MB_ICONINFORMATION); //call it
return EXIT_SUCCESS;
}


// Entry point of the code-cave template. From a monitoring standpoint the
// chain OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
// WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
// injection pattern, which is exactly what EDR / ETW-based detections key on.
// No return value below is checked: a failed OpenProcess or VirtualAllocEx
// leaves NULL handles/pointers that the following calls use blindly.
int main()
{
// Build the parameter block that will be copied into the target.
cavedata CaveData;
ZeroMemory(&CaveData, sizeof(cavedata));
strcpy_s(CaveData.chMessage, "function called from remote process");
strcpy_s(CaveData.chTitle, "title from codecave");
// Resolve MessageBoxA in this process; the same numeric address is later
// called in the target, which only works if user32 is mapped at the same
// base there (presumably relied on). The (DWORD) cast truncates a 64-bit
// pointer, so this is a 32-bit-only template.
HINSTANCE hUserModule = LoadLibrary("user32.dll");
CaveData.paMessageBoxA = (DWORD)GetProcAddress(hUserModule, "MessageBoxA");
FreeLibrary(hUserModule);

// Target is selected by a hard-coded image name. PROCESS_ALL_ACCESS is far
// broader than the handful of operations below require.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcId((char*)"coreshredder.exe"));
// Code region: RWX, and sized by sizeof(cavedata) (516 bytes) rather than by
// the actual length of RemoteThread -- the byte count copied below is
// unrelated to the function's real size.
LPVOID pRemoteThread = VirtualAllocEx(hProcess, NULL, sizeof(cavedata), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, pRemoteThread, (LPVOID)RemoteThread, sizeof(cavedata), 0);
// Data region: plain RW copy of CaveData, passed as the thread parameter.
cavedata *pData = (cavedata*)VirtualAllocEx(hProcess, NULL, sizeof(cavedata), MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, pData, &CaveData, sizeof(cavedata), NULL);
HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, pData, 0, 0);
// NOTE(review): the thread handle is closed without being waited on and the
// code region is released immediately afterwards; nothing here establishes
// that the remote thread has finished. pData is never released at all.
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteThread, sizeof(cavedata), MEM_RELEASE);
CloseHandle(hProcess);
getchar();  // keep the console window open
return 0;
}

C Code Helper Template

I. XOR string function

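// XOR every byte of `data` with the repeating key `key`.
// data: input bytes (any content, embedded NULs included).
// key:  NUL-terminated key; its length is taken with strlen. The original
//       used sizeof(key), but an array parameter decays to a pointer, so
//       sizeof yielded the pointer size (4 or 8) instead of the key length
//       and silently ignored the rest of the key.
// Returns a string of the same length as data. A NULL or empty key returns
// data unchanged (guards the `% keylen` below against division by zero).
// Applying the function twice with the same key restores the input.
std::string XOR(std::string data, char key[])
{
    std::string xorstring = data;
    if (key == NULL)
        return xorstring;
    const size_t keylen = strlen(key);
    if (keylen == 0)
        return xorstring;
    for (size_t i = 0; i < xorstring.size(); ++i)
        xorstring[i] = static_cast<char>(data[i] ^ key[i % keylen]);
    return xorstring;
}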

II. GetSerialNumber function

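// Format the serial number of the current directory's volume as
// "\nVOLUME INFORMATION: <hex>".
// Returns a pointer to a function-static buffer: valid until the next call and
// not thread-safe. The original returned a pointer to a local array, which
// dangles as soon as the function returns, and formatted an uninitialized
// DWORD when GetVolumeInformationA failed.
LPCWSTR GetSerialNumber(void)
{
    static WCHAR sw[64];
    DWORD ser = 0;  // stays 0 if the query fails (indistinguishable from a real serial of 0)
    // NULL root path selects the volume of the current directory.
    GetVolumeInformationA(NULL, NULL, 0, &ser, NULL, NULL, NULL, 0);
    wsprintfW(sw, L"\nVOLUME INFORMATION: %X", ser);
    return sw;
}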

III. GetComputerName function

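// Format the NetBIOS computer name as "\nLOCAL COMPUTERNAME: <name>".
// Returns a pointer to a function-static buffer: valid until the next call and
// not thread-safe. The original returned a pointer to a local array (dangling
// after return) and passed INFO_BUFFER_SIZE as the buffer length, which need
// not match the 32-element array it actually handed to GetComputerNameW.
LPCWSTR GetComputer(void)
{
    static WCHAR du[64];            // prefix (21 chars) + name (<= 31 chars) + NUL
    WCHAR lu[32] = { 0 };
    DWORD bufCharCount = sizeof(lu) / sizeof(lu[0]);  // element count, as the API expects
    if (!GetComputerNameW(lu, &bufCharCount))
        lu[0] = L'\0';              // format an empty name rather than stale data
    wsprintfW(du, L"\nLOCAL COMPUTERNAME: %s", lu);
    return du;
}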

IV. GetLocalUser function

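// Format the current user's name as "\nLOCAL USERNAME: <name>".
// Returns a pointer to a function-static buffer: valid until the next call and
// not thread-safe. The original returned a pointer to a local array (dangling
// after return) and passed INFO_BUFFER_SIZE as the length of a 32-element
// array, so a name longer than the array, or a mismatched macro, could
// overrun it.
LPCWSTR LocalUser(void)
{
    static WCHAR du[300];           // prefix (17 chars) + name (<= 256 chars) + NUL
    WCHAR lu[257] = { 0 };          // user names are at most 256 characters
    DWORD bufCharCount = sizeof(lu) / sizeof(lu[0]);  // element count, as the API expects
    if (!GetUserNameW(lu, &bufCharCount))
        lu[0] = L'\0';              // format an empty name rather than stale data
    wsprintfW(du, L"\nLOCAL USERNAME: %s", lu);
    return du;
}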

V. GetCurrentPath function

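// Format the full path of the current executable as "\nCURRENT PATH: <path>".
// Returns a pointer to a function-static buffer: valid until the next call and
// not thread-safe. The original returned a pointer to a local array (dangling
// after return), passed sizeof(proc) -- a byte count, twice the real
// capacity -- as the WCHAR count, and formatted into a 255-element buffer
// that cannot hold a MAX_PATH path plus the prefix.
LPCWSTR GetCurrentPath(void)
{
    static WCHAR du[MAX_PATH + 32]; // prefix (15 chars) + path (< MAX_PATH) + NUL
    WCHAR proc[MAX_PATH] = { 0 };
    // Third argument is a count of WCHARs; the API truncates if the path is longer.
    GetModuleFileNameW(NULL, proc, MAX_PATH);
    wsprintfW(du, L"\nCURRENT PATH: %s", proc);
    return du;
}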

VI. GetLocalTime function

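// Format the local time as "\nSYSTEM TIME IS: HH:MM".
// Returns a pointer to a function-static buffer: valid until the next call and
// not thread-safe. The original returned a pointer to a local array, which
// dangles as soon as the function returns.
LPCWSTR GetTime(void)
{
    static WCHAR du[64];
    SYSTEMTIME lt;
    GetLocalTime(&lt);  // cannot fail; fills every field
    wsprintfW(du, L"\nSYSTEM TIME IS: %02d:%02d", lt.wHour, lt.wMinute);
    return du;
}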

VII.  GetLanguage function

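// Format the system default language identifier as
// "\nSYSTEM LANGUAGE CODE: <decimal LANGID>".
// Returns a pointer to a function-static buffer: valid until the next call and
// not thread-safe. The original returned a pointer to a local array, which
// dangles as soon as the function returns.
LPCWSTR GetLanguage(void)
{
    static WCHAR du[64];
    LANGID languer = GetSystemDefaultLangID();
    wsprintfW(du, L"\nSYSTEM LANGUAGE CODE: %d", languer);  // LANGID is a WORD; %d is fine after promotion
    return du;
}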

VIII. GetProcessList function

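// Append src to dst (total capacity cap bytes, *used bytes already in it),
// truncating instead of overflowing; dst stays NUL-terminated.
static void AppendBounded(char* dst, size_t cap, size_t* used, const char* src)
{
    size_t n = strlen(src);
    if (*used + n >= cap)
        n = cap - 1 - *used;   // keep one byte for the terminator
    memcpy(dst + *used, src, n);
    *used += n;
    dst[*used] = '\0';
}

// Build "\nSYSTEM PROCESS LIST: :name1:name2..." from a process snapshot.
// Returns a pointer to a function-static buffer: valid until the next call,
// not thread-safe, and truncated if the list does not fit.
// Fixes vs the original: ps_buffer was never initialized before lstrcat
// appended to it; both buffers were locals, so the returned pointer dangled;
// lstrcat had no bound; the snapshot handle was not checked; the loop called
// Process32Next without Process32First (presumably skipping the first entry);
// and wsprintf silently caps its output at 1024 characters, so the 10000-byte
// buffer could never be used beyond that.
char* GetProcessList()
{
    static char ps_buffer1[10030];
    size_t used = 0;
    ps_buffer1[0] = '\0';
    AppendBounded(ps_buffer1, sizeof(ps_buffer1), &used, "\nSYSTEM PROCESS LIST: ");

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return ps_buffer1;  // header only; nothing could be enumerated

    PROCESSENTRY32 pInfo;
    pInfo.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(snapshot, &pInfo)) {
        do {
            AppendBounded(ps_buffer1, sizeof(ps_buffer1), &used, ":");
            AppendBounded(ps_buffer1, sizeof(ps_buffer1), &used, pInfo.szExeFile);
        } while (Process32Next(snapshot, &pInfo));
    }
    CloseHandle(snapshot);
    return ps_buffer1;
}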

IX. GetProcessByName function

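// Find the PID of the first process whose image name matches pName,
// ignoring case (_stricmp).
// pName: executable name to look for; NULL yields 0.
// Returns the PID, or 0 if the snapshot fails or nothing matches.
// The original called Process32First and then only compared the entries
// returned by Process32Next, so the first entry of the snapshot was never
// examined; it also used the snapshot without checking that it was created.
DWORD GetProcessByName(char* pName)
{
    if (pName == NULL)
        return 0;

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    PROCESSENTRY32 pInfo;
    pInfo.dwSize = sizeof(PROCESSENTRY32);  // must be set before Process32First
    if (Process32First(snapshot, &pInfo)) {
        do {
            if (_stricmp(pName, pInfo.szExeFile) == 0) {
                pid = pInfo.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &pInfo));
    }
    CloseHandle(snapshot);  // single exit: the handle is always released
    return pid;
}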

X. ReadMemory function

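// Copy `size` bytes from `address` in process `pID` into a reusable buffer.
// address: source address in the target (DWORD, so 32-bit targets only).
// size:    number of bytes to read.
// pID:     target process id.
// Returns a pointer to function-static storage that is grown when a larger
// size is requested: do not free it, copy it out before the next call, and
// do not call from several threads. NULL is returned only for size 0 on the
// first call. If the process cannot be opened or the read fails the buffer
// holds zeros rather than stale or uninitialized bytes.
// The original did `static byte* bytes = new byte[size]`, so the allocation
// was sized by the FIRST call forever and any later call with a larger size
// wrote past its end.
byte* ReadMemory(DWORD address, DWORD size, DWORD pID)
{
    static byte* bytes = NULL;
    static DWORD capacity = 0;
    if (size > capacity) {
        delete[] bytes;
        bytes = new byte[size];
        capacity = size;
    }
    if (bytes != NULL)
        ZeroMemory(bytes, size);

    // PROCESS_VM_READ is all ReadProcessMemory requires; the original asked
    // for PROCESS_ALL_ACCESS, far more than this function uses.
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pID);
    if (hProcess != NULL) {
        ReadProcessMemory(hProcess, (void*)address, bytes, size, NULL);
        CloseHandle(hProcess);
    }
    return bytes;
}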

XI. std::string to LPCWSTR function (string to LPCWSTR)

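// Convert an ANSI (CP_ACP) std::string to std::wstring.
// s: source text; the result stops at the first embedded NUL, as the
//    original's std::wstring(buf) did.
// Returns the converted text, or an empty wstring when MultiByteToWideChar
// fails (the original then did `new wchar_t[0]` and read from it).
// The name is historical: the result is an owning std::wstring, and any
// LPCWSTR taken from it with c_str() is only valid while that object lives.
std::wstring string_to_lpwstr(const std::string& s)
{
    const int slength = (int)s.length() + 1;  // include the terminating NUL
    const int len = MultiByteToWideChar(CP_ACP, 0, s.c_str(), slength, 0, 0);
    if (len <= 0)
        return std::wstring();

    std::wstring r(static_cast<size_t>(len), L'\0');  // owns the buffer; no raw new/delete
    MultiByteToWideChar(CP_ACP, 0, s.c_str(), slength, &r[0], len);
    // Drop the converted terminator (and anything after an embedded NUL).
    const std::wstring::size_type nul = r.find(L'\0');
    if (nul != std::wstring::npos)
        r.resize(nul);
    return r;
}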

// Usage example (xored is assumed to be a std::string defined elsewhere).
std::wstring stemp = string_to_lpwstr(xored);
// result points into stemp's buffer: valid only while stemp is alive and unmodified.
LPCWSTR result = stemp.c_str();
XII. char_array_to_lpwstr function

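// Convert a NUL-terminated multibyte char array to a freshly allocated wide
// string.
// characterarray: source text; NULL yields NULL (the original passed NULL
//                 straight into strlen, which is undefined behaviour).
// Returns a heap buffer that the CALLER OWNS and must release with delete[];
// the const in LPCWSTR hides that ownership, so cast it away before deleting.
// On conversion failure mbstowcs_s leaves an empty string in the buffer.
LPCWSTR char_array_to_lpwstr(char* characterarray)
{
    if (characterarray == NULL)
        return NULL;

    const size_t newsize = strlen(characterarray) + 1;  // room for the terminator
    wchar_t* wcstring = new wchar_t[newsize];
    wcstring[0] = L'\0';
    size_t convertedChars = 0;
    // _TRUNCATE: convert as much as fits instead of failing on overflow.
    mbstowcs_s(&convertedChars, wcstring, newsize, characterarray, _TRUNCATE);
    return wcstring;
}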

XIII. GetDebugPrivilege function

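// Enable SeDebugPrivilege on the current process token. Does nothing if the
// token cannot be opened or the privilege name cannot be resolved.
// The original ignored every return value: a failed OpenProcessToken left
// hToken uninitialized and CloseHandle was then called on garbage, and a
// failed LookupPrivilegeValue pushed an uninitialized LUID into the token.
void GetDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return;

    LUID sedebugnameValue;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = sedebugnameValue;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when the privilege is not
        // held by the token; GetLastError() == ERROR_NOT_ALL_ASSIGNED is the
        // real signal, and callers that need certainty should check it.
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    }
    CloseHandle(hToken);
}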