QUESTION about a new idea in malware development

alexa · January 23, 2021, 10:48am

hiiii, this is a question in the field of malware development, i want to ask about a possibility of a technique i thought of, i want to know if it is possible or not, so if we got a loader.exe and a payload.dll, in which the payload.dll contains the shellcode we want to execute, and the loader.exe loads this .dll file into the memory…

is there a way to place the loader’s code inside another legit .dll file inside windows,
for example to inject the following line “PayloadDLL = LoadLibrary(L"Payload.dll”);"
that is takin from the loader.exe and place it inside a function like CreateProcess();
so that when CreateProcess() is called, the following line will be called too “PayloadDLL = LoadLibrary(L"Payload.dll”);"…

the idea here is to load my payload.dll from another .dll file, it can be something different from User32.dll or Kernel32.dll or whatever.

i read an article about a malware that infected a software engineering company, the malware waited for a specific function to be launched and then started executing its code, everyday it did the same…

i dont know that much about api hooking but i can say that i know the basics, the idea may be the same,idk, but we are not unhooking our code at the end.

does this idea about api functions injection work? and thank you !!!

lfontesm · January 23, 2021, 3:09pm

hmm sounds like you are looking for something like system call hooking, try taking a look at it and see if that would help.

The above reading is big so theres also this one

alexa · January 24, 2021, 5:21am

much respect man, although i am familiar with this tech, what i want to achieve is persistence, it is like placing a global hook and not unhooking it so that every time this hooked function is called my code is activated, i am going to try this tech on “messagebox” function and see what will happen, ill post the result .

lfontesm · January 28, 2021, 12:40pm

ahh gotcha. Sorry for the bad answer

blkbeak · January 30, 2021, 3:29am

So 1.) Yes, absolutely. It’s even borderline trivial to do so IMO.
If you insist on carrying this out via hooking, I’d advise you at least do so via IAT on PE files. IAT/EAT methods still remain undetected long past their heyday.

Now, I’d advise you avoid API all together. Try VMT hooking or pointer redirection.
There’s also stack hooking, heap hooking, context hooking, forced exception hooking, and more if you’re explicit on hooking / using messagebox. I’d advise you look into DLL replace/rename leveraged in conjunction with DLL proxying, that’s always a fav for max stealth.

Then you could backdoor PE files via shellcode, module stomping for shell injection, inject .net to unmanaged process, etc.

If learning DLLs or wanting to leverage THAT ONE: look into search order hijacking, phantom DLL hijack, rel path hijack, and WinSxS replacement.

alexa · January 30, 2021, 5:11am

thank you man, i really appreciate your help, but i think i just given up, the big idea is so complicated, and will need more people.
i am building a all in one malware, it is a very nice idea and so complicated one,

till now i built code to detect virtual machines, sandboxes, and debuggers, i built a custom aes 256 encryption / decryption algorithm for the shellcode. and a super nice way to inject it, but i still need to bypass the dynamic analysis, the run time check… so i went to use api hooking technique, same idea as here Bypassing Windows Defender Runtime Scanning but ill use create a process that will hook createprocess (from the av) and then trigger CREATE_SUSPENDED to suspend it. (if i was late to detect createprocess launched by windows defender i will create a remote thread from the last process i created so that i’ll make sure windows defender called createprocess) and then i am going to hook ntcreatefile or some api related to files and ill launch notpad.exe

the reason why is that i want to place my shellcode in notepad.exe, this will get me persistence, in which every time notepad is launched my shellcode is luanched back again.

now the only part that i need help with is with api hooking cz i am not that good using windows api functions, and i searched a lot , for months , and yet no result, but everytime a new idea keeps flushing into my mind and that gives me hope but again i fk up again.

qyq · January 30, 2021, 6:02pm

looks like you understand it better. can i gave a project

alexa · February 1, 2021, 2:28pm

i didnt get it what do you want to do ??