[C++] Programming an undetectable trojan dropper

Discussion in 'Chat & Discuss' started by Korittke, Jun 21, 2003.

  1. Korittke

    Korittke Member!

    ~Guide to programming an undetectable trojan dropper~

    As many of you know, anti-virus programs suck ass, because they won't let your victim start the trojan you sent them :/. Well, the best way to avoid this is programming your own small program, since the anti-virus program won't detect that executable as a virus/trojan (.dropper). This gives you the chance to kill the antivirus/firewall programs and start the trojan. Doing this in C++ is relatively easy. I won't give out a complete source code though, since this will lead to an addition of the dropper signature to most virus scanners, making this practically useless. Build your own dropper with this information and regularly test if it gets detected by various virus scanners.

    To do this you only need Microsoft Visual C++ 6.0 (you can grab a 73 MB version off KaZaA).
    A function to kill processes by executable name is available here [link removed - Admin]. You will need that to kill the antivirus programs.
    The list of virus scanners and firewalls (taken from Beast 2.00, thx :D) can be downloaded here [link removed - Admin]. It is ready to be used in C++ (as an array of strings).

    Here's what our program is supposed to do:
    a) Kill all active firewalls and virus scanners
    b) Extract the trojan server from the executable resource data
    c) Write the trojan file to the harddrive and execute it from there
    d) Fake error message

    About the trojan server configuration:
    - If available, set the 'Melt server after install'-flag

    °Starting off°
    Create a Win32-Executable project in VC++ and initialize the WINAPI (int WINAPI WinMain...) as the main entry point. Use google and the MSDN to find out about that if you don't already know.

    a) Killing firewalls and virus scanners
    Load the list of virus scanner/firewall executable names into an array of strings and try to kill all of them. Use the given process killer function to do so.

    b) Loading the trojan from resource data
    After the scanners have been closed you can proceed and inject the trojan into the enemy system. First of all you need to add the trojan server to your executable as a binary resource (custom resource type). You can add a resource sheet with File->New... Then 'import' the server and give the resource type an appropriate name like 'BIN'. Make sure to include that resource script in the file list of your project.
    You can load resource data into memory like this:
    Code:
    HRSRC hRes = FindResource(NULL, MAKEINTRESOURCE(IDR_BINARY), "BINARY");
    HGLOBAL hBinary = LoadResource(NULL, hRes);
    unsigned char* data = (unsigned char*)LockResource(hBinary);
    
    For IDR_BINARY set the name you have for your trojan server (will be IDR_BINARY1 if you don't change anything). "BINARY" is the resource type name you had to specify. Also don't forget to put <#include "resource.h"> (without <>) to have IDR_BINARY as a defined value.
    After doing all of that the trojan server data will be saved in data.

    c) Writing the trojan to a file and starting it
    Now you need to write that data into a file. To do so, use CreateFile, WriteFile and CloseHandle.
    Starting the trojan is easy... The easiest way will be the function ShellExecute or even easier WinExec.

    d) Fake error message
    MessageBox function...

    Finally UPX-pack the server and maybe scramble the UPX header to confuse outdated virus scanners. However, that isn't needed at all, since the signature of our program isn't considered a sign of harmful content anyway.

    Notes:
    - You can only execute .exe files using functions like ShellExecute. Other extensions won't work (not like in YAB)
    - Make sure you have all needed header files included in your source to avoid compiler errors
    - For final release, set the active configuration to Win32 Release (Build menu) (do this to drastically reduce the size of the program)
    - The result file will be about 20 KB bigger than the original server file

    Getting help:
    - Use www.google.com
    - Use the MSDN library (also available online, I think) for looking up functions and their params
    - Only post questions here if you're completely screwed and searched/tried stuff for hours.

    FAQ:
    Q: Will this be easy if I don't know wtf I'm doing?
    A: No
    Q: Why'd you give so little hints and stuff?
    A: i r teh sux ^^

    Laters, Korittke
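A defender-side check for the pattern described in this post (a payload executable stored verbatim as a binary resource of the outer program). This is an added example, not code from the post: it parses only the DOS and PE signatures, so it is a heuristic, and the sample bytes at the bottom are constructed rather than a real binary.

```python
"""Heuristic scan for executables that carry a second PE image inside them."""
import struct
from typing import List, Optional

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def pe_header_offset(data: bytes, base: int) -> Optional[int]:
    """Offset of the PE signature for a DOS header starting at `base`, or None."""
    if data[base:base + 2] != MZ or len(data) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]  # DOS header field
    pe_off = base + e_lfanew
    if pe_off + 4 > len(data) or data[pe_off:pe_off + 4] != PE_SIG:
        return None
    return pe_off


def find_embedded_pe(data: bytes) -> List[int]:
    """Offsets of every well-formed PE image found after the outer file's own header."""
    outer = pe_header_offset(data, 0)
    if outer is None:
        return []  # not a PE file at all
    hits = []
    pos = data.find(MZ, outer + 4)
    while pos != -1:
        if pe_header_offset(data, pos) is not None:
            hits.append(pos)  # a second DOS/PE header pair: dropper-style embedding
        pos = data.find(MZ, pos + 1)
    return hits


def make_fake_pe(pad: bytes = b"") -> bytes:
    """Minimal, non-executable DOS/PE header pair for testing (constructed data)."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows DOS header
    return bytes(dos) + PE_SIG + b"\x00" * 20 + pad


OUTER = make_fake_pe(b"A" * 64)                                # plain program
DROPPER_LIKE = OUTER + b".rsrc" + make_fake_pe(b"B" * 32)      # payload after resource marker

if __name__ == "__main__":
    print("clean:", find_embedded_pe(OUTER))
    print("dropper-like:", find_embedded_pe(DROPPER_LIKE))
```

Packed or encrypted payloads will not show a second header, so this only catches the plain embedding the post describes; pair it with the process-kill behaviour as a second indicator.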
     
  2. _CM

    _CM Respected Member

    hehe nice, great work Korittke, we love ya :p haven't tried it yet but I will if I get the time to .... u can sticky it ;)
     
  3. Starfish

    Starfish Member!

    Korittke = Knows a lot of shit about everything
    Starfish = Doesn't know what the **** Korittke is trying to teach him

    ~EDIT: Nice job man ;-)
     
  4. drastik

    drastik Member!

    C++ is too advanced for most newbs here; they could use Visual Basic, which is hella easier :) Visual Basic can also be downloaded from KaZaA..... (damn, u can get anything from KaZaA)
     
  5. Korittke

    Korittke Member!

    "u can sticky it "
    I think this information is useful to 10% of the users here at the most, so no sticky atm ^^
    I wouldn't suggest doing this in Basic btw