Korittke
Member!
~Guide to programming an undetectable trojan dropper~
As many of you know, anti-virus programs suck ass, cause they won't let your victim start the trojan you sent them :/. Well, the best way to avoid this is programming your own small program, since the anti virus program won't detect that executable as a virus/trojan(.dropper). This gives you the chance to kill the antivirus/firewall programs and start the trojan. Doing this in C++ is relatively easy, I won't give out a complete source code thou since this will lead to an addition of the dropper signature to most virus scanners making this practically useless. Build your own dropper with this information and regularly test if it gets detected by various virus scanners.
To do this you only need Microsoft Visual C++ 6.0 (you can grab a 73 MB version off KaZaA).
A function to kill processes by executable name is available here [link removed - Admin]. You will need that to kill the antivirus programs.
The list of virusscanners and firewalls (taken from beast 2.00, thx
) can be downloaded here [link removed - Admin]. It is ready to be used in c++ (as an array of strings).
Here's what our program is supposed to do:
a) Kill all active firewalls and virus scanners
b) Extract the trojan server from the executable resource data
c) Write the trojan file to the harddrive and execute it from there
d) Fake error message
About the trojan server configuration:
- If available, set the 'Melt server after install'-flag
°Starting off°
Create a Win32-Executable project in VC++ and initialize the WINAPI (int WINAPI WinMain...) as the main entry point. Use google and the MSDN to find out about that if you don't already know.
a) Killing firewalls and virus scanners
Load the list of virusscanner/firewall exectuable names into an array of strings and try to kill all of them. Use the given process killer function to do so.
b) Loading the trojan from resource data
After the scanners have been closed you can proceed and inject the trojan into the enemy system. First of all you need to add the trojan server to your executable as a binary resource (custom resource type). you can add a resource sheet with file->new... Then 'import' the server and give the resource type an appropriate name like 'BIN'. Make sure to include that resource script in the file list of your project.
You can load resource data into memory like this:
For IDR_BINARY set the name you have for your trojan server (will be IDR_BINARY1 if you don't change anything). "BINARY" is the resource type name you had to specify. Also don't miss to put <#include "resource.h"> (without <>) to have IDR_BINARY a defined value.
After doing all of that the trojan server data will be saved in data.
c) Writing the trojan to a file and starting it
Now you need to write that data into a file. To do so, use CreateFile, WriteFile and CloseHandle.
Starting the trojan is easy... The easiest way will be the function ShellExecute or even easier WinExec.
d) Fake error message
MessageBox function...
Finally UPX-pack the server and maybe scramble the UPX header to confuse outdated virusscanners. However that isnt needed at all since the signature of our program isnt considered a sign to harmful content anyway.
Notes:
- You can only execute .exe files using functions like ShellExecute. Other extensions won't work (not like in YAB)
- Make sure you have all needed header files included in your source to avoid compiler errors
- For final release, set the active configuration to Win32 Release (Build menu) (do this to drastically reduce the size of the program)
- The result file will be about 20 KB bigger than the original server file
Getting help:
- Use www.google.com
- Use the MSDN library (also available online i think) for looking up functions and their params
- Only post questions here if you're completely screwed and searched/tried stuff for hours.
FAQ:
Q: Will this be easy if I don't know wtf I'm doing?
A: No
Q: Why'd you give so little hints and stuff?
A: i r teh sux ^^
Laters, Korittke
As many of you know, anti-virus programs suck ass, cause they won't let your victim start the trojan you sent them :/. Well, the best way to avoid this is programming your own small program, since the anti virus program won't detect that executable as a virus/trojan(.dropper). This gives you the chance to kill the antivirus/firewall programs and start the trojan. Doing this in C++ is relatively easy, I won't give out a complete source code thou since this will lead to an addition of the dropper signature to most virus scanners making this practically useless. Build your own dropper with this information and regularly test if it gets detected by various virus scanners.
To do this you only need Microsoft Visual C++ 6.0 (you can grab a 73 MB version off KaZaA).
A function to kill processes by executable name is available here [link removed - Admin]. You will need that to kill the antivirus programs.
The list of virusscanners and firewalls (taken from beast 2.00, thx
) can be downloaded here [link removed - Admin]. It is ready to be used in c++ (as an array of strings).Here's what our program is supposed to do:
a) Kill all active firewalls and virus scanners
b) Extract the trojan server from the executable resource data
c) Write the trojan file to the harddrive and execute it from there
d) Fake error message
About the trojan server configuration:
- If available, set the 'Melt server after install'-flag
°Starting off°
Create a Win32-Executable project in VC++ and initialize the WINAPI (int WINAPI WinMain...) as the main entry point. Use google and the MSDN to find out about that if you don't already know.
a) Killing firewalls and virus scanners
Load the list of virusscanner/firewall exectuable names into an array of strings and try to kill all of them. Use the given process killer function to do so.
b) Loading the trojan from resource data
After the scanners have been closed you can proceed and inject the trojan into the enemy system. First of all you need to add the trojan server to your executable as a binary resource (custom resource type). you can add a resource sheet with file->new... Then 'import' the server and give the resource type an appropriate name like 'BIN'. Make sure to include that resource script in the file list of your project.
You can load resource data into memory like this:
Code:
HRSRC hRes = FindResource(NULL, MAKEINTRESOURCE(IDR_BINARY), "BINARY");
HGLOBAL hBinary = LoadResource(NULL, hRes);
unsigned char* data = (unsigned char*)LockResource(hBinary);After doing all of that the trojan server data will be saved in data.
c) Writing the trojan to a file and starting it
Now you need to write that data into a file. To do so, use CreateFile, WriteFile and CloseHandle.
Starting the trojan is easy... The easiest way will be the function ShellExecute or even easier WinExec.
d) Fake error message
MessageBox function...
Finally UPX-pack the server and maybe scramble the UPX header to confuse outdated virusscanners. However that isnt needed at all since the signature of our program isnt considered a sign to harmful content anyway.
Notes:
- You can only execute .exe files using functions like ShellExecute. Other extensions won't work (not like in YAB)
- Make sure you have all needed header files included in your source to avoid compiler errors
- For final release, set the active configuration to Win32 Release (Build menu) (do this to drastically reduce the size of the program)
- The result file will be about 20 KB bigger than the original server file
Getting help:
- Use www.google.com
- Use the MSDN library (also available online i think) for looking up functions and their params
- Only post questions here if you're completely screwed and searched/tried stuff for hours.
FAQ:
Q: Will this be easy if I don't know wtf I'm doing?
A: No
Q: Why'd you give so little hints and stuff?
A: i r teh sux ^^
Laters, Korittke
