
Trojan Virus
Introduction
Welcome to this new article. Today I will show you how to create a Trojan in 5 minutes; to do this we will make a well-known application, PuTTY (the Windows SSH client), launch a calculator.
In your case you can run anything; the calculator is only used here for my tests and to teach you how to reach the same result.
Trojan:
A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network.
This material comes from the Sektor7 RTO Essentials course:
Backdooring
Steps to add backdoor in EXE:
1- Detect Code Cave
2- Create memory jump
3- Adding your shellcode
First of all you need to know whether the process is 32-bit or 64-bit; you can discover this with the Process Hacker application, which you can download here:
To do this, open the PuTTY exe, and in Process Hacker you will see the PuTTY process like this:

You click it:

Perfect, it is 32-bit; in this case you need to download the x32dbg debugger, and if the process were 64-bit you would need x64dbg.
GitHub – x64dbg/x64dbg: An open-source x64/x32 debugger for windows.
Open APP -> File -> Open -> Putty.exe

Result:

1- Detect Code Cave:
Perfect, now you need to find some empty memory space. To do this you only need to scroll down and look for a region where the values at all the memory addresses are 0000; that means the memory is empty (a code cave).
Code Cave
Now copy the address of the first empty memory location and store it in Notepad; you can do this with: Right click -> Copy -> Address.

In the same location it is recommended to create a breakpoint with: Right click -> Breakpoint -> Toggle

Now go to the Breakpoints section and click the Entry breakpoint.

2- Create memory jump
Now you need to modify the assembler instruction: Right click -> Assemble
And enter this memory jump:
jmp 0xFirst0000Address

Reminder:
First address with 0000 value
What this does is that when the program starts (at the entry point) it jumps to our shellcode, which is stored in the empty memory.
Now you need to change the assembler instructions of the first two empty memory locations.


3- Adding your shellcode
To put in your malicious shellcode you need the executable code in hex; in this case the calc payload is this:

calc32.hex
Now you need to select MANY addresses by scrolling; you need to select more than shown in the screenshot:

Copy hex code
Right click -> Binary -> Edit -> Ctrl+V

Perfect, it is ready.
Right click -> Patches -> Select All-> Patch File

And when I execute it, I get the calculator…

Perfect, our "malicious" code is executed. The problem is that we also need the application we are running (PuTTY) to start, and for this there is a very easy option: after the last instruction of the calculator shellcode, add a jump in assembler that returns to the normal flow. Basically we have to jump to the memory address right after the entry point.
This makes the program run our calculator when it starts, but immediately afterwards the program flow returns to the memory address it would normally go to.
With this we get to run both the calculator (malicious code) and PuTTY.
To do this you only need 2 steps. First, copy the memory address next to the entry point:
If you add one to the entry point address you have the address you are looking for:

Now find the last used memory address (the end of the shellcode) and add the assembler instruction:


And now I execute it…
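As an added defensive example, not part of the original article: a small Python checker for the pattern this procedure produces in a file on disk, an entry point that begins with a 5-byte near jmp whose target lies in a section's null-padded slack. It builds its own constructed sample PE32s inline (assumed layout: one .text section at RVA 0x1000); the "backdoored" sample's cave holds only NOPs and the return jump as placeholders, not real shellcode.

```python
import struct

def build_pe(text: bytes, entry_rva: int, virtual_size: int) -> bytes:
    """Constructed, minimal PE32 with one .text section at RVA 0x1000 (not a real program)."""
    raw_size = (len(text) + 0x1FF) & ~0x1FF
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)       # i386, 1 section
    opt = bytearray(224)                                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                              # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", virtual_size, 0x1000, raw_size, 0x200,
                       0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + text.ljust(raw_size, b"\0")

def parse(pe: bytes):  # -> (entry RVA, [(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)])
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsect, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + opt_size
    return entry, [struct.unpack_from("<8xIIII", pe, table + 40 * i) for i in range(nsect)]

def rva_to_off(secs, rva):
    for vsize, va, rawsize, rawptr in secs:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None

def entry_cave_jump(pe: bytes):
    """Return the jmp target RVA if the entry point is a 5-byte jmp into section padding, else None."""
    entry, secs = parse(pe)
    off = rva_to_off(secs, entry)
    if off is None or pe[off] != 0xE9:                 # E9 rel32 = near jmp
        return None
    target = entry + 5 + struct.unpack_from("<i", pe, off + 1)[0]
    for vsize, va, rawsize, rawptr in secs:
        if va <= target < va + rawsize:
            toff = rawptr + (target - va)
            in_slack = target >= va + vsize            # past VirtualSize: the linker put no code here
            null_run = toff >= 16 and not any(pe[toff - 16:toff])   # cave starts after a run of 00s
            if in_slack or null_run:
                return target
    return None

# Constructed samples: 0x40 bytes of "real" code at the entry point (VirtualSize 0x40), and a
# backdoored variant whose entry is overwritten with a jmp to the cave at RVA 0x1100 (NOPs + jmp back).
CODE = bytes([0x55, 0x8B, 0xEC] + [0x90] * 0x3C + [0xC3])
CLEAN = build_pe(CODE, 0x1000, len(CODE))
patched = bytearray(CODE) + bytes(0x100 - len(CODE))
patched[0:5] = b"\xE9" + struct.pack("<i", 0x1100 - 0x1005)
patched += b"\x90" * 8 + b"\xE9" + struct.pack("<i", 0x1005 - 0x110D)
BACKDOORED = build_pe(bytes(patched), 0x1000, len(CODE))
```

A legitimate entry-point jmp that lands inside the section's VirtualSize next to real code is not flagged, so the check keys on the cave, not on the jmp alone.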

Conclusions
This is the end of the article. I think it has been very interesting and lets you see how attackers create Trojans; I hope you liked it.