A guide to building basic malware in Python by implementing a keylogger application. If you want even more detail on the Project view my Youtube Series linked here.
This repository is made for the purpose of learning how basic malware can be created, obfuscated, and then deobfuscated for malware analysis. Through this repository, a fully working keylogger with the ability to exfiltrate data as well as persist on host machines will be presented. In addition to this, it will be shown how to bypass Windows Defender, a native Windows anti-virus software.
This repository is soley presented for the sake of learning. Do not use anything from this repository for malicous purposes. Replication of this repository for malicous use on a computer or system that you do not own is strictly prohibited!
The first step is to download the Python programming language on to your computer. The link to the python download page is here. Select Windows, Linux/UNIX or macOS and download the latest version of Python. Note: When installing Python make sure to add to PATH.
Pynput is an external module not included in the default installation of Python. Pynput allows a program to take in a user's key presses. To install Pynput, go to the command prompt in Windows or the terminal in Linux or macOS. Once in the command prompt/terminal, run:
pip install pynput
After implementing this part of the keylogger, the program will take in key presses from the user and log them to a text file where the key presses can be later retreived. If you are wanting further explanation of how the code itself works, visit my youtube video linked here.
The code can be found in the Code folder as malware_part_1 or in the link below:
Searching in Google with Keylogger running:
The resulting contents of of the log.txt file:
This section is explained in greater detail in the corresponding Youtube linked here.
The current state of the keylogger saves user key presses to a log.txt file, but does not do anything with that log file. To exfiltrate the log.txt file we are going to use email. A fake email must be created, so the keylogger can login to this email and then send the log.txt file to an email of your choosing. The email() function must be added and called as it is in the code linked below:
After downloading the code, within the email() function; the email_user, email_password, and email_send variables must be filled in with corresponding values explained in the comments.
After running this updated code and typing in 50 keys or pressing the escape key, the email will be sent from the new email to the email specified. The email will look as follows:
Persistance is the ability to maintain access to a computer or computer system across reboots. If the victim that has malware on their computer shuts down their machine, persistance built into the malware would allow it to survive the shut down and reboot upon the next start up. One way to accomplish this on Windows, is by editing the registry keys. Registry keys define a large amount of system information that Windows references. If able to create a new registry key value, one could change the way the Windows machine behaves. Lets take a look at how registry keys are stored:
To access the Windows Registry:
Hold the Windows button and press R
This will then open the run prompt. To access the Windows Registry type:
regedit
Once in the Registory Editor you will see a similar screen to the image below. Registry keys are laid out in a folder-like structure, so the folders you see here are the top folders, also known as registry hives.
To get to the registry key that is used to specify applications that run on startup, go down the following file path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This will reveal all of the programs that run on boot, and the goal of adding persistance to the keylogger is to add a new registry key value in this folder that allows our malware to relaunch on boot.
To actually get the keylogger to make a new registry key value inside that folder, implement the Add_To_StartUp() function as well as call it as is shown in the following code:
After running this code, if you go back to the Registry editor under the same Run folder, you will see the new "Windows_Sys" program, which means it has been successfully added to startup.
This section will detail how to obfuscate the malware-part-2 code using both binary obfuscation and XOR obfuscation in the attempt to bypass anti-virus software. In addition to this, it will illustrated how to compile a python program into an executable file.
This section is explained in greater detail in my corresponding youtube video linked here.
PyInstaller is a program that allows a python program to be compiled into an executable, so a victim machine is not required to have python or external modules used downloaded. To install open the command prompt/terminal and type the following command:
pip install pyinstaller
This will download the program and allow it to be used.
To then create an executable for malware-part-2, move into the directory in which the file sits, and run the following command:
python -m PyInstaller --noconsole malware_part_2.py
After completing this a new folder should be created inside a "dist" folder. Once going inside the "dist" folder you will see a malware_part_2 folder, this is the folder you need. The following is a picture of such a folder:
Click on the malware_part_2 folder and you should see the executable, highlighted, as well as all of its dependencies as below:
You can now simply double click on the highlighted executable and the program will run as it normally did before. This will work on any Windows machine regardless of if they have python installed!
One possible way to try to obfuscate source code is to transform it into binary, 1's and 0's. You will need a program such as binary-obfuscator to create a binary string that represents your source code.
After running this code, you will be presented with a binary string that looks like the following:
This string is what you need to actually run an obfuscated version of your code. You will need to dowload the binary-obfuscation program and then plug in the binary string into the "binary" variable as follows:
After plugging this in, the program will run as it normally did in the malware-part_2 program, but the source code is now hidden using basic binary obfuscation. This can be majorly improved adding more complexity on top of this, but we will stop here for the sake of the example.
Another way to implement obfuscation is through encrypting your code and then decrypting it on run time. A great, easy way to do this is by using XOR encryption. The XOR operation simply compares two different binary groupings. The operations are as follows in the table:
As seen, the same key in XOR operations can be used to encrypt and decrypt data, meaning this is a symmetric encryption method.
Similar to how the binary obfuscation was done, we will need a program that encrypts our code to give us our ciphertext and key, and then we will plug in this ciphertext and key in to another program that will actually run the obfuscated program and decrypt our code at run time.
The XOR-encrypter program will give the cipher text and 100 digit key that is needed. After running the encrypted code, it will appear as follows:
The 100 digit, symmetric key will appear as follows:
After retreiving the encrypted code and the key, then plug these into the xor-obfuscation file to be able to run the obfuscated program. The code and key will need to be plugged in as is shown below:
Upon plugging in the encrypted code and the key, the program is ready to be ran and will decrypt the code at run time and give the same functionality as the unobfuscated program.
We now need to compile our binary_obfuscation and xor-obfuscation as we did with the malware-part_2 program using PyInstaller.
Retrace the steps taken in the Installing PyInstaller section to form an exexutable for each program. The command should look similar as below with the correct file name inputted:
python -m PyInstaller --noconsole [file_name]
VirusTotal is an awesome online tool where a malicous file can be uploaded and it will run it through various anti-virus software to see if it flags as malicous. It is often used as a way to test suspicous files, but can also be utilized by malware authors.
The link to the website is here.
To test the different programs, simply select the executable file from within the folder that PyInstaller created and upload!
I got the following results:
malaware_part_2 (unobfuscated)
binary_obfuscation
obfuscation_xor
This shows the huge impact that obfuscation can have on malware authors getting their malware past anti-virus software!
For the most part in this project, we have discussed offensive methods of creating malware to better understand how malware is built and how it interacts with detction systems such as antivirus software. In this section, we will take a defensive stance and conduct malware analysis, both static and dynamic.
Dynamic analysis gathers information about malware and its behavior through live execution of the sample. This is often done in a sandboxed environment or virtual machine to prevent infection of the host computer or propagation through the network.
Download the following Dynamic Analysis tools:
Autoruns is a software tool that allows you to clearly see registry key values and especially programs that are set to run on boot. This tool can help find malware that is implementing persistance measures or changing other registry keys in a Windows environment.
Here is an Example of what a malicous program may look like in Autoruns:
As seen above, the key values for different registry keys are shown that correlate with programs that auto start on boot. We have many normal autoboot programs such as: CiscoSpark, EpicGamesLauncher, and Steam. One program that immediately stands out, is the Windows_Sys program. While it may sound like a Windows underlying system process, it is actually our malicous keylogger program from earlier. Some evidence of it being malicous is that fact that it does not have a verified publisher, and the virus total scan came back with 25 antivirus softwares that flagged it as malicous, since I scanned the unobfuscated version here. (Yes, Autoruns checks VirusTotal too!)
Process Explorer is a software tool that allows you to monitor all programs/processes that are actively running on your machine in Windows. It is essentially a very much expanded task manager. One of the really awesome features of Process Explorer is that you can check the properties of any active program on your system. Included in these properties is the performance of the program, i.e. CPU priority and read and write information; TCP/IP information such as where a program may be connecting back too; and string data that is found in the actual executable.
Here is an example of what Process Explorer's main page looks like:
As seen above, you can see lots of information about each program running on the host machine. If you look towards the bottom of the list, you can see the malicous malware_part_2.exe, not very stealth. You can also see that just like Autoruns, Process Explorer also checks the VirusTotal score for each item found, and the malware_part_2.exe gives a score of 25 out of 71.
To take the analysis another step further, we can take a look at the properties associated with the malware_part_2.exe program and get an idea of what the malware is doing.
Below we see the Performance Tab under Properties:
This shows us the performance details associated with the live execution of the malicous program. I/O stands for input/output, which measures the read and write information that occuring from the execution of the program, such as a program reading information from a file or writing information to a file. Here you can see that there is some reading and writing taking place. During this screenshot, I was actively typing, which was leading to a high amount of write data. It seemed that every key press was adding another write to the tally, and that every so often it would write information out somewhere. This is a huge indicator that keys in some way are being logged, which points to keylogging malware.
This read and write activity can also be expressed in a graph form via the Performance Graph as seen below:
The spikes in the I/O section marks the times that keys were being pressed and that those keys were being written to a file somewhere. The faster the typing the higher the spike. This is just another visualization that helps us conclude what the malware is doing.
Next under the TCP/IP tab, Process Explorer allows us to see if and where a certain malware sample may reach out to on the internet to possibly exfiltrate data or talk back to. This is seen below:
Every so often as I would press keys, the malware would connect out from my local computer to a remote address on the internet. As we can see above it is going out to an address, 64.233.185.108 on port 587. The use of port 587 is very important as it is used for SMTP traffic. SMTP stands for the Secure Mail Transfer Protocol, which is used to send email messages. We can now conclude through our analysis so far that the malware sample being tested is a keylogger that writes each key press out to a file somewhere on the host computer, and then every so often reads that file and emails it out to someone, probably the attacker.
Last but not least for Process Explorerer, you can also view Strings found in the executable. Here are some strings I found below:
This string, 'python310.dll', lets us know that this executable is a Python executable and running python 3.10. Fun Fact: There is only a couple ways to make an executable out of Python code this way, being PyInstaller and Py2Exe.
This shows a bunch of strings that contain 'pynput'. Pynput is a module in Python, as used before, that captures key presses. Adding even more evidence that this malware is a keylogger.
RegShot is a tool that allows you to take a snapshot of your machine before executing the malware and after to see what files and registry keys have changed, been removed, and added.
The view below is where you take your 1st shot and then your second shot:
The image below is the resulting comparison of the two shots, giving you what as changed (you can clearly see that the malware program has added itself to the registry keys to run at boot) :
Static Analysis gathers information from a program while it is in rest, or not executing. Some static analysis tools include:
While all of these are great tools we are mainly going to just look at HxD, rather than dnSpy and PeStudio. These two are great for C derivitive executables, but not as useful for Python executables.
HxD is a hex editor that allows you to see inside of an executable. You can actually see the compiled representation of the program. The image below depicts how the hex representation is shown on the left and decoded text on the right:
This hex and decoded text can actually be searched for particular strings that may represent certain functionalities and/or features.
Reverse Engineering is the act of taking an executable or program and getting it back to its original source code or gaining insight into how a program is structured.
The tools needed for this includes:
Unfortunately in Python 3.9 and 3.10, there is currently no compatible decompilers for Python executables, so I used a seperate virtual machine to test it in an older version of Python 3.6 (anything before 3.9 will work).
First we will use the python-exe-unpacker to unpack the malicous program (this time we will use the obfuscated program). You will want to move the malicous program into the same folder in which the python_exe_unpack.py is located. Go to the command prompt, CMD, and type:
python python_exe_unpack.py -i [file to unpack] -o [output folder]
After doing this, you should have a brand new output folder, in my case I named the folder 'unpacked' as seen below:
Once clicking into the output folder, "unpacked", you will see a folder that has the name of the malicous file that was unpacked. Click into this folder and all of the unpacked components of the executable will be in there.
Unfortunately this isn't enough to get us the source code back in its original form. We need to get the obfuscation_xor file listed below to be a compiled file and then we will need to decompile that file.
To get this obfuscation_xor file to a compiled file we just need to simply add what is called a magic number to the beginning of the hex value in HxD. The magic number in python is a value that all .pyc files share that were compiled together. This value is listed at the very beginning of the file, so all we have to do is copy it from a .pyc file that was compiled at the same time as the malicous file. Lucky for us we just unpacked a whole bunch of .pyc files with the obfuscation_xor file.
Select the pycache folder and then the .pyc file and put it into the HxD program:
After pulling up the .pyc file in the hex editor, copy the text highlighted in blue from position 00 to 0B. This is the magic number. Copy this value. See below:
Now paste this value into the obfuscation_xor file as below and save the file:
We can simply just add the .pyc extension to the obfuscation_xor file to make it obfuscation_xor.pyc
Now we need to use uncompyle6 to actually decompile the obfuscation_xor file. Use the following command inside the python-uncompyle6-master folder:
uncompyle6 -o [output folder] [pyc file to decompyle]
After completing this command, you should receive output that says, "Successfully decompiled file". Now there should be a folder called "decompile" that has the orginally source code in it as seen in the pictures below:
