Create Malware

in #powershell13 days ago

Disclaimer: This article is for educational and research purposes only. Do not use the information herein for illegal activities. The author is not responsible for any misuse.

Head of the seasons :

  • Why is PowerShell suitable for writing malware ?

  • How to create malware with PowerShell programming language ?

  • Hide the window when executing a command

  • Malware panel

  • Antivirus bypass

  • Output

  • Summary

  1. Why is PowerShell suitable for writing malware ?

PowerShell is an official and built-in Windows tool and does not require any prerequisite installation, which is why it has attracted the attention of malware writers. Security systems such as firewalls, antivirus, etc. do not specifically monitor PowerShell, but other programming languages ​​such as Python are detected by antivirus.

  1. How to create malware with PowerShell programming language ?

We use the Invoke-Expression command in PowerShell to execute PowerShell commands. In C, Python, etc., cmd and PowerShell commands are also available.

The output of this command is the contents of the path where the malware was executed.
But this command has a problem: sometimes, when executing commands, it displays a special window that causes malware to not hide, which we will discuss below...

  1. Hide the window when executing a command

To fix the problem of the window appearing, we use the Start-Job or Start-Process command, which we will review use together below.

Start-Job
[-Name ]
[-Credential ]
-LiteralPath
[-Authentication ]
[[-InitializationScript] ]
[-WorkingDirectory ]
[-RunAs32]
[-PSVersion ]
[-InputObject ]
[-ArgumentList <Object[]>]
[] [......]
Start-Process
[-FilePath]
[[-ArgumentList] <string[]>]
[-Credential ]
[-WorkingDirectory ]
[-LoadUserProfile]
[-NoNewWindow]
[-PassThru]
[-RedirectStandardError ]
[-RedirectStandardInput ]
[-RedirectStandardOutput ]
[-WindowStyle ]
[-Wait]
[-UseNewEnvironment]
[-Environment ]
[-WhatIf]
[-Confirm]
[] [.....]

  • powershell: Run new PowerShell.
  • -ArgumentList: Arguments given to PowerShell.
  • -WindowStyle Hidden: Run completely hidden without opening a window. ls > $outputFile: Redirect output to file (because in hidden execution we cannot get output directly
  • Start-Sleep: To pause, as if the program is stopped
  • -Seconds 2: To pause for 2 seconds
  • Get-Content: To get the contents of the file
  • $env:temp : environment variable is the path to the Windows temporary folder (for example: C:\Users\Username\AppData\Local\Temp)
  • "$env:temp\out.txt": is the full path to the output file where we want to write the output of a command, for example.

  • Start-Job: Run the script block {} in the background.
  • Wait-Job: Wait for the job to finish.
  • Receive-Job: Receive the job output.

Advantage: You can get the output directly in a variable.

For more information and to see more switches, visit the addresses below.

Start-Job

Start-Process

  1. Malware panel

The malware needs a panel to receive commands from you. There are different panels including web, Telegram bot, Flutter, etc. We will talk about the types of panels in the following articles.

  1. Antivirus bypass

There are many techniques for bypassing antivirus, including Process Hollowing, Fileless, Inject, etc., each of which requires expertise in the writing malware field. Below, we will examine one of the common and easy techniques.

Obfuscation

In this type of technique, we obfuscate PowerShell codes, meaning we make it so that the antivirus does not notice this code and bypasses it.

Command encryption, decryption, and execution

Pasted command letters. Another syntax for the Invoke-Expression command is the iex command.

To execute a string (command), we use the & command.

  1. Output

Once we have written our PowerShell malware, we need to compile it or use different techniques like hta files or Bad USB, etc. to infect the target system.

  1. Summary

In this article, we learned how to run PowerShell commands in the background and bypass antivirus, etc. If there is enough support, I will post longer and better articles such as malware analysis, autominer, fileless technique, process hole, creating a Telegram panel, Android, web, etc. I hope you enjoyed this article, until the next article goodbye ♥️

If you have any questions, you can refer to this Telegram address.

@Malcorex

Posted Using INLEO

#antivirus bypass #Malware #obfuscation #Malcorex
13 days ago in #powershell by
$0.00
    1 vote
    • and 1 more
    Reply 2
    Sort:  
  • Trending
    • [-]
     12 days ago  

    Hello Malcorex!

    Welcome to Hive. Bunch of information I don't understand but I know about Hive a little bit and I can recommend you to take a look around too, communities and their rules. Writing an introduction post might be helpful too. If you will, please don't forget mentioning about how you found Hive, too.

    $0.00
      Reply
      [-]
       12 days ago  

      Hello Beril!

      Thanks ♥️👍

      $0.00
        Reply