Lab 4 - Win32 API
In this lab, you will familiarize yourself with common Windows API functions that are frequently used by malware authors. Instead of being presented with a boring table of function names in lecture, you are going to put yourself in the shoes of the malware authors and ask yourself: "If I wanted to accomplish nefarious task X in a manner that will run on clean Windows systems from Windows 7 onward, how would I accomplish it?" The answer, inevitably, will lead you to the Win32 API, which can be used for either good or evil.
Upload the following items to the Lab 4 Assignment on Canvas when finished.
- Your source code (.h and .cpp)
- The Visual Studio project files (.sln solution file and .vcxproj project file)
- Your compiled binary (.exe) that is statically linked against the C Runtime Library (CRT) - See below
Feel free to upload a .zip file of your entire project folder containing the items listed above.
Acquire Visual Studio for Windows on a convenient computer for your use. Literally any version will do - we're intentionally NOT using the latest APIs for this lab. If you don't have Visual Studio already, you can download the free Visual Studio Community 2022 with C++ from https://www.visualstudio.com/downloads
Note that you only need to install the C++/C workload option. You don't need support for the Universal Windows Platform, the .NET desktop, or any of the other Web & Cloud workloads.
Using Visual Studio, write a Windows Console Application that meets the following standards:
- Implementation language: C++
- Executable filename:
- Architecture: 32 bit (x86, not x64)
- Packaging options for broad release
- Compiled for Release mode, not Debug mode.
- Compiled for Windows 7 and newer
#define NTDDI_VERSION NTDDI_WIN7and
#define _WIN32_WINNT_WIN7- See Using the Windows Headers
- Compiled by statically linking in the C Runtime Library (CRT) instead of requiring it as a separate DLL that users (victims) may or may not have installed - Under Project->Properties->C/C++->Code Generation, change Runtime Library from
Multi-threaded DLL (/MT)to
Multi-threaded (/MT). Also, somewhere early in your header file, put a
#define _STATIC_CPPLIB. (Note: If you compile in DEBUG mode instead of RELEASE mode, then link against the Debug variants of the CRT. The important thing is to remove the "DLL" from the build process).
Your executable should accomplish the following "malware-like" objectives in a terse, demo-like manner:
- Write to the Registry (e.g. malware persistence): Identify the path that your binary was executed from, and add your fake-malware.exe binary to the "Run" key to be automatically executed when the system boots. For consistency across all students, use the registry key
Tip: You can use the RegEdit tool in Windows to verify that your API usage is functional.
- Write to a File (e.g. malware dropper): Create a file called
fake-malware-dropped.exein the same directory as the executable. In this file, write the standard EICAR antivirus test string obtained from https://www.eicar.org/?page_id=3950. This is clever piece of code - it's printable ASCII characters, but is also a legitimate 16-bit DOS program that prints the string "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". Anti-virus programs will detect this as a test threat but take real actions, such as quarantining the file and notifying the user. Sorry 64-bit Windows users, you won't be able to run it - I had to launch an old Windows XP VM to run it.
- Communicate over the Internet (e.g. command & control): Retrieve the file stored at
www.pacific.eduvia HTTP. Use the User-Agent of
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) totally not Malware. Print the HTML to the console. Note: Ensure that you have read the entire file, not just the first part of it!
Tip: You may want to investigate the InternetOpen(), InternetConnect(), HttpOpenRequest(), HttpSendRequest(), and InternetReadFile() functions, among others. A good summary page of these functions is also available from MSDN.
- Obtain Process List (e.g. anti-RE): Obtain a list of processes running on the system. If the processes for x32dbg (
x32dbg.exe), IDA Pro (
idag.exe), or Procmon (
Procmon.exe) are running, print a warning to the screen: "Caught red-handed!"
Tip: To obtain the names of 64-bit processes, you must run as a 64-bit program. That conflicts with the lab assignment requirement to produce a 32-bit binary. Don't worry if some process names (specifically the 64-bit ones) are not found.