Lab 4 - Win32 API

In this lab, you will familiarize yourself with common Windows API functions that are frequently used by malware authors. Instead of being presented with a boring table of function names in lecture, you are going to put yourself in the shoes of the malware authors and ask yourself: "If I wanted to accomplish nefarious task X in a manner that will run on clean Windows systems from the ancient Windows XP to the latest Windows 10 update, how would I accomplish it?" The answer, inevitably, will lead you to the Win32 API, which can be used for either good or evil.

Deliverables

Upload the following items to the Lab 4 Assignment on Canvas when finished.

  • Your source code (.h and .cpp)
  • The Visual Studio project files (.sln solution file and .vcxproj project file)
  • Your compiled binary (.exe)

Feel free to upload a .zip file of your entire project folder containing the items listed above.

Pre-Lab

Acquire Visual Studio for Windows on a convenient computer for your use. Literally any version will do - we're intentionally NOT using the latest APIs for this lab. If you don't have Visual Studio already, you can download the free Visual Studio Community 2019 from https://www.visualstudio.com/downloads

In the Visual Studio Community 2019 installer, you only need to install the Desktop development with C++ workload option. You don't need support for the Universal Windows Platform, the .NET desktop, or any of the other Web & Cloud workloads. The install size should be around 6.6GB. Enjoy the download.

Requirements

Using Visual Studio, write a Windows Console Application that meets the following standards:

  • Implementation language: C++
  • Executable filename: fake-malware.exe
  • Architecture: 32 bit (x86, not x64)
  • Packaging options for broad release
    • Compiled for Release mode, not Debug mode.
    • Compiled for Windows XP and newer - Under Project->Properties->General for your project, change Platform Toolset from VisualStudio 2019 (v142) to Visual Studio 2019 - Windows XP (v142_xp).
      • Note: For this build option to succeed, you may need to install Version 7 of the Windows SDK
      • Note: A bug in Visual Studio may result in the error unexpected token 'identifier', expected 'type specifier'. To fix this, change the setting Project->Properties->C/C++->Language->Conformance Mode from Yes (/permissive-) to No.
    • Compiled by statically linking in the C Runtime Library (CRT) instead of requiring it as a separate DLL that users (victims) may or may not have installed - Under Project->Properties->C/C++->Code Generation, change Runtime Library from Multi-threaded DLL (/MT) to Multi-threaded (/MT). Also, somewhere early in your header file, put a #define _STATIC_CPPLIB. (Note: If you compile in DEBUG mode instead of RELEASE mode, then link against the Debug variants of the CRT. The important thing is to remove the "DLL" from the build process).

Your executable should accomplish the following "malware-like" objectives in a terse, demo-like manner:

  • Write to the Registry (e.g. malware persistence): Identify the path that your binary was executed from, and add your fake-malware.exe binary to the "Run" key to be automatically executed when the system boots.

Tip: You may want to investigate the GetModuleFileName() and RegOpenKeyEx() functions, among others.

Tip: You can use the RegEdit tool in Windows to verify that your API usage is functional.

  • Write to a File (e.g. malware dropper): Create a file called fake-malware-dropped.exe in the same directory as the executable. In this file, write the standard EICAR antivirus test string obtained from https://www.eicar.org/?page_id=3950. This is clever piece of code - it's printable ASCII characters, but is also a legitimate 16-bit DOS program that prints the string "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". Anti-virus programs will detect this as a test threat but take real actions, such as quarantining the file and notifying the user. Sorry 64-bit Windows users, you won't be able to run it - I had to roll back to a Windows XP VM to run it.

Tip: You may want to investigate the CreateFile() and WriteFile() functions, among others.

  • Communicate over the Internet (e.g. command & control): Retrieve the file stored at www.pacific.edu via HTTP. Use the User-Agent of Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) totally not Malware. Print the HTML to the console. Note: Ensure that you have read the entire file, not just the first part of it!

Tip: You may want to investigate the InternetOpen(), InternetConnect(), HttpOpenRequest(), HttpSendRequest(), and InternetReadFile() functions, among others. A good summary page of these functions is also available from MSDN.

  • Obtain Process List (e.g. anti-RE): Obtain a list of processes running on the system. If the processes for x32dbg (x32dbg.exe), IDA Pro (idag.exe), or Procmon (Procmon.exe) are running, print a warning to the screen: "Caught red-handed!"

Tip: You may want to investigate the CreateToolhelp32Snapshot() function, or alternately the EnumProcesses(), EnumProcessModules(), and OpenProcess() functions, among others.

Tip: To obtain the names of 64-bit processes, you must run as a 64-bit program. That conflicts with the lab assignment requirement to produce a 32-bit binary. Don't worry if some process names (specifically the 64-bit ones) are not found.