Some basic malware tricks, implemented from scratch:
- Thread injection
- Hooking
- Self deleting executables
- etc.
The built executable tries to inject a remote thread into each process in a predefined list (opera.exe, chrome.exe, notepad.exe), load a copy of itself there, and hook a list of functions (CreateFile, WinHttpConnect, getaddrinfo). The hook works by replacing the starting instructions of the target function with a jump to the hook function, and patching the IAT of the injected test_inj image so that its own calls to the function execute the replaced instructions and then jump back into the target function. The getaddrinfo hook replaces every requested NodeName with google.ru, so when the target process tries to open any site it is forwarded to "google.ru".
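The byte-level part of the inline hook described above, as an added example that is not the project's code: it steals whole instructions from the start of a 32-bit x86 function until at least five bytes are covered, writes a `jmp rel32` to the hook (NOP-padded to the stolen length) over them, and builds the trampoline that runs the stolen instructions and jumps back to the first untouched one. The function names (`prepare_inline_hook`, `build_demo_hook`, `jmp_rel32_destination`), the addresses and the sample prologue are all made up for the example; the per-instruction lengths are assumed to come from a disassembler (the project uses distorm3), and the actual memory writes (VirtualProtect/WriteProcessMemory) are left out because they are Windows-specific. It also shows the check a practitioner wants: a stolen instruction that encodes a target relative to its own address (call/jmp/jcc) must be relocated, not copied, so the example refuses to hook such a function.

```c
/* Added example: inline-hook patch and trampoline construction for 32-bit x86.
   Not the project's code; addresses and sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5        /* E9 rel32 */
#define MAX_STOLEN    32

typedef struct {
    size_t  stolen_len;                              /* bytes overwritten at the target */
    uint8_t patch[MAX_STOLEN];                       /* jmp hook + NOP padding */
    uint8_t trampoline[MAX_STOLEN + JMP_REL32_LEN];  /* stolen bytes + jmp back */
    size_t  trampoline_len;
} inline_hook_t;

/* Encode "jmp rel32" located at from_va that lands on to_va. rel32 is measured
   from the end of the 5-byte instruction and stored little-endian. */
static void encode_jmp_rel32(uint8_t *p, uint32_t from_va, uint32_t to_va)
{
    uint32_t rel = to_va - (from_va + JMP_REL32_LEN);
    p[0] = 0xE9;
    p[1] = (uint8_t)(rel);
    p[2] = (uint8_t)(rel >> 8);
    p[3] = (uint8_t)(rel >> 16);
    p[4] = (uint8_t)(rel >> 24);
}

/* Decode where the jmp rel32 at ins_va goes (used to verify generated bytes). */
uint32_t jmp_rel32_destination(uint32_t ins_va, const uint8_t *p)
{
    uint32_t rel = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                   ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return ins_va + JMP_REL32_LEN + rel;
}

/* call/jmp/jcc encode their target relative to their own address; copied
   unchanged into the trampoline they would branch to garbage. */
static int is_ip_relative(const uint8_t *ins, size_t len)
{
    if (ins[0] == 0xE8 || ins[0] == 0xE9 || ins[0] == 0xEB) return 1;  /* call/jmp rel32, jmp rel8 */
    if (ins[0] >= 0x70 && ins[0] <= 0x7F) return 1;                   /* jcc rel8 */
    if (len >= 2 && ins[0] == 0x0F && ins[1] >= 0x80 && ins[1] <= 0x8F) return 1; /* jcc rel32 */
    return 0;
}

/* code/ins_len: first bytes of the target and their instruction lengths (from a
   disassembler). hook_va: replacement function. tramp_va: executable buffer that
   will receive out->trampoline. Returns 0 on success, -1 if no safe boundary. */
int prepare_inline_hook(uint32_t target_va, const uint8_t *code, size_t code_len,
                        const size_t *ins_len, size_t ins_count,
                        uint32_t hook_va, uint32_t tramp_va, inline_hook_t *out)
{
    size_t off = 0, i;
    for (i = 0; i < ins_count && off < JMP_REL32_LEN; i++) {
        if (off + ins_len[i] > code_len || off + ins_len[i] > MAX_STOLEN) return -1;
        if (is_ip_relative(code + off, ins_len[i])) return -1;
        off += ins_len[i];
    }
    if (off < JMP_REL32_LEN) return -1;
    out->stolen_len = off;
    encode_jmp_rel32(out->patch, target_va, hook_va);
    memset(out->patch + JMP_REL32_LEN, 0x90, off - JMP_REL32_LEN);  /* never land mid-instruction */
    memcpy(out->trampoline, code, off);
    encode_jmp_rel32(out->trampoline + off, tramp_va + (uint32_t)off, target_va + (uint32_t)off);
    out->trampoline_len = off + JMP_REL32_LEN;
    return 0;
}

/* Constructed sample: push ebp / mov ebp,esp / sub esp,0x40 / push ebx. Addresses are made up. */
#define DEMO_TARGET_VA 0x7C80AA00u
#define DEMO_HOOK_VA   0x10001000u
#define DEMO_TRAMP_VA  0x00350000u

int build_demo_hook(inline_hook_t *out)
{
    static const uint8_t prologue[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53 };
    static const size_t  lens[]     = { 1, 2, 3, 1 };
    return prepare_inline_hook(DEMO_TARGET_VA, prologue, sizeof prologue, lens, 4,
                               DEMO_HOOK_VA, DEMO_TRAMP_VA, out);
}

/* A function that begins with "jmp short" is refused: the jmp would need relocation. */
int build_demo_hook_rejected(inline_hook_t *out)
{
    static const uint8_t prologue[] = { 0xEB, 0x05, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40 };
    static const size_t  lens[]     = { 2, 1, 2, 3 };
    return prepare_inline_hook(DEMO_TARGET_VA, prologue, sizeof prologue, lens, 4,
                               DEMO_HOOK_VA, DEMO_TRAMP_VA, out);
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    size_t i;
    printf("%-11s", label);
    for (i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void)
{
    inline_hook_t h;
    if (build_demo_hook(&h) != 0) { puts("hook preparation failed"); return 1; }
    hexdump("patch:", h.patch, h.stolen_len);
    hexdump("trampoline:", h.trampoline, h.trampoline_len);
    printf("patch -> %08X, trampoline -> %08X\n",
           (unsigned)jmp_rel32_destination(DEMO_TARGET_VA, h.patch),
           (unsigned)jmp_rel32_destination(DEMO_TRAMP_VA + (uint32_t)h.stolen_len,
                                           h.trampoline + h.stolen_len));
    return 0;
}
```

For the sample prologue the first five bytes end in the middle of `sub esp,0x40`, so six bytes are stolen and the patch gets one NOP; the trampoline is the six stolen bytes followed by a jump to target+6. In the real injector the trampoline buffer must be executable memory in the target process, and the hook function's own call to the original (here, the IAT slot of the injected image) must point at the trampoline, not at the patched entry, or it recurses into itself.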
NOTE: Chrome spawns its child processes inside a sandbox, so we need to inject our thread into the broker process. Details of Chrome's process structure: http://www.chromium.org/developers/design-documents/sandbox
Now works under WinXP SP3 (under Windows 7 it fails and I don't know why :()
This project uses distorm3 (http://code.google.com/p/distorm/) for disassembling.
The netbot client (currently written in C) installs a copy of itself into the temp directory and tries to connect to the main server (currently written in Python). After that it executes the commands received from the server.
A description of the commands can be found in ./cpp/commands.c
These are my first WinAPI experiments and some of the code (truly, almost all of it) looks like shit. Maybe it's because of WinAPI itself, maybe it's my "talent". Nevertheless, the projects are incomplete now; maybe with some help I can finish them later.