Tutorial to compile trojan source code and embed it into a carrier file
1. Tutorial To Compile Trojan Source Code and Embed it Into a Carrier File (trusted executable)
Open source malware forums openly share malware source code that can be used in
targeted attacks. Educating people about the techniques malware authors use is the first
step to preventing these attacks. This tutorial aims to teach people how to set up an environment
for developing trojans for Microsoft Windows. Additionally, it aims to teach people how to
bind their malicious application to a carrier file using an application binder, to demonstrate the
more subversive techniques. This tutorial is for educational purposes only.
FBIRAT is a Remote Administration Tool that enables an attacker to infect a victim's machine
and gain total control of their file system, processes, network activity and more. Additionally,
FBIRAT has a user interface that handles hundreds of victims very well. As its source code is
available online, it is an ideal candidate for demonstrating malware development.
Prerequisites (links at the bottom)
You need to install Windows XP 32-bit.
You need to install Microsoft Visual C++ 6.0 Standard Edition.
You need to install the Windows Server 2003 SP1 Platform SDK.
You need to install a tool called Resource Hacker by Angus Johnson.
You need to download the libjpeg package from SourceForge.
You need to download a copy of the FBIRAT source code.
Trojan Server-Client Architecture
Trojans use an unusual reverse server-client architecture in which the server connects to the
client. The server is the component that infects your victim. The client is used to send commands to your victims.
Because the infected machine initiates the outbound connection, this sidesteps firewall rules that
only permit connections initiated from inside the network.
64-bit or 32-bit
The Windows Server 2003 SP1 Platform SDK is picky about environment variables depending on
your architecture.
To register the SDK bin, include, and library directories with Microsoft Visual Studio® version 6.0
and Visual Studio .NET, click Start, point to All Programs, point to Microsoft Platform SDK for
Windows Server 2003 SP1, point to Visual Studio Registration, and then click Register PSDK
Directories with Visual Studio. This registration process places the SDK bin, include, and library
directories at the beginning of the search paths, which ensures that the latest headers and
3. Configure Visual C++ to include libraries and header files
Despite the installation instructions in the Windows Server 2003 SP1 Platform SDK (which
made no difference to my environment) you should still add the following libraries and header
files to your build path inside the Visual C++ IDE application.
Open Visual C++ > Tools > Options > Directories tab
1. Select "Include files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Include
C:\Program Files\Microsoft Platform SDK\jpeg6b
2. Select "Library files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Lib
3. Select "Source files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Src
Ensure the Include, Src and Lib directories are located at the top of the list.
Setting the Build Type in Visual C++ (debug/release)
Open an FBIRAT workspace in Visual C++ by opening "Server.dsw".
In Visual C++ set the build type by pressing
Build > Configurations > Release
Do this for all the workspaces "Server.dsw", "FBIClient.dsw" and "Injection.dsw".
When building in debug mode, the names of the precompiled Windows libraries usually have
the letter "d" appended. For example, the release library "nafxcw.lib" becomes "nafxcwd.lib" in debug builds.
Compile FBIRAT
Open the server workspace for FBIRAT in Visual C++: "FBIRAT\Injection\Server\Server.dsw"
Step 1: press Build > Clean
Step 2: then press Build > Build Server.exe
The output should be located in "FBIRAT\Injection\Server\Release".
Repeat those steps for the other workspaces "FBIRAT\Injection\Injection.dsw" and
"FBIRAT\FBIClient\FBIClient.dsw".
Bind server.exe to an innocent file
1. Place a copy of calc.exe on your desktop.
2. Open the command line cmd.exe.
3. Launch the Microsoft application iexpress.exe from the command line.
4. Select "Create new Self Extraction Directive" and press Next.
5. Select "Extract files and run an installation command" and press Next.
6. Enter "Calculator" as the package title and press Next.
7. Select "No prompt" and press Next.
8. Select "Do not display a licence" and press Next.
9. Add calc.exe and server.exe and press Next.
10. Select calc.exe as the "Install program" and server.exe as the "Post install command"
and press Next.
11. Set your install program to be displayed using the default settings and press Next.
12. Select "No message" and press Next.
13. Select a target path for your new bound file, such as "malicious.exe" on the desktop.
14. Select "Hide extraction process from user" and press Next.
15. Select "No restart" and press Next.
16. Select "Don't save" and press Next.
17. Press Next, Next, Finish.
18. Your bound file should be on the desktop.
Cosmetic Adjustment
The malicious file will have an unusual-looking icon that does not look like the original calc.exe.
You can use Resource Hacker (reshack) to extract the icon from calc.exe and replace the icon in malicious.exe.
You can use Resource Hacker to remove the strings and version info added by iexpress.exe.
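From the defender's side, the binding and cosmetic steps above leave traces that can be checked for. The following is an added example, not code from the tutorial or from the FBIRAT project: a heuristic scanner that flags executables which look like IExpress packages. It assumes that the wextract stub IExpress builds on stores its directives as RCDATA resources named RUNPROGRAM (the "install program") and POSTRUNPROGRAM (the "post install command"), that PE resource names are stored as UTF-16LE, and that the packaged payload is a CAB archive starting with the "MSCF" signature; the sample byte blobs at the bottom are constructed stand-ins, not real binaries.

```python
"""Defensive heuristic: flag files that look like IExpress (wextract) packages."""

# Assumed directive resource names used by the wextract stub (see lead-in).
IEXPRESS_MARKERS = ("RUNPROGRAM", "POSTRUNPROGRAM", "CABINET", "SHOWWINDOW", "REBOOT")
CAB_MAGIC = b"MSCF"  # signature at the start of every Microsoft cabinet file


def find_markers(data: bytes) -> dict:
    """Return {marker: encoding} for each directive name found as UTF-16LE or ASCII."""
    found = {}
    for name in IEXPRESS_MARKERS:
        if name.encode("utf-16-le") in data:      # PE resource-directory names are UTF-16
            found[name] = "utf16"
        elif name.encode("ascii") in data:        # copies in the stub's own string data
            found[name] = "ascii"
    return found


def classify(data: bytes) -> dict:
    """Classify a file image; returns the indicators found and a verdict string."""
    is_pe = data[:2] == b"MZ"
    cab_offset = data.find(CAB_MAGIC)
    markers = find_markers(data) if is_pe else {}
    if not is_pe:
        verdict = "not-pe"
    elif markers and cab_offset != -1:
        verdict = "iexpress-package"
    elif cab_offset != -1:
        # Resource editing can strip the directive names, but the embedded CAB remains.
        verdict = "embedded-cab-directives-stripped"
    else:
        verdict = "no-iexpress-indicators"
    return {"pe": is_pe, "cab_offset": cab_offset, "markers": markers, "verdict": verdict}


def scan_file(path: str) -> dict:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed samples standing in for real files (not real binaries).
PACKAGED = (b"MZ" + b"\0" * 64 + "RUNPROGRAM".encode("utf-16-le")
            + "POSTRUNPROGRAM".encode("utf-16-le") + b"\0" * 16 + CAB_MAGIC + b"\0" * 32)
STRIPPED = b"MZ" + b"\0" * 64 + CAB_MAGIC + b"\0" * 32   # strings removed, CAB still present
CLEAN = b"MZ" + b"\0" * 128

if __name__ == "__main__":
    for label, blob in (("packaged", PACKAGED), ("stripped", STRIPPED), ("clean", CLEAN)):
        print(label, classify(blob)["verdict"])
```

The "stripped" verdict is the case this tutorial's Cosmetic Adjustment step produces: removing the strings with Resource Hacker does not remove the embedded cabinet, so the CAB signature alone is still worth alerting on.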
Detectability
Try uploading server.exe to VirusTotal to see its detectability. Try making small modifications to
your source code, compile it again, upload the new server.exe to VirusTotal and take note of the
new detectability results.
After compilation (2/46):
https://www.virustotal.com/en/file/ed7f0ccf48785d1cc59df24afd545c92aff27e65e44ee8febdccb4bd6954d019/analysis/1365542456/
After binding and removing strings (7/46):
https://www.virustotal.com/en/file/2c6b7a2ffa1fa71051024533619dbc47a9029837193f8224ad4cacbd01165fd5/analysis/1365546255/
Notes:
The Windows Server 2003 Platform SDK also enables programmers to use winsock.h.
This tutorial should be a good starting point for all beginner Windows developers.