Windows – RootSecurity

An easy way of creating your own Trojan

In this article I will describe how you can easily create your own Trojan for demos or other fun purposes. The tools used in this article are the following:

The Veil-Evasion Framework & Kali server;
C or C# source code of a program of choice;
Visual Studio or any other development solution;
Windows 8.1 with AV client machine & RSA ECAT agent.

The steps we will follow are listed below and are worked out in more detail in separate paragraphs:

Create a payload in C# code with the Veil-Evasion Framework;
Copy the created payload to your machine that has for example Visual Studio installed;
Include the payload and re-assemble the C# source code program;
Test your newly created Trojan.

Step 1 & 2 Veil-Evasion Framework

The Veil-Evasion Framework is a very nice solution which allows pen testers to create payloads & executables within a few clicks. https://www.veil-framework.com/framework/veil-evasion/

In this example we will be using the framework to create an encrypted reverse https metasploit payload in C# code.

Install Veil-Evasion on your Kali Linux distribution
Start Veil-Evasion

Select Payload cs/meterpreter /rev_https

Set LHOST & LPORT to fit your own environment, make sure to enable the Arya crypter & issue the generate command to create the payload

Provide your preferred file name

Veil has now created an encrypted payload in C# code which we will use is step three of this process.
Copy the created file (calculator-payload.cs) file to your machine running Visual Studio

Step 3 include payload & re-assemble program of choice

In this example we will add the created payload to the C# source code of a calculator program. The source code used will be made available for download.

Open the calculator-payload.cs with notepad++ or any other file editor

Notice the System requirements (System.Collections.Generic, System.Text, System.IO etc.) and the class & static void parts of the program.

Open the source code of your choice or use the attached calculator source code

Once Visual Studio opens it should look similar as shown below:

Now we need to make sure the program includes all required system namespaces. For this we need to add all system namespaces that are not included in the original source code. In this case this will look as shown below:

Notice that System.Text, System.IO & System.Reflection are added

Now we need to add our code in both the Static class and Static void parts of the original program:

This can be done by coping and pasting the code from the notepad session as shown in step 1.

Once you are done the result should look similar as shown below:

When you copy the code in after the Application.Run part, the program will run normally and start Form1() as expected. Once this form is closed, the program will execute the payload before shutting down.

Assemble your new Calculator application

Before we assemble the modified source code you can change the assembly name or Icon to whatever you like. In this case I will make sure the program gets assembled with the name Calculator-Demo.exe and will use the Windows Calculator symbol as an Icon.

Once done, click on Build Solution or F7 in Visual Studio and make sure the outcome does not state any errors:

Your newly created Trojan is now ready to be tested.

Step 4. Test your newly created Trojan

To test your Trojan we will need to do the following:

Copy the Calculator-Demo.exe to a victim machine
Start a metasploit https reverse handler on the attackers machine
Execute the calculator
Check for a successful metapreter connection

Step 1. Copy the Calculator-Demo.exe

In this example I will copy the Calcultor.Demo.exe to a fully patched Windows 8.1 system which is running a TrendMicro antivirus & RSA ECAT agent.

When I scan the copied file with AV no issues are detected:

Step 2. Start a metasploit https reverse handler on the attackers machine

The attacker will be the same machine which we used to create the payload with. When creating the payload Veil-Evasion also created a handler file which we can use to easily startup the https listener

First we need to browse the the veil-output/handlers directory.

After this we can start the metasploit console with a –r command so that the configuration variables within the handler file are loaded.

This will startup a metasploit handler and should look similar as shown below:

Step 3. Execute the calculator

Now we need to go back to the victim’s machine and execute the calculator

As you can see the calculator starts as expected. To execute the payload the program needs to be closed. When doing this AV still does not detect anything..

Step 4. Check for a successful meterpreter connection

When we go back to our attacker machine we should see a successful meterpreter session

Let’s interact with this session and start a keylogger

When we check the victims machine type something and dump the keystrokes on the attackers machine, AV still does not notice anything..

When we check the RSA ECAT server however all activities are detected.

Execution and migration of Calculator-Demo.exe to notepad.exe

Network connection & IOC to attacker’s machine:

Use of floating code (keylogger) in memory

Conclusion

Building a Trojan does not have to be difficult, AV is dead and RSA ECAT rules 😉

Most windows systems (Vista, Windows 7, Window 8 etc.) allow you to access the Utilman.exe “Ease of Access” application on the login page. As the end-user has not yet logged in, Windows will start this application using NT Authority rights.

So if you are able to boot a Windows machine with for example a Kali image and no drive encryption is applied. You can easily replace the Utilman.exe with cmd.exe or your own payload and have it run with NT Authority rights by clicking on the Ease of Access icon on the logon page.

Want to know how? Just follow the steps below:

1. Boot you windows machine with for example Kali or any other Live CD.

2. Browse to the Windows System32 folder of you Windows machine and locate the Utilman.exe