Tutorial to compile trojan source code and embed it into a carrier fileDocument Transcript
Tutorial To Compile Trojan Source Code and
Embed it Into a Carrier File (trusted executable)
Open source malware forums openly share malware source code which can be used in
targeted attacks. Educating people about the techniques used by malware authors is the first
step to preventing these attacks. This tutorial aims to teach people how to set up an environment
for developing trojans for Microsoft Windows. Additionally this tutorial aims to teach people to
bind their malicious application to a carrier file using an application binder to demonstrate the
more subversive techniques. This tutorial is for educational purposes only.
FBIRAT is a Remote Administration Tool which enables an attacker to infect a victim's machine
and gain total control of their file system, processes, network activity and more. Additionally
FBIRAT it has a user interface that handles hundreds of victims very well. As its source code is
available online it is an ideal candidate for demonstrating malware development.
Prerequisites (links at the bottom)
You need to Install Windows XP 32 bit.
You need to Install Microsoft Visual C++ 6.0 Standard Edition.
You need to Install Windows Server 2003 SP1 Platform SDK.
You need to Install a tool called Resource Hacker by Angus Johnson
You need to download the libjpeg package from sourceforge.
You need to download a copy of the FBIRAT source code.
Trojan Server Client Architecture
Trojans use an unusual reverse server client architecture where the server connects to the
client. The server will infect your victim. The client is used to send commands to your victims.
This bypasses firewall rules that say a connection must be initiated from inside the network.
64bit or 32bit
Windows Server 2003 SP1 Platform SDK is picky about environment variables depending on
To register the SDK bin, include, and library directories with Microsoft Visual Studio® version 6.0
and Visual Studio .NET, click Start, point to All Programs, point to Microsoft Platform SDK for
Windows Server 2003 SP1, point to Visual Studio Registration, and then click Register PSDK
Directories with Visual Studio. This registration process places the SDK bin, include, and library
directories at the beginning of the search paths, which ensures that the latest headers and
libraries are used when building applications in the IDE.
Note that for Visual Studio 6.0 integration to succeed, Visual Studio 6.0 must run at least once
before you select Register PSDK Directories with Visual Studio. Also note that when this option
is run, the IDEs should not be running.
To develop a 32bit C/C++ application on 64bit Windows, do not register environment variables
when you install Visual C++ 6.0. Instead, open a command window and run Vcvars32.bat (from
the Visual C++ bin folder), followed by Setenv.bat (from the SDK bin folder), specifying the
appropriate switches (such as /SVR32 /2000 /XP32).
Have a look at the help files for more information
C:Program FilesMicrosoft Platform SDKReleaseNotes.Htm
Microsoft Visual C++ for Linux Users
Most linux users are used to using “./configure”, “make” and “gcc” to compile their source code.
Microsoft Visual C++ comes with similar tools in the installation folder “C:Program
FilesMicrosoft Visual StudioVC98bin”. The application “cl.exe” is the compiler and “nmake.exe”
is a compile script interpreter.
When installing Visual C++ be sure to add environment variables.
"path" variable should contain
C:Program FilesMicrosoft Platform SDKBin;
C:Program FilesMicrosoft Visual StudioCommonToolsWinNT;
C:Program FilesMicrosoft Visual StudioCommonMSDev98Bin;
C:Program FilesMicrosoft Visual StudioCommonTools;
C:Program FilesMicrosoft Visual StudioVC98bin
Setting up libjpeg
Decompress the libjpeg package
Change into the jpeg6b directory using cmd.exe
Rename jconfig.vc to jconfig.h
nmake /f makefile.vc all
Copy the compiled libjpeg folder into the VC++ folder
C:Program FilesMicrosoft Platform SDKjpeg6b
Configure Visual C++ to include libraries and header files
Despite the installation instructions in the Windows Server 2003 SP1 Platform SDK (which
made no difference to my environment) you should still add the following libraries and header
files to your build path inside the Visual C++ IDE application.
Open Visual C++ > tools > options > directories tab
1. Select the "Include files" from the "show directories for" drop down menu and add
C:Program Files Microsoft Platform SDKInclude
C:Program FilesMicrosoft Platform SDKjpeg6b
2. Select the "Library files" from the "show directories for" drop down menu and add
C:Program Files Microsoft Platform SDKLib
3. Select the "Source files" from the "show directories for" drop down menu and add
C:Program Files Microsoft Platform SDKSrc
Ensure the Include, Src and Lib directories are located at the top of the list.
Setting the Build Type in Visual C++ (debug/release)
Open a FBIRAT workspace in visual c++ by opening "Server.dsw".
In visual c++ set the build type by pressing
build > configurations > release
Do this for all the workspaces “Server.dsw”, “FBIClient.dsw” and “Injection.dsw”.
When building in debug mode the name of the precompiled windows libraries are usually
appended with the letter “d”. For example "nafxcwd .lib" > "nafxcwd.lib".
Open the server workspace for FBIRAT in visual c++ "FBIRATInjectionServerServer.dsw"
Step 1: press build > clean
Step 2: then press build > build server.exe
The output should be located in “FBIRATInjectionServerRelease”
Repeat those steps for the other workspaces “FBIRATInjectionInjection.dsw” and
Bind server.exe to an innocent file
Place a copy of calc.exe on your desktop.
Open the command line cmd.exe
Launch the microsoft application iexpress.exe in the command line
Select “create new self extraction directive” and press next.
5. Select “extract files and run an installation command” and press next
6. Enter “Calculator” as the package title and press next
7. Select “no prompt” and press next
8. Select “do not display a licence” and press next
9. Add calc.exe and server.exe and press next
10. Select calc.exe as the “install program” and server.exe as the “post install command”
and press next
11. Set your install program to be displayed using the default settings and press next
12. Select “no message” and press next
13. Select a target path for your new binded file such as “malicious.exe” on the desktop
14. Select “hide extraction process from user” and press next
15. Select “no restart” and press next
16. Select “dont save” and press next
17. Press next, next, finish
18. Your binded file should be on the desktop
The malicious file will have an unusual looking icon that does not look like the original calc.exe.
You can use reshack to extract the icon from calc.exe and replace the icon in malicious.exe.
You can use reshack to remove the strings and version info added by iexpress.exe.
Try uploading server.exe to VirusTotal to see its detectability. Try making small modifications to
your source code, compile it again, upload the new server.exe to VirusTotal and take note of the
new detectability results.
After compilation (2/46)
After binding and removing strings (7/46)
Also windows server 2003 platform sdk will enable programmers to use winsock.h
This tutorial should be a good starting point for all beginner windows developers.
The process of compiling source code for known malware and submitting it to VirusTotal has the
potential to be an educational game for people interested in Information Security research. The
game goes as follows:
1. Each student gets a copy of the source code and sets up their own environment.
2. Each student must compile the source code without help and submit a malicious binary
3. The student must modify the executable file using malware evasion techniques in order
to reduce the detection rate on VirusTotal.
4. The student with the lowest number of AV detections wins the game.
Cheating can be prevented by taking the SHA hash from the students submission on VirusTotal
and comparing it to the hash of a local working copy that they must verify by infecting a virtual
machine and controlling it.
Get a copy of FBIRAT source code
Download a copy of visual c++
How to compile libjpeg
Windows Server 2003 SP1 Platform SDK