Open Source Ecosystems

Malware Resurrection

In this project, we will take a look at the technique used to resurrect a malware in case it is deleted or removed from the system. This approach focuses on ensuring the persistence of malware by applying methods that allow the malware to automatically resurrect and re-establish itself even after it has been terminated.

[!Warning] Please note that the content of this repository is intended for educational purposes only. I do not endorse or encourage any illegal activities. The techniques and methods demonstrated here should not be used for malicious purposes or in any unauthorized scenarios.

❓What's Malware Resurrection

Malware Resurrection refers to techniques used to revive and maintain the presence of malware within a system, ensuring that it continues to operate even if it is removed or terminated. The goal of malware resurrection is to establish persistence and ensure that the malware can reappear or re-launch after being removed.

1. Re-Downloading and Re-Executing Payloads: The malware may use a user-mode program or scheduled tasks to periodically check for its presence. If the malware is detected as missing, the program can re-download and reinstall it from a remote server or hidden location on the system.
2.Registry Persistence: The malware may modify or create registry entries to ensure it is executed on system startup. Common registry locations include:
- Run Keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Startup Folder: Adding shortcuts to the malware executable in the Startup folder, ensuring it runs automatically when the user logs in.
3.Scheduled Tasks: Malware may create scheduled tasks or cron jobs that periodically execute the malware or related components. These tasks are set to run at specific times or events, such as system startup or user login, ensuring the malware reactivates if removed.
4.Kernel-Level Persistence: Advanced malware may use kernel-mode drivers to embed itself deeply within the operating system. This can involve:
- Rootkits: Modifying kernel data structures to hide files, processes, or network connections.
- Driver Installation: Installing and maintaining a driver that ensures malware persists at a low level.

📁Project

The application I've developed is designed to ensure that malware remains active and concealed within a system, utilizing both user-mode and kernel-mode components. This dual approach enables the application to persistently hide and relaunch malware, while evading detection from standard system tools.

1. Usermode Program

The primary function of the user-mode program is to monitor and maintain the presence of the malware. If it detects that the malware has been terminated or removed, it springs into action. The user-mode program communicates with the kernel-mode driver to facilitate the reinstallation and concealment of the malware.

2. Kernel-Mode Driver

Upon instruction from the user-mode program, the driver creates a hidden directory on the system, typically within a critical location such as C:\Windows\System32. This directory is used to store the malware executable in a manner that is difficult for standard file explorers or system administrators to detect.

Workflow

Monitoring and Recovery: The user-mode program continuously listens for the presence of the malware process. If the process is terminated for any reason, the program alerts the driver.
Hidden File Creation: The kernel-mode driver responds by creating a hidden file path within the specified directory. This ensures that the new malware file is hidden at the OS level before it is even downloaded.
Malware Restoration: Once the file path is in place, the user-mode program downloads the malware to the hidden directory and immediately spawns a new process for it.
Process Concealment (DKOM Attack): To ensure that the malware runs undetected, the user-mode program passes the Process ID (PID) of the newly created malware process to the driver. The driver then uses Direct Kernel Object Manipulation (DKOM) to remove the malware’s PID from the system’s process list, making it invisible to tools like Task Manager and other process monitoring utilities.
Restricting Permissions: Restricting Permissions involves changing the permissions of a hidden file via the driver to prevent any interference after the file has been established as hidden. Once these permissions are modified:
- File Deletion: Users will encounter an "Access Denied" error if they attempt to delete the hidden file.
- Executable Execution: Users will also receive an "Access Denied" error if they try to run the executable contained within the file.

❗Important Considerations Before Running the Project

[!Important] To run this project successfully, you need to execute it on a Windows system in Test Mode. This mode allows the system to load unsigned drivers, which is necessary for the kernel-mode components of the application. Additionally, it is highly recommended to use WinDbg for debugging and closely inspecting the results.

Assuming you have access to development tools such as Visual Studio and the Windows Driver Kit (WDK), you will need to compile the driver and user-mode program yourself. Note that I will not be providing any files with .exe or .sys extensions.

Take a look at both the driver code and the project code and you will find variables that are important:

User-mode Program

In the user-mode program code, you will find the following important variables:

CHAR ExecutablePath[0x80] = "C:\\Windows\\System32";
CHAR ExecutableName[0x80] = "malwarename.exe";
CHAR ExecutableUrl[0x80] = "https://url";

Kernel-mode Driver:

In the kernel-mode driver code, you will encounter:

UNICODE_STRING G_ExecutablePath = RTL_CONSTANT_STRING(L"\\??\\C:\\Windows\\System32\\");

Editing and Compiling Instructions

User-Mode Program

ExecutablePath: Ensure that you do not add a trailing backslash (\) at the end of the path.
ExecutableName: Specify the name of the executable file you intend to use.
ExecutableUrl: Provide the URL from which the executable will be downloaded.

Kernel-Mode Driver

ExecutablePath: Maintain the \??\ prefix and avoid adding a trailing backslash () at the end of the path.

Feel free to modify these values according to your needs. Ensure that paths and URLs are correctly formatted to avoid any issues during compilation and execution.

Once you have everything set up, follow these steps to install and run the driver within a virtual machine:

Install the Driver: Open a command prompt with administrative privileges and execute the following commands:

sc create resurrection type=kernel binPath="C:\path\to\sys" start=demand
sc start resurrection

This will create and start the driver service. The driver will remain inactive and wait for IOCTL codes sent by the user-mode program.

Run the User-Mode Program: Execute the user-mode program with a PID value to test its functionality. For example, you can use the PID of applications like paint or notepad. Use the following command to run the user-mode program:

.\program.exe <PID>

Replace with the actual process ID of the target application.

Observe the Output: After starting the user-mode program, close the application you used as an example (e.g., paint or notepad). Check the output of the user-mode program to observe the results of the interaction with the driver.

💝 Acknowledgements

A special thank you to S12 H4CK, whose remarkable work in the field of malware development has been a tremendous source of knowledge and inspiration. His article on Malware Resurrection laid the foundation for my understanding of this technique, and without the information he shared, this project would not have been realized.

He has also written an article about this project. For this I am very grateful and thank him very much.

You can also check out his article on this technique to explore it further and deepen your understanding.