{"id":17287454,"url":"https://github.com/utoni/w32miller","last_synced_at":"2025-04-14T11:06:55.147Z","repository":{"id":50487335,"uuid":"266542238","full_name":"utoni/w32miller","owner":"utoni","description":"malware development kit for x86 windows based platforms with a linux compatible build system","archived":false,"fork":false,"pushed_at":"2022-10-17T21:36:33.000Z","size":514,"stargazers_count":10,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-14T11:06:50.556Z","etag":null,"topics":["build-linux","command-and-control","development-kit","dll-injection","malware-development","wiindows","x86"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/utoni.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-05-24T13:03:39.000Z","updated_at":"2024-07-11T13:50:38.000Z","dependencies_parsed_at":"2023-01-20T02:52:58.681Z","dependency_job_id":null,"html_url":"https://github.com/utoni/w32miller","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utoni%2Fw32miller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utoni%2Fw32miller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utoni%2Fw32miller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utoni%2Fw32miller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/utoni","download_url":"https://codeload.github.com/u
toni/w32miller/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248868766,"owners_count":21174758,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["build-linux","command-and-control","development-kit","dll-injection","malware-development","wiindows","x86"],"created_at":"2024-10-15T10:02:40.459Z","updated_at":"2025-04-14T11:06:55.126Z","avatar_url":"https://github.com/utoni.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Gitlab-CI](https://gitlab.com/utoni/w32miller/badges/master/pipeline.svg)](https://gitlab.com/utoni/w32miller/-/pipelines)\n\nabstract\n========\nThe project emerged during my studies. \u003cbr /\u003e\nIt is a showcase demonstration which covers DLL injection and a (very basic) command\u0026control infrastructure. \u003cbr /\u003e\nHowever, as I never had the time to finish it (and presumably lost focus), it is still premature. So please see this project as an unstable-as-fuck example and not as a copy-pasta-ready development framework. \u003cbr /\u003e\nAs this project was written by an inexperienced and fault-tolerant student, the code looks ugly w/ limited readability, missing documentation and may crash at any time. \u003cbr /\u003e\n\u003cbr /\u003e\n\nw32miller\n========\nAn educational malware development kit or my preferred abbreviation: **mdk**. \u003cbr /\u003e\nOnly x86 architectures are supported at the moment. Most of the code is written in C; porting it to other architectures isn't wizardry. 
\u003cbr /\u003e\nThe more complex parts are the assembler sources, which are tied to x86. Porting the loader to x64 may cause some headaches. \u003cbr /\u003e\nIts name was derived from [Chaim Miller](https://www.imdb.com/title/tt4591236/), the real Inglourious Basterd. \u003cbr /\u003e\nWhy did I choose that name, you may ask? Long story - to make it short: I love his attitude! \u003cbr /\u003e\nUsed languages: \u003cb\u003eBash\u003c/b\u003e, \u003cb\u003eCMake\u003c/b\u003e, \u003cb\u003eASM-x86\u003c/b\u003e, \u003cb\u003eC\u003c/b\u003e, \u003cb\u003eGo\u003c/b\u003e, \u003cb\u003ePython\u003c/b\u003e \u003cbr /\u003e\n\u003cbr /\u003e\n\nbuild\n========\nAs my favourite platforms are (Arch|Debian)-based, the whole config\u0026build process was designed to work on those platforms. \u003cbr /\u003e\nOther build environments may not produce the desired results. \u003cbr /\u003e\nThe following commands should only be run once. \u003cbr /\u003e\u003cbr /\u003e\n## Prerequisites (Debian) \u003cbr /\u003e\n`sudo apt-get install g++ gcc autoconf automake flex bison texinfo cmake` \u003cbr /\u003e\nSee \u003cb\u003eINSTALL\u003c/b\u003e for more information. \u003cbr /\u003e\n\u003cbr /\u003e\n## Build miller toolchain \u003cbr /\u003e\n`./deps/makedeps.sh N` (where N is the number of simultaneous build jobs, default: 1)\u003cbr /\u003e\nIt will download/extract/compile basic developer tools (python-2.7.18, nasm-2.12.02, binutils-2.31.1, gcc-8.2.0, mingw-w64-v6.0.0). \u003cbr /\u003e\nThe toolchain build is necessary, because we will probably use a patched gcc in the future. \u003cbr /\u003e\nThis project may neither compile nor work with other toolchain combinations! 
\u003cbr /\u003e\n\u003cbr /\u003e\n## Configure project \u003cbr /\u003e\n`cd /path/to/project` \u003cbr /\u003e\n`mkdir build \u0026\u0026 cd build` \u003cbr /\u003e\n`cmake -DBUILD_ALL_TOOLS=ON -DBUILD_CNCPROXY=ON -DBUILD_TESTS=ON -DEXTRA_VERBOSE=ON -DHTTP_LOCALHOST=ON -DINFECT_DUMMY=ON ..`\u003cbr /\u003e\n\u003cbr /\u003e\n## Build project \u003cbr /\u003e\n`make -jN` (where N is the number of simultaneous build jobs) \u003cbr /\u003e\n\u003cbr /\u003e\nTo install all generated binaries use: `make install DESTDIR=[PATH]` \u003cbr /\u003e\n\u003cbr /\u003e\n## Try it! \u003cbr /\u003e\nThere are several ways to try out this project. \u003cbr /\u003e\nIf you want basic CNC communication, start the cncproxy first with: `[BUILD_DIR]/host-tools/cncproxy-host` \u003cbr /\u003e\n 1. `cd [BUILD_DIR]/bin`\n 2. `wine loader_base.exe` (\u003cb\u003ePARTIALLY\u003c/b\u003e encrypted binary) \u003cbr /\u003e\n 3. \u003cb\u003eOR\u003c/b\u003e `wine loader_base_enc.exe` (\u003cb\u003eFULLY\u003c/b\u003e encrypted binary) \u003cbr /\u003e\n 4. run `wine dummy.exe 120`, which should now be infected and try to contact the CNC service \u003cbr /\u003e\n\nOther interesting executables: \u003cbr /\u003e\n * `wine runbin.exe libw32miller_pre-shared.dll` \u003cbr /\u003e\n * `wine runbin.exe libw32miller-shared.dll` \u003cbr /\u003e\n * `wine runbin.exe bin/w32miller_pre.bin` \u003cbr /\u003e\n * `wine runbin.exe bin/w32miller.bin` \u003cbr /\u003e\n\u003cbr /\u003e\n\nTest Windows Portable Executable compliance: \u003cbr /\u003e\n * `wine loadmodule.exe bin/libw32miller_pre-shared.dll` \u003cbr /\u003e\n * `wine loadmodule.exe bin/libw32miller-shared.dll` \u003cbr /\u003e\n\nUnit tests: \u003cbr /\u003e\n * `wine tests.exe` \u003cbr /\u003e\n\u003cbr /\u003e\nOr use a virtual machine and run it there. (e.g. 
VirtualBox) \u003cbr /\u003e\n\u003cbr /\u003e\nThis is an educational mdk only: it tries to infect \u003cb\u003eone\u003c/b\u003e Windows PE binary named \u003cb\u003edummy.exe\u003c/b\u003e in your current working directory. \u003cbr /\u003e\n\u003cbr /\u003e\nIt is recommended to use a VM like \u003cb\u003eVirtualBox\u003c/b\u003e. If you do not care about the integrity of your host OS, \u003cb\u003ewine\u003c/b\u003e may work as well. \u003cbr /\u003e\n\nfeatures\n========\n - mingw64 toolchain (and build script) \u003cbr /\u003e\n - minimal x86/x64 disassembler/patcher \u003cbr /\u003e\n - PE code/data injector \u003cbr /\u003e\n - command\u0026control communication \u003cbr /\u003e\n - Go-based c\u0026c service \u003cbr /\u003e\n\u003cbr /\u003e\n\nhow it works\n========\nDLL (infect): \u003cbr /\u003e\n\n 1. DLL adds loader section to target (default: .minit) \u003cbr /\u003e\n 2. DLL adds own section to target (default: .miller) \u003cbr /\u003e\n 3. DLL sets const data in loader \u003cbr /\u003e\n 4. DLL copies the loader to its section \u003cbr /\u003e\n 5. DLL copies itself to its very own section \u003cbr /\u003e\n 6. DLL injects a FAR JUMP somewhere near the EntryPoint RVA and sets the operand to the loader VA \u003cbr /\u003e\n\n\u003cbr /\u003e\nAn infected file: \u003cbr /\u003e\n\n 1. somewhere near the AddressOfEntryPoint RVA it calls the loader entry address \u003cbr /\u003e\n\n\u003cbr /\u003e\nLOADER: \u003cbr /\u003e\n\n 1. decrypt strings \u003cbr /\u003e\n 2. get some function pointers/data \u003cbr /\u003e\n 3. copy the encrypted DLL section to a temporarily allocated buffer \u003cbr /\u003e\n 4. decrypt the DLL if encrypted and read the PE header \u003cbr /\u003e\n 5. allocate memory for image sections \u003cbr /\u003e\n 6. copy sections from the (parsed/plain PE file) temp buffer to their final destinations \u003cbr /\u003e\n 7. do fixups if image relocation is necessary \u003cbr /\u003e\n 8. 
jump to the CRT \u003cbr /\u003e\n\n\u003cbr /\u003e\nCRT (part of DLL): \u003cbr /\u003e\n\n 1. does minimal initialization \u003cbr /\u003e\n 2. checks if started by the loader (and sets data/registers as needed) \u003cbr /\u003e\n 3. sets up function parameters \u003cbr /\u003e\n 4. calls the real DLL entry function _main(...) \u003cbr /\u003e\n 5. starts some threads, e.g. the infection/network thread \u003cbr /\u003e\n 6. cleans up the stack \u003cbr /\u003e\n 7. returns to the loader \u003cbr /\u003e\n\n\u003cbr /\u003e\nLOADER: \u003cbr /\u003e\n\n 9. clean up and jump back right after where we were injected \u003cbr /\u003e\n\n\u003cbr /\u003e\n\nCommand'n'Control (\u003cb\u003eCNC\u003c/b\u003e)\n========\nThe Go-written CNC proxy acts as a man-in-the-middle between an infected binary and the CNC master. \u003cbr /\u003e\nThe CNC proxy does the basic authentication and receives commands from the CNC master. \u003cbr /\u003e\nKeep in mind that this part of the project is the most ALPHA'ic one. \u003cbr /\u003e\nSo the cncmaster does not do anything useful at the moment. \u003cbr /\u003e\nFor a very basic test, the cncproxy is sufficient. \u003cbr /\u003e\n\u003cbr /\u003e\n\nDocumentation (missing)\n========\n![App Injection Workflow](/doc/apps.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Futoni%2Fw32miller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Futoni%2Fw32miller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Futoni%2Fw32miller/lists"}