Backdoors embedded alongside installers
What is PyInstaller and why do we need it?
PyInstaller is basically a binary that bundles python itself, your python dependencies, your python scripts, and any other binaries (.exe or .dll) you would like to include. You may also link in an icon resource on build. Why do I use PyInstaller? Because it is commonly used enough that it won't be flagged as a virus or as malware on its own, but I can still pack malicious code inside it.
What malicious code?
The legitimate installer or program can be any piece of compiled code (an .exe, say) unrelated to this project's code; it is imported in and executed at the same time my reverse shell starts. The malicious code does its business in the background, forking off as another process and copying itself to a new location, while the user is using the installer or program as normal, with no knowledge of the backdoor that is about to pop back through the firewall by connecting "outbound" towards a netcat listener. While this is happening, a registry key is created which enters our reverse shell into the system's Administrator-level startup chain. It's easy to spot if you know what you are looking for, but generally this will be persistent long enough that you can allot yourself a couple of mistakes and still have access to the machine (not get locked out). If you happen to get disconnected, kill and then restart the netcat listener with:
nc -l -p 7777 -v (change the port as necessary), and within a couple of seconds the reverse shell loops back around and fires off another connection request towards your listener with another Administrator shell.
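A defender's triage check for the persistence pattern described above, added here as an example that is not from the original post: it flags a Run-key entry whose command points into a user-writable directory and tests whether the referenced image carries PyInstaller's archive cookie. The Run-key entries and image bytes are constructed sample data, and the hive/name/command fields are assumed to come from whatever tool enumerates the Run keys.

```python
import re
from dataclasses import dataclass
from typing import List

# Cookie PyInstaller writes into every bundled executable (the CArchive
# "MEI" magic); its presence marks the image as a PyInstaller bundle.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Directories a normal user can write to. The post's payload copies itself
# to a new location and registers a Run key, so an autorun entry pointing
# here rather than into Program Files is worth a second look.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\[^\\]+\\Downloads|ProgramData)\\", re.IGNORECASE
)


@dataclass
class AutorunEntry:
    hive: str      # "HKLM" or "HKCU"
    name: str      # value name under ...\CurrentVersion\Run
    command: str   # command line that value points to


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True if the executable image contains the PyInstaller archive cookie."""
    return PYINSTALLER_MAGIC in data


def triage_autorun(entry: AutorunEntry, image: bytes) -> List[str]:
    """Return the reasons an autorun entry resembles the packed backdoor."""
    reasons = []
    if USER_WRITABLE.search(entry.command):
        reasons.append("runs from a user-writable directory")
    if is_pyinstaller_bundle(image):
        reasons.append("image is a PyInstaller bundle")
    if reasons and entry.hive.upper() == "HKLM":
        reasons.append("persists machine-wide (Administrator startup chain)")
    return reasons


# Constructed sample data: a vendor-style entry and a suspicious one.
BENIGN = AutorunEntry("HKLM", "VendorUpdater",
                      r'"C:\Program Files\Vendor\updater.exe" /quiet')
SUSPECT = AutorunEntry("HKLM", "WindowsHelper",
                       r"C:\Users\alice\AppData\Roaming\svchost.exe")
# Fake image bytes: a stub header, with the PyInstaller cookie only in one.
BENIGN_IMAGE = b"MZ" + b"\x00" * 64
SUSPECT_IMAGE = b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for entry, image in ((BENIGN, BENIGN_IMAGE), (SUSPECT, SUSPECT_IMAGE)):
        print(entry.name, triage_autorun(entry, image))
```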
The shell’s code
This isn't particularly interesting shell code, however it is handy. I recommend editing it to your use case in Notepad++, because things like the attacker host and port are hard coded.
The packed loader
Then all you need to do is build the project with:
Then run the .bat and send it on its way to be picked up by an unsuspecting computer user.
In the end this is pretty evil code and should never be used against a target. Seriously, under any circumstances, ever. It looks benign and totally compromises a machine while hiding its existence, and it persistently opens connections to pwn the machine.
Do. Not. Abuse. This. Code.
If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Thank you so much and happy hacking!