Below is an example of how you can use the Windows API in C++ to create a communication channel with http.sys. This example demonstrates how to set up a simple HTTP server using the HTTP Server API:

#include <windows.h>
#include <http.h>

#pragma comment(lib, "httpapi.lib")

int main()
{
    ULONG retCode = NO_ERROR;
    HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2;
    HTTP_SERVER_SESSION_ID sessId = NULL;
    HTTP_URL_GROUP_ID groupId = NULL;
    HTTP_REQUEST_ID requestId = NULL;
    HTTP_SERVER_CONTEXT context = 0;

    // Initialize HTTP Server APIs
    retCode = HttpInitialize(HttpApiVersion, HTTP_INITIALIZE_SERVER, NULL);
    if (retCode != NO_ERROR) return retCode;

    // Create a server session
    retCode = HttpCreateServerSession(HttpApiVersion, &sessId, 0);
    if (retCode != NO_ERROR) goto cleanup;

    // Create a URL group
    retCode = HttpCreateUrlGroup(sessId, &groupId, 0);
    if (retCode != NO_ERROR) goto cleanup;

    // Add a URL to the URL group
    PCWSTR pFullyQualifiedUrl = L"http://localhost:8080/";
    retCode = HttpAddUrlToUrlGroup(groupId, pFullyQualifiedUrl, context, 0);
    if (retCode != NO_ERROR) goto cleanup;

    // Your code to handle requests here
    // ...

cleanup:
    // Clean up in case of failure or after serving requests
    if (groupId != NULL) {
        HttpRemoveUrlFromUrlGroup(groupId, pFullyQualifiedUrl, 0);
        HttpCloseUrlGroup(groupId);
    }
    if (sessId != NULL) {
        HttpCloseServerSession(sessId);
    }
    HttpTerminate(HTTP_INITIALIZE_SERVER, NULL);

    return retCode;
}

This code initializes the HTTP service, creates a server session, sets up a URL group, and adds a URL to the group. You would need to add your own code to handle the HTTP requests.

Please note that this is a simplified example and does not include error handling or request processing logic. For a complete implementation, you would need to handle incoming HTTP requests and send appropriate responses. You can find more detailed information and examples in the [Microsoft documentation].

Initialization: The malware first initializes itself upon execution. This may involve setting up hooks or modifying system settings to intercept and handle HTTP requests.

Registration with HTTP.sys: The malware registers itself with HTTP.sys to intercept incoming HTTP requests. This can be achieved by configuring HTTP.sys to route specific URL patterns or by modifying the HTTP request handling process within the system

Listening for Commands: The malware continuously monitors incoming HTTP requests handled by HTTP.sys. It parses incoming requests to identify commands or instructions from the C2 server. These commands may be embedded within specific headers, parameters, or payloads of HTTP requests.


Executing Commands: Upon receiving valid commands from the C2 server, the malware executes the specified actions. These actions may include downloading and executing additional payloads, exfiltrating sensitive data, or performing system reconnaissance.

Sending Responses: After executing commands, the malware may generate responses or status updates to send back to the C2 server. These responses can be embedded within HTTP responses or sent as separate HTTP requests to a predefined endpoint on the C2 server.


Data Exfiltration: In addition to receiving commands, the malware may use the established communication channel to exfiltrate stolen data to the C2 server. This can include sensitive information such as credentials, files, or system information.

Using the WinHTTP C/C++ API - Win32 apps | Microsoft Learn.

c++ - HTTP client example on win32 - Stack Overflow.

c++ - Communication between two windows created using TCP Sockets ....

https://github.com/pedro-vicente/lib_netsockets.

@source_byte
#malware_dev
#windows

🟣 ساخت KeyLogger ویندوزی با استفاده از GetAsyncKeyState

یکی از روش های مرسوم و اولیه برای پیاده سازی کیلاگر ها در ویندوز استفاده از تابع GetAsyncKeyState در Windows API است . به وسیله این تابع میتوان چک کرد آیا یک کلید مدنظر روی صفحه کلید در حال حاضر فشرده شده است یا نه . در این ویدیو میبینیم چطور میتونیم به وسیله این تابع یک کیلاگر ویندوزی پیاده سازی کنیم که به صورت مخفی در پس زمینه اجرا شده و کلید های ضبط شده را در یک فایل ذخیره کند .

Aparat : https://www.aparat.com/v/h29Cp

#توسعه_بدافزار

🆔 : @mrpythonblog

Here is some code that was written about a year for a project for vx-underground. However, due to various reasons, the code is being publicly released.

tl;dr recursive loader, painful to reverse engineer

Explanation of code:
The following code is inspired by APT Linux/Kobalos. Kobalos was malware, suspected to be tied to the Chinese government, which was fully recursive. It was novel malware.

Following this inspiration, an x64 recursive loader was developed for Windows 10 and Windows 11. When compiled the binary has no entries in the IAT. The binary resolves all APIs via NTDLL. Additional libraries are loaded via LdrLoadDll.

The code recursively calls itself to execute functions. It determines which portion of code to execute using a flag (an enum). Each 'function' is encapsulated in a switch statement. All variables are recursively passed using the 'VARIABLE_TABLE' structure. The VARIABLE_TABLE also contains further nested structures for handling API function resolving, initializing COM objects and associated classes, and data structures for some 'switch functions' which may require additional variables for tasks.

To avoid the compiler optimizing code and introducing functions into the IAT, some STDIO functionality such as ZeroMemory have been re-written in more unorthodox methods.

HTTPS requests are handled by COM via the WinHttpRequest Object.

The code basically downloads a binary from vx-underground and executes it. Currently the code will not work because the executable hosted on vx-underground for the proof-of-concept is no longer there – although it was just a copy cmd.exe.

Code may have some bugs. It can be improved upon by introducing pseudo-polymorphism by 'scrambling' the order of switch statements and enum values on each build.

Code written by smelly

You can checkout Win32.RecursiveLoader.b here: https://pastebin.com/HSTS2zwL

x64 WINAPI Recursive Loader W No Imports.c

obfuscating c2 during a red-team engagement(harden your C2 server)
Jumpsec

#c2

Im going to sleep! 2000’s

🔥List of best security channels on telegram:
https://news.1rj.ru/str/addlist/RPL2r4B8flEyOTI0

If you think that i missed a good channel tell me! -> @Ke3rNel

Injecting code into PPL processes without vulnerable drivers on Windows 11

https://blog.slowerzs.net/posts/pplsystem/

Title: Write Great Code, Volume 2, 2nd Edition

Denoscription: Modern programming languages provide productivity and portability, but also make it easy to write sloppy code that is not optimized for the compiler. The book will teach you how to write code that will turn into good machine code when executed by a compiler.

#book

binaryninja update on auth.lol/binja

WRITE GREAT
VOLUME 3
Engineering Software

#book

Year : 2024
Pages : 616 Edition : null
#security
#cybersecurity
#Cryptography

Unpack DotFix Niceprotect

#unpacking
#reverse

Name: Mach-O Runtime and File Format Reference

Requirements: Compiling Steps, C Programming
Level: Intermediate
Author: Apple Inc.

Contents Index:

1 - Overview of Runtime Architecture
2 - Building Mach-O Files
3 - Executing Mach-O Files
4 - Loading Code At Runtime
5 - Runtime Conversations for PowerPC
6 - Data Types
7 - Data Alignment
8 - Stack Structure
9 - Routine Calls
10 - Dynamic Code Generation
11 - Mach-O File Format Reference
12 - Mach-O Header Data Structure
13 - Load Command Data Structures
14 - Symbol Table and Related Data Structures
15 - Relocation Data Structures
16 - Static Archive Libraries
17 - Multi-CPU Architecture Files

#apple #mac #mach_o #paper #book