hanni
232 posts
hanni retweetledi
Tired of malware development noobs complaining about the WINAPI and process creation stuff.
It's shrimple.
You simply use CreateProcess or ShellExecute. If you want to be extra specific, can you use ShellExecuteEx or CreateProcessAsUser. If you want to be a little more specific you can use CreateProcessWithLogonW. If you want to be specific, but in a slightly different way, you can use CreateProcessWithTokenW
Technically, you can use also the outdated (but still present) function from internet explorer called "OpenURL". OpenURL will treat a file path as a URL and create the process. It's inside IEFRAME.DLL. Very cool.
Also, you can use some weird library on Windows called MSHTML and use RunHTMLApplication. RunHTMLApplication can be used to execute VBS or JavaScript which then runs an executable.
Alternatively, you can use LaunchApplicationW from the PCWUTL library. This will also create a process.
Interestingly, there is a weird goof in Windows. Remember OpenURL from internet explorer? Well, it's also present in a library called shdocvw.dll. You can use OpenURL from there too.
If you don't want to use ShellExecute, or ShellExecuteEx, which comes from the SHELL32 library, you can use ShellExec_RunDLLW from SHELL32. It basically does the same thing.
I suppose if you don't like any of these you can use URL.DLL functionality, specifically FileProtocolHandlerA function. This will treat a file path like a URL and execute a file for you.
If you're not happy with FileProtocolHandlerA, URL.DLL also has OpenURL (the same function from IEFRAME.DLL! Internet explorer stuff!) so you can use OpenURL from URL.DLL too.
If none of these are sufficient, you can also use some weird function called RouteTheCall from the ZIPFLDR library. I'm not sure what's up with this function, it is Windows ZIP stuff. Regardless, RouteTheCall has three parameters. The first two are NULL and the third parameter accepts a file path to a file you want to execute.
Of course, if you're doing low-level development, or want to be more evasive, you can always do the NTDLL stuff and use NtCreateUserProcess, or ZwCreateUserProcess.
Oh, I almost forgot, you can also use RunAsNewUser_RunDLLW from SHELL32. Luckily this library exposes several different ways to create a process (although they're not documented well, no idea why).
My memory is fuzzy, I almost forgot this one, but Windows also exposes a way to create a process from the little "Help" icon thingy on GUIs. You can initialize IHxHelpPaneServer or IHxInteractiveUser from the Windows Component Object Model then invoke the "Execute" method. This method is supposed to be for URLs, but Windows will treat a URL like a file still.
Before I forget, you can also use the Windows Management Instrumentation (WMI) stuff for process creation. If you use the Windows Component Object Model and initialize IWbemLocator you can initialize Win32_ProcessStartup and use that to create a process too.
I guess I should note, if you don't want to use SHELL32 directly, you can use also the Component Object Model and initialize CLSID_ShellWindows, get the Desktop ShellView, find it's COM automation objects, and using the Shell.Application interface you invoke ShellExecuteW
Anyway, it's shrimple, just use one of these to create a process:
- CreateProcess
- ShellExecute
- ShellExecuteEx
- CreateProcessAsUser
- CreateProcessWithLogonW
- CreateProcessWithTokenW
- OpenURL (ieframe.dll)
- RunHTMLApplication
- OpenURL (shdocvw.dll)
- ShellExec_RunDLLW
- FileProtocolHandlerA
- OpenURL (URL.dll)
- RouteTheCall
- NtCreateUserProcess
- RunAsNewUser_RunDLLW
- IHxHelpPaneServer
- IHxInteractiveUser
- Win32_ProcessStartup
- CLSID_ShellWindows (Shell Automation)
I'll skip on the touch pad injection, INF section abuse, in-memory execution, or shellcode injection. That's a different topic.
English
@vxunderground Try to get the system version its super conveniant.
IsWindowsXPOrGreater()
IsWindows7OrGreater()
IsWindows8OrGreater()
IsWindows10OrGreater()
English
Tired of noobs complaining the WINAPI for malware development is weird. It's not.
How do you create a file?
The CreateFile function.
How do you open a file for reading?
The CreateFile function.
How do you open a file for writing?
The CreateFile function.
How do you get a handle to a directory?
The CreateFile function.
How do delete a file?
The CreateFile function.
How do you get access to a physical disk?
The CreateFile function.
How do you get access to a file stream?
The CreateFile function.
How do you get access to the console buffer?
The CreateFile function.
How do you get access to pipes?
The CreateFile function.
How do you perform interprocess communication?
The CreateFile function.
Just make sure you use the appropriate version of CreateFile (CreateFileA for ANSI, or CreateFileW for wide characters).
Alternatively, you can use CreateFile2 which is the same as CreateFile except the parameters are passed as a data structure named CREATEFILE2_EXTENDED_PARAMETERS. However, be aware CreateFile2 only works on Windows 8 and above and designed more or less for programs running from the Windows app store.
Alternatively, alternatively, you could use CreateFile3 which is nearly identical to CreateFile2 except it uses the CREATEFILE3_EXTENDED_PARAMETERS structure and is more or less designed for sandboxed packaged applications. However, be aware CreateFile3 only works on Windows11 24H2 and above.
It's shrimple, honestly.
English
@DailyDarkWeb I kinda want to know how sophiticated their windows implants are
English
🇷🇺 Alleged North Korean APT Arsenal Offered for Sale on Dark Web
Threat actor "Devil Marlboro" is advertising what is claimed to be a collection of North Korean APT-related tools, malware, and operational resources on a cybercrime forum.
According to the advertisement, the package allegedly includes:
* Lazarus-related backdoor samples
* Huawei IP tracking tools
* Multiple North Korean APT toolsets
* Malware archives and operational files
* Threat actor infrastructure resources
* Potential espionage-focused tooling
The seller claims the collection contains materials associated with North Korean cyber operations, including artifacts referencing Lazarus Group activity.
If authentic, such datasets could be valuable for:
* Malware analysis and reverse engineering
* Threat actor attribution research
* Detection engineering and threat hunting
* Intelligence collection on DPRK operations
* Development of defensive signatures and YARA rules
However, cybercriminal forums frequently recycle, repackage, or falsely attribute malware collections to increase their perceived value. Historical samples, publicly available malware, or previously leaked archives are often marketed as exclusive intelligence.
At the time of writing, the authenticity, originality, and operational value of the advertised collection have not been independently verified.
Analyst Note: North Korean threat actors, particularly Lazarus-linked clusters, remain among the most active state-sponsored operators globally. Any claimed leak involving DPRK tooling should be treated with caution until technical validation confirms whether the material is genuine, current, and previously undisclosed.
#DDW #Intelligence #DarkWeb #Lazarus
Credit: iqblack.com/insight/devil-…
English
