Skip to content

pulpocaminante/Stuxnet

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
phnt
phnt
 
 
AntiAV.hpp
AntiAV.hpp
 
 
AntiAnalysis.hpp
AntiAnalysis.hpp
 
 
AutoElevation.hpp
AutoElevation.hpp
 
 
BindingInterface.hpp
BindingInterface.hpp
 
 
Cipher.hpp
Cipher.hpp
 
 
ClassFactory.hpp
ClassFactory.hpp
 
 
ComWrapper.hpp
ComWrapper.hpp
 
 
DebugTests.cpp
DebugTests.cpp
 
 
Elevated Ultron Installer.vcxproj.filters
Elevated Ultron Installer.vcxproj.filters
 
 
Elevated Ultron Installer.vcxproj.user
Elevated Ultron Installer.vcxproj.user
 
 
ExceptionWrapper.hpp
ExceptionWrapper.hpp
 
 
ExportInterface.hpp
ExportInterface.hpp
 
 
KernelbaseWrapper.hpp
KernelbaseWrapper.hpp
 
 
NtWrapper.hpp
NtWrapper.hpp
 
 
Persistence.hpp
Persistence.hpp
 
 
QueryInterface.hpp
QueryInterface.hpp
 
 
README.md
README.md
 
 
RegInterface.hpp
RegInterface.hpp
 
 
Resource.aps
Resource.aps
 
 
Resource.rc
Resource.rc
 
 
Resource1.aps
Resource1.aps
 
 
Resource1.rc
Resource1.rc
 
 
SetupAPIWrapper.hpp
SetupAPIWrapper.hpp
 
 
Shell32Wrapper.hpp
Shell32Wrapper.hpp
 
 
StringTable.hpp
StringTable.hpp
 
 
UACInterface.hpp
UACInterface.hpp
 
 
Ultron Installer.vcxproj
Ultron Installer.vcxproj
 
 
Ultron Installer.vcxproj.filters
Ultron Installer.vcxproj.filters
 
 
Ultron Installer.vcxproj.user
Ultron Installer.vcxproj.user
 
 
WMIConnection.hpp
WMIConnection.hpp
 
 
WMIFS.hpp
WMIFS.hpp
 
 
WMIFSInterface.hpp
WMIFSInterface.hpp
 
 
Win32Interface.hpp
Win32Interface.hpp
 
 
Win32Wrapper.hpp
Win32Wrapper.hpp
 
 
config.h
config.h
 
 
favicon.ico
favicon.ico
 
 
icon1.ico
icon1.ico
 
 
interfaces.hpp
interfaces.hpp
 
 
loader.cpp
loader.cpp
 
 
loader.h
loader.h
 
 
resource.h
resource.h
 
 
resource1.h
resource1.h
 
 
retrieve-file.ps1
retrieve-file.ps1
 
 
util.cpp
util.cpp
 
 
util.h
util.h
 
 
wdk.h
wdk.h
 
 
wmi.h
wmi.h
 
 
wmi_defs.h
wmi_defs.h
 
 
wmicfg.hpp
wmicfg.hpp
 
 

Repository files navigation

Proof of concept WMI virus. Does what it looks like it does. Virus isn't stored on the filsystem (in any way an AV would detect), but within the WMI. Contains PoC code for extracting it from the WMI- which can also be achieved at boot from within the WMI itself using powershell. So, self-extracting WMI virus that never touches the disk.

Main WMI stuff for reading/writing files to the WMI:

https://raw.githubusercontent.com/pulpocaminante/Stuxnet/refs/heads/main/WMIFSInterface.hpp

https://github.com/pulpocaminante/Stuxnet/blob/main/wmi.h

Of particular interest to people wanting to understand how it reads/writes file, my main debugging function:

https://github.com/pulpocaminante/Stuxnet/blob/main/wmi.h#L324

WMI based race condition 0day for demoting protected anti-malware services to less than a guest user:

https://github.com/pulpocaminante/Stuxnet/blob/main/AntiAV.hpp

For those who are unfamiliar:

The WMI is an extension of the Windows Driver Model. It's a CIM interface that provides all kinds of information about the system hardware, and provides for a lot of the core functionality in Windows. For example, when you create a startup registry key for an an application, that's really acting on the WMI at boot.

You can use the WMI to start applications directly. This is a known technique and antiviruses already detect it. The WMI stores triggers for events, among other things. Its a kind of database, which is accessed using a more cursed version of SQL called WQL.

So... you can write small amounts of data to it. So... I figured why not go a step further and use the WMI as a filsystem?

You can write the binary payload to the WMI, and then create a startup entry that stores a powershell script which then extracts the binary from the WMI and loads the whole program into memory. Bam. The virus never touches the disk.

Contains a novel privilege escalation technique and some other fun and/or novel stuff. Fully undetected by all antiviruses and sandboxing suites like virustotal. Loads system libraries on-demand, finds function offsets for its hardcoded prototypes, that way all of its system API calls are undetectable. Maybe some more novel AV evasion stuff, its been a while since I wrote it. Think I implemented polymorphism or dynamic runtime string encryption. Has wrappers for system libraries for AV evasion. If I recall correctly I used the "stolen bytes" technique for some of them but I don't care to look. If you care enough you'll figure it out anyway.

As a side note, and probably a free $100k for a bounty hunter:

The WMI has no buffer overflow protection for key/value pairs. Its also directly accessed by the kernel. And WMI buffer overflows can cause very strange system behavior when that data is malformed. Its my gut feeling that this could be leveraged to access kernelspace and load an unsigned device driver. But I've never gotten around to investigating it.

About

WMI virus, because funny

Resources

Readme
Activity

Stars

263 stars

Watchers

4 watching

Forks

53 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages