abdulkadir-gungor / JPGtoMalware

It embeds an executable file or payload inside a JPG file. The method the program uses is not strictly one of the steganography methods; for this reason it causes no distortion in the JPG file, and the JPG file size and payload size do not have to be proportional. The JPG file is displayed normally in any image viewer or web application. It can bypass various security programs such as firewalls and antivirus. If the file is examined in detail, it is easier to detect than steganographic methods. However, since the payload in the JPG file is encrypted, it cannot be easily decrypted. It also uses the "garbage code insertion/dead-code insertion" method to prevent the payload from being caught by the antivirus at runtime.
373 stars 80 forks

malware_v1.py, malware_v2.py, malware_v3.py require a minor update. #1

Closed lif314 closed 2 years ago

lif314 commented 2 years ago

If I embed hello.exe (the function is to open a local program) into 1.jpg through Injecting Malware Into JPG.exe, malwareJPG.jpg will be generated. So running malware_v1.exe in the same directory should be equivalent to running hello.exe?

# hello.py  (compiled to hello.exe; the test program embedded into 1.jpg)
import os
# absolute path of the local program this test executable is meant to open
path = r"D:\AppData\Notepad++\notepad++.exe"
# os.startfile launches the file with its associated application and returns None
res = os.startfile(path)

But I have not been able to run it successfully; the debug output is as follows: [screenshot] Thank you!

abdulkadir-gungor commented 2 years ago

Dear "lif314",

Before answering the question, I would like to make a few clarifications. I usually try to get back to anyone who asks for help, even if it's late. That's why my responses may take time, so I thank you for your tolerance.

Before the codes were published, they were both tested and recorded on video. Although the codes here are only published for Windows, versions for various platforms such as mobile devices and Linux are also available. However, the codes here are "Open Source" as a simple example to show the working logic. Also, other types of versions were not put by me to prevent the spread of malware.

Coming to the question, the above question, source code and screenshot are all unrelated. So the source code does not belong to me, the screenshot looks like it belongs to "InjectingMalwareIntoJPG.py", not "malware_v1.py". Also, the question is not related to them. If you provide more detailed and relevant questions and pictures, I'll try to help.

I'll try to answer as much as I can from what you wrote. The program "InjectingMalwareIntoJPG.py" or "InjectingMalwareIntoJPG.exe" embeds the executable file inside the image file.

From what I understand from your code, you saw the "notepad++.exe" file inside the image file. There is an error here. The program "notepad++.exe" has dependencies on different files such as dll. And it doesn't work alone. [You can look at the pictures below]

Screenshot 1 [The program needs the dll in this folder and the files in the subfolders to run.] [screenshot answer1]

Screenshot 2 [If you copy this stand-alone "notepad++.exe" program to a folder, you will see that it does not work when you click it.] [screenshot answer2]

"malwareJPG.jpg" and "malware_v1.exe" should be in the same folder. Then clicking "malware_v1.exe" will create a random folder inside the "C:\Users\[user]\AppData\Local\Temp" folder. And it extracts the executable file in the "malwareJPG.jpg" file to this folder. Finally it runs this executable.

I wish you success in your work. I'm not closing this issue right away. If you have another problem, add it under this comment and I'll try to help.

abdulkadir-gungor commented 2 years ago

Looking at the screenshot again, I compared it to the malware2.py code. I guess if there are "0xff,0xd9" codes in the executable file in the image, it will give an error. This seems like my fault. But with a simple update I will fix this problem.

Thanks again for your feedback.

lif314 commented 2 years ago

Looking at the screenshot again, I compared it to the malware2.py code. I guess if there are "0xff,0xd9" codes in the executable file in the image, it will give an error. This seems like my fault. But with a simple update I will fix this problem.

Thanks again for your feedback.

I also thank you very much.

abdulkadir-gungor commented 2 years ago

Problem: If the executable file contains "0xffd9" codes, malware_v1.py, malware_v2.py, malware_v3.py files will cause an error while extracting the code.

    # rb_list: the image file's bytes split on b'\xff\xd9' (the JPEG EOI marker).
    # Element 0 is the JPEG itself and the last element is left out; every
    # element in between belongs to the embedded payload, which split() broke
    # into several pieces whenever the payload itself contained 0xFF 0xD9.
    # (The enclosing function name below is an assumed wrapper; in the files
    # the snippet is part of the extraction function's body.)
    def extract_payload(rb_list):
        if len(rb_list) < 3:
            return False
        else:
            if len(rb_list) == 3:
                payload = rb_list[1]
            else:
                payload = b''
                # re-join the pieces, restoring each 0xFF 0xD9 sequence that split() consumed
                for ii in range(1, (len(rb_list) - 1)):
                    if ii == 1:
                        payload += rb_list[ii]
                    else:
                        payload += (b'\xff\xd9' + rb_list[ii])
        return payload

I added the above codes to the malware_v1.py, malware_v2.py, malware_v3.py files to solve the problem. I haven't had a chance to test it. But I hope these codes will solve the problem. I added the compiled version to the link "https://drive.google.com/file/d/1EyEURlNeSDOxUUdVcrfq_J7InFiJxfG4/view?usp=sharing".

The executable files I tested did not give an error because these codes did not exist. However, I do not have a test file containing these codes in ready-made executable files. That's why I didn't get a chance to test it. However, the "notepad++.exe" file you tried is not a suitable test file as it does not work alone.

If you have the opportunity, I would be glad if you test it and give feedback. Your report has been very valuable to me. Also thank you very much.
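The bug discussed in this thread comes from splitting the whole file on the two-byte EOI marker, a sequence that can also appear inside the appended data and inside legitimate JPEG segments (an EXIF thumbnail in APP1 carries its own FF D9, for instance). The script below is an added, defender-side example and is not code from the JPGtoMalware project: it walks the JPEG marker structure, honouring each segment's length field and the entropy-coded data rules, to find the image's real EOI, and then reports any bytes that follow it. That is the check a scanner or incident responder would run to flag a JPG carrying an appended executable. The sample JPEG skeleton and the stand-in "payload" are constructed byte strings, labelled as such; the function names are this example's own.

```python
import struct

# JPEG marker codes used below
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# markers that carry no length field
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def find_eoi_end(data: bytes) -> int:
    """Walk the marker segments from SOI and return the offset just past the
    image's real EOI marker. FF D9 bytes inside a segment payload (e.g. an
    EXIF thumbnail in APP1) are skipped because the segment length is honoured."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len          # skip the whole segment, its payload included
        if marker == SOS:
            # entropy-coded data follows; inside it 0xFF is only ever stuffed
            # (FF 00), a restart marker (FF D0-D7) or fill (FF FF); any other
            # FF xx is the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the image; a clean JPEG yields b''."""
    return data[find_eoi_end(data):]


def naive_split_count(data: bytes) -> int:
    """Number of pieces a plain split on FF D9 produces (the approach that broke)."""
    return len(data.split(b"\xff\xd9"))


# --- constructed sample: a structurally valid, minimal JPEG skeleton ---------
# APP1 payload deliberately contains FF D9, as a real EXIF thumbnail would
APP1 = _segment(0xE1, b"Exif\x00\x00" + b"thumb" + b"\xff\xd9" + b"end")
SOF0 = _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")   # 8-bit, 16x16, 1 component
SOS_HDR = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
ENTROPY = b"\x12\x34\xff\x00\x56\xff\xd0\x78"                    # stuffed FF 00 and an RST0
SAMPLE_JPEG = b"\xff\xd8" + APP1 + SOF0 + SOS_HDR + ENTROPY + b"\xff\xd9"

# constructed stand-in for appended data (not a real executable); it also contains FF D9
FAKE_PAYLOAD = b"MZ\x90\x00" + b"\xff\xd9" + b"fake payload"


if __name__ == "__main__":
    carrier = SAMPLE_JPEG + FAKE_PAYLOAD
    print("clean JPEG trailing bytes :", trailing_bytes(SAMPLE_JPEG))
    print("carrier trailing bytes    :", trailing_bytes(carrier))
    print("pieces from naive split   :", naive_split_count(carrier))
```

Run on the constructed carrier, the marker walk returns exactly the appended bytes, while the naive split yields four pieces because three FF D9 pairs occur in the file (one in APP1, the real EOI, one in the appended data). Any non-empty result from trailing_bytes on a file that a viewer renders normally is a strong indicator of this appending technique and is cheap to check at upload or mail-gateway time.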

abdulkadir-gungor commented 2 years ago

With the new updates, I tested with 3 different files containing the code "0xffd9". The codes worked flawlessly.

lif314 commented 2 years ago

With the new updates, I tested with 3 different files containing the code "0xffd9". The codes worked flawlessly.

Amazing! I also tested some files, they worked flawlessly! Have you ever thought about silently running the embedded malicious program when you double click on a jpg file? I don't have a way to do it yet. Thank you!

abdulkadir-gungor commented 2 years ago

In the old days it was possible to exploit when clicking on image exploits or when Windows OS was creating a thumbnail to show the image file itself as an icon. However, with the recent kernel-level updates of the operating system (ASLR, DEP, etc.), the Windows operating system has become difficult to exploit even if there is a new vulnerability. It didn't work out well in my few attempts. However, the situation is different in browsers. It is possible to run malware only when viewing file contents such as pictures, audio, video via browsers. It is not mentioned much yet that such vulnerabilities create a very dangerous situation for mobile devices.

Thank you for your valuable time and contribution to the project.