Self-extracting archive (SFX) as Creative Virus Handler
Yesterday I Found and interesting article about "Self-extracting archive (SFX)" on Unremote.org by DarkCoderSc. SFX is a little application that contains compressed files. Creating a customized WinRAR SFX archives is a very easy task, but not all people know how to do it. It is therefore exactly the same as a .ZIP or .RAR archive. The only difference is that, when you execute it, will automatically extract the files. However, if you add some parameters, you can execute them after extraction or execute a shell command before extraction. So this feature can be used as good virus handler. Let's See how?
DarkCoderSc shared his experience with us using a Video Demonstration as shown Below.
- Start up the WinRAR application; click 'Browse for folder' under the 'File' menu and browse to the location of the file.
- With the file highlighted, clicking on the 'Add' button will kickoff the archiving process and selecting the 'Create SFX archive' option will give the file its self-extracting feature.
- Under the 'Advanced' tab and clicking on the 'SFX options' button, where we can now configure our 'Advanced SFX options'.
- In the first input field you can add a file name that already exist on the current drive or one of the extracted files to execute after the extraction.
- In the second input field you can add a file name that already exist in the current drive to execute before the extraction.
PART 1: Run Basic Windows Shell Commands using SFX:
Example 1: %SYSTEMDRIVE%\windows\system32\cmd.exe /k shutdown -s -f -t 3600
In the first input enter this command if we generate the SFX package and run it after the extraction we see a DOS window and a windows notification saying our computer will shutdown in 1 hour.
Example 2: %SYSTEMDRIVE%\windows\notepad.exe c:\atextfile.txt
You can do this with any other present application on the system such as opening a notepad file.
Example 3: %SYSTEMDRIVE%\Program Files\Internet Explorer\iexplore.exe https://unremote.org/
Opening a webpage using Internet Explorer
PART 2: Run Advance Tricky Commands using SFX
Using only a little .dll in the SFX package attacker can download and execute an application on victim's system that can or cannot be a virus and For this we just required "Rundll32 Microsoft application" and "FASM (Flat Assembler) Compiler".
Now Create a new folder and a new file called ourdll.asm when its done open this file in FASM and paste this code in the file. Edit the path to Files in sample Code for personal Usage.
In the first input enter this command if we generate the SFX package and run it after the extraction we see a DOS window and a windows notification saying our computer will shutdown in 1 hour.
Example 2: %SYSTEMDRIVE%\windows\notepad.exe c:\atextfile.txt
You can do this with any other present application on the system such as opening a notepad file.
Example 3: %SYSTEMDRIVE%\Program Files\Internet Explorer\iexplore.exe https://unremote.org/
Opening a webpage using Internet Explorer
PART 2: Run Advance Tricky Commands using SFX
Using only a little .dll in the SFX package attacker can download and execute an application on victim's system that can or cannot be a virus and For this we just required "Rundll32 Microsoft application" and "FASM (Flat Assembler) Compiler".
Now Create a new folder and a new file called ourdll.asm when its done open this file in FASM and paste this code in the file. Edit the path to Files in sample Code for personal Usage.
Now in the menu bar click on "Run" >> "Compile". Our dll is ready now, Let's create our SFX file downloader .
You need to follow the next steps:
- Right click on the dll and click on "Add to archive" << WinRAR explorer option
- Choose SFX package in the options list
- Go to Advanced Settings tab
- Click on SFX Settings button
- In extract to input add this line - "%APPDATA%\dcsc\ourdll.dll"
- In the first input parameter enter this line
%SYSTEMDRIVE%\windows\system32\rundll32.exe %APPDATA%\dcsc\ourdll.dll, dcscdownload
Now we can generate our archive, if we have correctly setup the SFX, then it will download and execute the chosen file after the full extractions.
PART 3: SFX as System Killer
The SFX manager includes two other dangerous functions (Run as administrator and Delete files after extraction). The option Run as administrator will ask to run it as admin, so the SFX will have all the rights on the system and, after extraction, the delete files will be usefull to do harmful things in the system.
To Get the Steps of this Method, You should Read the Original Article Written By Unremote.org.
