Since you are here , i am going to assume that you know basic about syscalls and how to call them as well as how to assemble and link the assembly files . You may have a question . Why assembly ? Well there are two reasons . My life was boring so it gave my brain something to work on . The second reason is that we get absolute control over the code and its really small . A simple C program has many other functions that gets executed even before main() . Although it does not effect our performance but its hard when you are trying to make a metamorphic malware . With less instructions the file is less chaotic and its easy to make a metamorphic malwares(My personal opinion) .
The dropper will carry python code in it . The python code is an one-liner to connect to a website and get a file and run it in memory . Nothing will be saved in the hard disk . Python has a function called exec that allows us to do that . I will use python socket to make requests since library such as requests,urllib may not be installed in our target machine .
I ran the code using the python -c command . This will help me to run the initial code in memory . I will declare three variables which will contain the command as well as the code to run . Then I will call the execve syscall to run the command . RAX register will store the syscall id . This is how the OS knows what syscall to call . The syscall takes three arguments . The first is the binary name in my case its python . The next is the arguments and the third is the environment varibles . The environment variables can be null . The arguments should be in an array . Here is the code
I just have to assemble it and link it . If everything was right the python script that is the malware i wanted to drop is running in memory without leaving a trace in hard disk/ssd
