Hiding our malware window

In the previous lessson we included all the libraries we are going to use. Now let’s start working in the malware itself, let’s begin with the main function, this will be in charge of performing the client/server connection.

Let’s define an int APIENTRY function called “WinMain”. APIENTRY? What is that? As we are creating a windows application, there must be a function called “WinMain” and we specify APIENTRY, so we can use some methods and constants we’ll need throughout the code, this function also takes some arguments:

  • hInstance”, whose type is HINSTANCE
  • hPrev”, whose type is HINSTANCE
  • lpCmdLine”, whose type is LPSTR
  • nCmdShow”, whose type is an integer (int)

hInstance” is the handler of an instance or a module. The operating system uses this value to identify the executable of a software when it’s loaded in the memory.

hPrev” this is not important as it will be always “0”

lpCmdLine” contains a command-line command arguments

nCmdShow” is the value that determines whether a window is maximised, minimised or with a custom sized declared by the user

So far, our main main function code looks like this:

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrev, LPSTR lpCmdLine, int nCmdShow) {
}

The first thing we’ll need to do, is that, by default our window will not be visible, as you don’t want your victim to know something is being executed in the background in their computer, or you want to make them think that the software they opened is corrupt, and therefore, that’s why it doesn’t open.

To do that, we’ll need to create a new variable, whose type will be “HWND” (console window handle), in my case I’ll call it “stealth” y call the “AllocConsole()” function. What does this function do, is to assign a console to the process that is being executed (in our case, a malware).

The value of “stealth” will be the console we just “created”, to do so, in the next line we’ll type: “stealth = FindWindowA(“ConsoleWindowClass”, NULL)”. This function requires two arguments, the first, is the name of the class of the window we are looking for, and the second one, is the name of the window, in our case, it’s null (as we haven’t assigned a name to it).

Then, we’ll call another function called “ShowWindow” that will allow us to determine if the window will be shown or not, as we are developing a malware, we don’t want it to execute anything else, but to stay in the background. To do so, we’ll pass this function two arguments, the first, is the window handler (the one we called “stealth” before) and the second is a value that represents “nCmdShow” and we will set it to 0. Why 0? 0 represents the “hidden” state of a window.

This is how our code looks so far:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <winsock2.h>
#include <windows.h>
#include <winuser.h>
#include <wininet.h>
#include <windowsx.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrev, LPSTR lpCmdLine, int nCmdShow) {
  HWND stealth;
  AllocConsole();
  stealth = FindWindowA("ConsoleWindow", NULL);

  ShowWindow(stealth, 0);
}