Dongonata (12-21-2015),fwsefwsgrgwhergr (12-14-2015)
I've seen lots of RATs that have functions where you can show messages to the user using MsgBox or whatever. The problem is, you can find out what process the message box originates from through the task manager etc. I ended up finding a much better way: just use the built-in Windows function for sending messages on remote desktop sessions, WTSSendMessage. I originally saw this function in Process Hacker 2 and after taking a look at the source, I made my VB source (also posted it on pinvoke):

Code:
Imports System.Runtime.InteropServices
Imports System.Windows.Forms

<DllImport("wtsapi32.dll", SetLastError:=True)> _
Private Shared Function WTSSendMessage(ByVal hServer As IntPtr, ByVal SessionId As Int32, _
        ByVal title As String, ByVal titleLength As UInt32, _
        ByVal message As String, ByVal messageLength As UInt32, _
        ByVal style As UInt32, ByVal timeout As UInt32, _
        ByRef pResponse As UInt32, ByVal bWait As Boolean) As Boolean
End Function

Public Shared WTS_CURRENT_SERVER_HANDLE As IntPtr = IntPtr.Zero
Public Shared WTS_CURRENT_SESSION As Integer = -1

Dim title As String = "MessageBox Title"
Dim content As String = "Hello World!"

''In a Sub/Function, shows MessageBox with exclamation icon.
WTSSendMessage(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION, title, title.Length, content, content.Length, MessageBoxIcon.Exclamation, Nothing, Nothing, False)

I haven't really tried tracing it back too much, but it seems to be a lot harder to trace back to the origins. Enjoy.
Thanks m8, I will need this for my updater. I don't want my software testers to see that.
Well, that's pretty clever.
Optionally, you can inject some simple stub code that calls MessageBoxA/MessageBoxW and then call CreateRemoteThread to execute it.
Also hard to trace (if you close the process handle prior to MessageBoxA() being called).
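
A defender's view of the CreateRemoteThread variant mentioned in the reply above, as an added example that is not part of the original thread: Sysmon records remote thread creation as Event ID 8 with the source image, target image and thread start location, so the injecting process is still logged. The Python below triages such events; the sample events, file paths and allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed allowlist (assumption): system processes that create remote
# threads during normal operation. Tune this per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def make_event(event_id, **fields):
    """Build a constructed Sysmon-style event XML string for the samples below."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

def triage(xml_text):
    """Return None for events to ignore, else (severity, reason) for a remote thread."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "8":
        return None  # only Event ID 8 (CreateRemoteThread) is of interest here
    d = {x.get("Name"): (x.text or "").strip()
         for x in root.findall("e:EventData/e:Data", NS)}
    source, target = d.get("SourceImage", ""), d.get("TargetImage", "")
    if source.lower() in ALLOWED_SOURCES:
        return None
    # A start address outside any loaded module points at injected stub code.
    if d.get("StartModule", "") in ("", "-"):
        return ("high", f"{source} started a thread in {target} at "
                        f"{d.get('StartAddress')} with no backing module")
    return ("review", f"{source} started a thread in {target} at "
                      f"{d.get('StartModule')}!{d.get('StartFunction')}")

# Constructed sample events (not real telemetry).
SAMPLES = [
    make_event(8, SourceImage=r"C:\Users\tester\AppData\Local\Temp\updater.exe",
               TargetImage=r"C:\Windows\explorer.exe",
               StartAddress="0x000001F4A2B30000", StartModule="-", StartFunction="-"),
    make_event(8, SourceImage=r"C:\Windows\System32\csrss.exe",
               TargetImage=r"C:\Windows\System32\cmd.exe",
               StartAddress="0x00007FFB1C2A0000",
               StartModule=r"C:\Windows\System32\kernel32.dll", StartFunction="CtrlRoutine"),
    make_event(8, SourceImage=r"C:\Tools\debugger.exe",
               TargetImage=r"C:\Apps\service.exe", StartAddress="0x00007FFB1D000000",
               StartModule=r"C:\Windows\System32\ntdll.dll", StartFunction="DbgUiRemoteBreakin"),
    make_event(1, Image=r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```
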