From 5e5f768f80dbb86459b80d9856e48928e653c366 Mon Sep 17 00:00:00 2001
From: Dogface2k <100990646+Dogface2k@users.noreply.github.com>
Date: Wed, 20 May 2026 00:17:55 +0100
Subject: [PATCH] malware details to README

Updated README to include security advisory and warnings about malware presence. Detailed the malware execution chain and indicators of compromise.
---
 README.md | 248 +++++++++++++++++++++++++++++++-----------------------
 1 file changed, 144 insertions(+), 104 deletions(-)

diff --git a/README.md b/README.md
index f6b9b2d..1d9a7f0 100644
--- a/README.md
+++ b/README.md
@@ -1,104 +1,144 @@ -### DLL Injector Cheat C++ - - -## Compile - -1. Clone the project to your computer or download it as a ZIP file. -2. Open the solution file (.sln). -3. Select **Build Solution** from the **Build** menu or press `Ctrl+Shift+B` to compile the project. - -## Usage - -The injection module will download PDB files for `ntdll.dll` and its wow64 version on x64 systems to resolve symbol addresses. To start the download, use the `StartDownload` function. The injector can only operate after downloads are complete. Use `GetSymbolState` and `GetImportState` to check if downloads and address resolution are finished `(returning INJ_ERROR_SUCCESS (0))`. You can track download progress with `GetDownloadProgress`. If unloading the injection module during download, use `InterruptDownload` to avoid process deadlock. - - -## Features - - -Injection Methods - -- **LoadLibraryExW** - Description: Injects an external DLL file into the target process. - -- **LdrLoadDll** - Description: Loads and associates a DLL file into the target process. - -- **LdrpLoadDll** - Description: Manages DLL loading operations. - -- **LdrpLoadDllInternal** - Description: Manages DLL loading operations as an internal function. - -- **ManualMapping** - Description: Manually loads DLL code into the target process. - - - -Shellcode Execution Methods - -- **NtCreateThreadEx** - Description: Injects code by creating a new thread. - -- **Thread Hijacking** - Description: Injects code by using an existing thread as the target. - -- **SetWindowsHookEx** - Description: Injects code using Windows event hooks. - -- **QueueUserAPC** - Description: Injects user-mode code into a thread. - -- **KernelCallback** - Description: Injects code using kernel callbacks. - -- **FakeVEH** - Description: Injects code by manipulating Virtual Exit Handlers. - - - - -Manual Mapping Features - -- **Section Mapping** - Description: Maps DLL sections into the target process's memory. 
- -- **Base Relocation** - Description: Places DLL code in the target process's memory appropriately. - -- **Imports** - Description: Properly resolves dependent DLLs. - -- **Delayed Imports** - Description: Handles dependencies in a delayed manner. - -- **SEH Support** - Description: Provides Structured Exception Handler support. - -- **TLS Initialization** - Description: Initializes Thread Local Storage. - -- **Security Cookie Initialization** - Description: Initializes the security cookie. - -- **Loader Lock** - Description: Provides synchronization using the loader lock. - -- **Shift Image** - Description: Injects code by redirecting image loading. - -- **Clean Data Directories** - Description: Cleans data directories, removing unnecessary information. - - - -## Preview - -![image](https://user-images.githubusercontent.com/105746452/169072886-9292af6d-f26a-42ae-b23b-282f18b19255.png) - -## Disclaimer - -This source code is for educational purposes only. It's created to explore reverse engineering without impacting other gamers' experiences. - -## License - -This project is licensed under the MIT. For more information, see the [License](LICENSE). \ No newline at end of file +SECURITY ADVISORY: Supply Chain Malware Detected — DO NOT USE + +WARNING: This Repository Contains Malware + +This repository contains a **supply chain malware dropper** embedded in the MSBuild `.vcxproj` file. **Building this project in Debug configuration will compromise your machine.** The entire repository appears to be **bait** — a seemingly functional DLL injector designed to lure developers into compiling and executing the hidden payload. + +--- + +What Was Found + +### Location +`DLL Injector V4/DLL Injector V4.vcxproj` — Lines 112 (Debug|x64 PreBuildEvent) + +### Trigger +Building the project in `Debug|x64` configuration silently executes a multi-stage payload **on the developer's machine** during compilation. 
+ +### Malware Execution Chain (4 Stages) + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ STAGE 1: MSBuild PreBuildEvent (Batch Script) │ +│ Triggered when user hits "Build Solution" (Ctrl+Shift+B) │ +│ │ +│ • Creates: %TEMP%\z3IdPT\ │ +│ • Writes: IkA3CyZgY.vbs via obfuscated echo concatenation │ +│ • Spawns: cscript //nologo "%TEMP%\z3IdPT\IkA3CyZgY.vbs" │ +└───────────────────────────┬─────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ STAGE 2: VBScript Decoder (IkA3CyZgY.vbs) │ +│ │ +│ • Uses MSXml2.DOMDocument.6.0 to decode Base64 → binary │ +│ • Uses ADODB.Recordset for binary chunk handling │ +│ • Writes decrypted payload to: %TEMP%\z3IdPT\PKCA.ps1 │ +│ • Spawns: powershell.exe -ExecutionPolicy Bypass -File │ +│ "%TEMP%\z3IdPT\PKCA.ps1" │ +│ with window hidden (SW_HIDE = 0) │ +└───────────────────────────┬─────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ STAGE 3: PowerShell Decryptor (PKCA.ps1) │ +│ │ +│ • Defines fn "wd9L7u6kgnx" (PBKDF2-SHA256 key derivation) │ +│ • Creates Rfc2898DeriveBytes(password, salt, iterations) │ +│ • Defines fn "ftFfhZMIpO1" (AES-CBC-256 decryption) │ +│ • Creates AesManaged in CBC mode with PKCS7 padding │ +│ • Creates decryptor from derived key + IV │ +│ • Decrypts Base64 blob → raw bytes │ +│ • Converts to string → [Array]::Reverse() to deobfuscate │ +│ • Creates alias "pWN" = Invoke-Expression │ +│ • Calls pWN(decrypted_reversed_string) │ +└───────────────────────────┬─────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ STAGE 4: Unknown Final Payload │ +│ │ +│ • Executed via Invoke-Expression on the deobfuscated string │ +│ • Base64 string "SW52b2tlLVY4cHJlc3Npb24=" → "Invoke-V8pression"│ +│ (intentionally misspelled to evade string scanning) │ +│ • Likely: RAT, info-stealer, crypto-miner, or 
botnet agent │ +│ • Technique consistent with: Reflective .NET Assembly Load │ +└─────────────────────────────────────────────────────────────────┘ +``` + +### Deobfuscated PowerShell Identifiers + +| Obfuscated Variable | Deobfuscated Purpose | +|---------------------|---------------------| +| `$updghPRhQONPB` | AES decrypted data payload | +| `$yZhiBPRiGcccB` | AES IV | +| `$mbvHftYsefjJj` | `AesManaged.CreateDecryptor()` | +| `$mkKqjPpOucMnT` | Base64 decoded binary | +| `$funtounfdlccA` | Length offset calculation | +| `$mJijsJYeIWMcC` | `.ToCharArray()` result | +| `$TCBhHvHaeVTze` | `[System.Text.Encoding]::UTF8.GetString()` | +| `$fdedhvinigClb` | Decoded Base64 → `"Invoke-V8pression"` | +| `pWN` | Aliased to `Invoke-Expression` via `New-Alias` | + +### Indicators of Compromise (IOCs) + +| IOC | Value | +|-----|-------| +| Directory created | `%TEMP%\z3IdPT\` | +| VBS file dropped | `%TEMP%\z3IdPT\IkA3CyZgY.vbs` | +| PS1 file dropped | `%TEMP%\z3IdPT\PKCA.ps1` | +| Batch process spawned | `cscript.exe //nologo` | +| PowerShell process spawned | `powershell.exe -ExecutionPolicy Bypass -File` | +| COM object abused | `MSXml2.DOMDocument.6.0` | +| COM object abused | `ADODB.Recordset` | +| COM object abused | `Scripting.FileSystemObject` | +| COM object abused | `WScript.Shell` | +| .NET crypto abused | `System.Security.Cryptography.Rfc2898DeriveBytes` | +| .NET crypto abused | `System.Security.Cryptography.AesManaged` | + +### Obfuscation Techniques Used + +- **10 separate string variables** (`b`, `c`, `d`, `y`, `t`, `r`, `w`, `q`, `s`, `z`) each XOR'd/concatenated into the final payload +- **Arithmetic noise**: every string is wrapped in redundant bitwise operations like `((-534 -Bxor -534) -Band2*(534 -Band -534))` etc. 
that evaluate to 0 — padding to bloat the payload and evade signature scanning +- **Hidden PowerShell window**: `m.Run ..., 0, False` — window is hidden during execution +- **-ExecutionPolicy Bypass**: PowerShell runs with no restrictions +- **Base64 → AES-CBC-256**: dual-layer encryption requires both the key AND salt to decrypt +- **String reversal**: `[Array]::Reverse()` on the final command to break static analysis +- **Alias abuse**: `pWN` aliased to `Invoke-Expression` to hide the execution command +- **Misspelled evasion**: `"Invoke-V8pression"` instead of `"Invoke-Expression"` — evades simple string searches + +--- + + Why This Looks Like Bait + +The codebase has several hallmarks of a honeypot targeting cheating/security tool developers: + +1. **Hardcoded Chinese user paths**: `C:\Users\lisongqian\source\repos\Ldll\...` and `C:\Users\YOURNAME\...` — suggests original source repo +2. **Chinese UI text**: `设置Hook`, `卸载Hook`, `查看`, `进程`, `模块` — targets Chinese-speaking developers +3. **README promises advanced features** (ManualMapping, Thread Hijacking, QueueUserAPC, KernelCallback, etc.) that **don't exist in the code** — bait to make the project look sophisticated +4. **README describes PDB downloading for `ntdll.dll`** — a feature that would appeal to cheat developers wanting symbol resolution, but isn't implemented +5. **Only one injection method is implemented** (basic `CreateRemoteThread` + `LoadLibraryW`) — minimal functionality, maximum bait +6. **The target process is `spoolsv.exe`** — a SYSTEM-level Windows service, making the injector seem powerful +7. **GitHub topics/labels**: Likely tagged for "game hacking", "cheat", "injector" to attract the intended victim profile + +--- + +If You Have Built This Project + +If you compiled this project on your machine: + +1. **Check if `%TEMP%\z3IdPT\` exists** on your system +2. **Check for `IkA3CyZgY.vbs`** or **`PKCA.ps1`** in that directory +3. 
**Check PowerShell execution logs**: `Get-WinEvent -LogName "Windows PowerShell" | Where-Object { $_.Message -like "*IkA3CyZgY*" }` +4. **Check Event Viewer**: Windows Logs → Application for `cscript.exe` or suspicious PowerShell execution +5. **Run antivirus scan**: Windows Defender Offline Scan or your preferred AV +6. **Monitor for**: Unusual outbound network connections, new startup entries, unexpected processes + +--- + + Repository Details +- **Commit analyzed**: `b4a735eb22ad3a6d33a2840f1eca042d28e8b552` +- **Affected file**: `DLL Injector V4/DLL Injector V4.vcxproj` +- **Affected configuration**: `Debug|x64` only (lines 112) +- **Other configurations**: `Release|Win32`, `Release|x64`, `Debug|Win32` — clean but misconfigured (`Console` subsystem instead of `Windows`) + +---
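Review bot: the new README's top-level sections (`SECURITY ADVISORY: ...`, `What Was Found`, `Why This Looks Like Bait`, `If You Have Built This Project`, `Repository Details`) carry no `#` heading marker while their subsections use `###`, so they render as plain paragraphs; give them `#`/`##` so the advisory keeps the heading hierarchy the old README had. In the same hunk, `Lines 112 (Debug|x64 PreBuildEvent)` under Location and `(lines 112)` under Repository Details cite a single line and should read `line 112`. Remediation step 3 queries only the classic `Windows PowerShell` log, which holds engine lifecycle events (their `HostApplication` field does carry the command line, so the `-File` path may match); script content is logged as event ID 4104 in `Microsoft-Windows-PowerShell/Operational` only when Script Block Logging is enabled, so add that log to the step and say the check can come up empty if logging was off at build time. Finally, `Base64 → AES-CBC-256: dual-layer encryption requires both the key AND salt to decrypt` overstates Base64, which is encoding rather than encryption, and the salt is a PBKDF2 input rather than a decryption parameter; suggest `Base64 encoding around AES-CBC-256, with the key derived by PBKDF2 from an embedded password and salt`, which also matches the STAGE 3 description above it.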