Home Grown Red Team: Adding Icons To Windows Based Executables Compiled In Linux

assume-breach
4 min read, Feb 5, 2024

Hi all! So, today we’re going to go over something that I haven’t seen anywhere else. This isn’t some super secret task, but when I went to look for a procedure I didn’t see one laid out specifically for compiling EXEs on Linux with icons.

Typically, people develop their malware in Visual Studio and then add an icon via Resource Hacker or directly through VS. But if you’re building a Linux-based packer (Freeze, ScareCrow, PEzor, Harriet, etc.) and you want to use an icon file so the output blends in in File Explorer, here’s a quick tutorial on how to do it.

Setting The Stage

Okay so since we’re just going to demo how to do this, I’m going to turn off Defender on my Windows box.

The demo EXE that we’re going to compile will probably throw Defender alerts.

Now let’s create our demo EXE. We’ll start with possibly the simplest Windows program I can think of.

1337, right?

Okay, so we’ll compile this using mingw and make sure it works.

I transfer it to my Windows box and execute.

Perfect. We have our POC. Now if we look at the program in File Explorer we see that generic EXE icon.

Let’s change that.

Picking An Icon

We will start by finding a PNG file that we want to use. A simple Google search will give you a lot of PNG file sites. I’m going with https://www.freepik.com/

While I have heard of people going directly to using an ICO file, it’s never worked for me for some reason. This is just the way I do it so you might find a better method.

Since our program launches calc, let’s find a calculator PNG file. I downloaded this one.

Converting The File

There are a lot of file converter sites out there. This is one I use.

You can then convert the PNG and download your ICO file.

I’ll rename the ICO file to calc.ico for simplicity, and now we can create our Resource.rc file.

Create Resource.rc File

Here’s a simple resource.rc file.

Notice we use our ICO file name in quotes.

Simple, right?

Creating The Resource.res File

To create the resource.res file, we’re going to use the windres tool that comes with mingw.

Back on the command line, if we try to use the command, it gives us an error.

That’s because, more than likely, windres is not in your PATH. But if we do a quick ls of the mingw bin directory and grep for it, we see a few windres programs (one per target triplet).

And now we can create our resource.res file.

And we can compile our POC with our resource.res file.

Did It Work?

We download our EXE to our Windows box and we see that we have a nice icon on our POC.

Pretty cool, huh?

So now you can script this out to create .res files to compile into your Linux-compiled malware.
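From the defender’s side, this procedure leaves a recognisable artefact: the EXE gets an icon group resource (RT_GROUP_ICON), but, unlike the application whose icon it borrows, it has no VERSIONINFO resource and no Authenticode certificate table (assuming the resource.rc holds only an ICON statement, as described above). The script below is an added example, not code from the original post: a dependency-free Python triage check that walks the PE data directories and the top level of the resource directory for those two signs, using a constructed minimal PE32+ as sample input.

```python
import struct

RT_ICON, RT_GROUP_ICON, RT_VERSION = 3, 14, 16           # resource type IDs from winuser.h

def pe_resource_types(data):
    """Return (top-level resource type IDs, has_certificate_table) for a PE image in memory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)   # PE32+ vs PE32
    rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]     # directory entry 2: resource table
    cert_size = struct.unpack_from("<II", data, dd + 4 * 8)[1]   # directory entry 4: certificate table
    # section entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    types = set()
    if rsrc_rva:                                         # image may carry no resources at all
        vs, va, raw, praw = next(s for s in sections if s[1] <= rsrc_rva < s[1] + max(s[0], s[2]))
        base = rsrc_rva - va + praw                      # RVA -> file offset
        n_named, n_id = struct.unpack_from("<HH", data, base + 12)
        for i in range(n_named + n_id):
            name = struct.unpack_from("<I", data, base + 16 + i * 8)[0]
            if not name & 0x80000000:                    # numeric type ID; string-named types skipped
                types.add(name)
    return types, cert_size > 0

def triage(data):
    """Flag what a bare ICON resource script leaves behind: an icon with nothing backing it up."""
    types, signed = pe_resource_types(data)
    flags = []
    if RT_GROUP_ICON in types and RT_VERSION not in types:
        flags.append("icon without VERSIONINFO")
    if RT_GROUP_ICON in types and not signed:
        flags.append("icon without certificate table")
    return flags

def build_sample_pe(type_ids, signed=False):
    """Constructed minimal PE32+ with one .rsrc section; test input only, not a real program."""
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(type_ids))
    rsrc += b"".join(struct.pack("<II", t, 0x80000000 | 0x100) for t in sorted(type_ids))
    dirs = [(0, 0)] * 16
    dirs[2] = (0x1000, len(rsrc))                        # resource table at RVA 0x1000
    if signed:
        dirs[4] = (0x600, 8)                             # pretend a certificate table is present
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec = b".rsrc\0\0\0" + struct.pack("<IIII", len(rsrc), 0x1000, len(rsrc), 0x400) + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return (dos + coff + opt + sec).ljust(0x400, b"\0") + rsrc
```

Run `triage(open(path, "rb").read())` on a real file; both flags together are a triage hint, not a verdict, since plenty of hobbyist tools also ship unsigned and without VERSIONINFO.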

I know it’s not groundbreaking, but it’s another piece of social engineering to help with engagements.

Smell ya later!


assume-breach

Security enthusiast that loves a good CTF! OSCP, CRTO, RHCSA, MCSA.