Monday, March 31, 2025

Threads

Usually, GDI Trojans work with a threading system:

	//Shaking
	HANDLE hBB1 = HeapCreate(HEAP_NO_SERIALIZE | HEAP_CREATE_ENABLE_EXECUTE, sizeof(char) * 8192 * 64, 0);
	HANDLE hPML1 = HeapCreate(HEAP_NO_SERIALIZE | HEAP_CREATE_ENABLE_EXECUTE, sizeof(char) * 8192 * 64, 0);
	HANDLE hBytebeat1 = CreateThread(NULL, NULL, &Bytebeats::Bytebeat1, hBB1, NULL, NULL);
	HANDLE hPayload1 = CreateThread(NULL, NULL, &GDIPayloads::GDIPayload1, hPML1, NULL, NULL);
	Sleep(1000 * 15); //15 Seconds 

	//Shaders
	HANDLE hPML2 = HeapCreate(HEAP_NO_SERIALIZE | HEAP_CREATE_ENABLE_EXECUTE, sizeof(char) * 8192 * 64, 0);
	HANDLE hPayload2 = CreateThread(NULL, NULL, &GDIPayloads::GDIPayload2, hPML2, NULL, NULL);
	Sleep(1000 * 10); //10 Seconds 
	System::EndPayload(hPayload2, hPML2);
	System::EndPayload(hBytebeat1, hBB1);

	//Icons
	HANDLE hBB2 = HeapCreate(HEAP_NO_SERIALIZE | HEAP_CREATE_ENABLE_EXECUTE, sizeof(char) * 8192 * 64, 0);
	HANDLE hPML3 = HeapCreate(HEAP_NO_SERIALIZE | HEAP_CREATE_ENABLE_EXECUTE, sizeof(char) * 8192 * 64, 0);
	HANDLE hBytebeat2 = CreateThread(NULL, NULL, &Bytebeats::Bytebeat2, hBB2, NULL, NULL);
	HANDLE hPayload3 = CreateThread(NULL, NULL, &GDIPayloads::GDIPayload3, hPML3, NULL, NULL);
	Sleep(1000 * 5); //5 Seconds 

	//PatBlt
	HANDLE hPML4 = HeapCreate(HEAP_NO_SERIALIZE | HEAP_CREATE_ENABLE_EXECUTE, sizeof(char) * 8192 * 64, 0);
	HANDLE hPayload4 = CreateThread(NULL, NULL, &GDIPayloads::GDIPayload4, hPML4, NULL, NULL);
	Sleep(1000 * 15); //15 Seconds 

	//AlphaBlend
	HANDLE hPML5 = HeapCreate(HEAP_NO_SERIALIZE | HEAP_CREATE_ENABLE_EXECUTE, sizeof(char) * 8192 * 64, 0);
	HANDLE hPayload5 = CreateThread(NULL, NULL, &GDIPayloads::GDIPayload5, hPML5, NULL, NULL);
	Sleep(1000 * 15); //15 Seconds

Threading is a way to run 2 or more functions at the same time, for example a visual payload alongside a bytebeat function.

Is that secure?

Most GDI Trojans show a warning and are non-destructive (i.e. clean, safe):

	//If the computer wasn't infected before, it shows the warning messages.
	if (GetFileAttributesW(L"C:\\Windows\\WinNet.exe") == INVALID_FILE_ATTRIBUTES)
	{
		if (MessageBoxW(NULL, L"WARNING!\n\nYou're about to run a potentially harmful program that can cause your system's death & data loss. This program also displays flashing lights and plays loud sounds.\n\nBy running this program, you accept full responsibility for any damages that may occur. The creator (ArTic aka JhoPro) will not be responsible for anything caused by this software. By the way, this was created for educational and entertainment purposes.\n\nWould you like to proceed with running this program?", L"'We all make choices, but in the end our choices make us...'", MB_ICONWARNING | MB_YESNO) != IDYES) return 1;
		if (MessageBoxW(NULL, L"FINAL WARNING!\n\nIf you really want to run it and you're already aware of the risks, press 'Yes'. Otherwise, press 'No'.\n\nProceed at your own risk...", L"Lixo.exe - FINAL WARNING", MB_ICONWARNING | MB_YESNO) != IDYES) return 1;
	}

Usually, 1 warning is NOT RECOMMENDED; 2 or 3 are the most common, since users can accidentally run the trojan.
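The dialog titles and the infection-marker path above are what an analyst can pivot on. Note that MessageBoxW and GetFileAttributesW take wide strings, so those literals sit in the binary as UTF-16LE and a plain ASCII string search misses them. The following is an added example, not code from the page or from the Lixo project: it searches a buffer for the page's own strings in both encodings; the SAMPLE buffer is constructed here to stand in for a file read from disk.

```python
import re

# Indicator strings taken verbatim from the code on the page.
INDICATORS = {
    "dialog_title": "'We all make choices, but in the end our choices make us...'",
    "final_warning_title": "Lixo.exe - FINAL WARNING",
    "infection_marker": "C:\\Windows\\WinNet.exe",
}


def find_indicators(data: bytes) -> dict:
    """Return {name: [(offset, encoding), ...]} for every indicator found.

    Each string is searched as 8-bit ASCII and as UTF-16LE, the form a
    wchar_t literal (L"...") takes in a compiled Windows binary.
    """
    hits = {}
    for name, text in INDICATORS.items():
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(name, []).append((m.start(), enc))
    return hits


def looks_like_lixo(data: bytes, min_hits: int = 2) -> bool:
    """Flag a buffer when at least `min_hits` distinct indicators are present."""
    return len(find_indicators(data)) >= min_hits


# Constructed sample (not a real binary): null padding, the wide-string
# dialog title, some filler, then the marker path as an 8-bit string.
SAMPLE = (
    b"\x00" * 16
    + INDICATORS["dialog_title"].encode("utf-16-le")
    + b"\x00\x00" + b"MZ" * 4
    + INDICATORS["infection_marker"].encode("ascii")
)

if __name__ == "__main__":
    for name, where in find_indicators(SAMPLE).items():
        print(name, where)
    print("match:", looks_like_lixo(SAMPLE))
```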

What are GDI Trojans and the Windows GDI API?

GDI (Graphics Device Interface) is how Windows draws things on the screen: windows, apps, etc.

You can basically force it to draw on window "0" (the whole screen), i.e. over EVERYTHING.

This is basically the full history of GDI Trojans and how they work.

An example is Lixo (GDI-Trojan.Win32.Lixo), created by JhoPro:

https://github.com/ArTicZera/GDI-Trojan.Win32.Lixo 

🤔 What is Lixo.exe?

Lixo.exe is a small trojan made in C++ and 8086 Assembly for WINDOWS XP. In general, it modifies some registry keys, creates copies of itself in critical Windows directories, plays some bytebeats, shows some GDI effects, overwrites the boot sector (MBR) with 10 payloads made in ASM, and does many other things. By the way, this is my 3rd GDI-Trojan and probably the last one...

⚠️ Important!!!

This is a potentially harmful program that can cause your system's death & data loss. This software also displays flashing lights and plays loud sounds, so if you have a photosensitive disease like epilepsy, don't run this or watch any video about it for your security.

By running this program, you accept full responsibility for any damages that may occur. So, the creator (ArTic a.k.a. JhoPro) will not be responsible for anything caused by this software. By the way, this was created for educational and entertainment purposes; consequently, don't use it for malicious acts like sharing it with a friend.
