
loreloc / mkpoly

Licence: GPL-3.0
A simple polymorphic engine

Programming Languages

assembly, C, Makefile

Projects that are alternatives of or similar to mkpoly

Elfparser
Cross Platform ELF analysis
Stars: ✭ 228 (+714.29%)
Mutual labels:  malware
FIDL
A sane API for IDA Pro's decompiler. Useful for malware RE and vulnerability research
Stars: ✭ 421 (+1403.57%)
Mutual labels:  malware
DFIR Resources REvil Kaseya
Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack
Stars: ✭ 172 (+514.29%)
Mutual labels:  malware
Malware Samples
Malware samples, analysis exercises and other interesting resources.
Stars: ✭ 241 (+760.71%)
Mutual labels:  malware
Runpe In Memory
Run a Exe File (PE Module) in memory (like an Application Loader)
Stars: ✭ 249 (+789.29%)
Mutual labels:  malware
Kernel-dll-injector
Kernel-Mode Driver that loads a dll into every new created process that loads kernel32.dll module
Stars: ✭ 256 (+814.29%)
Mutual labels:  malware
Lime Crypter
Simple obfuscation tool
Stars: ✭ 217 (+675%)
Mutual labels:  malware
Owlyshield
Owlyshield is an EDR framework designed to safeguard vulnerable applications from potential exploitation (C&C, exfiltration and impact).
Stars: ✭ 281 (+903.57%)
Mutual labels:  malware
rhino
Agile Sandbox for analyzing Windows, Linux and macOS malware and execution behaviors
Stars: ✭ 49 (+75%)
Mutual labels:  malware
IAT API
Assembly block for finding and calling the windows API functions inside import address table(IAT) of the running PE file.
Stars: ✭ 63 (+125%)
Mutual labels:  malware
Pepper
An open source script to perform malware static analysis on Portable Executable
Stars: ✭ 250 (+792.86%)
Mutual labels:  malware
Telnet Iot Honeypot
Python telnet honeypot for catching botnet binaries
Stars: ✭ 252 (+800%)
Mutual labels:  malware
windows-defender
Malice Windows Defender AntiVirus Plugin
Stars: ✭ 31 (+10.71%)
Mutual labels:  malware
Filewatcher
A simple auditing utility for macOS
Stars: ✭ 233 (+732.14%)
Mutual labels:  malware
mirai
The Mirai malware modified for use on NCL/a virtual/simulated environment.
Stars: ✭ 32 (+14.29%)
Mutual labels:  malware
Kicomav
KicomAV is an open source (GPL v2) antivirus engine designed for detecting malware and disinfecting it.
Stars: ✭ 227 (+710.71%)
Mutual labels:  malware
VX-API
Collection of various malicious functionality to aid in malware development
Stars: ✭ 904 (+3128.57%)
Mutual labels:  malware
Abused-Legitimate-Services
Cloud, CDN, and marketing services leveraged by cybercriminals and APT groups
Stars: ✭ 42 (+50%)
Mutual labels:  malware
malware api class
Malware dataset for security researchers, data scientists. Public malware dataset generated by Cuckoo Sandbox based on Windows OS API calls analysis for cyber security researchers
Stars: ✭ 134 (+378.57%)
Mutual labels:  malware
Umbra
A LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can spawn a reverse shell to a remote host, launch malware and more.
Stars: ✭ 98 (+250%)
Mutual labels:  malware

mkpoly

mkpoly is a simple program that makes an executable polymorphic: each run encrypts a chosen region of the binary with a freshly generated cipher and embeds the matching decryptor, so every output file differs while behaving the same.

platform

The target platform is the Linux operating system.

installation

git clone https://github.com/loreloc/mkpoly.git
cd mkpoly
make
sudo make install

Additionally, build the example with:

nasm -f elf64 example.asm
gcc -no-pie example.o -o example

usage

In order to use mkpoly, the target executable must contain a DECRYPTOR_SECTION (see mkpoly.inc and example.asm): a piece of code holding the function the program uses to decrypt itself. The region to encrypt must start at a 16-byte-aligned address and its size must be a multiple of 16 bytes. The DECRYPTOR_SECTION macro defines two local labels, .mkpoly_loop and .mkpoly_func, which mark, respectively, the start of the decryptor loop and the start of the decryption function (the slot that mkpoly overwrites with the generated decryptor).

mkpoly takes 4 positional parameters; the last three are given in hexadecimal, without a 0x prefix:

  • The filename of the binary to make polymorphic
  • The offset in the binary file of the section to encrypt
  • The size of the section to encrypt
  • The offset in the binary file where to place the decrypt function

When executed, the polymorphic engine randomly generates a matching pair of encryption and decryption functions. The encryption function is applied to the region specified by the user; the decryption function is written into the DECRYPTOR_SECTION at the offset specified by the user. When the output binary runs, it executes the DECRYPTOR_SECTION and so decrypts that region of itself before using it. Because the functions are generated at random, every invocation of mkpoly on the same input yields a different output file.
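The following is an added illustration of what "randomly generates the encryption and the decryption functions" means; it is not mkpoly's code and does not reproduce mkpoly's cipher. A toy engine picks a random sequence of invertible byte operations (xor, add, sub, rotate, not) as the encryptor and derives the decryptor by inverting each operation and reversing the order. A real engine emits machine code for both functions; here the sequences are interpreted so the round trip can be checked. The op set, the 8-op length and the sample bytes are all assumptions of this example.

```c
/* Added example, not mkpoly's own code: toy polymorphic engine that
 * generates a random encryptor op sequence and its exact inverse. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum op_kind { OP_XOR, OP_ADD, OP_SUB, OP_ROL, OP_ROR, OP_NOT, OP_KINDS };

struct op {
    enum op_kind kind;
    uint8_t arg;            /* key byte, or rotate count for ROL/ROR */
};

static uint8_t rol8(uint8_t v, unsigned n)
{
    n &= 7;
    return (uint8_t)((v << n) | (v >> ((8 - n) & 7)));
}

static uint8_t ror8(uint8_t v, unsigned n)
{
    n &= 7;
    return (uint8_t)((v >> n) | (v << ((8 - n) & 7)));
}

uint8_t apply_op(struct op o, uint8_t v)
{
    switch (o.kind) {
    case OP_XOR: return (uint8_t)(v ^ o.arg);
    case OP_ADD: return (uint8_t)(v + o.arg);
    case OP_SUB: return (uint8_t)(v - o.arg);
    case OP_ROL: return rol8(v, o.arg);
    case OP_ROR: return ror8(v, o.arg);
    case OP_NOT: return (uint8_t)~v;
    default:     return v;
    }
}

/* XOR and NOT are their own inverse; ADD/SUB and ROL/ROR swap. */
struct op invert_op(struct op o)
{
    struct op r = o;
    switch (o.kind) {
    case OP_ADD: r.kind = OP_SUB; break;
    case OP_SUB: r.kind = OP_ADD; break;
    case OP_ROL: r.kind = OP_ROR; break;
    case OP_ROR: r.kind = OP_ROL; break;
    default: break;
    }
    return r;
}

/* n random encryptor ops; the decryptor is the inverted ops in reverse
 * order, so dec(enc(x)) == x for every byte. rand() is enough here: a
 * polymorphic engine wants variety between outputs, not secrecy. */
void gen_engine(struct op *enc, struct op *dec, size_t n, unsigned seed)
{
    srand(seed);
    for (size_t i = 0; i < n; i++) {
        enc[i].kind = (enum op_kind)(rand() % OP_KINDS);
        if (enc[i].kind == OP_ROL || enc[i].kind == OP_ROR)
            enc[i].arg = (uint8_t)(1 + rand() % 7);   /* rotate by 1..7 */
        else
            enc[i].arg = (uint8_t)(rand() % 256);
    }
    for (size_t i = 0; i < n; i++)
        dec[i] = invert_op(enc[n - 1 - i]);
}

/* Apply an op sequence to every byte of the region in place. */
void transform(const struct op *ops, size_t n, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < n; j++)
            buf[i] = apply_op(ops[j], buf[i]);
}

/* Constructed sample region (32 bytes of x86-64-looking filler), not taken from example.asm. */
const uint8_t sample_code[32] = {
    0x48, 0x31, 0xc0, 0x48, 0x89, 0xc7, 0x0f, 0x05, 0x90, 0x90, 0x90, 0x90, 0xc3, 0x90, 0x90, 0x90,
    0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x0f, 0x05, 0x90, 0x90, 0x90, 0x90,
};

/* 1 if a freshly generated engine encrypts and then decrypts the region back
 * to its original bytes. Like mkpoly, a size that is not a non-zero multiple
 * of 16 is rejected. */
int roundtrip_ok(const uint8_t *data, size_t len, unsigned seed)
{
    if (len == 0 || len % 16 != 0)
        return 0;
    struct op enc[8], dec[8];
    gen_engine(enc, dec, 8, seed);
    uint8_t *buf = malloc(len);
    if (!buf)
        return 0;
    memcpy(buf, data, len);
    transform(enc, 8, buf, len);
    transform(dec, 8, buf, len);
    int ok = memcmp(buf, data, len) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    static const char *names[] = { "xor", "add", "sub", "rol", "ror", "not" };
    struct op enc[8], dec[8];
    gen_engine(enc, dec, 8, 1);
    for (size_t i = 0; i < 8; i++)
        printf("enc[%zu] %s %02x   dec[%zu] %s %02x\n", i, names[enc[i].kind], enc[i].arg,
               i, names[dec[i].kind], dec[i].arg);
    printf("roundtrip: %s\n", roundtrip_ok(sample_code, sizeof sample_code, 1) ? "ok" : "FAILED");
    return 0;
}
```

Changing the seed changes the printed op list while the round trip keeps succeeding, which is exactly the property mkpoly relies on: the decryptor that ships with an output binary is the inverse of the encryptor used on that binary, and no two outputs share one.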

example

The offsets mkpoly expects are file offsets, not virtual addresses. The commands below give the virtual address of the region to encrypt (the label hello), its size (the difference between the addresses of hello.end and hello), and the address at which to place the decrypt function (decrypt.mkpoly_func). Because example is linked with -no-pie, the objdump -h line for .text shows how the two relate: VMA 0x401060 corresponds to file offset 0x1060, so here a file offset is the VMA minus 0x400000.

$ objdump -h example | grep -E ".text"
 12 .text         00000315  0000000000401060  0000000000401060  00001060  2**4
$ objdump -x example | grep -E "hello|decrypt"
000000000040115e l       .text	0000000000000000              decrypt
00000000004011b0 l       .text	0000000000000000              decrypt.mkpoly_loop
00000000004011bb l       .text	0000000000000000              decrypt.mkpoly_func
00000000004012f0 l       .text	0000000000000000              hello
0000000000401300 l       .text	0000000000000000              hello.end

$ mkpoly example 12f0 10 11bb

This creates a randomly encrypted version of example called example.crypt: the 0x10 bytes of hello (file offset 0x12f0, VMA 0x4012f0) are encrypted and the generated decryptor is written at file offset 0x11bb (decrypt.mkpoly_func). Running the same command again produces a different example.crypt.
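The VMA-to-file-offset conversion above was done by hand from the objdump output. As an added example, not part of mkpoly, the program below does the same thing by walking the ELF64 section headers (file offset = vma - sh_addr + sh_offset), skips sections that are not file-backed (such as .bss), and checks mkpoly's 16-byte alignment rule on the chosen range. It assumes a little-endian host and glibc's <elf.h>; the embedded image is constructed here and only mirrors the .text numbers shown above (address 0x401060, offset 0x1060, size 0x315), it is not the real example binary.

```c
/* Added example, not part of mkpoly: ELF64 VMA -> file offset resolver
 * plus a check of the 16-byte alignment rule for the region to encrypt. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 and stores the file offset if vma lies in a section that is
 * both loaded (SHF_ALLOC) and backed by file bytes (not SHT_NOBITS). */
int elf64_vma_to_offset(const uint8_t *img, size_t len, uint64_t vma, uint64_t *off)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return 0;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return 0;
    if (eh.e_shentsize != sizeof(Elf64_Shdr))
        return 0;
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        uint64_t pos = eh.e_shoff + (uint64_t)i * sizeof sh;
        if (pos + sizeof sh > len)
            return 0;                      /* truncated section table */
        memcpy(&sh, img + pos, sizeof sh);
        if (!(sh.sh_flags & SHF_ALLOC) || sh.sh_type == SHT_NOBITS)
            continue;
        if (vma < sh.sh_addr || vma >= sh.sh_addr + sh.sh_size)
            continue;
        if (sh.sh_offset + sh.sh_size > len)
            return 0;                      /* section claims bytes past EOF */
        *off = vma - sh.sh_addr + sh.sh_offset;
        return 1;
    }
    return 0;
}

/* mkpoly's constraint on [start, end): 16-byte aligned start and a
 * non-empty size that is a multiple of 16. */
int mkpoly_range_ok(uint64_t start, uint64_t end)
{
    return end > start && start % 16 == 0 && (end - start) % 16 == 0;
}

/* Constructed image: ELF header, the mandatory null section header, and one
 * .text header mirroring the objdump output above. Everything else is zero
 * filler; no real code is present. */
static uint8_t sample_img[0x1060 + 0x315];

size_t build_sample_image(void)
{
    Elf64_Ehdr eh;
    Elf64_Shdr sh[2];
    memset(sample_img, 0, sizeof sample_img);
    memset(&eh, 0, sizeof eh);
    memset(sh, 0, sizeof sh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_shoff = sizeof eh;
    eh.e_shentsize = sizeof(Elf64_Shdr);
    eh.e_shnum = 2;
    sh[1].sh_type = SHT_PROGBITS;
    sh[1].sh_flags = SHF_ALLOC | SHF_EXECINSTR;
    sh[1].sh_addr = 0x401060;
    sh[1].sh_offset = 0x1060;
    sh[1].sh_size = 0x315;
    memcpy(sample_img, &eh, sizeof eh);
    memcpy(sample_img + sizeof eh, sh, sizeof sh);
    return sizeof sample_img;
}

/* File offset of vma in the constructed image, or -1 if it is not file-backed. */
long long sample_file_offset(uint64_t vma)
{
    uint64_t off;
    size_t n = build_sample_image();
    return elf64_vma_to_offset(sample_img, n, vma, &off) ? (long long)off : -1;
}

/* Usage: ./vma2off <elf-file> <hex-vma>   e.g. ./vma2off example 4012f0
 * With no arguments it resolves the two addresses from the example above
 * against the constructed image. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        printf("hello -> %llx, decrypt.mkpoly_func -> %llx (constructed image)\n",
               (unsigned long long)sample_file_offset(0x4012f0),
               (unsigned long long)sample_file_offset(0x4011bb));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    uint8_t *img = malloc((size_t)len);
    if (!img || fread(img, 1, (size_t)len, f) != (size_t)len) { fclose(f); return 1; }
    fclose(f);
    uint64_t vma = strtoull(argv[2], NULL, 16), off;
    if (!elf64_vma_to_offset(img, (size_t)len, vma, &off)) {
        fprintf(stderr, "vma not in a file-backed section\n");
        return 1;
    }
    printf("%llx\n", (unsigned long long)off);
    free(img);
    return 0;
}
```

On the real example binary the three arguments to mkpoly come out of this directly: the offset of hello, the offset of decrypt.mkpoly_func, and the size as the difference of hello.end and hello; if the range check fails, move or pad the region in example.asm rather than adjusting the numbers.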