nickcano / Relocbonus

Licence: gpl-3.0
An obfuscation tool for Windows which instruments the Windows Loader into acting as an unpacking engine.

Projects that are alternatives of or similar to Relocbonus

Nt wrapper
A wrapper library around native Windows system APIs
Stars: ✭ 287 (+170.75%)
Mutual labels:  malware, obfuscation
kiteshield
Packer/Protector for x86-64 ELF binaries on Linux
Stars: ✭ 71 (-33.02%)
Mutual labels:  obfuscation, malware
Lime Crypter
Simple obfuscation tool
Stars: ✭ 217 (+104.72%)
Mutual labels:  malware, obfuscation
Lazy importer
library for importing functions from dlls in a hidden, reverse engineer unfriendly way
Stars: ✭ 544 (+413.21%)
Mutual labels:  malware, obfuscation
Archivist
A ctypes powered python keylogger.
Stars: ✭ 92 (-13.21%)
Mutual labels:  malware
Malice
VirusTotal Wanna Be - Now with 100% more Hipster
Stars: ✭ 1,253 (+1082.08%)
Mutual labels:  malware
Php Malware Finder
Detect potentially malicious PHP files
Stars: ✭ 1,245 (+1074.53%)
Mutual labels:  malware
Php Malware Analysis
Deobfuscation and analysis of PHP malware captured by a WordPress honey pot
Stars: ✭ 82 (-22.64%)
Mutual labels:  malware
Malwarepersistencescripts
A collection of scripts I've written to help red and blue teams with malware persistence techniques.
Stars: ✭ 103 (-2.83%)
Mutual labels:  malware
Arsenal
Extensible Red Team Framework
Stars: ✭ 99 (-6.6%)
Mutual labels:  malware
Injectallthethings
Seven different DLL injection techniques in one single project.
Stars: ✭ 1,297 (+1123.58%)
Mutual labels:  malware
Sinkholes
🐛 Malware Sinkhole List in various formats
Stars: ✭ 84 (-20.75%)
Mutual labels:  malware
Python Ransomware
Python Ransomware Tutorial - YouTube tutorial explaining code + showcasing the ransomware with victim/target roles
Stars: ✭ 96 (-9.43%)
Mutual labels:  malware
Apt
APT || Execution || Launch || APTs || ( Authors harr0ey, bohops )
Stars: ✭ 83 (-21.7%)
Mutual labels:  malware
Emojify
Obfuscate your python script by converting it to emoji icons
Stars: ✭ 99 (-6.6%)
Mutual labels:  obfuscation
Teleshadow3
Telegram Desktop Session Stealer
Stars: ✭ 83 (-21.7%)
Mutual labels:  malware
Keylogger
A powerful C keylogger for Windows.
Stars: ✭ 89 (-16.04%)
Mutual labels:  malware
Artifacts Kit
Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.
Stars: ✭ 99 (-6.6%)
Mutual labels:  malware
Malwoverview
Malwoverview is a first response tool used for threat hunting and offers intel information from Virus Total, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, ThreatCrowd, Valhalla, Malware Bazaar, ThreatFox and it is able to scan Android devices against VT and HA.
Stars: ✭ 1,276 (+1103.77%)
Mutual labels:  malware
Coinhive Block
To block the malware domains of coin-hive systemwide.
Stars: ✭ 85 (-19.81%)
Mutual labels:  malware

RelocBonus

RelocBonus is an obfuscation tool for Windows which instruments the Windows Loader into acting as an unpacking engine.

I gave a talk about this tool at DEFCON 26; here is the abstract:

The arbiters of defense wield many static analysis tools; disassemblers, PE viewers, and anti-viruses are among them. When you peer into their minds, these tools reveal their perilous implementations of PE file parsing. They assume PE files come as-is, but the Windows Loader actually applies many mutations (some at the command of the PE itself) before execution ever begins. This talk is about bending that loader to one's whim with the Relocations Table as a command spell. It will demonstrate how the loader can be instrumented into a mutation engine capable of transforming an utterly mangled PE file into a valid executable. This method starts with multiple ASLR Preselection attacks that force binary mapping at a predictable address. It then mangles the PE file, garbling any byte not required prior to relocation. Finally, it embeds a new Relocations Table which, when paired with a preselected base address, causes the loader to reconstruct the PE and execute it with ease.

This isn't a packer or a POC, it is a PE rebuilder which generates completely valid, stable, and vastly tool-breaking executables. This talk will show you how this attack twists the protocols of a machine against the controls meant to protect it. It flexes on tools with various look-what-I-can-break demonstrations and, if you write similar tools, it'll make you rethink how you do it.
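The abstract's key observation is that the loader will faithfully rewrite whatever the Relocations Table tells it to, so a PE whose pages are almost entirely covered by relocation entries is the fingerprint a static tool can look for. The following Python is an added defender-side example, not code from RelocBonus or PeLib: it parses raw relocation-directory bytes and measures how much of each 4 KiB page the loader would overwrite. The 25% threshold and the sample blocks are constructed assumptions, not values taken from the project.

```python
import struct
from collections import defaultdict

# Relocation entry types as defined in winnt.h
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry; the loader skips it
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit pointer patch
IMAGE_REL_BASED_DIR64 = 10     # 64-bit pointer patch
PATCH_WIDTH = {IMAGE_REL_BASED_HIGHLOW: 4, IMAGE_REL_BASED_DIR64: 8}

def parse_relocs(data):
    """Walk the relocation directory: each block is (page RVA, block size)
    followed by WORD entries whose top 4 bits are the type, low 12 the offset."""
    entries, off = [], 0
    while off + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, off)
        if size < 8 or off + size > len(data):
            raise ValueError("malformed relocation block at offset %d" % off)
        for i in range((size - 8) // 2):
            (word,) = struct.unpack_from("<H", data, off + 8 + 2 * i)
            rtype, delta = word >> 12, word & 0xFFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                entries.append((page_rva + delta, rtype))
        off += size
    return entries

def page_coverage(entries):
    """Fraction of each 4 KiB page that applying the relocations overwrites."""
    touched = defaultdict(set)
    for rva, rtype in entries:
        for b in range(PATCH_WIDTH.get(rtype, 0)):
            touched[(rva + b) & ~0xFFF].add((rva + b) & 0xFFF)
    return {page: len(bs) / 4096 for page, bs in touched.items()}

def suspicious_pages(entries, threshold=0.25):
    """Pages rebuilt mostly by the loader; a normal image stays far below this (assumed threshold)."""
    return sorted(p for p, c in page_coverage(entries).items() if c >= threshold)

def build_block(page_rva, offsets, rtype=IMAGE_REL_BASED_DIR64):
    """Construct one relocation block; used only to build the sample input below."""
    words = [(rtype << 12) | o for o in offsets]
    if len(words) % 2:
        words.append(0)  # ABSOLUTE padding keeps the block DWORD-aligned
    return struct.pack("<II", page_rva, 8 + 2 * len(words)) + struct.pack("<%dH" % len(words), *words)

# Constructed sample: a page with three ordinary pointers, then a page whose
# every 8-byte slot is relocated, i.e. its contents exist only after loading.
SAMPLE = build_block(0x1000, [0x10, 0x48, 0x200]) + build_block(0x3000, list(range(0, 0x1000, 8)))
```

Running `suspicious_pages(parse_relocs(SAMPLE))` flags only the page at RVA 0x3000; a real scanner would read the directory from the PE's data directory entry and compare coverage against the section's raw size.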

Features

There are quite a few nifty capabilities built right into the tool:

  • Targeting specific sections with --section
  • Doing multiple passes of obfuscation using --multipass
  • Obfuscating only specific strings using --stringMatch="string to obfuscate"
  • Obfuscating imports (on by default; turned off with --noImports)

Code

The code is written in C++ and the project files are for Visual Studio 2017. There is a dependency on PeLib; a version slightly modified to work with the C++17 standard lives in deps/.

Because the code uses some C++17 features, this project and its dependencies won't cleanly backport to earlier Visual Studio versions.

Usage

Usage is fully described by running reloc.exe with no arguments. Here are some example invocations:

  • Standard: reloc.exe malware.exe obfuscated_malware.exe
  • Standard, multipass: reloc.exe --multipass malware.exe obfuscated_malware.exe
  • Standard, Windows 10: reloc.exe --win10 malware.exe obfuscated_malware.exe
  • Obfuscate strings: reloc.exe --stringMatch="hello world" malware.exe obfuscated_malware.exe

Samples

Some pre-built samples exist in the samples/ directory.