stubborn is a runtime crypter built as a web service. It allows uploading an executable file, which is encrypted and embedded into a stub. When the stub is executed, it decrypts the original file in memory, injects it into a selected process and starts its execution.
This is an ongoing project in its early stages. Its aim is to build a crypter that allows full customization of the stub, that is, choosing among different process injection techniques, encryption algorithms, anti-analysis techniques, etc.
To start the service, you just need to start the Docker container:
```
docker-compose up -d
```
This will start a Flask app. The UI can then be accessed at http://127.0.0.1:5000. You'll see the following form:
Upload your file, select the desired options, and you're ready to go!
You can find a packed HelloWorld.exe produced by stubborn in the example folder. In the same folder you will also find all the code of the corresponding stub.
- Supports Windows .exe files, both 32 and 64 bits
- The stub is compiled at the same moment the executable is uploaded
- Currently, the process injection is done only via Process Hollowing
- You can select among different target executables into which the process is injected, including the stub itself
- The stub includes some code emulation and sandbox detection techniques, as well as some junk imports
- The imports that are typical for Process Hollowing are resolved by the stub itself, by parsing the export table of the corresponding DLLs
- If the build type "Debug" is selected, executing the stub prints information about every step as it is performed
All the techniques used are known and have been implemented multiple times. The main references that I have used are the following:
- One packer to rule them all, by Arne Swinnen and Alaeddine Mesbahi. See the Black Hat paper, the Black Hat talk or the BruCON talk.
- Process Hollowing, by John Leitch. See the paper or this GitHub repo.
- RunPE, the implementation of Process Hollowing by @hasherezade. See the GitHub repo.
- Microsoft's documentation on the PE format as well as Matt Pietrek's Peering Inside the PE: A Tour of the Win32 Portable Executable File Format.
Many things remain to be done, among which (in no particular order):
- Improve UI
- Add more process injection techniques
- Add more encryption algorithms
- Add more antivirus evasion techniques and make them customizable
- Support Linux binaries
- Validate executable file format on upload
- Add tests
- ...
Thanks to @newlog, who gave me the idea of building a crypter in the first place, and of building it as a web service!