
Showing results for tags 'packer'.

Found 10 results

  1. Features:
     • the packer only supports x64 exes (although planning to make an x32 version, but idk when it'll be done)
     • no CRT imports
     • API hashing library (custom getmodulehandle and getprocaddress)
     • direct syscalls (for the part that I do the ntdll unhooking)
     • ntdll unhooking from \KnownDlls\
     • supports TLS callbacks
     • supports reallocation in case it is needed (the image is mapped to the preferable address first)
     • no RWX section allocation
     • supports exception handling
     • uses the elzma compression algorithm to do the compression (reducing the final file size)
     • it's local run PE, so it supports arguments
     • fake imported functions to add a more friendly look to the IAT

     Release v1 The Builder Supporting 3 outputs: exe - dll - hidden exe output - x64 native only

     [Hidden Content]
  2. MD5-Monomorphic Shellcode Packer – all payloads have the same MD5 hash

     What does it do?

     It packs up to 4KB of compressed shellcode into an executable binary, near-instantly. The output file will always have the same MD5 hash: 3cebbe60d91ce760409bbe513593e401

     Currently, only Linux x86-64 is supported. It would be trivial to port this technique to other platforms, although each version would end up with a different MD5. It would also be possible to use a multi-platform polyglot file like APE.

     Example usage:

     $ python3 monomorph.py bin/monomorph.linux.x86-64.benign bin/monomorph.linux.x86-64.meterpreter sample_payloads/bin/linux.x64.meterpreter.bind_tcp.bin

     How does it work?

     For every bit we want to encode, a colliding MD5 block has been pre-calculated using FastColl. As summarised here, each collision gives us a pair of blocks that we can swap out without changing the overall MD5 hash. The loader checks which block was chosen at runtime, to decode the bit.

     To encode 4KB of data, we need to generate 4*1024*8 collisions (which takes a few hours), taking up 4MB of space in the final file.

     To speed this up, I made some small tweaks to FastColl to make it even faster in practice, enabling it to be run in parallel. I’m sure there are smarter ways to parallelise it, but my naive approach is to start N instances simultaneously and wait for the first one to complete, then kill all the others.

     Since I’ve already done the pre-computation, reconfiguring the payload can be done near-instantly. Swapping the state of the pre-computed blocks is done using a technique implemented by Ange Albertini.

     Is it detectable?

     Yes. It’s not very stealthy at all, nor does it try to be. You can detect the collision blocks using detectcoll.

     Download [Hidden Content]
  3. NimPackt is a Nim-based packer for .NET (C#) executables and shellcode targeting Windows. It automatically wraps the payload in a Nim binary that is compiled to Native C and as such harder to detect and reverse engineer. There are two main execution methods:
     • Execute-Assembly re-packs a .NET executable and runs it, optionally applying evasive measures such as API unhooking, AMSI patching, or disabling ETW.
     • Shinject takes a raw .bin file with raw, position-independent shellcode and executes it locally or in a remote process, optionally using direct syscalls to trigger the shellcode or patching API hooks to evade EDR.

     Currently, NimPackt has the following features.
     • Uses static syscalls to patch execute to evade EDR
     • Unhooks user-mode APIs for the spawned thread by refreshing NTDLL.dll using ShellyCoat
     • Patches Event Tracing for Windows (ETW)
     • Patches the Anti-Malware Scan Interface (AMSI)
     • AES-encrypts payload with a random key to prevent static analysis or fingerprinting
     • Compiles to exe or dll
     • Supports cross-platform compilation (from both Linux and Windows)
     • Integrates with CobaltStrike for ezpz payload generation 😎

     A great source for C#-based binaries for offensive tooling can be found here. It is highly recommended to compile the C# binaries yourself. Even though embedded binaries are encrypted, you should obfuscate sensitive binaries (such as Mimikatz) to lower the risk of detection.

     [Hidden Content]
  4. Open-Source Shellcode & PE Packer [Hidden Content]
  5. PE-Packer

     PE-Packer is a simple packer for Windows PE files. The new PE file after packing can obstruct the process of reverse engineering.

     It will do the following things when packing a PE file:
     • Transforming the original import table.
     • Encrypting sections.
     • Clearing section names.
     • Installing the shell-entry.

     When running a packed PE file, the shell-entry will decrypt and load the original program as follows:
     • Decrypting sections.
     • Initializing the original import table.
     • Relocation.

     Before packing, using some disassembly tools can disassemble the executable file to analyze the code, such as IDA Pro.

     [Hidden Content]
  6. [Hidden Content]
  7. Description

     BoxedApp Packer is a utility for compressing all software related files into one executable file. This tool is very useful for programmers. When writing software, various libraries and accessory files are usually used. Maybe not publishing a large number of ActiveX dll files or video, audio and video resources along with executable program files. You can easily import all these files into the BoxedApp Packer application and pack them inside the executable file. When the user opens the application file, all the requirements of the program are inside that single file.

     Using this tool will not affect the performance of the application. However, the speed of running the program is slightly reduced, which is not impressive. Also note that the number of files you inject into the main program file will increase the final volume of your program. Therefore, this method is only recommended for programs with low external dependencies. This is why heavy applications like Office and Photoshop do not use these tools as the final file size increases and more memory space is opened.

     Along with this package, there is also the BoxedApp Packer API as a programming interface and the BoxedApp SDK, which developers will have access to through a library of functions for virtualizing applications. For example, they can simulate file system, registry, and the like. Using these functions you can create a virtual file, define fake registry keys, and so on. This library is available for the C++, C#, VB.Net, VB6, Delphi, Builder C languages.

     Required system

     All the products of the BoxedApp family support both 32-bit and 64-bit environments. Supports all current versions of Windows, beginning with Windows 2000. BoxedApp Packer packs both 32-bit and 64-bit executable files. It can even pack 64-bit files on a 32-bit Windows system (and vice versa). BoxedApp does not have any special requirements for RAM or disk space.

     [Hidden Content]
  8. amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products and application white-listing mitigations. If you want to learn more about the packing methodology used inside amber check out below.

     New Features
     • x64 support added!
     • Support for MacOS and Windows (Currently supporting all major platforms)
     • Assembly stubs rewritten
     • External dependencies reduced to two
     • C++ stubs converted to go
     • All project converted into a go package

     [Hidden Content]
  9. What is BoxedApp Packer?

     Introduction

     BoxedApp Packer is a packer application for packing exe files, DLLs, ActiveXs and other files into a single executable file. You can place all libraries that the original exe file depends on, ActiveX controls, and just all kinds of files in it.

     The primary problem that BoxedApp Packer resolves is creating applications that don't require the installation. But, at the same time, you would be free to choose components for creating the application - you can use any third-party DLL, any ActiveX. Simply "tell" BoxedApp Packer which files the application depends on, and it will generate a self-sustaining exe file.

     An executable file made this way doesn't create temporary files on the disk, it doesn't modify the registry to ensure that all the embedded files run as if they were real. The embedded files are extracted directly to the memory, while ActiveX / COM libraries are registered in the virtual registry.

     Moreover, you can further expand the functionality of the obtained application by creating a plugin - a special DLL - for it. Plugins are called when the application starts or terminates. Plugins provide a special API - BoxedApp SDK, which allows creating virtual files "on the fly", working with the virtual registry, and a lot more. Thus, you can create truly flexible applications. For instance, your application, when it starts, could load necessary DLL over network or through the Internet and then use them as if they were really present on the disk.

     [Hidden Content]

     12/10/2018 December 2018 Version 2018.14
     FIX: improved building speed.

     [Hidden Content]

     Pass: level23hacktools.com
  10. RDG Packer Detector is a detector of packers, cryptors, compilers, packer scramblers, joiners and installers.

     + New signatures
     + Windows 7 compatible
     + Windows 8 compatible
     + Windows 10 compatible
     + Fewer false positives
     + Greater stability
     + 32/64-bit PE detection

     - Has a fast detection system.
     - Has a powerful detection system that analyzes the complete file, allowing multi-detection of packers in several cases.
     - Lets you create your own detection signatures.
     - Has a cryptographic analyzer.
     - Lets you calculate the checksum of a file.
     - Lets you calculate the entropy, reporting whether the analyzed program is compressed, encrypted or not.
     - Detector of the OEP (Original Entry Point) of a program.
     - You can check for and download signatures, so your RDG Packer Detector will always be up to date.
     - Plug-in loader.
     - Signature converter.
     - Detector of Entry Point fakers.
     - De-Binder, an extractor of attached files.
     - Improved heuristic system.

     [Hidden Content]