|
1 | 1 | # Win32.Nebula
|
2 |
| -Nebula is a \[**P**\]acked and \[**P**\]rotected \[**M**\]odule \[**L**\]oader. (**PPML**)\ |
3 |
| -Named after a space phenomenon that describes a interstellar cloud\ |
4 |
| -(its internally still refered to as _rift or rift as this was the original Name) |
5 |
| - |
6 |
| -Nebula aims to be able to launch a payload of choice in a protected environment hidden from the eyes of a user.\ |
7 |
| -It tries to achive this by using many well know malware techniques and even some less know ones.\ |
8 |
| -Im planning to add a lot more features to this even stuff outside of the original intentions such as a PE-File infector. |
| 2 | +Nebula is a **P**acked and **P**rotected **M**odule **L**oader. (**PPML**)\ |
| 3 | +Named after a space phenomenon that describes a interstellar cloud.\ |
| 4 | +(it may internally still be refered to as _rift or rift) |
| 5 | + |
| 6 | +Nebula aims to be able to launch a payload of choice in a protected environment.\ |
| 7 | +It tries to achive this by using various techniques used to obfuscated and protect code,\ |
| 8 | +these include well known tricks commonly used in e.g. malware, anticheats and others.\ |
| 9 | +It serves as an absolute base and will provide a small framework through an SDK and API.\ |
| 10 | +This Framwork will have basic functionality in order to control the loader from a payload,\ |
| 11 | +but will be extensible through a dynamic service interface allowing extenstions, |
| 12 | +that can be attached to Nebula, to allow registering functions that the payload may use. |
9 | 13 |
|
10 | 14 | This project is currently in development and currently serves as a POC or template to build onto.\
|
11 |
| -In the future this could be build out into a fully fletched "basic"-protector. |
| 15 | +In the future this could be build out into a fully fledged "basic"-protector. |
12 | 16 |
|
13 | 17 | ## Components:
|
14 |
| -- **riftldr:**\ |
15 |
| - Main executable containing the Core-Loader (S1 & S2) and its packed resources, |
16 |
| - as well as many other features and services. |
17 |
| - |
18 |
| -- **riftbld:**\ |
19 |
| - Build utility used to compress/encrypt, |
20 |
| - obfuscate internal data, patch Nebula and more.\ |
21 |
| - what will be featured in her only depends on what i plan to add in riftldr itself |
22 |
| - |
23 |
| - |
24 |
| -- **riftrk:**\ |
25 |
| - The rootKit dll that will primarily hide processes, files and maybe more. |
26 |
| - |
27 |
| -## Feature List: |
28 |
| -Note: Some of them have not been implmented yet... |
29 |
| - |
30 |
| -- Usermode Rootkit: |
31 |
| - - hide processes |
32 |
| - - hide files |
33 |
| - - hide registry |
34 |
| - - limit access to specific Handles |
35 |
| - |
36 |
| -- Anti Reverse-Engineering: |
37 |
| - - Anti analysis |
38 |
| - - Anti debugging |
39 |
| - - basic anti module injection |
40 |
| - - Binary integrity checks |
41 |
| - - Self decryption/decompression |
42 |
| - - Self monitoring |
43 |
| - |
44 |
| -General: |
45 |
| -- Function obfuscation |
46 |
| -- String and resource encryption |
47 |
| -- Resource compression |
48 |
| -- Manualmapping for modules and remote processes |
49 |
| -- PE-File infection |
50 |
| -- Process hollowing |
51 |
| -- Threadhijacking |
52 |
| - |
53 |
| -more to come or to be added to the list... |
| 18 | +Nebula is mainly split into 2 components, the base (loader) and its builder utility.\ |
| 19 | +- The loader can/will be shiped in 2 forms, |
| 20 | + either as a standalone executable which will be prepacked |
| 21 | + and will require the payload to be in a dll like form specifically made to respond to the laoder. |
| 22 | + The builder would be responsible to attach this payload to teh loader binary.\ |
| 23 | + Or as a static lib which could be linked into a payload executable by setting it up to be the entrypoint, |
| 24 | + the builder would later finalize the image by obfuscating the rest and properly linking up the functions. |
| 25 | + |
| 26 | +- The builder that is responsible for patching, crypting, packing and generally messing with binaries.\ |
| 27 | + It provides the interface for modifying images used by the loader or the loader itself.\ |
| 28 | + It serves as a tool to finalize the binary into and turn it into a proper executable image. |
54 | 29 |
|
55 | 30 | ## Disclaimer:
|
56 |
| -**Im aware that this is totaly malware or could be used for malware.\ |
57 |
| -It is not meant to be used with malicous intends |
58 |
| -and should only serve as a learning resource, |
59 |
| -demonstration or proof of concept (PoC).** |
| 31 | +**Im totally aware that this could be used for malware.**\ |
| 32 | +It is not meant to be used for malicous intends and should only serve as a learning resource, |
| 33 | +demonstration or proof of concept (PoC). |
60 | 34 |
|
61 | 35 | **I do not encourage the spreading of malware for several obvious reasons.\
|
62 | 36 | ! THE CREATOR IS NOT RESPONSIBLE FOR ANYTHING DONE USING THIS SOFTWARE !**
|
63 | 37 |
|
64 | 38 | ### Why did I decide to make this public then ?
|
65 |
| -The reason is the same as why you can find alot of open source projects that could be used for malicous purposes.\ |
66 |
| -Or why you can find books about how Rootkits work and how to build them, as well as other stuff. |
| 39 | +The reason is the same as why you can find alot of other open source projects that could be used for malicous purposes.\ |
| 40 | +Or why you can find books about how rootkits work and how to build them, as well as other stuff. |
67 | 41 |
|
68 | 42 | It serves as a learning resource and most of the techniques contained are already publicly optainable,\
|
69 | 43 | the actual bad guys already have all the knowledge if not even more...
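Review bot: the rewritten Components section (new lines 18-28) drops the riftrk rootkit component and the whole Feature List (usermode rootkit, anti reverse-engineering, manual mapping, process hollowing, thread hijacking) without replacing them, yet the Disclaimer and "Why did I decide to make this public then ?" sections that follow still justify publication by pointing at rootkit literature; either keep a short feature overview in the new text or adjust the later sections so the README stays self-consistent. The added lines also carry several spelling errors worth fixing before merge: "shiped", "laoder", "teh loader", "achive", "refered", "Framwork", "extenstions", "a interstellar", "obfuscated and protect code" (should read "obfuscate and protect"), "malicous intends" (present in both old and new text), "alot", and "optainable". New line 21, "in a dll like form specifically made to respond to the laoder", would be clearer as "in a DLL-like form built against the loader's API", which also ties it to the SDK/API sentence added on new line 9.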
|