Reverse Engineering

Our efforts in reverse engineering aid in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.

Malware Research

Our focus in malware research involves dissecting and understanding the operation of malicious software. By documenting their behavior and impact, we provide crucial insights that aid in devising effective defensive strategies, contributing to a better understanding and stronger defense against emerging cyber threats.

Penetration Testing

We offer penetration testing services, identifying vulnerabilities by simulating real-world attacks on your digital infrastructure. Our process uncovers potential threats, providing actionable insights for improved security measures, ensuring robust defense and resilience for your business operations.

Open-Source

Our involvement in open-source focuses on offensive security techniques and tools. We utilize and contribute to community-driven projects. This collaborative approach promotes innovative solutions, ultimately strengthening defense against evolving cyber threats.


Latest Events

Version 6 of Unprotect has just been released, packed with numerous enhancements! This update includes an improved user experience, various bug fixes, improved performance and code optimizations. The most expected feature in this release is the introduction of Unprotect Scan, which in its initial version matches uploaded samples against YARA rules to detect and match with existing evasion techniques.

1 week ago

A bind shell option was added to redirect stdin, stdout, and stderr of the spawned interactive system process. A bind shell is a type of shell where the target machine listens on a specific port, waiting for an incoming connection from an attacker. Once the attacker connects to this port, they gain command-line access to the target system, allowing them to execute commands remotely.

1 month ago

This version includes global improvements to the code, structure, and logic. The most notable addition is support for input/output redirection through reverse shell, allowing interaction with an interactive spawned process without needing access to the desktop (e.g., via SSH or WinRM).

1 month, 1 week ago

  • Mouse Positioning Fix: Resolved an issue where the mouse position was incorrect when the remote desktop is smaller than the local desktop in mirror mode. The mouse is now accurately positioned across screens of different sizes.
  • CTRL+[A-Z] Shortcut Fix for Windows: Fixed a bug on the Windows client where CTRL + [A-Z] keyboard shortcuts were not functioning properly. Shortcuts are now correctly processed.
  • Connection Window Enhancements: Pressing ESC on the connection window now closes the application. Pressing ENTER or RETURN starts the connection process immediately.

Windows x86-64 executable is now available, making Arcane Viewer deployment even easier.

1 month, 3 weeks ago

  • Dynamic Resolution/Scaling Update Support: When the remote display resolution or HDPI scaling settings change, the viewer is notified and automatically updates the current window to accommodate the new display constraints.
  • Secure Desktop (Automatic Desktop Context Switching) is now fully supported for both Desktop Streaming and Input (Keyboard, Mouse, Outgoing Clipboard). To capture Secure Desktop, Arcane Server must be run as an Interactive SYSTEM user. You can use PsExec or PowerRunAsSystem to achieve this. This feature is crucial for logging into a remote user account when the session is locked or for accepting or rejecting UAC prompts.
  • Keyboard Simulation Enhancement: Keyboard simulation has been improved by moving from .NET to the pure Windows API SendInput for simulating both individual key inputs and shortcuts. This transition offers several advantages: it supports a broader range of applications and windows (all) and it simplifies the detection and switching of Secure Desktop updates.
  • New Shortcuts Supported: Arcane now supports additional keyboard shortcuts, including CTRL+[A-Z] and ALT+[F1-F16]. The Windows key (Meta Key) is also supported. The shortcut for locking the workstation, WIN + L, has been added.
  • Optimizations and Enhancements: This update includes multiple optimizations, cleaner code, and improved presentation mode handling. In presentation mode (view only), event threads are no longer required for both the viewer and the server.

2 months ago

Arcane Protocol Update: The protocol has been upgraded to version 5.0.2, bringing support for several server improvements, including dynamic display resolution updates, HDPI settings changes, and Secure Desktop support for Remote Desktop Streaming and Input (Mouse, Keyboard, Clipboard).

2 months ago

This release focuses on improving the code structure through extensive refactoring and resolving infrequent bugs caused by previously unhandled edge cases. Type hinting has been fully implemented, and the code is now nearly ready for production deployment.

2 months, 4 weeks ago

Arcane 1.0.4 has been released with support for reciprocal clipboard synchronization between the server and client. Users can now configure clipboard synchronization strategies, including Receive Only, Send Only, Bidirectional, and Disabled modes. Additionally, this update includes several minor improvements.

3 months ago

Arcane 1.0.3 (Beta), the PowerShell full-fledged Remote Desktop, has been released and now supports server-certificate fingerprint validation with an option to remember your choice. An Options window has been added which, for the moment, handles some remote desktop streaming settings and manages the trusted server fingerprints (Add, Edit, Remove).

Full Change log:

  • The connection window interface has been streamlined, with additional options now accessible in a dedicated settings window.
  • Server certificate validation has been introduced. When connecting to a server for the first time, users will be prompted to trust the certificate and can choose to remember their decision.
  • A new settings window has been implemented, offering support for additional remote desktop parameters and managing trusted server certificates, including options to add, edit, and remove certificates.
  • Various code refactoring and structural improvements have been made to enhance the overall performance and maintainability of the application.

3 months, 1 week ago

  • The issue of the Arcane Viewer Virtual Desktop Window freezing when manually closing the connection with Remote Desktop has now been fixed.
  • The Arcane Viewer Virtual Desktop Window now has an icon on the taskbar.
  • HDPI and scaling support have been improved.
  • Arcane Viewer Virtual Desktop Window placement has been improved.

3 months, 2 weeks ago

A new article has been published on Medium that delves into what Arcane is, providing a detailed explanation of how it works and why it stands out from typical remote desktop applications.

The article not only covers the installation process but also provides a comprehensive guide on how to use Arcane. It walks you through both the automated, recommended installation method as well as the manual method, which includes instructions on how to build your own version and install it.

3 months, 2 weeks ago

Arcane, formerly known as PowerRemoteDesktop, is a unique remote control application distinguished by its server being entirely coded in PowerShell. It is currently the only remote desktop application with this characteristic. The project was renamed to Arcane to give it a more distinctive identity, moving away from the generic nature of its former name. This rebranding also coincided with a major rewrite of the viewer component.

While the server remains fully written in PowerShell, the viewer has been rewritten in Python, making it cross-platform. The transition to using Qt (PyQt6) as the graphical engine has further enhanced its usability and compatibility across different operating systems.

The features of Arcane are consistent with the latest version of PowerRemoteDesktop. However, the viewer is now more stable, user-friendly, and supports multiple platforms. Future updates will focus on expanding features as the viewer's stability is further refined through testing. I plan to introduce new functionalities once I'm confident in the viewer's stability across different platforms.

3 months, 2 weeks ago

We are excited to announce the release of DLest v3.0! This major update brings a host of performance enhancements, user interface improvements, and powerful new features including:

  • Process Spy: Debug processes to monitor DLL Load events in real-time.
  • File Hash Tools: Easily generate and compare file hashes.
  • Enumeration of Lone Ordinals: Identify and analyze anonymous functions with improved accuracy.
  • Enhanced Filtering System: Experience a more robust and intuitive export filtering system.

5 months, 1 week ago

In this second article, we demonstrate how malware authors exploit Microsoft Windows application resources as malicious vectors to either store their dynamic configuration or additional payloads. The focus is on the Windows API, but it also details some aspects of the PE (Portable Executable) header, allowing for manual inspection and manipulation of resources.

6 months ago

Welcome to the grand opening of Malware Gallery 1.0! We're excited to announce several new features that have been added since the beta version. One significant addition is the Archive mode, which exposes a comprehensive database referencing over 10,000 malware and hack tool entries. This archive is compiled from a partial reconstruction of Mega Security's data spanning from 1998 to 2010.

But that's not all! We're dedicated to continuously updating our collection with new families and releases. Stay in the loop by subscribing to our RSS feed or following us on our social media channels to ensure you never miss a single update.

8 months ago

In this new series of articles, we're looking at how malware authors deal with spreading their work, especially when they keep the source code secret. Malware configuration is key because it lets its malicious users change settings to suit their needs. The first article will focus on a method called EOF, also known as PE Overlay, to show how it's used to store and read malware configuration.

9 months, 1 week ago

A new Unprotect evasion technique has been added, showcasing a sophisticated evasion technique named FuncIn with a working open-source demo. In short, FuncIn employs a payload staging strategy, diverging from the conventional method where all malicious functionalities are embedded within the malware file or stored in a third-party file/network location, such as a web server. Rather, with FuncIn, these functionalities are transmitted over the network selectively, triggered by the Command and Control (C2) server as needed.

11 months, 1 week ago

Here is a short example demonstrating the reflective loading of a Dynamic Link Library (DLL) into memory, whether sourced from disk or memory (supporting streams). This approach supports both 32-bit (PE) and 64-bit (PE+) DLLs. The technique enables the loading of exported functions either by their ordinal value or by the exported function name.

11 months, 4 weeks ago

In this latest installment of our "Malware Retrospective" series, we shift our lens to PrjRAPTOR, a lesser-known Remote Access Trojan that made its mark around 2008-2009, closing out the golden era of Trojan development before the focus shifted to profit-driven cybercrime. Our exclusive interview with its creator, "Ryan," provides invaluable insights into the Trojan's unique interface, development, and impact on the scene. This exploration offers a rare chance to connect with key figures who laid the groundwork for modern malware, enriching our understanding of this intricate landscape.

1 year, 2 months ago

Introducing "The Malware Gallery" - Your interactive, living museum showcasing the most notorious trojans and malware from past decades. Now in its beta phase, this ever-evolving collection is set to expand, so stay tuned for updates!

There are two primary motivations behind the project: First, it serves as a homage to the ingenious, albeit malicious, software creations that inspired many of us, myself included, to pursue a career in cybersecurity. These "pieces of art" so to speak, have played a pivotal role in shaping the trajectory of my professional life.

Second, it's an educational resource for newcomers to the field. Understanding the history of malware is essential for comprehending the complexities of today's cybersecurity landscape. For those who didn't grow up exposed to these early examples, The Malware Gallery offers a rare glimpse into the origins of cyber threats, enriching your knowledge.

Additionally, this project complements my recent article series, "Malware Retrospective" adding a layer of depth and reciprocity to the topics covered.

1 year, 2 months ago