Reverse Engineering
Our efforts in Reverse engineering aids in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.
Our efforts in Reverse engineering aids in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.
Our focus in malware research involves dissecting and understanding the operation of malicious software. By documenting their behavior and impact, we provide crucial insights that aid in devising effective defensive strategies, contributing to a better understanding and stronger defense against emerging cyber threats.
We offer penetration testing services, identifying vulnerabilities by simulating real-world attacks on your digital infrastructure. Our process uncovers potential threats, providing actionable insights for improved security measures, ensuring robust defense and resilience for your business operations.
Our involvement in open-source focuses on offensive security techniques and tools. We utilize and contribute to community-driven projects. This collaborative approach promotes innovative solutions, ultimately strengthening defense against evolving cyber threats.
GitHub Profile Showcasing Our Open-Source Projects, Proof of Concept (POCs) and Snippets related to Malware and Offensive Security.
MoreMalware Museum: Showcasing the Most Impactful Malware from the 1990s to the Early 2000s. Get Ready to Journey Back to the Golden Age of Malware.
MoreMedium Account Showcasing Our High-Quality Articles focusing on Malware Research, General Information Security and Programming.
MoreComprehensive C# Project to Understand the Concept of Malware Command and Control (C2) Using FTP as a Communication Channel.
MoreOpen-Source Application for Comprehensive Search and Exploration of Windows DLL Exported Functions for Malware Research and Analysis.
MoreComplete and Optimized Remote Desktop Application Entirely Coded in PowerShell (Multi-Screen, Keyboard Sync, Mouse Sync, Clipboard Sync, and More)
MoreSecure remote desktop application for Microsoft Windows entirely written in PowerShell for the server and a cross-platform client.
MoreComprehensive Search Engine for Malware Evasion Techniques (Documentation, Code Snippets, YARA Rules, and More)
MoreVersion 6 of Unprotect has just been released, packed with numerous enhancements! This update includes an improved user experience, various bug fixes, improved performance and code optimizations. The most expected feature in this release is the introduction of Unprotect Scan, which in its initial version matches uploaded samples against YARA rules to detect and match with existing evasion techniques.
1 week ago
A bind shell option was added to redirect stdin, stdout, and stderr of the spawned interactive system process. A bind shell is a type of shell where the target machine listens on a specific port, waiting for an incoming connection from an attacker. Once the attacker connects to this port, they gain command-line access to the target system, allowing them to execute commands remotely.
1 month ago
This version includes global improvements to the code, structure, and logic. The most notable addition is support for input/output redirection through reverse shell, allowing interaction with an interactive spawned process without needing access to the desktop (e.g., via SSH or WinRM).
1 month, 1 week ago
CTRL + [A-Z]
keyboard shortcuts were not functioning properly. Shortcuts are now correctly processed.ESC
on the connection window now closes the application. Pressing ENTER
or RETURN
starts the connection process immediately.Windows x86-64 executable is now available, making Arcane Viewer deployment even easier.
1 month, 3 weeks ago
SYSTEM
user. You can use PsExec
or PowerRunAsSystem
to achieve this. This feature is crucial for logging into a remote user account when the session is locked or for accepting or rejecting UAC prompts.SendInput
for simulating both individual key inputs and shortcuts. This transition offers several advantages: it supports a broader range of applications and windows (all) and it simplifies the detection and switching of Secure Desktop updates.CTRL+[A-Z]
and ALT+[F1-F16]
. The Windows key (Meta Key) is also supported. The shortcut for locking the workstation, WIN + L
, has been added.2 months ago
Arcane Protocol Update: The protocol has been upgraded to version 5.0.2, bringing support for several server improvements, including dynamic display resolution updates, HDPI settings changes, and Secure Desktop support for Remote Desktop Streaming and Input (Mouse, Keyboard, Clipboard).
2 months ago
This release focuses on improving the code structure through extensive refactoring and resolving infrequent bugs caused by previously unhandled edge cases. Type hinting has been fully implemented, and the code is now nearly ready for production deployment.
2 months, 4 weeks ago
Arcane 1.0.4 has been released with support for reciprocal clipboard synchronization between the server and client. Users can now configure clipboard synchronization strategies, including Receive Only, Send Only, Bidirectional, and Disabled modes. Additionally, this update includes several minor improvements.
3 months ago
Arcane 1.0.3 (Beta) PowerShell Full-fledged Remote Desktop has been released and now support server-certificate fingerprint validation with an option to remember your choice. Options window has been added to at the moment handle some remote desktop streaming settings and manage the trusted server fingerprints (Add, Edit, Remove)
Full Change log:
3 months, 1 week ago
3 months, 2 weeks ago
A new article has been published on Medium that delves into what Arcane is, providing a detailed explanation of how it works and why it stands out from typical remote desktop applications.
The article not only covers the installation process but also provides a comprehensive guide on how to use Arcane. It walks you through both the automated, recommended installation method as well as the manual method, which includes instructions on how to build your own version and install it.
3 months, 2 weeks ago
Arcane, formerly known as PowerRemoteDesktop, is a unique remote control application distinguished by its server being entirely coded in PowerShell. It is currently the only remote desktop application with this characteristic. The project was renamed to Arcane to give it a more distinctive identity, moving away from the generic nature of its former name. This rebranding also coincided with a major rewrite of the viewer component.
While the server remains fully written in PowerShell, the viewer has been rewritten in Python, making it cross-platform. The transition to using Qt (PyQt6) as the graphical engine has further enhanced its usability and compatibility across different operating systems.
The features of Arcane are consistent with the latest version of PowerRemoteDesktop. However, the viewer is now more stable, user-friendly, and supports multiple platforms. Future updates will focus on expanding features as the viewer's stability is further refined through testing. I plan to introduce new functionalities once I'm confident in the viewer's stability accros different platforms.
3 months, 2 weeks ago
We are excited to announce the release of DLest v3.0! This major update brings a host of performance enhancements, user interface improvements, and powerful new features including:
Process Spy: Debug processes to monitor DLL Load events in real-time. File Hash Tools: Easily generate and compare file hashes. Enumeration of Lone Ordinals: Identify and analyze anonymous functions with improved accuracy. Enhanced Filtering System: Experience a more robust and intuitive export filtering system.
5 months, 1 week ago
In this second article, we demonstrates how malware authors exploit Microsoft Windows application resources as malicious vectors to either store their dynamic configuration or additional payloads. The focus is on the Windows API, but it also details some aspects of the PE (Portable Executable) header, allowing for manual inspection and manipulation of resources.
6 months ago
Welcome to the grand opening of Malware Gallery 1.0! We're excited to announce several new features that have been added since the beta version. One significant addition is the Archive mode, which expose a comprehensive database referencing over 10,000 malware and hack tool entries. This archive is compiled from a partial reconstruction of Mega Security's data spanning from 1998 to 2010.
But that's not all! We're dedicated to continuously updating our collection with new families and releases. Stay in the loop by subscribing to our RSS feed or following us on our social media channels to ensure you never miss a single update.
8 months ago
In this new series of articles, we're looking at how malware authors deal with spreading their work, especially when they keep the source code secret. Malware configuration is key because it lets its malicious users to change settings to suit their needs. The first article will focus on a method called EOF, also known as PE Overlay, to show how it's used to store and read malware configuration.
9 months, 1 week ago
A new Unprotect evasion technique has been added, showcasing a sophisticated evasion technique named FuncIn with a working open-source demo. In short, FuncIn employs a payload staging strategy, diverging from the conventional method where all malicious functionalities are embedded within the malware file or stored in a third-party file/network location, such as a web server. Rather, with FuncIn, these functionalities are transmitted over the network selectively, triggered by the Command and Control (C2) server as needed.
11 months, 1 week ago
Here is a short example demonstrating the reflective loading of a Dynamic Link Library (DLL) into memory, whether sourced from disk or memory (supporting streams). This approach supports both 32-bit (PE) and 64-bit (PE+) DLLs. The technique enables the loading of exported functions either by their ordinal value or by the exported function name.
11 months, 4 weeks ago
In this latest installment of our "Malware Retrospective" series, we shift our lens to PrjRAPTOR, a lesser-known Remote Access Trojan that made its mark around 2008-2009, closing out the golden era of Trojan development before the focus shifted to profit-driven cybercrime. Our exclusive interview with its creator, "Ryan," provides invaluable insights into the Trojan's unique interface, development, and impact on the scene. This exploration offers a rare chance to connect with key figures who laid the groundwork for modern malware, enriching our understanding of this intricate landscape.
1 year, 2 months ago
Introducing "The Malware Gallery" - Your interactive, living museum showcasing the most notorious trojans and malware from past decades. Now in its beta phase, this ever-evolving collection is set to expand, so stay tuned for updates!
There are two primary motivations behind the project: First, it serves as a homage to the ingenious, albeit malicious, software creations that inspired many of us, myself included, to pursue a career in cybersecurity. These "pieces of art" so to speak, have played a pivotal role in shaping the trajectory of my professional life.
Second, it's an educational resource for newcomers to the field. Understanding the history of malware is essential for comprehending the complexities of today's cybersecurity landscape. For those who didn't grow up exposed to these early examples, The Malware Gallery offers a rare glimpse into the origins of cyber threats, enriching your knowledge.
Additionally, this project complements my recent article series, "Malware Retrospective" adding a layer of depth and reciprocity to the topics covered.
1 year, 2 months ago