🦎 Prototypes on polymorphic, metamorphic and poly-metamorphic malware in Rust 🦎

Overview

chameleon-rs

Chameleons

Prototypes on polymorphic, metamorphic and poly-metamorphic malware in Rust.

Disclaimer

This project is for educational purposes only. It was made to get a better understanding of polymorphic and metamorphic code concepts.

Quartz and its members are not responsible for your usage of this project.

Acknowledgments

This project is inspired by the great work of the PoC Innovation team on the WhiteComet-Research project.

Go check their work as well as their other projects to learn more about innovative topics!

Introduction

A simple yet elegant technique for malware to evade signature-based anti-virus detection is to alter its own signature: the bytes of the binary that a scanner hashes or pattern-matches change on every run, while the behaviour stays the same.

There are several ways to achieve this:

  • Polymorphism: as the dedicated page on Wikipedia puts it, "the code changes itself every time it runs, but the function of the code (its semantics) will not change at all". In practice the body of the program is stored encrypted and is re-encrypted under a fresh key on each run, so only a small decryption stub stays constant between generations.

  • Metamorphism: the malware edits and rewrites its own code each time it is run. The semantics are preserved here too; what changes is the code itself, which is rewritten with equivalent instructions, reordered, or padded with junk. In its simplest form the rewrite inserts nothing but NOPs.

  • Poly-Metamorphism: combining both techniques, the malware rewrites its own code and then re-encrypts it under a fresh key each time it is run, so neither the encrypted body nor the decrypted code repeats between generations.
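The three strategies side by side, as an added example that is not part of chameleon-rs: a toy stack-machine bytecode plays the role of the malware body, a per-generation XOR key plays the role of the polymorphic encryption, and a small rewriter does the metamorphic work. The instruction set, the function names, the xorshift PRNG and the FNV-1a "signature" (standing in for sha256sum) are all assumptions made for this demo; a real prototype rewrites its own executable on disk, which this example deliberately avoids so it can run anywhere.

```rust
// Added example, not chameleon-rs code: a toy model of the three mutation strategies over a tiny
// stack-machine bytecode, with no crates. Assumed stand-ins: FNV-1a for sha256sum, xorshift64 for an RNG.

#[derive(Clone, Copy)]
pub enum Op { Push(u8), Add, Nop, Halt } // toy ISA: PUSH imm8, ADD, NOP, HALT
const PUSH: u8 = 0x01; const ADD: u8 = 0x02; const NOP: u8 = 0x90; const HALT: u8 = 0xFF;

pub fn assemble(ops: &[Op]) -> Vec<u8> {
    ops.iter().flat_map(|op| match *op {
        Op::Push(n) => vec![PUSH, n], Op::Add => vec![ADD], Op::Nop => vec![NOP], Op::Halt => vec![HALT],
    }).collect()
}

/// Decodes bytes back to instructions; None on an unknown opcode or a truncated PUSH.
pub fn disassemble(code: &[u8]) -> Option<Vec<Op>> {
    let (mut ops, mut i) = (Vec::new(), 0);
    while i < code.len() {
        ops.push(match code[i] {
            PUSH => { i += 1; Op::Push(*code.get(i)?) }
            ADD => Op::Add, NOP => Op::Nop, HALT => Op::Halt,
            _ => return None,
        });
        i += 1;
    }
    Some(ops)
}

/// Runs the program; returns the top of stack at HALT, None on underflow or a missing HALT.
pub fn run(code: &[u8]) -> Option<i64> {
    let mut stack: Vec<i64> = Vec::new();
    for op in disassemble(code)? {
        match op {
            Op::Push(n) => stack.push(i64::from(n)),
            Op::Add => { let (b, a) = (stack.pop()?, stack.pop()?); stack.push(a + b) }
            Op::Nop => {}
            Op::Halt => return stack.pop(),
        }
    }
    None
}

/// xorshift64: fine for picking keys and mutation sites in a demo, not a CSPRNG.
pub struct Rng(u64);
impl Rng {
    pub fn new(seed: u64) -> Self { Rng(seed.max(1)) } // xorshift must not start at zero
    pub fn below(&mut self, n: u64) -> u64 { // next value in 0..n, n > 0
        let mut x = self.0;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.0 = x;
        x % n
    }
}

/// FNV-1a 64 over the image: the "signature" a hash-based scanner would compare.
pub fn signature(bytes: &[u8]) -> u64 {
    bytes.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, &b| (h ^ u64::from(b)).wrapping_mul(0x100_0000_01b3))
}

// Polymorphism: the body is stored XOR-encrypted under a per-generation key (image[0]);
// only the tiny decryptor (poly_unpack) stays constant between generations.
pub fn poly_pack(payload: &[u8], key: u8) -> Vec<u8> {
    std::iter::once(key).chain(payload.iter().map(|b| b ^ key)).collect()
}
pub fn poly_unpack(image: &[u8]) -> Vec<u8> { // expects poly_pack output, i.e. at least the key byte
    image[1..].iter().map(|b| b ^ image[0]).collect()
}
pub fn poly_mutate(image: &[u8], rng: &mut Rng) -> Vec<u8> {
    let mut key = rng.below(256) as u8;
    while key == image[0] { key = rng.below(256) as u8 } // reject the old key: the bytes must change
    poly_pack(&poly_unpack(image), key)
}

// Metamorphism: rewrite the instructions themselves while keeping the behaviour identical.
pub fn meta_mutate(code: &[u8], rng: &mut Rng) -> Option<Vec<u8>> {
    let mut ops: Vec<Op> = Vec::new();
    for op in disassemble(code)? {
        let flip = rng.below(2) == 0; // one coin toss per instruction decides whether to rewrite it
        match op {
            Op::Nop => {} // strip last generation's junk so NOPs do not pile up across generations
            Op::Push(n) if flip => {
                // Expansion: PUSH n  =>  PUSH a ; PUSH (n - a) ; ADD, for a random split a.
                let a = rng.below(u64::from(n) + 1) as u8;
                ops.extend([Op::Push(a), Op::Push(n - a), Op::Add]);
            }
            other => ops.push(other),
        }
    }
    // Junk insertion: one NOP at a random position changes the bytes but not the result.
    let at = rng.below(ops.len().max(1) as u64) as usize;
    ops.insert(at, Op::Nop);
    Some(assemble(&ops))
}

// Poly-metamorphism: rewrite the code, then re-encrypt it under a fresh key.
pub fn polymeta_mutate(image: &[u8], rng: &mut Rng) -> Option<Vec<u8>> {
    let rewritten = meta_mutate(&poly_unpack(image), rng)?;
    Some(poly_pack(&rewritten, rng.below(256) as u8))
}

fn main() {
    let payload = assemble(&[Op::Push(40), Op::Push(2), Op::Add, Op::Halt]); // constructed: 40 + 2
    let (mut rng, mut image) = (Rng::new(0xC0FFEE), poly_pack(&payload, 0x5A));
    for gen in 0..5 {
        println!("gen {}: signature {:016x} result {:?}", gen, signature(&image), run(&poly_unpack(&image)));
        image = polymeta_mutate(&image, &mut rng).expect("well-formed program");
    }
}
```

Running it prints five generations whose signatures differ while the decoded program still evaluates to 42. Two details are what keep such a rewriter correct rather than merely plausible: the junk from the previous generation is stripped before new junk is inserted, so NOPs do not accumulate, and the re-key loop rejects the previous key, so a polymorphic generation is guaranteed to change on disk instead of only being likely to. Expansions still grow the body over time, which is why a fuller engine also carries the inverse rewrite (folding PUSH a; PUSH b; ADD back into PUSH a+b) so that code shrinks as often as it grows.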

In this project, chameleon-rs, we develop a prototype for each of the techniques described above (the polymorphic one is available; the other two are still in progress).

To make things more challenging, we used the Rust programming language, to show that such malware can be built with modern tooling and a large ecosystem of third-party libraries (the Rust crates).

Getting Started

To be able to test all the prototypes on every platform, we wrote a Dockerfile for a simple container that builds the binaries.

You can build and run it using the following commands:

docker build . -t chameleon-rs
docker run --rm -it chameleon-rs

Once in the container, execute the prototype as many times as you wish. In the following example, we compute the sha256 hash of the binary, which changes between executions because the program rewrites itself on disk:

# Initial binary hash.
sha256sum ./target/debug/polymorphic #549a821e28b6dd03e6d430852447d6f7b425f2e26da3eab49e044c86a53cf59b

# Execute the binary for the first time.
./target/debug/polymorphic

# New binary hash: the signature has changed.
sha256sum ./target/debug/polymorphic #e0479c6b7d2af8b5f6ccf55561e4ba400653450dccd8871f8b558fcf29fa1cb3

Polymorphic Malware

The sources for this prototype are available in the polymorphic folder.

Want to learn more about how it works? Check out the dedicated README file!

Metamorphic Malware

Coming soon!

Poly-Metamorphic Malware

Coming soon!

Conclusion

We learned a lot while developing these prototypes. Go on and take a look at the code, try to understand what it does and how it could be improved, and invent new ways to detect and prevent such attacks.

Authors

Made with 🔐 and ❤️ by the 🦎 at Quartz.


Comments
  • feat(polymorphic): remove code duplication

    Description

    This PR removes code duplication in the polymorphic malware prototype.

    Changes include

    • [ ] Bugfix (non-breaking change that solves an issue).
    • [ ] Hotfix (change that solves an urgent issue, and requires immediate attention).
    • [x] New feature (non-breaking change that adds functionality).
    • [ ] Breaking change (change that is not backwards-compatible and/or changes current functionality).
    • [ ] Documentation update (change added to any kind of documentation).

    Checklist

    • [x] I have assigned this PR to myself.
    • [ ] I have added at least 1 reviewer.
    • [x] I have added the relevant labels.
    • [ ] I have updated the official documentation.
    • [ ] I have added sufficient documentation in code.
    enhancement 
    opened by 0xpanoramix 0
  • docs: add project cover

    Description

    This PR adds a project cover image.

    Changes include

    • [ ] Bugfix (non-breaking change that solves an issue).
    • [ ] Hotfix (change that solves an urgent issue, and requires immediate attention).
    • [ ] New feature (non-breaking change that adds functionality).
    • [ ] Breaking change (change that is not backwards-compatible and/or changes current functionality).
    • [x] Documentation update (change added to any kind of documentation).

    Checklist

    • [x] I have assigned this PR to myself.
    • [ ] I have added at least 1 reviewer.
    • [x] I have added the relevant labels.
    • [x] I have updated the official documentation.
    • [ ] I have added sufficient documentation in code.
    documentation 
    opened by 0xpanoramix 0
  • feat: add polymorphic prototype

    Description

    This PR adds the sources and general documentation about the polymorphic malware prototype.

    Changes include

    • [ ] Bugfix (non-breaking change that solves an issue).
    • [ ] Hotfix (change that solves an urgent issue, and requires immediate attention).
    • [x] New feature (non-breaking change that adds functionality).
    • [ ] Breaking change (change that is not backwards-compatible and/or changes current functionality).
    • [ ] Documentation update (change added to any kind of documentation).

    Checklist

    • [x] I have assigned this PR to myself.
    • [ ] I have added at least 1 reviewer.
    • [x] I have added the relevant labels.
    • [x] I have updated the official documentation.
    • [ ] I have added sufficient documentation in code.

    Testing

    • [ ] I have tested this code with the official test suite.
    • [x] I have tested this code manually.

    Manual tests

    As explained in the main README file.

    enhancement 
    opened by 0xpanoramix 0
  • ✨ Add code documentation for polymorphic malware

    🎯 Target

    Who is affected by this feature?

    This feature has an impact on the people exploring the code of the polymorphic malware prototype.

    📝 Description

    Describe here what the feature is.

    This feature consists of documenting the code "line-by-line" by providing more context on what is being done and why it matters in the context of this malware obfuscation technique specifically.

    🧪 Consequence

    How this feature will improve the project.

    This feature will improve the project by helping newcomers to understand the concepts of polymorphic code easily and faster.

    ⚠️ DoD

    Describe what steps are required to complete this feature.

    • [ ] Add documentation in the polymorphic code.
    documentation enhancement 
    opened by 0xpanoramix 0
Owner
Quartz Technology
Just a few friends building tech projects.
Quartz Technology