Wednesday, January 31, 2024
Sunday, January 28, 2024
Fhex - A Full-Featured HexEditor
This project was born with the aim of developing a lightweight but useful tool, because the existing hex editors each have their own limitations (e.g. too many dependencies, missing hex coloring features, etc.).
This project is based on qhexedit2 and on the capstone and keystone engines. New features could be added in the future; PRs are welcome.
Features
- Chunks loader - Used to load only a portion of a large file without exhausting memory (use ALT + left/right arrows to move among chunks). Please note that in chunk mode all operations (e.g. search) apply only to the current chunk, except for file save (the entire file is saved). However, each time you edit a chunk, save it before moving to another chunk, otherwise you will lose your changes.
- Search and replace (UTF-8, HEX, regex, reverse search supported) [CTRL + F]
- Colored output (white spaces, ASCII characters, 0xFF, UTF-8 and NULL bytes have different colors)
- Interpret selected bytes as integer, long, unsigned long [CTRL + B]
- Copy & Paste [CTRL + C and CTRL + V]
- Copy selected unicode characters [CTRL + Space]
- Zeroing all the selected bytes [Delete or CTRL + D]
- Undo & Redo [CTRL + Z and CTRL + Y]
- Drag & Drop (Hint: Drag & Drop two files to diff them)
- Overwrite the same file or create a new one [CTRL + S]
- Goto offset [CTRL + G]
- Insert mode, in order to insert new bytes instead of overwriting the existing ones [INS]
- Create new instances [CTRL + N]
- Basic text viewer for the selected text [CTRL + T]
- Reload the current file [F5]
- Compare two different files at byte level
- Browsable Binary Chart (see later for details) [F1]
- Hex - Dec number converter [F2]
- Hex String escaper (e.g. from 010203 to \x01\x02\x03) [F3]
- Pattern Matching Engine (see later for details)
- Disassembler based on Capstone Engine [F4]
- Assembler based on Keystone Engine [F4]
- Zoom-Out/Zoom-In bytes view (CTRL + Up/Down or CTRL + -/+)
- Shortcuts for all these features
Fhex can load a configuration file at startup (from ~/fhex/config.json) in JSON format with a list of strings or bytes to highlight and a comment/label to add next to the matches.
Examples:
{
    "PatternMatching":
    [
        {
            "string" : "://www.",
            "color" : "rgba(250,200,200,50)",
            "message" : "Found url"
        },
        {
            "bytes" : "414243",
            "color" : "rgba(250,200,200,50)",
            "message" : "Found ABC"
        }
    ]
}
To activate pattern matching press CTRL + P.
At the end, Fhex will also show an offset list with all the result references. Note: labels with comments are added only if the window is maximized; if labels are not displayed correctly, please try to run pattern matching again.
Fhex can chart the loaded binary file (Note: in order to compile the project, you now also need qt5-charts installed on the system). The y-axis range is between 0 and 255 (0x0 to 0xff in hex, i.e. the byte values). The x-axis range is between 0 and the file size.
The chart plots the byte values of the binary file and lets you focus only on the relevant sections. For example, if a binary file contains an area full of null bytes, you can easily spot it in the chart.
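As an added example (not Fhex's own code), here is a small Python model of the two features described above: it loads the same PatternMatching configuration shape, produces the offset list for every match over a sample file, and locates the long NULL-byte regions that the binary chart shows as a flat line at zero. The sample bytes and the 16-byte null-run threshold are constructed assumptions.

```python
import json
import re
from typing import List, Tuple

# Constructed config in the same shape as the ~/fhex/config.json example above.
CONFIG_JSON = """
{
  "PatternMatching": [
    {"string": "://www.", "color": "rgba(250,200,200,50)", "message": "Found url"},
    {"bytes": "414243",   "color": "rgba(250,200,200,50)", "message": "Found ABC"}
  ]
}
"""


def load_patterns(config_text: str) -> List[Tuple[bytes, str]]:
    """Turn each PatternMatching entry into (needle, message).
    "string" entries match as UTF-8 text, "bytes" entries as raw hex."""
    cfg = json.loads(config_text)
    needles = []
    for entry in cfg["PatternMatching"]:
        if "string" in entry:
            needle = entry["string"].encode("utf-8")
        elif "bytes" in entry:
            needle = bytes.fromhex(entry["bytes"])
        else:
            raise ValueError(f"entry has neither 'string' nor 'bytes': {entry}")
        needles.append((needle, entry.get("message", "")))
    return needles


def find_matches(data: bytes, needles: List[Tuple[bytes, str]]) -> List[Tuple[int, str]]:
    """Return (offset, message) for every occurrence, overlapping ones included,
    sorted by offset: the same information as Fhex's result offset list."""
    hits = []
    for needle, message in needles:
        start = 0
        while (idx := data.find(needle, start)) >= 0:
            hits.append((idx, message))
            start = idx + 1
    return sorted(hits)


def null_runs(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """(start, end) of every run of at least min_len NULL bytes: the regions
    that show up on the binary chart as a flat line at y = 0."""
    return [(m.start(), m.end()) for m in re.finditer(rb"\x00{%d,}" % min_len, data)]


# Constructed sample "binary": a tiny header, a URL, a null padding area, then ABC twice.
SAMPLE = b"MZ\x90\x00" + b"http://www.example.test" + b"\x00" * 32 + b"xABCABC" + b"\x01"

if __name__ == "__main__":
    for offset, message in find_matches(SAMPLE, load_patterns(CONFIG_JSON)):
        print(f"0x{offset:08x}  {message}")
    for start, end in null_runs(SAMPLE):
        print(f"null region 0x{start:08x}-0x{end:08x}")
```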
License: GPL-3
EXOCET - AV-evading, Undetectable, Payload Delivery Tool
EXOCET is superior to Metasploit's "Evasive Payloads" modules because EXOCET uses AES-256 in GCM mode (Galois/Counter Mode), while Metasploit's Evasion Payloads use an easy-to-detect RC4 encryption. RC4 can decrypt faster, but with AES-256 it is much more difficult to ascertain the intent of the malware.
However, it is possible to use Metasploit to build an Evasive Payload and then chain it with EXOCET: EXOCET decrypts via AES-256, and then the Metasploit Evasive Payload decrypts itself from RC4.
Much like my previous project, DarkLordObama, this toolkit is designed to be a delivery/launch vehicle, much like Veil-Evasion.
However, EXOCET is not limited to a single codebase or to platforms running Python. EXOCET works on ALL platforms and architectures that Go supports.
Exocet Overview
EXOCET is effectively a crypter-type malware dropper that can recycle easily detectable payloads like WannaCry, encrypt them using AES-GCM (Galois/Counter Mode), which is more secure than AES-CBC, and then create a dropper file for the majority of architectures and platforms out there.
Basically...
- It ingests dangerous malware that is now detectable by antivirus engines
- It then encrypts it and produces its own Go file
- That Go file can then be cross-compiled to 99% of known architectures
- Upon execution, the encrypted payload is written to disk and immediately executed on the command line
- Alternatively, instead of a file drop, it executes the reconstituted shellcode in memory using amenzhinsky's go-memexec module (github.com/amenzhinsky/go-memexec)
- A custom shellcode executor is in the works: it takes ordinary C shellcode and, after num-transform, runs it by creating a new process after allocating the correct virtual address space and granting it RWX permissions on Windows
That means 32-bit, and 64-bit architectures, and it works on Linux, Windows, Macs, Unix, Android, iPhone, etc. You take, anything, and I mean ANYTHING, like the 1988 Morris Worm that nearly brought down the internet (which exploited a flaw in the fingerd listener daemon on UNIX), and make it a viable cyberweapon again.
EXOCET is designed to be used with the DSX Program, or the "Cyber Metal Gear" as I envisioned it. Being able to launch and proliferate dangerous malware without a traceable launch trail.
EXOCET is written entirely in Go.
How to use
EXOCET, regardless of which binary you use to run it, requires Golang to work. By default, it generates a crypter .go file.
- Windows users: Install Go Here
- Linux users: run sudo apt-get update && sudo apt-get install -y golang
- You must install the EXOCET source files in golang: go get github.com/tanc7/EXOCET-AV-Evasion
- Sub-requirements will also be downloaded and installed
- For Windows and Mac x64 users, pre-compiled binaries are in the /bin folder
To run it:
go run EXOCET.go detectablemalware.exe outputmalware.go
A key is automatically generated for you. The key is 64 characters long and is composed entirely of bash and cmd.exe shell pipe redirectors, to confuse and disrupt brute-forcing attempts against the key by causing unpredictable, destructive behavior on the forensic analyst's device.
For 64-bit Windows targets:
env GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" -o outputMalware.exe outputmalware.go
And out comes an outputmalware.exe file.
For 64-bit macOS targets:
env GOOS=darwin GOARCH=amd64 go build -ldflags "-s -w" -o outputMalware.macho outputmalware.go
For 64-bit Linux targets:
env GOOS=linux GOARCH=amd64 go build -ldflags "-s -w" -o outputMalware.elf outputmalware.go
See this reference on GitHub for the parameters for other operating systems like Android: Reference for Go Cross Compilation
Note that the key can still be found with the strings command; use the upx-ucl command to pack the binary to conceal the key.
Furthermore, there are prebuilt binaries that I have made, meaning you just have to run ./EXOCET or EXOCET-Windows.exe
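As an added defender-side check (not part of EXOCET or its README), the Python below turns the note above into a triage script: it looks for the evidence `strings` would show on an unpacked output binary, a run of 64 or more bytes consisting only of shell pipe/redirector characters, and, when that is absent, checks for the UPX magic that indicates the key may have been concealed by packing. The redirector character set, the sample blobs and the helper names are constructed assumptions.

```python
import re
from typing import List, Tuple

# Assumption: the README says the generated key is 64 characters made only of
# bash/cmd.exe pipe and redirection characters; "|<>&" is my reading of that set.
# "UPX!" is the magic that UPX writes into executables it packs.
UPX_MAGIC = b"UPX!"


def suspicious_key_runs(data: bytes, key_len: int = 64) -> List[Tuple[int, bytes]]:
    """Return (offset, run) for every run of >= key_len redirector-only bytes.
    This is the same artefact the `strings` command exposes on an unpacked build."""
    pattern = re.compile(rb"[|<>&]{%d,}" % key_len)
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def is_upx_packed(data: bytes) -> bool:
    """True if the UPX magic is present, i.e. the key may be hidden by packing."""
    return UPX_MAGIC in data


def triage(data: bytes) -> str:
    """One-line verdict from a first pass over a sample."""
    runs = suspicious_key_runs(data)
    if runs:
        offset, run = runs[0]
        return f"key-like run of {len(run)} redirector chars at 0x{offset:x}"
    if is_upx_packed(data):
        return "UPX-packed: unpack (upx -d) before looking for the key"
    return "no key-like run and no UPX marker"


# Constructed sample blobs standing in for an ELF build of the generated .go file.
CONSTRUCTED_KEY = b"|>&<" * 16                      # 64 bytes of redirectors
UNPACKED_SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                   + b"Go build ID\x00" + CONSTRUCTED_KEY + b"\x00runtime.main\x00")
PACKED_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + UPX_MAGIC + b"\x8a\x3f" * 40

if __name__ == "__main__":
    print(triage(UNPACKED_SAMPLE))
    print(triage(PACKED_SAMPLE))
```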
Legal Information
I, Chang Tan, and the creators of the main module and submodules of Exocet and the packages it incorporates are NOT responsible for the misuse of this tool. This is merely a penetration testing tool. You are strictly prohibited from deploying Exocet output binaries against unauthorized protected systems or unauthorized protected government systems.
I am aware that threat actors of APT41 and the NSO Group have used and/or adopted code from this tool, particularly the go-memexec method. If I were to be approached by Federal Investigators regarding the misuse of this tool, I am not claiming responsibility.
This is the same stuff that happened to the developers of Mimikatz and PowerShell Empire (who deprecated their own development upon realization of its use among threat actors). The successors have picked up development of Empire, and there are free alternatives such as Covenant C2.
EXOCET live demo
Demo video: https://github.com/tanc7/EXOCET-AV-Evasion/blob/master/media/exocetdemo.mp4
Reason for the name
On May 4th, 1982, during the Falklands War, a squadron of Argentine Super Étendards launched a French-made Exocet missile at the HMS Sheffield. Despite the Royal Navy's attempts to stop the missile, one struck, sinking the Sheffield. That incident literally put Argentina on the map as a show of force against a global colonial power.
News Article of the sinking of the HMS Sheffield
Very much like how Onel de Guzman's actions with the ILOVEYOU virus put the Philippines on the map as a cyber threat.
Incoming update, notes and ambitions
So this month, and the next month is going to be a busy month for me, and there will be delays in implementing these methods. But I am excited to get started on implementing new AV evasion techniques such as...
- Inline hooking
- Obfuscation by emulating BlackRota and the gobfuscate module
- Process hollowing
- Reflective DLL injection
- Remote process injection
- ThreadLocalStorage Callbacks
- Registration of Top-Level Exception Handlers
- Custom UPX packing
I am a very busy man, I have the following priorities and I would like to request some help, some pull requests to aid in the project. Since I have the following things to do
- A court appearance in late October
- National Cyber League
- Accounting and Finance Classes, Computer Science was NEVER my college major and in the following weeks I will have exams back-to-back
- Federal Supervised Release Conditions and the FBI trying to implicate me in new unproven crimes. I have dash camera videos I uploaded to the cloud to prove it that I am sending to my lawyers. I have documented multiple attacks against me, vandalism of my car, my house, filed police reports and counter reports and will be building my case to file a Federal lawsuit. One of the perpetrators, who ripped out my front bumper of my car, has been arrested.
- A private project involving interaction with the CoinGeckoAPI
- Running the cryptoscopeinitiative.org, a to-be-filed 501c3 Non-Profit Organization
- Teaching three online classes on Exploit Development
Upcoming update! Direct encrypted shellcode execution! (Implemented in test versions, not released yet)
I need a bit of help, because I successfully implemented CGO to execute encrypted shellcode but it is throwing memory access violations exit status 0xc0000005. It shouldn't be anything related to DEP (Data Execution Prevention) because the file CGOTest/working-template-shellcode-executor.go did run.
Problem Discovered
As it turns out, VirtualAlloc must be called from kernel32.dll and ntdll.dll to properly make the memory page where the shellcode lands readable, writable and executable, in other words to set PAGE_EXECUTE_READWRITE on. Read the Note on Memory Access Violation Problem below.
Once I figure this out (CGO was a pain in the ass to implement), we can create crypters that execute INLINE-ASSEMBLY, which was considered an impossibility until now.
Note that this requires Golang and the MinGW toolchain to be installed on Windows, with you running and generating the shellcode on Windows. The reason is that CGO cannot be cross-compiled like our other EXOCET modules. To install the toolchain, go to https://www.msys2.org/ and follow the guide. Then you must add gcc to your environment variables in Windows.
Step 1: Generate shellcode, this could be from msfvenom Meterpreter payloads, Cobalt Strike Beacons, or your own custom shellcode in C compatible format
Step 2: Copy only the bytes of the shellcode, excluding the quotes into a text file like sc.txt
Step 3: Your shellcode file should look like this. Raw shellcode
Step 4: Now run the command go run exocet-shellcode-exec.go sc.txt shellcodetest.go KEY
Step 5: You can attempt to run it but you'll run into memory access violation errors for some reason, which I am still working on
Note on Memory Access Violation Problem
Apparently, aside from the major limitations of CGO that prohibit or dramatically frustrate cross-compilation, the issue is that the shellcode we want to execute lands in a section of memory (analyzed in WinDBG x64) that is not RWX. In other words, unless we write C code that explicitly allows execution of the shellcode in memory, it will always throw access violation errors.
The other method, which I observed from other developers of rudimentary Go modules (https://gist.github.com/mgeeky/bb0fd5652b234fbd1c7630d7e5c8542d), is that they use Go's Windows API to interact with ntdll.dll and kernel32.dll to call VirtualAlloc and specify RWX memory pages. This method works better, but it seems that the shellcode must be in num-transformed format only for it to work.
I am still working on this, you guys. I may combine multiple programming languages to write a proper shellcode execution module.
Note on Apple M1 Chips for precompiled binaries
Unfortunately I am running into errors making a pre-compiled binary for MacBooks running the new M1 CPUs. It may be an issue with my Golang installation.
┌──(root💀kali)-[/opt/EXOCET-AV-Evasion]
└─# GOOS=darwin GOARCH=arm64 go build exocet.go
# command-line-arguments
/usr/lib/go-1.15/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/tmp/go-link-477718799/go.o: file not recognized: file format not recognized
collect2: error: ld returned 1 exit status
Either way, you still require Golang to compile or cross-compile the malware to the platform you are targeting.
Response for you're doing.
I want to inform you about a very bad situation for you. However, you can benefit from it, if you will act wisely.
Have you heard of Pegasus?
This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners.
It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, and Windows.
I guess, you already figured out where I'm getting at.
It's been a few months since I installed it on all your devices because you were not quite choosy about what links to click on the internet.
During this period, I've learned about all aspects of your private life, but one is of special significance to me.
I've recorded many videos of you jerking off to highly controversial porn videos.
Given that the "questionable" genre is almost always the same, I can conclude that you have sick perversion.
I doubt you'd want your friends, family and co-workers to know about it. However, I can do it in a few clicks.
Every number in your contact book will suddenly receive these videos - on WhatsApp, on Telegram, on Skype, on email - everywhere.
It is going to be a tsunami that will sweep away everything in its path, and first of all, your former life.
Don't think of yourself as an innocent victim. No one knows where your perversion might lead in the future, so consider this a kind of deserved punishment to stop you.
Better late than never.
I'm some kind of God who sees everything.
However, don't panic. As we know, God is merciful and forgiving, and so do I.
But my mercy is not free.
Transfer $1220 USD to my bitcoin wallet: 1A28fiWUfQnqEMqoDmMf7KZcjSDY7mEjfs
Once I receive confirmation of the transaction, I will permanently delete all videos compromising you,
uninstall Pegasus from all of your devices, and disappear from your life. You can be sure - my benefit is only money.
Otherwise, I wouldn't be writing to you, but destroy your life without a word in a second.
I'll be notified when you open my email, and from that moment you have exactly 48 hours to send the money.
If cryptocurrencies are uncharted waters for you, don't worry, it's very simple.
Just google "crypto exchange" and then it will be no harder than buying some useless stuff on Amazon.
I strongly warn you against the following:
1) Do not reply to this email. I sent it from a temp email so I am untraceable.
2) Do not contact the police. I have access to all your devices, and as soon as I find out you ran to the cops, videos will be published.
3) Don't try to reset or destroy your devices.
As I mentioned above: I'm monitoring all your activity, so you either agree to my terms or the videos are published.
Also, don't forget that cryptocurrencies are anonymous, so it's impossible to identify me using the provided address.
Good luck, my perverted friend. I hope this is the last time we hear from each other.
And some friendly advice: from now on, don't be so careless about your online security.