Ever have that not so safe feeling uploading your malware binaries to VirusTotal or other AV sites because you can look up binaries by hashes? Recomposer will take your binary and randomly do the following:
By the way, your file will still execute, so upload away!*
Supports win32/64 PE Files!!
Two modes:
Tested by creating 11200 samples from one binary. Results:
Also Read – HRShell : HTTPS/HTTP Reverse Shell Built With Flask
./recomposer.py -f live.sysinternals.com/Tcpview.exe -a
Old file name: live.sysinternals.com/Tcpview.exe
New file name: zYmycO4NO2LYW.exe
[] Checking if binary is supported [] Gathering file info
1 Section: .text | SectionFlags: 0x60000020
2 Section: .rdata | SectionFlags: 0x40000040
3 Section: .data | SectionFlags: 0xc0000040
4 Section: .rsrc | SectionFlags: 0x40000040
[] Changing Section .text Name [] Changing Section .rdata Name
[] Changing Section .data Flags [] Changing Section .data Name
[] Changing Section .rsrc Name Updated Binary: updatedfile/zYmycO4NO2LYW.exe [] Checking if binary is supported
[*] Gathering file info
1 Section: .mhz | SectionFlags: 0x60000020
2 Section: .p1k | SectionFlags: 0x40000040
3 Section: .FSr0U | SectionFlags: 0xd0000443
4 Section: .q2X | SectionFlags: 0x40000040
Writing to log_recomposer.txt
You might see this warning:\
[!] Warning, .text section hash is not changed!
[!] No caves available for nop injection.
Which means that the .text section hash will be the same as the original file and be searchable (on the web) once google indexes the VT results (if you upload the file of course). If this happens, upx encoding the recomposed file should take care of that problem (unless the file is already upx encoded).
After recomposer completes, your file will be in the updatedfile directory. Feel free to upload it to your favorite malware sandbox service!
A simple PE Editor:
./recomposer.py -f live.sysinternals.com/Tcpview.exe -m
[] Checking if binary is supported [] Gathering file info
[?] What sections would you like to change:
1 Section: .text | SectionFlags: 0x60000020
2 Section: .rdata | SectionFlags: 0x40000040
3 Section: .data | SectionFlags: 0xc0000040
4 Section: .rsrc | SectionFlags: 0x40000040
Section number:1
[-] You picked the .text section.
[?] Would you like to (A) change the section name or (B) the section flags? b
[-] You picked: b
[*] Current attributes:
.text | 0x60000020
[-] IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_EXECUTE
[-] IMAGE_SCN_CNT_CODE
[] Commands ‘zero’ out the flags, ‘help’, ‘write’, or (‘exit’, ‘quit’, ‘q’, ‘done’) [] Use ‘write’ to commit your changes or ‘clear’ to start over.
[?] Enter an attribute to add or type ‘help’ or ‘exit’:
[…]
Just follow the menu and your results will be in updatedfile directory as change.filename.exe or whatever the output you chose when using the -o flag.
If you are confused about where your files are, just look at log_recomposer.txt for location and hashes of files changed:
filename|filename_hash|changedfile|changedfile_hash
psinfo.exe|ae1554f2c1b1454a91c5610747603824|updatedfile/8dV5.exe|791ff4d4b2010accebc718afda58f83a psexec.exe|d0df366711c8b296680002840336b6fd|updatedfile/udi6ieIVFi.exe|6fafa108d697a46a271a918436e60cd5 live.sysinternals.com/Tcpview.exe|9aa5a93712c584acdcaa7eef9d25ef4d|updatedfile/zYmycO4NO2LYW.exe|fd984b833443c457668a480a37cf9904 live.sysinternals.com/Tcpview.exe|9aa5a93712c584acdcaa7eef9d25ef4d|updatedfile/change.Tcpview.exe|c43eeec089a3e4f9e6fd0218a27ca4c2
Recomposer does not stop malware from notifying the malware owner of their binary running outside of an expected environment.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…