
RATwurst


Windows-only Remote Access Tool (RAT) with anti-debugging and anti-sandbox checks. For educational purposes only.

The reason behind this project

The aim of this project is for me to learn about the techniques used by malware by making a Remote Access Tool.

The more I understand the inner workings of malware and the reasoning behind how it is built, the better I can protect against it.

Only used for educational purposes. See disclaimer below.

I've also written about this project here.

Noteworthy features (so far)

  • Runtime loading of DLLs
  • Anti-virus evasion via simple strings obfuscation
  • Deletes itself and runs from temporary folder
  • Anti-debugging via rdtsc timing
  • Anti-sandbox via process enumeration
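A static triage heuristic, added here as an example rather than code from the RATwurst project, that looks for the three techniques named in the list above (runtime DLL loading, process enumeration for sandbox checks, paired RDTSC reads for timing) in the raw bytes of a PE image. The indicator table and both sample byte strings are constructed for this example; the string-matching half is exactly what the project's string obfuscation is meant to defeat, which is why the opcode scan sits alongside it.

```python
# Indicator table assembled for this example (not the project's own list):
# API names a sample with the listed features tends to reference, keyed to
# the feature they suggest.
API_INDICATORS = {
    b"LoadLibraryA": "runtime DLL loading",
    b"GetProcAddress": "runtime DLL loading",
    b"CreateToolhelp32Snapshot": "process enumeration (anti-sandbox)",
    b"Process32First": "process enumeration (anti-sandbox)",
    b"Process32Next": "process enumeration (anti-sandbox)",
    b"GetTempPathA": "relocation to temporary folder",
    b"IsDebuggerPresent": "debugger check",
}

# x86/x64 encoding of the RDTSC instruction.
RDTSC_OPCODE = b"\x0f\x31"

def triage(image: bytes, rdtsc_threshold: int = 2) -> dict:
    """Return {feature: [evidence, ...]} for indicators found in raw PE bytes.
    A timing check reads the counter twice around the probed code, so the opcode
    scan only fires at two or more RDTSC encodings; the byte pair can also occur
    in ordinary data, so hits are leads for manual review, not proof."""
    findings = {}
    for api, feature in API_INDICATORS.items():
        if api in image:
            findings.setdefault(feature, []).append(api.decode())
    rdtsc_count = image.count(RDTSC_OPCODE)
    if rdtsc_count >= rdtsc_threshold:
        findings["rdtsc timing check"] = [f"{rdtsc_count} RDTSC encodings"]
    return findings

def score(findings: dict) -> int:
    """Distinct anti-analysis features evidenced; two or more merits a closer look."""
    return len(findings)

# Constructed sample (not a real binary): stub header, two RDTSC encodings
# around a dummy loop, then plaintext API names as an unobfuscated import area.
SUSPICIOUS_SAMPLE = (
    b"MZ" + b"\x00" * 30 + b"\x0f\x31" + b"\x90" * 8 + b"\x0f\x31"
    + b"\x00GetProcAddress\x00CreateToolhelp32Snapshot\x00Process32Next\x00"
)
# Constructed benign-looking sample: one RDTSC (a profiler read), no listed APIs.
BENIGN_SAMPLE = b"MZ" + b"\x00" * 30 + b"\x0f\x31" + b"\x90" * 8 + b"\x00GetTickCount\x00"

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = triage(blob)
        print(f"{label}: score={score(found)} {found}")
```

Raising rdtsc_threshold or requiring the API hits to come from the import directory rather than anywhere in the image both cut false positives at the cost of missing samples that resolve imports by hash.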

TODOs

  • Client-server communication via sockets
  • Multiple clients
  • Fetch client host information
  • Shutdown client
  • Remote command execution
  • Client to server file transfer
  • Server to client file transfer
  • Persistence
  • Encrypt messages
  • Anti-debugging
  • Anti-emulation/Anti-sandbox
  • and more... (?)

Screenshots

(Two screenshots, screen1 and screen2, appear in the original README.)

How to build

Currently only works with Visual Studio 2019 with Visual C++ build tools. Makes use of the MSVC compiler.

Check out build.bat under the tools folder on how a build is done.

Resources

These resources helped me a lot when developing this project:

  • ParadoxiaRAT - Native Windows Remote access Tool project
  • Ghost - RAT (Remote Access Trojan) - Silent Botnet - Full Remote Command-Line Access - Download & Execute Programs - Spread Virus' & Malware
  • DarkRAT - DarkRAT loader leaked source code
  • WinAPI-Tricks - Collection of various WINAPI tricks / features used or abused by Malware
  • Engineering Anti-Virus Evasion - Blog post about anti-virus evasion techniques for malware
  • Sandbox detection and evasion techniques - Research that shows how sandbox evasion techniques have evolved in the last 10 years.

Disclaimer

Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, federal, and international laws. The developers of this repository assume no liability and are not responsible for any misuse or damage caused by this program.
