NUKE Cryptor is an example cryptor designed for the protection of executable files from antivirus detection. This project is purely experimental and created for educational purposes. It demonstrates a wide array of protection methods including encryption, obfuscation, and anti-analysis features, making it an effective learning tool for malware analysis and security research.
The cryptor includes a built-in packer, providing additional protection against static signature detection by hiding file attributes and patching AMSI (Antimalware Scan Interface) to evade Windows Defender. Other notable features include:
- 🔥 Self-Removal (Melting): Removes itself from the disk after execution.
- 🕵️♂️ Anti-Analysis Techniques: Includes detection of virtual machines, debuggers, and anti-analysis techniques to hinder reverse engineering.
- 👻 HideFile: Changes the file's attributes to hidden.
- 🚀 Autorun: Adds a file to startup.
- 🛠️ Mutex Control: Prevents re-execute on the system.
- 🔑 Run As Administrator: Executing with elevated permissions.
- ⚙️ Conditional Compilation: Allows the cryptor to include only the features and options chosen by the user, making the final build more streamlined.
- 🔒 Custom Renaming and Obfuscation: Includes customizable renaming of functions and string encryption to make the code less readable and harder to analyze.
- 🛡️ Advanced Protection Layer: Adds extra layers of code obfuscation, call hiding, and mutation techniques on top of the base protector using .NET Reactor.
Cryptor supports 3-nd injection methods:
- Self-Injection (Standard PE-Load): Injects the payload into the stub own process.
- Native Process Injection: Randomly selects a native system process for injection.
- .NET Process Injection: Injecting into other random .NET process.
Cryptor uses a layered approach to protection:
- AES-256 Decryption: The primary loader module decrypts the payload using AES-256, ensuring a decryption process in memory for the main executable.
- XOR Encryption: The packer includes an additional layer of XOR-based encryption, which, if enabled by the user, performs decryption in primary module, adding a third layer of security.
The first select your file that you want to protect, then select the necessary options (I recommend the combination Obfuscation + Protect + Packer with Standart-PE-Load) then to compile the final file, click on the last button on the left side of the program bar and the compilation process will begin.
This project is for educational purposes only, intended for studying malware and security techniques. The author is not responsible for any malicious use of this software.
- Author: @K3rnel-Dev
- dnlib: A library for manipulating .NET assemblies.
GitHub: https://github.com/0xd4d/dnlib - Eziriz .NET Reactor: .NET Extended protector.
Web: https://www.eziriz.com/dotnet_reactor.htm - Guna.UI2: Library for program customization and design.