InsanityProtector

Private Version 1.7 (05-05-2019)
  • Added functionality to run compiled .NET code using CLR Memory Hosting. (Works perfectly together with the privilege elevation "UAC Bypass - Mocking Trusted Directory")
  • Small errors were corrected for perfect execution in some versions of Windows 10.
  • It has an interface with more insanity than ever.

Private Version 1.6 (29-11-2018)
  • Developed a UAC Bypass - Mocking Trusted Directory in FASM.
 

Private Version 1.5 (04-02-2018)
  • Personal method to bypass RunPE detectors.
  • New method of compressing executables with obfuscate packer.

  
Insanity Protector 1.4 (23-09-2017)

Insanity has been tested running alongside RATs with the following antivirus applications and their default settings:

  • Kaspersky Internet Security
  • McAfee
  • Avast Professional
  • AVG Professional
  • NOD32 Internet Security
  • Avira Professional
  • Avira Free
  • Windows Defender 7, 8.1 and 10

It is important to emphasize that the tests were done with completely new trojans, or with known trojans that had been modified to avoid antivirus detection based on their connection frames, file creation or access to registry paths.

New selection options:

  • Different persistence methods have been added, such as persistence by shortcut (LNK).
  • With the default configuration, all loaders are polymorphic.
  • The delay time has been increased by five seconds to avoid in-memory analysis by some antivirus products.
  • Fixed a bug with the modified RunPE Shellcode.

DISCLAIMER
This application is designed exclusively for educational purposes and I am not responsible for the misuse that other people may give Insanity Protector software or the information set forth herein.

Insanity Protector 1.3 (26-04-2017)

This new version of Insanity Protector is again completely undetectable.

Four new features have been added to the tool:
  • The names of the controls for each loader are modified.
  • The contents of the internal images are modified for each loader.
  • The PE header is modified by adding the actual timestamp for each loader.
  • Important, Intelligent... If you use any polymorphic mode, check this option. The PE header is modified by adding the CheckSum of the new loader.

Fixed bugs:
  • Now I am much more attractive ;)

Pass: 4n0nym0us

Insanity Protector 1.2 (01-02-2017)

This new version of Insanity Protector is again completely undetectable.

Four new features have been added to the tool:


  • It is now possible to sleep the process before the malware is decoded in memory. This helps to avoid in-memory antivirus analysis and works perfectly with the new CyberCapture (DeepScreen) technologies from Avast and AVG.
  • Added a modified RunPE Shellcode, to avoid detections with hooks.
  • The "Installation Name" button has been added, with which it is possible to modify the Loader name and the Windows registry path.
  • A new function allows you to generate a different loader for each use, adding polymorphism.

Fixed bugs:

  • Now it works on all Windows 10 operating systems.
  • Fixed problems with UPX compression and creation of the encrypted binary.

Insanity Protector v1.1 (24-12-2016)

This new version of Insanity Protector is again fully undetectable. In the anti-virus evasion tests I've done this time, I want to emphasize the good functioning of the NOD32 antivirus detection routines.

Two options have been added to the tool, so you can choose whether to compress your sample with UPX and whether to run it at system start.


If you choose the option "Start the loader with Windows", by default the installation path is in %AppData% and the auto-start key is that of the current user.
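
For defenders, the default described above (a loader installed under %AppData% and started from the current user's auto-start key) is a simple triage signal. The following is an added example, not code from the original post or from the tool: it flags auto-start commands whose executable resolves under %AppData%. The sample values, the user name `alice` and the assumption that the key in question is `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` are constructed for illustration.

```python
import ntpath
import re

# Constructed sample (not from the page): value name -> command line, as they
# could appear under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r"%AppData%\svc\updater.exe",
    "Helper": r'"C:\Users\alice\AppData\Roaming\Helper Tool\helper.exe" -silent',
    "Sync": r"C:\Users\alice\APPDATA\Roaming\..\Roaming\sync.exe /q",
    "Notes": r"C:\Users\alice\Documents\notes.exe",
}

def expand_env(command, env):
    """Expand %VAR% case-insensitively; unknown variables are left as written."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), command)

def executable_of(command):
    """Return the program path of a Run value without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces: cut after the first program extension.
    m = re.match(r"(?i)(.+?\.(?:exe|com|scr|pif|bat|cmd|vbs|js))(?:\s|$)", command)
    return m.group(1) if m else (command.split() or [""])[0]

def is_under(path, root):
    """True if path is inside root after resolving parent references, ignoring case."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root))
    return path.startswith(root + "\\")

def flag_appdata_autoruns(run_values, env):
    """Return (name, resolved path) for auto-start entries located under %AppData%."""
    flagged = []
    for name, command in sorted(run_values.items()):
        exe = ntpath.normpath(executable_of(expand_env(command, env)))
        if is_under(exe, env["APPDATA"]):
            flagged.append((name, exe))
    return flagged

if __name__ == "__main__":
    for name, exe in flag_appdata_autoruns(SAMPLE_RUN_VALUES, SAMPLE_ENV):
        print(f"review: {name} -> {exe}")
```

On a live host the dictionary would be filled from the registry (for example with Python's `winreg` module) and `os.environ`. A hit is a lead for review rather than a verdict, since legitimate per-user software also starts from %AppData%.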

The problems running the samples on Windows 10 come from Minor/MajorOSVersion. I encourage you to run tests.


Insanity Protector v1.0 (23-11-2016)

The proof of concept shown in this blog is based on making a software protector that is completely undetectable by all antivirus products, without modifying the binary after compilation.


Tested Insanity Protector
Windows 7, 8.1, 10.

Loader
  • It uses two encryption algorithms to prevent antivirus detection after joining with your app. This method is able to bypass proactive AV detection.
  • The loader is developed in Visual Basic 6, currently compiled in PECode and FUD.
  • Your application will be compressed with UPX by Insanity Software before being encrypted.
  • An encrypted RunPE method is used and is kept outside the loader.
  • The loader and the encrypted file are joined with IExpress. It is also FUD.


Loader content

(Loader & Protected.exe)


17 comments:

  1. Hello friend. I wanted to let you know that it does not work on my Windows 10 x64 system. But it does work on Win 7 x32/x64.

    It is great work, thank you.

  2. Hi! Thank you very much for testing it! Let's see if I can get hold of that version and look at what might be happening!
    Regards! :)

  3. I'm interested to know which algorithms you used to encrypt, since it takes a very long time.
    Do you play with the PE of the file being encrypted? Because certain executables won't let themselves be encrypted.

    Replies
    1. I used a simple Caesar and a ROT13. There is a reason for having used these algorithms, and above all for the way the file is opened to be encrypted. I open the binary as if it were a text file, which is why I need UPX, since it would take up twice the space on disk. To make it take less time, take it out of a virtual machine and put it on a powerful machine to encrypt the binaries, hehe

      Regards!

    2. The truth is that yes, by using Caesar and ROT13, since in the encrypted file all the characters are recognized as ASCII, you can therefore open it as text, as you say. Now I understand it better.

      Although nowadays hard disks are very spacious and the internet is high speed, so the truth is that UPX is not necessary. You have come up with a good method, and if it has to take up a little more space, that's fine, people appreciate it just the same.

      I have been using my i7 with 16 GB of RAM and some take a long time or get stuck. I have waited up to 15 minutes, which is why I asked about the PE.

  4. It's true 4n0nym0us, it didn't work for me either on Windows 10 x64, nor on Vista, also x64.
    I hope you can fix it, since it's clear you did great work.
    Regards.

    Replies
    1. Hello, good evening!

      I don't know why I get this feeling... but I think I'm going to skip the Vista version. I have to get hold of a Windows 10 x64 to take a look at it. I am developing a second version with the option to auto-start with the system, and it is already working totally FUD. If you have ideas, such as some interesting shellexecute, you can tell me so I can see whether I include it in future versions.

      Here is a preview image: http://bit.ly/2hr08H1

      Regards!

  5. Hello 4n0nym0us. Sorry, but it's not possible to download Insanity Protector.

    Thanks

  6. The links are broken, regards!

  7. Thanks for the little Christmas present. Super FUD!!! The quality, selfless work is much appreciated. Keep it up. For my part, I'll test it as soon as I can. Merry Christmas!

  8. Both versions work perfectly on freshly installed Windows 10 x32 and x64. What I have been able to see is that, if it is updated, its ordinals have changed.

  9. Thanks Germán. It would be excellent if for the next version you could briefly show the usage and functions with a small video demo for the more dummies among us :P

    Regards!

  10. The 360 Security antivirus detects them. Could you look for a way to make it get past that antivirus?

    PS: Thanks for the tools, I'm from the "foro el hacker .net"

  11. Hahaha, very good Germán, nice work you've put in, congratulations. I saw the thanks Kevin Mitnick gave you, you're a star, regards...

    Replies
    1. Thank you very much! Yes, the truth is that this Insanity has been a fun challenge =)