Rakabulle Presentation:
Welcome to the Rakabulle project. This project is first of all a challenge for a French university located in Paris: the goal is to rank first on search engines for the keyword Rakabulle. If we are first, we win!
I, Fabio Pinto, and my friend DarkCoderSc (known for his past security projects such as DarkComet RAT; he is not part of this university but gladly helps me win using his knowledge of Windows programming) chose a few strategies to hopefully succeed in our task:
- The first strategy, compared with the other challengers, was to offer an attractive piece of software instead of a basic website relaying information with the usual keyword Rakabulle.
Since DarkCoderSc is an expert in the field of Microsoft Windows and security coding, he chose to offer his audience a tool specially designed for professionals in the security field.
- The second strategy, to keep bringing people back to the site regularly, is to offer a plugin system for the software; DarkCoderSc will regularly release new plugins, each more attractive than the last.
- The website also offers a handmade blog with some content, always using the keyword Rakabulle to attract the search engine bots even more.
- Since DarkCoderSc has many contacts in this domain, we have the chance to spread the website and its software very quickly.
- Finally, the challenge lasts only 2 weeks, so we decided to put a two-week countdown on the project, after which the project and the download link will definitively die. People are then more pressed to get their own copy of the software. We also hope people will share the link and the application on their favorite forums and websites. I would like to thank everybody in advance for their contribution. This is not a tiny project but something real; we put a lot of time into making it EPIC and we seriously hope Rakabulle will be enjoyed by the community.
Rakabulle, in a word, is a file binder with a few novel features which could turn a simple binder program into something far more complex.
What is a file binder? In a few words, a file binder is a tiny tool which allows merging any kind of files into a single application.
When you execute the application, all the previously merged files are extracted to a temporary location and then executed normally.
WinRAR, for example, offers a similar function called SFX (Self-Extracting package); the only difference is that the binder doesn't show any dialog. It extracts and executes the files transparently.
Why do we class file binders in the security field?
Many hackers / script kiddies use such tools to hide malware inside legitimate applications; it is a good project for learning how such tools work.
It also has many legitimate uses, such as making form-less installers. You could merge many different installers into a single application instead of executing them one by one.
How does the binder technically work?
- The builder (the "Rakabulle" application) creates a stub and injects into its resources the target files to extract and execute.
- The stub is the small generated part of the program which is designed to extract the target files from its resources to a temporary location and execute them.
In our application the stub also has a part that injects into the Explorer or Internet Explorer process and loads custom-made plugins.
- The plugins are applications which are executed directly from the trusted Microsoft Windows process.
So basically, using the builder, you select which files you want to bind and which plugins you want to run in the host process.
The binder or the dropper (both mean the same thing) is executed only once, at its first execution.
However, the Remote Code Execution (REM) plugins of Rakabulle are only executed in the host target process (Explorer or Internet Explorer).
We also offer a function to register the stub in the Microsoft Windows startup. Then at each Windows boot the stub is executed again.
Note that at Windows startup only the plugins are loaded into the target host process. As previously said, the binder/dropper is executed only once.
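Seen from the analyst's side, the layout described above (bound files stored inside the stub's resources, optionally UPX-packed) leaves two simple artefacts in the produced binary: secondary MZ/PE headers after the file's own header, and UPX section names. The following is an added triage example, written for this page and not part of Rakabulle or its authors' code; the "stub" bytes it scans are constructed inline and are not a real executable.

```python
import struct

# Section names left behind by the UPX packer (the page says the stub may be UPX-compressed).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

def pe_header_offset(blob: bytes, mz_off: int):
    """Offset of the PE signature belonging to the MZ header at mz_off, or
    None when e_lfanew (DOS header +0x3C) does not land on b'PE\\0\\0'."""
    if mz_off + 0x40 > len(blob) or blob[mz_off:mz_off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if pe_off + 4 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\x00\x00":
        return None
    return pe_off

def find_embedded_pe(blob: bytes):
    """Offsets of every valid MZ/PE header other than the file's own one; a stray
    'MZ' without a matching PE signature (e.g. inside data) is ignored."""
    found, pos = [], blob.find(b"MZ", 1)
    while pos != -1:
        if pe_header_offset(blob, pos) is not None:
            found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found

def scan_stub(blob: bytes) -> dict:
    """Triage summary: is it a PE, does it carry embedded PEs, is it UPX-packed."""
    return {
        "valid_pe": pe_header_offset(blob, 0) is not None,
        "embedded_pe_offsets": find_embedded_pe(blob),
        "upx_markers": [m.decode() for m in UPX_MARKERS if m in blob],
    }

def make_fake_pe(payload: bytes = b"", upx: bool = False) -> bytes:
    """Constructed sample (not a real executable): a DOS header whose e_lfanew
    points at a PE signature at 0x80, one section name, then the payload."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)        # DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x80)                  # e_lfanew -> 0x80
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + (b"UPX0" if upx else b".text") + b"\x00" * 16
    return bytes(hdr) + payload

if __name__ == "__main__":
    inner = make_fake_pe()                                   # the "bound" file
    stub = make_fake_pe(b"RSRC" + inner + b"MZ tail", upx=True)
    print(scan_stub(stub))
```

Real binders may encrypt or compress the bound files in the resource section (a feature this page lists as planned), in which case the embedded-PE check alone is not enough and the resource sizes and section entropy are the next things to look at.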
- File binder, automatic file extractor and executor.
- REM (Remote Code Execution): executes code (plugins) in the target process (Explorer or Internet Explorer).
- Supports 32-bit and 64-bit processes.
- The application is a 32-bit application (we will soon compile the 64-bit version).
- Supports UPX compression for the stub (without compression the stub size is about 38 KiB, using the pure Windows API with no extra libraries; with compression the stub size is approximately 16 KiB). UPX compression doesn't change the way the application works, only its final size.
- Supports Windows startup.
- Doesn't require administrative privileges.
- Plugin and file lists support drag and drop.
- Supports plugins, with an open-source example.
- The stub and the builder are coded using Unicode encoding.
Plugins:
- Remote Desktop Capture
- Reverse Shell (multi-window)
- To be defined
Functionalities:
- Load plugins directly from memory (DLL never written to disk)
- Offer a 64-bit stub
- Encrypt the plugins / files in resources
- To be defined