{
  "id": 29108522,
  "url": "https://github.com/nemuelw/cheska",
  "last_synced_at": "2025-08-01T17:06:57.876Z",
  "repository": {
    "id": 299690789,
    "uuid": "992800514",
    "full_name": "nemuelw/cheska",
    "owner": "nemuelw",
    "description": "Builder for analysis-aware Windows droppers",
    "archived": false,
    "fork": false,
    "pushed_at": "2025-06-17T19:43:36.000Z",
    "size": 23,
    "stargazers_count": 1,
    "open_issues_count": 0,
    "forks_count": 0,
    "subscribers_count": 0,
    "default_branch": "main",
    "last_synced_at": "2025-06-29T06:11:36.267Z",
    "etag": null,
    "topics": [
      "anti-analysis",
      "anti-debugging",
      "anti-sandbox",
      "anti-vm",
      "cpp",
      "defense-evasion",
      "detection-evasion",
      "dropper",
      "malware-development",
      "python",
      "security-research",
      "windows-malware"
    ],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "Python",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "gpl-3.0",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/nemuelw.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null,
        "zenodo": null
      }
    },
    "created_at": "2025-05-29T18:24:50.000Z",
    "updated_at": "2025-06-20T04:10:10.000Z",
    "dependencies_parsed_at": "2025-06-17T20:40:57.501Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/nemuelw/cheska",
    "commit_stats": null,
    "previous_names": [
      "nemuelw/cheska"
    ],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "purl": "pkg:github/nemuelw/cheska",
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemuelw%2Fcheska",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemuelw%2Fcheska/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemuelw%2Fcheska/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemuelw%2Fcheska/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nemuelw",
    "download_url": "https://codeload.github.com/nemuelw/cheska/tar.gz/refs/heads/main",
    "sbom_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemuelw%2Fcheska/sbom",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 268265824,
      "owners_count": 24222524,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "status": "online",
      "status_checked_at": "2025-08-01T02:00:08.611Z",
      "response_time": 67,
      "last_error": null,
      "robots_txt_status": "success",
      "robots_txt_updated_at": "2025-07-24T06:49:26.215Z",
      "robots_txt_url": "https://github.com/robots.txt",
      "online": true,
      "can_crawl_api": true,
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": [
    "anti-analysis",
    "anti-debugging",
    "anti-sandbox",
    "anti-vm",
    "cpp",
    "defense-evasion",
    "detection-evasion",
    "dropper",
    "malware-development",
    "python",
    "security-research",
    "windows-malware"
  ],
  "created_at": "2025-06-29T06:11:35.436Z",
  "updated_at": "2025-08-01T17:06:57.819Z",
  "avatar_url": "https://github.com/nemuelw.png",
  "language": "Python",
  "funding_links": [],
  "categories": [],
  "sub_categories": [],
  "readme": "\u003ch1 align=\"center\"\u003eCheska\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003eBuilder for analysis-aware Windows droppers\u003c/p\u003e\n\n## DISCLAIMER\n\n\u003e This project is intended solely for educational and ethical research purposes, such as testing detection\n\u003e systems or studying malware behavior in a controlled environment. The author disclaims any liability for\n\u003e misuse.\n\n## RESPONSIBLE USE\n\n\u003e Cheska is intended for red teamers, researchers, and malware analysts operating within legal boundaries and\n\u003e in controlled, consented environments. Unauthorized deployment or use against systems you do not own or have\n\u003e explicit permission to test is illegal.\n\n## Requirements\n\n- [Python 3](https://www.python.org/downloads)\n- MinGW-w64 (`sudo apt install mingw-w64`)\n\n## How it works\n\nCheska is a builder for analysis-aware Windows droppers. All the user has to provide is the payload file and\nan optional output path where the resulting dropper will be saved.\n\nWhen executed, the build script does the following in a nutshell:\n- validates that the provided payload is a valid Windows PE executable.\n- generates a random 3-character key used to XOR encode the payload and strings in the stub (e.g. DLL names).\n- generates a random 3-5-character string to be used as the resource name for the encoded payload.\n- configures the stub with the key and now encoded string values.\n- compiles the stub and embeds the encoded payload as a resource.\n\nThe dropper, upon execution, does the following:\n\n- Performs anti-analysis checks (detailed below)\n- Loads and decodes the payload from the resources section\n- Drops and executes the payload\n\n### Anti-Analysis Techniques\n\n| Category       | Technique                   | Description                                           |\n|----------------|-----------------------------|-------------------------------------------------------|\n| Anti-debugging | Unhandled exception filter  | Detects attached debugger via custom exception logic. |\n| Anti-sandbox   | Mouse presence check        | Detects whether a mouse device is installed.          |\n|                | Number of processors (\u003c=2)  | Flags limited CPU environments.                       |\n|                | RAM size (\u003c2GB)             | Detects low-memory VMs or sandboxes.                  |\n| Anti-VM        | Virtualization feature flag | Uses PF_VIRTUALIZATION_ENABLED to detect VT-x/AMD-V.  |\n|                | Native VHD boot check       | Detects OS booted from VHD, common in VMs/sandboxes.  |\n \n### Additional Defense Evasion Techniques\n\nTo further minimize detection and complicate analysis, the stub also employs:\n\n- **PEB walking** for stealthy module enumeration\n- **Dynamic API resolution** to bypass static import detection\n- **String obfuscation** (e.g. XOR-encoded DLL and function names)\n\n\n## Setup\n\n\u003e The builder was developed and tested on a Linux environment, leveraging MinGW-w64 for cross-compiling\n\u003e Windows binaries.\n\n- Clone this repository\n\n```bash\ngit clone https://github.com/nemuelw/cheska.git\n```\n\n- Navigate to the project directory\n- Create a virtual environment and activate it\n\n```bash\npython3 -m venv .venv\n```\n\n```bash\n. .venv/bin/activate\n```\n\n- Install project dependencies\n  \n```bash\npip3 install -r requirements.txt\n```\n\n## Usage\n\n```bash\npython3 cheska.py -p \u003cPAYLOAD_FILE\u003e [-o \u003cOUTPUT_FILE\u003e]\n```\n\n## Contribution\n\nContributions are welcome! Ideas for improvement include:\n\n- Better anti-VM techniques (e.g. VM driver or MAC address checks)\n- Additional anti-sandbox methods\n- Stub optimization or improved evasion heuristics\n\nFeel free to open an issue for discussion or submit a pull request.\n\n## Developers \u0026 Maintainers\n\n- Nemuel Wainaina ([nemuelwainaina@proton.me](mailto:nemuelwainaina@proton.me))\n\n## License\n\nThis project is licensed under the terms of the [GNU General Public License v3.0](LICENSE).\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnemuelw%2Fcheska",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fnemuelw%2Fcheska",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnemuelw%2Fcheska/lists"
}