{"id":18110722,"url":"https://github.com/secretsquirrel/recomposer","last_synced_at":"2025-04-14T01:07:55.623Z","repository":{"id":11115049,"uuid":"13472369","full_name":"secretsquirrel/recomposer","owner":"secretsquirrel","description":"Randomly changes Win32/64 PE Files for 'safer' uploading to malware and sandbox sites.","archived":false,"fork":false,"pushed_at":"2013-10-30T14:26:24.000Z","size":116,"stargazers_count":131,"open_issues_count":0,"forks_count":38,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-04-14T01:07:46.621Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secretsquirrel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-10-10T13:42:42.000Z","updated_at":"2025-02-04T11:04:13.000Z","dependencies_parsed_at":"2022-09-10T20:00:44.376Z","dependency_job_id":null,"html_url":"https://github.com/secretsquirrel/recomposer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Frecomposer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Frecomposer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Frecomposer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsquirrel%2Frecomposer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secretsquirrel","download_url":"https://codeload.github.com/secretsquirrel/recomposer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248804803,"owners_count":21164134,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-01T00:11:15.684Z","updated_at":"2025-04-14T01:07:55.547Z","avatar_url":"https://github.com/secretsquirrel.png","language":"Python","funding_links":[],"categories":["Online Scanners and Sandboxes"],"sub_categories":["Other Resources"],"readme":"Recomposer.py\n==========\n\nEver get that not-so-safe feeling when uploading your malware binaries to VirusTotal or other AV sites, knowing that anyone can look up a submission by its hash?  (Example: https://github.com/mubix/vt-notify)\n\nFeel somewhat safer with Recomposer!*\n\nRecomposer will take your binary and randomly do the following:\n\n* Change the file name\n* Change the section names\n* Change the section flags\n* Inject a random number of NOPs, drawn from five different NOP encodings, into each available code cave over 20 bytes in length\n\nBy the way, your file will still execute, so upload away!*\n\n**Supports win32/64 PE Files!!**\n\nTwo modes:\n\n* Manual: Works like a PE editor; change section names and flags by hand\n* Auto: Randomly changes the binary\n\nTested by generating 11,200 samples from a single binary. Results:\n\n* No hash collisions\n* ssdeep similarity to the original file ranged from 77% to 94%\n\n# **Usage:** \n\n## Auto Mode:\n\t\n\t./recomposer.py -f live.sysinternals.com/Tcpview.exe -a\n\tOld file name: live.sysinternals.com/Tcpview.exe\n\tNew file name: zYmycO4NO2LYW.exe\n\t[*] Checking if binary is supported\n\t[*] Gathering file info\n\t1 Section: .text | SectionFlags: 0x60000020\n\t2 Section: .rdata | SectionFlags: 0x40000040\n\t3 Section: .data | SectionFlags: 0xc0000040\n\t4 Section: .rsrc | SectionFlags: 0x40000040\n\t[*] Changing Section .text Name\n\t[*] Changing Section .rdata Name\n\t[*] Changing Section .data Flags\n\t[*] Changing Section .data Name\n\t[*] Changing Section .rsrc Name\n\tUpdated Binary:\n\t\tupdatedfile/zYmycO4NO2LYW.exe\n\t[*] Checking if binary is supported\n\t[*] Gathering file info\n\t1 Section: .mhz | SectionFlags: 0x60000020\n\t2 Section: .p1k | SectionFlags: 0x40000040\n\t3 Section: .FSr0U | SectionFlags: 0xd0000443\n\t4 Section: .q2X | SectionFlags: 0x40000040\n\tWriting to log_recomposer.txt\n\nYou might see this warning:\n\t\n\t[!] Warning, .text section hash is not changed!\n\t[!] No caves available for nop injection.\n\nThis means the .text section hash is identical to the original file's, so the sample remains searchable (on the web) once Google indexes the VT results (if you upload the file, of course). If this happens, packing the recomposed file with UPX should take care of that problem (unless the file is already UPX-packed).\n\nAfter Recomposer completes, your file will be in the updatedfile directory. Feel free to upload it to your favorite malware sandbox service!\n\n## Manual Mode:\n\nA simple PE editor:\n\n\t./recomposer.py -f live.sysinternals.com/Tcpview.exe -m\n\t[*] Checking if binary is supported\n\t[*] Gathering file info\n\t[?] What sections would you like to change:\n\t1 Section: .text | SectionFlags: 0x60000020\n\t2 Section: .rdata | SectionFlags: 0x40000040\n\t3 Section: .data | SectionFlags: 0xc0000040\n\t4 Section: .rsrc | SectionFlags: 0x40000040\n\tSection number:1\n\t[-] You picked the .text section.\n\t[?] Would you like to (A) change the section name or (B) the section flags? b\n\t[-] You picked: b\n\t=========================\n\t[*] Current attributes:\n\t.text | 0x60000020\n\t[-] IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_EXECUTE\n\t[-] IMAGE_SCN_CNT_CODE\n\t=========================\n\t[*] Commands 'zero' out the flags, 'help', 'write', or ('exit', 'quit', 'q', 'done')\n\t[*] Use 'write' to commit your changes or 'clear' to start over.\n\t[?] Enter an attribute to add or type 'help' or 'exit': \n\t[...]\n\nJust follow the menu; your result will be in the updatedfile directory as change.filename.exe, or under whatever output name you chose with the -o flag.\n\nIf you lose track of where your files are, look at log_recomposer.txt, which records the location and hash of every file changed:\n\t\n\tfilename|filename_hash|changedfile|changedfile_hash\n\t\n\tpsinfo.exe|ae1554f2c1b1454a91c5610747603824|updatedfile/8dV5.exe|791ff4d4b2010accebc718afda58f83a\n\tpsexec.exe|d0df366711c8b296680002840336b6fd|updatedfile/udi6ieIVFi.exe|6fafa108d697a46a271a918436e60cd5\n\tlive.sysinternals.com/Tcpview.exe|9aa5a93712c584acdcaa7eef9d25ef4d|updatedfile/zYmycO4NO2LYW.exe|fd984b833443c457668a480a37cf9904\n\tlive.sysinternals.com/Tcpview.exe|9aa5a93712c584acdcaa7eef9d25ef4d|updatedfile/change.Tcpview.exe|c43eeec089a3e4f9e6fd0218a27ca4c2\n\n\n\\*Recomposer does not stop malware from notifying its operator that the binary is running outside of the expected environment.\\*\\*\n\n\n\\*\\*I.e.: your environment.\\*\\*\\*\n\n\\*\\*\\*But if you don't care, go for it!","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsquirrel%2Frecomposer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecretsquirrel%2Frecomposer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsquirrel%2Frecomposer/lists"}
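Added example (not Recomposer's own code, which this page does not show): a stdlib-only Python sketch of two of the transformations the README above describes, renaming PE sections and filling code caves in a code section with NOPs, followed by the check behind the README's ".text section hash is not changed" warning. It walks the section table directly from e_lfanew and the COFF header, so it needs no pefile. Assumptions: the five NOP encodings are standard Intel multi-byte NOP forms chosen here, not necessarily the five Recomposer uses; `build_sample_pe` constructs a minimal, non-loadable PE32 purely as offline test input; section flags are left untouched, because changing them alters how the loader maps the section and is not something to do blindly. All function names are this example's own.

```python
# Added example (not Recomposer's own code): stdlib-only section renaming and
# NOP-filling of code caves in a PE file, plus the ".text hash unchanged" check.
import hashlib
import random
import re
import string
import struct

SECTION_HEADER_SIZE = 40
IMAGE_SCN_CNT_CODE = 0x20
MIN_CAVE = 20  # README: only caves over 20 bytes in length are used
# Five NOP encodings of 1-5 bytes (standard Intel multi-byte NOP forms).  The README
# says five NOP types are used but not which; this particular set is an assumption.
NOP_VARIANTS = [b"\x90", b"\x66\x90", b"\x0f\x1f\x00",
                b"\x0f\x1f\x40\x00", b"\x0f\x1f\x44\x00\x00"]

def section_headers(pe):
    """Locate the section table via e_lfanew + COFF header; return (offset, fields) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # signature (4) + COFF header (20) + optional header
    headers = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        headers.append((off, {"name": name, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags}))
    return headers

def random_section_name(rng, avoid):
    """A '.xxx'-style name of 3-5 alphanumerics, NUL-padded to 8 bytes, never equal to `avoid`."""
    alphabet = string.ascii_letters + string.digits
    while True:
        name = "." + "".join(rng.choice(alphabet) for _ in range(rng.randint(3, 5)))
        if name != avoid:
            return name.encode("ascii").ljust(8, b"\x00")

def find_caves(pe, sec):
    """(file offset, length) of every run of NUL bytes longer than MIN_CAVE in the section's raw data."""
    start, end = sec["raw_ptr"], sec["raw_ptr"] + sec["raw_size"]
    pat = re.compile(rb"\x00{%d,}" % (MIN_CAVE + 1))
    return [(start + m.start(), m.end() - m.start()) for m in pat.finditer(bytes(pe[start:end]))]

def fill_cave(pe, start, length, rng):
    """Overwrite a cave with randomly chosen NOP variants; returns the number of NOPs written."""
    pos, end, count = start, start + length, 0
    while pos < end:
        nop = rng.choice([n for n in NOP_VARIANTS if len(n) <= end - pos])  # 1-byte NOP always fits
        pe[pos:pos + len(nop)] = nop
        pos += len(nop)
        count += 1
    return count

def section_md5(pe, sec):
    return hashlib.md5(pe[sec["raw_ptr"]:sec["raw_ptr"] + sec["raw_size"]]).hexdigest()

def recompose(original, seed):
    """Rename every section and NOP-fill caves in code sections. Returns (new_bytes, report)."""
    rng = random.Random(seed)
    pe = bytearray(original)
    report = {"renamed": [], "nops_written": 0, "warning": None,
              "md5_before": hashlib.md5(original).hexdigest()}
    for off, sec in section_headers(pe):
        new_name = random_section_name(rng, sec["name"])
        pe[off:off + 8] = new_name
        report["renamed"].append((sec["name"], new_name.rstrip(b"\x00").decode("ascii")))
        if sec["flags"] & IMAGE_SCN_CNT_CODE:
            before = section_md5(pe, sec)
            for start, length in find_caves(pe, sec):
                report["nops_written"] += fill_cave(pe, start, length, rng)
            if section_md5(pe, sec) == before:  # the same situation as the README's warning
                report["warning"] = "%s section hash is not changed: no caves available" % sec["name"]
    report["md5_after"] = hashlib.md5(pe).hexdigest()
    return bytes(pe), report

def build_sample_pe(text_bytes, raw_size=0x200):
    """Constructed minimal PE32 (.text + .data) used as offline input; headers only, not loadable."""
    assert len(text_bytes) <= raw_size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\x00")        # PE32 magic, rest zeroed
    def hdr(name, va, raw_ptr, flags):  # IMAGE_SECTION_HEADER layout
        return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
    table = hdr(b".text", 0x1000, 0x200, 0x60000020) + hdr(b".data", 0x2000, 0x200 + raw_size, 0xC0000040)
    headers = (bytes(dos) + coff + opt + table).ljust(0x200, b"\x00")
    text = text_bytes.ljust(raw_size, b"\x00")                 # NUL padding after the code is the cave
    data = b"A" * raw_size                                      # no NULs, so no cave
    return headers + text + data
```

To try it on a real file, read it into bytes and call `recompose(data, seed)`; the report's `warning` field is set under the same condition as the README's "[!] No caves available for nop injection" message, and `md5_before`/`md5_after` show that renaming alone still changes the whole-file hash. Whatever comes out should be test-executed before trusting the README's "still executes" claim: NOP-filling a cave is only safe when the zeroed bytes really are unused padding and not zero-initialized data the code reads.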