The new version of Shellter is almost ready to be released, so this is a good time to provide an overview of the main updates that have been applied.
First of all, some optimizations have been applied to the engine that generates thread-context-aware polymorphic code for obfuscating the various stubs Shellter produces. Some instructions that were previously excluded from Stealth Mode can now be used in the obfuscation as well.
Furthermore, the backup functionality of Shellter has been enhanced. Shellter will now create a new directory called ‘Shellter_Backups’ and, every time you infect a PE file whose name it has not seen before, it will move a copy of the original there. If you try to re-infect the same PE file, which is supported as long as you use Stealth Mode for all infection attempts, Shellter will no longer overwrite the backup of the original file. Instead, it will notify the user that this file has probably been used before, so that you do not unintentionally work on a previously infected file.
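The backup-once-per-name behaviour described above, written out as an added PowerShell example (this is not Shellter's own code; the directory name ‘Shellter_Backups’ comes from the post, the function names are hypothetical, and the hash comparison is an extra check that tells you whether a working copy still matches the backed-up original):

```powershell
# Added example, not Shellter's own code. Back up a PE file once per file name,
# refuse to overwrite an existing backup, and compare a working copy against it.
function Backup-OriginalPE {
    param(
        [Parameter(Mandatory)][string]$PePath,
        [string]$BackupDir
    )
    if (-not (Test-Path -LiteralPath $PePath)) { throw "PE file not found: $PePath" }
    if (-not $BackupDir) {
        # Default: a 'Shellter_Backups' directory next to the PE file.
        $full      = [System.IO.Path]::GetFullPath($PePath)
        $BackupDir = Join-Path ([System.IO.Path]::GetDirectoryName($full)) 'Shellter_Backups'
    }
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $name = Split-Path -Path $PePath -Leaf
    $dest = Join-Path $BackupDir $name
    if (Test-Path -LiteralPath $dest) {
        # A backup with this name already exists: keep it and warn, never overwrite.
        Write-Warning "'$name' already has a backup in $BackupDir; this file has probably been used before. Keeping the original backup."
        return 'AlreadyBackedUp'
    }
    Copy-Item -LiteralPath $PePath -Destination $dest
    return 'BackedUp'
}

function Test-PEMatchesBackup {
    param(
        [Parameter(Mandatory)][string]$PePath,
        [string]$BackupDir
    )
    if (-not $BackupDir) {
        $full      = [System.IO.Path]::GetFullPath($PePath)
        $BackupDir = Join-Path ([System.IO.Path]::GetDirectoryName($full)) 'Shellter_Backups'
    }
    $dest = Join-Path $BackupDir (Split-Path -Path $PePath -Leaf)
    if (-not (Test-Path -LiteralPath $dest)) { return $null }   # nothing to compare against
    # SHA-256 of both files: $true means the working copy is still the pristine original.
    $work   = (Get-FileHash -LiteralPath $PePath -Algorithm SHA256).Hash
    $backup = (Get-FileHash -LiteralPath $dest   -Algorithm SHA256).Hash
    return ($work -eq $backup)
}

# Usage (paths are placeholders):
# Backup-OriginalPE -PePath 'C:\work\target.exe'          # 'BackedUp' the first time
# Backup-OriginalPE -PePath 'C:\work\target.exe'          # 'AlreadyBackedUp' + warning
# Test-PEMatchesBackup -PePath 'C:\work\target.exe'       # $false once the copy was modified
```

Returning a status string rather than only printing a warning lets a wrapper script stop before it touches a file that has already been modified, which is the situation the new notification is meant to catch.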
In addition, the error notification functionality has been further improved to display, along with the error code, the system-defined, human-readable explanation of the error as defined by the Windows OS.
Moreover, Shellter will now notify the user when it is not running as Administrator, which means that the tool could not enable the extra privileges that, in some rare cases, might be important for tracing and completing the payload injection. The latest putty release (v0.67) is a good example of this. At run time it further restricts the access granted to the user under which the process was initially created, and this prevents Shellter from detaching from it and proceeding. The problem didn't seem to apply when using Shellter in Wine with the default configuration (XP mode). In any case, running future releases of Shellter as Administrator should fix this rare problem.
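The two checks described in the last two paragraphs, rendering a Win32 error code with the system-defined message text and detecting a non-elevated session, as an added PowerShell example (not Shellter's code; the function names are hypothetical, and the two error codes used in the usage lines are standard Win32 values, not values taken from the post):

```powershell
# Added example, not Shellter's own code. Translate a Win32 error code into the
# OS-defined message (the same text FormatMessage returns) and report elevation.
function Get-Win32ErrorText {
    param([Parameter(Mandatory)][int]$ErrorCode)
    # Win32Exception looks the message up in the system message table for us.
    $ex = New-Object System.ComponentModel.Win32Exception -ArgumentList $ErrorCode
    return ('Error {0} (0x{1:X8}): {2}' -f $ErrorCode, $ErrorCode, $ex.Message)
}

function Test-IsElevated {
    # True only when the current token is a member of the Administrators role,
    # i.e. the process was started elevated and can enable extra privileges.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $identity
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage:
# 5    = ERROR_ACCESS_DENIED, what you see when a target has tightened its own process DACL
# 1300 = ERROR_NOT_ALL_ASSIGNED, what AdjustTokenPrivileges leaves when a privilege
#        could not be enabled because the token does not hold it
Get-Win32ErrorText -ErrorCode 5
Get-Win32ErrorText -ErrorCode 1300
if (-not (Test-IsElevated)) {
    Write-Warning 'Not running as Administrator: extra privileges cannot be enabled, so tracing may fail on hardened targets.'
}
```

Printing the message text next to the numeric code is cheap and removes a whole class of support questions: "error 5" needs a lookup, "Error 5 (0x00000005): Access is denied." tells the user immediately that the target, not the tool, is refusing the operation.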
Finally, some minor optimizations have been applied to the tracing engine and extra SDL checks have been addressed.
I am planning to implement some extra optimizations in the future (possibly in 6.3) that will speed up the tracing engine even more.
Cheers,
kyREcon