Riode Crypter is a proof-of-concept crypter for Windows, written in Go with a modern Wails-based frontend.
It demonstrates how to combine payload encryption, process injection (RunPE), anti-analysis, persistence, and other evasion techniques.
Disclaimer:
This project is for educational and research purposes only.
The RunPE technique is based on public sources and the code is widely detected by antivirus software.
This repository is not intended for malicious use.
Use responsibly and only in controlled, legal environments.
-
Modern Wails UI:
Responsive and modern Windows interface for all configuration and build steps, with real-time progress and error reporting. -
AES-256-GCM Payload Encryption:
All payloads are encrypted using AES-256-GCM before being embedded in the stub. This prevents static extraction and signature-based detection of the payload from the stub binary. -
Polymorphic Payload Embedding:
Each build embeds the encrypted payload at a random location within the stub binary, with random padding and size metadata. This means every output file is unique—even with the same payload and settings—making hash-based and simple signature detection by AVs much harder. -
String Encryption (XOR):
All string literals in the stub source (except critical Go syntax and directives) are encrypted at build time with a random XOR key. At runtime, strings are decrypted only as needed. This avoids static analysis and YARA rules that look for suspicious strings (like API names, URLs, or registry keys). -
Process Injection (RunPE):
Implements the RunPE technique for process hollowing, allowing the payload to be injected into a legitimate process (e.g., explorer.exe). This is a classic AV evasion method, and the target process is fully user-configurable. -
Anti-Analysis Features:
- Anti-VM: Detects common virtualization environments (VirtualBox, VMware, Hyper-V, etc.) via GPU and username checks.
- Anti-Debug: Uses multiple methods (IsDebuggerPresent, CheckRemoteDebuggerPresent, timing attacks) to detect debuggers and exit if found.
-
Persistence Mechanisms:
Optionally installs the stub to a hidden/system directory and adds a registry key for startup persistence. Checks for existing installation and only copies if needed. -
Bypass Defender (ForceUAC):
Optionally attempts to elevate privileges and add a Windows Defender exclusion for the system drive, using a technique from my other repo. This increases the chance of payload execution on protected systems. -
Melt File:
Optionally deletes the stub executable after successful injection, reducing forensic evidence on disk. -
Downloader Mode:
Optionally downloads and executes a secondary payload from a user-specified URL, supporting staged attacks or payload updates. -
Assembly & Resource Spoofing:
Fully customizable version info, product/company name, original filename, and icon. This helps the stub blend in with legitimate software and evade basic user interest. -
Randomization & Build Polymorphism:
Every build uses random encryption keys, randomizes payload placement, and string encryption keys, ensuring that no two stubs are ever identical—even with the same settings. This is critical for evading hash-based and static AV detection. -
Progress Reporting:
The frontend receives real-time updates from the backend for each build step, including errors, making the build process transparent and user-friendly.
-
String Encryption:
Prevents AVs and researchers from finding suspicious strings in the binary, which are often used for detection and reverse engineering. -
Polymorphic Embedding:
Ensures every output is unique, making it much harder for AVs to use hashes or simple binary signatures to detect your stubs. -
Combinable Evasion:
By allowing you to mix and match anti-debug, anti-VM, persistence, and other options, you can tailor each build for specific targets or testing scenarios. -
User-Friendly:
The combination of a modern UI, detailed configuration, and advanced evasion techniques makes this project ideal for red teamers, researchers, and those studying AV evasion.
- Select a Payload:
Choose any Windows executable to encrypt and embed. - Configure Options:
Set anti-analysis, persistence, injection, and spoofing options. - Build Stub:
The crypter encrypts the payload, generates a custom stub, and compiles it with your settings. - Run Stub:
The stub decrypts the payload at runtime and injects it into the target process using RunPE.
-
Currently Supported:
- 64-bit (x64) payloads and targets only.
- The stub and RunPE logic are designed for 64-bit Windows executables and processes.
-
32-bit Support:
- Not yet implemented.
- I plan to add 32-bit (x86) support in the future, likely with my own custom RunPE implementation for improved stealth and flexibility.
Note:
If you attempt to use a 32-bit payload or target process, the build or injection will fail.
Full cross-architecture support is a planned feature.
A sample stub built scanned on VirusTotal:
Why so many detections?
- The RunPE technique is public and widely used in malware, so AV vendors have strong signatures for them.
- This project is a demonstration and not a FUD (fully undetectable) crypter.
- For better results, you would need to heavily obfuscate, mutate, and customize the stub for each build.
-
Clone the repository:
git clone https://github.com/Roman0x0/riode-crypter.git cd riode-crypter -
Install dependencies:
go mod init go mod tidy
-
Build the app:
wails build
-
Build the test payload:
go build -ldflags="-H=windowsgui" -o simple-test.exe simple-test.go -
Run in development mode (or use the final .exe in the build directory):
wails dev
-
This project is for:
- Security researchers
- Red teamers
- Malware analysts
- Educational demonstration
-
This project is NOT for:
- Malicious use
- Unauthorized access or harm
- abdullah2993/go-runpe (RunPE logic)
- Wails (UI framework)
- Joseph Spurrier/goversioninfo (Version info tool)
This project is released under the MIT License.
See LICENSE for details.
For questions, research collaboration, or anything else, contact me via GitHub or open an issue.