0xbitx/DEDSEC_NULLBYTE

DEDSEC_NULLBYTE

NullByte - Advanced Python Code Injection & Obfuscation Tool

DESCRIPTION

NullByte is a sophisticated penetration testing tool that demonstrates advanced code injection techniques used in real-world supply chain attacks. It can inject invisible, obfuscated malicious code into legitimate Python projects while maintaining their original functionality. The tool now includes built-in reverse shell generation and handler integration for comprehensive attack simulations.

Key Features:

  • Multiple Obfuscation Methods - 5 different encoding techniques using invisible characters
  • Reverse Shell Integration - Generate and inject Meterpreter payloads directly
  • Metasploit Handler Automation - Auto-start listeners for reverse shells
  • Invisible Character Encoding - Uses Zero-Width Joiner (ZWJ) and other invisible Unicode characters
  • Stealth Integration - Injects into existing Python files without breaking functionality
  • Compression & Encoding - Zlib, Base64, ROT13 combinations
  • Built-in Obfuscation - Hides function calls using character arrays and unusual variable names
  • Intelligent Injection - Automatically finds safe injection points in Python code
  • Cross-Platform Payloads - Works on Linux, Windows, and macOS systems

Usage Guide

1. CREATE - Generate Obfuscated Payload

Creates a standalone Python script with your code obfuscated using invisible characters.

Steps:

  1. Select option 1 from main menu
  2. Enter source file path
  3. Choose output filename
  4. Select encoding method (1-5)
  5. Tool generates obfuscated payload file

Encoding Methods:

  • Method 1: Zlib compression + Invisible binary encoding
  • Method 2: Zlib + Base64 + ROT13 + Invisible encoding
  • Method 3: Method 2 + Obfuscated built-in functions
  • Method 4: Direct invisible character encoding
  • Method 5: Direct encoding + Obfuscated built-ins

2. INJECT INTO EXISTING FILE - Complete Attack Simulation

Injects obfuscated code into legitimate Python projects with reverse shell capabilities.

Steps:

  1. Select option 2 from main menu
  2. Specify target Python file (victim's project)
  3. Choose payload type:
    • Option 1: Custom payload from file
    • Option 2: Reverse shell
  4. If choosing reverse shell:
    • Select payload type:
      1. BIND TCP - python/meterpreter_bind_tcp
      2. REVERSE TCP - python/meterpreter_reverse_tcp
      3. REVERSE HTTP - python/meterpreter_reverse_http
      4. REVERSE HTTPS - python/meterpreter_reverse_https
    • Enter LHOST (default: 127.0.0.1)
    • Enter LPORT (default: 4444)
  5. Choose encoding method (1-5)
  6. Select injection point from valid locations
  7. Choose injection type (new line or append)
  8. Save output (overwrite or create new file)
  9. Optionally start Metasploit handler automatically

Injection Types:

  • New Line Injection: Inserts obfuscated code as a new line
  • Append Injection: Appends code to existing lines using semicolons

Reverse Shell Payloads:

  • Bind TCP: Listens on target machine for incoming connections
  • Reverse TCP: Connects back to attacker's machine (most common)
  • Reverse HTTP: Uses HTTP protocol for connection (evades some firewalls)
  • Reverse HTTPS: Encrypted HTTPS connection (most stealthy)

INSTALLATION

git clone https://github.com/0xbitx/DEDSEC_NULLBYTE.git
cd DEDSEC_NULLBYTE
sudo pip3 install tabulate
chmod +x dedsec_nullbyte
sudo ./dedsec_nullbyte

TESTED ON FOLLOWING

  • Kali Linux
  • Parrot OS

Detection & Prevention

Indicators of Compromise

  • File Size Anomalies: Unexpected increase in Python file sizes
  • Invisible Characters: Files containing \u200c, \u200d, or other zero-width characters
  • Unusual Imports: Unexpected zlib, codecs, base64, or subprocess usage in unrelated code
  • Obfuscated Strings: Arrays of numbers being joined with chr() calls
  • Suspicious Variable Names: Uncommon Unicode variable names (e.g., invisible characters)
  • Network Indicators: Connections to unusual ports or known C2 infrastructure
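
A defender can check for several of the indicators above in one pass over a source file. The scanner below is an added example, not part of NullByte or its repository; the function names, the `WATCHED_IMPORTS` set and the sample input are constructed for illustration. It flags runs of Unicode format (Cf) characters such as \u200c and \u200d, the imports listed above, `join()` calls fed by `chr()`, and non-ASCII variable names.

```python
import ast
import unicodedata

WATCHED_IMPORTS = {"zlib", "codecs", "base64", "subprocess"}  # modules the page lists

def invisible_runs(source):
    """Return (line, column, length) for every run of Unicode format (Cf) characters."""
    runs = []
    for lineno, line in enumerate(source.split("\n"), 1):
        col = 0
        while col < len(line):
            start = col
            while col < len(line) and unicodedata.category(line[col]) == "Cf":
                col += 1
            if col > start:
                runs.append((lineno, start, col - start))
            else:
                col += 1
    return runs

def ast_findings(source):
    """Return (watched imports, lines with join() over chr(), non-ASCII Name identifiers)."""
    imports, joins, names = set(), [], set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imports |= {a.name.split(".")[0] for a in node.names}
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Name) and not node.id.isascii():
            names.add(node.id)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "join"):
            inner = {n.id for a in node.args for n in ast.walk(a) if isinstance(n, ast.Name)}
            if "chr" in inner:
                joins.append(node.lineno)
    return sorted(imports & WATCHED_IMPORTS), sorted(joins), sorted(names)

def scan(source):
    # A single leading BOM is legitimate, so it is dropped before scanning.
    source = source[1:] if source.startswith("\ufeff") else source
    report = {"invisible_runs": invisible_runs(source)}
    try:
        report["imports"], report["chr_joins"], report["odd_names"] = ast_findings(source)
    except SyntaxError as exc:  # keep the character scan even if the file does not parse
        report["parse_error"] = str(exc)
    return report

# Constructed sample: a benign function plus the indicator shapes, with no real payload.
SAMPLE = ("import zlib\ndef add(a, b):\n    return a + b\n_ = '" + "\u200c\u200d" * 8
          + "'\nmod = ''.join(chr(c) for c in [122, 108, 105, 98])\n")
```

Calling `scan(SAMPLE)` reports one 16-character invisible run on line 4, the `zlib` import, and the `chr()` join on line 5. Each hit is a prompt for review rather than a verdict, since a watched import or a zero-width character in localized text can be legitimate.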

Prevention Best Practices

  • Code Review: Always review third-party code and dependencies before integration
  • Hash Verification: Verify package integrity with checksums and digital signatures
  • Static Analysis: Use tools like Bandit, Semgrep, or custom rules to detect obfuscated code
  • Network Monitoring: Monitor for unusual outbound connections from development systems
  • Least Privilege: Run code with minimal necessary privileges
  • Regular Updates: Keep dependencies updated with security patches
  • Supply Chain Security: Implement SBOM (Software Bill of Materials) and dependency scanning
  • Runtime Protection: Use application control and behavioral monitoring tools

Support

If you find my work helpful and want to support me, consider making a donation. Your contribution will help me continue working on projects.

Bitcoin Address: 36ALguYpTgFF3RztL4h2uFb3cRMzQALAcm

⚠️ IMPORTANT DISCLAIMER

NullByte is designed for:

  • Authorized security testing and research
  • Educational purposes in controlled environments
  • Improving defensive capabilities

NEVER use this tool for:

  • Unauthorized testing or attacks
  • Malicious purposes
  • Compromising systems without explicit permission
  • Illegal activities

Always ensure you have written permission before testing any system that you do not own or administer.

I'm not responsible for anything you do with this program, so please only use it for good and educational purposes.
