Rakabulle, in one word, is a file binder with a few novel features that can turn a simple binder program into something considerably more complex.
What is a file binder? In a few words, a file binder is a small tool that merges any kind of files into a single application.
When you execute that application, all the previously merged files are extracted to a temporary location and then executed normally.
WinRAR, for example, offers a similar function called SFX (self-extracting package); the only difference is that a binder shows no dialog at all: it extracts and executes the files transparently.
Why do we class file binders in the security field?
Many hackers and script kiddies use such tools to hide malware inside a legitimate application; it is therefore a good project for learning how such tools work.
It also has many legitimate uses, such as building form-less installers: you can merge many different installers into a single application instead of running them one by one.
How does the binder technically work?
- The builder (the "Rakabulle" application) creates a stub and injects into its resources the target files to be extracted and executed.
- The stub is the small generated part of the program, designed to extract the target files from its resources to a temporary location and execute them. In our application the stub also has a part that injects into the Explorer or Internet Explorer process and loads custom-made plugins.
- The plugins are applications that are executed directly from the trusted Microsoft Windows process.
So basically, using the builder you select which files you want to bind and which plugins you want to run in the host process.
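A defender-side check for the technique described above (a stub carrying other executables inside its resources), written here as an added example and not part of Rakabulle: it scans a file for embedded PE images by looking for a DOS "MZ" header whose e_lfanew field points at a valid "PE\0\0" signature. The sample container bytes are constructed in the block and are not real binaries; the thresholds on e_lfanew are a heuristic assumption, not a rule from the PE specification.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def _valid_pe_at(data: bytes, off: int) -> bool:
    """True if a plausible PE header starts at `off`: 'MZ' followed by an
    e_lfanew (offset 0x3C) that points at 'PE\\0\\0' within the buffer."""
    if data[off:off + 2] != MZ or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    # Heuristic bounds (assumption): a DOS header is 0x40 bytes and a real
    # stub rarely puts the PE header more than a page away.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe_off + 24 > len(data):
        return False
    return data[pe_off:pe_off + 4] == PE_SIG


def find_embedded_pe(data: bytes) -> list:
    """Offsets of PE images found inside `data`, ignoring the container's
    own header at offset 0. A non-empty result is a binder/dropper signal."""
    hits = []
    pos = data.find(MZ, 1)
    while pos != -1:
        if _valid_pe_at(data, pos):
            hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def scan_file(path: str) -> list:
    """Convenience wrapper: run the detector over a file on disk."""
    with open(path, "rb") as fh:
        return find_embedded_pe(fh.read())


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed test data: a minimal header that satisfies _valid_pe_at
    (DOS header, e_lfanew=0x40, 'PE\\0\\0', i386 machine, padding). Not runnable."""
    header = bytearray(0x40)
    header[0:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIG + b"\x4c\x01" + b"\x00" * 18 + payload


# Constructed sample: a "stub" with a second executable appended after its resources.
STUB_PART = make_fake_pe(b"stub code")
RESOURCE_PAD = b"resource section "
SAMPLE_CONTAINER = STUB_PART + RESOURCE_PAD + make_fake_pe(b"bound payload")

if __name__ == "__main__":
    print("embedded PE offsets:", find_embedded_pe(SAMPLE_CONTAINER))
```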
The binder, or the dropper (which means the same thing), is executed only once, at its first execution.
However, the Remote Code Execution (REM) plugins of Rakabulle are only executed in the target host process (Explorer or Internet Explorer).
We also offer a function to register the stub in the Microsoft Windows startup. Then, at each Windows boot, the stub is executed again.
Note that at Windows startup only the plugins are loaded into the target host process; as said previously, the binder/dropper part is executed only once.