[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-79036":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":37,"readmeContent":38,"aiSummary":39,"trendingCount":16,"starSnapshotCount":16,"syncStatus":40,"lastSyncTime":41,"discoverSource":42},79036,"OpenPetya","iss4cf0ng\u002FOpenPetya","iss4cf0ng","A Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++","https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F05\u002F23\u002F2026-5-23-OpenPetya\u002F",null,"C",244,44,3,1,0,5,10,183,15,69.96,"MIT License",false,"main",true,[27,28,29,30,31,32,33,34,35,36],"assembly","bootkit","bootloader","c-language","cpp","nasm","nasm-assembly","petya","petya-rewrite","ransomware","2026-06-12 04:01:24","# OpenPetya\n\nA Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++\n\n\u003Cp align=\"center\">\n    \u003Cimg src=\"https:\u002F\u002Fiss4cf0ng.github.io\u002Fimages\u002Fmeme\u002FRio\u002F4.png\" width=200\u002F>\n\u003C\u002Fp>\n\nIf you find this project helpful or informative, I would truly appreciate a ⭐ on the repository. 
Your support would be a great motivation for me to continue improving this tool.\n\n# Overview\n\nOpenPetya is an educational project designed to study how bootkits and low-level ransomware operate internally.\n\n\u003Cp align=\"center\">\n    \u003Cimg src=\"https:\u002F\u002Fiss4cf0ng.github.io\u002Fimages\u002Farticle\u002F2026-5-23-OpenPetya\u002F5.png\" width=700\u002F>\n\u003C\u002Fp>\n\nThe project focuses on:\n- custom MBR bootloading\n- multi-stage boot process\n- Protected Mode transition\n- NTFS Master File Table (MFT) encryption\n- Salsa20-based cryptography\n- password validation and restoration workflow\n\nOpenPetya is **NOT** intended to be an exact reimplementation of either Petya or NotPetya. Instead, it is a simplified Proof-of-Concept designed for learning and research purposes.\n\nIt is worth mentioning that OpenPetya does not include Command-and-Control (C2) functionality. In addition, OpenPetya stores plaintext MFT backup data inside hidden sectors after encryption. This behavior is intentionally designed for educational purposes because those features are relatively trivial compared to the core bootloader and cryptographic mechanisms implemented in this project. 
However, you can still modify or remove these features if necessary.\n\n---\n\n# Project Motivation\n\nOver the past few months, I have been studying:\n- malware analysis\n- bootloaders\n- rootkits and bootkits\n- Windows internals\n- operating system fundamentals\n- low-level Assembly programming\n\nWhile researching Petya and NotPetya, I realized that many online resources only briefly explain the overall workflow without demonstrating how the underlying boot process actually works.\n\nIn addition, many existing Petya-related projects rely on extracted bootloader binaries or modified original components rather than implementing the logic from scratch.\n\nTherefore, I decided to develop OpenPetya as a practical project for understanding:\n- how custom MBR bootkits work\n- how stage-2 bootloaders operate\n- how disk encryption workflows function\n- how password validation and restoration mechanisms are implemented\n\nThe project also serves as part of my ongoing research into bootkits, low-level malware, and operating system internals.\n\nRelated articles:\n- [Analyzing Petya](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F04\u002F12\u002F2026-4-12-Petya\u002F)\n- [Analyzing NotPetya](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F04\u002F13\u002F2026-4-13-NotPetya\u002F)\n- [Simple MBR And Bootloader](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F04\u002F08\u002F2026-4-8-MbrAndBootLoader\u002F)\n- [OpenBootloader](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F05\u002F10\u002F2026-5-10-OpenBootloader\u002F)\n- [Rootkits and Bootkits Notes](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F04\u002F28\u002F2026-4-28-RootkitAndBootkit\u002F)\n- [PC Assembly Language Notes](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F04\u002F21\u002F2026-4-21-PcAsmLang\u002F)\n- [Serious Cryptography Notes](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F05\u002F16\u002F2026-5-16-SeriousCryptography\u002F)\n\n---\n\n# Features\n\n- **Custom 
MBR**\n  \n  OpenPetya uses a custom Master Boot Record (MBR) to load the stage-2 payload.\n\n- **Custom Stage-2 Bootloader**\n  \n  The stage-2 bootloader contains the core functionality of the project, including:\n  - Salsa20 encryption\u002Fdecryption\n  - password validation\n  - restoration logic\n  - user interface\n\n- **Protected Mode Transition**\n  \n  The bootloader switches from 16-bit Real Mode to 32-bit Protected Mode before executing higher-level logic.\n\n- **MFT Encryption**\n  \n  Similar to the original Petya, OpenPetya encrypts critical parts of the NTFS Master File Table (MFT) using Salsa20.\n\n- **Password Validation**\n  \n  OpenPetya validates the input password before decryption to prevent irreversible corruption caused by invalid keys.\n\n- **Automatic Restoration**\n  \n  Once the correct password is entered:\n  - encrypted data is restored\n  - the original boot chain is recovered\n  - OpenPetya removes itself automatically\n\n---\n\n# Components\n\n## `OpenPetya.exe`\n\nUser-mode installer and controller application.\n\nFunctions:\n- drive selection\n- installation\n- reboot triggering\n- utility interface\n\n## `mbr.bin`\n\nCustom Master Boot Record (MBR) code responsible for:\n- stage-2 loading\n- early boot execution\n\n## `stage2.bin`\n\nThe core payload of OpenPetya.\n\nResponsibilities:\n- Protected Mode transition\n- Salsa20 cryptographic operations\n- MFT encryption\u002Fdecryption\n- password validation\n- restoration\n- boot-time interface\n\n---\n\n# Workflow\n\nThe workflow of OpenPetya is summarized below.\n\n1. Users install OpenPetya using `OpenPetya.exe` and choose a password.\n\n2. The machine is rebooted manually or through the BSOD (via `NtRaiseHardError`) mechanism provided by the installer.\n\n3. During boot, the custom MBR loads the stage-2 payload.\n\n4. The stage-2 payload switches the CPU into Protected Mode.\n\n5. OpenPetya encrypts selected parts of the NTFS Master File Table (MFT).\n\n6. 
After encryption, the machine reboots again.\n\n7. A boot-time interface prompts the user for the password.\n\n8. If the password is correct:\n   - encrypted data is decrypted\n   - the original boot chain is restored\n   - OpenPetya removes itself automatically\n\n9. Windows boots normally again.\n\n> Unlike the original Petya ransomware, OpenPetya does not attempt to deceive users with fake CHKDSK screens or social engineering behavior. The project is designed purely for educational and research purposes.\n\n---\n\n# Build\n\nYou can build the project using the commands below.\n\n```bash\nmake            # Build mbr.bin and stage2.bin\n.\u002Fbuild.exe     # Build OpenPetya.exe\n```\n\n# Usage\n\n\u003Cp align=\"center\">\n    \u003Cimg src=\"https:\u002F\u002Fiss4cf0ng.github.io\u002Fimages\u002Farticle\u002F2026-5-23-OpenPetya\u002F6.png\" width=700\u002F>\n\u003C\u002Fp>\n\n> Warning: Please execute it in your virtual machine!\n\nThe commands below show how to install the custom MBR and stage-2 bootloader (administrative privileges are required):\n\n```batch\nOpenPetya.exe --list\nOpenPetya.exe --drive 0 --install mbr.bin stage2.bin\n```\n\n# Technical Notes\n\nDetailed explanations about:\n- MBR boot process\n- Real Mode and Protected Mode\n- Salsa20 implementation\n- MFT encryption workflow\n- bootkit design\n- More discussions about Petya and NotPetya\n- How to use undocumented APIs (such as `NtRaiseHardError`)\n\nare documented in [this article](https:\u002F\u002Fiss4cf0ng.github.io\u002F2026\u002F05\u002F23\u002F2026-5-23-OpenPetya\u002F).\n\n# Disclaimer\n\nThis project was developed purely for educational and research purposes.\n\nThe goal of OpenPetya is to study:\n\n- bootkits\n- operating system internals\n- low-level malware techniques\n- bootloader architecture\n\nDo **NOT** use this project for illegal activities or against systems you do not own or explicitly have permission to test.\n\nThe author is **NOT** responsible for any misuse of this 
software.\n\n# Demonstration (Windows 7)\n\n## Screenshots\n\n\u003Cp align=\"center\">\n    \u003Cimg src=\"https:\u002F\u002Fiss4cf0ng.github.io\u002Fimages\u002Farticle\u002F2026-5-23-OpenPetya\u002F4.png\" width=800\u002F>\n\u003C\u002Fp>\n\n## Runtime Demo\n\n\u003Cp align=\"center\">\n    \u003Cimg src=\"https:\u002F\u002Fiss4cf0ng.github.io\u002Fimages\u002Farticle\u002F2026-5-23-OpenPetya\u002Fdemo.gif\" width=800\u002F>\n\u003C\u002Fp>\n\n# Future Plans\n\n- Improved recovery workflow\n- Better NTFS parsing\n- More accurate Petya behavior simulation\n- UEFI experiments\n- Additional bootkit research\n- Full-screen Graphics Mode\n- Windows 10 support\n\n# Thanks\n\nThanks for checking out this project. Feedback and suggestions are welcome.","OpenPetya is an educational project inspired by the Petya ransomware, written in Assembly, C, and C++, that aims to study the inner workings of bootkits and low-level ransomware. Its core features include custom MBR bootloading, a multi-stage boot process, Protected Mode switching, NTFS Master File Table (MFT) encryption, and Salsa20-based cryptography. The project is suited to security researchers, malware analysts, and developers interested in low-level operating system mechanisms, for study and research use. Note that OpenPetya is not an exact reproduction of Petya or NotPetya, but a simplified proof-of-concept tool designed for teaching and research purposes.",2,"2026-06-11 03:57:22","CREATED_QUERY"]