brandbowcrucible /
OpenPetya-tool
A Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++
Loading repository data…
iss4cf0ng / repository
A Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++
A Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++
If you find this project helpful or informative, I would truly appreciate a ⭐ on the repository. Your support would be a great motivation for me to continue improving this tool.
OpenPetya is an educational project designed to study how bootkits and low-level ransomware operate internally.
The project focuses on:
OpenPetya is NOT intended to be an exact reimplementation of either Petya or NotPetya. Instead, it is a simplified Proof-of-Concept designed for learning and research purposes.
It is worth mentioning that OpenPetya does not include Command-and-Control (C2) functionality. In addition, OpenPetya stores plaintext MFT backup data inside hidden sectors after encryption. This behavior is intentionally designed for educational purposes because those features are relatively trival compared to the core bootloader and cryptographic mechanisms implemented in this project. However, you can still modify or remove these features if necessary.
Over the past few months, I have been studying:
While researching Petya and NotPetya, I realized that many online resources only briefly explain the overall workflow without demonstrating how the underlying boot process actually works.
In addition, many existing Petya-related projects rely on extracted bootloader binaries or modified original components rather than implementing the logic from scratch.
Therefore, I decided to develop OpenPetya as a practical project for understanding:
The project also serves as part of my ongoing research into bootkits, low-level malware, and operating system internals.
Related articles:
Custom MBR
OpenPetya uses a custom Master Boot Record (MBR) to load the stage-2 payload.
Custom Stage-2 Bootloader
The stage-2 bootloader contains the core functionality of the project, including:
Protected Mode Transition
The bootloader switches from 16-bit Real Mode to 32-bit Protected Mode before executing higher-level logic.
MFT Encryption
Similar to the original Petya, OpenPetya encrypts critical parts of the NTFS Master File Table (MFT) using Salsa20.
Password Validation
OpenPetya validates the input password before decryption to prevent irreversible corruption caused by invalid keys.
Automatic Restoration
Once the correct password is entered:
OpenPetya.exeUser-mode installer and controller application.
Functions:
mbr.binCustom Master Boot Record (MBR) code responsible for:
stage2.binThe core payload of OpenPetya.
Responsibilities:
The workflow of OpenPetya is summarized below.
Users install OpenPetya using OpenPetya.exe and choose a password.
The machine is rebooted manually or through the BSOD (via NtRaiseHardError) mechanism provided by the installer.
During boot, the custom MBR loads the stage-2 payload.
The stage-2 payload switches the CPU into Protected Mode.
OpenPetya encrypts selected parts of the NTFS Master File Table (MFT).
After encryption, the machine reboots again.
A boot-time interface prompts the user for the password.
If the password is correct:
Windows boots normally again.
Unlike the original Petya ransomware, OpenPetya does not attempt to deceive users with fake CHKDSK screens or social engineering behavior. The project is designed purely for educational and research purposes.
You can build the project using the commands below.
make # Build mbr.bin and stage2.bin
./build.exe # Build OpenPetya.exe
Warning: Please execute it in your virtual machine!
The commands below shows how to install custom MBR and stage-2 bootloader (Administrative privilege is required):
OpenPetya.exe --list
OpenPetya.exe --drive 0 --install mbr.bin stage2.bin
Detailed explanations about:
NtRaiseHardError)Are documented in this article.
This project was developed purely for educational and research purposes.
The goal of OpenPetya is to study:
Do NOT use this project for illegal activities or against systems you do not own or explicitly have permission to test.
The author is NOT responsible for any misuse of this software.
Thanks for checking out this project. Feedback and suggestions are welcome.
Selected from shared topics, language and repository description—not editorial ratings.
brandbowcrucible /
A Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++