DrIdle
I'm not going to explain a completely new method of making executables FUD (fully undetectable). I guess most of the publicly available crypters do it similarly. The problem with those crypters is that they get detected very soon after they are published. So I figured out a way to write my own crypter in C++. In this tutorial I explain how you can implement your own crypter and how you can play around with the code to get your exe FUD again if it gets detected some day.
Maybe these ideas are not new to you and someone else has already posted them here somewhere. In that case please let me know.
I tested it with two RATs:
- Poison Ivy server (v2.3.2)
- Cybergate server (v1.07.5) (Hint: "Compress with UPX" must be disabled)
(other tools might also work with this technique; just test with your exe)
The test system is a Windows XP SP3 machine. I don't know whether this also works on Vista and 7. Maybe someone can try?
Server size:
- Poison Ivy: 10KB (before), 46KB (after)
- Cybergate: 290KB (before), 327KB (after)
Antivirus (AV) detection:
!!Important!! If you want to test your crypted exe with online AVs, do it only here (http://scanner2.novirusthanks.org/) and don't forget to tick the checkbox "Do not distribute the sample"! Otherwise your exe is distributed to the AV companies so they can examine it and update their signature databases.
So let's get started!
Agenda:
1. Stuff you need
2. Implement the Encrypter
3. Implement the Stub (Decrypter)
4. Bind your encrypted exe with the Stub
5. Play around with code to get your exe to be FUD again
1. Stuff you need
- Microsoft Visual C++ Express 2010: http://www.microsoft.com/express/Downloads (the Express edition is free)
- Resource Hacker: http://www.angusj.com/resourcehacker
- my implementations of the Encrypter and the Stub (Visual Studio projects): http://www.mediafire.com/?uvst74qimxjvoi1
2. Implement the Encrypter
Open the Visual Studio project "MyEncrypter" by double-clicking "MyEncrypter.sln" (see "1. Stuff you need" for a download link). It should look like this (sorry, I have the German version of Visual Studio):
(for all the C++ pros out there: I know my code can be optimized. I'm not used to C++ coding, so please be lenient... this is for educational purposes, not for maximum performance)
The Encrypter is a console application. You need it to encrypt your exe so that AVs can't find any pattern matches in it. The encryption algorithm I used is AES.
These are the steps the Encrypter takes:
1. open a given binary file
2. encrypt the data with an AES key (you may change this key as you like)
3. write the encrypted data to an output file
(try to understand what the C++ code does!)
Compile the Visual Studio project by pressing F7. You now have your Encrypter application "MyEncrypter.exe" in the project output directory.
The binary file to encrypt is passed to the Encrypter as the first parameter (e.g. "MyEncrypter.exe server_to_encrypt.exe"). Either type the command at the Windows command prompt or drag "server_to_encrypt.exe" onto "MyEncrypter.exe".
If the Encrypter runs successfully, a file called "encrypted.dat" is generated in the same directory as the Encrypter. This encrypted file should be exactly the same size as the unencrypted file: the encryption adds no padding and no header, so a size difference means something went wrong.
That was the easy part of the tutorial ;) Now let's move on to the Stub.
3. Implement the Stub (Decrypter)
A Stub is the part of an exe that is responsible for decrypting the rest of the exe at runtime and running the decrypted code in memory. This way AVs that only do static code analysis (at the time of writing, most of them) have no chance to detect your exe; only AVs that support dynamic analysis, i.e. emulation or sandboxing, can still catch it. Dynamic analysis is resource intensive, so AV products on ordinary end-user computers rarely did much of it. Keep in mind, though, that the decrypted payload does exist in plain form inside the running process, so a memory scanner or a behavioural monitor that looks at the process after decryption still sees the original server.
Open the Visual Studio project "MyStub" by double clicking on "MyStub.sln" (see "1. Stuff you need" for a download link). It should look like this:
Screenshot
The Stub is a Win32 application. It decrypts the binary data stored in a resource of the exe. By the time of decryption the whole exe is already loaded into memory, so the decrypted data never touches the disk where a file scanner would see it. Since we used AES for encryption, we need the same algorithm and the same AES key for decryption. These are the steps the Stub takes:
1. find the resource of type "BIN" with the name "132" (you may change these as you like, but remember what you put in here, we need it again later; also, don't use the name "0")
2. copy the encrypted resource data to the heap
3. decrypt data
4. run the decrypted code (your exe) in memory
(try to understand what the C++ code does!)
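Added example, not the tutorial's own code (which is only in the download): the Encrypter of section 2 and steps 2 and 3 of the Stub use the same AES routine, so one Go program covers both. Go is used here because its standard library ships AES; the key and counter block are placeholders I made up, and AES-CTR is an assumption chosen because it produces the same-size output the tutorial describes. The program stops at a sanity check on the recovered bytes and deliberately does not implement step 4 (running the code).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"os"
)

// Placeholder key and counter block (assumptions; the tutorial's real values
// live in its downloadable projects and are not reproduced here). Encrypter
// and Stub must compile in identical copies. The key ships inside the stub,
// so it hides nothing from an analyst who has the file; it only denies a
// scanner a pattern match on the payload bytes.
var stubKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
var stubIV = []byte("fedcba9876543210")  // 16-byte fixed counter block

// CryptCTR applies AES in CTR mode to data in place. CTR is a stream mode:
// no padding, no header, so the length never changes (the "exact same size"
// the tutorial observes), and the same call both encrypts and decrypts.
// Reusing one fixed key/IV for every payload is fine for obfuscation but
// would be unsound for protecting real secrets.
func CryptCTR(key, iv, data []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	cipher.NewCTR(block, iv).XORKeyStream(data, data)
	return nil
}

// EncryptFile is the Encrypter: read the binary, encrypt it, write the result.
// It returns the number of bytes written so the caller can compare sizes.
func EncryptFile(inPath, outPath string) (int, error) {
	data, err := os.ReadFile(inPath)
	if err != nil {
		return 0, err
	}
	if err := CryptCTR(stubKey, stubIV, data); err != nil {
		return 0, err
	}
	if err := os.WriteFile(outPath, data, 0o644); err != nil {
		return 0, err
	}
	return len(data), nil
}

// DecryptResource is the Stub's steps 2 and 3: copy the resource bytes into a
// fresh, writable heap buffer (the mapped resource section is read-only) and
// decrypt that copy. Step 4, executing the buffer, is intentionally omitted.
func DecryptResource(resource []byte) ([]byte, error) {
	buf := make([]byte, len(resource)) // step 2: private copy on the heap
	copy(buf, resource)
	if err := CryptCTR(stubKey, stubIV, buf); err != nil { // step 3
		return nil, err
	}
	return buf, nil
}

// LooksLikePE is a cheap sanity check before step 4: a correctly decrypted
// payload starts with "MZ" and carries "PE\0\0" at the offset stored in
// e_lfanew (0x3C). With a wrong key the check fails instead of the stub
// jumping into garbage.
func LooksLikePE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	off := int(binary.LittleEndian.Uint32(b[0x3C:0x40]))
	return off >= 0x40 && off+4 <= len(b) && bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: encrypter <file_to_encrypt>")
		return
	}
	n, err := EncryptFile(os.Args[1], "encrypted.dat")
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("wrote encrypted.dat (%d bytes)\n", n)
}
```

Build it with go build and call it the way the tutorial calls its Encrypter: encrypter server_to_encrypt.exe. On the stub side you would hand the bytes returned by LockResource to DecryptResource and only continue if LooksLikePE accepts the buffer; with a wrong key (for example the decoy key from the time-based selection described below) the check refuses the buffer rather than letting the stub run random bytes.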
With these steps I was able to trick 15 of 16 AVs. Only VBA32 managed to see through the AES decryption. A scanner that gets past the decryption is in fact emulating the code rather than merely scanning it, but the emulator VBA32 uses (at least in the online scanner at novirusthanks.org) does not let time pass, so I came up with the idea of involving the system time in obtaining the correct AES key. If the system time is ignored, as it is in such an analysis, a wrong key is used to decrypt the data and VBA32 finds nothing. This step comes right before step 3 (AES decryption).
This is the main idea:
1. take system time
2. sleep for 2 seconds
3. take system time again
4. compare the two times. If more than one second has passed, use the correct key value, otherwise use a wrong key value.
When VBA32 traces the code it skips the sleep, so no time passes and the wrong key value is taken. Now all 16 AVs are tricked. (An emulator or sandbox that advances its clock while skipping Sleep passes this check and decrypts correctly, so treat the trick as a cheap filter, not a guarantee.)
Compile the Visual Studio project by pressing F7 (make sure the Release configuration is active).
Now you have your Stub application "MyStub.exe" in the project output directory.
Okay, now we have our Stub compiled but no resource (encrypted data) attached to it. Unfortunately, the Express edition of Visual Studio has no resource editor, so we have to find another way to accomplish this. Resource Hacker (see "1. Stuff you need" for a download link) will help us out of this misery.
4. Bind your encrypted exe with the Stub
Start Resource Hacker and open the "MyStub.exe" you just compiled in step 3. It should look like this:
Screenshot
Now go to "Action" -> "Add new Resource" and open your encrypted file "encrypted.dat" from step 2. Enter "BIN" as Resource Type and "132" as Resource Name. Important: these identifiers must match exactly what you coded into your Stub (MyStub.cpp) in step 3. If you changed them there, enter the changed values here too.
Screenshot
Click on "Add Resource". Now your resource tree should look like this:
Screenshot
Save your Stub with "File" -> "Save as" under a new name, e.g. "fud_server.exe" (the exe should be roughly the size of MyStub.exe plus the size of encrypted.dat). Your Stub is now complete.
As a result you now have a crypted, working exe that is FUD (at the time of writing this tutorial).
Remember: the stub exe sleeps 2 seconds at start-up in order to get the correct decryption key.
5. Play around with code to get your exe to be FUD again
The more people try to get their exe FUD with the ideas from this tutorial, the more likely it is that the AVs have already developed a signature for this kind of crypter. I gave you the source code, so you have the power and the possibility to modify it. I would say there are at least four places where you can edit, modify or replace code. As mentioned above, many AVs only do static code analysis, which means that once you reorganise your Stub in some way it is FUD again, because the AVs' pattern matching no longer fires. So here are some ideas:
1. Change the encryption algorithm. There are many other algorithms out there, such as Blowfish, RC6 or Triple DES; just search Google for C++ implementations. (Bear in mind that what gets signatured is the stub's own code and the way it decrypts, not the ciphertext itself, so swapping the algorithm helps because it changes the stub's code, not because one cipher is "stronger" than another for this purpose.)
2. Modify the sleep trick (see step 3). I guess this is an easy find for AVs, so be creative and find other ways to tell real execution apart from code analysis.
3. Change the way the resource (encrypted data) is handled. Maybe there are other ways to embed data inside an exe.
4. Change the way the decrypted code is executed in memory. I think the way I have implemented it right now is also an easy find for AVs.
How to change the encryption algorithm?? Tutorial please, I need help.
Hi, when I run the stub I get this error:
"The application failed to initialize properly (0x000007b). Click OK to terminate the application."
Please, can you help me?
Really impressed! Everything is very open and a very clear clarification of the issues. It contains true facts. Your website is very valuable. Thanks for sharing. Data Encoder Crypter