Nytro

Hyperion: Implementation of a PE-Crypter


Posted

Hyperion: Implementation of a PE-Crypter

Christian Ammann

May 8, 2012

1 Introduction

A runtime crypter accepts binary executable files as input and transforms them into an encrypted version (preserving its original behaviour). The encrypted file decrypts itself on startup and executes its original content. This approach allows the deployment of malicious executables in protected environments: a pattern-based antivirus (AV) solution detects the signature of suspicious files and blocks their execution. The encrypted counterpart contains an unknown signature, its content cannot be analysed by heuristics and is therefore executed normally without an intervention by the AV scanner. Other uses are protection of binaries against reversing or the replacement of the encryption routine with a packer to reduce the size of an executable.

This paper reveals the theoretic aspects behind run-time crypters and describes a reference implementation for Portable Executables (PE) [1], which is the Windows file format for dynamic-link libraries (DLLs), object files and regular executables. The encryption of Windows executables requires a general understanding of the following aspects:

PE layout: The PE header, section headers and data directory entries.

PE loader: How and where process images are loaded and executed in virtual memory.

We give a beginner-friendly introduction to these two important topics in section 2. Afterwards, we present and explain the PE crypter reference implementation Hyperion in section 3 for 32-bit executables, which can be divided into two parts (see figure 1 for details): a crypter and a container. The crypter (which is explained in more detail in section 3.1) gets a PE binary as input, copies the complete input file into memory, calculates a checksum and prepends the checksum to the input file. Afterwards, a random key is generated which is used to encrypt the checksum and the input file with the AES-128 [2] encryption algorithm. Finally, the encrypted result is copied into the container's data section.

Download:

http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf
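From the defender's side, the artifact the paper describes (an AES-encrypted copy of the whole input file sitting in the container's data section) shows up as a PE section whose raw bytes have near-maximal entropy. The Python below is an added example, not part of the paper or of the Hyperion code: it walks a PE file's section table and flags high-entropy sections; the 7.2 bits/byte threshold, the minimal constructed PE skeleton and the two sample blobs are assumptions for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Walk the PE section table; yields (name, PointerToRawData, SizeOfRawData)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # 20-byte COFF file header follows the signature
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield f[0].rstrip(b"\0").decode("ascii", "replace"), f[4], f[3]

def flag_encrypted_sections(image: bytes, threshold=7.2, min_size=256):
    """[(name, entropy)] for sections whose raw bytes look encrypted or packed (assumed threshold)."""
    hits = []
    for name, off, size in pe_sections(image):
        ent = shannon_entropy(image[off:off + size])
        if size >= min_size and ent >= threshold:
            hits.append((name, round(ent, 2)))
    return hits

def build_sample_pe(sections):
    """Constructed, non-loadable PE skeleton: DOS header, PE sig, COFF header, section table, raw data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    headers, raw, offset = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for i, (name, data) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                               0x1000 * (i + 1), len(data), offset, 0, 0, 0, 0, 0x40000040)
        raw, offset = raw + data, offset + len(data)
    return bytes(dos) + b"PE\0\0" + coff + headers + raw

# Constructed inputs: low-entropy code-like pattern vs. a high-entropy stand-in for the AES payload.
PLAIN_TEXT = bytes(range(16)) * 256
CIPHER_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PE = build_sample_pe([(b".text", PLAIN_TEXT), (b".data", CIPHER_BLOB)])
```

On a real sample, run `flag_encrypted_sections(open(path, "rb").read())`; legitimately compressed resources also score high, so treat a hit as a triage signal rather than a verdict.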

Posted

Good reference.

As a rule, crypters work by a simple method:

Encryption:

Input data (unencrypted) -> Crypt routine (and optionally pack) -> crypted data

Decryption:

Crypted data -> Decrypt routine (which is exactly the inverse of the encryption routine, plus optional unpacking if that was chosen) -> Unencrypted data

In ASM the simplest encryption method is:

XOR target, source

For example:

XOR EAX, EBX

Decryption is the inverse operation:

XOR EBX, EAX

The weakness lies in the fact that decryption happens at run time, and a memory breakpoint on the code section can catch the decrypted code. A memory dump after the code has been decrypted is usually enough in the case of simplistic crypters....
