h05th

How to make your own 100% FUD crypter with C++


This tutorial is strictly for educational purposes only, I am not responsible for any of the action you may take upon others. Please, Don't abuse this tutorial, Use it wisely.

--

I'm not going to explain a completely new method of how executables can be made FUD. I guess most of the publicly available crypters do it similarly. But the problem with those crypters is that they get detected very soon after they are published. So I figured out a way to write my own crypter in C++. In this tutorial I'm going to explain how you can implement your own crypter and how you can play around with the code to get your exe FUD again if it gets detected some day.

Maybe these ideas are not new to you and someone else posted them already here somewhere. In this case please let me know.

I tested it with two RATs:

- Poison Ivy server (v2.3.2)

- Cybergate server (v1.07.5) (Hint: "Compress with UPX" must be disabled)

(other tools might also work with this technique, just test with your exe)

The system is a Windows XP SP3 machine. I don't know if this also works for Vista and 7. Maybe someone can try?

Server size:

- Poison Ivy: 10KB (before), 46KB (after)

- Cybergate: 290KB (before), 327KB (after)

Antivirus (AV) detection:

[Screenshot]

!!Important!! If you want to test your crypted exe with online AVs, do it only here (http://scanner2.novirusthanks.org/) and don't forget to check the checkbox "Do not distribute the sample"! Otherwise your exe will be distributed to the AV companies so they can examine it and update their virus databases.

So let's get started!

Agenda:

1. Stuff you need

2. Implement the Encrypter

3. Implement the Stub (Decrypter)

4. Bind your encrypted exe with the Stub

5. Play around with code to get your exe to be FUD again

1. Stuff you need

- Microsoft Visual C++ Express 2010: Visual Studio Express 2012 Products | Microsoft Visual Studio | Microsoft Visual Studio (the Express edition is free)

- Resource Hacker: Resource Hacker

- my implementations of the Encrypter and the Stub (Visual Studio projects): DrIdle_crypter.zip

2. Implement the Encrypter

Open the Visual Studio project "MyEncrypter" by double clicking on "MyEncrypter.sln" (see "1. Stuff you need" for a download link). It should look like this (sorry, I have the German version of Visual Studio):

[Screenshot]

(for all of you C++ pros out there: I know my code can be optimized. I'm not used to C++ coding, so please be lenient... this is for educational purposes, not for max performance)

The Encrypter is a console application. You need it to encrypt your exe, so AVs are not able to find pattern matches. The encryption algorithm I used is the AES algorithm.

These are the steps the Encrypter takes:

1. open a given binary file

2. encrypt the data with an AES key (you may change this key as you like)

3. write the encrypted data to an output file

(try to understand what the C++ code does!)

Compile the Visual Studio project by pressing F7. Now you have got your Encrypter application "MyEncrypter.exe" in the project output directory.

[Screenshot]

The binary file to encrypt is passed to the Encrypter as the first parameter (e.g. "MyEncrypter.exe server_to_encrypt.exe"). Either you do this by typing the command at the Win command prompt or you can also drag "server_to_encrypt.exe" onto "MyEncrypter.exe".

If the Encrypter runs successfully a file called "encrypted.dat" will be generated in the same directory as the Encrypter. This encrypted file should have exactly the same size as the unencrypted file.

[Screenshot]

This was the easy part of the tut. Now let's move on to the Stub.

3. Implement the Stub (Decrypter)

A Stub is the part of an exe that is responsible for decrypting the rest of the exe at runtime and running the decrypted code in memory. This way AVs which only support static code analysis (most of the AVs) do not have the chance to detect your exe. Only AVs which support dynamic code analysis are still able to detect it. But dynamic analysis is very resource intensive, so AVs running on normal end user computers don't support it.

Open the Visual Studio project "MyStub" by double clicking on "MyStub.sln" (see "1. Stuff you need" for a download link). It should look like this:

[Screenshot]

The Stub is a Win32 application. It decrypts the binary data found in the resource of the exe. At the time of decryption, all parts of the exe are loaded into memory and are therefore invisible to the AVs. As we used AES for encryption we need the same algorithm and the same AES key again for decryption. These are the steps the Stub takes:

1. search for the resource with the type "BIN" and the name "132" (you may change this as you like but remember what you put in here. We need it later again! Also don't use the name "0")

2. copy the encrypted resource data to the heap

3. decrypt data

4. run decrypted code (your exe) inside memory

(try to understand what the C++ code does!)

With these steps I was able to trick 15 out of 16 AVs. Only the AV "VBA32" managed to get through the AES decryption. But VBA32 also only supports static code analysis (at least the online scanner provided by novirusthanks.org), so I came up with the idea to include the system time to get the correct AES key. If the system time is ignored (which is the case in static analysis), a wrong key is used to decrypt the data and VBA32 doesn't find anything. This step comes right before step 3 (AES decryption).

This is the main idea:

1. take system time

2. sleep for 2 seconds

3. take system time again

4. compare system times. If more than one second has passed, then take the correct key value, otherwise take a wrong key value.

When VBA32 traces the code, it ignores the sleep statement and therefore takes the wrong key value. So now all 16 AVs are tricked.

Compile the Visual Studio project by pressing F7 (make sure that the Release profile is active).

[Screenshot]

Now you have got your Stub application "MyStub.exe" in the project output directory.

[Screenshot]

Okay, now we have our Stub compiled but no resource (encrypted data) attached to it. Unfortunately the Express version of Visual Studio does not allow us to add resources to our project. So we have to find another way to accomplish this. The tool Resource Hacker (see "1. Stuff you need" for a download link) will help us out of this misery.

4. Bind your encrypted exe with the Stub

Start the tool Resource Hacker and open "MyStub.exe" you just compiled in step 3. It should look like this:

[Screenshot]

Now navigate to "Action" -> "Add new Resource" and open your encrypted file "encrypted.dat" from step 2. As Resource Type fill in "BIN" and as Resource Name fill in "132". Important: these identifiers must match exactly what you coded into your MyStub.exe (MyStub.cpp) from step 3. If you have changed them you have to insert the correct values here too.

[Screenshot]

Click on "Add Resource". Now your resource tree should look like this:

[Screenshot]

Save your Stub with "File" -> "Save as" as a new application, e.g. "fud_server.exe" (the exe size should be the size of MyStub.exe + the size of encrypted.dat). Now your Stub is complete.

As a result you now have a crypted and working exe which is FUD (at the time of writing this tut).

Remember: the stub exe will sleep 2 seconds at the beginning in order to get the correct decryption key.

5. Play around with code to get your exe to be FUD again

The more people trying to get their exe FUD with the ideas of this tutorial, the more likely the AVs have already developed a new recognition pattern to detect this kind of crypter. I gave you the source code, so you have the power and possibility to modify the code. I would say there are at least 4 places where you can edit, modify or replace code. As mentioned above many AVs only support static code analysis, and that means when you manage to reorganise your Stub in some ways, it is FUD again because the pattern recognition of the AVs won't work anymore. So here come some ideas:

1. Change the encryption algorithm. There are many other algorithms out there like Blowfish, RC6, T-DES, ... you just need to search for C++ implementations on Google.

2. Modify the sleep statement trick (see step 3). I guess this is an easy finding for AVs so be creative and find other tricks that can distinguish between real execution and code analysis.

3. Change the way the resource (encrypted data) is handled. Maybe there are other ways to embed a resource inside an exe.

4. Change the way the decrypted code is executed in memory. I think the way I have implemented it right now is also an easy finding for AVs.


This is a copy-paste of a method that has been outdated for at least 2 years... I don't understand why you even bothered.

I had no idea. In the last few days I have been looking for a C++ source that is somewhat up to date and functional, so I could understand the concept better and then work on it or build my own crypter. The only one I found was this one, on 17 million different forums, besides others in VB6, VB.NET, Delphi etc... languages I don't know.

Can you help me with something better? Thanks ^^


Indeed, not many crypters have been written in C++. There are quite few sources for "inspiration" and there is nothing new, at least publicly. See this and this, maybe you will find something interesting there.

If you know C++ well (well enough to write a crypter), I think it wouldn't be that hard to understand VB sources. :)

Tip: in VB it can be done easily and quickly, almost FUD (3/47), and with a little imagination it can be done even better.



Awesome tut! One problem though:

I followed these instructions but I keep getting this error: Screenshot by Lightshot
