PeGuard - Windows PE crypter and packing utility


PEGUARD

PEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here; however, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP, and it can be found here.


Technical Details

PeGuard

PeGuard takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. PeGuard compresses the input file using GZIP and writes a copy to disk
  3. PeGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the PeGuard-packed binary; however, PeGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk alongside its sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload
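
Because the AES key travels at the end of the ciphertext and the IV is fixed, a blob in the layout described under PeGuard and Dropper Utility above can be unpacked statically for triage, without running the dropper. The following analyst-side sketch is an added example, not code from PeGuard or CUBDROP; the function names are hypothetical, and it assumes the key is the last 16 raw bytes in the clear, the IV is the 16 ASCII characters `ffffffffffffffff`, and the `cryptography` package is installed.

```python
import hashlib
import zlib

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY_LEN = 16      # assumption: AES-128 key appended as 16 raw bytes
IV = b"f" * 16    # assumption: IV is the ASCII string shown in the tool output
BLOCK = 16        # AES block size; CBC ciphertext is always a multiple of it


def split_blob(blob: bytes):
    """Separate the ciphertext from the trailing key, rejecting impossible sizes."""
    if len(blob) < KEY_LEN + BLOCK or (len(blob) - KEY_LEN) % BLOCK:
        raise ValueError("size is not N*16 ciphertext bytes plus a 16-byte key")
    return blob[:-KEY_LEN], blob[-KEY_LEN:]


def unpack(blob: bytes) -> bytes:
    """Decrypt with the embedded key, then decompress the GZIP stream."""
    body, key = split_blob(blob)
    dec = Cipher(algorithms.AES(key), modes.CBC(IV)).decryptor()
    plain = dec.update(body) + dec.finalize()
    if plain[:2] != b"\x1f\x8b":
        raise ValueError("no GZIP magic after decryption; not this layout")
    # wbits=31 selects the gzip container. Block-cipher padding that follows
    # the gzip trailer lands in unused_data, so the padding scheme is irrelevant.
    inflater = zlib.decompressobj(wbits=31)
    return inflater.decompress(plain) + inflater.flush()


def triage(blob: bytes) -> dict:
    """Summarise the recovered payload for hunting and sandbox submission."""
    payload = unpack(blob)
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",
    }
```

The SHA-256 of the recovered payload is the value worth hunting on: the packed file's hash changes with every randomly generated key, while the inner payload does not.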

Example Usage

$ python3 PeGuard.py calc.exe calc_packed.exe

[+] Usage: python PeGuard.py 
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key