PeGuard - Windows PE crypter and packing utility

Related tags

CryptographyPeGuard
Overview

PEGUARD

PEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

PeGuard

PeGuard takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. PeGuard compresses the input file using GZIP and writes a copy to disk
  3. PeGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the PeGuard packed binary, however PeGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk along-side it's sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 PeGuard.py calc.exe calc_packed.exe

[+] Usage: python PeGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
Python Dash app that tracks whale activity in cryptocurrency markets.

Introduction Welcome! This is a Python-based Dash app meant to track whale activity in buy / sell walls on crypto-currency exchanges (presently just o

Paul Jeffries 549 Dec 25, 2022
Mina is a new cryptocurrency with a constant size blockchain, improving scaling while maintaining decentralization and security.

Mina Mina is the first cryptocurrency with a lightweight, constant-sized blockchain. This is the main source code repository for the Mina project. It

1.6k Jan 07, 2023
Random Password Generator With Python

Random_Password_Generator example output length

Mahdi Rostami Pooya 2 Dec 22, 2021
Salted Crypto Python library

Salted Crypto Python library. Allows to encrypt and decrypt files and directories using popular cryptographic algorithms with salty key(s).

7 Jul 18, 2022
A simple and secure password-based encryption & decryption algorithm based on hash functions, implemented solely based on python.

pyhcrypt A simple and secure password-based encryption & decryption algorithm based on hash functions, implemented solely based on python. Usage Pytho

Hongfei Xu 3 Feb 08, 2022
💰 An Alfred Workflow that provides current price of cryptocurrency

Coin Ticker for Alfred Workflow An Alfred Workflow that provides current price and status about cryptocurrency from cryptocompare.com. Supports Alfred

Bumsoo Kim (Ian) 14 Nov 17, 2022
Smart-contracts - open sourcing our upcoming smart contracts for better security and transparency

Smart-contracts - open sourcing our upcoming smart contracts for better security and transparency

Rand Gallery 16 Jul 10, 2022
Python implementation of EIP 1577 content hash

ContentHash for Python Python implementation of EIP 1577 content hash. Description This is a simple package made for encoding and decoding content has

Filip Å  11 Jul 19, 2022
Powerful Tool to encrypt and decrypt files using AES.

AEScryptor Tool Description Encrypt and Decrypt files with AES-128 (16bytes key). AES mode = CFB (cipher Feedback) security = super safe! Usage [1] Ch

5 Jan 12, 2022
RSI Algorithmic Trading with Python

In this repository you can see my first algorithhmic trading script. I use 5 cryptocurrencies: Bitcoin (BTC), Ethereum (ETH), Bitcoin Cash (BCH), Litecoin (LTC) and Chainlink (LINK).

Jon Aldekoa 4 Mar 16, 2022
theHasher Tool created for generate strong and unbreakable passwords by using Hash Functions.Generate Hashes and store them in txt files.Use the txt files as lists to execute Brute Force Attacks!

$theHasher theHasher is a Tool for generating hashes using some of the most Famous Hashes Functions ever created. You can save your hashes to correspo

SR18 6 Feb 02, 2022
Python binding to the Networking and Cryptography (NaCl) library

PyNaCl: Python binding to the libsodium library PyNaCl is a Python binding to libsodium, which is a fork of the Networking and Cryptography library. T

Python Cryptographic Authority 941 Jan 04, 2023
s-pass is a program that creates strong passwords and then encrypts the password and saves it to a file. To see the encrypted password, execute the decrypt.py file and paste the password in the txt file into the incoming question.

s-pass v1.1 s-pass is a program that creates strong passwords and then encrypts the password and saves it to a file. To see the encrypted password, ex

Alpkunt 9 Sep 09, 2022
SDU experiment of introduction to the cryptography

Lab 01 (2 hrs): Programming Basics Program 1: Type Hint, String, Bytes, Hex, Base64 Lab 02 (4 hrs): Classical Cryptography Part 1 (3 hrs): Program 1:

1 Jan 03, 2022
Modeval (or Modular Eval) is a modular and secure string evaluation library that can be used to create custom parsers or interpreters.

modeval Modeval (or Modular Eval) is a modular and secure string evaluation library that can be used to create custom parsers or interpreters. Basic U

2 Jan 01, 2022
Tool to compare smart contracts source code

smartdiffer Tool to compare smart contracts source code. Heavily relies on API of Etherscan and Diffchecker. Installation pip install smartdiffer API

Roman Moskalenko 23 Nov 16, 2022
This is a simple Bitcoin non-deterministic wallet address generator coded in Python 3.

This is a simple Bitcoin non-deterministic wallet address generator coded in Python 3. It generates a Private Key in different formats (hex, wif and compressed wif) and corresponding Public Addresses

7 Dec 22, 2022
A bot that escrows crypto transactions on Reddit

EscrowBot I NEED BCH TESTNET FOR TESTING. Please send me some BCH testnet if you have some: bchtest:qz5eur3prqyvd8u77m6fzf9z6cruz9q7vq4qvgdnuk Depende

Nathan Lim 10 Nov 10, 2022
Vaulty - Encrypt/Decrypt with ChaCha20-Poly1305

Vaulty Encrypt/Decrypt with ChaCha20-Poly1305 Vaulty is an extremely lightweight encryption/decryption tool which uses ChaCha20-Poly1305 to provide 25

Chris Mason 1 Jul 04, 2022
Generate simple encrypted messages!

Premio's Shift is a very simple text encryption, you can use it to send secret messages to your friends. Table of Content Table of Content How it work

Peterson Adami Candido 3 Aug 06, 2021