Skip to content

ALittlePatate/patate-crypter

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

patate-crypter

I am not responsible for any damage caused by this program. It was made as a learning experiment to gather more knowledge about anti virus.
The project structure is very messy because i wasn't planning on releasing it, sorry i guess.
I will not provide any support for running the program, it is only made for people interested in cyber security to learn more about how AV work. patate crypter officially supports 32bit and 64bit DLLs and PEs.
Note that the final payload does not use any Windows API, indirect syscalls are used instead.

Limitations

There is an issue where the reallocations would fail for specific payloads, TOFIX.
There is code in the metadata.py file to generate random BMP images in the metadata of the PE but it makes the entropy go way to high (from 6.4 to 7.4) (see link).

Detection rate

There is currently 0/40 detections for a crypted meterperter :

How does it work ?

The crypter (compile time) works by :

  • storing the raw bytes of the payload into a buffer (XOR encrypted)
  • adding junk code/control flow flattening to the decryption stub
  • copying a Windows file signature on the generated PE (using SigThief)

Then the stub (at runtime) :

  • if a VM is detected, proceeds to compute 20k digits of pi before exiting
  • decrypts the sections of the payload one by one and encrypts them back after copying them into the memory (bypasses ESET AV emulation)
  • rebases the payload to its new base address
  • calls (Dll)main

Here are screenshots of the same function before and after the obfuscation pass :
Without obfuscation :
no_obfuscation
With obfuscation (only showing a few nodes, the original graph was more than 40K nodes) :
obfuscated

How to run

cd Builder
python gui.py

Credits

About

patate's crypter

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published