FileGuard - File crypter and packing utility

Related tags

CryptographyFileGuard
Overview

FILEGUARD

FILEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

FileGuard

FILEGUARD takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. FileGuard compresses the input file using GZIP and writes a copy to disk
  3. FileGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the FileGuard packed binary, however, FileGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk alongside its sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 FileGuard.py calc.exe calc_packed.exe

[+] Usage: python FileGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
Python Steganography data hiding in image

Python-Steganography Python Steganography data hiding in image data encryption and decryption im here you have to import stepic module 1.open CMD 2.ty

JehanKandy 10 Jul 13, 2022
Encrypt your code without a worry. Stark utilizes the base64, hashlib and Crypto lib to encrypt your code which cannot be decrypted with any online tools.

Stark Encrypt your code without a worry. Stark utilizes the base64, hashlib and Crypto lib to encrypt your code which cannot be decrypted with any onl

cliphd 3 Sep 10, 2021
A crypto wallet to send bnb and ether coin using web3.py and moralis speedy node

A crypto wallet to send bnb and ether coin using web3.py and moralis speedy node

Ciscoquan 3 Aug 16, 2022
That Hash will name that hash type! Identify MD5, SHA256 and 300+ other hashes Comes with

Call for translators! We're looking for translators to help translate this spec for everyone! Read this documentation in the following languages 한국어 中

All Contributors 6.8k Jan 05, 2023
Audit of classmate's smart contract in blockchain seminar

Solidity-contract-audit Audit of classmate's smart contract in blockchain seminar Assignment: The task was to create a complete audit, including unit

smrza 0 Feb 04, 2022
Gridlock - Encryption and decryption python project

Gridlock Encryption Encryption and decryption of plain text messages inspired by

Matthew 2 Mar 23, 2022
PyBeacon is a collection of scripts for dealing with Cobalt Strike's encrypted traffic.

PyBeacon is a collection of scripts for dealing with Cobalt Strike's encrypted traffic. It can encrypt/decrypt beacon metadata, as well as pa

NCC Group Plc 162 Dec 21, 2022
Coins farmer for dank memer

Created by TheRider#5308 [feel free to drop by to talk]. Note to some Dank Memer staff reading this: Nah I don't self bot, already got banned for that

Siddhant Kumar 3 Nov 10, 2021
Message Encrypt and decrypt software // allows you to encrypt the secrete message and decrypt Another Encryption Message. |

Message-Encrypy-Decrypt-App Message Encrypt and decrypt software // allows you to encrypt the secrete message and decrypt Another Encryption Message.

Abdulrahman-Haji 2 Dec 16, 2021
The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications

The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications, as well, other protocols and algorithms, built using IBM’s open-source Software Development Kit for

Qiskrypt 14 Oct 31, 2022
Deriving RSA public keys from message-signature pairs

The repository contains: Experimental code to calculate RSA public keys based on two known message-signature pairs

Silent Signal 120 Dec 31, 2022
Bitcoin Wallet Address Generator

Bitcoin Wallet Address Generator This is a simple Bitcoin non-deterministic wallet address generator coded in Python 3. It generates a Private Key in different formats (hex, wif and compressed wif) a

11 Dec 29, 2022
A python script for AES Angecryption in Steganography

Angecryption is an encryption or an decryption result from a file to create an other file with the same / or not type.

ISIS 3 Jul 25, 2022
Pool funds to bootstrap a Uniswap pair

Seed liquidity A contract to pool funds which are then used to boostrap a new Uniswap liquidity pair. Specification A new SeedLiquidity contract is de

66 Dec 09, 2022
Stai Beta Of Staiking Chain - Food, Water And Electricity - Worldwide

Stai Beta Of Staiking Chain - Food, Water And Electricity - Worldwide

STATION-I 2 Feb 05, 2022
Vaulty - Encrypt/Decrypt with ChaCha20-Poly1305

Vaulty Encrypt/Decrypt with ChaCha20-Poly1305 Vaulty is an extremely lightweight encryption/decryption tool which uses ChaCha20-Poly1305 to provide 25

Chris Mason 1 Jul 04, 2022
Quant & Systematic Crypto Research Tools

qsec Quant & Systematic Crypto Research Tools --WORK IN PROGRESS-- This repo is a collection of research tools to help in exploring and building sys

Darren Smith 3 Jul 12, 2022
Generate Random ETH addresses and Private Keys and Saved to file.

ethgen.py Generate Random ETH addresses and Private Keys and Saved to file. ETH address the file is stored in ETH-address.txt. ETH private keys the fi

deanondroid 2 Dec 21, 2021
Python App To Encrypt Data (image, text, all data)

Python App To Encrypt Data (image, text, all data)

1 Oct 29, 2021
BOT para o BombCrypto para infinitas contas em simultâneo!!!

BOT - MultiContas para BombCrypto - v 0.4.0 Funções extras: Envios de notificações via Telegram: Aviso de Inicialização do Bot Aviso de Conclusão de M

Rai Zancanaro 19 Dec 20, 2022