FileGuard - File crypter and packing utility

Related tags

CryptographyFileGuard
Overview

FILEGUARD

FILEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

FileGuard

FILEGUARD takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. FileGuard compresses the input file using GZIP and writes a copy to disk
  3. FileGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the FileGuard packed binary, however, FileGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk alongside its sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 FileGuard.py calc.exe calc_packed.exe

[+] Usage: python FileGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
EncryptAGit - Encrypt Your Git Repos

EncryptAGit - Encrypt Your Git Repos

midnite_runr 25 Oct 06, 2022
Django-based Crypto Portfolio Tracker – keep an eye on Shiba Inu and other Crypto

Crypto Tracker 🐍 📈 – Central Portfolio Tracking Easy asset tracking – at a glance 🚀 Dashboard to centrally monitor current crypto portfolio develop

65 Jan 08, 2023
Best blockchain in the world

alphachain Best blockchain in the world!!! Can be used to implement Layer 2 cryptocurrency protocol just click alphachain.py and it will execute autom

Niño Sison 0 Feb 18, 2022
Gearbox-vyper-contracts - Auxillary contracts for the Gearbox Protocol written in Vyper

Gearbox Vyper Contracts Auxillary contracts for the Gearbox Protocol written in

Edward Amor 4 Jan 07, 2022
SysWhispers integrated shellcode loader w/ ETW patching & anti-sandboxing

TymSpecial Shellcode Loader Description This project was made as a way for myself to learn C++ and gain insight into how EDR products work. TymSpecial

Nick Frischkorn 145 Dec 20, 2022
Implementation of Smart Batch Auction for NFT launches on Tezos.

NFT Smart Batch Auction Smart Batch Auctions are an improvement over the traditional first come first serve (FCFS) NFT drops. FCFS design has been in

Anshu Jalan 5 May 06, 2022
Image AES256 crypt-decrypt

Image AES256 crypt-decrypt

Damian Panek 37 Nov 09, 2021
Crypto Stats and Tweets Data Pipeline using Airflow

Crypto Stats and Tweets Data Pipeline using Airflow Introduction Project Overview This project was brought upon through Udacity's nanodegree program.

Matthew Greene 1 Nov 24, 2021
This program can encrypt and decrypt your files so that they can no longer be identified.

File_Cryptographer Table of Contents: About the Program Features Requirements Preview Credits Reach Me See Also About the Program: with this program,

Sina.f 6 Nov 20, 2022
This is a webpage that contains login and signup page by which the password is stored using elliptic curve cryptography

LoginPage_using_Elliptic_curve_cryptography- This is a webpage that contains login and signup page by which the password is stored using elliptic curv

1 Oct 15, 2021
Mina is a new cryptocurrency with a constant size blockchain, improving scaling while maintaining decentralization and security.

Mina Mina is the first cryptocurrency with a lightweight, constant-sized blockchain. This is the main source code repository for the Mina project. It

1.6k Jan 07, 2023
Python binding to the Networking and Cryptography (NaCl) library

PyNaCl: Python binding to the libsodium library PyNaCl is a Python binding to libsodium, which is a fork of the Networking and Cryptography library. T

Python Cryptographic Authority 941 Jan 04, 2023
Python implementation of EIP 1577 content hash

ContentHash for Python Python implementation of EIP 1577 content hash. Description This is a simple package made for encoding and decoding content has

Filip Š 11 Jul 19, 2022
The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications

The Qis|krypt⟩ is a software suite of protocols of quantum cryptography and quantum communications, as well, other protocols and algorithms, built using IBM’s open-source Software Development Kit for

Qiskrypt 14 Oct 31, 2022
Tutela: an Ethereum and Tornado Cash Anonymity Tool

Tutela: an Ethereum and Tornado Cash Anonymity Tool The repo contains open-source code for Tutela, an anonymity tool for Ethereum and Tornado Cash use

TutelaLabs 96 Dec 05, 2022
GmJEWEL - The monorepo for the Greedy Merchants Guild

Greedy Merchants Guild Hello! Welcome to the monorepo for the Greedy Merchants G

Greedy Merchants Guild 5 Mar 09, 2022
A Python Tool to encrypt all types of files using AES and XOR Algorithm.

DataShield This project intends to protect user’s data, it stores files in encrypted format in device provided the passcode and path of the file. AES

ADITYA SHINDE 4 Dec 20, 2021
Audit of classmate's smart contract in blockchain seminar

Solidity-contract-audit Audit of classmate's smart contract in blockchain seminar Assignment: The task was to create a complete audit, including unit

smrza 0 Feb 04, 2022
Use this script to track the gains of cryptocurrencies using historical data and display it on a super-imposed chart in order to find the highest performing cryptocurrencies historically

crypto-performance-tracker Use this script to track the gains of cryptocurrencies using historical data and display it on a super-imposed chart in ord

Andrei 25 Aug 31, 2022
A tool that can encrypt python2 or python3 code with the given password and can reuse with that password

A tool that can encrypt python2 or python3 code with the given password and can reuse with that password

Md Rasel Bhuyan 3 Feb 28, 2022