FileGuard - File crypter and packing utility

Related tags

CryptographyFileGuard
Overview

FILEGUARD

FILEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

FileGuard

FILEGUARD takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. FileGuard compresses the input file using GZIP and writes a copy to disk
  3. FileGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the FileGuard packed binary, however, FileGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk alongside its sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 FileGuard.py calc.exe calc_packed.exe

[+] Usage: python FileGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
Persian caesar and rot16 encryptor and decryptor

persian caesar and rot16 encrypt and decrypt how to install if you use windows python -m venv .venv .\.venv\Script\activate python -m pip install -r r

Mehdi Radfar 5 Oct 28, 2022
Blockchain online Voting System

decentralized-voting-system A decentralized voting system where a user can walk into a government authorized center (Ex- banks, telecom companies etc.

Mahima Arora 1 Dec 28, 2021
Hyval will store your information encrypted and decrypt it when needed

Hyval will store your information encrypted and decrypt it when needed

soroush safari 3 Oct 31, 2021
A crypto wallet to send bnb and ether coin using web3.py and moralis speedy node

A crypto wallet to send bnb and ether coin using web3.py and moralis speedy node

Ciscoquan 3 Aug 16, 2022
SVSHI - Secure and Verified Smart Home Infrastructure

The SVSHI (Secure and Verified Smart Home Infrastructure) (pronounced like "sushi") project is a platform/runtime/toolchain for developing and running formally verified smart infrastructures, such as

Dependable Systems Laboratory 3 Oct 28, 2022
Tutela: an Ethereum and Tornado Cash Anonymity Tool

Tutela: an Ethereum and Tornado Cash Anonymity Tool The repo contains open-source code for Tutela, an anonymity tool for Ethereum and Tornado Cash use

TutelaLabs 96 Dec 05, 2022
Image AES256 crypt-decrypt

Image AES256 crypt-decrypt

Damian Panek 37 Nov 09, 2021
A repository for Algogenous Smart Contracts created on the Algorand Blockchain.

Smart Contacts This Repository is dedicated to code for Alogrand Smart Contracts using Choice Coin. Read Docs for how to implement Algogenous Smart Co

Choice Coin 3 Dec 20, 2022
A simple, terminal password manager in Python.

A simple, terminal password manager in Python.

81 Nov 22, 2022
Random Password Generator With Python

Random_Password_Generator example output length

Mahdi Rostami Pooya 2 Dec 22, 2021
Skepticoin is a peer-to-peer digital currency that enables you to send money online

What is Skepticoin? Skepticoin is a peer-to-peer digital currency that enables you to send money online. It's also the central community of people who

64 Aug 06, 2022
High Performance Blockchain Deserializer

bitcoin_explorer is an efficient library for reading bitcoin-core binary blockchain file as a database (utilising multi-threading).

Congyu 2 Dec 28, 2021
Encrypt Your Script Python

EncryptScritpPY Encrypt Your Script Python This Script For Encrypt Your File Python Tutorial Install [+] Open Termnal [+] Type: git clone https://gith

1 Oct 07, 2021
Encrypt your code without a worry. Stark utilizes the base64, hashlib and Crypto lib to encrypt your code which cannot be decrypted with any online tools.

Stark Encrypt your code without a worry. Stark utilizes the base64, hashlib and Crypto lib to encrypt your code which cannot be decrypted with any onl

cliphd 3 Sep 10, 2021
BOT para o BombCrypto para infinitas contas em simultâneo!!!

BOT - MultiContas para BombCrypto - v 0.4.0 Funções extras: Envios de notificações via Telegram: Aviso de Inicialização do Bot Aviso de Conclusão de M

Rai Zancanaro 19 Dec 20, 2022
Simple encryption/decryption utility using Pycryptodome module. Working with AES and RSA algorithms.

EncypherUtil Simple encryption/decryption utility using PyCryptodome module. Working with AES and RSA algorithms. THIS UTILITY IS NOT LICENSED AS CRYP

Egor Yakubovich 0 Jun 14, 2022
Small utility to encrypt and decrypt messages

Safe Safe is a small utility to encrypt and decrypt messages using a pair of public and private keys. Installation You need to have GPG installed in y

Gustavo Eguez 2 Dec 21, 2021
Quant & Systematic Crypto Research Tools

qsec Quant & Systematic Crypto Research Tools --WORK IN PROGRESS-- This repo is a collection of research tools to help in exploring and building sys

Darren Smith 3 Jul 12, 2022
Python Cryptocurrency with stealth addresses

Python Cryptocurrency with stealth addresses. Goal is to have create a cryptocurency that hides transactions totally. I.E. Cant see ammount sent, to who, or from who.

3 Aug 04, 2022
PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password !

PyCrypter PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password ! Requirements pyfiglet And colorama Usage First Clone The

1 Nov 12, 2021