FileGuard - File crypter and packing utility

Related tags

CryptographyFileGuard
Overview

FILEGUARD

FILEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

FileGuard

FILEGUARD takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. FileGuard compresses the input file using GZIP and writes a copy to disk
  3. FileGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the FileGuard packed binary, however, FileGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk alongside its sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 FileGuard.py calc.exe calc_packed.exe

[+] Usage: python FileGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
A discord bot to crop an NFT image living on the Solana blockchain.

NFT Discord Cropper This discord bot crops an NFT in your set measures by getting it through the .cache file which has been used to make a candy machi

Rude Golems 7 Mar 21, 2022
Encrypt your code without a worry. Stark utilizes the base64, hashlib and Crypto lib to encrypt your code which cannot be decrypted with any online tools.

Stark Encrypt your code without a worry. Stark utilizes the base64, hashlib and Crypto lib to encrypt your code which cannot be decrypted with any onl

cliphd 3 Sep 10, 2021
Retrieve ECDSA signature R,S,Z values from blockchain rawtx or txid.

rsz Retrieve ECDSA signature R,S,Z values from blockchain rawtx or txid. Info The script parse the data of rawtx to fetch all the inputs in the transa

iceland 29 Nov 18, 2022
Gold(Gold) is a modern cryptocurrency built from scratch, designed to be efficient, decentralized, and secure

gold-blockchain (Gold) Gold(Gold) is a modern cryptocurrency built from scratch, designed to be efficient, decentralized, and secure. Here are some of

zcomputerwiz 3 Mar 09, 2022
Pogramme de chiffrement et déchiffrement césar d'un message en python3.

Chiffrement Cesar En Python3 Pogramme de chiffrement et déchiffrement césar d'un message en python3. Explication du chiffrement César avec complexité

Malik Makkes 1 Mar 26, 2022
Address Validator (Bitcoin & Monero)

The Bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1, 3 or bc1. 0, O, I, l are removed to avoid visual a

0 Mar 29, 2022
Discord webhooks for alerting crypto currency price changes & historical data.

Crypto-Discord Discord Webhooks for alerting crypto currency price changes & historical data. Create virtual environment and install requirements. $ s

Филип Арсовски 1 Sep 02, 2022
Given a string or a text file with plain text , returns his encryption using SHA256 method

Encryption using SHA256 Given a string or a .txt file with plain text. Returns his encryption using SHA256 method Requirements : pip install pyperclip

yuno 3 Jan 24, 2022
Linear encryption software programmed with python

Echoder linear encryption software programmed with python How does it work? The text in the text section runs a function with two keys entered keys mu

Emre Orhan 4 Dec 20, 2021
Simple encryption-at-rest with key rotation support for Python.

keyring Simple encryption-at-rest with key rotation support for Python. N.B.: keyring is not for encrypting passwords--for that, you should use someth

Dann Luciano 1 Dec 23, 2021
Django-based Crypto Portfolio Tracker – keep an eye on Shiba Inu and other Crypto

Crypto Tracker 🐍 📈 – Central Portfolio Tracking Easy asset tracking – at a glance 🚀 Dashboard to centrally monitor current crypto portfolio develop

65 Jan 08, 2023
This is an experimental AES-encrypted RPC API for ESP 8266.

URPC This is an experimental AES-encrypted RPC API for ESP 8266. Usage The server folder contains a sample ESP 8266 project. Simply set the values in

Ian Walton 1 Oct 26, 2021
Technical_indicators_cryptos - Using technical indicators to find optimal trading strategies to deploy onto trading bot.

technical_indicators_cryptos Using technical indicators to find optimal trading strategies to deploy onto trading bot. In the Jup Notebook you wil

Van 4 Jul 03, 2022
Tools for running airdrop and token distribution campaigns on the Solana blockchain.

Overview This repository contains some of the scripts we have used for running our airdrop campaigns and other distributions. Initially, all of these

147 Nov 17, 2022
Python implementation of EIP 1577 content hash

ContentHash for Python Python implementation of EIP 1577 content hash. Description This is a simple package made for encoding and decoding content has

Filip Š 11 Jul 19, 2022
PeGuard - Windows PE crypter and packing utility

PEGUARD PEGUARD is a file crypter and packing utility. This project was original

11 Nov 28, 2022
Simple BRender SDK KeyGen.

Super Simple BRender KeyGen Simple BRender SDK KeyGen. Info This is just a super simple keygen for the BRender SDK installer coded in python. All test

1 Jan 15, 2022
Python binding to the Networking and Cryptography (NaCl) library

PyNaCl: Python binding to the libsodium library PyNaCl is a Python binding to libsodium, which is a fork of the Networking and Cryptography library. T

Python Cryptographic Authority 941 Jan 04, 2023
The leading native Python SSHv2 protocol library.

Paramiko Paramiko: Python SSH module Copyright: Copyright (c) 2009 Robey Pointer 8.1k Jan 08, 2023

A simple key-based text encryption process that encrypts a string based in a list of characteres pairs.

Simple Cipher Encrypter About | New Features | Exemple | How To Use | License ℹ️ About A simple key-based text encryption process that encrypts a stri

Guilherme Farrel 1 Oct 21, 2021