PeGuard - Windows PE crypter and packing utility

Related tags

CryptographyPeGuard
Overview

PEGUARD

PEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

PeGuard

PeGuard takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. PeGuard compresses the input file using GZIP and writes a copy to disk
  3. PeGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the PeGuard packed binary, however PeGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk along-side it's sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 PeGuard.py calc.exe calc_packed.exe

[+] Usage: python PeGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
Random Password Generator With Python

Random_Password_Generator example output length

Mahdi Rostami Pooya 2 Dec 22, 2021
The (Python-based) mining software required for the Game Boy mining project.

The (Python-based) mining software required for the Game Boy mining project.

Ghidra Ninja 31 Nov 04, 2022
Python-RSA is a pure-Python RSA implementation.

Pure Python RSA implementation Python-RSA is a pure-Python RSA implementation. It supports encryption and decryption, signing and verifying signatures

Sybren A. Stüvel 418 Jan 04, 2023
Modern(-ish) password hashing for your software and your servers

bcrypt Good password hashing for your software and your servers Installation To install bcrypt, simply: $ pip install bcrypt Note that bcrypt should b

Python Cryptographic Authority 947 Dec 28, 2022
A simple web application with tools of cryptography, made with Flask and Cryptography.

Crypto Tools A web application made with Flask that allows the use of some cryptography tools like message digest, RSA key pair generation and a decip

Felipe Valentin 0 Jan 20, 2022
A community effort to bring back Duino-Coin

Duino-Coin-Revived A community effort to bring back Duino-Coin! Along with reviving the cryptocurrency, we will add many improvements to it, including

1 Dec 22, 2021
TON Command Line Interface - easy smart contract manipulation

toncli The Open Network cross-platform smart contract command line interface. Easy to deploy and interact with TON smart contracts. Installation Toncl

Disintar IO 100 Dec 18, 2022
Cyber Security Starter Kit Platform

Cyber Security Starter Kit Platform (CSSKP) allows to instantiate new self-assessment products such as Fit4Cybersecurity, Fit4Privacy, Fit4Contract and the like.

CASES Luxembourg 3 Oct 21, 2021
Simple one-time pad (OTP) encryption

Introduction What you will make In this resource you will learn how to create and use an encryption technique known as the one-time pad. This method o

Rabih ND 6 Nov 06, 2022
Repository detailing Choice Coin's Creation and Documentation

Choice Coin V1 This Repository provides code and documentation detailing Choice Coin V1, a utility token built on the Algorand Blockchain. Choice Coin

Choice Coin 245 Dec 29, 2022
A simple key-based text encryption process that encrypts a string based in a list of characteres pairs.

Simple Cipher Encrypter About | New Features | Exemple | How To Use | License ℹ️ About A simple key-based text encryption process that encrypts a stri

Guilherme Farrel 1 Oct 21, 2021
FileGuard - File crypter and packing utility

FILEGUARD FILEGUARD is a file crypter and packing utility. This project was orig

11 Nov 28, 2022
Looks for Bitcoin Wallets starting 1 compresses and Uncompressesed, segwit address and MultiSig starting 3.

Looks for Bitcoin Wallets starting 1 compresses and Uncompressesed, segwit address and MultiSig starting 3. Pick your starting and stop numbers to start looking. Need a database of addresses to check

10 Dec 22, 2022
Programme de chiffrement et déchiffrement affine d'un message en python3.

Chiffrement Affine En Python3 Programme de chiffrement et déchiffrement affine d'un message en python3. Explication du chiffrement affine avec complex

Malik Makkes 1 Mar 26, 2022
C0mptCrypt - An object-oriented, minamalistic, simple encryption library in Python

C0mptCrypt allows you to encrypt strings of text. It can only be decrypted using C0mptCrypt and not by random online tools. You can use this for a variety of things from creating passwords, to encryp

c0mpt0 4 Aug 22, 2022
s-pass is a program that creates strong passwords and then encrypts the password and saves it to a file. To see the encrypted password, execute the decrypt.py file and paste the password in the txt file into the incoming question.

s-pass v1.1 s-pass is a program that creates strong passwords and then encrypts the password and saves it to a file. To see the encrypted password, ex

Alpkunt 9 Sep 09, 2022
The (Python-based) mining software required for the Nintendo Switch mining project.

ntgbtminer - Nintendo Switch edition This is a version of ntgbtminer that works with the Nintendo Switch bitcoin miner. ntgbtminer ntgbtminer is a no

4 Jun 03, 2021
A cairo port for Rari Capital Vaults

crypts • Architecture contracts ├─ CryptFactory — "Factory for deploying Crypt contracts for any ERC20 token." ├─ Crypt — "Flexible, minimalist, and g

alucard 9 Sep 02, 2022
Python based project to pull useful account statistics from the Algorand block chain.

PlanetWatchStats Python based project to pull useful account statistics from the Algorand block chain. Setup pip install -r requirements.txt Run pytho

M0x40 1 Jan 27, 2022
A discord bot to crop an NFT image living on the Solana blockchain.

NFT Discord Cropper This discord bot crops an NFT in your set measures by getting it through the .cache file which has been used to make a candy machi

Rude Golems 7 Mar 21, 2022