PeGuard - Windows PE crypter and packing utility

Related tags

CryptographyPeGuard
Overview

PEGUARD

PEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

PeGuard

PeGuard takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. PeGuard compresses the input file using GZIP and writes a copy to disk
  3. PeGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the PeGuard packed binary, however PeGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk along-side it's sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 PeGuard.py calc.exe calc_packed.exe

[+] Usage: python PeGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
A lightweight encryption library in python.

XCrypt About This was initially a project to prove that I could make a strong encryption but I decided to publish it so that the internet peoples coul

Anonymous 8 Sep 10, 2022
Microllect - Fully automated btc wallet hack,using advanced protocols

Microllect - Fully automated btc wallet hack,using advanced protocols

Arya kaghazkanani 40 Dec 17, 2022
E2EE disabling plugin for Synapse

E2EE disabling plugin for Synapse This Pluggable Module disables end-to-end encryption in a self-hosted Synapse servers. It works by stripping out req

Konstantin Sharlaimov 9 Nov 30, 2022
Signarly is a cryptocurrency trading bot.

Signarly is a cryptocurrency trading bot.

Zakaria EL Mesaoudi 5 Oct 06, 2022
Python Encryption Name Game

Python 3.9.7 Encryption Name Game Encrypt a name with numbers using a Caesar cipher! You can choose different numbers to encrypt your name from 1 to o

Armand Brunelle 3 Dec 24, 2021
dashboard to track crypto prices and change via the coinmarketcap APIs

crypto-dashboard Dashboard to track crypto prices and change via the coinmarketcap APIs. Uses chart.js and ag-grid. Requirements: python 3 (was writte

4 Nov 09, 2021
Python implementation of EIP 1577 content hash

ContentHash for Python Python implementation of EIP 1577 content hash. Description This is a simple package made for encoding and decoding content has

Filip Š 11 Jul 19, 2022
Tools for running airdrop and token distribution campaigns on the Solana blockchain.

Overview This repository contains some of the scripts we have used for running our airdrop campaigns and other distributions. Initially, all of these

147 Nov 17, 2022
Vaulty - Encrypt/Decrypt with ChaCha20-Poly1305

Vaulty Encrypt/Decrypt with ChaCha20-Poly1305 Vaulty is an extremely lightweight encryption/decryption tool which uses ChaCha20-Poly1305 to provide 25

Chris Mason 1 Jul 04, 2022
Python FFI bindings for libsecp256k1 (maintained)

secp256k1-py Python FFI bindings for libsecp256k1 (an experimental and optimized C library for EC operations on curve secp256k1). Previously maintaine

Rusty Russell 29 Dec 29, 2022
Dicoding Machine Learning for Expert Submission 1 - Predictive Analytics

Laporan Proyek Machine Learning - Azhar Rizki Zulma Domain Proyek Domain proyek yang dipilih dalam proyek machine learning ini adalah mengenai keuanga

Azhar Rizki Zulma 6 Jul 23, 2022
Discord webhooks for alerting crypto currency price changes & historical data.

Crypto-Discord Discord Webhooks for alerting crypto currency price changes & historical data. Create virtual environment and install requirements. $ s

Филип Арсовски 1 Sep 02, 2022
Python program that handles the creation, encryption and storage of log/journal files. Kinda works like a diary of sorts.

LucaSoft J.O.U.R.N.A.L The J.O.U.R.N.A.L (Just anOther User Redaction & Navigation Assistant by Lucaspec72) is a Python program that handles the creat

Lucaspec72 8 Oct 27, 2021
This program can encrypt/ decrypt any string

Ceasar_cipher Hey this is J0ey, this program is a very basic Caesar cipher encoder/decoder. In order to use this program, you will need to have Python

1 Jan 11, 2022
I coded the sha256 algorithm into python without using any modules.

sha256.py I coded the sha256 algorithm in python without using any modules. The purpose of the code was to better understand the algorithm and learn h

4 Dec 12, 2022
A simple and secure password-based encryption & decryption algorithm based on hash functions, implemented solely based on python.

pyhcrypt A simple and secure password-based encryption & decryption algorithm based on hash functions, implemented solely based on python. Usage Pytho

Hongfei Xu 3 Feb 08, 2022
s-pass is a program that creates strong passwords and then encrypts the password and saves it to a file. To see the encrypted password, execute the decrypt.py file and paste the password in the txt file into the incoming question.

s-pass v1.1 s-pass is a program that creates strong passwords and then encrypts the password and saves it to a file. To see the encrypted password, ex

Alpkunt 9 Sep 09, 2022
Enchpyter, is able to encrypt and decrypt words as you determine, of course, according to the alphabet.

Enchpyter Enchpyter is a program do encrypt and decrypt any word you want (just letters). You enter how many letters jumps and write the word, so, the

João Assalim 2 Oct 10, 2022
Aplicação de monitoramento de valores de criptos através da API do Mercado Bitcoin.

myCrypto_MercadoBitcoin Aplicação de monitoramento de valores de criptos através da API do Mercado Bitcoin. Apoie esse projeto! 💵 💵 Olá! Você pode r

Vinícius Azevedo 122 Nov 27, 2022
Hide secret texts inside an image, optionally encrypt them with a password using AES-256.

Hide secret texts/messages inside an image. You can optionally encrypt your texts with a password using AES-256 before encoding into the image.

Teja Swaroop 97 Dec 29, 2022