PeGuard - Windows PE crypter and packing utility

Related tags

CryptographyPeGuard
Overview

PEGUARD

PEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

PeGuard

PeGuard takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. PeGuard compresses the input file using GZIP and writes a copy to disk
  3. PeGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the PeGuard packed binary, however PeGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk along-side it's sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 PeGuard.py calc.exe calc_packed.exe

[+] Usage: python PeGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
This program can encrypt/ decrypt any string

Ceasar_cipher Hey this is J0ey, this program is a very basic Caesar cipher encoder/decoder. In order to use this program, you will need to have Python

1 Jan 11, 2022
Dicoding Machine Learning for Expert Submission 1 - Predictive Analytics

Laporan Proyek Machine Learning - Azhar Rizki Zulma Domain Proyek Domain proyek yang dipilih dalam proyek machine learning ini adalah mengenai keuanga

Azhar Rizki Zulma 6 Jul 23, 2022
Best blockchain in the world

alphachain Best blockchain in the world!!! Can be used to implement Layer 2 cryptocurrency protocol just click alphachain.py and it will execute autom

NiƱo Sison 0 Feb 18, 2022
Python repo to create blockchain CSVs

staketaxcsv Python repo to create blockchain CSVs for Terra (LUNA), Solana (SOL), and Cosmos (ATOM). CSV codebase for stake.tax Community contribution

187 Dec 31, 2022
Connects to an active BitCoin Peer and communicates in order to locate a specific block number (height)

BitCoin-Peer-Client Connects to an active BitCoin Peer, and locates a predetermined block number (height) by downloading block headers. Once required

Henry Song 1 Jan 16, 2022
This python module can analyse cryptocurrency news for any number of coins given and return a sentiment. Can be easily integrated with a Trading bot to keep an eye on the news.

Python script that analyses news headline or body sentiment and returns the overall media sentiment of any given coin. It can take multiple coins an

185 Dec 22, 2022
Mizogg-Bitcoin-Tools - A Python Tools for Bitcoin Information Balance, HASH160, DEC

Mizogg-Bitcoin-Tools Tools for Bitcoin Information Balance, HASH160, DEC, Englis

48 Jan 02, 2023
A Trading strategy for the Freqtrade crypto bot.

Important Thing to notice 1) Do not use this strategy on live. It is still undergoing dry-run. 2) The Hyperopt is highly optimized towards "shitcoin"

160 Dec 26, 2022
Advanced Digital Envelope System Using Cryptography Techniques (Encryption & Decryption)

Advanced-Digital-Envelope-System Advanced Digital Envelope System Using Cryptography Encryption Techniques The digital envelope system is the techniqu

NelakurthiSudheer 2 Jan 03, 2022
Solutions to all 6 programming assignments in Dan Boneh's course Cryptography I, in statically typed Python.

Solutions to Cryptography I programming exercises Dan Boneh from Stanford University has an excellent online course on cryptography, hosted on Courser

Axel Lindeberg 8 Dec 16, 2022
Python wrapper for the Equibles cryptos API.

Equibles Cryptos API for Python Requirements. Python 2.7 and 3.4+ Installation & Usage pip install If the python package is hosted on Github, you can

Equibles 1 Feb 02, 2022
Ethereum ETL lets you convert blockchain data into convenient formats like CSVs and relational databases.

Python scripts for ETL (extract, transform and load) jobs for Ethereum blocks, transactions, ERC20 / ERC721 tokens, transfers, receipts, logs, contracts, internal transactions.

Blockchain ETL 2.3k Jan 01, 2023
Generate simple encrypted messages!

Premio's Shift is a very simple text encryption, you can use it to send secret messages to your friends. Table of Content Table of Content How it work

Peterson Adami Candido 3 Aug 06, 2021
A python tool to track prices of various cryptocurrencies and alert

CryptoPriceTracker This is a tool to track prices of various cryptocurrencies and alert the user once the user defined maximum & minimum target is rea

1 Oct 01, 2021
BETCOIN BET is a digital currency system created with python

BETCOIN BET is a digital currency created with python and flask with features of a centralized bank, wallet system, and open transaction history of al

Ujjwal Kumar 3 Nov 16, 2021
Image Encryption/Decryption based on Rubik Cube 's principle and AES

Image Encryption/Decryption based on Rubik Cube 's principle and AES Our final project for Theory of Crytography class. Our Image Encryption/Decryptio

Danny 5 Apr 11, 2022
A simple Ethereum mining pool

A simple getWork pool for ethereum mining Payouts are still manual. TODO: write payouts when someone mines 10 blocks. Also, make the submit actually

93 Oct 05, 2022
JS Deobfuscation is a Python script that deobfuscates JS code and it's time saver for you

JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you. Although it may not work with high degrees of obfuscation, it's a pretty nice tool to help you even if it's j

Quatrecentquatre 3 May 01, 2022
Hasher Hash, Compare and Verify your files Translations

Hasher Hash, Compare and Verify your files Translations In order to translate Hasher to a language you must add a folder with the language abbreviatio

Jeyson Flores 14 Apr 01, 2022
A bot for FaucetCrypto a cryptocurrency faucet. The bot can currently claim PTC ads, main reward and all the shortlinks except exe.io and fc.lc.

A bot for the high paying popular cryptocurrency faucet Faucet Crypto. The bot is built using Python and Selenium, currently it is under active develo

Sourav R S 81 Dec 19, 2022