PeGuard - Windows PE crypter and packing utility

Related tags

CryptographyPeGuard
Overview

PEGUARD

PEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

PeGuard

PeGuard takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. PeGuard compresses the input file using GZIP and writes a copy to disk
  3. PeGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the PeGuard packed binary, however PeGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk along-side it's sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 PeGuard.py calc.exe calc_packed.exe

[+] Usage: python PeGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
Audits Python environments and dependency trees for known vulnerabilities

pip-audit pip-audit is a prototype tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisor

Trail of Bits 701 Dec 28, 2022
SVSHI - Secure and Verified Smart Home Infrastructure

The SVSHI (Secure and Verified Smart Home Infrastructure) (pronounced like "sushi") project is a platform/runtime/toolchain for developing and running formally verified smart infrastructures, such as

Dependable Systems Laboratory 3 Oct 28, 2022
Python Script for signingn LetsEncrypt certificate with certbot, and update them into Fortigate

Python Script for signingn LetsEncrypt certificate with certbot, and update them into Fortigate (to be used into the WEB VPN or Load Balancer certificate)

6 Jan 03, 2023
Privfiles - Encrypted file storage using Fernet with zero Javascript

Privfiles - Encrypted file storage using Fernet with zero Javascript Source code for the onion service: l3n6v6dm63frml22tlmzacnasvp7co7wylu4hhcs34ukxe

5 Jul 30, 2022
obj-encrypt is an encryption library based on the AES-256 algorithm.

obj-encrypt is an encryption library based on the AES-256 algorithm. It uses Python objects as the basic unit, which can convert objects into binary ciphertext and support decryption. Objects encrypt

Cyberbolt 2 May 04, 2022
SDU experiment of introduction to the cryptography

Lab 01 (2 hrs): Programming Basics Program 1: Type Hint, String, Bytes, Hex, Base64 Lab 02 (4 hrs): Classical Cryptography Part 1 (3 hrs): Program 1:

1 Jan 03, 2022
Python binding to the Networking and Cryptography (NaCl) library

PyNaCl: Python binding to the libsodium library PyNaCl is a Python binding to libsodium, which is a fork of the Networking and Cryptography library. T

Python Cryptographic Authority 941 Jan 04, 2023
Algo-burner - Burner account for the Algorand blockchain

algo-burner Burner address for Algorand's blockchain Apparently it was a problem

1 Jan 12, 2022
Secure open-source password manager.

aes256_passwd_store This script securely encrypts or decrypts passwords on disk within a custom database file. It also features functionality to retri

14 Nov 15, 2022
Python ASN.1 library with a focus on performance and a pythonic API

asn1crypto A fast, pure Python library for parsing and serializing ASN.1 structures. Features Why Another Python ASN.1 Library? Related Crypto Librari

Will Bond 282 Dec 11, 2022
Tutela: an Ethereum and Tornado Cash Anonymity Tool

Tutela: an Ethereum and Tornado Cash Anonymity Tool The repo contains open-source code for Tutela, an anonymity tool for Ethereum and Tornado Cash use

TutelaLabs 96 Dec 05, 2022
Gearbox-vyper-contracts - Auxillary contracts for the Gearbox Protocol written in Vyper

Gearbox Vyper Contracts Auxillary contracts for the Gearbox Protocol written in

Edward Amor 4 Jan 07, 2022
An BlockChain Based solution for storing the medical records

Blockchain-based Medical Records 📄 Abstract Blockchain has the ability to keep an incorruptible, decentralized, and transparent log of all patient da

Yuvraj Singh Deora 3 Jan 14, 2022
This is a Sharding Simulator to study blockchain scalability

Sharding Simulator This is a Sharding Simulator to study blockchain scalability. How to run on Ubuntu First make sure you have the header file for Pyt

1 Jan 23, 2022
Python App To Encrypt Data (image, text, all data)

Python App To Encrypt Data (image, text, all data)

1 Oct 29, 2021
Using with Jupyter making live crypto currency action

Make-Live-Crypto-Currency-With-Python Using with Jupyter making live crypto currency action 1.Note: 💣 You must Create a Binance account and also clic

Mahmut Can Gönül 5 Dec 13, 2021
A Python script to implement Hill's Cipher Encryption and Decryption.

Hill_Cipher-Encryption_and_Decryption A Python script to implement Hill's Cipher Encryption and Decryption. Initially in the Encryption part, the Plai

Vishvendra Singh 1 Jan 19, 2022
An advanced caesar cypher python module

CaesarPlus An advanced caesar cypher python module What is CaesarPlus CaesarPlus is a advanced caesar cypher python module that is more secure than ca

1 Mar 18, 2022
Python based project to pull useful account statistics from the Algorand block chain.

PlanetWatchStats Python based project to pull useful account statistics from the Algorand block chain. Setup pip install -r requirements.txt Run pytho

M0x40 1 Jan 27, 2022
This is a simple application to generate HD wallet addresses for cryptocurrency coins.

HD-Wallet-Address This is a mini service to generate addresses in the master HD-Wallet. It will use py_crypto_hd_wallet package as a base. Prerequisit

Amin Abbasi 1 Dec 16, 2021