Skip to main content

Custom Crypter x86 - SLAE Assignment 0x7

Before we start , I would like to bring your attention to this SLAE course from securitytube which will help you learn Shellcoding - http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

AGENDA :
1. Write encryption and decryption algorithm using high level language
2. Test encryption algorithm on shellcode
3. Verify decryption algorithm on encrypted shellcode

I have used C# language and made a window based gui application in order to encrypt and decrypt shellcode using AES encryption schema.

Crypter :
A crypter is a program which encrypts the shellcode (in our case) so that anti-virus evasion can be done and has a module called decrypter which decrypts and execute the original shellcode.

I will use execve shellcode and encrypt,decrypt it using our newly made custom crypter.

execve Shellcode : 

Extracted shellcode -
"\x31\xdb\xf7\xe3\x04\x0b\x53\x53\x59\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"

C# code for Crypter :



Proof Of Concept -
1. AES encrypt :
2.  AES Decrypt shellcode :
3. Executed the newly generated shellcode.c :

[x] All the codes can be found here at my github :
https://github.com/hexachordanu/SLAE/blob/master/Assignment-7/

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student-ID: SLAE-1219

Comments

Post a Comment

Popular posts from this blog

Review of Pentester Academy - Attacking and Defending Active Directory Lab

Few months ago I didn't know what Active Directory is, and why should I care about it and never heard about ACL abuse and all. Although I had attended a BPAD (Breaking and Pwning Active Directory) training which was provided by Nullcon but I was not confident enough to go for this course exam, since my day-today activity involves VAPT stuffs related to Web/Network/Mobile and sometimes basic malware analysis (very basic one :p).  I started doing offshore lab and took help from some friends in understanding few Active Directory concepts. I did many silly mistakes during the lab and learned a lot. Meanwhile I registered for Active Directory Lab Course and got it in a discounted offer for first 50 students of about 11k INR  ( 1 mont lab access) :). Before wasting time any further let's dive into the review. The course -  https://www.pentesteracademy.com/activedirectorylab Certification - Certified Red Team Professional The Course Content  - After paying the course fee,

Backdoring PE files using code caves : OSCE/CTP Module 0x03 (OSCE Preparation)

Hello Readers, This post will cover Backdooring of P.E file by using code caves . There are already good tools to do this for you eg. Backdoor Factory and Shelter which will do the same job and even bypass some static analysis of few antiviruses . I will be covering the manual approach of backdooring a PE file . Let's understand some terms : [x] PE file : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. [x] Code Cave : Wikipedia says - "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script." [x] Shellcode : Wikipedia - &qu

Exit Shellcode x86

Exit in Assembly : For writing exit assembly program we need to check exit syscall reference number . I use this online man page : https://syscalls.kernelgrok.com / From above we can conclude that for exit system call we need 2 registers : [x] EAX => Eax should contain exit sys call number (0x01) [x] EBX => Ebx should contain  error code (0 for normal exit) A good shell-code : [x] Should be Null free [x] Smaller in length [x] Position Independent Below is my code : I wrote a small script to compile and assemble nasm program and extract the shellcode from it then saving the shellcode into a c file and compiling the new c program. Here is my script : Tweaked some instructions :p Next you can debug and check the execution in gdb by setting breakpoints and stepping instructions one by one . Below is my gdb console before calling interrupt int 0x80 showing the value of eax and ebx as expected :)