tibbar
Jul 13 2005, 01:30 AM
The other day I thought I wonder if I can write my own packer, and 3 evenings later here it is. Nothing too advanced so far, it just applies an incredibly simple "encryption" to the code section of the input file, which makes it undetectable to AV. It only will work with an unpacked input file and only exe's. I plan to extend this in the future, so please report any binaries it fails to encrypt and report if AV detect a crypted file. Future plans include encrypting all sections and moving to a polymorphic stub + encryption. Usage is as follows:
CODE
D:\\Packer\packer\Release>codecrypt.exe
*** Code Crypt 0.0 by Tibbar@GovernmentSecurity.org ***
*** ***
*** Usage: codecrypt filename.exe ***
*** Will encrypt the codesection to avoid detection ***
*** Disclaimer: This software is for educational ***
*** purposes only. No responsibility is held or ***
*** accepted for misuse. ***
Source code is in the programming forum. Enjoy!
Erra
Jul 13 2005, 01:59 AM
Wow dude, that's impressive. Excellent work. Will just have to give it a whirl and see how it goes... Will post back here my findings as well. Thanks again!
apoc_neo
Jul 13 2005, 02:17 AM
Yea, it sure is impressive. Thanks for the hard work man, I am going to put it to the test.
sz0n
Jul 13 2005, 02:17 AM
Detected by NOD32 and KAV (only tested with those two), damn they are fast. Anyway great job, it must be hard to write something like that.
apoc_neo
Jul 13 2005, 02:19 AM
Nice work dude. I used your tool on hackerdefender and KAV suspected it as a virus but could not tell which virus it was, so then I packed hackerdefender nice and tight after using it and KAV found nothing. Good work man, big respect to you.
jjfrost
Jul 13 2005, 02:27 AM
I've just tested it on the mirc.exe (winxp), but after this it doesn't start anymore. There is no error message or something like that.
apoc_neo
Jul 13 2005, 02:30 AM
QUOTE(jjfrost @ Jul 13 2005, 02:27 AM) I've just tested it on the mirc.exe (winxp), but after this it doesn't start anymore. There is no error message or something like that.
Maybe because the latest version of mirc is tamper proof?
vnet576
Jul 13 2005, 03:02 AM
Yep, it is tamper proof via checksum validation. There's the next challenge for you tibbar, making it retain the same checksum.
On second thought that might be impractical since the only methods I've heard of are too program specific. Still this is something to think about.
tibbar
Jul 13 2005, 03:05 AM
Isn't the checksum algorithm secret, known to MS only?
vnet576
Jul 13 2005, 03:06 AM
QUOTE(tibbar @ Jul 12 2005, 11:05 PM) Isn't the checksum algorithm secret, known to MS only?
Are we thinking about the same thing? I'm talking about CRC or MD5 checksums...
tibbar
Jul 13 2005, 03:07 AM
Oh, I thought u meant the one in the PE header.
tibbar
Jul 13 2005, 04:03 AM
This is the one I meant: http://216.239.59.104/search?q=cache:pW9pD...lient=firefox-a
QUOTE A checksum value is used to validate the executable file at load time. The value is set and verified by the linker. The algorithm used for creating these checksum values is proprietary information and will not be published.
...............
So that's all. The algorithm is just simply adding the file (by words). Whenever overflow occurs, checksum is cut to word and incremented. The position of the checksum itself is excluded from this processing. After "summing" the whole file, this checksum is expanded to DWORD and the file length is added. That's all. Simple but effective. Just two remarks:
1) If you wanna easily get inside the checksum test, set breakpoint on ZwOpenFile. When you get there, type P RET once. I'm sure you'll find the way then :-)
2) As you can see from the code "above,.class" the PE EXE file checksum is stored at offset 05A, starting from "PE". For more info see the relative Microsoft documentation.
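The word-sum algorithm quoted above, as an added Python example (not code from the thread): it recomputes a PE image's checksum and compares it with the stored field, which is how a defender spots a binary that was patched after linking without its checksum being refreshed. It assumes the CheckSum field lies at e_lfanew + 0x58 (4-byte signature, 20-byte COFF header, 64 bytes into the optional header), treats a stored value of 0 as "not set" (user-mode linkers often leave it so), and builds its own constructed, non-loadable PE-shaped sample.

```python
import struct

def build_sample_image(stored_checksum: int) -> bytes:
    # Constructed 176-byte PE-shaped sample, not loadable: DOS header with
    # e_lfanew=64, PE signature, zeroed COFF header, PE32 optional header, fake code.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * 62            # magic, then zeros
    opt += struct.pack("<I", stored_checksum) + b"\0" * 4  # CheckSum at opt+64
    body = b"\xff" * 4 + b"\x90" * 4 + b"\0" * 8           # forces a carry fold
    return dos + b"PE\0\0" + coff + opt + body

def checksum_offset(data: bytes) -> int:
    """File offset of the CheckSum field: e_lfanew + 0x58 (assumed layout)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 0x58

def pe_checksum(data: bytes) -> int:
    """Word sum with carry fold, CheckSum field skipped, plus file length."""
    skip = checksum_offset(data)
    total = 0
    for pos in range(0, len(data), 2):
        if skip <= pos < skip + 4:
            continue
        high = data[pos + 1] << 8 if pos + 1 < len(data) else 0  # odd tail byte
        total += data[pos] | high
        total = (total & 0xFFFF) + (total >> 16)                # fold the carry
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def verify_pe_checksum(data: bytes) -> tuple:
    """Return (stored, computed, verdict): 'unset' (linker left 0), 'ok' or 'MISMATCH'."""
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    computed = pe_checksum(data)
    verdict = "unset" if stored == 0 else ("ok" if stored == computed else "MISMATCH")
    return stored, computed, verdict

if __name__ == "__main__":
    good = build_sample_image(pe_checksum(build_sample_image(0)))  # store correct value
    print(verify_pe_checksum(good))                  # (49849, 49849, 'ok')
    patched = bytearray(good)
    patched[170] = 0x01                              # one byte of "code" changed
    print(verify_pe_checksum(bytes(patched)))        # (49849, 49850, 'MISMATCH')
```

Because the field itself is excluded from the sum, writing the computed value back does not change the result, which is why the check can be run on any file regardless of what the linker stored.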
gr33dy
Jul 13 2005, 05:54 AM
Excellent work, tibbar. File sizes are kept small after packing unlike some other packers I've seen. This will come in very handy.
cazad0r
Jul 13 2005, 06:55 AM
AdmiralB
Jul 13 2005, 10:57 AM
Well maybe u could try to mimic Armadillo, they have the good shit in the world. No cracks for their latest version and last I heard is that the last crack took the power of an entire uni's comps to break 1 key.
Killaloop
Jul 13 2005, 11:41 AM
QUOTE(AdmiralB @ Jul 13 2005, 10:57 AM) Well maybe u could try to mimic Armadillo, they have the good shit in the world. No cracks for their latest version and last I heard is that the last crack took the power of an entire uni's comps to break 1 key.
Well, there is a huge difference between a packer/crypter and a PE protector like Armadillo. And by the way, I tried Armadillo with some viri and rootkits and KAV detected them.
realloader
Jul 13 2005, 12:28 PM
Kaspersky still detects my file.exe!
satknis
Jul 13 2005, 12:45 PM
Nice work tibbar, but it is not undetected. Have you tested it with Norton? I tested it with F-Secure and Ewido, both detected the files which were crypted. And that with old updates, older than your post. F-Secure just told me "Type 32", but Ewido told me the right name of the trojan. Maybe u just crypt the header of the EXE files, that could be the reason that your crypter can't fool the detections. Another point is that your crypter doesn't tell me if it is crypted or not, it just quits after crypting, so u maybe add a line to say "done".
Killaloop
Jul 13 2005, 12:54 PM
QUOTE(tibbar @ Jul 13 2005, 01:30 AM) Nothing too advanced so far, it just applies an incredibly simple "encryption" to the code section of the input file, which makes it undetectable to AV.
As you can read, the code section is crypted. Nothing more, and it only increments and decrements. If the virus signature is somewhere else and not only in the code section it won't help you.
[R]
Jul 13 2005, 02:07 PM
No, it does not work... if I crypt my files and exec them, I only get an error msg. Bad.
tibbar
Jul 13 2005, 02:59 PM
Killaloop is right. I am only crypting the code section, so signatures based on other sections will not be stopped... that's for next version.
Note that I tested iroffer and lithium rat, these both became undetected to McAfee and both functioned correctly.
If the prog is already packed, or does a checksum check, it will fail.
tibbar
Jul 13 2005, 03:01 PM
QUOTE([R] @ Jul 13 2005, 02:07 PM) No, it does not work... if I crypt my files and exec them, I only get an error msg. Bad.
Can you send me the file in question? I can debug it to see what went wrong. Perhaps it was already packed?
cazad0r
Jul 13 2005, 07:50 PM
With the Stud_pe it leaves an error like this one: "PE import Dir corrupted" but if they are possible to be seen entry point and the sections but, at the moment for compiling it remotely, because in the machine where it found me was with win98 and it did not work, raising the server the remote machine, in a Windows xp without antivirus I executed the Codecrypt and when me I bring it for here (FTP) leaves the following errors: [Image001] [Image002] And executing it in Win Xp: [ImageWinxp] Not in which I make bad, but to tell the truth the program is good, not in what failure, and if he is indetectable, proven with KAV.
nolimit
Jul 13 2005, 08:27 PM
The latest Armadillo has been cracked, how else would 0-day groups be releasing apps protected by it? Armadillo is nothing compared to StarForce and SafeDisc, and groups have cracked those.
Any protection can be cracked. The amount of effort required is the only moderator.
tibbar
Jul 13 2005, 08:28 PM
Is this ftp.exe from Microsoft Windows? If so it won't work, as they do a checksum verification.
belgther
Jul 13 2005, 08:41 PM
tibbar, this verification is only done for the PE header. I tested it with some Windows tools (net.exe), modifying the raw data doesn't matter.
cazad0r
Jul 13 2005, 10:21 PM
tibbar,What happens is that it was in a machine with Windows 98 (192.168.1.36) and, good when executing codecrypt foot me a tie export to kernel32.dll "GetFIleSize" that does not exist  and that made me migrate to Windows xp, in a network, but as it were to the other side and it is of my good friend  , which hize was to use RPC GUI of r3l4x (exploit) and to send by FTP updater.exe, decompressed (server of bifrost 1.1.02) and codec.exe (codecrypt.exe) to win xp (192.168.1.30), single that, single FTP login without password, that is everything. But that the single thing does not come the previous case of saying to him that I believe that it would have I who to make some modifications, to cracking to server.exe modified with codecrypt, am to say codecrypt it would be beta? thanks
tibbar
Jul 13 2005, 10:28 PM
QUOTE(belgther @ Jul 13 2005, 08:41 PM) tibbar, this verification is only done for the PE header. I tested it with some Windows tools (net.exe), modifying the raw data doesn't matter.
Yes, but I add code and increase the file size, but don't bother recalculating the checksum.
tibbar
Jul 13 2005, 10:30 PM
QUOTE(cazad0r @ Jul 13 2005, 10:21 PM) tibbar,What happens is that it was in a machine with Windows 98 (192.168.1.36) and, good when executing codecrypt foot me a tie export to kernel32.dll "GetFIleSize" that does not exist and that made me migrate to Windows xp, in a network, but as it were to the other side and it is of my good friend, which hize was to use RPC GUI of r3l4x (exploit) and to send by FTP updater.exe, decompressed (server of bifrost 1.1.02) and codec.exe (codecrypt.exe) to win xp (192.168.1.30), single that, single FTP login without password, that is everything. But that the single thing does not come the previous case of saying to him that I believe that it would have I who to make some modifications, to cracking to server.exe modified with codecrypt, am to say codecrypt it would be beta? thanks
This is release 0.0, so bugs are likely. Could you email me the file that fails, to: tibbarDOTgsoATgmailDOTcom (replace DOT with . and AT with @). Same goes for anyone else who has problems, email me the file.
vnet576
Jul 13 2005, 10:40 PM
Yep, this is what I meant when I said that removing the MD5 checksum would be too program specific. You would have to manually find exactly where the program performs the checksum and physically change it, or change it when it's being calculated in memory. And this would be different with every program, but maybe someone else has ideas for this.
On a side note, Armadillo and programs like it place the target exe inside a "container" without actually altering the file. So it's pointless to compare tibbar's program to it. Completely different concept.
[R]
Jul 14 2005, 07:48 AM
[ImageWinxp] I got the same error messages as cazad0r, please fix it... (I tried to crypt Optix Pro and Serv-U.) Serv-U isn't important because it's already undetected (my work).
andi1983
Jul 14 2005, 08:00 AM
I tested around with this nice little tool, it made some filez undetectable for Visuchaser and McAfee. Very nice one, good work man.
Erra
Jul 16 2005, 11:24 PM
Well it worked fine for about 3 .exe's and one sys file that I tried.
One EXE didn't work, but that's fine.....
Awesome job mate. Great stuff.
One question, I have a DLL file that I want to make undetectable, but this doesn't do it... any ideas?
tibbar
Jul 16 2005, 11:46 PM
It doesn't support dll's at the moment.
Btw all, latest version is attached. This encrypts code and data section (first 2 sections). I am looking at which other sections can be encrypted, but that's to come later on.
Also I intend to move to a proper encryption soon.
I find McAfee flags some packed files as "win32 new", which is apparently an MSN worm. I guess I must be doing something that looks similar; it may just be a result of byte+1 being the encryption, which makes a pattern of bytes look like the worm's signature.
Anyway, tested so far on: tinyftpd, win32bnc, iroffer, which all come clean on McAfee.
Many other progs like servu, sub7 won't pack right for reasons like checksum verification and reliance on file structure (s7).
Here's latest binary & source, which is version 0.1.
Erra
Jul 17 2005, 01:36 AM
Thanks for the info on the DLLs, I will have to check for something else that might do that. Have downloaded the new version as well. This is a great tool mate.
netxman
Jul 17 2005, 04:54 AM
Still be detected by McAfee as New Win32 Virus after encryption.
slb33
Jul 17 2005, 06:28 AM
I tried a few different exe's just to play around with this. Most that I tried had errors after crypting with this program, but the ones that you say you have tried definitely work. So this is a very good app, just needs improvement to apply to more exe files. And it would be nice if you could have a way to change the encryption so all exe's wouldn't have the same encryption.
Not sure if that's possible though!
tibbar
Jul 17 2005, 10:09 AM
The new win32 thing seems to only happen to some exes, I've not figured out why yet. It may be sticking the entry point in the last data section that is doing it.
I'm trying to work out what causes some exes to fail. I'm sure I will get to the bottom of it...
Finally, proper polymorphic encryption is coming soon... it will be 100% random from a statistical perspective. Impossible to decrypt for an AV.
G777
Jul 17 2005, 12:33 PM
Real nice code tibbar, it doesn't quite get files past KAV but it does stop it identifying them.
tibbar
Jul 17 2005, 02:33 PM
what does KAV say it finds?
G777
Jul 17 2005, 03:21 PM
According to KAV:
QUOTE file.exe - is possibly infected with a virus Type_Win32
AdmiralB
Jul 18 2005, 04:54 AM
lol tibbar, it seems ur becoming quite the real packer. Well, good job :X I tried on some and it seems ur on the right track now :X
CJ.
Jul 18 2005, 11:45 AM
Nice work! Tested it with some AVs, only AntiVir still detects the files.
vnet576
Jul 18 2005, 02:10 PM
QUOTE(CJ. @ Jul 18 2005, 07:45 AM) Nice work! Tested it with some AVs, only AntiVir still detects the files.
And how is this kind of post useful to tibbar? Post what AV, what version, etc... otherwise this post is little more than an extended thanks post.
CJ.
Jul 19 2005, 06:01 AM
I posted what AV -> AntiVir (http://www.hbedv.com), maybe you don't know it. edit: kk sorry, I tested it with the Personal Edition VDF Version 6.31.0.179 & 6.31.00.237. It detected hxdef the same way as the unpacked file: BDS/HacDef.
vnet576
Jul 19 2005, 06:36 AM
QUOTE(CJ. @ Jul 19 2005, 02:01 AM) I posted what AV -> AntiVir (http://www.hbedv.com), maybe you don't know it.
That's fine, did you list what version of the AV? Did you mention what kind of virus it detected it as?
tibbar
Jul 19 2005, 06:43 AM
Well, all AV are now beaten... unfortunately for u guys, I won't release it until it's got a polymorphic stub...
jead99
Jul 20 2005, 02:54 AM
QUOTE(tibbar @ Jul 19 2005, 06:43 AM) Well, all AV are now beaten... unfortunately for u guys, I won't release it until it's got a polymorphic stub...
Nice work tibbar. Perhaps you could give ppl a few tips on what you did?
tibbar
Jul 20 2005, 04:07 AM
Several things:
1) encrypt TEXT, DATA and .rsrc sections
2) at original EP, copy first x bytes into a buffer at end of file and replace with an undetected detour to my stub EP.
3) stub must decrypt the above 3 sections, then restore original EP code, then jmp to original EP.
chris105
Jul 21 2005, 02:08 AM
Great work Tibbar,
Sorry if this seems a little dense mate, but doesn't this mean that the file would still be detected at run time? As the code will still be run once decrypted?
And sorry if I forgot any s' my s key is broken so I copy pasted them all in.