# AES-Encrypted Cross-Platform Payload Injector

Secure AES-CBC encrypted malware injection for Windows (DLL) and Linux (SO) with embedded payloads.

## 🚀 Quick Start

```bash
# Place your malware files in the root directory:
# - libphotoshop.dll (Windows DLL)
# - libphotoshop.so (Linux SO)

# Run the automated build script:
./build_injectors.sh

# This creates:
# - linux_injector (ready to run on Linux)
# - windows_injector.cpp + dll_payload_data.h (for Windows compilation)
```

## 📦 What It Does

### Encryption

- **AES-128-CBC** encryption with random IVs
- **SHA256 key derivation** (password + salt)
- **PKCS7 padding** with validation
- Single `encrypted_payload.bin` file per platform

### Injection

- **Windows:** NT API DLL injection with job freezing + APC queuing
- **Linux:** SO injection with dlopen + function calling
- **Embedded payloads:** No external file dependencies
- **Silent execution:** No visible output or errors

## 🔧 Manual Usage

### Linux Build & Run

```bash
g++ -std=c++11 linux_injector.cpp -o linux_injector -lssl -lcrypto -ldl
./linux_injector  # Decrypts and injects embedded SO
```

### Windows Build & Run

```bash
# On Windows with Visual Studio:
cl.exe /EHsc windows_injector.cpp advapi32.lib

# Run the injector:
windows_injector.exe  # Decrypts and injects embedded DLL
```

### Custom Encryption

```bash
cd crypt
cargo run ../your_malware.dll  # Creates encrypted_payload.bin
# Embed the data in injector source code
```

## 🔒 Security Features

- **AES-128-CBC** with cryptographically secure random IVs
- **SHA256 key derivation** using password + random salt
- **PKCS7 padding** with validation
- **No embedded keys** (derived at runtime)
- **Cross-platform isolation** (Windows code ≠ Linux code)

## 📋 Architecture

```
├── crypt/                 # Rust AES encryption tool
├── linux_injector         # Linux SO injector (compiled)
├── windows_injector.cpp   # Windows DLL injector (source)
├── build_injectors.sh     # Automated build script
├── dll_payload_data.h     # Windows embedded encrypted DLL
├── so_payload_data.h      # Linux embedded encrypted SO
└── decryptor.cpp          # Standalone decryption utility
```

## ✅ Verification

**Linux Testing:** ✅ AES decryption + SO injection + mining activity confirmed

**Windows Ready:** ✅ Source prepared with real encrypted DLL payload

## ⚠️ Disclaimer

This is a tool for testing AV/EDR detection capabilities. Use at your own risk.

## 🔍 MITRE ATT&CK

- **T1204.002** - User Execution: Malicious File
- **T1140** - Deobfuscate/Decode Files or Information
- **T1027.009** - Embedded Payloads
- **T1620** - Reflective Code Loading
- **T1055** - Process Injection

## 📚 References

- AES-CBC encryption standard
- OpenSSL crypto library
- Windows CryptoAPI
- Linux dlopen/dlsym
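As an added example (not part of this repository), the kind of check a defender can run against a binary that embeds an encrypted payload the way this project does (T1027.009): a sliding-window Shannon-entropy scan that flags the high-entropy region an embedded `encrypted_payload.bin` produces inside an otherwise readable image. The sample "binary" is constructed inline; the window size and threshold are assumptions to tune per file type.

```python
"""Entropy scan for embedded encrypted payloads (added defender-side example).

Constructed input: a fake image with a readable text/code section, a
4 KiB seeded-random blob standing in for an embedded encrypted_payload.bin,
and a readable trailer. Window and threshold values are assumptions.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in `data`; 8.0 means uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(blob: bytes, window: int = 1024,
                              threshold: float = 7.0) -> list:
    """Return [(start, end), ...] byte ranges in which every window-sized
    chunk scores >= threshold. Adjacent hot windows are merged into one
    region; a trailing partial window is ignored."""
    regions = []
    start = None
    for off in range(0, len(blob) - window + 1, window):
        hot = shannon_entropy(blob[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:                      # region runs to the last full window
        regions.append((start, (len(blob) // window) * window))
    return regions


# --- constructed sample "binary" (not a real build artifact) -------------
_TEXT = b"This build prints a banner and exits. "
_rng = random.Random(2024)                     # seeded so the result is stable
SAMPLE_PREFIX = (_TEXT * 200)[:4096]           # low-entropy text/code section
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
SAMPLE_SUFFIX = (_TEXT * 200)[:4096]
SAMPLE_BINARY = SAMPLE_PREFIX + SAMPLE_PAYLOAD + SAMPLE_SUFFIX


def scan_sample() -> list:
    """Scan the constructed binary; the only hot region is the payload blob."""
    return find_high_entropy_regions(SAMPLE_BINARY)


if __name__ == "__main__":
    for start, end in scan_sample():
        print(f"high-entropy region {start:#x}-{end:#x} ({end - start} bytes)")
```

Compressed or already-packed sections score just as high as ciphertext, so treat a hit as a pointer for manual review rather than a verdict.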