| binaries | ||
| crypt | ||
| stub | ||
| .gitignore | ||
| COMPILATION_README.md | ||
| dec_and_inject.exe | ||
| decrypted_binary | ||
| decryptor | ||
| decryptor.cpp | ||
| dll_metadata_data.h | ||
| dll_payload_data.h | ||
| encrypted_dll.dll | ||
| libphotoshop.dll | ||
| libphotoshop.so | ||
| linux_injector | ||
| linux_injector.cpp | ||
| metadata_data.h | ||
| payload_data.h | ||
| README.md | ||
| simple_batch.sh | ||
| test.cpp | ||
| windows_injector.cpp | ||
| windows_injector.exe | ||
Rust Crypter
x86-64 Crypter built in Rust for Windows with Anti-VM, powered by memexec
Usage
Single File
- Put your .exe in
/crypt/ cd crypt && cargo run <filename.exe>mv encrypted_Input.bin key.txt ../stub/src/cd ../stub && cargo build --target x86_64-pc-windows-gnu --release- Your encrypted exe is in
stub/target/x86_64-pc-windows-gnu/release/stub.exe
Batch Processing (Multiple Files)
./simple_batch.sh /path/to/folder/with/exe/files
Output: batch_output/ folder with {filename}_encrypted.exe files
Supported targets
- Windows x86-64
- Windows x86
Limitations
- .NET not supported
- Files over 600MB not supported
TODO
- File dialogue choose file instead of renaming code strings/executable names
- Automatically move encrypted bytes and key into stub for compiling
- GUI
- Obfuscated Strings
Disclaimer
This is a tool used to test the Static + Dynamic detection capabilites of AV and EDR, use of this project is at your own risk
MITRE TTPs (Indicators)
- User Execution: Malicious File T1204.002
- Deobfuscate/Decode Files or Information T1140
- Embedded Payloads T1027.009
- System Checks T1497.001
- Reflective Code Loading T1620
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001
References
https://crates.io/crates/memexec https://crates.io/crates/inside-vm