Encrypting Programs - How does that work?

Tsar:

--- Quote from: ca0s on May 20, 2011, 09:59:51 pm ---This would be like:
- Have some crypted binary code somewhere in memory.
- Open, read, decrypt.
- Assign execution permissions (if you are working in your own process you usually have these rights, this is only problematic if you are trying to inject your code in another process) with VirtualProtect (http://msdn.microsoft.com/en-us/library/aa366898%28v=vs.85%29.aspx).
- Create a function pointer and point it to decrypted code in memory.
- Launch that function.

--- End quote ---

Nice, the only problem I can see with that is that it would have to encrypt itself upon exiting, otherwise next time it was started it would be unencrypted and possibly detected by the AV.


--- Quote ---This is turning into a nice investigation/development thread, I like it :D

--- End quote ---

I agree, these are the type of threads I like to see on EZ: discussions on interesting stuff, problem solving where everyone gives input, etc.

ca0s:

--- Quote ---Nice, the only problem I can see with that is that it would have to encrypt itself upon exiting, otherwise next time it was started it would be unencrypted and possibly detected by the AV.
--- End quote ---

No! The decryption process would be done in memory! It does not have to crypt itself again, as the binary would always stay crypted.
Also, a good idea would be to change the crypt key in each crypted block of code, getting the next key from the previous decrypted block. Well, this is a good point to start coding, isn't it?

Tsar:

--- Quote from: ca0s on May 21, 2011, 01:16:06 am ---No! The decryption process would be done in memory! It does not have to crypt itself again, as the binary would always stay crypted.
Also, a good idea would be to change the crypt key in each crypted block of code, getting the next key from the previous decrypted block. Well, this is a good point to start coding, isn't it?

--- End quote ---

Is it possible to create a function in memory? I'm unsure how it would work. Let's say we read the encrypted bytes of the exe in, and store them in chars, decrypt them and have the binary instructions all decoded, how would you then go about executing the instructions in memory?

ca0s:

--- Quote from: Tsar on May 21, 2011, 02:21:11 am ---Is it possible to create a function in memory? I'm unsure how it would work. Let's say we read the encrypted bytes of the exe in, and store them in chars, decrypt them and have the binary instructions all decoded, how would you then go about executing the instructions in memory?

--- End quote ---

Take a look at the post I put (injecting code in another process). It is something like that. In C pseudocode it would be:

void *code=malloc(sizeOfCode);
decryptCode(code, cryptedCode); // Decrypts crypted code in cryptedCode in code
DWORD prot; // This is needed for the next function
VirtualProtect(code, sizeOfCode, PAGE_EXECUTE_READWRITE, &prot); // Execution privileges
void (*pFun)(void);
pFun=code; // We assign the pFun function pointer to our in memory decrypted code
pFun(); // And then call it!

This code might have errors, but I am too sleepy to care about it now. But that's it.

Tsar:

--- Quote from: ca0s on May 21, 2011, 02:39:16 am ---Take a look at the post I put (injecting code in another process). It is something like that. In C pseudocode it would be:

void *code=malloc(sizeOfCode);
decryptCode(code, cryptedCode); // Decrypts crypted code in cryptedCode in code
DWORD prot; // This is needed for the next function
VirtualProtect(code, sizeOfCode, PAGE_EXECUTE_READWRITE, &prot); // Execution privileges
void (*pFun)(void);
pFun=code; // We assign the pFun function pointer to our in memory decrypted code
pFun(); // And then call it!

This code might have errors, but I am too sleepy to care about it now. But that's it.

--- End quote ---

I guess what I'm not quite understanding is when it is decrypted how is it storing the binary for calling?

I'm assuming to decrypt it you will
1. need to read it in somewhere
2. need to store that somewhere in a special way before calling it so it knows it is a function/exe/whatever.

Part I am confused about:
Decrypt()
-read in code, store in byte/char array (byte by byte)
-Decrypt the array
-??? Do we have to write the code somewhere, perhaps to memory, but how will it know it is code to execute and not say a char array or something?
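
Added example, not part of the thread: memory carries no "code" or "data" type, so the page protection set by the VirtualProtect call in the pseudocode is the only thing that makes the buffer executable, and that write-then-make-executable transition is what memory monitoring looks for. The sketch below scans a trace for it; the event record layout, function names and both traces are hypothetical and constructed for illustration, and only the protection constants are the real Win32 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Win32 page-protection values (winnt.h), redefined so this builds on any OS. */
#define PG_EXECUTE_READ      0x20u
#define PG_EXECUTE_READWRITE 0x40u
#define PG_EXECUTE_WRITECOPY 0x80u
#define PG_ANY_EXEC          0xF0u  /* all PAGE_EXECUTE* values sit in bits 4-7 */

/* Hypothetical sensor record: a buffer write or a VirtualProtect call. */
enum ev_kind { EV_WRITE, EV_PROTECT };
struct mem_event { enum ev_kind kind; uintptr_t base; size_t size; uint32_t prot; };
enum { F_NONE = 0, F_RWX = 1, F_WRITE_THEN_EXEC = 2 };
#define MAX_DIRTY 16

static int overlaps(const struct mem_event *a, const struct mem_event *b) {
    return a->base < b->base + b->size && b->base < a->base + a->size;
}

/* Returns a bitmask of findings for one process's event trace. */
int scan_trace(const struct mem_event *ev, size_t n) {
    const struct mem_event *dirty[MAX_DIRTY];
    size_t nd = 0;
    int findings = F_NONE;
    for (size_t i = 0; i < n; i++) {
        /* Remember written ranges; only protection changes are judged. */
        if (ev[i].kind == EV_WRITE && nd < MAX_DIRTY) dirty[nd++] = &ev[i];
        if (ev[i].kind == EV_WRITE || !(ev[i].prot & PG_ANY_EXEC)) continue;
        if (ev[i].prot & (PG_EXECUTE_READWRITE | PG_EXECUTE_WRITECOPY))
            findings |= F_RWX;                /* writable and executable at once */
        for (size_t j = 0; j < nd; j++)       /* protection applies to whole pages, */
            if (overlaps(&ev[i], dirty[j]))   /* so compare ranges, not exact bases */
                findings |= F_WRITE_THEN_EXEC;
    }
    return findings;
}

/* Constructed traces: the thread's sequence, and a loader-style mapping. */
const struct mem_event thread_trace[] = {
    { EV_WRITE,   0x10000, 0x200,  0 },
    { EV_PROTECT, 0x10000, 0x1000, PG_EXECUTE_READWRITE },
};
const struct mem_event benign_trace[] = { { EV_PROTECT, 0x40000, 0x1000, PG_EXECUTE_READ } };

int main(void) {
    printf("thread=%d benign=%d\n", scan_trace(thread_trace, 2), scan_trace(benign_trace, 1));
    return 0;
}
```

JIT compilers produce the same pattern legitimately, so a finding here is a signal to correlate with other telemetry rather than a verdict.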
