Crypter Architecture - Automation Method
1. Crypter Architecture
“Crypting” is the concept of encrypting a file in order to make the crypted file undetectable to antivirus software, or to make unpacking the file harder.
Figure 1: Crypter stub executing in memory (layout: Stub, followed by the Encrypted File)
The stub is the core of the program. It is the stub’s mission to carry out file decryption in memory and file execution, or any other custom options a programmer has given the crypter. Programmers reduce the size of the stub in order to reduce the file size of the output file (stub + encrypted file). This helps the stub go unnoticed if there is only a few bytes’ difference between the original input file and the output file (input file – output file = stub size). A stub should be judged on its functionality as well as its stability and security.
Figure 2: Crypter program execution
Figure 3: Stub program execution
2. Crypter automation method
There are usually two files, the Crypter and the Stub. Most crypters have an inbuilt stub. The user drags and drops the desired file into the “drag and drop files here” area. After pressing the “Crypt” button, the crypter reads the bytes of the selected files and encrypts them. Then it writes the encrypted bytes to the Stub using EOF (End of File) storage, Resources, or other methods. The Stub then stores the data, and the output file containing the encrypted bytes is created. When executed, the bytes are decrypted using the same encryption method. After decrypting, the bytes are converted back into a file and executed. Some Crypters are Scan time and some are Run time.
Figure 4: Undo crypter automation
When the crypter is Scan time, the crypted file drops the original virus out. That means it writes the decrypted bytes to a file; this is called “Dropping”. The dropped file (in this case the original virus) is then executed using the ShellExecute command or another method. These kinds of crypters are GOOD, because when the file is being dropped out, the antivirus catches it.
In a Run time crypter, the decrypted bytes are executed in memory, which means it uses RunPE (Run Portable Executable). It injects the bytes into an active process, bypassing the antivirus so that it cannot catch them. These kinds of crypters are BAD. When the crypter is Run time, it is automatically Scan time as well. If the crypter is Scan time, then it is ONLY Scan time.
3. Work Flow
Figure 5: FUD crypter
The Crypter takes the original binary file of your exe, applies several layers of encryption to it and stores the result at the end of the file (EOF), so a new crypted executable file is created.
Original Exe (ORIGINAL)001 ————> Crypted Exe (CRYPTED)010
The new exe is not detected by antiviruses because its code is scrambled by the crypter. When executed, the new .exe file decrypts the binary file a few small pieces of data at a time and injects them into another already existing process or a new empty one, or it drops the code in multiple chunks into alternate data streams (not scanned by antivirus) and then executes it as a .txt or .mp3 file.
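From the defender's side, the EOF storage method described in sections 2 and 3 leaves a recognisable trace: encrypted bytes appended past the last PE section (the "overlay") with near-random entropy. The following Python script is an added example written for this page, not code from the original post or from any crypter; it parses the PE section table to find the overlay and scores its entropy, and the sample PE bytes it checks are constructed inline and are not a real executable.

```python
import math
import struct

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0, plain text sits well below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def overlay_info(data: bytes) -> dict:
    """Locate the PE overlay (bytes past the last section's raw data) and score it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + size_opt  # first IMAGE_SECTION_HEADER
    end_of_sections = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]
    return {"offset": end_of_sections, "size": len(overlay),
            "entropy": shannon_entropy(overlay)}

def looks_like_crypted(data: bytes, min_size: int = 1024, min_entropy: float = 7.0) -> bool:
    """Heuristic: a large, near-random overlay matches the EOF storage pattern."""
    info = overlay_info(data)
    return info["size"] >= min_size and info["entropy"] >= min_entropy

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed, minimal PE-shaped bytes (not runnable code): one 0x200-byte
    section at file offset 0x200, then the supplied overlay. Exercises the parser only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)  # optional header contents are irrelevant to the overlay check
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                            0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + coff + opt + section).ljust(0x200, b"\0")
    return header + bytes(0x200) + overlay
```

On a real sample, read the file bytes and pass them to `looks_like_crypted`; a true result only means an appended high-entropy blob is present and should be examined, since installers and signed binaries also carry overlays.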
1. Download a free FUD Crypter (e.g. abc; abc – crypter name obfuscated).
2. Open the FUD Crypter and select the server file as your Keylogger file or RAT file, then go to the Appearance tab, check custom icon and select your icon (an icon pack is also included).
3. Finally click "Crypt"; now you will get a Crypted file which is totally undetectable by antiviruses.
That is great information. It's a really great post.
Thanks for your comments.
Wonderful information. All these methods sound really great. As I am learning about all these for the first time I am finding it a bit difficult to understand them well. I will look for more information.