Thursday, October 4, 2012


Crypter Architecture - Automation Method 


1. Crypter Architecture 

“Crypting” is the practice of encrypting a file so that the resulting (crypted) file is not detected by antivirus software, or so that unpacking it is harder.

Figure 1: Memory layout while the crypter stub executes (stub followed by the encrypted file)
The stub is the core of the program. Its job is to decrypt the file in memory and execute it, or to carry out whatever custom options the programmer has built into the crypter. Programmers keep the stub small in order to keep the output file (stub + encrypted file) small: if the output differs from the original input file by only a few bytes (output file size – input file size = stub size), the stub is more likely to go unnoticed. A stub should be judged on its functionality as well as its stability and security.


Figure 2: Crypter program execution


Figure 3: Stub program execution

2. Crypter automation method
There are usually two files, the crypter and the stub; most crypters have the stub built in. The user drags the desired file into the “drag and drop files here” area. After the “Crypt” button is pressed, the crypter reads the bytes of the selected file and encrypts them. It then writes the encrypted bytes into the stub, appending them at the end of file (EOF), storing them as resources, or using other methods. The stub holding that data is written out as the output file. When the output file is executed, the bytes are decrypted using the same encryption method; after decryption, the bytes are turned back into a file and executed. Some crypters are scan time and some are run time.


Figure 4: Undo crypter automation

When the crypter is scan time, the crypted file drops the original virus out, meaning it writes the decrypted bytes to a file on disk. This is called “dropping”. The dropped file (here, the original virus) is then executed with a Shell Execute command or similar. These kinds of crypters are GOOD, because the antivirus catches the file at the moment it is dropped.
With a run time crypter, the decrypted bytes are executed in memory, using a RunPE (Run Portable Executable) technique: the bytes are injected into an active process, so the antivirus never gets a file to catch. These kinds of crypters are BAD. A run time crypter is automatically also scan time; a scan time crypter is ONLY scan time.

3. Work Flow



Figure 5: FUD crypter

The crypter takes the original binary of your exe, applies several layers of encryption to it and stores the result at the end of file (EOF), so a new crypted executable is created.

Figure: Original exe (ORIGINAL) → crypted exe (CRYPTED)

The new exe is not detected by antiviruses because its code has been scrambled by the crypter. When executed, the new .exe decrypts the binary a small piece at a time and injects the pieces into an already existing process or a new empty one; alternatively, it drops the code in multiple chunks into alternate data streams (not scanned by antivirus) and then executes it under the guise of a .txt or .mp3 file.
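As an added, detection-side example (not part of the original post): because the post describes the crypter storing the encrypted payload after the stub's end of file, a triage check can parse the PE section table, isolate that trailing overlay and measure its entropy. The thresholds, the synthetic PE fixture and all function names here are constructed for illustration.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_overlay(data: bytes) -> bytes:
    """Return the overlay: everything after the last section's raw data, per the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    sec_table = coff + 20 + opt_size                           # section headers follow the optional header
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return data[end:]

def overlay_report(data: bytes, min_size: int = 512, min_entropy: float = 7.0) -> dict:
    """Flag an overlay that is both sizeable and near-random (thresholds are assumed; tune per corpus)."""
    ov = pe_overlay(data)
    ent = round(shannon_entropy(ov), 2)
    return {"overlay_size": len(ov), "overlay_entropy": ent,
            "suspicious": len(ov) >= min_size and ent >= min_entropy}

def build_sample_pe(section: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE-shaped image with one section; a parsing fixture, not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr size
    sec = struct.pack("<8sIIII", b".text", len(section), 0x1000, len(section), 0x200) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(0xE0) + sec
    hdr += bytes(0x200 - len(hdr))                            # pad to the section's PointerToRawData
    return hdr + section + overlay
```

A real sample would be read from disk and passed to `overlay_report`; legitimate installers and signed binaries also carry overlays, so the flag is a triage hint, not a verdict.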

1. Download a free FUD crypter (e.g. abc; the crypter name is obfuscated here).

2. Open the FUD crypter, select your keylogger or RAT file as the server file, then go to the Appearance tab, check “custom icon” and select your icon (an icon pack is also included).

3. Finally, click “Crypt”; you now have a crypted file which is totally undetectable by antiviruses.

3 comments:

  1. That is great information. It's really a great post.

  2. Wonderful information. All these methods sound really great. As I am learning about all of this for the first time, I am finding it a bit difficult to understand them well. I will look for more information.
