Rationale of Antiviruses and Crypters

Baphomet

Participant Member
23 Apr 2020
Hello everyone, today I am going to teach you the working logic of antiviruses and crypters with my own explanations, which may be true or false. I will use MalwareBytes as the example antivirus. Actually it is not an antivirus, it is an anti-malware, and a simple one.

[Image: QjId2n.png]


I will use Quasar RAT as the example malware; it is coded in C#.NET, and many of you know that malware.

+ Managing files and folders.
+ Downloading and uploading files.
+ Managing the Task Manager.
+ Running CMD commands.
+ Webcam and screenshots.

and it contains a lot of features like that. The malware uses a reverse shell, which means the server is the hacker's computer and the client is the target's computer. The target connects to the hacker at the stated IP address and port.

[Image: QjYkje.png]


I am creating an example malware with QuasarRAT; the IP address will be 127.0.0.1, so it will be for the local computer, and I will try it on my own computer. My malware scanner MalwareBytes' Malware and PUP protection is on, by the way.

[Image: QjYsPf.png]


I saved the malware to the desktop as backdoor.exe.

[Image: QjaRcA.png]


When I scan this with MalwareBytes;

[Image: QjaZIS.png]


When I run this on my computer;

[Image: Qjawlc.png]


It shows us backdoor.exe's static and dynamic analysis reports.

STATIC ANALYSIS

Static analysis tries to match small sections and variables in the code of an application against the code of known malicious applications in the antivirus database. If there is a match, the application is classified as a virus.
To bypass this, the crypter encrypts the byte code of the application. When the crypter's output runs, it decodes the byte code and drops our malware in pure form into some directory. Crypting generally uses methods such as the BASE64 encoding technique, RC4, XOR, AES, etc. Now let's code a scan-time crypter as an example.

We open a project in any IDE you want. First, I will code the STUB that will be compiled and carry the encrypted code of the virus. Then I will code a binder that integrates the desired bytes into the STUB project and compiles it. Here is my STUB project;

[Image: QjmT9U.png]


Here, the function named AESDecryption returns the byte code of the encrypted malware, decrypted with the specified key and IV. The Extractor function writes the specified decoded bytes to the specified directory. Our directory is held in the string variable named "backdoorPath", so it will be extracted to "C:\Users\Azad\AppData\Roaming\Backdoor.exe", and the extracted Backdoor.exe will be started.

The [KEY], [IV] and [BYTES] markers in the code should be noted. They are not variables and not inputs. We will save the code of this project in a text ******** and save it in Resources in the Binder. Then we will replace the [KEY], [IV] and [BYTES] markers and compile it with CodeDom.

I open a new project and put the uncompiled source code into the Resources part.

[Image: QjsJfA.png]


Now let's go to the code part.

[Image: QjKRkM.png]


(There is an error on the 36th line of the photo; do not consider it, it is a problem caused by me. It will not affect you.)

In the code, the program first asks for the name the STUB will be given when it is compiled, the key for AES, the IV for AES and the path of the malware to be crypted. Then, using these values, we edit the source code that we added to Resources with the Replace function, and finally we compile our STUB with the Compile function.

Here is the result;

[Image: QjKKrx.png]


And it came out in the STUB directory, named Chrome.exe.

[Image: QjKfE1.png]


We have to obfuscate this exe now; I will use SmartAssembly for obfuscation. This method makes the code difficult to read.

[Image: QjqiCo.png]


[Image: QjqDRA.png]


Now I will use VirusTotal for the scan results. (If you are thinking of using this, do not send it to sites like VirusTotal that send reports to the antiviruses.)

Original backdoor.exe

[Image: QjWUC8.png]


Crypted backdoor.exe

[Image: QjW9SS.png]


As you can see, there has been a big decrease in detection rates, but those 50 antiviruses will still detect this file when they are running. The crypter we made was scan-time.
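A defender-side counterpart, added here as an example and not part of the original post: encrypting the payload defeats a signature match, but the encrypted bytes themselves stand out. This Python check slides a window over a constructed stub image (plain text followed by pseudo-random bytes standing in for the AES-encrypted payload; no real binary is used) and reports the windows with near-8-bit entropy, one of the heuristics a static scanner applies on top of database matching.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(blob: bytes, window: int = 1024, threshold: float = 7.0):
    """Slide a fixed window over the blob and report (offset, entropy) for every
    window at or above the threshold. Plain text and ordinary code sit around
    4-6 bits/byte; AES output, RC4 output or a compressed stream is close to 8."""
    hits = []
    for off in range(0, len(blob) - window + 1, window):
        e = shannon_entropy(blob[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def build_sample_stub(seed: int = 1) -> bytes:
    """Constructed sample, not a real binary: 4 KiB of low-entropy text standing in
    for the stub's own code, followed by 8 KiB of seeded pseudo-random bytes
    standing in for the encrypted payload the stub carries."""
    text = (b"using System; // ordinary stub source, low entropy\r\n" * 200)[:4096]
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(8192))
    return text + payload


if __name__ == "__main__":
    # Only the 8 windows covering the encrypted region should be reported.
    for off, e in high_entropy_windows(build_sample_stub()):
        print(f"suspicious window at offset {off:#x}: {e} bits/byte")
```

The same sliding-window scan over a real PE file would point at the resource or section holding the encrypted payload; obfuscation of the stub's own code does not lower the entropy of that region.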

DYNAMIC ANALYSIS

The reason this method exists is that the source code of viruses is encrypted and obfuscated in different ways, so antiviruses cannot detect the malware through database matches. That's why antiviruses use dynamic analysis. Dynamic analysis examines registry operations, file and folder operations, process manager operations, network operations and many other activities. Now let's code a run-time crypter.
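As an added example (not from the original post), this is the kind of correlation a dynamic-analysis log rule can apply to the scan-time stub's behaviour described above: it writes Backdoor.exe under AppData\Roaming, starts it, and the child process connects out. The events are constructed Sysmon-style records, not a captured trace; the Desktop path of the stub, the process ids and the port are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One behaviour record, constructed to look like a Sysmon-style event."""
    seq: int
    kind: str           # "process_create", "file_create" or "network_connect"
    pid: int
    path: str           # file written, or image of the process created / connecting
    parent_image: str = ""
    dest: str = ""      # "ip:port" for network_connect


# Constructed sample trace (not captured from a real run): the stub writes a PE under
# AppData\Roaming, starts it, and the child connects out. Port 5555 is a placeholder.
SAMPLE_EVENTS = [
    Event(1, "process_create", 4100, r"C:\Users\Azad\Desktop\Chrome.exe", r"C:\Windows\explorer.exe"),
    Event(2, "file_create", 4100, r"C:\Users\Azad\AppData\Roaming\Backdoor.exe"),
    Event(3, "process_create", 4188, r"C:\Users\Azad\AppData\Roaming\Backdoor.exe", r"C:\Users\Azad\Desktop\Chrome.exe"),
    Event(4, "network_connect", 4188, r"C:\Users\Azad\AppData\Roaming\Backdoor.exe", dest="127.0.0.1:5555"),
    Event(5, "file_create", 2200, r"C:\Users\Azad\AppData\Roaming\notes.txt"),   # benign noise
]


def detect_drop_and_execute(events):
    """Correlate: an .exe written under a user's AppData, later started as a process,
    and (escalating severity) that process then opening a network connection."""
    dropped = {}    # lower-cased path -> pid of the writer
    started = {}    # pid -> lower-cased image path of a flagged process
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        low = ev.path.lower()
        if ev.kind == "file_create" and "\\appdata\\" in low and low.endswith(".exe"):
            dropped[low] = ev.pid
        elif ev.kind == "process_create" and low in dropped:
            started[ev.pid] = low
            findings.append({"rule": "drop_and_execute", "dropper_pid": dropped[low],
                             "parent": ev.parent_image, "pid": ev.pid, "image": ev.path,
                             "severity": "medium"})
        elif ev.kind == "network_connect" and ev.pid in started:
            for f in findings:
                if f["pid"] == ev.pid:
                    f["severity"] = "high"
                    f["dest"] = ev.dest
    return findings
```

A run-time stub that never touches disk produces no file_create event, which is why the in-memory variant needs a different signal (assembly loads without a backing file, or the outbound connection itself).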

We open a project in any IDE you want. First, I will code the STUB that will be compiled and carry the encrypted code of the virus. Then I will code a binder that integrates the desired bytes into the STUB project and compiles it. Here is my STUB project;

[Image: Qjlgkx.png]


As you can see, instead of extracting it to a directory this time, we create a child process in memory in the Run function and run the bytes decrypted with AESDecryption there.

The first parameter of the MethodBase.Invoke function is the instance on which to start the code; we left it null because we wanted Main. The second parameter is the parameters of the Main function, which can be edited optionally. This function is designed for .NET executables; you may need to use WIN32 APIs if you want to crypt an executable written in another language. Now we save this code in Notepad and paste it into the Resources section of the project that we will open for the Binder.

[Image: QjsJfA.png]


Now let's go to the code part.

In the code, the program first asks the user for the STUB's key for AES, the IV for AES, and the path of the malware to be crypted. Then, using these values, we edit the source code that we added to Resources with the Replace function, and finally we compile our STUB with the Compile function.

[Image: QjMqk0.png]


And here is the result;

[Image: QjMAbI.png]


And it came out in the STUB directory, named Chrome.exe.

[Image: QjKfE1.png]


Now let's do a run-time scan;

[Image: QjZghh.png]


As you can see, the connection to the QuasarRAT server (the hacker, me) went through without any intervention from MalwareBytes.


How Can We Circumvent the Sandbox

Some antivirus and anti-malware products test executable files in sandboxes and write their behaviour to a log file; according to this log file the antivirus detects malware. Most sandboxes have run-time limits: they shut down after a certain period and produce the log. In the past, when we put our application into Sleep mode in virtual environments, the sandbox would see the application as harmless. Later this method became primitive. As a method to overcome this again, we constantly allocate 2 areas in memory, fill the 1st area and then copy the 1st area into the 2nd. So the sandbox perceives the application as harmless and says "This is doing a lot, absolutely harmless." Here is the example code for this;

[Image: Qjwqic.png]


Now let's try this for example;

The example that does not run the harmless code first, but runs the malicious code directly;

[Image: Qj7xkM.png]


The example that runs the harmless code first and then runs the malicious code;

[Image: Qj0XYq.png]




That was the end of my topic. Antiviruses and anti-malware can still detect these methods, and if they come up with a powerful or new method, these methods won't work. I suggest writing the code for the type of file to be crypted yourself instead of using a crypter, so it's hard to catch. It is also easy to catch if a crypter is used.
