So what is a crypter or a packer? From what I have read, crypters and
packers are quite similar. While the lines between them can blur, a
packer generally deals with compression and obfuscation and is often
used by software companies to hinder reverse-engineering of their
software. A crypter is focused on encryption and is a program that
has grown out of the underground community. Both crypters and packers
obfuscate code to deter reverse-engineering. By using a crypter or
packer on malicious code, an attacker increases the chance of
bypassing anti-virus fingerprint/signature-based detection.
Strategy
For this last SLAE problem I decided that I wanted to try to use AES
256-bit encryption for my shellcode crypter. I found some sample C code
here
which illustrates how to use the OpenSSL C library for
encryption/decryption. The strategy will be as follows:
1. Create an encrypt and a decrypt C program, using the sample code
   provided in the above link as a guide.
2. Add the execve /bin/sh shellcode from the SLAE course to the
   encrypt C program.
3. Encrypt the shellcode using AES and capture the encrypted
   shellcode output.
4. Place the encrypted shellcode within the decrypt program.
5. Set up the decrypt program so that a function pointer points to the
   decrypted shellcode and executes it.
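Before the C programs, here is an added example (my own code, not the author's, and not using the OpenSSL sample linked above) that shows in one place why the strategy works and what it does not hide. It rounds a constructed payload through an encrypt/decrypt cycle, then runs the two static checks a defender would apply to each form: a byte-signature match, which the introduction says a crypter defeats, and a Shannon-entropy heuristic, which encrypted data trips. Assumptions: the payload and the signature string are constructed placeholders, not the SLAE shellcode; the cipher is a SHA-256 keystream standing in for AES, because Python's standard library has no AES; the 7.0 bits/byte threshold is an assumed heuristic value.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a plaintext payload. It is NOT the SLAE shellcode;
# it is low-entropy structured data containing a string a byte-signature rule
# might key on ("/bin//sh" is used here only as a constructed example signature).
PLAINTEXT_PAYLOAD = b"/bin//sh" + bytes(range(64)) * 16 + b"/bin//sh"
SIGNATURE = b"/bin//sh"

# Fixed constructed key so the demonstration is repeatable. A real crypter
# still has to ship its key (or a way to derive it) inside the decrypt stub.
KEY = b"constructed-demo-key-not-for-real-use"

# Assumed heuristic cut-off: encrypted or compressed data sits near 8 bits/byte.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher used in place of AES (the stdlib has none).

    Keystream block i = SHA-256(key || i). XOR is symmetric, so the same
    call both encrypts and decrypts. Demonstration cipher only, not AES.
    """
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block_no.to_bytes(8, "little")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def signature_hit(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """The static byte-pattern check that the text says a crypter defeats."""
    return signature in blob


def scan(blob: bytes) -> dict:
    """Static triage of a blob: signature match plus entropy heuristic."""
    h = shannon_entropy(blob)
    return {
        "signature_hit": signature_hit(blob),
        "entropy": round(h, 3),
        "high_entropy": h >= ENTROPY_THRESHOLD,
    }


def demo() -> tuple:
    """Encrypt the stand-in payload, scan both forms, and decrypt it again."""
    encrypted = keystream_crypt(KEY, PLAINTEXT_PAYLOAD)
    decrypted = keystream_crypt(KEY, encrypted)
    return scan(PLAINTEXT_PAYLOAD), scan(encrypted), decrypted == PLAINTEXT_PAYLOAD


if __name__ == "__main__":
    plain, enc, roundtrip = demo()
    print("plaintext :", plain)   # signature hit, entropy ~6 bits/byte
    print("encrypted :", enc)     # no signature hit, entropy near 8 bits/byte
    print("roundtrip :", roundtrip)
```

The plaintext form matches the signature and scores around 6 bits/byte; the encrypted form no longer matches but scores close to 8, which is exactly what entropy-based triage looks for. The same trade-off applies to the C crypter the post builds: the AES ciphertext hides the shellcode bytes from a signature, but the high-entropy blob and the decrypt-then-execute stub around it are themselves observable.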
Let's write the code.
The Code
The assembly for the execve /bin/sh shellcode was the following:
We compile and link the shellcode using the provided compile.sh script:
We proceed to get the shellcode using our dumpsc function we wrote
in the previous exercise:
Now we have the shellcode. We proceed to write the aesencrypt.c
program. Most of the code is a straight reproduction of the OpenSSL
example code, minus the decryption functionality and with our
shellcode added:
When we compile this program we need to remember to link the OpenSSL library:
When we run the encryption program we see the following output:
We can see our original shellcode and the encrypted version as
well. The next task is to write our decryption program and add the
encrypted shellcode to it. Once again, most of the decryption code is
reproduced from the OpenSSL example, but I have modified it to
remove the encryption-related code, and instead of printing out the
decrypted text I cast it to a function pointer and execute it,
as our usual C stub programs have done:
When we compile this program we need to ensure once again that we link
the OpenSSL library, and also disable stack protection and make the
stack executable:
Perfect. Now for the moment of truth…
The Execution
It works! We see that our original execve /bin/sh shellcode has
executed and we can run commands on our shell as expected.