cryptic.c

1. //
2. // cryptc.c
3. // The official way of writing a crypter in C | Source Code
4. // 1: encrypts “.text” section
5. // 2: you must have enough free space at the end of the section for the stub
6. // 3: there may not be transparency in the RVA (like – raw size = 1000, virutal size = 2000) for that section, o
7. // it may malfunction
8. // 4: *edited* how did i miss that, there must be no relocations for “.text” section
9. //
10. //
11. //
12.  
13. #include <stdio.h>
14. <pre>#pragma comment(linker, "/OPT:NOREF") // this tells the linker to keep the machine code of unreferenced source code
15. #pragma optimize("", off) // disable all optimizations in order for our stub to run smootly, though im not sure if it really helps, i just saw some guy doing it this way lolz <span class="wp-smiley wp-emoji wp-emoji-smile" title=":)">:)</span>
16.  
17. #include <windows.h> // familiar?
18. #include <stdio.h> // i wonder what this might be, hmm...
19.  
20. // gets the first sections header offset
21. #define SECHDROFFSET(a) ((LPVOID) ( (LPBYTE) a + \
22. ((PIMAGE_DOS_HEADER)a)->e_lfanew + \
23. sizeof(IMAGE_NT_HEADERS)))
24.  
25. // those are the offsets to the
26. #define OEP_o 21 // original entry point
27. #define SEG_o 11 // virtual address of section
28. #define BSZ_o 1 // block size, must be a multiple of 8
29. #define SZ_o 6 // section size, must be a multiple of the chosen block size
30. // values in the stub
31.  
32. // a simple block xor
33. // every byte in the given block is XOR'ed with its index
34. void _xor_block(unsigned char *pblock, unsigned int blocksize)
35. {
36. unsigned int i;
37.  
38. for(i = 0; i < blocksize; i++)
39. pblock[i] ^= i;
40.  
41. return;
42. }
43.  
44. // just a wrapper around the above function
45. int _xor_chunk(unsigned char* pchunk, unsigned long chunksize, unsigned int blocksize)
46. {
47. if(chunksize % blocksize || blocksize % 8)
48. return -1;
49.  
50. unsigned long index = 0;
51.  
52. while(index < chunksize)
53. {
54. _xor_block(pchunk + index, blocksize);
55. index += blocksize;
56. }
57.  
58. return 0;
59. }
60.  
61. // this is our stub and the new entry point for the encrypted PE
62. __declspec(naked) void __stdcall _stub(void)
63. {
64. __asm
65. {
66. push 0xFEFEFEFE //blocksize
67. push 0xFDFDFDFD //chunksize
68. push 0xFCFCFCFC //pchunk
69.  
70. call _xor_chunk //decrypt
71.  
72. mov eax, 0x7FFFFFFF //oep
73. jmp eax //go go
74. }
75. }
76.  
77. // a placeholder, used for stub size calculation
78. __declspec(naked) int _end(void)
79. {
80. __asm ret 8
81. }
82.  
83. // so basicly the ASM code of the above 3 (w/o _end) functions will be added to the end of the ".text" section
84. // after updating the proper values in the stub, ofc
85. // then the PE header is updated along with the section header
86. // and with the entry point at _stub's code its all done! wow that was easy oO
87.  
88. // GO GO POWER RANGERS!!!
89. int main(void)
90. {
91. // im not going to lecture you about those, if you are not familiar with these structures, you should go read about PE format...
92. PIMAGE_DOS_HEADER pDosH;
93. PIMAGE_NT_HEADERS pNtH;
94. PIMAGE_SECTION_HEADER pSecH;
95.  
96. // variables
97. HANDLE hFile;
98.  
99. DWORD dwFileSize, dwSectionSize, dwStubSize,
100. dwVSize, dwOldProt, dwSpot, dwGap, bytes;
101.  
102. LPBYTE FileBuffer, SectionBuffer;
103. CHAR FileName[MAX_PATH];
104.  
105. // get the filename to encrypt
106. printf("File to encrypt: ");
107. scanf("%s", &FileName);
108.  
109. // open it and get the size
110. hFile = CreateFile(FileName, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0);
111. dwFileSize = GetFileSize(hFile, 0);
112.  
113. // load in memory
114. FileBuffer = (LPBYTE) malloc(dwFileSize);
115. ReadFile(hFile, FileBuffer, dwFileSize, &bytes, 0);
116.  
117. pDosH = (PIMAGE_DOS_HEADER) FileBuffer;
118.  
119. // check if it is valid PE, i would say that this is merely a proper check, for a proper one you would need to calculate all the RVA's and see if they are valid
120. if(pDosH->e_magic != IMAGE_DOS_SIGNATURE)
121. return -1;
122.  
123. pNtH = (PIMAGE_NT_HEADERS) (FileBuffer + pDosH->e_lfanew);
124.  
125. if(pNtH->Signature != IMAGE_NT_SIGNATURE)
126. return -2;
127.  
128. pSecH = (PIMAGE_SECTION_HEADER) SECHDROFFSET(FileBuffer);
129.  
130. while(memcmp(pSecH->Name, ".text", 5)) // get the ".text" section header
131. pSecH++;
132.  
133. dwVSize = pSecH->Misc.VirtualSize; // the virtual size of the section, later this will be used as chunksize in our stub, after proper alignment
134. dwSectionSize = pSecH->SizeOfRawData; // speaks for itself
135. dwStubSize = (DWORD) _end - (DWORD) _xor_block; // the stubsize, in bytes
136.  
137. SectionBuffer = (LPBYTE) malloc(dwSectionSize); // allocate memory enough to hold our raw section data
138. memcpy(SectionBuffer, FileBuffer + pSecH->PointerToRawData, dwSectionSize); // ... copy the data
139.  
140. _xor_chunk(SectionBuffer, dwSectionSize, 256); // aaand encrypt it! you can use different block sizes here - 8, 16, 32, 64, 128, 256, 512...
141. memset(SectionBuffer + pSecH->Misc.VirtualSize, 0, (dwSectionSize - pSecH->Misc.VirtualSize)); // fill with zeros after the end of actual data
142.  
143. dwSpot = pSecH->Misc.VirtualSize; // this will be the offset (relative to the beginning of the section) where we will place our stub
144.  
145. while(dwSpot % 16) // align it to 16 byte boundary
146. dwSpot++;
147.  
148. dwSpot += 256; // this is in order to prevent the stub from corruption by overwriting its own code, since we will place it after the end of the section data
149. dwGap = dwSpot - pSecH->Misc.VirtualSize; // the gap between our stub and the end of the data
150.  
151. DWORD oep = pNtH->OptionalHeader.AddressOfEntryPoint + pNtH->OptionalHeader.ImageBase; // the original entry point, this is a linear address
152. DWORD seg = pSecH->VirtualAddress + pNtH->OptionalHeader.ImageBase; // the section address, you guessed right, this too is a linear one
153. DWORD bsz = 256; // you know what this is
154.  
155. while(dwVSize % bsz) // we need to align it to block size
156. dwVSize++;
157.  
158. VirtualProtect(_xor_block, dwStubSize, PAGE_EXECUTE_READWRITE, &dwOldProt); // to be able to update the stub...
159.  
160. // and update it, blah, blah, blah...
161. memcpy((void *)((unsigned long) _stub + OEP_o), &oep, 4);
162. memcpy((void *)((unsigned long) _stub + SEG_o), &seg, 4);
163. memcpy((void *)((unsigned long) _stub + BSZ_o), &bsz, 4);
164. memcpy((void *)((unsigned long) _stub + SZ_o), &dwVSize, 4);
165.  
166. memcpy(SectionBuffer + dwSpot, _xor_block, dwStubSize); // place the damn thing already!
167.  
168. pSecH->Characteristics = 0xE0000060; // R/W/E, executable code, initialized data. although my experience shows that you are just fine with R/W...
169. pSecH->Misc.VirtualSize += dwStubSize + dwGap; // update the virtual size of the section
170. pNtH->OptionalHeader.AddressOfEntryPoint = pSecH->VirtualAddress + dwSpot + ( (DWORD)_stub - (DWORD)_xor_block ) ;
171.  
172. // and finally update the file
173. SetFilePointer(hFile, pSecH->PointerToRawData, 0, FILE_BEGIN); //new section data
174. WriteFile(hFile, SectionBuffer, dwSectionSize, &bytes, 0);
175.  
176. SetFilePointer(hFile, pDosH->e_lfanew, 0, FILE_BEGIN); //new PE header
177. WriteFile(hFile, pNtH, sizeof(IMAGE_NT_HEADERS), &bytes, 0);
178.  
179. SetFilePointer(hFile, ((DWORD) pSecH - (DWORD) FileBuffer), 0, FILE_BEGIN); //new section header
180. WriteFile(hFile, pSecH, sizeof(IMAGE_SECTION_HEADER), &bytes, 0);
181.  
182. // some good habits <span class="wp-smiley wp-emoji wp-emoji-smile" title=":)">:)</span>
183. CloseHandle(hFile);
184.  
185. free(FileBuffer);
186. free(SectionBuffer);
187.  
188. return 0;
189. }
190.  
191. // bye, bye, EOF