Assignment 7 – Custom Shellcode Crypter
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-1112
This is the last assignment in order to complete the SLAE (32bit) certification.
What is a Crypter?
A Crypter is a type of software that can encrypt, obfuscate, and manipulate malware, to make it harder to detect by security mechanisms. It is used by cybercriminals to create malware that can bypass security programs by presenting itself as a harmless program until it is executed. – Trend Micro
Custom Shellcode Crypter
The objective for this Assignment is to create a Custom Crypter using any programming language and using any existing encryption schema. This implementation uses AES 128 in CBC mode.
This AES 128 implementation can be found at https://github.com/kokke/tiny-AES128-C.
The example to be encrypted is our old friend, the execve-stack Shellcode:
The Shellcode encryption is done by the file aescrypt.c. It splits the Shellcode into 16-byte (128-bit) blocks and encrypts them block by block with the defined key. If the Shellcode length is not a multiple of 16 bytes, the cryptor automatically pads it with NOP instructions.
The key is also 16 bytes (128 bits) and is padded with null bytes if necessary.
In the following image it is possible to see the cryptor in action:
Here is the source code of the Cryptor:
gcc aescrypt.c aes.c -o aescrypt
As its name suggests, the decryptor (decrypt_exec_shellcode.c) decrypts the Shellcode and then executes it. In the following image it is possible to see the decryptor output:
Here is the source code of the Decryptor:
gcc decrypt_exec_shellcode.c aes.c -o decrypt_exec_shellcode -fno-stack-protector -z execstack
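Because the decryptor has to run the decrypted Shellcode from a writable buffer, it is built with -z execstack, and that request is recorded in the ELF program headers as a PT_GNU_STACK entry with the execute bit set. The following Python is an added defender-side check, not code from the original post or the SLAE repository: it reads that marker from an ELF image. The make_elf32 helper builds a constructed, non-loadable test image, and treating a missing PT_GNU_STACK as executable is an assumption matching the Linux x86 default.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that records the requested stack permissions
PF_X = 0x1                 # execute bit in p_flags


def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none.

    Handles little-endian ELF32 and ELF64 (x86 / x86-64) only.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class = elf[4]  # 1 = ELF32, 2 = ELF64
    if ei_class == 1:
        e_phoff = struct.unpack_from("<I", elf, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
        flags_off = 24  # p_flags is the 7th field of Elf32_Phdr
    elif ei_class == 2:
        e_phoff = struct.unpack_from("<Q", elf, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
        flags_off = 4   # p_flags directly follows p_type in Elf64_Phdr
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", elf, off)[0]
        if p_type == PT_GNU_STACK:
            return struct.unpack_from("<I", elf, off + flags_off)[0]
    return None


def stack_is_executable(elf: bytes) -> bool:
    """True when the binary asks for an executable stack, as -z execstack does.

    Assumption: a missing PT_GNU_STACK header is treated as executable,
    which is the Linux loader's default on x86 when the marker is absent.
    """
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)


def make_elf32(stack_flags=None) -> bytes:
    """Constructed minimal ELF32 image (header plus at most one program header) for testing.

    It is not loadable; it only exercises the header parsing above.
    """
    phnum = 0 if stack_flags is None else 1
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # e_ident: ELF32, little-endian, v1
    # e_type=EXEC, e_machine=i386, e_phoff=52, e_ehsize=52, e_phentsize=32, e_phnum
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
    phdr = b"" if not phnum else struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr
```

Running gnu_stack_flags over a real build of decrypt_exec_shellcode shows the same RWE flags that readelf -l reports for its GNU_STACK segment.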
As always, the full code can be found in my SLAE Github repository.
With this I finish my last Assignment towards the SLAE32 certification. I would like to thank Vivek Ramachandran and the Pentester Academy team for putting together such a great course. See you in the SLAE64.