Date: Wed, 09 May 2012 11:18:25 +0300
From: Dimitris Glynos <dimitris@...sus-labs.com>
To: Levent Kayan <levonkayan@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: Hyperion - Paper about Windows PE run-time encryption

On 05/09/2012 02:15 AM, Levent Kayan wrote:
> Hello,
> 
> A few minutes ago, we released a paper about Windows PE runtime crypters.
> 
> A short description:
> 
> Hyperion: Implementation of a PE crypter - This paper reveals the
> theoretic aspects behind run-time crypters and describes a reference
> implementation for Portable Executables.
> 
> You can find the paper, here: http://nullsecurity.net/papers.html
> 
> We will release the source code (hyperion) during our berlinsides talk
> (http://berlinsides.org/ - Thank you aluc). Also, our talk is based on
> this paper.

On a related note, you might want to check this out:

http://census-labs.com/news/2012/05/07/athcon-2012-update/

In our AthCon 2012 presentation, entitled "Packing Heat", we presented
the design of a fully metamorphic packer. It's quite elegant, in the
sense that the packer:
- is a cross-platform Ruby script
- fully controls the assembly and linking process of the
  resulting binary through METASM
- comes with its own library of metamorphic instructions
  (no fixed code for memory allocator, decryptor and loader)

Our goal was to achieve AV evasion during pentests. So there's no
anti-RE / anti-debugging code there.

I see that Hyperion uses AES128 encryption and the output is placed
in a byte array in the executable (please correct me if I'm wrong).
There's a problem with this (if you are interested in AV evasion).
Apart from the fixed decryption code (which is signature friendly), you
have section data of increased entropy. We've found that increased
entropy "raises alerts" in the AV world; the file will be flagged
as suspicious and more thorough checks will be performed. If you're
still interested in AES encryption you might want to generate
instructions that load these bytes (rather than just place them in the
executable). This will considerably decrease information entropy.

We will not be releasing the source code to our packer, but we've put
a step-by-step guide in our slides, so you can build one from scratch.
Our prototype implementation is only 1700 lines of code :-)

Best regards,

Dimitris

http://census-labs.com -- IT security research, development and services
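
The entropy heuristic Dimitris describes (encrypted section data raising AV suspicion), seen from the detection side, as an added example that is not part of the original post or of either project's code: a Python script that walks a PE section table, computes Shannon entropy per section, and flags sections above a threshold. The 7.0 bits/byte threshold, the section name ".packed" and the minimal test PE image are constructed assumptions for illustration.

```python
import hashlib, math, struct
from collections import Counter

# Assumed threshold: encrypted/compressed payloads approach 8 bits per byte, plain x86 code and text sit well below.
HIGH_ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section by walking the COFF header and the section table."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_hdr_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_hdr_size
    for i in range(num_sections):
        hdr = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def flag_high_entropy_sections(image: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> dict:
    """Return {section_name: entropy} for every section whose raw data exceeds the threshold."""
    scores = {name: shannon_entropy(data) for name, data in pe_sections(image)}
    return {name: round(h, 2) for name, h in scores.items() if h > threshold}

def build_test_pe(sections) -> bytes:
    """Construct a minimal, non-executable PE image from [(name, bytes)]; a test fixture only."""
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = len(image) + 40 * len(sections)  # raw data follows the section table
    payload = b""
    for name, data in sections:
        image += name.ljust(8, "\0").encode() + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr)
        image += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        payload += data
    return bytes(image) + payload

# Constructed sample: a low-entropy "code" section and an encrypted-looking blob (SHA-256 output stream).
PLAIN_CODE = bytes(range(16)) * 64
CIPHER_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_PE = build_test_pe([(".text", PLAIN_CODE), (".packed", CIPHER_BLOB)])
```

Running `flag_high_entropy_sections(SAMPLE_PE)` reports only the `.packed` section; a real scanner would feed this score into further checks rather than treat it as a verdict on its own.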
