Encrypting Your Payload

Overview

Whether you choose to statically include your shellcode in the binary or choose to stage it, encrypting it is important. This is because anti-virus and EDR solutions have static detections and signatures for for known malware.

There are 3 easy encryption/decryption methods that will be covered including:

  • XOR
  • RC4
  • AES

The XOR operation is often performed with the ^ symbol in most languages. XOR is an abbreviation of “Exlusive OR” and is an equation given 2 logical statements. The XOR function returns TRUE if one statement is true (1) and the other statement is false (0) meaning that these statements are exclusive to eachother.

An example of XOR:

1
2
3
4

A ^ b = #
     A = 0 1 0 0 0 0 0 1
     b = 0 1 1 0 0 0 1 0
result = 0 0 1 0 0 0 1 1 (#)

An example of XOR implemented in C would be:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

#include <stdio.h>
#include <string.h>

void xor(char key, char *data, int length){
        for(int x = 0; x < length; x++)
        {
                data[x] ^= key;
        }
}

int main(){
        char key = 'z';
        char data[] = "Hello World";

        printf("Before XOR: %s\n", data);

        // encrypting data[] with XOR
        xor(key, data, strlen(data));
        printf("After XOR: %s\n", data);

        // final XOR to restore to original
        xor(key, data, strlen(data));
        printf("Restored with XOR: %s\n", data);
}

RC4 or Rivest Cipher 4 is a symmetric stream cipher that produces a pseudo-random keystream based on a variable length key. Its extremely fast and super easy to implement with the Win32 api.

An example of RC4 implemented in C would be:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

#include <windows.h>
#include <stdio.h>
#include <string.h> 

struct ustring {
    DWORD Length;
    DWORD MaximumLength;
    PUCHAR Buffer;
};

typedef NTSTATUS(WINAPI* _SystemFunction033)(
    struct ustring* memoryRegion,
    struct ustring* keyPointer
);


int main() {
    _SystemFunction033 SystemFunction033 = (_SystemFunction033)GetProcAddress(LoadLibraryW(L"advapi32.dll"), "SystemFunction033");

    char _key[] = "KeyKeyKeyKey";
    unsigned char cleartext[] = "Hello World";
    printf("Original: %s\n", (char*)cleartext); 
    struct ustring key;
    key.Buffer = (PUCHAR)_key; 
    key.Length = strlen(_key);

    struct ustring _data;
    _data.Buffer = (PUCHAR)cleartext;
    _data.Length = sizeof(cleartext) - 1;

    SystemFunction033(&_data, &key);

    printf("Encrypted: %s\n", (char*)_data.Buffer);

    return 0;
}

AES or Advanced Encryption Standard is a widely trusted and used encryption algorithm. It can be a bit difficult to learn at first, but its the best encryption algorithm out of the other 2 we talked about. I utilize the tiny AES project so in order to program this out, you will have to pull some included files down.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

#include <stdio.h>
#include <stdint.h>
#include <string.h>

// https://github.com/kokke/tiny-AES-c
#include "aes.h"
#include "aes.c"


int main(void) {
    // Key and IV HAVE to be 16 bytes long or this wont work.
    uint8_t key[16] = {
        0x60,0x3d,0xeb,0x10, 0x15,0xca,0x71,0xbe,
        0x2b,0x73,0xae,0xf0, 0x85,0x7d,0x77,0x81
    };
    uint8_t iv[16]  = {
        0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
        0x01,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f
    };

    struct AES_ctx ctx;
    char message[] = "Hello World";
    size_t len = strlen(message);
    printf("Plaintext: %s\n", message);

    // initialize the AES context with the key and IV and encrypt the message
    AES_init_ctx_iv(&ctx, key, iv);
    AES_CTR_xcrypt_buffer(&ctx, message, len);

    printf("Ciphertext: %s\n", (char*)message);

    // decrypt the message by reinitializing the AES context with the same key and IV
    AES_ctx_set_iv(&ctx, iv);
    AES_CTR_xcrypt_buffer(&ctx, message, len);

    printf("Decrypted: %s\n", (char*)message);
    return 0;
}

Sources:

https://osandamalith.com/2022/11/10/encrypting-shellcode-using-systemfunction032-033/
https://github.com/kokke/tiny-AES-c
https://www.geeksforgeeks.org/advanced-encryption-standard-aes/

0%