Learning to crypt: professional techniques for evading antivirus software


CRYPTO file

Format

A CRYPTO file is the product of the Crypter encryption process. This file
stores both the encrypted version of the user file and the public credentials
needed to encrypt and decrypt it. It has a .crypto file extension, which
is appended to the full file name (including the extension) of the file
originally encrypted. The file itself is a tar archive with the following
structure:

someFile.crypto
├── data // the encrypted version of the user selected file
└── creds // the public credentials used to encrypt it

Reusing the same MasterPass

If you attempt to decrypt a CRYPTO file by resetting to a specific
MasterPass or setting an identical MasterPass on a different machine,
you will most likely encounter a decryption error.

This happens because the MasterPassKey that was originally used to derive the
encryption key is not the same as the MasterPassKey derived from the reused
MasterPass. Since Crypter uses randomness to generate secure credentials, the
second set of credentials will differ from the original set. As a result, the
derived encryption key is incorrect and decryption fails with this error.

See the section «Achieving portability and same MasterPass reuse» below for
instructions on how to successfully reuse the same MasterPass.

Achieving portability and same MasterPass reuse

To achieve portability on Crypter, the set of MasterPassKey credentials
need to be exported from Crypter on the source machine
and imported into Crypter on the target machine.

This can be achieved in two simple steps:

  1. Export the MasterPassKey credentials from Crypter on the source machine.
  2. Import those credentials into Crypter on the target machine.

Please refer to the FAQs for instructions on how to perform the above steps.

Source machine: the machine where the CRYPTO file was initially
encrypted.

Target machine: the machine where you wish to decrypt the CRYPTO
file.

FAQs

How do I encrypt a file or folder?

If you haven’t already, walk through the setup and set your MasterPass.
To encrypt a file or folder, first launch Crypter and verify your MasterPass.
After doing so successfully, you will see the main Crypter window with an orange
area. Here, you can simply drag-and-drop or click to select the file/folder you
wish to encrypt. Once Crypter is done encrypting your file/folder, it will show
you the encryption information (i.e. the encryption key and the path of the
encrypted file) in a new window. To encrypt another file/folder simply click the
back arrow at the bottom left and start-over 😉

How do I decrypt a CRYPTO file?

To decrypt a CRYPTO file, first launch Crypter and verify your MasterPass. After
doing so successfully, you will see the main Crypter window with an orange area.
Here, you can simply drag-and-drop or click to select the CRYPTO file that you
wish to decrypt. After a few seconds, the process will complete and you will see
some information about the file and its original encryption in a new window. By
default, the decrypted file has the same name as the name of the original file
(i.e. the encrypted file name without the .crypto extension at the end).

How do I encrypt multiple files?

Crypter can encrypt an entire folder so you can put them in a folder or,
alternatively, compress them into an archive (like a ) and then just pass
it to Crypter 😉

Where are my encrypted/decrypted files/folders placed?

By default, every source file that you encrypt/decrypt gets encrypted/decrypted
to the same directory where the source file is located.

How can I access Crypter’s preferences?

You can access Crypter’s preferences by either clicking on the cog icon in the
main Crypter window or by going to from the menu.

How can I reset my MasterPass?

You can reset your MasterPass by clicking on the «Forgot it» link in the Verify
MasterPass window. This takes you to a new screen where you can enter a new, valid
MasterPass. Once you’ve entered it, click the ‘Reset’ button and you’ll be sent
back to the verify screen where you can verify your new MasterPass.

What is a valid MasterPass?

Crypter will not allow you to set an invalid MasterPass. A MasterPass is valid
when it adheres to the following rules:

  • It is at least 8 characters long
  • It has at least one uppercase alphabetic character (A-Z)
  • It has at least one lowercase alphabetic character (a-z)
  • It has at least one numeric character (0-9)
  • It has at least one special character ($@!%*#?&)

These rules are enforced via the following regular expression:

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@!%*#?&]).{8,}$/;

What are MasterPass credentials?

MasterPass credentials are a set of values that are required to derive the
MasterPassKey from the MasterPass. These values have a pseudo-random element and
are cryptographically linked. Every MasterPass that is set or reset with Crypter
has a unique set of MasterPass credentials. These yield a distinct MasterPassKey,
even when a MasterPass is reused.

How can I export my MasterPass credentials?

To export your MasterPass credentials, you can first open Crypter’s
preferences (see above). From this screen, click on the «Export» button. A
dialog will appear from which you can select the folder where you wish to export
the credentials. A success message will confirm a successful export. The
exported MasterPass credentials file is always named .

How can I import my MasterPass credentials?

To import a set of MasterPass credentials, you can first open Crypter’s
preferences (see above). From this screen, click on the «Import» button. A
dialog will appear from which you can locate your file.
After you select it, a success message will confirm a successful import and
you will have to verify the MasterPass for the credentials.

NOTE: while Crypter does not require the MasterPass credentials file to be
exactly named , it does require the file’s contents to
be unaltered from when it was exported from Crypter. If it has been altered,
the import may fail.

Installation

Requirements

RNCryptor 5 is written in Swift 3 and does not bridge to Objective-C (it uses Swift features that have no Objective-C equivalent). If you want an ObjC implementation, see RNCryptor-objc. That version can be accessed from Swift, or both versions can coexist in the same project.

The Bridging Header

CommonCrypto is not a modular header (and Apple has suggested it may never be). This makes it very challenging to import into Swift. To work around this, the necessary header files have been copied into a header that needs to be bridged into Swift. You can do this either by using RNCryptor as a framework, by adding it to your existing bridging header, or by setting it as your bridging header in Build Settings, «Objective-C Bridging Header.»

Installing Manually

The easiest way to use RNCryptor is by making it part of your project, without a framework. RNCryptor is just one Swift file and one bridging header, and you can skip all the complexity of managing frameworks this way. It also makes version control very simple if you use submodules, or check in specific versions of RNCryptor to your repository.

This process works for most targets: iOS and OS X GUI apps, Swift frameworks, and OS X commandline apps. It is not safe for ObjC frameworks or frameworks that may be imported into ObjC, since it would cause duplicate symbols if some other framework includes RNCryptor.

  • Drag and link and into your project
  • If you already have a bridging header file, add (or the path to which you copied ).
  • If you don’t have a bridging header:
    • Swift project: In your target’s Build Settings, set «Objective-C Bridging Header» to your path for the header. (Or create a bridging header and follow the instructions above.)
    • ObjC project: Xcode will ask if you want to create a bridging header. Allow it to, and add to the header (or the path to which you copied )
  • To access RNCryptor from Swift, you don’t need to import anything. It’s just part of your module.
  • To access RNCryptor from ObjC, import your Swift header (modulename-Swift.h). For example: .

Built this way, you don’t need to (and can’t) import RNCryptor in your code. RNCryptor will be part of your module.

Carthage

This approach will not work for OS X commandline apps. Don’t forget to embed the framework.

Built this way, you should add the RNCryptor import to your ObjC or Swift code.

Incremental Usage

RNCryptor supports incremental use, for example when working with streams. This is also useful for cases where the encrypted or decrypted data will not comfortably fit in memory.

To operate in incremental mode, you create an RNCryptor.Encryptor or RNCryptor.Decryptor, call updateWithData repeatedly, gathering its results, and then call finalData and gather its result.

//
// Encryption
//
let password = "Secret password"
let encryptor = RNCryptor.Encryptor(password: password)
let ciphertext = NSMutableData()

// ... Each time data comes in, update the encryptor and accumulate some ciphertext ...
ciphertext.appendData(encryptor.updateWithData(data))

// ... When data is done, finish up ...
ciphertext.appendData(encryptor.finalData())

//
// Decryption
//
let password = "Secret password"
let decryptor = RNCryptor.Decryptor(password: password)
let plaintext = NSMutableData()

// ... Each time data comes in, update the decryptor and accumulate some plaintext ...
try plaintext.appendData(decryptor.updateWithData(data))

// ... When data is done, finish up ...
try plaintext.appendData(decryptor.finalData())

Usage

To begin with, you must select a backend:

RbNaCl (recommended)

RbNaCl is a Ruby FFI binding to libsodium, a portable state-of-the-art
cryptography library.

To use Cryptor with RbNaCl, add the following to your Gemfile:

gem 'rbnacl-libsodium'

And in your Ruby program, require the following:

require 'cryptor'
require 'cryptor/symmetric_encryption/ciphers/xsalsa20poly1305'

Rails (ActiveSupport::MessageEncryptor)

Cryptor can use ActiveSupport 4.0+’s ActiveSupport::MessageEncryptor class to
encrypt messages. This scheme uses AES-256 in CBC mode for encryption and
HMAC-SHA1 to provide ciphertext integrity.

This option is only recommended if you have some compliance issues which
mandate the use of NIST ciphers or if you have problems installing
the rbnacl-libsodium gem or libsodium library for some reason.

To use Cryptor with ActiveSupport::MessageEncryptor, require the following
from a Rails 4.0+ app or other app with ActiveSupport 4.0+ bundled:

require 'cryptor'
require 'cryptor/symmetric_encryption/ciphers/message_encryptor'

Authenticated Symmetric Encryption

To encrypt data with Cryptor, you must first make a secret key to encrypt it
under. Use the following for RbNaCl:

# Make a RbNaCl secret key
secret_key = Cryptor::SymmetricEncryption.random_key(:xsalsa20poly1305)

or the following for ActiveSupport::MessageEncryptor:

# Make an ActiveSupport secret key
secret_key = Cryptor::SymmetricEncryption.random_key(:message_encryptor)

Inspecting a secret key looks like this:

To obtain the secret URI, use the to_secret_uri method, which returns a string:

>> secret_key.to_secret_uri
=> "secret.key:///xsalsa20poly1305;0saB1tfgKWDh_bX0oAquLWgAq-6yjG1u04mP-CtQG-4"

This string can be saved somewhere secret and safe, then later loaded and passed
into Cryptor::SymmetricEncryption.new:

cryptor = Cryptor::SymmetricEncryption.new("secret.key:///xsalsa20poly1305;0saB...")

After this, you can encrypt with the encrypt method:

ciphertext = cryptor.encrypt(plaintext)

and decrypt with the decrypt method:

decrypted = cryptor.decrypt(ciphertext)

Usage

SETOCryptorProvider

SETOCryptorProvider is a factory for SETOCryptor objects. Always use the factory for creating instances.

Create New Cryptor & Master Key

NSString *password = ...;
SETOCryptor *cryptor = ;
SETOMasterKey *masterKey = ;

Actually, you should call these methods from a background thread, as random number generation will benefit from UI interaction.

NSString *password = ...;
dispatch_async(dispatch_get_global_queue(QOS_CLASS_UTILITY, ), ^{
  SETOCryptor *cryptor = ;
  SETOMasterKey *masterKey = ;
  dispatch_async(dispatch_get_main_queue(), ^{
    // do the rest here
  });
});

Create Cryptor From Existing Master Key

This is equivalent to an unlock attempt.

SETOMasterKey *masterKey = ...;
NSError *error;
SETOCryptor *cryptor = ;
if (error) {
  NSLog(@"Unlock Error: %@", error);
} else {
  NSLog(@"Unlock Success");
}

Determine File Sizes

Beginning with vault version 5, you can determine the cleartext and ciphertext sizes in O(1). Reading out the file sizes before vault version 5 is theoretically possible, but not supported by this library.

SETOCryptor *cryptor = ...;
NSUInteger ciphertextSize = ...;
NSUInteger cleartextSize = ;
// and the other way round with +

SETOCryptor

SETOCryptor is the core class for cryptographic operations on Cryptomator vaults. It is an abstract class, so you should use SETOCryptorProvider to create a SETOCryptor instance.

Directory ID Encryption

SETOCryptor *cryptor = ...;
NSString *directoryId = ...;
NSString *encryptedDirectoryId = ;

Filename Encryption and Decryption

SETOCryptor *cryptor = ...;
NSString *filename = ...;
NSString *directoryId = ...;
NSString *encryptedFilename = ;
NSString *decryptedFilename = ;

File Content Authentication

SETOCryptor *cryptor = ...;
NSString *ciphertextFilePath = ...;
;

File Content Encryption

SETOCryptor *cryptor = ...;
NSString *cleartextFilePath = ...;
NSString *ciphertextFilePath = ...;
;

File Content Decryption

SETOCryptor *cryptor = ...;
NSString *ciphertextFilePath = ...;
NSString *cleartextFilePath = ...;
;

SETOAsyncCryptor

SETOAsyncCryptor is a decorator for running file content encryption and decryption operations asynchronously. It’s useful for cryptographic operations on large files without blocking the main thread.

Create and initialize it with the designated initializer to specify a dispatch queue. If you’re initializing with the convenience initializer, a serial queue (utility QoS class) will be created and used.

SETOMasterKey holds the information necessary for the master key. All properties are immutable to prevent accidental changes. Use the provided bulk-update methods to modify the properties in bulk, and the provided convenience method, e.g. for persisting the master key.

Continuing the experiment

Many readers may feel that what has been described above is already enough to distribute trojans successfully, since we have halved the chances of being detected. That is true, but so far we have only shaken off the most wretched antivirus products, which fall far short of what the times demand. In the course of my experiments I found that even powerful code emulation can be dealt with, and quite easily!

As a warm-up, let us insert into our test subject, Pinch, a few small pieces of code that will «close the eyes» of several antivirus products (and, along the way, of many low-skilled reverse engineers). At address 13147C90 I placed a cryptor similar to the one described above, which encrypts the anti-debugging code we wrote (4Ch bytes starting at address 13147C30). You will find its code on the disc; the length of the article does not allow me to include it here. In this way we have hidden some details of our mechanism from certain heuristic engines, making their job harder by requiring multi-stage unpacking.

There is a very curious trick that works very well and stupefies some debuggers and antivirus products. Its name is entry point zeroing. Indeed, a situation in which the PE header, located at offset zero relative to ImageBase, is at the same time executable code looks completely implausible. Yet it is more than possible. Open the file being debugged in WinHex and look at the data bytes at the very beginning of the file: 4D 5A 00 00 (yes, that is the «MZ» text signature found at the start of every PE file!). Looking at the same PE header in a debugger (to do so, go to address 13140000h), we see the following picture:

The first two instructions appear quite harmless and can be executed without risk of «crashing» the program. Unfortunately, they are followed by only two zero bytes, and we cannot corrupt the MZ header by writing a five-byte far jump to the anti-debugging code there. Half a minute’s thought yields the right solution. Look at 13140028. Here there are far more than five zero bytes. An elephant would hardly fit here, but a long jump certainly will! So we proceed as follows: we replace the zero bytes starting at address 13140002 with the following instruction:

and the bytes at address 13140028 with the following code:

After these procedures all that remains is to save the program, open it for editing in LordPE and zero the «EntryPoint» field. Everything works, and two more antivirus products have given up: now only 25 out of 43 find dangerous code in our test sample.

Investigation showed that Pinch contains four sections, two of which, .conf and .data, hold data that antivirus products may treat as constant and add to their signature databases. So these must be encrypted as well.

To do this we completely remove the decryption code, replacing it with zeros in OllyDbg, and see that our sample is still detected as Pinch! We conclude that either the antivirus products find our code by brute force, or they check the image base. We try changing the Image base, and indeed shake off four more antivirus products.


Development

Crypter is developed in the «dev» branch, which may be unstable at times.
This branch should typically be used for pull requests.

The «master» branch will always be kept stable.

Configurations

All major configurations that you can apply are found under .
This includes changes to certain cryptography settings. Please be advised
that altering these may break functionality and
.

Test

Crypter primarily uses mocha and chai for testing. Since the project uses a
lot of JS ES6 syntax, babel is also used as a transpiler. To run all the tests,
execute:

Crypter uses istanbul for coverage. To run test coverage, execute:

Build

Crypter’s binaries (available under releases) have been built using
Electron. Since Crypter uses electron-builder to build binaries,
you must install it globally:

To build the app for macOS, run:

To build the app for Linux, run:

To build the app for Windows x86 and/or x64, run:

License

The MIT License (MIT)

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the «Software»), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

Async and Streams

When performing async operations on streams, the data can come very quickly
(particularly if you’re reading from a local file). If you use RNCryptor in a
naïve way, you’ll queue work blocks faster than the engine can process them
and your memory usage will spike. This is particularly true if there’s only one
core, such as on an iPad 1. The solution is to dispatch a new work block only as
the previous work block completes.

// Make sure that this number is larger than the header + 1 block.
// 33+16 bytes = 49 bytes. So it shouldn't be a problem.
int blockSize = 32 * 1024;

NSInputStream *cryptedStream = ;
NSOutputStream *decryptedStream = [NSOutputStream outputStreamToFileAtPath:@"/tmp/C++.crypt" append:NO];

;
;

// We don't need to keep making new NSData objects. We can just use one repeatedly.
__block NSMutableData *data = ;
__block RNEncryptor *decryptor = nil;

dispatch_block_t readStreamBlock = ^{
  ;
  NSInteger bytesRead =  maxLength:blockSize];
  if (bytesRead < ) {
    // Throw an error
  }
  else if (bytesRead == ) {
    ;
  }
  else {
    ;
    ;
    NSLog(@"Sent %ld bytes to decryptor", (unsigned long)bytesRead);
  }
};

decryptor =  initWithSettings:kRNCryptorAES256Settings
                                         password:@"blah"
                                          handler:^(RNCryptor *cryptor, NSData *data) {
                                            NSLog(@"Decryptor recevied %ld bytes", (unsigned long)data.length);
                                            ;
                                            if (cryptor.isFinished) {
                                              ;
                                              // call my delegate that I'm finished with decrypting
                                            }
                                            else {
                                              // Might want to put this in a dispatch_async(), but I don't think you need it.
                                              readStreamBlock();
                                            }
                                          }];

// Read the first block to kick things off    
readStreamBlock();

FAQs

1. Why did you create this?

Crypter was created for two reasons:

  • As an experiment and Proof-of-Concept (PoC)
  • For use in Red vs. Blue training environments

Traditionally, malware is written in compiled languages like C and C++. As a security researcher and Python developer, I set out to determine the extent to which interpreted languages could be used for the creation of malware. At the same time I was working for a security reseller who offered Red vs. Blue training to large enterprises. The training environment made use of live malware samples which were realistic, but unreliable and volatile. After completing the initial PoC, I continued working on Crypter for this organisation to provide a customisable Ransomware sample for use in this environment.

2. Why make it publicly available?

Crypter was made publicly available to enable security researchers and enthusiasts to gain a better understanding of Ransomware. While there are plenty of guides and videos on the topic, they usually don’t provide the understanding that can be gained by experiencing something first hand.

3. But couldn’t it be used by criminals for malicious purposes?!

While Crypter can be used to simulate a real Ransomware attack, steps have been taken to allow users to reverse any damage, and to prevent use by criminals in the wild. Ransomware is only useful to a criminal if they have the ability to decrypt the user’s files and the user does not. Traditionally this is done by sending the encryption key to a remote Command & Control (CnC) server controlled by an attacker once the user’s files have been encrypted. The victim then pays a ransom fee to retrieve access to the key that will decrypt their files.

With Crypter however, there is no inbuilt CnC capability. Once the user’s files have been encrypted, the decryption key is written to key.txt in the same directory as the ransomware executable. The user can then use this key to decrypt their files.

4. Could it not be adapted for malicious use?

It is certainly possible to further develop Crypter and implement the missing CnC capabilities. However, this requires expertise and knowledge in programming as well as malware tactics and techniques. Anyone motivated and knowledgeable enough to add these components would most likely create a piece of Ransomware from scratch, and not make use of an existing, open source and publicly available package as the basis for their attacks.

5. Can you add a feature for me?

Alternatively, if there is a feature that you think could be cool or useful, then feel free to create an issue with some information on what you’re looking for and why. I’m usually quite busy with other projects, but if I think it’s worthwhile and I can find the time, I may see if it’s something that I can implement.

Antivirus internals

In simplified form, an antivirus is a set of rules (signatures) and a system that checks a file against those rules.

For example, suppose an antivirus has the following signatures:

  • a writable code section: +10;
  • writes itself to autorun after launch: +30;
  • second section named Zeus: +30;
  • code section entropy below 4: +20;
  • has a certificate from Microsoft: -10.

The AV then checks the rules that can be checked without running the EXE, then runs the file in an emulator and checks all the remaining rules. After that it adds up the total: if it exceeds 100, the file is a virus; if it is lower, it is not.

Security

Security-first practice

Crypter follows a security-first practice. This means that security is its
highest priority and first consideration. Thus, while Crypter seeks
to make encryption more convenient, it always defers to maintaining
a high level of security.

MasterPass

Crypter never stores your MasterPass in memory or on the filesystem. This
substantially improves the security of your MasterPass. You are only asked to
enter the MasterPass when you first set, reset or verify it. Whenever you enter
your MasterPass, Crypter derives a MasterPassKey (using a set of generated
credentials) and then immediately discards the MasterPass. The MasterPassKey is
then securely stored in memory and used to derive the encryption keys. Since
these credentials are derived via a one-way function, they cannot be used in
any way to derive the MasterPass.

MasterPassKey

Crypter uses a WeakMap to store the MasterPassKey inside the MasterPassKey class
using a closure function. This makes the MasterPassKey data held in the object
(externally) inaccessible, consequently increasing the protection of the
MasterPassKey. The MasterPassKey is never flushed to the filesystem and is always
stored in (main) memory. Since JS does not give control over or allow such a
low-level operation as wiping memory, the program relies on the garbage
collection and volatility of the main memory for the permanent erasure of the
MasterPassKey stored in memory.

Crypter generates a new set of random credentials for deriving the MasterPassKey
every time the MasterPass is set (at setup) or reset. Crypter employs randomness
to mitigate brute-force attacks and thus drastically improve security.
