[C++] Polymorphic Crypter
-
A polymorphic crypter whose source code is sold on Russian underground forums for 5 thousand dollars. Apprentice malware writers can use it for educational purposes.
Polymorphic? For background you can use this source = http://www.bilgiguvenligi.gov.tr/zararli-yazilimlar/polimorfik-virusler-ve-tespit-yontemleri.html
Google Translate from Russian:
TOMAHAWK MULTIPASS MORPHER ENGINE Multipass Kriptor \ Morpher \ Protector. Maintained and continuously upgraded since 2010. Ultraprivat. The possibility of cooperation after the interview. Possibility of issuing kriptora "on hand." Possible sale sortsy.
1. Console interface;
2. polymorph;
3. Garbage code, garbage, trash section;
4. Normalization of the entropy at the output;
5. Fitted compression (output image as a rule, 30-70 % less);
6. Packer linker input file is automatically detected. The decision to use varying compression automatically accepted on the basis of several factors: - Whether there was a packer at the entrance; - The degree of compression; - Entropy;
7. Overlay support;
8. Support \ transfer command line;
9. Adding icons provided there mikromorfer icons, the possibility of "noise" icons possible to save other resources (versioning information, manifest etc);
10. Random size at the outlet or within the specified limits;
11. Two type antiemulyatsii averskih VM + one + one antidebuggings antiemulyator from ordinary Wirth. machines. including MS Security Essentials - does not spin.
Written in pure C + Inline assembler; Checking Zeus, SpyEye, Carberp, Citadel, and many others. Check AB (Scan4You): 0/35 - always
1. Sortsy consist of 2 projects Generator and TlsStub, other projects - is an outline for the future, for the crypt dll 2 . There are a lot of additional tools ( folder Bin \ PlugIn): pmorph.dll - polymorphic generator ; selfscan.dll and PESniffer.dll - determine whether the file was something packed inlet ; if packaged upx.exe - unpack ; There's still Morpher icons and a lot of things in this version is not yuzayutsya . There are utility ScompX.exe in the Bin ( she solyushen not included because there is rarely a need to edit it ), but there sortsy her present. When rebildinge occurs following items : 1. There TlsStub - it's self with the stub loader section of code placed encrypted code target file , what does ScompX.exe; 2 . Generator - creates an output file Morph.exe, which morphs stub with wired already there there file 3 . At the output file TlsStub.exe ( folder Bin) - is the result of kriptovki 4 . At the entrance - bot.exe ( although the name can be changed in the project options TlsStub-> Build Events before and after ); Pocketbook cleaning . Part 1 of 42. NOD - signature / import, plus the number of functions and their order, remove from ntdll.dll import data Avast - signature data VBA - emulation , put a long cycle GData - import, swears by the media , put the optimization Panda - preferably the presence user32.dll Avira - kodovubyu section desirable to put on record , add debug directory !!! Base64 do Panda - signature / ENTROPY KAV - rarefied code feykovye DBGPRINT + imports (sometimes) MSE - the same that KAV BitDefender - prikopalis to GetProcAddress (ntdll & kernel); import Plenty left . 
1.You will palitsya NOD- ohm , you can try to remove the optimization properties StubNew: Project-> Properties StubNew-> C / C + + -> Optimization: Optimization - put "Disabled" , the preferred size or speed - put " No " 2.If will pop bitdef and friends and if needed urgently kriptonut , it is possible in the properties StubNew: Project-> Properties StubNew-> Linker -> Debugging - put " Generate debug information " - " Yes " , but will shoot one Avast . 3 . You can play with flags in StubNew.h: DBG_FAKE, DBG_OK, TLS ( will zayuzat TLS), ANTIDEBUG, PREDBG; 4 . You can remove / add fake imports in StubNew.cpp: InitInstance ( there are comments ); 5 . You can change the entry point at stabovuyu from MS (CRT) - EntryPoint change on _tWinMain, respectively removing properties StubNew: Project-> Properties StubNew-> Linker - > Advanced- > Entry Point ; 6. You can do the most import permutations properties StubNew: Project-> Properties StubNew-> Linker - > Input -> Additional Dependencies Malvar SDK for developers , Part 1 of 4 1. Generation treshkoda after passing my Morpher : Tags: __asm {hlt} _asm {cli} _asm {cld} as many .... _asm {nop} All this will be replaced with " garbage " code , only here it is necessary to take into account that it can not be inserted in the long cycles , because morfleny this trash (mostly arithmetic) will eat CPU time , although it is very useful against emulators , e.g. such as VBA What will this : signatures in your stuffing in the memory will always be different from the crypt to crypt .
Source code:
-
Uncle is on a roll with php, c#, c++ :D how many threads is this today, well done :D
Edited by 1234567B on 06/Dec/13 01:28 -
A "follow" button should be added for you, hocam, you're churning them out again today.
Also, if you polish up that script of yours and release it to the public, it would be a treat;
http://www.tahribat.com/Forum-Php-Dos-Saldirisi-Scripti-163630/
-
Let it sit on the side, I need to examine it, let's see when. Thanks for all of today's threads, we await more :)
-
çizik