Change background image
  1. What's up? I see you're viewing as a Guest. How about registering, it only takes like 2 minutes. This will enable you to do more on our forum and stay updated.

Crypters Explained

Discussion in 'PC General' started by 3nvisi0n, Sep 9, 2011.

Thread Status:
This thread is more than 180 days old.
  1. 3nvisi0n

    3nvisi0n The R3v0lu710n Super-Mod

    Hello everyone,

    Since it has been a little while since I've written anything for these forums(sorry) I figured a little article might be due. Thus comes this little write-up regarding crypters. Now don't get your hopes up I'm not going to teach you how to code a crypter, I'm simply going to explain at a high-level of abstraction what they do and more importantly how they work and what their weakness is. This is a very basic concept and thus the article is very basic, if you already know your stuff there should be nothing to learn in this. This one is for the newbies.

    A Crypter?

    A crypter is a common blackhat tool. I cannot think of any whitehat non-malicious use for this tool. The basic idea of it is that a crypter will take a malicious file that is detected by an anti-virus and make it undetectable to the anti-virus. It does so my 'encrypting' the malicious contents so when the anti-virus looks at the file it sees nothing that matches any known malware(malicious software) and so it doesn't give the user any warning. So in even shorter form a crypter allows malware to spread without tripping your anti-virus. So I am sure you can see how powerful this tool can be in the hands of a malicious code writter.

    How Does it do this?

    Well By the name you should be able to guess how it encrypting the code. More specificaly this all works in just a couple steps.

    The first step the Crypter will take your the malicious file it is given and run it through an encryption process this will produce a new binary file full of garbage. When encrypted the file cannot be run by windows or anything else(and thereby when scanned by an anti-virus it just sees garbage and doesn't warn the victim about it.) This makes your malware undetectable at scantime.

    There is a problem since the file cannot be run by an operating system at this time one must now attach an additional piece of code that will decrypt the encrypted code and run it. This decrypter is generally called a stub. There are two main ways the stub will work.Basic Crypters which only offer scan-time protection have the simpliest stubs.
    This will essientally do the following:
    1. Load the encrypted code from system memory
    2. Decrypt the code and store it back in memory decrypted
    3. Issue a Jump command to the start of the unencrypted code
    4. The system will now run the uncrypted source.

    Now the obvious problem is the malicious code is now plainly seen in memory and anti-viruses programs normally do not overlook this fact. So at run-time the code would be detected. More complicated crypters would obviously not do such an idiotic thing. A crypter that provides both scan-time and run-time protection would essientally do the following:
    1. Load a portion of encrypted code from memory
    2. Decrypt the code
    3. execute the decryted code
    4. Loop back to step 1 until file has been completed.

    Now before any of you that know how it works yell at me, I am aware this si not a perfect representation of the innerworkings. But this is the basic concept that a run-time crypter would follow.

    SO now you know at a high level of abstraction how the crypter works, and what it does.

    I'm scared now...there must be a weak point...isn't there?
    Well yes, there is a weakness to crypters. The major weakness is the stub that is attached to decrypt the code, this stub normally cannot be encrypted itself(since it is needed for the decryption) So the fatal flaw in crypters is this stub, if you can detect a stub they can tell its been crypted and thereby it doesn't matter how good the payload is encrypted since the stub was detected.

    Of course hackers have found ways to combat this flaw with USGs(Unique Stub Generators) but that is potentially a topic for another article.

    *Disclaimer, this is ment to be educational only I take no responsibility for what this information is used for. I also take no claim at the accuracy of this information in an effort to make it more reader friendly I have ignored key details that would be key to actually implementing the code but not key to understanding how it all works. Thanks for reading.
    1 person likes this.
  2. Crazy52

    Crazy52 Gate Keeper Admin

    most of the time when you find a public crypter someone has already reported the stub and you get even more detections
  3. 3nvisi0n

    3nvisi0n The R3v0lu710n Super-Mod

    This is the major weakness I pointed out about crypters, detection of the stub, so once a basic crypter is known all it takes is making a simple hash of the stub portion for AV to detect it.

  4. dns

    dns Active Member Admin

    Very good explanation for beginner's envy, thanks for this post.
  5. Sh0tGuN2197

    Sh0tGuN2197 *Shotty* Super-Mod

    This is a nice post :D I knew most of it. Just a few I did not know. Thanks for it.
Thread Status:
This thread is more than 180 days old.

Share This Page