Ricky5panish / Ricky5panish.github.io

Creative Commons Zero v1.0 Universal

Input #1

Open richoffpints opened 1 week ago

richoffpints commented 1 week ago

So I read your article on how to make the crypter. Can you please explain why it can only be x64, and if so, how I can make it for x32 and x64?

Ricky5panish commented 1 week ago

Sure. To accomplish this task, you need to modify some parts of stub.cpp, which handles the process hollowing. You need to make the following changes:

  1. Change structures: Replace IMAGE_NT_HEADERS64 with IMAGE_NT_HEADERS.
  2. Change data types: Replace DWORD64 with DWORD.
  3. Change pointers: Replace PIMAGE_NT_HEADERS64 with PIMAGE_NT_HEADERS.
  4. Change registers: Replace RDX with EDX and RCX with ECX.
  5. Change offset: Replace +8 with +4 in the WriteProcessMemory function.

With these modifications, you can use the crypter (only) for 32-bit (native) PE files.

Edit: Due to the x64 validation of the argument, you also need to replace these structures, data types, and pointers in the crypter.cpp file.

richoffpints commented 6 days ago

Wow, very cool, thank you! Can I put something similar to an "else or if or elseif", something like that, to make it so that, say, if it's not DWORD then use DWORD64, so it can check the PE for whether it's 64 or 32? If there's a lot more to it than that, I don't want to waste your time, but it's worth asking. You did a great job here, I love it, and it has helped me understand this so much more.

Ricky5panish commented 5 days ago

Thank you :) If you really want the crypter for both x64 and x32, there are a few steps to follow.

The crypter (crypter.cpp) actually holds the raw code of our x64 stub as a byte array (unsigned char rawData[] = {...};), writes this stub to disk, then validates your input PE. If it's x64, it encrypts your chosen PE and appends it to the x64 stub.

  1. First, you need to insert the raw byte array of the x64 stub into the crypter.cpp as usual. Then, create a second stub program with the code modifications to run an x32 PE as mentioned in my previous answer, and build it for the x32 architecture. After that, insert this raw byte array as well. Don't forget to change the name of the variable to differentiate these two byte arrays (e.g., unsigned char rawData32[] = {...};). Be aware that your IDE or code editor might lag significantly if you insert two large byte arrays like this into your code.

  2. In the section where the crypter checks the architecture of your input PE, you can modify the if condition so that after validating the PE, the crypter either writes the x64 stub to disk, encrypts the validated x64 PE data, and appends it to this stub, or if the input PE is x32, writes the x32 stub to disk, encrypts the validated x32 PE data, and appends it to this stub.

Due to the large byte arrays, I would recommend completing task 2 before task 1.
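The architecture validation step the answer refers to (deciding whether an input PE is PE32 or PE32+ before choosing the matching header structures), as an added example that is not the repository's code: a stand-alone checker that reads the headers byte by byte, cross-checks FileHeader.Machine against OptionalHeader.Magic, and rejects truncated or malformed headers, the same triage an analyst's script does on an unknown binary. Offsets and constants come from the PE format; the sample header bytes are constructed for the test and are not a runnable program.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum pe_arch { PE_INVALID = 0, PE_X86 = 32, PE_X64 = 64 };

/* Read little-endian fields byte by byte (no alignment or endianness assumptions). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Classify a PE image held in memory. Returns PE_INVALID for bad signatures,
 * headers that do not fit in the buffer, or a Machine field that disagrees
 * with OptionalHeader.Magic (either field alone is easy to forge). */
enum pe_arch pe_arch_of(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D)              /* IMAGE_DOS_SIGNATURE "MZ" */
        return PE_INVALID;
    uint32_t nt = rd32(buf + 0x3C);                     /* e_lfanew */
    if (nt > len || len - nt < 26)                      /* Signature + FileHeader + Magic */
        return PE_INVALID;
    const uint8_t *hdr = buf + nt;
    if (rd32(hdr) != 0x00004550)                        /* IMAGE_NT_SIGNATURE "PE\0\0" */
        return PE_INVALID;
    uint16_t machine = rd16(hdr + 4);                   /* FileHeader.Machine */
    uint16_t magic   = rd16(hdr + 24);                  /* OptionalHeader.Magic */
    if (machine == 0x8664 && magic == 0x20B) return PE_X64; /* AMD64, PE32+ -> IMAGE_NT_HEADERS64 */
    if (machine == 0x014C && magic == 0x10B) return PE_X86; /* I386,  PE32  -> IMAGE_NT_HEADERS   */
    return PE_INVALID;
}

/* Width of ImageBase/pointer fields in the matching optional header:
 * 8 for PE32+, 4 for PE32 (the "+8 vs +4" difference in the first answer). */
size_t pe_pointer_size(enum pe_arch a) { return a == PE_X64 ? 8 : a == PE_X86 ? 4 : 0; }

/* Constructed header-only fixture: MZ stub with e_lfanew = 0x40, then NT
 * headers carrying the given Machine/Magic. 'len' simulates a truncated file. */
enum pe_arch sample_arch(uint16_t machine, uint16_t magic, size_t len)
{
    uint8_t img[0x60];
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x40;
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x44] = (uint8_t)machine; img[0x45] = (uint8_t)(machine >> 8);
    img[0x58] = (uint8_t)magic;   img[0x59] = (uint8_t)(magic >> 8);
    return pe_arch_of(img, len < sizeof img ? len : sizeof img);
}
```

A real file would be read into a buffer and passed to pe_arch_of; anything other than PE_X86 or PE_X64 means the headers should not be trusted.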