bytecode77 / pe-union

Crypter, binder & downloader with native & .NET stub, evasive by design, user friendly UI
https://bytecode77.com/pe-union
BSD 2-Clause "Simplified" License
647 stars 145 forks source link

New to C# #22

Closed bill0alt closed 2 years ago

bill0alt commented 2 years ago

I am new to C++ and C#. I have been a webdeveloper for years, but in the field of C and C# I have little to no experience. Do you have any idea how I can get resrouces on learning about crypters and stub.

While I was researching I found this repo, but I don't really know how I should get started. On Google and youtube there is very little information available as far as I know.

Any suggestions?

bytecode77 commented 2 years ago

Probably the best way to learn something more in-depth is to write your own crypter. You can focus on the very core of a crypter and leave out all the details. PEunion has a lot of features, but basically your crytper should be a small program ("stub") that decrypts an executable and executes it.

Just make the stub write it to the disk and execute it. And then in the next step, you can try to figure out what "RunPE" aka. process hollowing is, why it's essential - and apply it.

This should keep you busy for a while ;)

bill0alt commented 2 years ago

Thank you for the answer, but do you know some places where I can learn more about crypters? On youtube and google there seems to be little to no info. So how did you learn about them?

bytecode77 commented 2 years ago

I agree that tutorials on this are rare. I didn't use a tutorial, since over time I became familiar with all sorts of techniques that are used in crypters. My first attempt was to just bundle an executable (or two) and then drop it on disk and execute it - my second attempt was to use RunPE to execute the EXE file without writing it to the disk.

The first one is relatively simple. The second one, you'll find a lot of tutorials for RunPE and even ready made code to use.

bill0alt commented 2 years ago

Ok thank you I will surely try it. Is RunPe the same as a stub or is that something else? And if it is something else how could I learn about that. Because from what I understood the stub is what is the most important for a crypter

bytecode77 commented 2 years ago

The stub is a small executable that decrypts the payload and executes it using RunPE.

Stub: Contains the payload and your code to decrypt and execute it Payload: The executable that you would like to encrypt RunPE: A routine that can execute an EXE file in-memory without writing it to the disk. For a proof-of-concept, you can skip this and write the EXE to the disk and after everything works proceed to implement RunPE.

bill0alt commented 2 years ago

Thank you a lot. Do these terms also apply for other operating systems such as macos or linux?

Where can I find this executable in this project. When I go to the folder stub there are only C# files no executable. You described the runpe as a routine and not as a file. How does it get executed if it is not a file?

Also if the only purpose of a stub is to encrypt the payload isn't it enough to just change the encryption process to make it FUD again?

If I just use RunPe with the payload I assume this would be easily detectable by an antivirus. This is why we need the stub. Am I right?

bytecode77 commented 2 years ago

Do these terms also apply for other operating systems such as macos or linux?

No. These hacks work differently for each operating system, so you should commit for one specific OS.

Where can I find this executable in this project.

The C# files you mentioned are compiled to the stub by using the C# compiler.

You described the runpe as a routine and not as a file.

RunPE is a technique that is used to execute an EXE file without writing it to the disk. You should look for tutorials about RunPE to understand how it works.

Also if the only purpose of a stub is to encrypt the payload isn't it enough to just change the encryption process to make it FUD again? If I just use RunPe with the payload I assume this would be easily detectable by an antivirus. This is why we need the stub. Am I right?

Yes, it is detectable. To make it actually FUD, you will have to do a whole lot more than just RunPE. But you should start with the basics of creating a stub that decrypts and executes an executable. Then you can start tinkering with AV evasion.