Open fSociety-Protected opened 1 week ago
bytecode77
commented
1 week ago Hey there. This is just a PoC that demonstrates a C# executable that morphs its own code. It isn't in and of itself useful, so you can't swap out the Payload to "chain together" your own payload. It's merely a code demo.
Also, Payload.exe is a .NET payload, which I assume you replaced by a native payload.
fSociety-Protected
commented
1 week ago Hey there. This is just a PoC that demonstrates a C# executable that morphs its own code. It isn't in and of itself useful, so you can't swap out the Payload to "chain together" your own payload. It's merely a code demo.
Also, Payload.exe is a .NET payload, which I assume you replaced by a native payload.
γ € So... there is no way to do exactly the same thing, γ €but importing a non-.NET binary? π₯΄
I mean, instead of compressing/encrypting the code, γ €just encrypt the payload.exe stored in the resources. π€
Because the truth would be a very good way to protect a project... γ €I mean, if there was a way to use as an executable launcher, γ €γ €your automorphic project, it would be awesome! π―π―
bytecode77
commented
6 days ago Nah... To protect a project from AV, use in-memory techniques. This is really just a PoC and can't be combined with unrelated techniques.
fSociety-Protected
commented
6 days ago Nah... To protect a project from AV, use in-memory techniques. This is really just a PoC and can't be combined with unrelated techniques. γ €
γ € Wow, what a disappointment I just got Β«@byteΒ», because I've been all night, γ €trying with all my strength to make such a loader come true. π₯΄π€¦ββοΈ γ € γ € As an automorphic loader, that would be able to carry a binary (an .EXE, but not ONLY .NET, any . EXE) γ €as an embedded resource in encrypted form and that when running the automorphic launcher, decrypt the γ €γ € resource in memory, execute the resource in memory using P/Invoke, re-encrypt the resource with a random γ €γ €γ € key and compile the whole launcher morphing and obfuscating all variables, strings, etc... as it already does... π γ € γ € But if you say that's NOT possible... I guess I'm going to abandon my little project of being able to γ € create an automorphic launcher that can and will be able to host any binary executable as an embedded γ €γ € resource and be able to decrypt it and run it in memory. π γ € γ € For me you are a real inspiration @bytecode77, γ € seriously, for me you are the best. ππ― γ € γ € And if apparently, it's you, who tells me that this is not possible, γ €...then I won't be the one to question it, really. π γ €
bytecode77
commented
6 days ago If you're developing your own crypter and decided that it should be morphing, then you can implement that, sure. All I'm saying is that you cannot use this PoC as it is and swap out the Payload, as a PoC is generelly not designed to be used in-place as it is.
So, if you're working on your own crypter, then you can look at how polymorphism and morphing stubs work from my project, etc. and do your own implementation.
Keep going...
fSociety-Protected
commented
6 days ago If you're developing your own crypter and decided that it should be morphing, then you can implement that, sure. All I'm saying is that you cannot use this PoC as it is and swap out the Payload, as a PoC is generelly not designed to be used in-place as it is.
So, if you're working on your own crypter, then you can look at how polymorphism and morphing stubs work from my project, etc. and do your own implementation.
Keep going... γ €
γ € So I'm not wasting my time? π₯΄ γ €Is it possible to do what I say? π γ € γ € I mean, create a launcher which has as an embedded resource my own *.exe payload, native, not .NET γ €and when running the launcher, in turn, decrypt the payload in memory and run the payload directly in γ €γ €memory to avoid any kind of footprint on the disk and then, after having run the payload, encrypt the resource γ €γ €γ €with a new random key and use polyformism to mutate the launcher code and auto-compile itself? π γ € γ € Is it worth it? Is it possible to create something like that? π€ γ €I wouldn't want to go round in circles for nothing. π γ € γ € Any advice @byte for choosing γ €the best way or practice to follow? π§ γ €
bytecode77
commented
6 days ago Not sure what exactly you're up to. You can achieve a morphing binary, or any other type of obfuscation. AV isn't affected as much by the morphing of the binary as by the evasion techniques used.
fSociety-Protected
commented
6 days ago Not sure what exactly you're up to. You can achieve a morphing binary, or any other type of obfuscation. AV isn't affected as much by the morphing of the binary as by the evasion techniques used.
γ € What I am looking for is to create a launcher which can store in an encrypted way a *.EXE binary, γ €which does not have to be a .NET binary and that when executing the launcher, let's call it βLOADER.EXEβ, γ €γ €this in turn, decrypts the embedded binary that is inside, let's call it, βPAYLOAD.EXEβ and is executed directly γ €γ €γ €in memory, without at any time is written to disk, to avoid leaving any trace or track. ποΈπͺΆπ γ €
And at the end of the execution of βPAYLOAD.EXEβ, then, the launcher βLOADER.EXEβ, γ €applies the automorphosis that you show in this project, encrypting with a new random γ €γ €key the embedded binary βPAYLOAD.EXEβ. π€π§ γ €
More than a technique to evade AV's, it would be extremely useful to protect γ €my projects against reverse engineering techniques, debugging, etc... π γ €
I hope you now understand much γ €better what I want to do @bytecode77. π―π
bytecode77
commented
5 days ago RunPE is the keyword for you, if you want to run a native executable in memory.
Good luck!
fSociety-Protected
commented
5 days ago RunPE is the keyword for you, if you want to run a native executable in memory.
Good luck!
Okay @bytecode77, thanks for the tip. ππ
Well, first of all... π
I hope you are well and everything β β β is going great in your life! π
Well, I've been keeping an eye on this project and I've got some interesting ideas! β β But... I also have some doubts that I hope you can help me to solve! π―
ββββββββββββββββββββββββββββββββββββββββ
Well, in your web page, you say the following about the executable named βpayload.exeβ: β βRemember, that the payload is a separate and replaceable executable file.β -bytecode77
Now, I have tried to simply replace the payload.exe file with another one, β β like for example the β$77-Example.exeβ file from your r77 project, but apparently, β β β ββ when trying to run the auto-morphic launcher, β$77-Example.exeβ is never executed. π€ β
Is there something I'm not understanding or β β β something should I need to know @bytecode77? π β
Thanks for everything @bytecode77 and I hope you can β β β β get back to me when you have some free time, thanks! π π