FileGuard - File crypter and packing utility

Related tags

CryptographyFileGuard
Overview

FILEGUARD

FILEGUARD is a file crypter and packing utility.

This project was originally included as a script in the WARFOX-C2 project found here. However, it can work as a standalone packer. The associated dropper utility mentioned here is known as CUBDROP and it can be found here

Description

image

Technical Details

FileGuard

FILEGUARD takes a file as input, compresses it via GZIP, encrypts it using AES-128 (CBC mode) and appends the AES key to the end of the file. This utility was designed to pack the WARFOX DLL implant to aid in its DLL sideloading execution process.

  1. You provide an input file (technically any file type should work) as argv[1] and the expected output file as argv[2]
  2. FileGuard compresses the input file using GZIP and writes a copy to disk
  3. FileGuard encrypts the compressed file using AES-128 in CBC mode with a randomly generated key
    • The AES IV is hardcoded as ffffffffffffffff to make the key parsing process of the dropper utility easier, but it could be randomized
  4. The AES key is appended to the file so it can be discovered by the dropper utility
  5. A copy of the finalized binary is stored in an output text file; the binary is formatted as a BYTE array which can be embedded in the dropper process

Dropper Utility

This utility is not yet included in this repository. The dropper utility is written in C++ and relies on C++ Boost libraries to perform GZIP decompression and decryption. The following example outlines how the dropper can be used to DLL-sideload the FileGuard packed binary, however, FileGuard could be applied elsewhere.

  1. The dropper locates the embedded (packed) payload
  2. The AES key is recovered from the end of the encrypted file and the buffer is resized to remove the key
  3. The key is used to decrypt the packed file via AES
  4. Once decrypted, the compressed file is decompressed using Boost::Gzip
  5. The final payload is written to disk alongside its sibling binary
  6. The sibling binary (a signed, legitimate binary) is used to DLL-sideload the associated DLL payload

Example Usage

$ python3 FileGuard.py calc.exe calc_packed.exe

[+] Usage: python FileGuard.py 
    
    
     
____________________________________________________________

[+] Successfully GZIP compressed file
[+] Original file - 5da8c98136d98deec4716edd79c7145f
[+] Compressed file - 7d8bbaf40e671ef70ca4811007fb7f6e
[+] File to encrypt - calc_packed.exe
        [+] AES Key: 34f88c98cfd49e102c00064577328f3b
        [+] AES IV: ffffffffffffffff
[+] Encrypted file - d2cac6a07e13c4a39620239d0e3a93c8
[+] Encrypted file output - calc_packed.exe.enc
[+] Appended AES key to the file

To-do

  • Strip the GZIP header and set it during the unpacking routine of the dropper utility
  • Fix the XOR routine that encrypts the appended AES key
Owner
Malware Researcher/Adversary Simulation/Reverse Engineer/Exploit Developer
GitHub Repository
A crypto bot that checks the price movement in the markets and creates buy and sell signals

Booter bot Purpose The purpose of this bot is to check the price fluctuations in a given market in binance and create the idealistic signals based on

2 Oct 09, 2022
The (Python-based) mining software required for the Nintendo Switch mining project.

ntgbtminer - Nintendo Switch edition This is a version of ntgbtminer that works with the Nintendo Switch bitcoin miner. ntgbtminer ntgbtminer is a no

4 Jun 03, 2021
obj-encrypt is an encryption library based on the AES-256 algorithm.

obj-encrypt is an encryption library based on the AES-256 algorithm. It uses Python objects as the basic unit, which can convert objects into binary ciphertext and support decryption. Objects encrypt

Cyberbolt 2 May 04, 2022
Audits Python environments and dependency trees for known vulnerabilities

pip-audit pip-audit is a prototype tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisor

Trail of Bits 701 Dec 28, 2022
A simple script useful to switch from Dashlane to Bitwarden by converting the password file to the right format.

A simple script useful to switch from Dashlane to Bitwarden by converting the password file to the right format.

3 May 06, 2022
Discord webhooks for alerting crypto currency price changes & historical data.

Crypto-Discord Discord Webhooks for alerting crypto currency price changes & historical data. Create virtual environment and install requirements. $ s

Филип Арсовски 1 Sep 02, 2022
Modeval (or Modular Eval) is a modular and secure string evaluation library that can be used to create custom parsers or interpreters.

modeval Modeval (or Modular Eval) is a modular and secure string evaluation library that can be used to create custom parsers or interpreters. Basic U

2 Jan 01, 2022
Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server.

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

29.5k Dec 31, 2022
Generate a 2FA Code out of an 2FA Secret(Time-based only!)

2FA-Generator Generate a 2FA Code out of an 2FA Secret(Time-based only!) ❗ Pleas don't share this secrets/generated codes with someone. If someone kno

TheDanniCraft 1 Nov 05, 2021
Smart-contracts - open sourcing our upcoming smart contracts for better security and transparency

Smart-contracts - open sourcing our upcoming smart contracts for better security and transparency

Rand Gallery 16 Jul 10, 2022
Maximal extractable value inspector for Ethereum, to illuminate the dark forest 🌲 💡

mev-inspect-py Maximal extractable value inspector for Ethereum, to illuminate the dark forest 🌲 💡 Given a block, mev-inspect finds: miner payments

Flashbots 563 Dec 29, 2022
Python wrapper for the Equibles cryptos API.

Equibles Cryptos API for Python Requirements. Python 2.7 and 3.4+ Installation & Usage pip install If the python package is hosted on Github, you can

Equibles 1 Feb 02, 2022
Linear encryption software programmed with python

Echoder linear encryption software programmed with python How does it work? The text in the text section runs a function with two keys entered keys mu

Emre Orhan 4 Dec 20, 2021
This is simple Blockchain ,miner and wallet to send crypto using python

pythonBlockchain-SImple This is simple Blockchain ,miner and wallet to send crypto using python It is simple Blocchain so it can only dobasic work usi

3 Nov 22, 2022
Crypto Portfolio Clustering with and without optimization techniques (elbow method, PCA).

Crypto Portfolio Clustering Crypto Portfolio Clustering with and without optimization techniques (elbow method, PCA). Analysis This is an anlysis of c

David L 0 Feb 18, 2022
FileGuard - File crypter and packing utility

FILEGUARD FILEGUARD is a file crypter and packing utility. This project was orig

11 Nov 28, 2022
Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

Tink A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Ubuntu

Google 12.9k Jan 05, 2023
A simple Ethereum mining pool

A simple getWork pool for ethereum mining Payouts are still manual. TODO: write payouts when someone mines 10 blocks. Also, make the submit actually

93 Oct 05, 2022
Python program that handles the creation, encryption and storage of log/journal files. Kinda works like a diary of sorts.

LucaSoft J.O.U.R.N.A.L The J.O.U.R.N.A.L (Just anOther User Redaction & Navigation Assistant by Lucaspec72) is a Python program that handles the creat

Lucaspec72 8 Oct 27, 2021
A Docker image for plotting and farming the Chia™ cryptocurrency on one computer or across many.

An easy-to-use WebUI for crypto plotting and farming. Offers Plotman, MadMax, Chiadog, Bladebit, Farmr, and Forktools in a Docker container. Supports Chia, Cactus, Chives, Flax, Flora, HDDCoin, Maize

Guy Davis 328 Jan 01, 2023