I am talking about crypters used to encrypt files like viruses and keyloggers for the sole purpose of bypassing antivirus detection. How do they work?
3 Answers
In some circles, "crypter" and "packer" are synonymous to mean binaries or programs which are self-checking and/or self-modifying. Crypters may, more specifically, mean self-modification that includes encryption and/or code scrambling (see more below).
I suggest that you read Chris Eagle's The IDA Pro Book for an introductory understanding of packers and the disassembly of their components and architecture.
Daniel Reynaud's work on packers and self-modifying code is also very fascinating. He makes some distinction between integrity checking, blind writes, code scrambling, and encryption of PE files in this blog post about visualizing packers and self-modifying programs. His crude system of checking for these various technique implementations in packers using dynamic binary instrumentation (not the best way of going about this, but it can be very fast compared to other methods) is available at https://code.google.com/archive/p/tartetatintools/
You could give some of the encoders in the Metasploit Framework a look. In particular, the Polymorphic XOR Additive Feedback Encoder (Shikata Ga Nai) might be worth a look, as it is discussed in the Metasploit Unleashed documentation with regard to bypassing antivirus detection.
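As an added illustration of the mechanism behind the first two answers (a self-checking stub wrapped around an encrypted body, and an XOR additive-feedback encoder), here is a toy crypter in Python. It is example code written for this page, not Metasploit's Shikata Ga Nai encoder and not taken from any of the tools or books cited above; the 32-bit block size, the feedback on the decoded dword, the header layout and the CRC32 self-check are this example's own choices. The payload is a constructed byte string, not shellcode.

```python
import os
import struct
import zlib
from typing import Optional

MASK = 0xFFFFFFFF
HEADER = struct.Struct("<III")  # seed, original length, CRC32 of plaintext

# Constructed sample payload for the demo; it is plain text, not shellcode.
PAYLOAD = b"constructed sample payload, not real shellcode"


def encode(plain: bytes, seed: int) -> bytes:
    """XOR each little-endian dword with a running key, then add the
    plaintext dword into the key (mod 2**32).  The key changes every block,
    so no fixed XOR pattern survives across the body."""
    assert len(plain) % 4 == 0, "encode() works on whole dwords"
    key = seed & MASK
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", dword ^ key)
        key = (key + dword) & MASK
    return bytes(out)


def decode(enc: bytes, seed: int) -> bytes:
    """Mirror of encode(): the feedback uses the dword just decoded, which is
    what lets a tiny in-place decoder loop (xor, then add from the same
    location) undo the transform without a second buffer."""
    assert len(enc) % 4 == 0
    key = seed & MASK
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", enc):
        plain = dword ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK
    return bytes(out)


def crypt(payload: bytes, seed: Optional[int] = None) -> bytes:
    """The crypter side: pick a fresh random seed per build, encode the padded
    payload and prepend a header.  A real crypter prepends a machine-code
    decoder stub instead; stub_run() below plays that role."""
    if seed is None:
        seed = int.from_bytes(os.urandom(4), "little")
    padded = payload + b"\x00" * (-len(payload) % 4)
    header = HEADER.pack(seed & MASK, len(payload), zlib.crc32(payload))
    return header + encode(padded, seed)


def stub_run(blob: bytes) -> bytes:
    """The stub side, i.e. what the packed program does at startup: read the
    header, decode the body in memory, run the self-check, and then (in a
    real packer) jump to the original code.  Here it is simply returned."""
    seed, length, crc = HEADER.unpack_from(blob, 0)
    payload = decode(blob[HEADER.size:], seed)[:length]
    if zlib.crc32(payload) != crc:
        raise ValueError("integrity check failed: body was modified")
    return payload


def differing_bytes(a: bytes, b: bytes) -> int:
    """How many body bytes differ between two builds of the same payload."""
    return sum(x != y for x, y in zip(a, b))


def tamper_detected(blob: bytes, offset: int = HEADER.size) -> bool:
    """Flip one body byte and report whether the stub's self-check catches it.
    A flip early in the body also scrambles every later dword via feedback."""
    patched = bytearray(blob)
    patched[offset] ^= 0xFF
    try:
        stub_run(bytes(patched))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    a, b = crypt(PAYLOAD), crypt(PAYLOAD)
    print("round trip ok:", stub_run(a) == PAYLOAD)
    print("body bytes differing between two builds:",
          differing_bytes(a[HEADER.size:], b[HEADER.size:]))
    print("tampering detected:", tamper_detected(a))
```

Two builds of the same payload share no fixed byte pattern in the body, which is why a signature on the encoded form is unreliable. What stays constant is the decoder stub (here stub_run, in a real crypter a few dozen bytes of machine code), and that stub, or the decoded payload observed under emulation, is what detection engines tend to key on instead.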
We can distinguish between packers which, from a binary, create a new binary with a different signature that is not understandable by a disassembler and which will be unpacked in memory to execute the original code; we call this polymorphism. And there are packers which, from a binary, create a new binary with a new signature, which can be polymorphic but which will edit its own signature at runtime every time it is executed; we call this metamorphism.
If you want to see metamorphic engines, you can take a look at my code (only for ELF): AD_1DA
A few cool papers: https://vx-underground.org/papers.html (they are all very cool, especially the Infection category)
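To make the metamorphism distinction in this answer concrete, here is an added Python example of a miniature metamorphic engine. It is not the AD_1DA code and does not touch ELF or real x86; it rewrites a constructed toy instruction set with the standard metamorphic tricks (zeroing-idiom substitution, immediate splitting, add/sub swapping, junk insertion) and includes an interpreter so that every generation can be checked to behave exactly like the original.

```python
import random

MASK = 0xFFFFFFFF

# Constructed toy instruction set: tuples of (mnemonic, operands...).  Operands
# are register names (str) or 32-bit immediates (int).  Not real machine code.
SAMPLE = [
    ("mov", "eax", 0x41414141),
    ("xor", "ebx", "ebx"),
    ("add", "ebx", 5),
    ("sub", "eax", "ebx"),
]


def execute(program, regs=None):
    """Interpret a program and return the final register file, so two
    generations of rewritten code can be compared for identical behaviour."""
    regs = dict(regs or {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0})
    stack = []
    for ins in program:
        op = ins[0]
        if op == "nop":
            continue
        if op == "push":
            stack.append(regs.get(ins[1], 0))
            continue
        if op == "pop":
            regs[ins[1]] = stack.pop()
            continue
        dst, src = ins[1], ins[2]
        val = regs.get(src, 0) if isinstance(src, str) else src & MASK
        cur = regs.get(dst, 0)
        if op == "mov":
            regs[dst] = val
        elif op == "add":
            regs[dst] = (cur + val) & MASK
        elif op == "sub":
            regs[dst] = (cur - val) & MASK
        elif op == "xor":
            regs[dst] = cur ^ val
        else:
            raise ValueError(f"unknown mnemonic {op}")
    return regs


def equivalents(ins, rng):
    """Return one of several instruction sequences with the same effect."""
    op = ins[0]
    if op in ("xor", "sub") and ins[1] == ins[2]:          # zeroing idiom
        r = ins[1]
        return rng.choice([[("xor", r, r)], [("sub", r, r)], [("mov", r, 0)]])
    if op == "mov" and isinstance(ins[2], int):            # split an immediate
        r, imm = ins[1], ins[2] & MASK
        k = rng.randrange(1, 1 << 32)
        return rng.choice([
            [("mov", r, imm)],
            [("mov", r, (imm - k) & MASK), ("add", r, k)],
            [("mov", r, imm ^ k), ("xor", r, k)],
        ])
    if op == "add" and isinstance(ins[2], int):            # add imm == sub -imm
        r, imm = ins[1], ins[2] & MASK
        return rng.choice([[("add", r, imm)], [("sub", r, (-imm) & MASK)]])
    return [ins]


def mutate(program, rng, junk_rate=0.3):
    """One metamorphic generation: substitute equivalents and sprinkle junk
    (nops, push/pop pairs) so the byte pattern changes but behaviour does not."""
    out = []
    for ins in program:
        out.extend(equivalents(ins, rng))
        if rng.random() < junk_rate:
            out.extend(rng.choice([[("nop",)], [("push", "ecx"), ("pop", "ecx")]]))
    return out


def variant(program, seed):
    """A single rewritten copy, reproducible from a seed."""
    return mutate(program, random.Random(seed))


def generations(program, seed, n):
    """Apply mutate() n times in a row, as a metamorphic program would on
    each execution; generation 0 is the original."""
    rng = random.Random(seed)
    gens = [program]
    for _ in range(n):
        gens.append(mutate(gens[-1], rng))
    return gens


if __name__ == "__main__":
    for i, g in enumerate(generations(SAMPLE, seed=7, n=3)):
        print(f"gen {i}: {len(g)} instructions, regs={execute(g)}")
```

Every generation leaves the register file identical, while the instruction stream (and therefore any byte signature over it) changes and only ever grows, which is the property a metamorphic engine is built to provide. In a real engine the same idea is applied to disassembled native code, with the added burden of fixing up relative branches and relocations after each rewrite.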