How to Create Your own FUD Crypter [The Right Way] ...In Less Than a Week
Brought to you by http://crypters.net
Version 1.00, July 2010

Limits of Liability & Disclaimer of Warranty
I AM NOT AN ATTORNEY. DO NOT USE THE FOLLOWING TEXT UNLESS YOU HAVE YOUR OWN ATTORNEY REVIEW IT FIRST.
The author and publisher of this ebook and the associated materials have used their best efforts in preparing this material. The author and publisher make no representations or warranties with respect to the accuracy, applicability, fitness, or completeness of the contents of this material. They disclaim any warranties expressed or implied, merchantability, or fitness for any particular purpose. The author and publisher shall in no event be held liable for any loss or other damages, including but not limited to special, incidental, consequential, or other damages. If you have any doubts about anything, the advice of a competent professional should be sought. This material contains elements protected under International and Federal Copyright laws and treaties. Any unauthorized reprint or use of this material is prohibited.
About the Author

A little bit about me: My name is Shawn and I'm 17 at the time of writing this. Things I like to do are playing guitar, surfing, hanging with friends, and of course chilling a lot on the Alienware laptop :) Everyone starts out somewhere, and me? Well, there's nothing special about my story. I am no greater than any of you. I just had a lot of interest and desire with many things related to hacking. So I read and read, searched and searched, for a very long time. The only thing that probably makes me different is that I also have a desire to help others in the situations I was once in. jk, that was a lie... but I do think I'm good at putting myself in others' situations, helping them, then making money off it XD. Funny thing is, after I ended up creating a successful Crypter I started losing interest in hacking itself, and ended up doing nothing but some ethical hacking. I don't even use crypters myself anymore :). You can reach me at http://crypters.net
Introduction
First, I just want to give major credit to all the links to threads used in this ebook. Massive credit to all the forum members that made them, thank you.

What you can expect from this ebook

I would just like to mention that if you have even the slightest interest in Crypters and making your own, you are in the right place. You will be provided with the most informative, in-depth blueprint on Crypters ever put into one package. I am going to be real and remind you to be aware of what's required from you to get the most out of this ebook. There are no magic buttons, no magic pills. Especially when programming, you have to put in effort and take action on what you learn in order to succeed.

What's covered in this ebook?

This ebook covers all the aspects that will get you on a flawless track for creating your own FUD Crypter, or anything FUD to be honest; this way you will gain a huge advantage. I will be giving my 100% into this ebook, so all I ask from you is to never be discouraged by the looks of anything and to put in your 100%. The layout of this ebook is constructed as follows: the first half is aimed at the beginner to intermediate level, and the second half at the intermediate to advanced level. Just to remind you not to exaggerate and be unrealistic: I will be teaching you all you need to know about Crypters and making them, getting you up to the right point, but once you're at that point, you have to be aware that you're set on your own. That's life. But I do have to say, it is truly an awesome and thrilling experience. So let's get started.
How do I know which antiviruses detect my file?

There are many sites with the same purpose of scanning files and giving a report of which antiviruses detect your file. The main issue leading to crypters becoming detected is that if you, or someone who is in possession of your crypted file, scans it on some of these scanner sites, the crypted file will be distributed to the antivirus vendors, causing the crypted code overwritten on your file to become detected, which in turn causes your crypter to become detected. It is recommended to scan all files you crypt on http://scanner.novirusthanks.org while making sure the "do not distribute sample" checkbox is checked!
What is EOF and what is it used for?

EOF stands for End Of File. Some files, like Bifrost, Medusa, and Cybergate, require the end-of-file data in order to run without corruption, so if a Crypter doesn't preserve this end-of-file data, your crypted file will become corrupt.
What is a USG?

A USG is the part of a crypter that generates a unique version of the stub (the stub is the part of the crypter used to encrypt and decrypt the specified file). The purpose of this is that FUD crypters don't last forever; eventually crypters become detected over a period of time. You will understand this better later on in the ebook. (In the picture, the USG is to the right and above it is the Crypter. This is probably one of the most advanced USGs you will find; some can be very simple.)
What is a File Binder?

A File Binder is pretty self-explanatory. It binds, or puts, two files together as one, so as a result, when someone opens this one file, two files will execute. You would usually use a file binder when being even more stealthy than just a simply crypted file. The biggest question people have when first learning what a binder is and what it does is: can you bind a .exe with something different, like a .jpg for example? The answer is yes, BUT the output of both bound files will be shown as a .exe, so in a way it can defeat the purpose.
What are antis on Crypters?

Antis are an extra feature that come with some Crypters, for example anti-vm, anti-debugger, anti-avira, etc. These refer to bypassing or preventing something specified, so anti-debugger means it will prevent the file from being debugged.
What is a file pumper?

A File Pumper will pump your file, referring to adding more bytes to it, making your file larger. The benefit of this is usually not so great, but it can be OK to have and may lose a detection or two.
Types and forms of Crypters

Crypters come in many types and forms, and it is important to understand these types and forms because it will help you choose a quality crypter to suit your needs, or help you realize what options and features you would want to implement in your own Crypter. Here are some simple and advanced crypters to give you a good idea, or picture in your head.
The Antivirus vs Crypter Concept

Have you ever wondered how all the viruses, RATs, bots, etc. become detected by antiviruses? I'm sure you have, and this concept will give you all the answers. Antiviruses can be a lot more complex than you would imagine, so learning the ways they are notified of malicious files and how they detect them is essential for bypassing them. There are two ways antiviruses are notified of malicious files and eventually flag your file as detected.

1. The first one is from online file scanner sites, where people upload files they think might look suspicious and want to know if it's actually a virus or not. They upload their files to one of these sites to check which antiviruses detect it and flag it as a virus. Once the files are uploaded, based on certain elements, they are then distributed to the antivirus vendors' labs. On some online scanners there is an option available for you to check for no distribution. I am not aware if this actually does what we all think, because I heard they will still distribute, but at a price to the AV vendors. Whether this is true or false, it is still always a good idea to scan on these sites that have this option available, for example http://scanner.novirusthanks.org

Here are some multi-antivirus scanners:
http://scanner.novirusthanks.org
http://virustotal.org
http://www.virustotal.com/

And there are also individual antivirus scanners, for example:
http://www.kaspersky.com/scanforvirus
http://www.bitdefender.com/scanner/online/free.html
2. The second factor is from the antiviruses themselves. You may be thinking, oh really? Yes, and to tell you the sad truth, hardly anyone even knows about this. It's sad, isn't it? This is essential information that everyone must know when using or making Crypters. Most of the time, the antivirus will automatically send the files out when any certain file becomes detected. Antivirus owners also have the option to send off a file to the vendor with the click of a button through their desktop antivirus.
What can you do about this? Well, you can change the settings on your antivirus. The settings usually come in slightly different forms; sometimes you are asked during setup, and sometimes you just have to go into the settings or options manually, for example:
All of what you just read is essential to keep in mind when making a FUD Crypter. The sole reason why public Crypters always become detected, and usually fast, is that the majority of people do not know the antivirus vs Crypter concept. Therefore they either blindly upload their crypted files to one of the scanner sites that also distribute, or the antiviruses themselves are uploading their crypted files without them even noticing. Even people who make their own Crypters aren't aware of this, which is why they are always wondering why their crypted files always become detected so fast.
Antiviruses have databases of these lines that are known to be associated with malicious files. They use that database to check against your file to see if it matches. If it does, then it is marked as infected. They do use other methods of detection, but this is the one you will learn how to avoid.
Your crypter is going to take the contents of an infected file, encrypt them, and place it at the bottom of a seemingly virus-free file called your stub. Your stub file will then extract the encrypted data from itself, decrypt it, then extract and run it. So just imagine if this stub file, which is joined together with the crypted infected file, is detected? Well, then all the files you crypt will also show up as detected, since this stub is used with all the crypted files. This may sound like a complicated and confusing process, but it isn't, and I will explain more about it later on.
Here's another picture I found (credits to hackhound); this explains all this in a slightly different way, maybe you will understand it better:
Intro to programming with VB6

You must be aware that in order to make your own FUD Crypter, you must at least know the basics of programming, so if you don't, this is a very important section to read. Read through it all, and if there's something you don't understand I encourage you to do some Google searching about it or read around/ask through this forum: http://www.vbforums.com/forumdisplay.php?f=1

Without getting too in-depth and complicated, I am going to first have you learn the basic concepts of programming, so that you understand just enough to follow the most essential parts of what a program is doing, and so you will be able to understand other sources when you read and modify them. You most likely will have questions that I will not be able to answer, so if you're unsure about some of these basic concepts, search "vb6 tutorial" or "visual basic tutorials" on http://youtube.com; this way always seems to be best because it seems people learn drastically easier from video. If you have a more specific question or issue, search Google.

OK so, from searching for a long time, I came to the conclusion that this site teaches VB6 in the best, most understandable/appealing way: http://www.vbtutor.net/vbtutor.html Just go through the table of contents and please try to go up until, not higher than, lesson 18, and ignore all the ads on the sides and in between. You don't have to go through all of them at once, or even in the same day. I would encourage you to just refer back to the lessons at any given time and consistently, but slowly, move forward each day. And remember, to get more clarification or understand more of it, always search YouTube and Google.
Basic VB6 Outline for Creating a Crypter

Crypters in VB6 consist of two parts:
- The Crypter Client, which is the actual user interface that the user uses for specifying the file to encrypt, the settings, etc.
- The Stub file, which is part of the Crypter but is not used by the user directly. It is simply there, in the same directory as the crypter client, because it is being used by it.

So programming a Crypter comes in these two parts, and they are made separately in two different projects. They only interact with each other when compiled into finished .exes. You might be wondering, well, which project gets detected, so I know which to modify? The Stub project is the only one you have to always undetect and re-undetect when the crypted files become detected, BECAUSE the stub file is what is actually injected into all the crypted output files. So, common sense being, when eventually, for example, someone that you infected runs the crypted file and maybe uploads it to VirusTotal (which distributes), or the antivirus itself distributes, the crypted file has your stub code in it as well as the crypted malicious code; therefore the antivirus will detect it and create signatures, causing the stub code to become detected. Basically, this stub code is injected into all crypted files, so obviously all the crypted files will then also become detected since they carry these detected signatures.
Copyright 2005-2010 Xinfiltrate Crypters.net All Rights Reserved.
Here is an example crypter/stub project in its simplest form that you can learn from; there are comments explaining each part throughout the code: http://crypters.net/example-source.rar Just skim through it and try to get an idea of the different parts and what they're for, and get familiar with it. If you don't fully understand it, it's fine for now.

The best way for you to learn is by showing you a diverse set of tutorials, so throughout this ebook I will keep linking you to different tutorials. Here's one of the best tutorials on how to make a simple Crypter, from HF (hackforums.net; if you aren't already a member, go sign up): http://www.hackforums.net/showthread.php?tid=204038 With this you might get some more understanding of how it all fits together in a different way. And remember, the better you know how it all works together, the easier it will be to undetect the code.

One of the biggest issues that I should address is compatibility with different OSs. Basically, what affects compatibility with certain OSs, for example 32-bit/64-bit Windows 7 and XP, is almost always the RunPE module that you are using. What I would do is really read up on the source I'm using and test it out first before I go ahead and modify it.

The way I learned how to make crypters and different methods of undetecting them was from constantly reading and modifying every Crypter I got my hands on. I encourage you to do the same and just start searching and browsing through the coding/VB sections on:
http://hackforums.net
http://hackhound.org
http://www.opensc.ws/forum.php
Once you're there, you should see a few options like project name and startup object; if you want to change any of that, then do it. Now go into the next tab, called Make. Here you should see the version info, title of application, icon, and in the middle you will see Version Information with comments, version, company name, file description, etc. All these options should be changed to something random, especially when starting from someone else's source.
do nothing with it. Now it may be less likely depending on how unique it is, but the point is that even if you're doing nothing with your stub and never crypt files, eventually it will become detected; all will. So to clarify: the fact that all the other Crypters being distributed, for example, use a specific method of execution using a specific API which has a slight relation to how your Crypter was made will cause your crypter to also become detected. Now with all this in mind, I want to make sure you're not getting the impression that all VB6 crypters suck and they will all get detected easily, because this is not completely true. As long as you use the right techniques and have your own unique and creative way of doing things, the longer the Crypter will last. And just to let you know, when a crypted file is distributed, it's not like it will become detected right away. It takes about a week to a few weeks for a signature to be made on the file and updated into the database.

So a point I want to also get across while you understand this concept is this: the most honest, true approach you will learn in this ebook is the fact that no matter what undetection technique or method you use, there is no one technique that will last forever; they all eventually become detected. This means there's no guarantee of giving you a technique to easily just copy and paste to make your FUD crypter and live happily ever after; that would be a lie. What this ebook will give you is a layout of the universal, proven techniques that you can keep in mind, so you can learn how they work, improve upon them, and make variations of them to successfully make your own FUD Crypters.
3. Now that we know the detection is coming from the RunPE module, we put the code back and drill down by deleting each sub and function in the module one at a time. We then find out the detection is coming from the CallAPIbyname function.
4. Now that we know which function is detected, we drill down further by deleting each line of code. (Depending on the size of the function, just delete each segment and drill down from there; you can do the same for the modules, for example you can delete the first half and then the second half of the function first.)
5. Once you have found the string in the function that's causing detection, the whole undetection process comes into play. You can basically just recode the portion of code that's causing detection in a very different, or even slightly different, way, and combine this with what you will learn in the next chapter, or simply only use what's in the next chapter alone.

Broad Signatures

For detecting broad signatures, it's pretty much the same process; the only difference is that you have to be aware of a few more things throughout the process. I will show you an example of a broad signature in this situation. Let's say the RtlMoveMemory API is causing detection. Now if we are taking apart the code using the process I just showed, you will realize that the detection is coming from the module, but you wouldn't realize what is being detected inside the module by doing the standard "remove each sub/function at a time". The reason for this is that this API is used in multiple places throughout the module. Sometimes you will even come across situations where variations of the same piece of code are used throughout the module.
Also, here is another technique you can use as a last resort: http://www.hackforums.net/showthread.php?tid=33874
There are some VB6 crypter sources in the crypter sources section on this page: http://crypters.net/crypter-sources/ So pick which source you want to modify for the purpose of learning how to use the techniques I will show you for undetection. To some people, modifying another source and making it undetected, when you didn't make it from scratch yourself, means you're a fake or a skid. Now, when undetecting, a lot of effort and work usually has to be done, so why make it harder on yourself when there are already sources out there all doing the same thing, just in different forms? Why reinvent the wheel? In a lot of cases, to undetect and keep your Crypter undetected, you have to change code around, replace code, and add code, to the point where making the Crypter from scratch is almost the same thing. Some people have different ways of doing things and have their reasons, but from what I'm teaching, for learning purposes and for beginners, you will start by reading other sources and modifying them, and then eventually you can code a very sophisticated one from scratch someday in the future. So again, my point is: for now especially, there is no need to reinvent the wheel.
Here's the basic outline of the whole universal undetection process, summed up in the briefest way:
- Adding junk code, for modifying execution flow and various other reasons
- Changing the order of all code aspects
- Changing variable names
- String manipulation
- Changing assembly information
- Adding or changing the icon
The list can go on and on if you want to get specific, and no specific technique lasts forever, so the main thing to remember is to be very creative and to try many, MANY variations of ideas and techniques that you think may confuse/distract/deceive antiviruses. Some antiviruses will be deceived and bypassed easily, even with one technique, and another AV can be a lot harder, so you would have to use variations of all these techniques. This will definitely require dedication and effort, but can be easy with a good set of techniques and practice. It all comes down to experience and learning from it. I will be giving you and showing you many examples that fall into the category of each of these methods, so you will get a perfect idea of how it all works and can then use and improve upon them with your own. I will also be getting into automation tools that can do a lot of these undetection techniques for you instead of manually, but it is very important that you understand how it all works manually, because eventually you will have to apply them manually.
About Unique Stubs and USGs

OK, so you know how a USG comes with some Crypters, right? Well, these USGs, also known as stub generators, generate unique versions of the stub for that Crypter. All of these USGs generate unique stubs by using all these methods of undetection, but at the click of a button. How? A set of techniques and methods is implemented into the USG, using variations of the same undetection method/technique by randomizing the strings, variables, and the order within these undetection techniques (like variations of junk code). It also gives the user the ability to choose specific undetection options/methods to use, thus creating a unique version of the stub. This way, when someone's stub becomes detected, there is a high chance another person's stub, using the same Crypter, won't get detected. Since the majority of the stub might have a different variation and layout of the code from all the undetection options/methods used in the USG, there is a high chance the signature that causes the other stub to be detected will not be present, or not in the same place, in this other unique version of it, because it might be 90% different. So basically, USGs ultimately give an advantage in how long the stub will last undetected. If you don't fully understand this, it's fine, because you will understand it better once you actually start learning and applying these actual methods and techniques. Let's start with...

Adding junk code

OK, here are pretty much all the types of junk code:
- junk subs/functions
- fake calls
- fake variables
- junk strings of text
- fake loops
- fake if/else
Basically, all junk code is randomized portions of regular code which you spread across your program. It can be just in between and/or throughout your program's code; it can deceive or confuse execution, but never actually interferes too much with the process of execution to the point where it will corrupt.
Here are some examples of junk subs/functions with variations of junk variables/if-else/loops, etc., just to give you an idea...
Here's a simple example of a fake call to a junk sub at the beginning of Sub Main() for slightly modifying execution flow:
So be creative, use variations of techniques over variations, and develop your own techniques from these ideas. Never stop trying things and being creative; this is the whole journey and thrill of making your own FUD Crypter. One example of being creative is that you can add a whole bunch of junk subs/functions, etc., into a series of junk modules and classes with nothing else but junk in them and fake execution.
Changing variable names

Changing variable names is highly important and must be done. Press Ctrl+H and you will see a small Replace form pop up. It is very important that you don't mess up the code, so always make sure you use the right options when changing a certain variable or set of variables in your code. For example, you could be changing a public variable which is used throughout your whole project and, without noticing, only select the Current Module option, causing the variable to be changed only in that current module. So always keep these things in mind when changing variables.
String manipulation

Changing and encrypting strings/APIs: just like changing variables, changing strings can mess up your code if you aren't cautious, especially when encrypting strings and APIs. Encrypting strings and APIs is very powerful and is a must when it comes to successfully creating a fully undetectable Crypter. Some examples of string manipulation:
- Encrypt strings
- Reverse strings
- String conversion

There are many types of encryption algorithms to encrypt strings with; for example, the most popular are XOR, RC4, ROT, and string to hex. A big issue most people aren't aware of is the fact that sometimes, when encrypting strings with some RunPE modules, bad things happen: files become corrupt, the Crypter itself can become corrupt, etc. So always be cautious with your string manipulation.

There are some important strings to always make sure are changed or encrypted in your Crypter. The first to take note of is the key split, which in the example below is: meEncPass = thepassword. Change the string to something like aksefiaIUEHF@q#)*!qJFIAUEHFIwqNEOGq)# and remember, this string has to be the same key split in both the stub project and the crypter project, or the crypter will not work and will give you a "Subscript out of range" error (runtime error 9) when running the crypted file. The second to take note of is all the strings in the RunPE module. 99% of the time these have to be encrypted, no matter which RunPE module you use. So always remember to encrypt these.
For this example we are going to use a simple Src Undetector: http://www.mediafire.com/?uzqym10ttom (First go into the OCX folder and run the registrar, then run the program.) Before you go any further, always keep a backup of your source, because some programs will mess up your code a lot, and you might also.
1. Once downloaded and the OCXs are registered, load the stub project.
2. Click one of the 3 string obfuscation buttons, or right-click in the project window and select anything you want to try.
3. If you encrypted the strings, remember to add the encryption function by right-clicking and selecting Add Xor Function.
Keep on doing it; try many things. There's no right or wrong way, pretty much.
Add or change icon

Adding or changing an icon isn't too good an undetection technique, but it can undetect from 1 or 2 AVs in some situations. Changing an icon can also corrupt files, but it's actually pretty rare. The reason this happens is most likely because the icon size is different from the size the file can handle. It is very simple to change an icon, and I can show you in a few easy steps. If you search around you can find many icon changers easily, but for this example we will use ResHacker.
1. Download ResHacker here: http://crypters.net/ResHacker.rar
2. Drag the file you want into the window.
3. Click through the icon folders until you can't anymore, then right-click on the icon or icon group and click Replace Resource.
4. Simply choose the .ico (icon filetype) to replace it with.
Earlier in the chapter I used a src undetector as an example for encrypting strings. This src undetector can be used for many other undetection techniques as well. Here's a thread with almost all the free undetectors around (sorry about those shitcash links; if it was my thread they wouldn't be there):
http://www.hackforums.net/showthread.php?tid=231066
If you don't want to, or can't, download from those links, what I would do is search through different forums with the names of the undetectors to see if there are any other download links people are giving.
You might be wondering, well, what tool did I use to undetect my crypter? I bought a pretty advanced undetector from pr!ngles on HF, called Pringles Undetector or Src Undetector, for around $50 USD. I would highly recommend it, but I'm pretty sure he doesn't sell it anymore, and I'm also not sure if its techniques are outdated. Here's one of the threads with one of the versions of it (hopefully the link is still alive): http://www.hackforums.net/showthread.php?tid=220642&highlight=undetector There should be others very similar to it, or maybe even better nowadays; just search through the sellers section of HF for "undetector" or something.
updated. But just because they are constantly being updated, don't let that discourage you, because usually a simple tweak to the method that worked a month ago can work now and easily bypass the new detection. This is why you must always be creative and learn how the particular AV works, what they detect, and how they detect, because it will help you GREATLY.
Detection Thread sub-section of the Basic section (Hack Hound Programming Basic The Detection Thread) You have to
This section is undetection heaven; people tell you and help each other bypass detections. In this section, lights will start flashing in your head, insights will arise, and ideas will spark. Read through as many threads and pages as you possibly can of undetection and malware on hackhound. Here's another tactic to keep in mind: basically, WHENEVER a detection comes up and you are stuck, search hackhound with variations of keywords related to the AV detecting it and the part of the code being detected, for example "copybytes avira", which refers to the API copybytes that's being detected and Avira being the AV detecting it. You can also search Google, or any other forum, with variations of these same keywords related to your situation; you never know what you will find. I have had so many detections solved from just doing extensive searching. Good luck.
Resources

If you have questions about something or want to learn more, always refer to, and search through:
http://hackforums.net
http://hackhound.org
http://www.opensc.ws
What did you think of the Crypter Blueprint? Do you have any questions or suggestions for the Crypter Blueprint? Please go to this link to tell me so I can make it better: http://www.surveymonkey.com/s/XKSVMBJ