Crypters are software tools that are used to encrypt or conceal the contents of another program, usually with the intention of hiding its true nature. In the context of cybersecurity, crypters are often used by cybercriminals to evade detection by antivirus programs and hide malicious behavior, such as the installation of a virus or the theft of sensitive information.
It is important to note that crypters can be used for both legitimate and malicious purposes, and their use for malicious purposes is a violation of the law in many countries and can result in severe consequences. If you are studying crypters as part of a cybersecurity or computer science course, I recommend doing so within the context of ethical and legal use and avoiding any activities that could be harmful to others.
PEUNION Crypter
CRYPTER, BINDER & DOWNLOADER
PEunion encrypts executables, which are decrypted at runtime and executed in-memory.
KEY FEATURE OVERVIEW
- Emulator detection
- Low-entropy packing scheme (adsbygoogle = window.adsbygoogle || []).push({});
Typically, an executable is decrypted and executed in-memory by the stub. If the executable is a native PE file, RunPE (process hollowing) is used. For .NET executables, the .NET stub uses Invoke. Legitimate files with no known signatures can be written to the disk.
IMPLEMENTATION & EXECUTION FLOW
Obfuscation and evasive features are fundamental to the design of PEunion and do not need further configuration. The exact implementation is fine tuned to decrease detection and is subject to change in future releases.
This graph illustrates the execution flow of the native stub decrypting and executing a PE file. The .NET stub works similarly.
The fundamental concept is that the stub only contains code to detect emulators and to decrypt and pass execution to the next layer. The second stage is position independent shellcode that retrieves function pointers from the PEB and handles the payload. To mitigate AV detections, only the stub requires adjustments. Stage 2 contains all the "suspicious" code that is not readable at scantime and not decrypted, if an emulator is detected.
The shellcode is encrypted using a proprietary 4-byte XOR stream cipher. To decrease entropy, the encrypted shellcode is intermingled with null-bytes at randomized offsets. Because the resulting data has no repeating patterns, it is impossible to identify this particular encoding and infer YARA rules from it. Hence, AV detection is limited to the stub itself.
OBFUSCATION
Assembly code is obfuscated by nop-like instructions intermingled with the actual code, such as an increment followed by a decrement. Strings are not stored in the data section, but instead constructed on the stack using mov-opcodes.
The C# obfuscator replaces symbol names with barely distinguishable Unicode characters. Both string and integer literals are decrypted at runtime.
RIGHT-TO-LEFT OVERRIDE TOOL
The Unicode character U+202e allows to create a filename that masquerades the actual extension of a file.
It is a simple renaming technique, where all characters followed by U+202e are displayed in reversed order. This way, an executable can be crafted in such a way that it looks like a JPEG file.
AUDIENCE
In order to use this program, you should:
be familiar with crypters and the basic concept of what a crypter does
have a basic understanding of in-memory execution and evasion techniques
acknowledge that uploading the stub to VirusTotal will decrease the time that the stub remains FUD
I do not take any responsibility for anybody who uses PEunion in illegal malware campaigns. This is an educational project.
FUD
This project is FUD on the day of release. A crypter that is free, publicly available, and open source will not remain undetected for a long time. Adjusting the stub so it does not get detected is a daunting task and all efforts are in vain several days later. Therefore, there will be no updates to fix detection issues.
Rather, PEunion offers a fully functional implementation that is easy to modify and extend. If you want PEunion to be FUD, please get familiar with the code of the stub and adjust it until you are satisfied with the result.
However, additional evasion techniques may be implemented in future releases to improve the baseline design.
Downlaod :
Click the Button Below to Download the File.
PEunion
PEunion bundles multiple executables (or any other file type) into a single file. Each file can be configured individually to be compressed, encrypted, etc. In addition, an URL can be provided for a download to be executed.
The resulting binary is compiled from dynamically generated C# code. No resources are exposed that can be harvested using tools like Resource Hacker. PEunion does not use managed resources either. Files are stored in byte[] code definitions and when encryption and compression is applied, files become as obscure as they can get.
And on top of that, obfuscation is applied to a maximal extent! Variable names are obfuscated using barely distinguishable Unicode characters. String literals for both strings that you provide, as well as constant string literals are encrypted.
PEunion can be either used as a binder for multiple files, as a crypter for a single file, or as a downloader.
Screenshots
This is the application interface. First, you add the files to your project.
Each file can be configured individually. Default settings already include obfuscation, compression and encryption. Relevant settings are primarily: Where to drop the file, using what name and whether or not to execute it and so on…
The project can be saved into a .peu file, which includes all project information. Paths to your files are relative if they are located in the same directory or a sub directory.
PEunion can also be used as a downloader. Simply specify a URL and provide drop & execution parameters. Of course, bundled files and URL downloads can be mixed in any constellation.
Settings
For the C# code that is generated, compiler settings can be configured here. Usually, you will be looking to change the icon and assembly info:
The next two pages include settings for obfuscation and startup parameters. Default obfuscation settings are at maximum, however they can be changed, if required.
Compiling
Finally, the project is compiled into a single executable file. In addition, generating just the code will compile the .cs file, but not the binary.
And any errors that creep in will either prevent building or display a warning:
Additional Tools
There are additional tools and utilities. Currently, there is only one, however more will follow, such as an exe to docx “converter”, etc.
Right to Left Override
A lesser-known ~~bug~~ feature: Right to left override. By using the U+202e unicode character, file name strings can be reversed, yielding additional obscurity.
Example: Colorful A[U+202E]gpj.scr will be displayed as Colorful Arcs.jpg in File Explorer. Since “scr” (for screensaver) easily goes unseen, it may be superior over “exe”. With the matching icon applied, the file may look just like an image or document file: