Encrypted PE Loader Generator

Overview

Huan

Huan is an encrypted PE loader generator that I developed to learn the PE file structure and the PE loading process. It encrypts the PE file to be run with a fresh key each time and embeds the result in a new section of the loader binary. Currently it works on 64-bit PE files only.

How It Works?

First, Huan reads the given PE file and encrypts it with AES-128 in CBC mode. For the encryption I used Tiny AES in C and wrote padding code, since that library only processes whole 16-byte blocks. When the encryption is complete, it builds the loader with MSBuild (MsBuild.exe, from Visual Studio) and produces an executable. After that, it adds a section (called .huan) to that executable and embeds the encrypted content, the size information, the IV and the symmetric key. The key and IV are generated randomly for each copy of the loader, so no two generated loaders share the same ciphertext. Because the key and IV are stored in the same section as the ciphertext, the encryption is an obfuscation layer against static signatures rather than a secret: anyone holding the loader can parse .huan and decrypt the payload. The layout of this section can be seen below.

When the loader is executed, it first obtains its own image base by reading the Process Environment Block (PEB). With the image base known, it parses the loaded copy of itself to find the .huan section. It then decrypts the whole content into a buffer and loads the decrypted PE directly from that memory buffer rather than from a file on disk.
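As an added example (not code from the Huan repository), the following Python shows the two mechanical pieces the description above depends on: the PKCS#7 padding that Tiny AES's CBC mode needs, and the section-table walk that locates a named section such as .huan in a PE image. The .huan layout it uses (a 32-bit plaintext size, then the 16-byte IV, the 16-byte key, then the ciphertext) and the constructed minimal PE image are assumptions for illustration, not the project's actual format; the AES-CBC call itself is omitted and a padded placeholder stands in for the ciphertext. The demo also makes the caveat above concrete: the key is read straight back out of the file.

```python
import struct

BLOCK = 16  # AES block size; Tiny AES CBC needs input padded to a multiple of it


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append 1..block bytes, each equal to the pad length (PKCS#7)."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding, rejecting malformed trailers."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


# Assumed .huan layout (the original diagram is not reproduced on this page):
#   u32 LE plaintext size | 16-byte IV | 16-byte AES-128 key | ciphertext
HUAN_HDR = struct.Struct("<I16s16s")


def pack_huan(plain_len: int, iv: bytes, key: bytes, ct: bytes) -> bytes:
    return HUAN_HDR.pack(plain_len, iv, key) + ct


def unpack_huan(blob: bytes):
    """Recover size, IV, key and ciphertext. The ciphertext length follows from
    the plaintext size (PKCS#7 adds 1..16 bytes), so section slack is ignored."""
    plain_len, iv, key = HUAN_HDR.unpack_from(blob, 0)
    ct_len = (plain_len // BLOCK + 1) * BLOCK
    return plain_len, iv, key, blob[HUAN_HDR.size:HUAN_HDR.size + ct_len]


def find_section(image: bytes, name: bytes):
    """Walk the COFF section table and return (VirtualAddress, PointerToRawData,
    SizeOfRawData) for `name`, or None. A loader does the same walk over its
    own mapped image to locate .huan (offsets per the PE/COFF specification)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(nsec):
        off = table + 40 * i
        if image[off:off + 8].rstrip(b"\0") == name:
            _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
            return va, raw_ptr, raw_size
    return None


def build_minimal_pe(sections: dict, file_align: int = 0x200) -> bytes:
    """Constructed test image: DOS header, PE signature, x64 COFF header with a
    zero-length optional header, then one section per (name -> raw bytes).
    Not loadable by Windows; just enough structure for the section walk."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0002)
    hdr_len = len(dos) + 4 + len(coff) + 40 * len(sections)
    raw_ptr = -(-hdr_len // file_align) * file_align
    va, table, placed = 0x1000, b"", []
    for name, data in sections.items():
        raw_size = -(-len(data) // file_align) * file_align
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        placed.append((raw_ptr, data))
        raw_ptr += raw_size
        va += max(0x1000, -(-len(data) // 0x1000) * 0x1000)
    image = bytearray(raw_ptr)
    image[:hdr_len] = dos + b"PE\0\0" + coff + table
    for ptr, data in placed:
        image[ptr:ptr + len(data)] = data
    return bytes(image)


def demo():
    """Round trip: pad a constructed payload, embed it with key and IV as .huan,
    then pull everything back out of the file the way an analyst would.
    The AES-CBC step is omitted; the padded plaintext stands in for `ct`."""
    payload = b"MZ-this-is-a-constructed-payload"  # constructed, not a real PE
    key, iv = bytes(range(16)), bytes(range(16, 32))
    ct = pkcs7_pad(payload)
    blob = pack_huan(len(payload), iv, key, ct)
    image = build_minimal_pe({b".text": b"\xC3", b".huan": blob})
    va, ptr, size = find_section(image, b".huan")
    plain_len, iv2, key2, ct2 = unpack_huan(image[ptr:ptr + size])
    return {"image": image, "va": va, "key": key2, "iv": iv2,
            "payload": pkcs7_unpad(ct2)[:plain_len]}


if __name__ == "__main__":
    r = demo()
    print(f".huan at RVA {r['va']:#x}; key recovered from file: {r['key'].hex()}")
```

The section walk reads SizeOfOptionalHeader rather than assuming a fixed optional-header size, so the same code works for PE32 and PE32+ files; on a mapped image you would use VirtualAddress instead of PointerToRawData to reach the section bytes.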

Quick Demo

TO-DO List

  • 32-bit support
  • Improvements on PE loader
  • Blog post about PE loading process
  • Reducing the detection rate of the loader

References

Disclaimer

I shared this tool only to show code snippets of well-known TTPs. I am not responsible for any use of this tool for malicious activities.

Comments
  • Huan isn't compiling output EXE

    I built with VS 2022 Community. Tried with mimikatz but it does not compile the output EXE and does not get past the "Loader is compiled and readed" prompt.

    opened by assume-breach
Owner
Furkan Göksel
Security Enthusiast and Developer