I created a simple SFX application which works on Compressing / Packing files. When someone click the output file he will be prompted for a password, if password entered correctly the file decrypt it self following a specific routines.
A customer said that my file was a virus, so i scanned the file online on VirusTotal.com and i seen that the file was detected by avira in the SCAN RESULT. I reexamined the source code Line by Line, and i found that the following Lines of code are detected.
public class SimplerAES
{
private static byte[] key = { 88, 54, 54, 147, 99, 201, 41, 80, 58, 100, 5, 64, 213, 99, 14, 15, 154, 35, 110, 36, 124, 25, 115, 23, 56, 44, 65, 7, 45, 254, 1, 54 };
private static byte[] vector = { 33, 8, 121, 196, 223, 45, 63, 100, 1, 32, 18, 87, 1, 158, 119, 111};
private ICryptoTransform encryptor, decryptor;
private UTF8Encoding encoder;
public SimplerAES()
{
RijndaelManaged rm = new RijndaelManaged();
encryptor = rm.CreateEncryptor(key, vector);
decryptor = rm.CreateDecryptor(key, vector);
encoder = new UTF8Encoding();
}
public string Encrypt(string unencrypted)
{
return Convert.ToBase64String(Encrypt(encoder.GetBytes(unencrypted)));
}
public string Decrypt(string encrypted)
{
return encoder.GetString(Decrypt(Convert.FromBase64String(encrypted)));
}
public byte[] Encrypt(byte[] buffer)
{
MemoryStream encryptStream = new MemoryStream();
using (CryptoStream cs = new CryptoStream(encryptStream, encryptor, CryptoStreamMode.Write))
{
cs.Write(buffer, 0, buffer.Length);
}
return encryptStream.ToArray();
}
public byte[] Decrypt(byte[] buffer)
{
MemoryStream decryptStream = new MemoryStream();
using (CryptoStream cs = new CryptoStream(decryptStream, decryptor, CryptoStreamMode.Write))
{
cs.Write(buffer, 0, buffer.Length);
}
return decryptStream.ToArray();
}
}
What i want to do now is to find a solution which let me encrypt the class above, so instead of writing it as it is in my C# propgram i will write the encrypted string. and use a function which decrypt and execute the encrypted string at Run-time. So instead of writing the above class i will write the following
String MYCODE = "687b1ddf28e8d9d3141c3b5d8d4d1863964a614c74317e88a18a10c1c4723bed18d53c99eeb5f05b6646b10b63ae14166c81b06dd487103d133a06896ed9a125e8e2a9c54a2fec82ddd8abe4ef9bbe1b99664a8bc761db2ce70cd1dd9d6898e72490ccea73d7dab056e86cec23f39328b9eb3ef3ef7942db4122178b8a319971c6de2a5cb7e23dd5ba382525a7993122bf068d9d7ac189e701e1b2120b6f5747123e320f892a51df0ff38d7fef5c24d8914a9974d36183c4885582d2ce37023cbde2c23896e608754e81cf9faf70cd64fea5e930340e185fcfe1f457710a2e8b7c977b4c851f8fb4dd49ea53216dc8242ec6ac17e5256ab16170ac49a124a3972477e6bbfefbf1e1c1f84290e023fa2d7813e7761c9e2872c2d57e8d69be34c2cbb41fd75b81604ebf57dece4c9fd6b5bce441350cc4e2ca1bc78105ee554629ff6201745088a177859d168ffffb356fb2bb327de7495db77e07d9fcc9787fc4313a5118037f5828eb2ac7a006126b21b207eb22a369b3182d1f613b43a097d214650c6fd0af057f7836586b4f55342351e93fbb03f726982f4356c801342b6efe7a9fe29ba6770a61d29656725ed21c77a17fe61ffb6d9dea55bbd1ab9e70c1ce44fc82ed710550483ae3b6049aa7d24cc142f5d521bc8beaa36d2839fb82efe59aafa713659c3e902a65c27e8fa9712cd9d232ac65fbf20bef047371317bd60331f8b8b2971cc1ba2b5e854c3d0b072ad786deb40811dcdb335d2937a1ef86a5d0923294ed9eed758670856bbd89471e4940d6dbdae6d8e4cb10235645c2e23be442a4739d0a24a56b666828269704984621ba9761d47512e0804a3a20b0f7c15ff10036dedb4ad8f1149c028de5d726f9e62244fc22b45a5096736d6dd65e9afddd05234982818f7eccd35555805169cf1ef887bf06bc4cee729513c255ff3e41de5397e45212ca921e394bfd059f30cd3404a3a7e989e374239c22aca956e39d576838bed69551040095a4e070fdecd369b7be51ae30ad0a8c4d3c23c7678a7bb661a720e88d396218b0f37bea4f7959df498b7f2e59460b32735685b551f0fe74786a119ce9343ebd4c3f2efea11f02741a067300fe836ad7943577c56b22cf54964b6bf8be4b0a61c353be7fffe90166c5a1c667938878eace2046eb254fc65ef7a3c98c7877651e1cc735bb006d5ba9fdf5f5555345570a43adbe6a49ed714d79990f408f667ac2a624511b0fc1674bdff0cd02b11a2666cb76b39c84d5aeb2b32c3777f7f577495bdef2ac7cf8a119487c8a97a6c1ec8f5b775cd7059f7edd3d8da1764467058991d6a6c5b061fdbbc255103798d5d2e2d75eff80316b65abff2b9d1514f55e2db114e207ba6d41419924e9397404750a7822daa93c5055dbd3448f8d25550cae7daf8fea9d6ab51eff5f11e88dabe81a0030a775480bb694acf95ce4cf48497fd24272853a62e1af55c5ab4e2d058ebd04f053a01b86b7d87e0c1c8bae2ed3f3e5f2096d83569aef940331f29ed27656968880433b6a892b97239acef888afb9b4f4e3dcb4bb67823ce1e80f2068805145daacea016267dadbb78f437aaed32711dcc436f9a4997cc19eb797c10ca3c8c432b4fdf9c886bdc566f233400e202630925eb837c812c9ba95957ca7035056831d93ab16cd5c9095090e64b3f90d6ff709f732237dd41a3cebe371f7328b7bd3cbb6cf695f98c69b45e1999a3595bd12cc23f5f3cfcf13e355b7a3ea5b0bbc5c60142ae85829915f48d4ae0fc896ed8113e6062a7c6e54ac8470d0c8cc5b5e5e91d702a7b19af4a9b647e84db3ad1c5c65f2f450f99cdce1be4b3a3404070de4f45f36eb0acec358452c72c475ee69615614889737b698afab9472ab2cd12a543555dbe31199b8c188232a85bbbff925a6e8bac9e0c98fd8156b34b849dcbbcb9077018c5a1d5ca7b76fa5ba3e5fa5070c47d4a4e1723503500f1b63395d60fcf8eb551fb3aaac2a52763d89584951e6adcec46cde1e0e7dc0c511fc38a9cb92413c4f4eb54a803ff18e759a9aac56760ab97f1a25f7474561964e541fac9ae4c53d1728565bfe8007c2a015d9e7a2877891a829db9a3b70e91507f060362efe6f7d51573feadb7cedfab390a6a53e171e28b4c0582c2dd944d2b227b0d79f7484795bdbe15da65c3a60d859b10cc3b20614c827eff8d78bf5a64d86d5404c14b96bbd46c2ae176064feb5ef80b5147dae06faa34982b5835fe0562ce210c27abce2e15235cd530550f1927dc2b73f732b159391fbe186a670284a81a3e22d182b0587dda31429d296b486683d3b74205ce6a15102334c43c610c44841fad92ab9456340ef55fde6814ba11a0d069dd680b7b2c63aaa5b6a7d1ab119ebbfb2c5322ee950f94f9780652e258650b2991a62f9964a6534a16104de5463f1fb278b82690999c6ff48a3eed75ca7a619ab5ae4c3c2a66b4bc7d450f597aba119cfcb292f1a91032cc0a8f11f9baabd491fff0bcea62c72f8e30c87e58b769c5a5e1f6c7aca403ace859f199fb60381412d75703966c8adcef9a6938bde96d09376692a9bffe6ab4c31d7f71c8d959feadb0e532a3e6dd8f84d9e0f114d81bb3122ba2cbb9f59b636118a0d7a3c5f177329ccb50a049a60d6"
Then simply i call a function like:
xor_get_and_execute_original_code(MYCODE,mykey);
Is this possible, and how can I achieve this in the case it is.
Though encryption isn't an effective method for protecting your entire source code, you can use encryption as part of the obfuscation process without slowing the program.
Encryption is the method by which information is converted into secret code that hides the information's true meaning. The science of encrypting and decrypting information is called cryptography. In computing, unencrypted data is also known as plaintext, and encrypted data is called ciphertext.
Encryption refers to an algorithmic process in which data is changed into a form that can no longer be read. The data is encrypted using electronic or digital keys. Synonyms for the term encryption are coding or ciphering. Encryption is used when two or more people communicate with each other.
How to decrypt a cipher text? To decrypt / decipher an encoded message, it is necessary to know the encryption used (or the encoding method, or the implemented cryptographic principle). Without knowing the technique chosen by the sender of the message, it is impossible to decrypt it (or decode it).
You could do it plugin-style. Load the decrypted code up via CodeDOM and execute it from there. Plugin behaviour is usually acceptable to AV-ware.
Do you ever think that what trigger the alert may be this keys ?
private static byte[] key = { 88, 54, 54, 147, 99, 201, 41, 80, 58, 100, 5, 64, 213, 99, 14, 15, 154, 35, 110, 36, 124, 25, 115, 23, 56, 44, 65, 7, 45, 254, 1, 54 };
private static byte[] vector = { 33, 8, 121, 196, 223, 45, 63, 100, 1, 32, 18, 87, 1, 158, 119, 111};
Change them to something different and check it again. I do not see anything else that can trigger the virus alert here.
unfortunately some times the virus or other security check programs can false trigger by "self protection code" that direct read/write on "code memory" of the program, and some of my programs that use HASP or similar protection false trigger the virus. At least two of my programs triggers them with out having any bad code inside, just security test.
Now on this code that I do not see anything that can trigger a virus except a misfortune of combination numbers that's look like a known virus and gives this alert. So ether changes your keys, ether re-position your functions to change this pattern and try again.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With