This is the beginning of a series of coding tutorials.

The goal is that I may teach some (grey|black|shit)heads about
useless stuff and vice versa.

I took this whole sample from my first exec crypter solution which is outdated.
So C&P might raise the AV alarms. However I was quite surprised how bad the
detection ratio was. But more on it later.

[b]Caution[/b]:
Before you start copy and pasting my stuff you should be aware that I'm using
well-known malware (mirai in this case) to show that the crypter is working.
It is highly advised to use a [b]VM[/b] without network access to test this repo or
use at least the inoffensive payload
aka exec_payload. Mirai detects if it gets executed in a [b]VM[/b] but it is enough
to show that the crypter works. Although all mirai CNC servers are shutdown afaik.

[b]Get the repo[/b]:
The source is located at Tochka's (ty for your git service <3) github like GOGS onion page which
you can access here:
[code]http://qxklmrhx7qkzais6.onion/segfault/Torum-Tutorial-00[/code]

[b]Build it[/b]:
[code]
make # default build using unoffensive exec_payload
make USE_MIRAI=y # use mirai as payload
make USE_PAYLOAD # use custom payload
make DEBUG=y # disable symbol/section stripping and produce dbg syms
[/code]

[b]Run it[/b]:
[b][i]Do this at your own risk if USE_MIRAI=y ![/i][/b]
You can now run the crypter:
[code]./exec_crypter[/code]
The first run detects that the payload is not encrypted and encrypt it.
The second will recognize that the payload is already encrypted, decrypt and run it.

[b]How it works[/b] (assuming a successful run):
[list=1]
[*] open the crypter executable and create a file for temp storage
[*] copy the crypter executable into the temp file using sendfile
[*] memory map the temp file into memory
[*] search for the unique marker which marks the beginning of our payload trailer struct
[*] Encryption:
[*] if xor key contains only NUL bytes, assume that the payload is stored as plain text
[*] if payload is stored as plain text, generate a xor key and encrypt the payload in out mmap'd buffer
[*] Decryption:
[*] if payload is encrypted (at least one not NUL byte in xor key), open a new temp file, copy the payload there using sendfile
[*] run the payload and at try to unlink the file after execution
[/list]

[b]Remarks[/b]:
The payload is stored in a section named [b].payload[/b] which means that you can't change the size of the payload after it
is linked in the resulting executable (well it is possible but needs a lot more work to achieve this). The payload itself gets
included by nasm (see [b]include_payload.asm[/b]) which also sets up the initial trailer struct.
The used encryption mechanism is all but [b]not secure[/b] since it uses a simple XOR ECB algorithm (no IVs, no block chaining).
But still enough to bypass all AV solutions, lol...

[b]Result[/b]:
I was actually quite surprised that this old and very basic crypter results in a zero detection ratio for well-known malware e.g. mirai.
There are probably two reasons why no linux/ELF AV scanner detects it:
[list=2]
[*] they don't use behavioral analysis e.g. a sandboxed execution environment
[*] they don't hook execve/execveat
[/list]

Feel free to comment and improve this crappy old source..
I will upload new tutorials in the upcoming weeks .. e.g. code injection/polymorphic code obfuscation/direct syscall invocation/whatsoever

(*segfault)