August 24, 2012

Source: Secure Planet

by Peter

In this article: “I’ve been working on a couple of little side projects and finally had a couple hours to sit down and test some things out. I’m always looking for better ways to hide my reverse shells (and of course meterpreter) and evade anti-virus. Through some of the conferences I recently attended, here are a couple of new techniques.

1) Hyperion [http://www.nullsecurity.net/binary.html]

Hyperion is a run-time encrypter for 32-bit portable executables. A runtime crypter accepts binary executable files as input and transforms them into an encrypted version (preserving their original behavior). When executed, the encrypted file decrypts itself on startup and executes its original content.

In short, to summarize what Hyperion does: it encrypts a binary with AES 128. Usually, you’d have to input the cipher key, but this is where Hyperion does it differently. The newly generated encrypted file doesn’t contain the AES cipher key within its code. It actually doesn’t even know what it is. During execution, the encrypted version brute forces through every AES key, then decrypts the PE file in memory and executes it. Sweet!”
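
From the detection side, a payload encrypted the way the quote describes is statistically close to random, so the section holding it shows entropy near 8 bits per byte. The following is an added example, not code from the quoted article or from Hyperion: a per-section entropy check over a PE image. The 7.2 threshold, the function names and the sample file are assumptions constructed for illustration, and compressed data can trip the same heuristic.

```python
import hashlib
import math
import struct
from collections import Counter

THRESHOLD = 7.2  # bits/byte; assumed cut-off, tune against your own baseline

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0); empty input gives 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropies(pe: bytes) -> dict:
    """Map each PE section name to the entropy of its raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections at +6, SizeOfOptionalHeader at +20 from the signature
    n_sections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    result = {}
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        result[label] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result

def suspicious_sections(pe: bytes) -> list:
    """Names of sections whose entropy meets or exceeds THRESHOLD."""
    return sorted(n for n, h in section_entropies(pe).items() if h >= THRESHOLD)

def build_sample() -> bytes:
    """Constructed, non-executable PE skeleton: only the headers the parser reads."""
    code = b"\x55\x8b\xec\x90" * 1024  # repetitive bytes, entropy 2.0
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # stand-in for ciphertext
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    offset, va, table = 64 + 24 + 2 * 40, 0x1000, b""
    for name, body in ((b".text", code), (b".data", blob)):
        table += struct.pack("<8sIIII16x", name, len(body), va, len(body), offset)
        offset, va = offset + len(body), va + 0x1000
    return dos + coff + table + code + blob

if __name__ == "__main__":
    for name, h in section_entropies(build_sample()).items():
        print(f"{name:8s} {h:5.2f} {'HIGH' if h >= THRESHOLD else 'ok'}")
```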
