Forum Thread: Make Runtime Crypter

Hi, I just finished my own crypter. I wrote it in VB and it works "great": scanning online, it went from 27/35 detections to 1/35. The only problem is that it is only scantime. Practically, it merges the stub, the crypted payload and a file to bind with, using a certain string as a splitter; when the file is run, it splits the contents, creates a temp .exe with the payload encrypted and then executes it. Logically the AV detects it and removes it before it's launched, so it is pretty useless. I read about runtime crypters that decrypt the payload directly in memory so the AV can't detect it, but I don't understand how to do it, so can someone point me in the right direction? Maybe link me something about it; I'd appreciate it. Thanks


2 Responses

You can take a look at the code of UPX. It is a packer, but the principle is the same (run-time unzip is pretty much the same as run-time decrypt). Maybe somebody else can give you better pointers specifically for Windows.

You can also take a look at this very basic article for the overall idea of how they work. It targets the ELF format for Linux, though.

For Windows the executable format is called PE. I bet it would be pretty much the same thing, but I have never played with PE so I cannot say for sure.

Good Luck

Thank you, I'll give it a shot.
