What's good, peeps? I've been noticing some rather advanced tutorials slowly emerging here on Null Byte and I know that people want more of them but I've been reluctant to post something of such caliber because I fear that the information will just go over their heads, but hey, as long as it's there, people can always go off to research themselves and eventually understand. So here is my contribution to the gradual and inevitable progression of Null Byte!
Welcome, readers, to a guide and walkthrough on runtime crypters! This section will specifically cover Windows systems so if you're a hater and cringe at the slightest sound of Microsoft's grotesque baby, feel free to close this tab, delete your history, exit your browser, pour some oil onto your machine and sanitize it with fire! Else, please continue onwards. If you do not know what a crypter is, please proceed onto this article. Also, please bear with the theory, I know that it's boring and I apologize for that.
The following article details the internals of the Portable Executable (PE) format and some concepts of Windows' memory management. I will only be covering the relevant information so if you wish to understand more, you will need to do some more research.
Note: I am still currently learning more about this so if I happen to get any information incorrect, please leave a comment below or drop a message in my inbox and I will try to patch it ASAP.
Disclaimer: This is an article which shows how the runtime crypter works. It is meant to be a guide, not a tutorial so not every little piece of information will be provided.
We can see here that the PE format is divided into two main parts: the header and sections.
The header contains crucial information about the file such as its overall management (locations and sizes) and how it should be handled in memory.
The sections are where the actual data resides such as the code, data and resources (icons, images, GUI, etc.) - those who have been following my C tutorials should be somewhat familiar with this.
We'll now take a deeper look into these two segments.
When Windows maps an executable file into memory, the layout is pretty much the same as on disk, except that each section is placed at its own location in memory rather than at its file offset. The information for this (where the section lives on disk and where it lands in memory) lies in the respective section's section header.
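As an added example (not code from the original article), here is a small Python parser that walks the DOS header, PE signature, COFF header and section table described above, then uses the section headers to translate an in-memory address back to its on-disk offset; the PE image it parses is constructed inline for the demo, and the function and dictionary key names are my own.

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER: 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # COFF NumberOfSections
    size_opt_hdr = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt_hdr                      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_offset": f[4], "characteristics": f[9]})
    return sections

def rva_to_file_offset(sections: list, rva: int):
    """Map an in-memory address (RVA) back to its on-disk offset; None if it has no disk bytes."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            # bytes past SizeOfRawData exist only in memory (zero-filled by the loader)
            return s["raw_offset"] + delta if delta < s["raw_size"] else None
    return None

def writable_executable(sections: list) -> list:
    """Names of sections flagged both writable and executable, a common triage check."""
    mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in sections if s["characteristics"] & mask == mask]

def build_sample_pe() -> bytes:
    """Constructed, headers-only PE image for the demo (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102) # i386, 2 sections
    opt = b"\0" * 0xE0                                                         # zeroed optional header
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HEADER_FMT, b".data", 0x2000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + coff + opt + text + data
```

Running `parse_sections` over a real file on disk gives you the same section table a debugger shows after the loader has mapped it, which is the quickest way to see why a file offset and a memory address for the same byte differ.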
Now let's look at how runtime crypters do their magic...
Finally, we have reached the interesting part of the article! Woo! Let's not waste any time and dive down the rabbit hole!
That's it! If you feel confused, please, do some research!
Hope you've enjoyed this (somewhat lengthy, hopefully not too boring) article and now at least sort of understand what's happening! Thanks for reading!