FreshRSS

๐Ÿ”’
โŒ Secure Planet Training Courses Updated For 2019 - Click Here
โ˜ท
โ–ณ ๐Ÿ”ƒ
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

NoArgs - Tool Designed To Dynamically Spoof And Conceal Process Arguments While Staying Undetected

By: Zion3R


NoArgs is a tool designed to dynamically spoof and conceal process arguments while staying undetected. It achieves this by hooking into Windows APIs to dynamically manipulate the Windows internals on the go. This allows NoArgs to alter process arguments discreetly.


Default Cmd:


Windows Event Logs:


Using NoArgs:


Windows Event Logs:


Functionality Overview

The tool primarily operates by intercepting process creation calls made by the Windows API function CreateProcessW. When a process is initiated, this function is responsible for spawning the new process, along with any specified command-line arguments. The tool intervenes in this process creation flow, ensuring that the arguments are either hidden or manipulated before the new process is launched.

Hooking Mechanism

Hooking into CreateProcessW is achieved through Detours, a popular library for intercepting and redirecting Win32 API functions. Detours allows for the redirection of function calls to custom implementations while preserving the original functionality. By hooking into CreateProcessW, the tool is able to intercept the process creation requests and execute its custom logic before allowing the process to be spawned.

Process Environment Block (PEB) Manipulation

The Process Environment Block (PEB) is a data structure utilized by Windows to store information about a process's environment and execution state. The tool leverages the PEB to manipulate the command-line arguments of the newly created processes. By modifying the command-line information stored within the PEB, the tool can alter or conceal the arguments passed to the process.

Demo: Running Mimikatz and passing it the arguments:

Process Hacker View:


All the arguemnts are hidden dynamically

Process Monitor View:


Technical Implementation

  1. Injection into Command Prompt (cmd): The tool injects its code into the Command Prompt process, embedding it as Position Independent Code (PIC). This enables seamless integration into cmd's memory space, ensuring covert operation without reliance on specific memory addresses. (Only for The Obfuscated Executable in the releases page)

  2. Windows API Hooking: Detours are utilized to intercept calls to the CreateProcessW function. By redirecting the execution flow to a custom implementation, the tool can execute its logic before the original Windows API function.

  3. Custom Process Creation Function: Upon intercepting a CreateProcessW call, the custom function is executed, creating the new process and manipulating its arguments as necessary.

  4. PEB Modification: Within the custom process creation function, the Process Environment Block (PEB) of the newly created process is accessed and modified to achieve the goal of manipulating or hiding the process arguments.

  5. Execution Redirection: Upon completion of the manipulations, the execution seamlessly returns to Command Prompt (cmd) without any interruptions. This dynamic redirection ensures that subsequent commands entered undergo manipulation discreetly, evading detection and logging mechanisms that relay on getting the process details from the PEB.

Installation and Usage:

Option 1: Compile NoArgs DLL:

  • You will need microsoft/Detours">Microsoft Detours installed.

  • Compile the DLL.

  • Inject the compiled DLL into any cmd instance to manipulate newly created process arguments dynamically.

Option 2: Download the compiled executable (ready-to-go) from the releases page.

Refrences:

  • https://en.wikipedia.org/wiki/Microsoft_Detours
  • https://github.com/microsoft/Detours
  • https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
  • https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++


Temcrypt - Evolutionary Encryption Framework Based On Scalable Complexity Over Time

By: Zion3R


The Next-gen Encryption

Try temcrypt on the Web โ†’

temcrypt SDK

Focused on protecting highly sensitive data, temcrypt is an advanced multi-layer data evolutionary encryption mechanism that offers scalable complexity over time, and is resistant to common brute force attacks.

You can create your own applications, scripts and automations when deploying it.

Knowledge

Find out what temcrypt stands for, the features and inspiration that led me to create it and much more. READ THE KNOWLEDGE DOCUMENT. This is very important to you.


Compatibility

temcrypt is compatible with both Node.js v18 or major, and modern web browsers, allowing you to use it in various environments.

Getting Started

The only dependencies that temcrypt uses are crypto-js for handling encryption algorithms like AES-256, SHA-256 and some encoders and fs is used for file handling with Node.js

To use temcrypt, you need to have Node.js installed. Then, you can install temcrypt using npm:

npm install temcrypt

after that, import it in your code as follows:

const temcrypt = require("temcrypt");

Includes an auto-install feature for its dependencies, so you don't have to worry about installing them manually. Just run the temcrypt.js library and the dependencies will be installed automatically and then call it in your code, this was done to be portable:

node temcrypt.js

Alternatively, you can use temcrypt directly in the browser by including the following script tag:

<script src="temcrypt.js"></script>

or minified:

<script src="temcrypt.min.js"></script>

You can also call the library on your website or web application from a CDN:

<script src="https://cdn.jsdelivr.net/gh/jofpin/temcrypt/temcrypt.min.js"></script>

Usage

ENCRYPT & DECRYPT

temcrypt provides functions like encrypt and decrypt to securely protect and disclose your information.

Parameters

  • dataString (string): The string data to encrypt.
  • dataFiles (string): The file path to encrypt. Provide either dataString or dataFiles.
  • mainKey (string): The main key (private) for encryption.
  • extraBytes (number, optional): Additional bytes to add to the encryption. Is an optional parameter used in the temcrypt encryption process. It allows you to add extra bytes to the encrypted data, increasing the complexity of the encryption, which requires more processing power to decrypt. It also serves to make patterns lose by changing the weight of the encryption.

Returns

  • If successful:
    • status (boolean): true to indicate successful decryption.
    • hash (string): The unique hash generated for the legitimacy verify of the encrypted data.
    • dataString (string) or dataFiles: The decrypted string or the file path of the decrypted file, depending on the input.
    • updatedEncryptedData (string): The updated encrypted data after decryption. The updated encrypted data after decryption. Every time the encryption is decrypted, the output is updated, because the mainKey changes its order and the new date of last decryption is saved.
    • creationDate (string): The creation date of the encrypted data.
    • lastDecryptionDate (string): The date of the last successful decryption of the data.
  • If dataString is provided:
    • hash (string): The unique hash generated for the legitimacy verify of the encrypted data.
    • mainKey (string): The main key (private) used for encryption.
    • timeKey (string): The time key (private) of the encryption.
    • dataString (string): The encrypted string.
    • extraBytes (number, optional): The extra bytes used for encryption.
  • If dataFiles is provided:
    • hash (string): The unique hash generated for the legitimacy verify of the encrypted data.
    • mainKey (string): The main key used for encryption.
    • timeKey (string): The time key of the encryption.
    • dataFiles (string): The file path of the encrypted file.
    • extraBytes (number, optional): The extra bytes used for encryption.
  • If decryption fails:
    • status (boolean): false to indicate decryption failure.
    • error_code (number): An error code indicating the reason for decryption failure.
    • message (string): A descriptive error message explaining the decryption failure.

Here are some examples of how to use temcrypt. Please note that when encrypting, you must enter a key and save the hour and minute that you encrypted the information. To decrypt the information, you must use the same main key at the same hour and minute on subsequent days:

Encrypt a String

const dataToEncrypt = "Sensitive data";
const mainKey = "your_secret_key"; // Insert your custom key

const encryptedData = temcrypt.encrypt({
  dataString: dataToEncrypt,
  mainKey: mainKey
});

console.log(encryptedData);

Decrypt a String

const encryptedData = "..."; // Encrypted data obtained from the encryption process
const mainKey = "your_secret_key";

const decryptedData = temcrypt.decrypt({
  dataString: encryptedData,
  mainKey: mainKey
});

console.log(decryptedData);

Encrypt a File:

To encrypt a file using temcrypt, you can use the encrypt function with the dataFiles parameter. Here's an example of how to encrypt a file and obtain the encryption result:

const temcrypt = require("temcrypt");

const filePath = "path/test.txt";
const mainKey = "your_secret_key";

const result = temcrypt.encrypt({
  dataFiles: filePath,
  mainKey: mainKey,
  extraBytes: 128 // Optional: Add 128 extra bytes
});

console.log(result);

In this example, replace 'test.txt' with the actual path to the file you want to encrypt and set 'your_secret_key' as the main key for the encryption. The result object will contain the encryption details, including the unique hash, main key, time key, and the file path of the encrypted file.

Decrypt a File:

To decrypt a file that was previously encrypted with temcrypt, you can use the decrypt function with the dataFiles parameter. Here's an example of how to decrypt a file and obtain the decryption result:

const temcrypt = require("temcrypt");

const filePath = "path/test.txt.trypt";
const mainKey = "your_secret_key";

const result = temcrypt.decrypt({
  dataFiles: filePath,
  mainKey: mainKey
});

console.log(result);

In this example, replace 'path/test.txt.trypt' with the actual path to the encrypted file, and set 'your_secret_key' as the main key for decryption. The result object will contain the decryption status and the decrypted data, if successful.

Remember to provide the correct main key used during encryption to successfully decrypt the file, at the exact same hour and minute that it was encrypted. If the main key is wrong or the file was tampered with or the time is wrong, the decryption status will be false and the decrypted data will not be available.

UTILS

temcrypt provides utils functions to perform additional operations beyond encryption and decryption. These utility functions are designed to enhance the functionality and usability.

Function List:

  1. changeKey: Change your encryption mainKey
  2. check: Check if the encryption belongs to temcrypt
  3. verify: Checks if a hash matches the legitimacy of the encrypted output.

Below, you can see the details and how to implement its uses.

Update MainKey:

The changeKey utility function allows you to change the mainKey used to encrypt the data while keeping the encrypted data intact. This is useful when you want to enhance the security of your encrypted data or update the mainKey periodically.

Parameters

  • dataFiles (optional): The path to the file that was encrypted using temcrypt.
  • dataString (optional): The encrypted string that was generated using temcrypt.
  • mainKey (string): The current mainKey used to encrypt the data.
  • newKey(string): The new mainKey that will replace the current mainKey.
const temcrypt = require("temcrypt");

const filePath = "test.txt.trypt";
const currentMainKey = "my_recent_secret_key";
const newMainKey = "new_recent_secret_key";

// Update mainKey for the encrypted file
const result = temcrypt.utils({
  changeKey: {
    dataFiles: filePath,
    mainKey: currentMainKey,
    newKey: newMainKey
  }
});

console.log(result.message);

Check Data Integrity:

The check utility function allows you to verify the integrity of the data encrypted using temcrypt. It checks whether a file or a string is a valid temcrypt encrypted data.

Parameters

  • dataFiles (optional): The path to the file that you want to check.
  • dataString (optional): The encrypted string that you want to check.
const temcrypt = require("temcrypt");

const filePath = "test.txt.trypt";
const encryptedString = "..."; // Encrypted string generated by temcrypt

// Check the integrity of the encrypted File
const result = temcrypt.utils({
  check: {
    dataFiles: filePath
  }
});

console.log(result.message);

// Check the integrity of the encrypted String
const result2 = temcrypt.utils({
  check: {
    dataString: encryptedString
  }
});

console.log(result2.message);

Verify Hash:

The verify utility function allows you to verify the integrity of encrypted data using its hash value. Checks if the encrypted data output matches the provided hash value.

Parameters

  • hash (string): The hash value to verify against.
  • dataFiles (optional): The path to the file whose hash you want to verify.
  • dataString (optional): The encrypted string whose hash you want to verify.
const temcrypt = require("temcrypt");

const filePath = "test.txt.trypt";
const hashToVerify = "..."; // The hash value to verify

// Verify the hash of the encrypted File
const result = temcrypt.utils({
  verify: {
    hash: hashToVerify,
    dataFiles: filePath
  }
});

console.log(result.message);

// Verify the hash of the encrypted String
const result2 = temcrypt.utils({
  verify: {
    hash: hashToVerify,
    dataString: encryptedString
  }
});

console.log(result2.message);

Error Codes

The following table presents the important error codes and their corresponding error messages used by temcrypt to indicate various error scenarios.

Code Error Message Description
420 Decryption time limit exceeded The decryption process took longer than the allowed time limit.
444 Decryption failed The decryption process encountered an error.
777 No data provided No data was provided for the operation.
859 Invalid temcrypt encrypted string The provided string is not a valid temcrypt encrypted string.

Examples

Check out the examples directory for more detailed usage examples.

WARNING

The encryption size of a string or file should be less than 16 KB (kilobytes). If it's larger, you must have enough computational power to decrypt it. Otherwise, your personal computer will exceed the time required to find the correct main key combination and proper encryption formation, and it won't be able to decrypt the information.

TIPS

  1. With temcrypt you can only decrypt your information in later days with the key that you entered at the same hour and minute that you encrypted.
  2. Focus on time, it is recommended to start the decryption between the first 2 to 10 seconds, so you have an advantage to generate the correct key formation.

License

The content of this project itself is licensed under the Creative Commons Attribution 3.0 license, and the underlying source code used to format and display that content is licensed under the MIT license.

Copyright (c) 2023 by Jose Pino



โŒ