An example malicious payload controller and obfuscator assisted by TPM-protected keys
An example malicious payload controller and obfuscator assisted by TPM-protected keys.
This is the offline (server-side) component that generates the executed payload from the decrypter stub and your choice of encrypted payload.
SET VS90COMNTOOLS=%VS120COMNTOOLS%
pip install pefile pycryptoThis is a Windows VS2013 solution containing two projects. The logic can be rewritten on OSX or Linux, depending on the intended target.
Detect a TPM on a client and create a new encryption keypair using standard protections. Return the public key component to be transmitted back to a encrypted PE generator.
Using an input public key and input malicious payload, generate and return a self-decrypting PE that decrypts and executes in-memory.
Although the output PE can be executed on any machine, only a target machine will have the private key pair in it's crypto-store. Thus only a target machine will decrypt and executed the original input payload.
The malcrypt application involves several components and processes:
For the crypto-store access, malcrypt assumes the input public key was created with no or
known controls by tpm-keyextract. The security of the private key is not critical to
malcrypt if a TPM was used to generate the key pair. Malcrypt intends to limit the
execution of the input payload to a target system. There are trusted computing concerns
related to proving a TPM was used to create the keypair, but they are outside the scope
of the example PoC implementation.
MIT and Microsoft MSR-LA.