#1
Is it possible to encrypt a .sys file, just like encrypting an exe?
Is it possible to make this encryption work? Please also introduce some tools. Thanks!
#2
Hi,
yes, it is possible to encrypt .sys files. The protector Themida, for example, uses a custom encryption routine to protect several parts of its code. I don't know exactly what you mean by "intro tools", but if you are thinking about adding other binaries like pebundle does, forget about it... Cheers, PAPiLLiON
#3
Yes, you may append your code to a .sys, but make sure to update the checksum in the PE header and to make the code section writable. Any exception in r0 will cause a BSOD.
__________________
http://accessroot.com
#4
The PE checksum will be your smallest problem if you plan to encrypt *.SYS files.
You must take care of which sections are loaded at which time, you must take care of the init callbacks, you will run into some big problems when trying to allocate memory, and some other nasty problems. Just to name one: how do you plan to call LoadLibrary or GetProcAddress from Ring-0? KERNEL32 is not present and you can't use SEH to find the imports by trial and error.
#5
He has to use the native API, but that's obvious...
#6
Quote:
__________________
http://accessroot.com
#7
Quote:
It only prevents some modifications. An encrypted file cannot be analyzed by static disassembly tools such as IDA Pro. And as we know, VMProtect can protect a .sys file but does not encrypt it, or even compress it.
#8
Don't forget about the MmGetSystemRoutineAddress routine. Of course it only works for routines exported by ntoskrnl or the HAL, but in some cases that's enough.
Here is a plan for how to make a simple native encryptor. Very common.
1) Get some user-mode PE encryptor/compressor sources (better in asm)
2) Change GetProcAddress to MmGetSystemRoutineAddress
3) Change VirtualAlloc/VirtualFree to ExAllocatePool/ExFreePool
4) Debug
P.S. Classical compression, based on the possibility of making the VirtualSize of a PE section bigger than its PhysicalSize, will work only in the case Section alignment = 1000, File alignment = 200. Any other combination doesn't work for me. Anyway, compression in drivers is not a good idea because memory in the pool is a very valuable resource.
Last edited by adaptor; 05-17-2006 at 19:47.
#9
Agree, that's why small decryption code (xor/add/sub/rol/ror etc.) is much better; import rebuilding code and compression are just a waste of r0 memory.
__________________
http://accessroot.com
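Added example (not code from any poster in this thread): the user-mode "encryptor" half of what posts #3, #8 and #9 describe, applied to a constructed minimal PE32 image so it runs offline on any OS. It encrypts the .text section with a small xor/rol byte loop, sets IMAGE_SCN_MEM_WRITE on the section so an in-place decryptor can write the plaintext back over itself, and recomputes the PE checksum. The decrypt routine is the part a ring-0 stub would carry; the stub itself, MmGetSystemRoutineAddress and ExAllocatePool are kernel-only and are not implemented here. Offsets, section layout and the 0x90-pattern "code" bytes are all assumptions of the sample image.

```c
/* pe_sys_protect.c - added example: encrypt one PE section, mark it writable,
 * fix the PE checksum; then decrypt in place the way an r0 stub would.
 * Works on a CONSTRUCTED minimal PE32 image (SectionAlignment 0x1000,
 * FileAlignment 0x200), not on a real .sys.  Build: cc -std=c11 -Wall pe_sys_protect.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_MEM_WRITE 0x80000000u
#define IMG_SIZE     0x400      /* 0x200 of headers + one 0x200 section */
#define SEC_RAW_OFF  0x200
#define SEC_RAW_SIZE 0x200

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint8_t rol8(uint8_t v, unsigned r) { return (uint8_t)((v << r) | (v >> (8 - r))); }
static uint8_t ror8(uint8_t v, unsigned r) { return (uint8_t)((v >> r) | (v << (8 - r))); }

/* Standard PE checksum (same result as imagehlp CheckSumMappedFile): one's-
 * complement sum of 16-bit words, skipping the 4-byte CheckSum field itself,
 * folded to 16 bits, plus the file length. checksum_off >= len skips nothing. */
uint32_t pe_checksum(const uint8_t *data, size_t len, size_t checksum_off)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i >= checksum_off && i < checksum_off + 4) continue;
        sum += data[i] | (i + 1 < len ? data[i + 1] << 8 : 0);
        sum = (sum & 0xffff) + (sum >> 16);          /* end-around carry */
    }
    sum = (sum & 0xffff) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* Walk e_lfanew -> file header -> section table; return the file offset of the
 * IMAGE_SECTION_HEADER whose 8-byte name matches, or 0 if absent. */
static size_t find_section(const uint8_t *img, size_t len, const char *name)
{
    uint32_t pe = rd32(img + 0x3c);
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    size_t sh = pe + 24 + optsz;
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        if (sh + 40 > len) return 0;
        if (strncmp((const char *)img + sh, name, 8) == 0) return sh;
    }
    return 0;
}

/* The whole cipher: xor with a rolling key byte, rol 3 (post #9's "small
 * decryption code"). Symmetric by construction; decrypt=1 runs it backwards. */
static void xor_rol_bytes(uint8_t *p, size_t n, uint8_t key, int decrypt)
{
    for (size_t i = 0; i < n; i++, key = (uint8_t)(key + 0x13))
        p[i] = decrypt ? (uint8_t)(ror8(p[i], 3) ^ key) : rol8((uint8_t)(p[i] ^ key), 3);
}

/* Encryptor side: encrypt the section's raw bytes, make the section writable
 * (post #3: the decryptor overwrites its own code), fix the header checksum. */
int protect_section(uint8_t *img, size_t len, const char *name, uint8_t key)
{
    size_t sh = find_section(img, len, name);
    if (!sh) return 0;
    uint32_t raw_size = rd32(img + sh + 16), raw_off = rd32(img + sh + 20);
    if ((size_t)raw_off + raw_size > len) return 0;
    xor_rol_bytes(img + raw_off, raw_size, key, 0);
    wr32(img + sh + 36, rd32(img + sh + 36) | IMAGE_SCN_MEM_WRITE);
    size_t cksum_off = rd32(img + 0x3c) + 24 + 64;   /* OptionalHeader.CheckSum */
    wr32(img + cksum_off, pe_checksum(img, len, cksum_off));
    return 1;
}

/* What the stub would do before jumping to the original entry point. On the
 * loaded image it would use VirtualAddress instead of PointerToRawData. */
int decrypt_section(uint8_t *img, size_t len, const char *name, uint8_t key)
{
    size_t sh = find_section(img, len, name);
    if (!sh) return 0;
    uint32_t raw_size = rd32(img + sh + 16), raw_off = rd32(img + sh + 20);
    if ((size_t)raw_off + raw_size > len) return 0;
    xor_rol_bytes(img + raw_off, raw_size, key, 1);
    return 1;
}

/* Constructed sample image: MZ stub, PE32 headers, one ".text" section filled
 * with a 0x90.. pattern standing in for driver code. */
void build_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x40);                 /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img + 0x44, 0x14c);                /* Machine = i386 */
    wr16(img + 0x46, 1);                    /* NumberOfSections */
    wr16(img + 0x54, 0xe0);                 /* SizeOfOptionalHeader (PE32) */
    wr16(img + 0x58, 0x10b);                /* Magic = PE32 */
    wr32(img + 0x58 + 32, 0x1000);          /* SectionAlignment */
    wr32(img + 0x58 + 36, 0x200);           /* FileAlignment */
    wr32(img + 0x58 + 60, 0x200);           /* SizeOfHeaders */
    uint8_t *sh = img + 0x58 + 0xe0;        /* section table at 0x138 */
    memcpy(sh, ".text\0\0\0", 8);
    wr32(sh + 8, SEC_RAW_SIZE);  wr32(sh + 12, 0x1000);      /* VirtualSize, VirtualAddress */
    wr32(sh + 16, SEC_RAW_SIZE); wr32(sh + 20, SEC_RAW_OFF); /* SizeOfRawData, PointerToRawData */
    wr32(sh + 36, 0x60000020);              /* CODE | EXECUTE | READ (not yet WRITE) */
    for (size_t i = 0; i < SEC_RAW_SIZE; i++) img[SEC_RAW_OFF + i] = (uint8_t)(0x90 + (i & 7));
}

/* Round trip: section bytes change, WRITE bit set, stored checksum verifies,
 * and decryption restores the original bytes. Returns 1 when all hold. */
int demo_roundtrip(void)
{
    uint8_t img[IMG_SIZE], orig[IMG_SIZE];
    build_image(img);
    memcpy(orig, img, IMG_SIZE);
    if (!protect_section(img, IMG_SIZE, ".text", 0xA7)) return 0;
    if (memcmp(img + SEC_RAW_OFF, orig + SEC_RAW_OFF, SEC_RAW_SIZE) == 0) return 0;
    size_t sh = find_section(img, IMG_SIZE, ".text");
    if (!(rd32(img + sh + 36) & IMAGE_SCN_MEM_WRITE)) return 0;
    if (pe_checksum(img, IMG_SIZE, 0x98) != rd32(img + 0x98)) return 0;
    if (!decrypt_section(img, IMG_SIZE, ".text", 0xA7)) return 0;
    return memcmp(img + SEC_RAW_OFF, orig + SEC_RAW_OFF, SEC_RAW_SIZE) == 0;
}

int main(void)
{
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Two things the sample deliberately does not do, because the thread does not settle them: it appends no stub code (the real protector must add the decryptor and redirect the entry point to it), and it does not touch the post #4 problems of init callbacks and which sections are paged at which time. The checksum routine is the generic PE algorithm, so it also applies unchanged to a real .sys once the stub is in place; note that the loader only enforces the checksum for drivers when kernel-mode code integrity or the driver signing checks care about it, so a wrong value mostly surfaces as a failed load rather than a BSOD.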