############################################################################### # # # ~ .__ °.__ 0 o ^ .__ °__ `´ # # °____) __ __| | | °| ______°____ 0 ____ __ _________|__|/ |_ ___.__. # # / \| | °\ |°| | °/ ___// __ \_/ ___\| | °\_ __ \ o\ __< | | # # | o°| \ | / |_| |__\___ \\ ___/\ °\___| o| /| | \/ || |° \___ O| # # |___| /____/|____/____/____ °>\___ >\___ >____/ |__|° |__||__| / ____| # # `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/ ``´```´```´´´´`´``0_o\/´´`´´ # # # # Hyperion: A runtime PE-Crypter # # # # VERSION # # 2.3.1 # # # # DATE # # 03/23/2020 # # # # AUTHOR # # belial - http://www.phobosys.de/hyperion # # # # LICENSE # # BSD-License # # # # DESCRIPTION # # Hyperion is a runtime encrypter for 32/64 bit portable executables. It is a # # reference implementation and bases on the paper "Hyperion: Implementation # # of a PE-Crypter". The paper describes the implementation details which # # aren't in the scope of this readme file. # # The crypter is a C project and can be compiled with the corresponding # # makefile (tested with Mingw and Visual Studio). Afterwards it is started # # via the command line and encrypts an input executable with AES-128. The # # encrypted file decrypts itself on startup (bruteforcing the AES key which # # may take a few seconds) and generates a log file for debug purpose. # # # # TODO # # - AES payload: Maybe use Windows crypto API instead because our fasm aes # # payload is full of static tables # # - Better crypto blob hiding/obfuscation # # - Dynamically morph code and add junk code # # - Support late Binding of DLLs/APIs # # - Check for correct DLL Version Numbers before Loading # # - Analysis: What else is missing in PE loader # # - Provide hyperion as free a web service to hide advanced implementation # # details # # # # CHANGELOG: # # # # v2.3.1: # # - bugfix in .net file detection # # # # v2.3: # # - log message strings were still in non-log binaries -> removed # # - each function uses shadow registers -> preparation for code morphing # # - basic win32 apis are part of import table and not loaded dynamically # # - output size for non-log binaries reduced by 4kb # # - 32 bit is now deprecated # # - preserve GUI/Console Flag # # - abort if input is a .NET executable # # # # v2.2: # # - removed aes.dll blob and use tinyAes c implementation instead # # - aes payload uses new FasmAES 1.3 which has several bugfixes # # # # v2.1: # # - crappy makefile cleanup # # # # v2.0: # # - added 64-bit support # # - upgraded fasm.exe to 1.71 # # - flexible payload structure to add your own ecryption algos # # - removed c++ code and added pure c instead # # # # v1.2: # # - added windows 8 and 8.1 support (thx to CoolOppo) # # # # v1.1: # # - code cleanup and refactoring (more leightweighted and increased # # maintainability) # # - change key space size via the command line # # - change key length via the command line # # - disable logfile generation of the container via commandline # # - display verbose informations while running # # # # v1.0: # # - initial release # # # ###############################################################################