{"id":243,"date":"2020-03-30T15:52:12","date_gmt":"2020-03-30T13:52:12","guid":{"rendered":"http:\/\/futex.re\/blog\/?p=243"},"modified":"2020-03-30T15:52:12","modified_gmt":"2020-03-30T13:52:12","slug":"agent-tesla-strings-decrypter","status":"publish","type":"post","link":"https:\/\/futex.re\/blog\/?p=243","title":{"rendered":"Agent Tesla Strings Decrypter"},"content":{"rendered":"

I wanted to take a look at dnlib<\/a> trying to understand what are its possibilities. at the same point I had to deal with an ‘Agent Tesla’ sample, which used strings obfuscation with AES CBC 256 bits.<\/p>\n

The decryption method was easy to find, as can be seen in the capture below:<\/p>\n

\"\"<\/a><\/p>\n

A quick win consist to copy paste this method inside a new Visual Studio project, and it will do the job later.<\/p>\n

First we have to load the assembly binary.<\/p>\n

ModuleDefMD module = ModuleDefMD.Load(executable);<\/c><\/code><\/p>\n

Next we parse the types and all the methods of the binary and search for a String opcode (value 114 in IL) and if the string is forwarded by a Call, that mean that the string is a method parameter.
\n
\nforeach (TypeDef type in module.GetTypes())
\n{
\ncountModule++;<\/code><\/p>\n

foreach (MethodDef method in type.Methods)
\n{
\n\/\/check if the method is not empty and if it not a constructor
\nif (!method.HasBody || method.IsConstructor)
\ncontinue;<\/p>\n

countMethod++;<\/p>\n

<\/code> for (int i = 0; i < method.Body.Instructions.Count; i++)
\n {
\n if (method.Body.Instructions[i].OpCode.Value == 114) \/\/OpCodes.Ldstr)
\n {
\n if (method.Body.Instructions[i + 1].OpCode == OpCodes.Call)
\n {
\n<\/code><\/p>\n

Now we can retreive the encrypted string, and past it to the DecryptString method. Afterwards, to get a clean output sample, we have to remove the string and the call to the real decryption method inside the loaded assembly
\n
\nvar cryptedstring = method.Body.Instructions[i].Operand.ToString();<\/code><\/p>\n

string decryptedstring = DecryptString(cryptedstring);<\/p>\n

\/\/For exception max stack value
\nmethod.Body.KeepOldMaxStack = true;<\/p>\n

method.Body.Instructions[i].OpCode = OpCodes.Ldstr;
\nmethod.Body.Instructions[i].Operand = decryptedstring;<\/p>\n

method.Body.Instructions.Remove(method.Body.Instructions[i + 1]);<\/p>\n

<\/code><\/code><\/p>\n

And finally we save our new clean assembly
\n
\nString outputfilename = outputFolderName +\" \\\\\" + filename + \"_uncrypt.exe\";<\/code><\/p>\n


\n<\/code>module.Write(outputfilename);
\n<\/code><\/p>\n

Now opening the cleaned Assembly in Dnspy, we can see the clean strings:<\/p>\n

\"\"<\/a><\/p>\n

Of course, if the algorithm changes, we have to fix inside the source code and rebuild the binary, which can be a bit painful. An evolution could be used a kind of reflexion to call the decryption method inside the loaded assembly (with is RVA for example). We will explore this another time.<\/p>\n

As you can see, it's really easy to use the basic of DNlib, and we can do even more cool thinks!<\/p>\n

The source code of the decrypter can be found on my github<\/a>, in case it is useful to anyone.<\/p>\n

If you see any bugs or have further ideas to make it great again, don't hesitate to message me.<\/p>\n

<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

I wanted to take a look at dnlib trying to understand what are its possibilities. at the same point I had to deal with an ‘Agent Tesla’ sample, which used strings obfuscation with AES CBC 256 bits. The decryption method … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts\/243"}],"collection":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=243"}],"version-history":[{"count":6,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions"}],"predecessor-version":[{"id":253,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions\/253"}],"wp:attachment":[{"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/futex.re\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}