Return

README.md

@@ -1,3 +1,25 @@
-# dEncExDelRe
+# dEncexdel
 
-Decrypt|Encrypt|Execute|Delete|Return
+dEncexdel encrypts a linux executable or decrypts it into memory, executes it and deletes the decrypted file.
+
+Practical uses: execute a service from memory without storing the plain source or the binary on disk, secure a PoC exploit.
+
+dEncexdel uses /dev/shm/.
+
+Wins:
+- You can have executables that are encrypted.
+- Does not write to the physical drive, but to memory.
+
+Limitations:
+- Goes only as far as execution.
+- The executed binary can still be read from memory by root (eg. cat /proc/PID/bin > /tmp/bin)
+
+
+# usage 
+Be careful, -e overwrites the passed executable
+
+python3 dEncexdel.py -e executable  # encrypt
+
+python3 dEncexdel.py -x executable  # decrypt and execute
+
+python3 dEncexdel.py -r executable  # just stdout the decrypted data

dEncexdel.py

@@ -0,0 +1,100 @@
+#!/usr/bin/python3
+# dEncexdel by six
+# version: 1.1
+
+import getpass
+import argparse
+import base64
+from cryptography.fernet import Fernet
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+
+# Taking arguments from the user
+parser = argparse.ArgumentParser()
+parser.add_argument("-e", help="Encrypt the executable")
+parser.add_argument("-x", help="Decrypt, execute and delete")
+parser.add_argument("-r", help="Read and print the decrypted data to stdout")
+args = parser.parse_args()
+passkey = getpass.getpass("Passkey: ")
+
+# Building the key for Fernet
+passkey = passkey.encode()
+salt = b'\x05bWB\xc5i\x8b\x8dy\xd5\xe3[~\\Z\x10' # You want to change this and possibly store salts in a database
+kdf = PBKDF2HMAC(
+    algorithm=hashes.SHA256(),
+    length=32,
+    salt=salt,
+    iterations=100000,
+    backend=default_backend()
+)
+key = base64.urlsafe_b64encode(kdf.derive(passkey))  # Fernet(key) requires to be a base64 urlsafe string
+f = Fernet(key)
+
+
+# Encryption, overwrites the original file
+def encrypt(filename, key):
+    f = Fernet(key)
+    with open(filename, "rb") as file:
+        file_data = file.read()
+    encrypted_data = f.encrypt(file_data)
+    with open(filename, "wb") as file:
+        file.write(encrypted_data)
+
+
+# Decryption to /dev/shm/dEncexdel/<filename>
+def decrypt(filename, key):
+
+    # decryption
+    f = Fernet(key)
+    with open(filename, "rb") as file:
+        encrypted_data = file.read()
+    try:
+        decrypted_data = f.decrypt(encrypted_data)
+    except:
+        print("Wrong passkey")
+        return
+
+    # Print to stdout if -r is used and do not execute
+    if args.r:
+        try:
+            print(decrypted_data.decode('utf-8'))
+        except:
+            import sys
+            sys.stdout.buffer.write(decrypted_data)
+        return
+
+    # Prepare a directory with read permissions to the user only
+    import os
+    temp_dir = "/dev/shm/dEncexdel/"
+    os.mkdir(temp_dir)
+    os.chmod(temp_dir, 0o700)
+
+    # Write out the decrypted executable
+    filename = temp_dir + filename
+    with open(filename, "wb") as file:
+        file.write(decrypted_data)
+
+    # Make the temporary file executable    
+    os.chmod(filename, 0o700)
+    from subprocess import Popen
+    Popen([filename])
+
+    # Wait until binary is loaded but execution not finished
+    # Let me know if you have a better idea
+    import time
+    time.sleep(3)
+
+    # Remove the file and the directory
+    Popen(['rm','-rf',temp_dir])
+
+
+# Deciding if we encrypt or decrypt and run or just read to stdout
+if args.e:
+    encrypt(args.e, key)
+
+if args.x:
+    decrypt(args.x, key)
+
+if args.r:
+    decrypt(args.r, key)