Hyperion
Hyperion is a runtime encrypter for 32-bit portable executables that uses AES-128 encryption. The encrypted executable self-decrypts on startup by bruteforcing the AES key.
Description
Hyperion provides runtime encryption for 32-bit portable executables (PE files), commonly used in Windows environments. It serves as a reference implementation based on the research paper 'Hyperion: Implementation of a PE-Crypter,' which details the cryptographic and evasion techniques employed.
The primary use case is for security researchers, red teamers, and developers needing to obfuscate PE binaries to bypass static analysis or antivirus detection. By encrypting the executable, Hyperion makes it difficult for signature-based scanners to identify malicious payloads until runtime.
When executed, the encrypted binary automatically decrypts itself through a bruteforce attack on the AES-128 key, which may take a few seconds. It also generates a log file for debugging purposes, aiding developers in troubleshooting encryption/decryption issues.
How It Works
Hyperion encrypts 32-bit PE files using AES-128 via command-line invocation. At runtime, the encrypted executable implements a bruteforce mechanism to recover the AES key, decrypting the original payload in memory. This self-decrypting stub is embedded during the encryption process. Debug logs are produced to track decryption success, key recovery timing, and potential errors. Implementation details are covered in the referenced paper 'Hyperion: Implementation of a PE-Crypter,' focusing on PE structure manipulation and runtime evasion.
Installation
sudo apt install hyperionExamples
hyperionhyperion input.exehyperion /path/to/target.exehyperion malware.exe output.enchyperion test_pe.exehyperion -h