PayBreak

Defense against cryptographic ransomware.

Presented at ACM ASIACCS 2017. Paper can be found here: PayBreak

Kolodenker, Eugene, William Koch, Gianluca Stringhini, and Manuel Egele.
"PayBreak: Defense against cryptographic ransomware." In Proceedings of the 2017
ACM Asia Conference on Computer and Communications Security (ASIACCS). ACM
(Association for Computing Machinery), 2017.

PayBreak CSAW Poster

Build

cl /LD antiransom.cpp

Installation

Copy antiransom.dll to C:\antiransom.dll (it must sit in the drive's root directory to avoid path issues when the loader resolves it).

In the registry, set:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs to C:\antiransom.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs to 1
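The registry steps above, as an added PowerShell script that is not part of the PayBreak repository. It assumes antiransom.dll has already been built and copied to C:\antiransom.dll, and it appends to AppInit_DLLs instead of overwriting it so that any hook DLL already registered on the machine keeps loading.

```powershell
# Added example (not PayBreak's own code): register C:\antiransom.dll via AppInit_DLLs.
# Run from an elevated PowerShell prompt; writing under HKLM requires administrator rights.
$dll     = 'C:\antiransom.dll'
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

if (-not (Test-Path -Path $dll)) {
    throw "$dll not found; build it with 'cl /LD antiransom.cpp' and copy it to C:\ first"
}

# AppInit_DLLs is a space- or comma-separated list of DLL paths. Read the current
# value (if any), split it, and add our entry only if it is not already present.
$current = (Get-ItemProperty -Path $keyPath -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
$entries = @()
if ($current) {
    $entries = @($current -split '[ ,]+' | Where-Object { $_ })
}
if ($entries -notcontains $dll) {
    $entries += $dll
}

Set-ItemProperty -Path $keyPath -Name 'AppInit_DLLs'     -Value ($entries -join ' ')
Set-ItemProperty -Path $keyPath -Name 'LoadAppInit_DLLs' -Value 1 -Type DWord

# Show what the loader will see after the change.
Get-ItemProperty -Path $keyPath -Name 'AppInit_DLLs', 'LoadAppInit_DLLs' |
    Format-List -Property AppInit_DLLs, LoadAppInit_DLLs

# Caveats (general Windows behaviour, not stated in the PayBreak README):
# - On 64-bit Windows, 32-bit processes read the same value names under
#   HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows, and the
#   DLL loaded there must itself be a 32-bit build.
# - Windows 8 and later ignore AppInit_DLLs entirely when Secure Boot is enabled,
#   so a test VM for this demo should have Secure Boot turned off.
```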

Round trip demo

# Build and install the antiransom.dll (the DLL must end up at C:\antiransom.dll, as in the Installation section)
cl /LD antiransom.cpp
mv antiransom.dll "C:/antiransom.dll"

# Build and run a sample encrypter
cl ./test/kEncrypt.cpp ./test/easy_cryptoapi.cpp
kEncrypt.exe ./test/test1.txt test1.enc no

# Check the log and extract the key data (the ExfilKeyData line written by the hook)
grep ExfilKeyData "C:/CryptoHookLog.dll"

# Decrypt using the extracted data and compare to the original (should be the same;
# replace <keydata> with the value taken from the ExfilKeyData line above)
./scripts/decrypt-file.py -f test1.enc -o test1.out -x <keydata>
diff test1.out ./test/test1.txt