Encode a exe in a python script... this is something I really wanted to be able to do a few months ago and couldn't figure out quickly. It didn't seem like there was allot of info out there so I thought this could be something worth sharing. It turns out doing this is incredibly easy!

So first we have a exe, for arguments sake lets say its streams.exe from the sysinternals suite. We want to put this in a script so that we can use it on any computer we manage to get our python onto.

Lets start by importing base64 as this is how we are going to encode it in our script.
import base64

Now we need to open the file and read the raw binary data "thats the rb in the open command"
f = open('streams.exe', 'rb')
raw_data = f.read()
f.close()

Now that we have the raw data lets base64 encode it.
b64_data = base64.b64encode(raw_data)

And thats really all there is to it we can now use something like this in our script.
b64_data = """AAAA..ETC"""

Writing it back to a file is as simple as this.
raw_data = base64.b64decode(b64_text)
f.open('new_streams.exe', 'wb')
f.write(raw_data)
f.close()

So lets take this one step further, say we wanted to encrypt this exe so that not many people could figure out what exactly it is. Now to generate a key for the encryption I'm going to actually hash a webpage. If something happened or if I want it to error out I simply change the page by 1 letter and it will fail on extraction! This has the added benefit of me being able to see who connects and I can even write a script to change my webpage the first connect.

First we need to import some things, also note that you might have to compile Crypto.
import base64
import hashlib
import urllib2
from Crypto.Cipher import AES
from Crypto import Random

Ok so lets get a hash of a webpage, google isn't a good choice but well use it for this anyway.
resp = urllib2.urlopen('http://www.google.com')
html = resp.read()

Now lets hash that page
key = hashlib.sha256(html).digest()

Now that we have our hash/key we need to encrypt it for this we will use AES_CBC however it needs a blocksize of 16 so we have to pad our data. Thats not a issue because we can simply strip it off after the decryption.
length = 16 - (len(b64_data) % 16)
b64_data += '{' * length

And here we do the actual encryption and then base64 the output so we can include it in a script just like before.
iv = "\x00" * 16
e = AES.new(key, AES.MODE_CBC, iv)
enc_data = base64.b64encode(e.encrypt(b64_data))

Then we can encode it in our script like so.
enc_data = """AAAA..ETC"""

That's it, now to reverse that when we want, we just hash the webpage and use it as a key, strip off the padding, base64decode the data, then write it to a file.
# assuming we have our key like above
e = AES.new(key, AES.MODE_CBC, iv)
data = base64.b64decode(enc_data)
ndata = e.decrypt(data)
data = base64.b64decode(ndata.rstrip('{'))

Super simple and pretty cool, now all we need is a way to inject that into memory rather than write it to disk.... ;)

I'm putting a "helper" script up on my github if you want to check it out https://github.com/trump0dump/helpful