PESuite Documentation

PEHideText

WARNING: Valid only for v3.0.3.23 beta and above. The API described here changed at that version.

What?

This PE tool encrypts/obfuscates marked strings so that, even in the decompressed virtual image, they are not present in plaintext. At runtime, when these strings are referenced, the application must use special functions to retrieve their plaintext form.

String decryption at run-time is handled by PEHTLIB. It can be statically linked, or a DLL can be provided (email us). Registered users also have access to the source code, so they can simply link its C++ source into their project to use the string decryption functions.

The idea is to mark strings for encryption by prefixing them with a special set of characters. This lets PEHideText find them and encrypt them. At runtime, only your application knows where these strings are located: your code will have been written to use the PEHTLIB decryption functions, and will access the encrypted strings at whatever addresses they happened to be linked to.

Why?

When examining the virtual memory your process occupies, plaintext strings are easily visible, and are often extracted automatically by advanced task managers. PEHideText helps prevent that by keeping the plaintext strings only in dynamically allocated memory. That memory can live for just the brief moment it is needed, or remain allocated so the string need not be decrypted again. This raises the bar against casual inspection and automated string extraction; an analyst with a debugger attached can still read the plaintext once it has been decrypted, or call the decryption routine directly.

Details

The prefixes for string-encryption are defined in a C++ header file, PEHT.H.

One of the unique capabilities is the *optional* re-use of decrypted buffers: if you decrypted the same text 1000 times, you would get a single instance of its plaintext form. This is optional, though; simply freeing the decrypted buffer with the provided API will cause the next request to perform a normal new allocation.

For multi-byte (ASCII) strings, define a string with PEHT_DEFINE_ENCRYPTED_TEXT_A
For wide-character (Unicode) strings, define a string with PEHT_DEFINE_ENCRYPTED_TEXT_W
For TCHAR strings (character type selected at compile time), define a string with PEHT_DEFINE_ENCRYPTED_TEXT_T

PEHideText should then be run on the uncompressed application so that it can encrypt/obfuscate these strings.

The source code for the runtime decryption of the strings is provided in PEHTLib.cpp and PEHTLib.h. You can simply add them to your project, or port them to a different language.

TCHAR *GetEncryptedTextT(TCHAR *ptszText) For TCHAR, where the character width is selected by #defines.
wchar_t *GetEncryptedTextW(wchar_t *pwszText) For wide-character (Unicode) strings.
char *GetEncryptedTextA(char *pszText) For multi-byte (ASCII) strings.

It does not hurt to call a function multiple times to retrieve a pointer to the plaintext version of the same string. The same pointer will be returned each time, but decryption will only occur once (unless cleanup/free functions below are called between invocations).

If you wish to free a single decrypted string from memory (as opposed to all at once via PEHTCleanup(), described below), then you should use the functions:

bool FreeEncryptedTextT(TCHAR *ptszText) For TCHAR, where the character width is selected by #defines.
bool FreeEncryptedTextW(wchar_t *pwszText) For wide-character (Unicode) strings.
bool FreeEncryptedTextA(char *pszText) For multi-byte (ASCII) strings.

Important: The original pointer to the encrypted string should be passed to these functions, not the pointer retrieved by the GetEncryptedText functions!

Before your application exits, it should call the following to clean up dynamically allocated memory:

void PEHTCleanup();


  C++ Example:

#include <stdio.h>
#include <tchar.h>
#include "peht.h"

...

// Mark the literal so PEHideText can find and encrypt it in the image.
PEHT_DEFINE_ENCRYPTED_TEXT_T(MY_ENCRYPTED_STRING, _T("This string will be encrypted in the image."));

CPEHideText cPEHT;

// Decrypt on first use; repeated calls return the same cached buffer.
TCHAR *ptsz1 = cPEHT.GetEncryptedText(MY_ENCRYPTED_STRING);
_tprintf(_T("The text is: %s\n"), ptsz1);

// Free this one decrypted buffer. Pass the ORIGINAL (encrypted) pointer,
// not ptsz1 (see "Important" above). ptsz1 is no longer valid after this call.
cPEHT.FreeDecryptedText(MY_ENCRYPTED_STRING);

// or, before exit, free all decrypted text buffers at once:
// PEHTCleanup();
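The caching and free-by-original-pointer behaviour described above, as an added example that is not PEHTLIB's code or Bitsum's: it re-implements the scheme in plain C++ for the ANSI variant only, so the two rules the page states (decrypt once and return the same buffer on repeat lookups; free by the original pointer, not the returned one) can be seen and tested. Two things are assumptions the page does not make: the marker prefix is "PEHT!" (the real prefixes are defined in PEHT.H) and the tool's obfuscation is a byte-wise XOR with 0x7F (the page does not document the algorithm). The sample string and the "image" buffer are constructed for the example.

```cpp
// Added example: a re-implementation of the PEHideText runtime pattern, NOT PEHTLIB.
// Assumptions not taken from the page: marker prefix "PEHT!" and XOR-0x7F obfuscation.
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

static const char kMarker[] = "PEHT!";   // hypothetical marker (real ones live in PEHT.H)
static const unsigned char kKey = 0x7F;  // hypothetical obfuscation key

// Stand-in for the PEHideText tool step: locate the marker and obfuscate the payload
// in place, keeping the marker so the runtime can recognise the string. XOR with 0x7F
// never yields NUL for printable ASCII (0x20..0x7E), so the C string stays intact;
// a real tool would record the length instead of relying on that.
void ObfuscateInPlace(char *marked) {
    const size_t mlen = strlen(kMarker);
    if (strncmp(marked, kMarker, mlen) != 0) return;  // not a marked string
    for (char *p = marked + mlen; *p; ++p) *p = static_cast<char>(*p ^ kKey);
}

class DemoHiddenText {
public:
    // Decrypt a marked string into a heap buffer. Repeated calls with the same
    // original pointer return the same buffer and decrypt only once.
    const char *GetEncryptedTextA(const char *pszText) {
        auto it = cache_.find(pszText);
        if (it != cache_.end()) return it->second;
        const size_t mlen = strlen(kMarker);
        if (strncmp(pszText, kMarker, mlen) != 0) return pszText;  // unmarked: pass through
        const char *payload = pszText + mlen;
        const size_t n = strlen(payload);
        char *plain = new char[n + 1];
        for (size_t i = 0; i < n; ++i) plain[i] = static_cast<char>(payload[i] ^ kKey);
        plain[n] = '\0';
        cache_[pszText] = plain;
        ++decrypt_count_;
        return plain;
    }
    // Free one decrypted buffer. The cache is keyed by the ORIGINAL encrypted pointer,
    // which is why passing the returned plaintext pointer does nothing.
    bool FreeEncryptedTextA(const char *pszText) {
        auto it = cache_.find(pszText);
        if (it == cache_.end()) return false;
        WipeAndFree(it->second);
        cache_.erase(it);
        return true;
    }
    // Equivalent of PEHTCleanup(): release every live plaintext buffer.
    void Cleanup() {
        for (auto &kv : cache_) WipeAndFree(kv.second);
        cache_.clear();
    }
    size_t DecryptCount() const { return decrypt_count_; }
    size_t LiveBuffers() const { return cache_.size(); }
    ~DemoHiddenText() { Cleanup(); }
private:
    // Zero the plaintext before freeing so it does not linger in the freed heap block.
    static void WipeAndFree(char *p) {
        volatile char *v = p;
        while (*v) *v++ = 0;
        delete[] p;
    }
    std::map<const char *, char *> cache_;
    size_t decrypt_count_ = 0;
};

struct DemoResult {
    std::string plain;               // what the runtime handed back
    bool hidden_in_image;            // plaintext absent from the obfuscated "image"
    bool same_pointer;               // second lookup reused the cached buffer
    size_t decrypts_after_two_gets;  // expected 1
    bool freed_by_plain_ptr;         // expected false: the mistake the page warns about
    bool freed_by_original_ptr;      // expected true
    size_t decrypts_after_refetch;   // expected 2: freed, so decrypted again
    size_t live_after_cleanup;       // expected 0
};

DemoResult RunDemo() {
    // Constructed sample: the literal as the macro would emit it, in a writable buffer
    // so the tool's rewrite of the image can be imitated here.
    char image[] = "PEHT!This string will be encrypted in the image.";
    ObfuscateInPlace(image);
    DemoHiddenText rt;
    DemoResult r;
    r.hidden_in_image = (strstr(image, "encrypted") == nullptr);
    const char *p1 = rt.GetEncryptedTextA(image);
    const char *p2 = rt.GetEncryptedTextA(image);
    r.plain = p1;
    r.same_pointer = (p1 == p2);
    r.decrypts_after_two_gets = rt.DecryptCount();
    r.freed_by_plain_ptr = rt.FreeEncryptedTextA(p1);       // wrong key: no-op
    r.freed_by_original_ptr = rt.FreeEncryptedTextA(image);  // correct: original pointer
    rt.GetEncryptedTextA(image);                             // cache miss: decrypts again
    r.decrypts_after_refetch = rt.DecryptCount();
    rt.Cleanup();
    r.live_after_cleanup = rt.LiveBuffers();
    return r;
}

int main() {
    DemoResult r = RunDemo();
    std::printf("plaintext: %s\nhidden: %d same ptr: %d decrypts: %zu -> %zu live: %zu\n",
                r.plain.c_str(), r.hidden_in_image, r.same_pointer,
                r.decrypts_after_two_gets, r.decrypts_after_refetch, r.live_after_cleanup);
    return 0;
}
```

The single-byte XOR is a placeholder chosen only so the sample can remain a NUL-terminated C string; it is not a recommendation for the real tool. The wipe-before-free step is also an addition: without it the plaintext would survive in the freed heap block, which is exactly where a memory scanner would still find it.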
 

You can either link with PEHTLIB.lib, or PEHTLIB_X64.LIB for x64 builds, or simply include the PEHTLIB C++ source into your project (registered build only). We can also make a DLL available, if needed.