TCP/UDP symmetric encryption tunnel wrapper
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


CryptHook is a modular implementation for securing existing applications with symmetrical block cipher encryption. It works by hooking the base system calls for network communication send/sendto and recv/recvfrom. Crypthook will work with any existing application that relies on these system calls.


CryptHook relies on AES in GCM mode using a 256 bit key. Keys are generated from passphrases using PBKDF2. IVs are constructed on the fly using random bytes of data, and the same key derivation technique to reconstruct the initialization vector on the receiving end in order to keep overhead to a minimum. Authentication of each packet is also verified.


The following characteristics must be changed if you are going to use this for anything reasonably secure. All configuration can be changed in crypthook.c using the following #defines.

#define KEY_SALT "changeme"
#define IV_SALT "changeme"
#define ITERATIONS 1000

#define PASSPHRASE "Hello NSA"

KEY_SALT and ITERATIONS are used in the key derivation process to change the plain text passphrase into a 256 bit key.

IV_SALT and ITERATIONS are used in the IV derivation process to change the 8 bytes of random data into a full IV for use with the algorithm.

PASSPHRASE is simply the default passphrase if none is provided via the CH_KEY environment variable.


  • libcrypto / openssl


$ make

Example Use

$ LD_PRELOAD=./ CH_KEY=donthackmebro ncat -l -p 5000

$ LD_PRELOAD=./ CH_KEY=donthackmebro ncat server 5000