Hey @JitBox, thanks for the report. That's an odd issue, and I don't seem to be able to reproduce it (with a freshly compiled DLL `rundll32 NimPlant.dll,Update` should definitely do the trick).
Could you please provide more information about the systems you are compiling the DLL on, the software versions, and the system you are running it on?
P.S. For next time: please follow the issue template so the report is as complete as possible :)
@chvancooten Hmm, I installed nimplant per the installation instructions, did a simple "python3 NimPlany.py compile dll" (this was done on a basic Kali Linux and also on an Ubuntu build), I transferred the dll to an x64 Windows machine and ran "rundll32.exe NimPlant.dll,Update" and I get a pop up stating it cannot find the module..
Did you try compiling with the Docker container? Also, what is the Windows version you're running the DLL on?
I have not tried docker yet but I am installing on a limited ec2 linux image, it has mingw-w64 installed though, it's being run on a Windows 10 VM
Sorry, but I can't reproduce this issue. Please try compiling with the Docker container or on a Windows machine to see if that fixes the issue. Alternatively, please try inspecting the file exports with something like CFF explorer to see if everything looks alright. Finally, try running on a different target machine build to see if that causes the issue.
If you find what exactly causes this issue please let me know so I can look into fixing it!
Hey! Was just able to reproduce this issue. It seems to happen on Windows 11 only, not sure what changed with RunDLL or DLL entrypoints that is causing this issue. Will dive a bit further into it :)
Excellent thanks for looking into it.. also good luck at your adversary village talk!
Hey! I haven't solved this yet, but after some debugging I'm a bit further in understanding what is causing this.
Basically, the `cp` and `mv` command both use imports from the `os` standard library that seem to cause this issue whenever they are used in the code. The culprit commands seem to be: `moveFile`, `moveDir`, `copyDir`, `copyFile`, and `copyFileToDir`. You may see a pattern here :)
I suspect that some changes to the underlying OS have introduced these issues in the `os` stdlib. The 'module could not be found' seems to imply that some OS functions for file operations have changed between versions.
That's about how far I got with the issue at the moment, and I have to go. Next steps would be to reproduce in a minimal POC (should be easy, just call any of these functions and compile as DLL), report the issue to the Nim team, and find a workaround.
If this is blocking you from NimPlant, a really ugly fix is to comment out the if statements for both `cp` and `mv` in `functions.nim` and the implant will work fine.
Any help is welcome in the meantime :)
Hey! I just pushed a fix to the dev branch that works around this issue by avoiding the `copyFile` call in the `os` stdlib that is at the core of this issue, and implementing dependent functions using the `CopyFileA` function from the Windows API. In my testing, this fixes DLLs on Windows 11.
Please check out the dev branch and let me know if these fixes work for you!
This is a workaround but no negative side-effects should arise from it. An issue has been raised with the Nim team to hopefully fix the underlying upstream issue here: https://github.com/nim-lang/Nim/issues/21504
Hey @chvancooten, thank you so much for all of your assistance here. Unfortunately after pulling the dev branch and installing per requirements in the README, the dll still shows the error "module not found" when attempting to execute through rundll32. Everything else I do with this C2 works perfectly fine, so I'm confident it's not user error..
I am working with a Kali Linux device to compile, and executing on a Windows 10 VM. I will make some time tonight to troubleshoot a bit more and let you know what I find.
Hey, that's weird, I was only able to reproduce on Windows 11 in the first place. Could you please provide the exact build numbers of the Windows machines you are triggering the DLL on?
Also, just to be sure, you did run a `git checkout dev` before compiling the DLL implant, right?
@chvancooten here is a play by play:
Switching to dev and compiling:
attempting to run on windows:
OS Build:
I'm assuming whatever dependencies the DLL uses, my workstation just doesn't have for whatever reason.
Hey, thanks for the issue description. Unfortunately, I am not able to reproduce this issue even when cross-compiling on Kali to the exact same Windows build (win 10 19045). The DLL compiles and runs just fine on my end.
Some things to try:
- `nimbuild` docker container (see readme)
- `cp` and `mv` functions that caused the issue on win11)

Please let me know your findings, since your issue looks similar to the Win11 one I would like to reproduce it, but it's hard for me to fix when I can't :)
No worries at all. I will try those steps. Thanks for your assistance here. I'll update if I find anything good.
In addition, one thing to try and see if it's the DLL dependencies somehow is to compile statically, e.g. `--app:staticlib` and `--passL:-static` (not sure off the top of my head if this is the right syntax, but worth a try if the above fails)
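Added example, not part of the thread and not NimPlant code: a minimal reader for a PE file's import directory, for checking which DLLs a compiled binary depends on (the same information a tool like CFF Explorer displays). The function names `import_dll_names` and `constructed_sample` are hypothetical, and the sample image is constructed for illustration.

```python
import struct

def import_dll_names(pe: bytes) -> list:
    """List the DLL names found in a PE image's import directory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections ... SizeOfOptionalHeader from the COFF file header
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, nt + 6)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # Data directories sit 96 (PE32) or 112 (PE32+) bytes in; entry 1 is imports.
    dirs = opt + (96 if magic == 0x10B else 112)
    import_rva = struct.unpack_from("<I", pe, dirs + 8)[0]
    if import_rva == 0:
        return []
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    def offset(rva):
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    names, desc = [], offset(import_rva)
    while True:
        fields = struct.unpack_from("<5I", pe, desc)      # IMAGE_IMPORT_DESCRIPTOR
        if not any(fields):                               # all-zero entry ends the table
            return names
        start = offset(fields[3])                         # Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        desc += 20

def constructed_sample() -> bytes:
    """Constructed minimal PE32+ layout with two import entries; not a real DLL."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    # Machine, NumberOfSections, SizeOfOptionalHeader, optional header magic
    struct.pack_into("<HH12xH2xH", pe, 0x84, 0x8664, 1, 240, 0x20B)
    struct.pack_into("<I", pe, 0x98 + 112 + 8, 0x1000)    # import directory RVA
    struct.pack_into("<4I", pe, 0x98 + 240 + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<10I", pe, 0x200, 0, 0, 0, 0x1080, 0x10C0, 0, 0, 0, 0x1090, 0x10D0)
    pe[0x280:0x28C], pe[0x290:0x29A] = b"KERNEL32.dll", b"msvcrt.dll"
    return bytes(pe)

if __name__ == "__main__":
    print(import_dll_names(constructed_sample()))
```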
Hey all, when I compile a dll, I see that the entrypoint is "Update", and I took a quick look at the .nim file to verify. When I attempt to run "rundll32.exe NimPlant.dll,Update" it gives me an error saying "There was a problem starting NimPlant.dll, The specific module could not be found"
Any ideas, anyone else getting this too? This is a fully out of the box run of a compiled dll, I haven't changed anything. I was able to get exe to send back a shell just fine.