klezVirus / inceptor

Template-Driven AV/EDR Evasion Framework

[WinError 5] Access is denied #11

Closed lexone12 closed 3 years ago

lexone12 commented 3 years ago

C:\Users\Administrator\inceptor\inceptor>python inceptor.py native C: test.exe -o 111daa.exe -t loader

[+] Native Artifact Generator Started At 2021-08-15 11:53:22.856704
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmptxs2l2rc.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
Traceback (most recent call last):
  File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 202, in generate
    self.generate_wrapped()
  File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 241, in generate_wrapped
    self.compile_exe(shellcode)
  File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 156, in compile_exe
    status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
  File "C:\Users\Administrator\inceptor\inceptor\compilers\Compiler.py", line 63, in compile
    output = subprocess.check_output(cmd)
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 424, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 505, in run
    with Popen(*popenargs, **kwargs) as process:
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 951, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 1420, in _execute_child
    hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
PermissionError: [WinError 5] Access is denied


Antivirus is disabled, UAC is disabled.

I have administrator rights on Windows Server 2019. How can I fix it?

klezVirus commented 3 years ago

Hi @lexone12, I'm not sure, but it seems there is an error in your command line?

python inceptor.py native C: test.exe -o 111daa.exe -t loader
                          ^^^^^^^^^^^  What's this "C:" and "test.exe"?

lexone12 commented 3 years ago

> Hi @lexone12, I'm not sure, but it seems there is an error in your command line?
>
> python inceptor.py native C: test.exe -o 111daa.exe -t loader
>                           ^^^^^^^^^^^  What's this "C:" and "test.exe"?

python inceptor.py native C:\Users\Administrator\Downloads\1\2\Release\test.exe -o 111daa.exe -t loader

0xElessar commented 3 years ago

I have a very similar issue, unfortunately. [REMOVED]

UPDATE: Interesting. I have managed to fix the above error by adding the C++ Clang tools to my VS installation and rebuilding the whole Python venv. However, the errors below still stand. I am mainly using raw shellcode, so the below are not essential for me. Thank you for your work, @klezVirus!

Here are some other errors:

python inceptor.py native c:\Repos\bbb.exe -o .\test.exe
[+] Native Artifact Generator Started At 2021-09-14 16:42:41.045113
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Pe2sh
[-] Failed to locate converted file: c:\Repos\bbb.shc.exe
Traceback (most recent call last):
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 202, in generate
    self.generate_wrapped()
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 221, in generate_wrapped
    shellcode_bytes = self.transformer.transform(target=self.file)
  File "C:\Repos\inceptor\inceptor\converters\Pe2Shellcode.py", line 40, in transform
    sys.exit(1)
SystemExit: 1

Another:

python inceptor.py native c:\Repos\bbb.exe -o .\test.exe -t donut
[+] Native Artifact Generator Started At 2021-09-14 16:43:04.623222
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Donut
[-] Failed to convert c:\Repos\bbb.exe
Traceback (most recent call last):
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 202, in generate
    self.generate_wrapped()
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 221, in generate_wrapped
    shellcode_bytes = self.transformer.transform(target=self.file)
  File "C:\Repos\inceptor\inceptor\converters\Donut.py", line 37, in transform
    sys.exit(1)
NameError: name 'sys' is not defined

klezVirus commented 3 years ago

Hi @lexone12, after a while, I discovered the error might be caused by some missing DLLs in the precompiled version of LLVM-Obfuscator. You can try fixing it by building LLVM_obfuscator directly on your system. The steps required are available here.

@0xElessar, your issue is way different from the one encountered by @lexone12, and it's caused by an architecture mismatch. Inceptor works by default on x64, so if you want to pack a binary which is 32-bit, you'll have to specify it using the --arch x86 option.

Let me know if this solves your issues.

0xElessar commented 3 years ago

Hello @klezVirus ,

setting --arch does not matter, unfortunately. The errors are exactly the same. Using shellcode works perfectly. Soon I will try the .NET binary; I need to set up the new C2 infra first. I will keep you updated :) Thanks again for the tool and the support!

klezVirus commented 3 years ago

Well, this is strange. Can you add the debug information for the donut loader? You can do this by going into config.ini and putting LOADERS = 1 in the DEBUG section. This will print the donut command line executed by the program, which can help identify the problem.

0xElessar commented 3 years ago

Of course. Great idea, @klezVirus .

python inceptor.py native c:\Repos\bbb.exe -o .\test.exe -t donut --arch x86

generates this donut command:

"C:\Repos\inceptor\inceptor\libs\public\donut.exe" -e3 -a2 -b1 -f1 "c:\Repos\bbb.exe" -o "C:\Repos\inceptor\inceptor\temp\bbb.bin"

python inceptor.py native c:\Repos\bbb.exe -o .\test.exe -t donut --arch x64

generates the same command!

"C:\Repos\inceptor\inceptor\libs\public\donut.exe" -e3 -a2 -b1 -f1 "c:\Repos\bbb.exe" -o "C:\Repos\inceptor\inceptor\temp\bbb.bin"

Changing manually -a2 to -a1 fixed the donut error. So ... the problem seems to be in the architecture parameter!

klezVirus commented 3 years ago

Yeah, I guessed it was the architecture. This will definitely be fixed with the next commits. Thanks a lot for your time here, this was extremely valuable! As soon as I push the fix, probably tonight, I'll close the issue. Again, thanks @0xElessar for the help :D

0xElessar commented 3 years ago

No problem, @klezVirus. The pleasure is mine. Thank you for helping the community. The tool is great!

klezVirus commented 3 years ago

Hi @0xElessar, the issue should be fixed now in the main branch. Closing the issue for now, feel free to reopen if you notice it's not working properly.

EddieIvan01 commented 3 years ago

Same issue. The problem is that COMPILERS.vcvarsall in config.ini is null, so the compile command line becomes "C:\inceptor" x64 & "C:\inceptor\obfuscators\native\llvm-clang\llvm-clang\clang-cl.exe" ...