klezVirus / inceptor

Template-Driven AV/EDR Evasion Framework

LLVM Native #15

Closed 0xElessar closed 3 years ago

0xElessar commented 3 years ago

Hello @klezVirus ,

thank you for your work. I tried to use LLVM compilation for nice obfuscation, but this command results in missing DLL file errors:

python inceptor.py native c:\Repos\test1.raw -o test.exe -C llvm
[...]
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
Traceback (most recent call last):
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 202, in generate
    self.generate_wrapped()
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 241, in generate_wrapped
    self.compile_exe(shellcode)
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 159, in compile_exe
    raise FileNotFoundError("Error generating EXE")
FileNotFoundError: Error generating EXE

One of the missing libraries is attached.

I repeated the installation process multiple times. The error always occurs.


0xElessar commented 3 years ago

The problem is caused by clang-cl.exe in the "\inceptor\obfuscators\native\llvm-clang\llvm-clang" folder.

Next, I downloaded the LLVM package and installed it. Added it to the path as well. I can access clang-cl.exe from this install without any errors. However, update-config.py still reports that LLVM is not installed and downloads pre-compiled binaries. Next, it uses clang-cl.exe from the "\inceptor\obfuscators\native\llvm-clang\llvm-clang" folder instead of the correctly installed one :(

0xElessar commented 3 years ago

OK. I have managed to fix it by:

  1. Installing mingw from https://sourceforge.net/projects/mingw-w64/files/Toolchains%20targetting%20Win32/Personal%20Builds/mingw-builds/installer/mingw-w64-install.exe/download

     I used the following version: x86_64-8.1.0-posix-seh-rt_v6-rev0

  2. Extracting 3 DLLs from the installed files and putting them into: C:[...]\inceptor\inceptor\obfuscators\native\llvm-clang\llvm-clang:
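The two comments above (the bundled clang-cl.exe failing with missing DLL errors, and the fix of copying MinGW runtime DLLs next to it) both come down to one question: which DLLs does that clang-cl.exe import, and which of them cannot be found in its own folder or on PATH? The script below is an added example, not part of inceptor or of the poster's fix. It walks the PE import directory with only the standard library and reports each imported DLL as found or missing, searching the EXE's own directory, any extra directories given on the command line, and then PATH, which is the order the Windows loader consults first. The path to clang-cl.exe and the extra directory are assumptions you supply; the `build_sample_pe()` image and its two DLL names are constructed test data and do not represent the real clang-cl.exe.

```python
r"""Report which DLLs an EXE imports and which of them cannot be found.

Usage:  python check_imports.py C:\path\to\clang-cl.exe [extra_dir ...]

Search order mirrors the loader's first steps: the EXE's own folder,
then any extra directories, then every entry on PATH.
"""
import os
import struct
import sys
import tempfile

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _sections(data, nt_off, num_sections, opt_size):
    """Yield (virtual_address, size, raw_pointer) for each section header."""
    base = nt_off + 4 + 20 + opt_size  # after PE signature, COFF header, optional header
    for i in range(num_sections):
        hdr = data[base + i * 40: base + (i + 1) * 40]
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        yield vaddr, max(vsize, raw_size), raw_ptr


def _rva_to_offset(rva, sections):
    """Translate an RVA into a file offset using the section table."""
    for vaddr, size, raw_ptr in sections:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x not in any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_imports(data):
    """Return the DLL names in the import directory of a PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections, opt_size = struct.unpack_from("<H12xH", data, nt_off + 6)
    opt_off = nt_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:      # PE32: data directories start at optional header + 96
        dir_off = opt_off + 96
    elif magic == 0x20B:    # PE32+: data directories start at optional header + 112
        dir_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva, _size = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if import_rva == 0:
        return []
    sections = list(_sections(data, nt_off, num_sections, opt_size))
    names = []
    desc_off = _rva_to_offset(import_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        fields = struct.unpack_from("<IIIII", data, desc_off)
        if not any(fields):
            break  # all-zero descriptor terminates the table
        names.append(_cstring(data, _rva_to_offset(fields[3], sections)))
        desc_off += 20
    return names


def find_missing(imports, search_dirs):
    """Return imported DLL names not present (case-insensitively) in any search directory."""
    missing = []
    for name in imports:
        low = name.lower()
        if low.startswith(("api-ms-win-", "ext-ms-win-")):
            continue  # API set contracts are resolved by the loader, not as files on disk
        found = False
        for d in search_dirs:
            try:
                found = low in {e.lower() for e in os.listdir(d)}
            except OSError:
                continue
            if found:
                break
        if not found:
            missing.append(name)
    return missing


def check_exe(exe_path, extra_dirs=()):
    """Parse exe_path and return (all imports, imports that could not be located)."""
    with open(exe_path, "rb") as f:
        data = f.read()
    imports = list_imports(data)
    search_dirs = [os.path.dirname(os.path.abspath(exe_path))] + list(extra_dirs)
    search_dirs += [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    return imports, find_missing(imports, search_dirs)


def build_sample_pe():
    """Constructed minimal PE32+ image with two import descriptors (test data, not a real binary)."""
    opt_size = 0xF0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                                     # PE32+ magic
    struct.pack_into("<II", opt, 112 + 8, 0x1000, 60)                          # import dir RVA/size
    sect = b".idata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + coff + bytes(opt) + sect
    headers += b"\0" * (0x200 - len(headers))
    idata = bytearray(0x200)                                                    # section at RVA 0x1000
    struct.pack_into("<IIIII", idata, 0, 0, 0, 0, 0x1040, 0)                    # Name RVA -> 0x1040
    struct.pack_into("<IIIII", idata, 20, 0, 0, 0, 0x1050, 0)                   # Name RVA -> 0x1050
    idata[0x40:0x4D] = b"KERNEL32.dll\0"
    idata[0x50:0x64] = b"missing-example.dll\0"                                # constructed name
    return bytes(headers + idata)


def demo():
    """Write the sample PE next to a dummy KERNEL32.dll and report what is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "sample.exe")
        with open(exe, "wb") as f:
            f.write(build_sample_pe())
        with open(os.path.join(tmp, "KERNEL32.dll"), "wb") as f:
            f.write(b"")
        _imports, missing = check_exe(exe)
        return missing


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(__doc__)
        sys.exit(1)
    imports, missing = check_exe(sys.argv[1], sys.argv[2:])
    for name in imports:
        print("%-8s %s" % ("MISSING" if name in missing else "ok", name))
    sys.exit(1 if missing else 0)
```

Run it against the bundled clang-cl.exe, optionally passing the MinGW bin directory as an extra search directory, to see which imports resolve only from MinGW; those are the files to copy next to clang-cl.exe. The script checks only DLLs imported directly by the EXE, so after copying a DLL you may need to run it again on that DLL to follow transitive dependencies.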
klezVirus commented 3 years ago

Hi @0xElessar, just noticing this after I answered the other issue. Honestly, it's a smart way to solve the problem. Not knowing if this is applicable in all cases (I'm not even sure why this happens in certain versions of Windows/Visual Studio only), the official fix is still to re-build LLVM-Obfuscator. Anyway, happy you managed to find a solution!

0xElessar commented 3 years ago

@klezVirus thank you for your response. Yeah, I was really surprised to see this problem.

Great work and project. Thank you for your time, @klezVirus .