Closed: 0xElessar closed this 3 years ago
Hi @0xElessar, you're right, there was a bug with the signature when generating a native EXE. For the -dll
flag, I have to be honest, I think it's just confusing, I'm gonna remove it in the near future. That flag would create a wrapper DLL around the executable. Let's say you run the following command:
python inceptor.py native topack.exe -o packed.exe --dll
The idea is that you would create two files:
Last bit. I'm gonna put a Wiki up soon. It's required to use the tool properly, I'm working on it at the moment.
Thank you, @klezVirus .
I get the point :) But it would be a pity if you removed features already present in the tool. That would be such a waste of time!
I ran this successfully:
python inceptor.py native c:\Repos\test1.raw -o testdll.exe --dll
I got two files:
But the shellcode is still present in the exe file :( So I am not sure why we need testdll.dll.
This feature would be great if it worked like this:
1) EXE and DLL files are created
2) The EXE file is totally safe and does nothing apart from loading the DLL file and executing a function in it
3) The DLL file contains all the payload with encoding/encryption/unhooking etc.
4) The DLL can be loaded with this EXE file, or directly with rundll32 testdll.dll,anyfunctionname
I used such an approach to bypass an EDR product which kept reporting my .exe as malicious and refused to load it, even without any shellcode! Putting the protected shellcode within a DLL solved the problem.
Your tool is great because it introduces obfuscation and encoding/encryption in such an easy, flexible and automated way! A DLL with the payload is a much-needed feature now, as many EDR products do not detect DLL sideloading or especially DLL hijacking, which allows executing the payload in difficult scenarios!
Thanks
UPDATE: I think you already have similar feature in the tool :)
python inceptor.py native c:\Repos\test1.raw -o testdll2.dll --exports testaaa
dumpbin /exports testdll2.dll
Microsoft (R) COFF/PE Dumper Version 14.29.30133.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file testdll2.dll
File Type: DLL
Section contains the following exports for testdll2-temp.dll
00000000 characteristics
FFFFFFFF time date stamp
0.00 version
1 ordinal base
1 number of functions
1 number of names
ordinal hint RVA name
1 0 002021A0 PsychoBlastEP
rundll32 testdll2.dll,PsychoBlastEP
Yes, WIKI will be extremely helpful :) Thanks.
Hi @0xElessar, I've started the Wiki, let me know if you notice something missing that you would like to see there. Again, thanks for your feedback, it's extremely valuable!
No problem, @klezVirus . My pleasure!
Thank you. The Wiki looks great. Signing examples... so helpful!!!
I am going to check the module examples, but first I need to install the new version. But there is a problem :( Unlucky me :(
Hi @0xElessar, closing for now, feel free to reopen in case.
Hey @klezVirus,
sorry to bother you again, but I have a few questions/issues. When you have a moment, can you have a look, please?
a) Are you sure the native signatures work correctly?
b) Are you sure Modules work correctly in the native mode? I can't see any difference in the below tool output:
c) DLLs - Could you explain how this functionality works with some examples, please? After using the below command, the DLL does not have any exported function that can be called, so I am not sure whether this worked correctly.
Thank you for your time!
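The check that question (c) asks for, and that the `dumpbin /exports` output earlier in the thread performed by hand, can be done offline by reading the PE export directory directly. The following is an added example, not code from the Inceptor project or from either participant: it walks the MZ and PE headers to `DataDirectory[0]`, resolves the three parallel export tables (function RVAs, name RVAs, name ordinals), and reports which names `rundll32 x.dll,Name` could resolve. Because a real DLL cannot ship with this page, `build_sample_dll` constructs a minimal, non-loadable PE32+ image that carries only an export table; the export names `PsychoBlastEP` and `SampleExport` and the file name `sample.dll` are sample values, and all function names are my own.

```python
# Added example (not Inceptor code): list a DLL's exports the way `dumpbin /exports` does.
# The sample image is constructed in-process and cannot be loaded; only its export table is meaningful.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Section = Tuple[int, int, int, int]  # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)

@dataclass
class Export:
    ordinal: int
    rva: int
    name: Optional[str]              # None for ordinal-only exports
    forwarder: Optional[str] = None  # "OtherDll.Func" when the slot forwards instead of pointing at code

def _rva_to_offset(rva: int, sections: List[Section]) -> int:
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return rva  # RVAs inside the headers map 1:1 to file offsets

def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_exports(data: bytes) -> List[Export]:
    """MZ -> PE -> optional header -> DataDirectory[0] -> export directory -> three parallel tables."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = pe + 4, pe + 24
    n_sections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # the export data directory entry sits at +96 in PE32 and at +112 in PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    sections: List[Section] = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0 or exp_size == 0:
        return []  # no export directory at all: nothing rundll32 could call by name
    (_, _, _, _, _dll_name, base, n_funcs, n_names, funcs_rva, names_rva,
     ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, _rva_to_offset(exp_rva, sections))
    funcs_off, names_off, ords_off = (_rva_to_offset(r, sections) for r in (funcs_rva, names_rva, ords_rva))
    name_by_index: Dict[int, str] = {}
    for i in range(n_names):  # AddressOfNames and AddressOfNameOrdinals are parallel arrays
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        index = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
        name_by_index[index] = _cstring(data, _rva_to_offset(name_rva, sections))
    exports = []
    for i in range(n_funcs):
        frva = struct.unpack_from("<I", data, funcs_off + 4 * i)[0]
        if frva == 0:
            continue  # unused slot in the ordinal range
        inside_dir = exp_rva <= frva < exp_rva + exp_size  # a forwarder RVA points back into the directory
        fwd = _cstring(data, _rva_to_offset(frva, sections)) if inside_dir else None
        exports.append(Export(base + i, frva, name_by_index.get(i), fwd))
    return exports

def callable_names(data: bytes) -> List[str]:
    """Names that `rundll32 x.dll,Name` could resolve in this image (forwarders excluded)."""
    return [e.name for e in parse_exports(data) if e.name and e.forwarder is None]

def build_sample_dll(names: List[str]) -> bytes:
    """Constructed sample: a minimal PE32+ DLL image carrying only an export table (not loadable)."""
    sec_va, sec_raw, sec_size, n = 0x1000, 0x200, 0x200, len(names)
    funcs_rva, names_rva = sec_va + 40, sec_va + 40 + 4 * n
    ords_rva, strings_rva = names_rva + 4 * n, names_rva + 6 * n
    strings, name_rvas = bytearray(b"sample.dll\0"), []
    for nm in names:
        name_rvas.append(strings_rva + len(strings))
        strings += nm.encode() + b"\0"
    edata = bytearray(struct.pack("<IIHHIIIIIII", 0, 0xFFFFFFFF, 0, 0, strings_rva, 1, n, n,
                                  funcs_rva, names_rva, ords_rva))
    edata += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n))
    edata += strings
    exp_size = len(edata) if names else 0  # no names: leave DataDirectory[0] empty
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)  # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, one section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                               # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, sec_raw)                   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_va if names else 0, exp_size)  # export directory entry
    sec = struct.pack("<8sIIIIIIHHI", b".edata", sec_size, sec_va, sec_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(sec_raw, b"\0") + bytes(edata).ljust(sec_size, b"\0")

if __name__ == "__main__":
    for e in parse_exports(build_sample_dll(["PsychoBlastEP", "SampleExport"])):
        print(e)
```

To run it against a real file, pass `open(path, "rb").read()` to `callable_names`; an empty list means the image either has no export directory at all or only exports by ordinal or by forwarder, which is exactly the situation question (c) describes, since `rundll32` needs a name it can resolve. The section-to-file-offset mapping uses the larger of VirtualSize and SizeOfRawData so that tables placed in the zero-padded tail of a section still resolve.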