klezVirus / inceptor

Template-Driven AV/EDR Evasion Framework

Modules, signature and DLL #16

Closed 0xElessar closed 3 years ago

0xElessar commented 3 years ago

Hey @klezVirus,

sorry to bother you again, but I have a few questions/issues. When you have a moment, can you have a look, please?

a) Are you sure the native signatures work correctly?

python inceptor.py native c:\Repos\test1.raw -o test.exe --sign

[+] Native Artifact Generator Started At 2021-09-20 20:31:07.434885
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmp7egn3rv_.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
    [+] Success: file stored at test.exe
    [+] Shellcode Signature: e9713d767ff7d57f03556df14db534012d712e38
  [>] Phase 4.2: Signing native binary
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native binary
    [+] Success: file stored at test.exe
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:31:15.653622
signtool verify /v .\test.exe

Verifying: .\test.exe
SignTool Error: No signature found.

b) Are you sure Modules work correctly in the native mode? I can't see any difference in the below tool output:

python inceptor.py native c:\Repos\test1.raw -o test.exe --modules aaa

[+] Native Artifact Generator Started At 2021-09-20 20:33:20.200979
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmpao90o50p.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
    [+] Success: file stored at test.exe
    [+] Shellcode Signature: e9713d767ff7d57f03556df14db534012d712e38
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native binary
    [+] Success: file stored at test.exe
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:33:28.389986
python inceptor.py native c:\Repos\test1.raw -o test.exe --modules unhook

[+] Native Artifact Generator Started At 2021-09-20 20:33:37.310321
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmpsgpu8ejh.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
    [+] Success: file stored at test.exe
    [+] Shellcode Signature: e9713d767ff7d57f03556df14db534012d712e38
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native binary
    [+] Success: file stored at test.exe
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:33:45.294281

c) DLLs - Could you explain how this functionality works with some examples, please? After using the below command, the DLL does not have any exported function, which can be called... so I am not sure whether this worked correctly.

python inceptor.py native c:\Repos\test1.raw -o test.dll --dll --exports testfunction

[+] Native Artifact Generator Started At 2021-09-20 20:41:32.664229
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC.DLL
  [>] Phase 3.1: Writing CPP file in .\temp\tmp13vzis0a.cpp
[*] Phase 4: DLL compilation and Signing
  [>] Phase 4.1: Compiling DLL...
    [+] Success: file stored at C:\Repos\inceptor\inceptor\temp\test-temp.dll
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native library
    [+] Success: file stored at test.dll
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:41:35.757092
dumpbin /exports test.dll
Microsoft (R) COFF/PE Dumper Version 14.29.30133.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file test.dll

File Type: DLL

  Summary

        1000 .data
        1000 .pdata
        1000 .rdata
        1000 .reloc
        2000 .text

Thank you for your time!

klezVirus commented 3 years ago

Hi @0xElessar, you're right, there was a bug with the signature when generating a native EXE. For the -dll flag, I have to be honest, I think it's just confusing, I'm gonna remove it in the near future. That flag would create a wrapper DLL around the executable. Let's say you run the following command:

python inceptor.py native topack.exe -o packed.exe --dll

The idea is that you would create two files:

  1. An exe
  2. A DLL which should execute a "drop and execute" kind of payload

Last bit. I'm gonna put a Wiki up soon. It's required to use the tool properly, I'm working on it at the moment.

0xElessar commented 3 years ago

Thank you, @klezVirus .

I get the point :) But it will be a pity if you remove features already present in the tool. That would be such a waste of time!

I ran this successfully: python inceptor.py native c:\Repos\test1.raw -o testdll.exe --dll

I got two files:

But the shellcode is still present in the exe file :( So I am not sure why we need testdll.dll.

This feature would be great if it worked in this way:

  1. An EXE and a DLL file are created
  2. The EXE file is totally safe and does nothing apart from loading the DLL file and executing a function in it
  3. The DLL file contains all the payload with encoding/encryption/unhooking etc.
  4. The DLL can be loaded with this EXE file, or directly with rundll32 testdll.dll,anyfunctionname

I used such an approach to bypass an EDR product which kept reporting my .exe as malicious and refused to load it, even without any shellcode! Putting the protected shellcode within a DLL solved the problem.

Your tool is great, because it introduces obfuscation and encoding/encryption in such an easy, flexible and automated way! A DLL with the payload is a much-needed feature now, as many EDR products do not detect DLL sideloading or especially DLL hijacking, which allows executing the payload in difficult scenarios!

thanks

UPDATE: I think you already have a similar feature in the tool :)

python inceptor.py native c:\Repos\test1.raw -o testdll2.dll --exports testaaa

dumpbin /exports testdll2.dll
Microsoft (R) COFF/PE Dumper Version 14.29.30133.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file testdll2.dll

File Type: DLL

  Section contains the following exports for testdll2-temp.dll

    00000000 characteristics
    FFFFFFFF time date stamp
        0.00 version
           1 ordinal base
           1 number of functions
           1 number of names

    ordinal hint RVA      name

          1    0 002021A0 PsychoBlastEP

rundll32 testdll2.dll,PsychoBlastEP

Yes, WIKI will be extremely helpful :) Thanks.
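As an added example (not inceptor's code, nor from either commenter): a small Python PE inspector that performs the two checks made in this thread with signtool and dumpbin, reporting whether the Authenticode certificate directory is populated and which names the export table contains. The sample image it builds is a constructed header-only PE32+ skeleton (an assumption for demonstration, not a real inceptor artifact); the parser itself works on real PE32/PE32+ files read from disk.

```python
import struct

u16 = lambda b, o: struct.unpack_from("<H", b, o)[0]
u32 = lambda b, o: struct.unpack_from("<I", b, o)[0]

def rva_to_off(data, nt, rva):
    """Map an RVA to a file offset via the section table that follows the optional header."""
    base = nt + 24 + u16(data, nt + 20)            # 4-byte signature + 20-byte file header
    for i in range(u16(data, nt + 6)):             # NumberOfSections
        h = base + 40 * i
        va, raw = u32(data, h + 12), u32(data, h + 20)
        if va <= rva < va + max(u32(data, h + 8), u32(data, h + 16)):
            return rva - va + raw
    raise ValueError("RVA %#x is outside every section" % rva)

def inspect_pe(data):
    """Return (has_cert_table, export_names); a cert table proves attachment, not validity."""
    nt = u32(data, 0x3C)                           # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24
    dd = opt + (112 if u16(data, opt) == 0x20B else 96)          # IMAGE_DATA_DIRECTORY[0]
    exp_rva = u32(data, dd)                                       # entry 0: export table (RVA)
    cert_off, cert_len = u32(data, dd + 32), u32(data, dd + 36)  # entry 4: security (file offset)
    names = []
    if exp_rva:
        e = rva_to_off(data, nt, exp_rva)
        tbl = rva_to_off(data, nt, u32(data, e + 32))           # AddressOfNames
        for i in range(u32(data, e + 24)):                       # NumberOfNames
            p = rva_to_off(data, nt, u32(data, tbl + 4 * i))
            names.append(data[p:data.index(b"\0", p)].decode("ascii"))
    return cert_off != 0 and cert_len != 0, names

def build_sample_pe(exports, with_cert=False):
    """Constructed PE32+ skeleton (not loadable): one section at RVA 0x1000 with an export directory."""
    n, raw = len(exports), 0x200
    starts = [0x1000 + 40 + 10 * n]                # name strings follow the directory + 3 tables
    for s in exports: starts.append(starts[-1] + len(s) + 1)
    sec = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                      0x1000 + 40, 0x1000 + 40 + 4 * n, 0x1000 + 40 + 8 * n)
    sec += struct.pack("<%dI" % n, *[0x1100] * n) + struct.pack("<%dI" % n, *starts[:-1])
    sec += struct.pack("<%dH" % n, *range(n)) + b"".join(s.encode() + b"\0" for s in exports)
    dirs = [(0x1000, len(sec)) if n else (0, 0)] + [(0, 0)] * 15
    if with_cert:
        dirs[4] = (raw + len(sec), 8)              # dummy WIN_CERTIFICATE header appended after section
    opt = struct.pack("<H", 0x20B) + bytes(110) + b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022) + opt
    hdr += b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(sec), 0x1000, len(sec), raw, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(raw, b"\0") + sec + (struct.pack("<IHH", 8, 0x200, 2) if with_cert else b"")
```

A present certificate table is only the precondition for signtool's check; a "No signature found" result as above corresponds to an empty security directory, and an empty export list corresponds to dumpbin printing no exports section.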

klezVirus commented 3 years ago

Hi @0xElessar, I've started the Wiki, let me know if you notice something missing that you would like to see there. Again, thanks for your feedback, it's extremely valuable!

0xElessar commented 3 years ago

No problem, @klezVirus . My pleasure!

Thank you. The Wiki looks great. Signing examples... so helpful!!!

I am going to check the module examples, but first I need to install the new version. But there is a problem :( Unlucky me :(

klezVirus commented 3 years ago

Hi @0xElessar, closing for now, feel free to reopen in case.