klezVirus / inceptor

Template-Driven AV/EDR Evasion Framework

Definition file not working #26

Closed klezVirus closed 2 years ago

klezVirus commented 2 years ago

Hi, I tried your tool using a .def file created with

dumpbin /exports file.dll /out:file.def

I provided the file.def as the --exports parameter but I get the following error when executed:

Traceback (most recent call last):
  File "inceptor.py", line 268, in <module>
    generator = NativeArtifactGenerator(binary_abs_path,
  File "C:\Users\Username\Documents\Tools\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 147, in __init__
    self.dll_compiler_args["/DEF"] = f'"{os.path.abspath(self.exports)}"'
TypeError: 'NoneType' object does not support item assignment

How can I set custom exports?

Originally posted by @CT-H00K in https://github.com/klezVirus/inceptor/issues/22#issuecomment-966664175
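To make the failure in the traceback concrete, here is an added Python example (not inceptor's code; the class and function names are hypothetical) that reproduces the item assignment on an uninitialised dict and, beside it, the guarded form a fix would use:

```python
import os


# Hypothetical minimal reconstruction of the failing pattern; not inceptor's code.
class BrokenGenerator:
    def __init__(self, exports=None):
        # The compiler-args dict is only created on some code paths,
        # so it can still be None when the exports branch runs.
        self.dll_compiler_args = None
        self.exports = exports
        if self.exports:
            # Same statement as in the traceback: item assignment on None raises TypeError.
            self.dll_compiler_args["/DEF"] = f'"{os.path.abspath(self.exports)}"'


class FixedGenerator:
    def __init__(self, exports=None, dll_compiler_args=None):
        # Guarantee a dict before any item assignment, without a mutable default argument.
        self.dll_compiler_args = dict(dll_compiler_args or {})
        self.exports = exports
        if self.exports:
            self.dll_compiler_args["/DEF"] = f'"{os.path.abspath(self.exports)}"'


def reproduce_error(exports="file.def"):
    """Return the TypeError message the broken pattern raises, or None if it did not raise."""
    try:
        BrokenGenerator(exports)
    except TypeError as exc:
        return str(exc)
    return None


def build_args(exports="file.def"):
    """Return the linker-argument dict the guarded generator builds for a .def path."""
    return FixedGenerator(exports).dll_compiler_args


if __name__ == "__main__":
    print(reproduce_error())   # the message seen in the issue's traceback
    print(build_args("file.def"))
```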

klezVirus commented 2 years ago

Hi @CT-H00K, I've tried now using the dev branch and it seems the issue has been already fixed.

0xArt3mis commented 2 years ago

Hi @klezVirus, I cannot test it since the dev branch is still kinda buggy and not properly executing.

I've tried with venv and pipenv for the virtual environment.

Do you plan switching to poetry in the future? https://python-poetry.org/

klezVirus commented 2 years ago

Yeah you're right, I'm still solving a few issues before merging. I'll merge Dev and main very soon anyway. Didn't know poetry, seems very useful, I'll consider that for sure, thanks for the suggestion! ;)

ghost commented 2 years ago

How to import the .def file?


klezVirus commented 2 years ago

Hi @Revozop, the definition file can be added with the --exports parameter. Let me know if it works, I'm working on a few updates at the moment and don't remember if this is working fine in the main branch.

You can find more examples in the wiki page Example By Scenario

klezVirus commented 2 years ago

Tested the DEF file in main branch and confirmed as working. Closing this issue for now.