Closed jmhickman closed 3 years ago
Thanks man sorry for the long delay but I'll be looking at this next 👍
Awesome! I look forward to any findings.
Hi Jim, so this issue arrives as the payloads you're looking at aren't .NET assemblies and ConfuserEx2 is only for obfuscating .NET assemblies.
You can use it with any of the .NET payloads, for example dropper_cs.exe is working fine once 'confused' for me, and isn't caught by Defender etc.
Sharp_v4 isn't a .Net assembly? I guess I misunderstood what that was. Is it a normal PE that hosts .Net?
Aye so it’s an unmanaged PE that is used to inject the relevant shellcode, which then does involve loading the CLR etc but the exe itself isn’t .NET.
On 3 Nov 2020, at 15:45, jmhickman notifications@github.com wrote:
Sharp_v4 isn't a .Net assembly? I guess I misunderstood what that was. Is it a normal PE that hosts .Net?
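The distinction drawn in this thread, a .NET assembly versus an unmanaged PE that only loads the CLR at run time, is visible in the PE headers: a managed assembly has a non-empty CLR header entry (data directory index 14, `IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR`). The following is an added example for file triage, not code from this thread or from either project; `is_dotnet_assembly` and `build_sample_pe` are hypothetical names and the sample header bytes are constructed.

```python
import struct

COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header entry

def is_dotnet_assembly(data: bytes) -> bool:
    """Return True if the PE image has a non-empty CLR header data directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt_off = pe_off + 4 + 20            # skip PE signature and COFF file header
    if len(data) < opt_off + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        return False
    fixed = 96 if magic == 0x10B else 112   # offset of the data directory array
    entry_off = opt_off + fixed + 8 * COM_DESCRIPTOR
    if len(data) < entry_off + 8:
        return False
    (count,) = struct.unpack_from("<I", data, opt_off + fixed - 4)  # NumberOfRvaAndSizes
    if count <= COM_DESCRIPTOR:
        return False
    rva, size = struct.unpack_from("<II", data, entry_off)
    return rva != 0 and size != 0

def build_sample_pe(clr_rva: int, clr_size: int, pe32_plus: bool = False) -> bytes:
    """Constructed minimal headers for demonstration (not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    fixed = 112 if pe32_plus else 96
    opt = bytearray(fixed + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<I", opt, fixed - 4, 16)
    struct.pack_into("<II", opt, fixed + 8 * COM_DESCRIPTOR, clr_rva, clr_size)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    samples = (("managed", build_sample_pe(0x2008, 0x48)),
               ("native", build_sample_pe(0, 0)))
    for label, image in samples:
        print(label, is_dotnet_assembly(image))
```

A native executable that hosts the CLR at run time still reports False here, because the check only reads the file's own headers.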
Well color me embarrassed. Sorry!
Haha not a problem at all man :) it’s a good find for the .NET payloads we do have though!
On 3 Nov 2020, at 16:45, jmhickman notifications@github.com wrote:
Well color me embarrassed. Sorry!
Description
Attempting to apply protections to the
binaries using the ConfuserEx 2 project results in an error:
Obviously, this is a ConfuserEx2 error and not an issue with Posh. When I searched though for this error, I found this issue on their project page: https://github.com/mkaring/ConfuserEx/issues/179
In it was the caution that ConfuserEx2 doesn't currently support .Net Core 3.1.
It's pretty clear that the Posh binaries aren't being compiled this way (they're far too small), but is there any obvious thing that would be causing the process to fail?
Have the project maintainers tried/used ConfuserEx successfully before? Is there some other 'supported' way of applying obfuscation to the payloads?
Execution Environment:
Implant Info
Defensive Technologies
Windows Defender
To Reproduce
Expected behavior
not relevant
Screenshots
not relevant