nettitude / PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
BSD 3-Clause "New" or "Revised" License

[BUG] Sharpv4 and Poshv4 payloads not playing nice with ConfuserEx2 #179

Closed jmhickman closed 3 years ago

jmhickman commented 3 years ago

Description

Attempting to apply protections to the binaries using the ConfuserEx 2 project results in an error:

[ERROR] Unknown error occurred.
Exception: System.BadImageFormatException: .NET data directory RVA is 0
   at dnlib.DotNet.MD.MetadataFactory.Create(IPEImage peImage, Boolean verify)
   at dnlib.DotNet.MD.MetadataFactory.Load(String fileName)
   at Confuser.Core.ObfAttrMarker.MarkProject(ConfuserProject proj, ConfuserContext context)
   at Confuser.Core.ConfuserEngine.RunInternal(ConfuserParameters parameters, CancellationToken token)
Failed at 5:06 PM, 0:00 elapsed.

Obviously, this is a ConfuserEx2 error and not an issue with Posh. When I searched though for this error, I found this issue on their project page: https://github.com/mkaring/ConfuserEx/issues/179

In it, was the caution that ConfuserEx2 doesn't currently support .Net Core 3.1.

It's pretty clear that the Posh binaries aren't being compiled this way (they're far too small), but is there any obvious thing that would be causing the process to fail?

Have the project maintainers tried/used ConfuserEx successfully before? Is there some other 'supported' way of applying obfuscation to the payloads?

Execution Environment:

Data | Value
PoshC2 | v7.0.4 (61bcca4 2020-09-22 12:40:33)
OS & version | Kali Linux 2020.3
Using Docker/containerisation? | Using Kali Linux in LXD container

Implant Info

Defensive Technologies

Windows Defender

To Reproduce

  1. Download the mentioned compiled payloads to a Windows computer.
  2. Download and extract the release archive for ConfuserEx2.
  3. Attempt to apply the minimum protections via the process outlined here.

Expected behavior

not relevant

Screenshots

not relevant

riskydissonance commented 3 years ago

Thanks man, sorry for the long delay, but I'll be looking at this next 👍

jmhickman commented 3 years ago

Awesome! I look forward to any findings.

riskydissonance commented 3 years ago

Hi Jim, so this issue arrives as the payloads you're looking at aren't .NET assemblies and ConfuserEx2 is only for obfuscating .NET assemblies.

You can use it with any of the .NET payloads, for example dropper_cs.exe is working fine once 'confused' for me, and isn't caught by Defender etc.

jmhickman commented 3 years ago

Sharp_v4 isn't a .Net assembly? I guess I misunderstood what that was. Is it a normal PE that hosts .Net?

riskydissonance commented 3 years ago

Aye, so it’s an unmanaged PE that is used to inject the relevant shellcode, which then does involve loading the CLR etc, but the exe itself isn’t .NET.

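The distinction in the reply above (a managed .NET assembly versus an unmanaged PE that merely loads the CLR at runtime) is visible in the PE header: a managed assembly carries a non-zero CLR (COM descriptor) data directory, and the "RVA is 0" in the reported dnlib exception is exactly that directory being empty. The following script is an added example, not part of PoshC2 or ConfuserEx; it parses the PE optional header by hand and reports whether a file is a .NET assembly, which is a useful triage check before feeding a binary to any .NET-only tool or when classifying samples during analysis. The `build_minimal_pe` helper constructs header-only sample images inline so the example runs offline; those images are synthetic and are not real executables.

```python
"""Classify a PE file as a managed (.NET) assembly or an unmanaged PE.

Added example (not PoshC2 or ConfuserEx code). It reads only the PE headers:
the CLR header lives in data directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR);
a zero RVA there means "no .NET metadata", which is what dnlib reports as
".NET data directory RVA is 0".
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _unpack(fmt, data, offset):
    """struct.unpack_from with an explicit bounds check for truncated files."""
    if offset < 0 or offset + struct.calcsize(fmt) > len(data):
        raise ValueError("truncated PE header")
    return struct.unpack_from(fmt, data, offset)


def clr_directory(pe):
    """Return (rva, size) of the CLR data directory; raise ValueError if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = _unpack("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = _unpack("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dir_offset = 96                      # data directories start here in PE32
    elif magic == PE32PLUS_MAGIC:
        dir_offset = 112                     # ... and here in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # NumberOfRvaAndSizes sits immediately before the directory array.
    count = _unpack("<I", pe, opt + dir_offset - 4)[0]
    if count <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return (0, 0)                        # header too short to hold a CLR entry
    entry = opt + dir_offset + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    return _unpack("<II", pe, entry)


def is_managed_assembly(pe):
    """True when the file carries .NET metadata (non-zero CLR header RVA)."""
    rva, _size = clr_directory(pe)
    return rva != 0


def classify(pe):
    """Human-readable verdict used by the CLI below and by the test."""
    try:
        return "managed (.NET) PE" if is_managed_assembly(pe) else "unmanaged PE"
    except ValueError:
        return "not a PE file"


def build_minimal_pe(clr_rva, clr_size=0, pe32plus=True):
    """Constructed header-only PE image for demonstration (not executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    magic, dir_offset, opt_size = (
        (PE32PLUS_MAGIC, 112, 240) if pe32plus else (PE32_MAGIC, 96, 224))
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_offset - 4, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dir_offset + 14 * 8, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_is_managed.py file1.exe file2.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print("%s: %s" % (path, classify(fh.read())))
```

Run it over any PE before obfuscating: a result of "unmanaged PE" means a .NET obfuscator has nothing to work on, which is the situation reported in this issue, while "managed (.NET) PE" is what dnlib-based tooling expects.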

jmhickman commented 3 years ago

Well color me embarrassed. Sorry!

riskydissonance commented 3 years ago

Haha, not a problem at all man :) it’s a good find for the .NET payloads we do have though!
