
Comments (5)

klezVirus commented on May 27, 2024

Hi @0xElessar, you're right, there was a bug with the signature when generating a native EXE. For the -dll flag, I have to be honest, I think it's just confusing; I'm gonna remove it in the near future. That flag would create a wrapper DLL around the executable. Let's say you run the following command:

python inceptor.py native topack.exe -o packed.exe --dll

The idea is that you would create two files:

  1. An exe
  2. A DLL which should execute a "drop and execute" kind of payload

Last bit. I'm gonna put a Wiki up soon. It's required to use the tool properly; I'm working on it at the moment.

from inceptor.

0xElessar commented on May 27, 2024

Thank you, @klezVirus .

I get the point :) But it will be a pity if you remove features already present in the tool. That would be such a waste of time!

I ran this successfully:
python inceptor.py native c:\Repos\test1.raw -o testdll.exe --dll

I got two files:

  • testdll.exe
  • testdll.dll

But the shellcode is still present in the exe file :( So I am not sure why we need testdll.dll.

This feature would be great if it worked in this way:

  1. Exe and DLL file are created
  2. The exe file is totally safe and is doing nothing apart from loading the DLL file and executing a function in the DLL file
  3. DLL file contains all the payload with encoding/encryption/unhooking etc.
  4. DLL can be loaded with this EXE file, or directly with rundll32 testdll.dll,anyfunctionname

I used such an approach to bypass some EDR product, which kept reporting my .exe as malicious and refused to load it, even without any shellcode! Putting the protected shellcode within a DLL solved the problem.

Your tool is great, because it introduces obfuscation and encoding/encryption in such an easy, flexible and automated way! A DLL with the payload is a very needed feature now, as many EDR products do not detect DLL sideloading or especially DLL hijacking, which allows executing the payload in difficult scenarios!

thanks

UPDATE: I think you already have a similar feature in the tool :)

python inceptor.py native c:\Repos\test1.raw -o testdll2.dll --exports testaaa

dumpbin /exports testdll2.dll
Microsoft (R) COFF/PE Dumper Version 14.29.30133.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file testdll2.dll

File Type: DLL

  Section contains the following exports for testdll2-temp.dll

    00000000 characteristics
    FFFFFFFF time date stamp
        0.00 version
           1 ordinal base
           1 number of functions
           1 number of names

    ordinal hint RVA      name

          1    0 002021A0 PsychoBlastEP

rundll32 testdll2.dll,PsychoBlastEP

Yes, a WIKI will be extremely helpful :) Thanks.

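The check 0xElessar does with dumpbin /exports (confirm which entry points a generated DLL actually exposes before anyone points rundll32 at it) can be done statically without the Visual Studio toolchain. The following is an added example, not code from this thread or from the inceptor project: a pure-Python walker over the PE export directory that reproduces the DLL name, ordinal base and the (ordinal, hint, RVA, name) rows dumpbin prints, and also resolves forwarded exports, which dumpbin shows as "forwarded to". Because there is no DLL on the page to load, the script builds a minimal PE32+ image in memory; the export name PsychoBlastEP and the temp DLL name are taken from the thread, while the RVA 0x1000, the ForwardedHelper entry and the OTHER.Helper forwarder target are constructed values. This is triage tooling: it lets a defender list the entry points of a suspicious DLL without executing it.

```python
"""Minimal PE export-table walker (pure Python, no pefile dependency).

Reports what `dumpbin /exports` prints: DLL name, ordinal base and, for every
named export, its ordinal, hint, RVA, name and forwarder target (if any).
The image it parses is CONSTRUCTED in memory below; it is not a file produced
by inceptor.
"""
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def _read_cstring(data, offset):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[offset:data.index(b"\x00", offset)].decode("ascii")


def _headers(data):
    """Return (section table, export dir RVA, export dir size) from the PE headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)  # DataDirectory start: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    sect_off = opt + opt_size
    sections = []
    for i in range(nsect):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sect_off + 40 * i + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return sections, exp_rva, exp_size


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def parse_exports(data):
    """Walk IMAGE_EXPORT_DIRECTORY and return the named exports in hint order."""
    sections, exp_rva, exp_size = _headers(data)
    if exp_rva == 0:
        return {"dll_name": None, "ordinal_base": 0, "exports": []}
    d = _rva_to_offset(sections, exp_rva)
    # Fields from offset 12: Name, Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    name_rva, base, nfuncs, nnames, aof, aon, aoo = struct.unpack_from("<IIIIIII", data, d + 12)
    funcs = struct.unpack_from(f"<{nfuncs}I", data, _rva_to_offset(sections, aof))
    names = struct.unpack_from(f"<{nnames}I", data, _rva_to_offset(sections, aon))
    ords = struct.unpack_from(f"<{nnames}H", data, _rva_to_offset(sections, aoo))
    exports = []
    for hint, (nrva, idx) in enumerate(zip(names, ords)):
        func_rva = funcs[idx]
        # A function address that lands inside the export directory itself is
        # not code: it is a "DLL.Symbol" forwarder string the loader resolves.
        forward = None
        if exp_rva <= func_rva < exp_rva + exp_size:
            forward = _read_cstring(data, _rva_to_offset(sections, func_rva))
        exports.append({"ordinal": base + idx, "hint": hint, "rva": func_rva,
                        "name": _read_cstring(data, _rva_to_offset(sections, nrva)),
                        "forwarder": forward})
    return {"dll_name": _read_cstring(data, _rva_to_offset(sections, name_rva)),
            "ordinal_base": base, "exports": exports}


def has_export(data, name):
    """True if the image exports `name` (what one checks before rundll32 dll,name)."""
    return any(e["name"] == name for e in parse_exports(data)["exports"])


def build_sample_dll(dll_name, exports):
    """CONSTRUCTED test image: a PE32+ file whose only section is an export table.
    exports: list of (name, rva) or (name, "FORWARDDLL.Symbol")."""
    EDATA_RVA, EDATA_RAW, n = 0x2000, 0x400, len(exports)
    aof = EDATA_RVA + 40                      # function RVAs follow the 40-byte directory
    aon, aoo = aof + 4 * n, aof + 8 * n       # then name RVAs, then name ordinals
    str_base, strings = aoo + 2 * n, bytearray()
    dll_name_rva = str_base
    strings += dll_name.encode() + b"\x00"
    name_rvas, func_rvas = [], []
    for name, target in exports:
        name_rvas.append(str_base + len(strings))
        strings += name.encode() + b"\x00"
        if isinstance(target, str):           # forwarder: RVA points at a string in .edata
            func_rvas.append(str_base + len(strings))
            strings += target.encode() + b"\x00"
        else:
            func_rvas.append(target)
    edata_len = 40 + 10 * n + len(strings)
    edata = struct.pack("<IIHHIIIIIII", 0, 0xFFFFFFFF, 0, 0, dll_name_rva, 1, n, n, aof, aon, aoo)
    edata += struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas)
    edata += struct.pack(f"<{n}H", *range(n)) + bytes(strings)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\x00" * 22                          # PE32+ standard fields
    opt += struct.pack("<QII", 0x180000000, 0x1000, 0x200) + b"\x00" * 68  # ImageBase .. LoaderFlags
    opt += struct.pack("<I", 16) + struct.pack("<II", EDATA_RVA, edata_len) + b"\x00" * 120
    sect = b".edata\x00\x00" + struct.pack("<IIIIIIHHI", edata_len, EDATA_RVA, edata_len,
                                             EDATA_RAW, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(EDATA_RAW, b"\x00") + edata


# Constructed sample: the export name and DLL name come from the thread, the
# RVA and the forwarded entry are invented.
SAMPLE_DLL = build_sample_dll("testdll2-temp.dll",
                              [("PsychoBlastEP", 0x1000), ("ForwardedHelper", "OTHER.Helper")])

if __name__ == "__main__":
    r = parse_exports(SAMPLE_DLL)
    print(f"{r['dll_name']}: ordinal base {r['ordinal_base']}")
    for e in r["exports"]:
        tail = f" (forwarded to {e['forwarder']})" if e["forwarder"] else ""
        print(f"{e['ordinal']:>8} {e['hint']:>4} {e['rva']:08X} {e['name']}{tail}")
```

To run it against a real file, replace SAMPLE_DLL with the bytes of the DLL (open(path, "rb").read()); the parser only depends on the section table, so it works on any PE32 or PE32+ image.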

klezVirus commented on May 27, 2024

Hi @0xElessar, I've started the Wiki, let me know if you notice something missing that you would like to see there. Again, thanks for your feedback, it's extremely valuable!


0xElessar commented on May 27, 2024

No problem, @klezVirus . My pleasure!

Thank you. Wiki looks great. Signing examples ... so helpful !!!

I am going to check the module examples, but first I need to install the new version. But there is a problem :( Unlucky me :(


klezVirus commented on May 27, 2024

Hi @0xElessar, closing for now, feel free to reopen in case.

