DLL native mode

[0xElessar]

Hey @klezVirus ,

when you have a moment, could you have a look at below.

I tried to use your tool to generate some DLL and sign them. Here are my results:

python inceptor.py native c:\repos\msgbox32.raw --arch x86 -o cldapi.dll
Does not work. The exported function is called _PsychoBlastEP@16 and it cannot be called successfully.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll
Works perfectly.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll -e XOR
Does not work.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll -s -sd microsoft.com -so
Works but it is not signed.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll -s -sd www.microsoft.com
Works and it is signed.

python inceptor.py native c:\repos\msgbox64.raw --arch x64 -o cldapi.dll --clone C:\Windows\system32\ntdll.dll
Does not work. Breaks the DLL. The output DLL has all exported functions from ntdll.dll.

Any chance for fixing them, please? :)

thanks
Rafal

[klezVirus]

Hi @0xElessar, thanks for the continous testing, it is very precious.

So, let's come to your points one by one:

• Oflline signing: Should be fixed in dev branch
• x86 Exports: You should define an export file .def if you want to prevent names from being mangled by the linker.
• --clone standard behaviour is to copy everything from a binary. If you want just the metadata like "company, copyright, etc" there is no support for that, but there will be in the near future, so stay tuned.
• XOR not working, what do you mean with that exactly?

[0xElessar]

My pleasure, @klezVirus.

I will try to define .def file then. I remember having problems with it in the past. But i will try again.

Do you have any suggestion how to use --clone function effectively? In my testing, my payloads were overwritten by this function.

When I use an encoder with the DLL, there is no error message during DLL generation, but the payload seems to be damaged. Even a simple payload with a message box does not work after using an encoder. Without an encoder, the payload is executed successfully.

[0xArt3mis]

Hi, I tried your tool using a .def file created with

dumpbin /exports file.dll /out:file.def

I provided the file.def as --exports parameter but I get the following error when executed:

Traceback (most recent call last):
  File "inceptor.py", line 268, in <module>
    generator = NativeArtifactGenerator(binary_abs_path,
  File "C:\Users\Username\Documents\Tools\inceptor\inceptor\generators\NativeArtifactGenerator.py", line 147, in __init__
    self.dll_compiler_args["/DEF"] = f'"{os.path.abspath(self.exports)}"'
TypeError: 'NoneType' object does not support item assignment

How can I set custom exports?