• Stars
    star
    201
  • Rank 194,491 (Top 4 %)
  • Language
    PowerShell
  • License
    BSD 3-Clause "New...
  • Created about 3 years ago
  • Updated about 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Koppeling x Metatwin x LazySign

Invoke-DLLClone

Koppeling x Metatwin x LazySign

Invoke-DllClone combines two projects called Koppeling and Invoke-MetaTwin. Invoke-DllClone can copy metadata and the AuthenticodeSignature from a source binary and into a target binary It also uses koppeling to clone the export table from a refference dll onto a malicious DLL post-build using NetClone Finally, it also supports random fake signatures using LazySign logic.

All Credits go to:

  • Joe Vest (vestjoe)
  • Nick Landers (monoxgas)

And the makers of SigThief

All I did was adapt metatwin to facilitate koppeling :)

Feel free to place the dependencies in src yourself if you do not trust me. Dependencies are:

  • NetClone
  • Resource Hacker
  • SigThief (optional)
  • makecert.exe (optional)
  • pvk2pfx.exe (optional)
  • signtool.exe (optional)

Make Sure you CD into the Invoke-DllClone directory first, the script uses relative paths

Forward all exports of powrprof and take over the metadata except the signature
Example Usage: Invoke-DllClone -Source C:\Windows\System32\powrprof.dll -Target C:\Malware\Evilpayload.dll -Output C:\Malware\powrprof.dll

Forward all exports of powrprof and take over the metadata including the signature (will obviously no longer be valid)
Example Usage: Invoke-DllClone -Source C:\Windows\System32\powrprof.dll -Target C:\Malware\Evilpayload.dll -Output C:\Malware\powrprof.dll -Sign

Forward all exports of powrprof and take over the metadata fake a random signature (will obviously not be valid)
Example Usage: Invoke-DllClone -Source C:\Windows\System32\powrprof.dll -Target C:\Malware\Evilpayload.dll -Output C:\Malware\powrprof.dll -FakeSign -FakeCompany lolcorp.evil

Example output:
PS G:\testzone\Invoke-DLLClone> Invoke-DllClone -Source C:\Windows\System32\powrprof.dll -Target .\evilpayload.dll -Output powrprof.dll -Sign
Source:         C:\Windows\System32\powrprof.dll
Target:         .\evilpayload.dll
Output:         .\2021-08-24_204139\powrprof.dll
Signed Output:  .\2021-08-24_204139\signed_powrprof.dll
----------------------------------------------
[*] Clones the export table from C:\Windows\System32\powrprof.dll onto .\evilpayload.dll... using NetClone
[+] Done.
[*] Extracting resources from powrprof.dll
[*] Copying resources from powrprof.dll to .\2021-08-24_204139\powrprof.dll
[*] Extracting and adding signature ...

[+] Results
 -----------------------------------------------
[+] Metadata


VersionInfo : File:             G:\testzone\Invoke-DLLClone\2021-08-24_204139\signed_powrprof.dll
              InternalName:     POWRPROF
              OriginalFilename: POWRPROF.DLL
              FileVersion:      10.0.19041.546 (WinBuild.160101.0800)
              FileDescription:  Power Profile Helper DLL
              Product:          Microsoft® Windows® Operating System
              ProductVersion:   10.0.19041.546
              Debug:            False
              Patched:          False
              PreRelease:       False
              PrivateBuild:     False
              SpecialBuild:     False
              Language:         English (United States)




[+] Digital Signature


SignatureType     : Authenticode
SignerCertificate : [Subject]
                      CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                    [Issuer]
                      CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                    [Serial Number]
                      330000026551AE1BBD005CBFBD000000000265

                    [Not Before]
                      3/4/2020 7:30:38 PM

                    [Not After]
                      3/3/2021 7:30:38 PM

                    [Thumbprint]
                      E168609353F30FF2373157B4EB8CD519D07A2BFF

Status            : HashMismatch



PS G:\testzone\Invoke-DLLClone>



More Repositories

1

LazySign

Create fake certs for binaries using windows binaries and the power of bat files
PowerShell
543
star
2

SharpZipRunner

Executes position independent shellcode from an encrypted zip
C#
300
star
3

SharpHandler

C#
181
star
4

AmsiHooker

Hookers are cooler than patches.
C#
167
star
5

GG-AESY

Hide cool stuff in images :)
C#
144
star
6

TrustJack

Yet another PoC for https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
C#
142
star
7

SharpNukeEventLog

nuke that event log using some epic dinvoke fu
C#
114
star
8

SharpLNKGen-UI

UI for creating LNKs
C#
96
star
9

SharpRDPDump

Create a minidump of TermService for clear text pw extraction
C#
87
star
10

Backdoorplz

adding a backdooruser using win32api
C++
79
star
11

Red-EC2

Spin up RedTeam infrastructure on AWS via Ansible
59
star
12

DeepSleep

all credits go to @mgeeky
C
58
star
13

CSharpReflectionWorkshop

The repository that complements the From zero to hero: creating a reflective loader in C# workshop
C#
37
star
14

Clippi-B

C#
34
star
15

FunWithServerless

Python
23
star
16

Emulation-Workshop

The repository accompanying the Buer Emulation workshop
C#
23
star
17

Ansible-EmpireSuite

ansible roles to download and install empire (BC-Security),deathstar(byt3bl33der) and starkiller (BC-Security)
23
star
18

CMDLL

the most basic DLL ever to pop a cmd.
C++
22
star
19

Red-Route53-Interactive

17
star
20

talks-cons

aggregated repo for all conferences and talks I am giving
C#
17
star
21

Ansible-Cobalt-Strike

An Ansible role to install cobalt-strike
16
star
22

SharpXOR

XOR crypt/decrypt using C#
C#
12
star
23

blogposts-talks-and-tidbits

all random stuff that dont warrant a seperate repo
C
12
star
24

Parsers

parsers to make life easier
Python
12
star
25

DRegHide

fun stuff with null bytes and dinvoke
C#
8
star
26

sharpbysentinel

lol firewall
C#
7
star
27

impacket-nomulti-adcs-shadowcreds

in case clients are annoying with enforcing signing :)
Python
7
star
28

SEC565-Tools

PowerShell
5
star
29

NerveGas

messing around with ETW in C#
C#
4
star
30

x33fcon-workshop

PowerShell
3
star
31

RegFetch

Interfaces with winsockets to fetch a txt file, parses the file and changes the registry accordingly
C++
2
star
32

BeFree

get rid of pesky registry restrictions.
PowerShell
2
star
33

Get-ServiceACL

courtesey of a gist I found on github
PowerShell
1
star