Inception: In-memory compilation and reflective loading of C# apps


Inception Framework

Inception provides in-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES-encrypted before transmission and decrypted in memory. The payload server ensures that a payload can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.

Inception has successfully bypassed a number of AV products. These tests were conducted on a fully patched, 64-bit Windows 10 host using Metasploit Meterpreter shellcode.

Product                                      Bypass Type
Cylance                                      32-bit shellcode injection
McAfee Endpoint Adaptive Threat Protection   64-bit shellcode injection
Sophos Intercept X                           64-bit shellcode injection
Symantec Endpoint 14                         64-bit shellcode injection
ESET Internet Security                       64-bit shellcode injection

@two06 is the primary author of this project.

Overview

Inception is comprised of three main components:

  • The payload builder (inception.py)
  • A payload server (server.py)
  • The “stager”, a .NET executable which must be launched on the victim machine.

Payloads are built using Inception.py. Currently, two payload types are supported:

  • Shellcode
  • Custom

These payload types are described in more detail below. Inception.py guides you through the payload creation process according to the menu options you select.

Payloads are served using a Flask app (server.py), which either serves the encrypted, pre-generated payload or issues a redirect to a specified URL. By default, payloads are use-once: a request for a payload that has already been retrieved, or for a non-existent payload, is answered with a redirect.
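From the defender's side, the serve-once-then-redirect behaviour described above is visible in web proxy logs: one request to a URL returns a body, and every later request to the same URL (from the same or another client) returns a redirect. The following is an added example, not Inception's own code; the log lines and their field layout (timestamp, client, method, URL, status, body bytes) are constructed for the example, and the 1024-byte minimum body size is an assumption.

```python
from collections import defaultdict

# Constructed proxy records, not real traffic: ts client method url status bytes.
# /p/8f3a is served once with a body, then answered only with redirects.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 10.0.0.5 GET http://203.0.113.10/p/8f3a 200 51234
2018-06-01T10:00:03Z 10.0.0.5 GET http://203.0.113.10/p/8f3a 302 0
2018-06-01T10:00:09Z 10.0.0.7 GET http://203.0.113.10/p/8f3a 302 0
2018-06-01T10:01:00Z 10.0.0.5 GET http://203.0.113.10/p/none 302 0
2018-06-01T10:02:00Z 10.0.0.5 GET http://www.example.com/index.html 200 2048
2018-06-01T10:02:05Z 10.0.0.5 GET http://www.example.com/index.html 200 2048
"""


def parse_proxy_log(text):
    """Parse the constructed 'ts client method url status bytes' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "status": int(status), "bytes": int(size)})
    return records


def use_once_urls(text, min_bytes=1024):
    """Return URLs that answered exactly one fetch with a body and every later
    fetch with a 3xx redirect, in order of first appearance.

    min_bytes (assumed threshold) skips tiny bodies such as empty pages."""
    by_url = defaultdict(list)
    for rec in parse_proxy_log(text):
        by_url[rec["url"]].append(rec)

    hits = []
    for url, recs in by_url.items():
        first, later = recs[0], recs[1:]
        if (first["status"] == 200 and first["bytes"] >= min_bytes
                and later and all(300 <= r["status"] < 400 for r in later)):
            hits.append({"url": url, "first_client": first["client"],
                         "bytes": first["bytes"], "later_requests": len(later)})
    return hits


if __name__ == "__main__":
    for hit in use_once_urls(SAMPLE_LOG):
        print(f"use-once URL {hit['url']}: first fetched by {hit['first_client']} "
              f"({hit['bytes']} bytes), then {hit['later_requests']} redirect(s)")
```

The URL that only ever redirected (a non-existent payload) and the page that served normally on every request are both left out; the one that served a body once and redirected afterwards is the pattern worth pulling into an investigation, together with the client that made the first fetch.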

The stager is a .NET application which fetches, decodes, compiles and executes the payload. It must be run on the victim machine. When built, the stager is large (~10MB).
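Because the stager compiles C# on the host with Roslyn, the process that runs it has to load the Roslyn assemblies (Microsoft.CodeAnalysis.dll and Microsoft.CodeAnalysis.CSharp.dll), which is also why the built stager is so large. Image-load telemetry therefore gives a host-side signal: Roslyn loading into anything other than known developer and build tooling. The following is an added example, not part of Inception; the records are constructed in the shape of Sysmon Event ID 7 (Image loaded) flattened to key=value fields, and the allowlist of expected compiler hosts is an assumption to be tuned per environment.

```python
import ntpath
from collections import defaultdict

# Roslyn assemblies a .NET process must load to compile C# at run time.
ROSLYN_DLLS = {"microsoft.codeanalysis.dll", "microsoft.codeanalysis.csharp.dll"}

# Processes that legitimately host the compiler. This allowlist is an assumption
# for the example; a real deployment tunes it to its own dev and build tooling.
EXPECTED_HOSTS = {"devenv.exe", "csc.exe", "vbcscompiler.exe", "msbuild.exe"}

# Constructed records resembling Sysmon Event ID 7 (Image loaded), flattened to
# 'key=value' fields separated by '|'. Not real telemetry.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Program Files\\Microsoft Visual Studio\\devenv.exe"
    "|ImageLoaded=C:\\Program Files\\Microsoft Visual Studio\\Microsoft.CodeAnalysis.dll",
    "EventID=7|Image=C:\\Users\\alice\\Downloads\\invoice.exe"
    "|ImageLoaded=C:\\Users\\alice\\Downloads\\Microsoft.CodeAnalysis.dll",
    "EventID=7|Image=C:\\Users\\alice\\Downloads\\invoice.exe"
    "|ImageLoaded=C:\\Users\\alice\\Downloads\\Microsoft.CodeAnalysis.CSharp.dll",
    "EventID=7|Image=C:\\Windows\\System32\\notepad.exe"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=1|Image=C:\\Users\\alice\\Downloads\\invoice.exe|CommandLine=invoice.exe",
]


def parse_event(line):
    """Turn one 'k=v|k=v' record into a dict; fields without '=' are skipped."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def roslyn_loads(lines):
    """Map each process image to the set of Roslyn DLLs it loaded."""
    loads = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        dll = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if dll in ROSLYN_DLLS:
            loads[ev.get("Image", "<unknown>")].add(dll)
    return loads


def unexpected_compiler_hosts(lines):
    """Return process images that load Roslyn but are not known compiler hosts."""
    return sorted(
        image for image in roslyn_loads(lines)
        if ntpath.basename(image).lower() not in EXPECTED_HOSTS
    )


if __name__ == "__main__":
    for image in unexpected_compiler_hosts(SAMPLE_EVENTS):
        print("runtime C# compilation in unexpected process:", image)
```

Only the image-load events are consulted, so the process-create record for the same binary does not affect the result; pairing the flagged image with its process-create and network events is the natural next pivot when triaging a hit.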

Download

git clone https://github.com/two06/Inception.git
pip install Flask Colorama

Use

Copyright (c) 2018 James Williams

Source: https://github.com/two06/