DLL Exports Extraction BOF with optional NTFS transactions.

Overview

DLL Exports Extraction BOF

What is this?

  • This is a Cobalt Strike BOF file, meant to use two or three arguments (the path to the DLL, and optionally a third argument [all | fancy])
  • If a third argument is supplied:
    • all extracts the values and creates a string representation of a valid .DEF file for the provided DLL
    • fancy uses the work of @anthemtotheego to create an NTFS transaction that provides a memory-residing copy of the corresponding data, which is then synchronized to your Cobalt Strike downloads view.

What problem are you trying to solve?

  1. During recent conversations with colleagues about DLL-based attacks (sideloading, proxying, insert-vector-here), it came to my attention that there are certain instances in which having the exact path to the true DLL that requests are offloaded to is necessary.
  2. I wanted to support both 32-bit AND 64-bit executable images.
  3. I wanted the Base to be represented properly, as not all ordinal base values begin at 1. I wanted the values to be accurate.
  4. I wanted an operator to understand how many functions in total are exported from a given executable, so they can make a better determination of whether to download a copy, send the output of this application to the Beacon console, or download an "in memory" variant of the contents.
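As an added example (not code from this repository), a Python parser that walks the export directory of an on-disk PE32 or PE32+ image the way items 2 to 4 above describe: it maps RVAs through the section table, applies the real ordinal Base instead of assuming 1, skips empty function slots when counting, resolves forwarder entries (the "true DLL" a proxy hands requests to), and renders a .DEF string. The image it parses is constructed inline; demo.dll, Alpha, Beta and real.Beta are made-up names.

```python
import struct

def rva_to_off(data, pe, rva):  # section table maps an RVA to a file offset (on-disk image, not a loaded module)
    nsec, opt = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, pe + 24 + opt + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x outside every section" % rva)

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def parse_exports(data):
    """Return (dll name, ordinal base, [(ordinal, name|None, rva, forwarder|None)]) for PE32 or PE32+."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]                   # 0x10B = PE32, 0x20B = PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, pe + 24 + {0x10B: 96, 0x20B: 112}[magic])
    e = rva_to_off(data, pe, exp_rva)
    name_rva, base, nfunc, nname, af, an, ao = struct.unpack_from("<7I", data, e + 12)
    funcs = struct.unpack_from("<%dI" % nfunc, data, rva_to_off(data, pe, af))
    names = struct.unpack_from("<%dI" % nname, data, rva_to_off(data, pe, an))
    idx = struct.unpack_from("<%dH" % nname, data, rva_to_off(data, pe, ao))
    by_index = {i: cstr(data, rva_to_off(data, pe, n)) for n, i in zip(names, idx)}
    exports = []
    for i, addr in enumerate(funcs):                                      # ordinal = Base + table index
        if addr:                                                          # a zero slot is not an export
            fwd = cstr(data, rva_to_off(data, pe, addr)) if exp_rva <= addr < exp_rva + exp_size else None
            exports.append((base + i, by_index.get(i), addr, fwd))
    return cstr(data, rva_to_off(data, pe, name_rva)), base, exports

def def_file(dll, exports):  # module-definition text, in the spirit of the 'all' mode described above
    lines = ["LIBRARY %s" % dll.rsplit(".", 1)[0], "EXPORTS"]
    for ordinal, name, _, fwd in exports:
        sym = (name or "ord%d" % ordinal) + ("=" + fwd if fwd else "")
        lines.append("    %s @%d%s" % (sym, ordinal, "" if name else " NONAME"))
    return "\n".join(lines)

def build_demo_dll():  # constructed PE32+ test image, not a real DLL: one section, Base 5, three slots
    hdr, sec = bytearray(0x200), bytearray(0x200)
    struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0, 0, 0, 0x1040, 5, 3, 2, 0x1028, 0x1034, 0x103C)
    struct.pack_into("<III", sec, 0x28, 0x2000, 0x1054, 0)     # ord 5 code, ord 6 forwarder, ord 7 unused
    struct.pack_into("<IIHH", sec, 0x34, 0x1049, 0x104F, 0, 1)  # name string RVAs, then name -> index
    sec[0x40:0x5E] = b"demo.dll\0Alpha\0Beta\0real.Beta\0"
    hdr[0:2], hdr[0x3C:0x40], hdr[0x40:0x44] = b"MZ", (0x40).to_bytes(4, "little"), b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF header, 1 section
    struct.pack_into("<H", hdr, 0x58, 0x20B)                                  # PE32+ magic
    struct.pack_into("<II", hdr, 0x58 + 112, 0x1000, 0x60)                    # export data directory
    struct.pack_into("<8sIIII", hdr, 0x148, b".edata", 0x60, 0x1000, 0x200, 0x200)
    return bytes(hdr + sec)
```

Running parse_exports on the constructed image reports two exports starting at ordinal 5 (the unused third slot is not counted), with Beta resolved to its forwarder target.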

How do I build this?

  1. In this case, you have two options:
    1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
    2. Compile from source via the Makefile
      1. cd src
      2. make clean
      3. make
  2. Load the Aggressor file, in the Script Manager, located in the dist directory

How do I use this?

  • From a given Beacon:

Any known downsides?

  • We're still using the Win32 API and Dynamic Function Resolution. Whether that is acceptable "risk" is for you to determine.
  • You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.
  • There are absolutely bugs in this code; fixes may or may not come down in the future. I wrote this as a PoC. JohnLaTwC is my hero.

What does the output look like?

Standard (Number-total only output):

Verbose (All data sent to beacon console):

Transactional NTFS Download of File:
