BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs

Overview

Self_Deletion_BOF

Why?

I didn't see that it currently existed (via the Community Kit) at the time of authorship.

How do I run this?

  1. You have two options:
    1. Use the existing, compiled object file, located in the dist directory (then proceed to major step two)
    2. Compile from source via the Makefile:
      1. cd src
      2. make clean
      3. make
  2. Load the Aggressor file, located in the dist directory, in the Script Manager
  3. Within a provided Beacon, run: beacon> self_delete

Any known downsides?

  • We're still using the Win32 API and Dynamic Function Resolution. How much "risk" that carries is for you to determine.
    • Most of these calls can be replaced with their Nt or Zw equivalents; stubs for most (if not all) of the relevant ones have already been generated for you in the syscalls.h header file.
      • I may replace these with the aforementioned at a later point, but as it stands, I just wanted this up and "out there" for people first and foremost.
      • As it stands, there is one 64-bit call to NtClose; if you wish, you can instead create the Dynamic Function Resolution prototype for CloseHandle in win32_api.h.

Comments
  • Make Error

    After running make clean, then trying to make the file, the following error occurs:

    In file included from main.c:9:
    headers/syscalls.h:72:16: error: redefinition of ‘struct MEM_EXTENDED_PARAMETER’
       72 | typedef struct MEM_EXTENDED_PARAMETER {
          |                ^~~~~~~~~~~~~~~~~~~~~~
    In file included from /usr/share/mingw-w64/include/minwindef.h:163,
                     from /usr/share/mingw-w64/include/windef.h:9,
                     from /usr/share/mingw-w64/include/windows.h:69,
                     from main.c:5:
    /usr/share/mingw-w64/include/winnt.h:4920:36: note: originally defined here
     4920 |   typedef struct DECLSPEC_ALIGN(8) MEM_EXTENDED_PARAMETER {
          |                                    ^~~~~~~~~~~~~~~~~~~~~~
    In file included from main.c:9:
    headers/syscalls.h:84:3: error: conflicting types for ‘MEM_EXTENDED_PARAMETER’
       84 | } MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;
          |   ^~~~~~~~~~~~~~~~~~~~~~
    In file included from /usr/share/mingw-w64/include/minwindef.h:163,
                     from /usr/share/mingw-w64/include/windef.h:9,
                     from /usr/share/mingw-w64/include/windows.h:69,
                     from main.c:5:
    /usr/share/mingw-w64/include/winnt.h:4932:5: note: previous declaration of ‘MEM_EXTENDED_PARAMETER’ was here
     4932 |   } MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;
          |     ^~~~~~~~~~~~~~~~~~~~~~
    In file included from main.c:9:
    headers/syscalls.h:84:28: error: conflicting types for ‘PMEM_EXTENDED_PARAMETER’
       84 | } MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;
          |                            ^~~~~~~~~~~~~~~~~~~~~~~
    In file included from /usr/share/mingw-w64/include/minwindef.h:163,
                     from /usr/share/mingw-w64/include/windef.h:9,
                     from /usr/share/mingw-w64/include/windows.h:69,
                     from main.c:5:
    /usr/share/mingw-w64/include/winnt.h:4932:30: note: previous declaration of ‘PMEM_EXTENDED_PARAMETER’ was here
     4932 |   } MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;
          |                              ^~~~~~~~~~~~~~~~~~~~~~~
    In file included from main.c:9:
    headers/syscalls.h: In function ‘SW2_PopulateSyscallList’:
    headers/syscalls.h:4188:48: warning: multi-character character constant [-Wmultichar]
     4188 |         if ((*(ULONG*)DllName | 0x20202020) != 'ldtn') continue;
          |                                                ^~~~~~
    headers/syscalls.h:4189:54: warning: multi-character character constant [-Wmultichar]
     4189 |         if ((*(ULONG*)(DllName + 4) | 0x20202020) == 'ld.l') break;
          |                                                      ^~~~~~
    headers/syscalls.h:4207:39: warning: multi-character character constant [-Wmultichar]
     4207 |         if (*(USHORT*)FunctionName == 'wZ')
          |                                       ^~~~
    headers/syscalls.h: At top level:
    headers/syscalls.h:12937:33: warning: backslash-newline at end of file
    12937 | __asm__("RtlCreateUserThread: \n\
          |
    make: *** [Makefile:5: all] Error 1

    opened by Ap3x 2
  • should we compile on windows?

    You cannot imagine the list of errors showing when compiling on Mac.

    Same as most BOFs on GitHub compiled with a mingw version higher than 8.0.1. I have version 9.

    Weird, any help? Thanks.

    question
    opened by fendi1989 2