Beacon.dll reverse

Overview

beacon实现

最近闲来无事,正好WBGIII大佬逆向了beacon,我觉得站在巨人的肩膀上干事情比较快,索性就拿着beacon分析了一波,这次patch修源码,让其适配64位还是学到了不少东西的。

具体链接 https://github.com/WBGlIl/Beacon_re

建议先下载一份源码,对照着看,防止看不懂系列,文章内容会涉及较多源码内容。

(PS: 此代码无任何功能,只做了32位跟64位上线适配,shell.h为ida提取出来的c代码,需要修复才能使用,突然很多大佬star跟follow,搞得我很慌,只在原版WBGIII大佬基础上改动)

序言

这个逆向工程量有点大,我在逆向cmdshell的时候发觉代码量有点大,一晚上折腾下来有点坚持不下去了,不如分享出来,集齐大伙的思想,一起想办法逆向出来。或者直接重写cs的功能,这个设想我有了,可以参照gh0st的源码,c++写的,但是cs做了较多的异常处理以及权限判断等,需要分析下才能参照重写,有时间慢慢整吧,把这段时间的成果分享下。

目录结构

  • Project文件夹(可以直接编译运行的vs工程,替换global.cpp的shellcode即可,那里有64位跟32位shellcode设置)
  • reverse_things
    • beacon.x64.dll(原生dll)
    • beacon.x64.dll.i64(写了一些备注的ida文件)
    • x86的没咋弄

自行食用

下面进入正文吧。

调试teamserver端

因为要实现beacon.dll,必然要调试teamserver端,或者wireshark抓取数据包,这里我是选择的是调试teamserver端,在cobalt strike二开的基础上,修改build artifacts的主函数aggressor.Aggressor

image-20210801222051377

将其修改为server.TeamServer,再开启debug模式就是teamserver端了,在run界面部分添加参数

image-20210801222134791

VM options部分

-XX:ParallelGCThreads=4 -Xms512m -Xmx1024m -Dcobaltstrike.server_port=51000 -Djavax.net.ssl.keyStore=D:/CB_4.3/cobaltstrike.store -Djavax.net.ssl.keyStorePassword=Mannix123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC

Program arguments部分

192.168.1.103 123456

在BeaconC2.java此处下断点

image-20210801222326137

为的是截取数据包,meta data数据在此解密

实现beacon64

因为32位beacon已经实现收发包功能了,那么现在我需要做的是,实现64位beacon的收发包功能,其实32位跟64位差别不是很大,就是数据结构需要调整一下。

具体改动部分如下

image-20210801223051048

开头的tomcrypt库需要控制好版本差异

image-20210801222925957

在Beacon初始化的时候,结构体大小不同

image-20210801223018562

在生成C2配置文件的时候,偏移需要修改

image-20210801223135963

读取配置文件的部分也需要进行修改适配

image-20210801223209601

读取int时候的修改,这里看个人

image-20210801223249010

get_short同样修改

image-20210801223314673

rawData做好版本修改

image-20210801231140724

数据结构进行稍微调整

总共就这么点需要适配的地方,但很多都是通过调试得来的

流程分析

首先是xor解密,这个从二开cs可以知道,默认的配置是用0x2e异或加密的,而原生的beacon.dll有个AAAABBBB作为定位,在生成shellcode或者获取的时候,进行patch,总共大小0x1000字节。

Beacon_init函数,就是对配置进行解密,异或完成过后,通过循环读取,写入C2Config变量

image-20210801224040431

读取方式见下图

image-20210801225547826

这是xor解密过后的原生配置,分四块来说,

  1. 第一块为标记位,标志结束与否
  2. 第二块为data_type,类型判断,看是读取short,int,还是需要申请空间存放的字符串
  3. 第三块为data_size,在需要申请空间的时候,这里就作为大小了
  4. 第四块为写入内容,如果是short,int直接写入即可

特点:

  • 每次读两个字节
  • 每次循环分别至少需要读三次get_short

image-20210801230029178

解密完过后,这一大段都是进行数据的设置,设置User-Agent,Source我这里测试用的ip,ServerPort就是端口,还有时间,以及轮询方式的设置

image-20210801230059094

在这里需要重点关注的两个点就是这里,生成加密的metadata以及发送Metadata

image-20210801230312595

这里其实就是发送给服务端的数据了

image-20210801230531673

拿到原生数据先看一下,后面会拿rsa加密,这里的beef是标识头,作为服务端解密认证的一个标志,最后的是,上线的一个PC名称,以及进程名称,这里叫Beacon.exe

image-20210801230627294

rsa加密后的数据,这个调试teamserver的时候可以接受的这些数据进行查看

image-20210801230812661

我不一步步调试给你们看了,到最后会发觉,他会将meta数据打包成Cookie,在请求包中携带加密的cookie发送给服务端,服务端收到这个cookie后进行rsa解密

vs studio生成

(PS: 这段使用教程其实WBGIII大佬博客有讲,但我有个外国朋友看不懂中文的工具,这里发个英文工具图)

首先cobalt strike获取beacon.raw,winhex打开

image-20210820220720724

查找到这里,选择4096字节,复制到C source即可,替换

image-20210820220843500

64位替换64位的,32位替换32位的

这里我将代码进行了重构,直接就可以编译了

image-20210801231316206

64位

image-20210801231358070

总结

谢谢WBGIII大佬的分享,虽然代码有点乱,但是可能是直接逆向出来未经过整理就发布的,还是得感谢下大佬,以后的话,在原始的beacon上慢慢加功能,到时候替换到cs原生的beacon.dll,内存特征就比较容易去除了

Issues
  • Compiling NinjaSploit

    Compiling NinjaSploit

    Hi there. I read that you were able to successfully compile this repo - https://github.com/FSecureLABS/Ninjasploit

    I've been trying to compile it for around 3 days now with no success, using meterpreter repo, visual studio 13, etc.

    Could I please contact you over email somehow?

    My email is [email protected]

    Thanks :)

    opened by 0xAL3INO 1
  • Memory Address Issue on xor_decode (http_tool.h)

    Memory Address Issue on xor_decode (http_tool.h)

    Hey,

    I found that there is an address calculation issue happens on the xor_decode function will cause crash when beaconing.

    The code v11 = out[v8 + v9] ^ in[v8 & 3]; takes the sum of v8+v9 to locate the in array from out (as v9 = the address diff betw in and out). However, as v8 is unsigned, if v9 is a negative number (as no guarantee for out lies after in), the result address of v8+v9 will be overflow since it is converted to unsigned.

    To solve this, suggest: change the data definition of v8 to signed int, or use v11 = in[v8 + 4] ^ in[v8 & 3]; instead of v11 = out[v8 + v9] ^ in[v8 & 3];

    我在我的測試profile發現,xor_decode 函數中有從 out 反向計算出 in 的行為,但函數的v8是無符號int,和有符號int v9 相加會導致溢出,令Beacon崩潰。建議把 v8 換成 signed 或用 v11 = in[v8 + 4] ^ in[v8 & 3]; 代替。

    Elephacking

    opened by elephacking 1
Owner
LiHua
LiHua
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Bobby Cooke 86 Jun 15, 2022
Collection of DLL function export forwards for DLL export function proxying

dll-exports Collection of DLL function export forwards for DLL export function proxying. Typical usecase is for backdooring applications for persisten

Magnus Stubman 34 Jun 26, 2022
A method from GH on how to stream a dll without touching disk, TAGS: fortnite cheat fortnite injector dll injector

dll-encryptor People who make pay hacks typically have down syndrome and are incapable of using their brains in any fashion, and yet these bath salt s

Micca 2 Nov 24, 2021
Shared to msvcrt.dll or ucrtbase.dll and optimize the C/C++ application file size.

VC-LTL - An elegant way to compile lighter binaries. 简体中文 I would like to turn into a stone bridge, go through 500 years of wind, 500 years of Sun, ra

Chuyu Team 180 Jun 23, 2022
Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection.

Version-Hijack Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection. Usage

sneakyevil 5 Mar 31, 2022
DLL Hooker using DLL Redirection

DLLHooker DLL Hooker using DLL Redirection. Development Environment IDE: Visual Studio 2019 Demonstration References [1] https://www.exploit-db.com/do

Jack Ren 1 Jan 21, 2022
anthemtotheego 330 Jul 1, 2022
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory. Supports Parent Process ID (PPID) spoofing & blocking non-MS signed DLLs from loading into the processes memory (some EDR DLLs).

boku 329 Jun 27, 2022
Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r

anthemtotheego 110 Jun 27, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Chris Au 75 Jun 15, 2022
A Beacon Object File that creates a minidump of the LSASS process.

NanoDump A Beacon Object File that creates a minidump of the LSASS process. Features It uses syscalls (with SysWhispers2) for most operations You can

HelpSystems 846 Jun 30, 2022
Move CS beacon to GPU memory when sleeping

Blog post Tested on Windows 21H1, Visual Studio 2019 (v142) and an NVIDIA GTX860M. GPUSleep GPUSleep moves the beacon image to GPU memory before the b

ben 162 Jun 19, 2022
A BOF for enumerating version information for DLLs associated for a Beacon process.

DLL Image Resource Version Enumeration BOF What is this? This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC , mea

null 8 May 30, 2022
Collection of Beacon Object Files

Beacon Object Files Name Syntax ETW Patching etw stop / etw start API Function Utility read_function / check_function / patch_function <dll_path> <fun

null 387 Jun 27, 2022
This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike

BOF Template This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike. A Beacon Object File (B

Cobalt Strike 28 Jun 18, 2022
Beacon Object File allowing creation of Beacons in different sessions.

JumpSession_BOF This is a Beacon Object File allowing creation of Beacons in different sessions. Must be Elevated. This BOF was created on the heels o

null 44 Jun 27, 2022
Block Cipher Reverse Engineering: A Challenge by Nintendo European Research & Development

My algorithm cracks NERD HireMe for any output within 1 Second without Brute-Force! Read more if you want to find out how this was accomplished or execute this algorithm yourself on Wandbox - Online C++ Compiler

Alexander Töpfer 58 Nov 15, 2021
Powerful automated tool for reverse engineering Unity IL2CPP binaries

Powerful automated tool for reverse engineering Unity IL2CPP binaries

Katy 1.9k Jun 24, 2022
Resources gathered for reverse engineering the FNIRSI-1013D scope

# FNIRSI-1013D-Hack Resources gathered for reverse engineering the FNIRSI-1013D scope As part of what is on EEVBLOG, resources for the reverse engine

null 48 Jun 15, 2022