A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles.

Overview

FindObjects-BOF

What is this repository for?

  • Use direct system calls within Beacon Object Files to enumerate processes for specific loaded modules (e.g. winhttp.dll, amsi.dll or clr.dll).
  • Use direct system calls within Beacon Object Files to enumerate processes for specific process handles (e.g. a handle to lsass.exe).
  • Avoid the Win32 and Native API exports as much as possible, since that is where userland hooks are placed.
  • Execute this code within the Beacon process using Beacon Object Files, avoiding fork & run.

Why do I need this?

Utilizing direct system calls via inline assembly in BOF code is a more opsec-safe way of interacting with the system: the syscall instruction is issued from the BOF's own code, so the user-mode API hooks that AV/EDR products place on the Win32 and ntdll.dll exports never see the call. Note that this only sidesteps user-mode hooking; kernel-side telemetry (object callbacks, ETW providers) still observes the resulting operations.

  • The FindModule BOF can be used to identify processes which have a certain module loaded, for example the .NET runtime clr.dll or the winhttp.dll module. This information can be used to select an opsec-safer spawnto candidate for Cobalt Strike's execute-assembly (a process that already has clr.dll loaded does not suddenly gain the CLR), or before injecting an exfil beacon's shellcode with the shinject command.


  • The FindProcHandle BOF can be used to identify processes holding a handle to a specific process, for example processes with an open handle to lsass.exe. If such a process exists, the existing handle can be duplicated and reused to read or write LSASS memory without opening a new process handle to lsass.exe ourselves. This bypasses AV/EDR logic that triggers on new handle-open operations against LSASS; note that duplicating a handle is still visible to kernel object callbacks (ObRegisterCallbacks fires for duplicate operations as well), so it does not hide the access from every product.


How do I set this up?

We do not supply compiled binaries; you will have to build them yourself:

  • Clone this repository.
  • Make sure the Mingw-w64 compiler is installed. On macOS, for example, MacPorts provides it (sudo port install mingw-w64).
  • Run make to compile the Beacon Object File.
  • Within Cobalt Strike use the Script Manager to load the FindObjects.cna script.
  • Within a Cobalt Strike Beacon context use the FindProcHandle or FindModule command with its required parameter (a process name for FindProcHandle, a module name for FindModule).
Owner
Outflank B.V.
Clear advice with a hacker mindset. Red Teaming - Digital Attack Simulation - Incident Detection and Response
Beacon Object File (BOF) for remote process injection via thread hijacking

cThreadHijack

Connor McGarr 137 Jun 15, 2022
Section Mapping Process Injection (secinject): Cobalt Strike BOF

Section Mapping Process Injection (secinject): Cobalt Strike BOF Beacon Object File (BOF) that leverages Native APIs to achieve process injection thro

null 69 Jun 23, 2022
Cobalt Strike BOF Files with Nim!

BOF-Nim oh yeah baby I have an inkling it's possible, right now the problem seems to be getting the go function to be present in the Symbol table. No

byt3bl33d3r 59 Jun 22, 2022
SPAWN - Cobalt Strike BOF

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

Bobby Cooke 329 Jun 27, 2022
The libxo library allows an application to generate text, XML, JSON, and HTML output using a common set of function calls. The application decides at run time which output style should be produced.

libxo libxo - A Library for Generating Text, XML, JSON, and HTML Output The libxo library allows an application to generate text, XML, JSON, and HTML

Juniper Networks 240 Jun 13, 2022
x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks

ASM HalosGate Direct System Caller Assembly HalosGate implementation that directly calls Windows System Calls, evades EDR User Land hooks, and display

Bobby Cooke 113 Jun 23, 2022
A simple YAML parser which produces a Node Tree Object representation of YAML Documents

A simple YAML parser which produces a Node Tree Object representation of YAML Documents and includes a find method to locate individual Nodes within the parsed Node Tree.

Timothy Rule 1 Oct 17, 2021
VMPImportFixer is a tool aimed to resolve import calls in a VMProtect'd (3.x) binary.

VMPImportFixer VMPImportFixer is a tool aimed to resolve import calls in a VMProtect'd (3.x) binary. Information VMPImportFixer attempts to resolve al

null 240 Jun 24, 2022
[WIP] A Riru module tries to enable Magisk hide for isolated processes.

Riru-IsolatedMagiskHider Background Many applications now detect Magisk for security, Magisk provided "Magisk Hide" to prevent detection, but isolated

残页 490 Jun 23, 2022
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

hasherezade 1.4k Jun 24, 2022
Manage (Windows) processes from Garry's Mod.

gm_proc Manage (Windows) processes from Garry's Mod. Usage (success: bool, pid: number) Process.Start(path: string, parameters?: string, working_direc

Earu 4 Apr 20, 2022
LibOS is a modern C++17 library that makes OS-specific features cross-platform.

LibOS is a modern C++17 library that makes OS-specific features cross-platform. Ever tried to get Windows version after Windows 8? Or to send ke

Gavrilikhin Daniil 27 Jun 15, 2022
Example library and blog that explain how JSI modules are built from scratch in React Native

react-native-simple-jsi This is an example library that explains how anyone can build jsi modules from scratch in React Native. This code is written a

Ammar Ahmed 104 Jun 18, 2022
A tool for generating build scripts for C++20 projects that use modules.

cpp_module_parser [cmop] A tool for generating build scripts for C++20 projects that use modules. The intent is to provide a backend for premake, for

Alexander Christensen 2 Nov 23, 2021
A basic A* implementation showing how to use C++20 modules alongside UWP and C++/WinRT.

Introduction This is a port from an old application that was originally written in a mix of C++14, Java and C++/CX. Originally the goal was to use a simp

null 9 Mar 2, 2022
convert elf file to single c/c++ header file

elf-to-c-header Split ELF to single C/C++ header file

Musa Ünal 2 Nov 4, 2021
You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery

YOLT You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery As of 24 October 2018 YOLT has been superseded by SIMRDWN YOLT is an

CosmiQ Works 595 Jun 20, 2022
Small header-only C++ library that helps to initialize Vulkan instance and device object

Vulkan Extensions & Features Help, or VkExtensionsFeaturesHelp, is a small, header-only, C++ library for developers who use Vulkan API.

Adam Sawicki 10 Apr 13, 2022
Locate the current executable and the current module/library on the file system

Where Am I? A drop-in two files library to locate the current executable and the current module on the file system. Supported platforms: Windows Linux

Gregory Pakosz 357 Jun 25, 2022