Collection of Beacon Object Files

Beacon Object Files

Name and syntax of each BOF:

  • ETW Patching: etw stop / etw start
  • API Function Utility: read_function / check_function / patch_function <dll_path> <function_name>
  • Syscalls Shellcode Injection: syscalls_inject <PID> <listener_name> / syscalls_shinject <PID> <path_to_bin>
  • Spawn and Syscalls Shellcode Injection: syscalls_spawn <listener> / syscalls_shspawn <path_to_bin>
  • Spawn and Static Syscalls Shellcode Injection (NtQueueApcThread): static_syscalls_apc_spawn <listener> / static_syscalls_apc_shspawn <path_to_bin>
  • Static Syscalls Shellcode Injection (NtCreateThreadEx): static_syscalls_inject <PID> <listener_name> / static_syscalls_shinject <PID> <path_to_bin>
  • Static Syscalls Process Dump: static_syscalls_dump <PID> [path_to_output]
  • Curl: curl host [port] [method] [--show] [useragent] [headers] [body]

ETW Patching BOF

Simple Beacon object file to patch (and revert) the EtwEventWrite function in ntdll.dll to degrade ETW-based logging.

All credit goes to @xpn: https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/.

API Function Utility BOF

Beacon object file to:

  • Read the bytes of an API function in a loaded module.
  • Read the corresponding on-disk DLL and compare the function bytes to identify differences (e.g. EPP/EDR hooking).
  • Patch functions with the on-disk copy (i.e. API unhooking).

Credit goes to @spotheplanet for the DLL parsing technique: https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time
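The comparison described above (read a function's bytes from the loaded module, then compare them with the same function in the on-disk DLL) is also the check a defender runs to detect that a function such as EtwEventWrite has been hooked or patched. The Python below is an added example, not code from this repository or from any of the credited authors: it performs the byte comparison and a heuristic classification on constructed byte strings instead of reading ntdll.dll, and the names compare_function_bytes, classify, ignore_offsets and the sample prologues are all assumptions. A real implementation additionally has to locate the export in the mapped module, parse the on-disk PE to find the same bytes, and mask the bytes the loader legitimately rewrites (relocations); the ignore_offsets parameter stands in for that last step.

```python
# Added example (not the repository's code): defender-side prologue integrity
# check in the spirit of check_function. All byte strings are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

PROLOGUE_LEN = 16  # inline hooks and early-return patches land at the entry


@dataclass
class FunctionDiff:
    name: str
    mismatched_offsets: List[int] = field(default_factory=list)
    verdict: str = "clean"

    @property
    def differs(self) -> bool:
        return bool(self.mismatched_offsets)


def classify(in_memory: bytes, on_disk: bytes, mismatched: List[int]) -> str:
    """Heuristic label for why the in-memory prologue deviates from disk."""
    if not mismatched:
        return "clean"
    if mismatched[0] == 0 and in_memory[0] == 0xE9:
        return "inline hook: relative jmp at function entry"
    if mismatched[0] == 0 and in_memory[:2] == b"\xff\x25":
        return "inline hook: indirect jmp at function entry"
    # A ret within the first bytes that the on-disk copy does not have means
    # the body is bypassed entirely (the EtwEventWrite-style patch).
    ret_pos = in_memory.find(b"\xc3", 0, 4)
    if ret_pos != -1 and on_disk[ret_pos] != 0xC3:
        return "early-return patch: function body bypassed"
    return "modified: unclassified change in prologue"


def compare_function_bytes(name: str, in_memory: bytes, on_disk: bytes,
                           ignore_offsets: Iterable[int] = (),
                           prologue_len: int = PROLOGUE_LEN) -> FunctionDiff:
    """Compare the first prologue_len bytes; offsets in ignore_offsets are
    skipped (hypothetical stand-in for loader-rewritten relocation bytes)."""
    if len(in_memory) < prologue_len or len(on_disk) < prologue_len:
        raise ValueError(f"{name}: need at least {prologue_len} bytes per side")
    ignore = set(ignore_offsets)
    mismatched = [i for i in range(prologue_len)
                  if i not in ignore and in_memory[i] != on_disk[i]]
    return FunctionDiff(name, mismatched, classify(in_memory, on_disk, mismatched))


def scan(functions: Dict[str, Tuple[bytes, bytes]]) -> List[FunctionDiff]:
    """Run the check over name -> (in_memory, on_disk) and return findings only."""
    results = [compare_function_bytes(n, mem, disk) for n, (mem, disk) in functions.items()]
    return [r for r in results if r.differs]


# Constructed sample: a plausible x64 prologue as found in the on-disk DLL
# (sub rsp,0x28 / mov rax,[rip+disp] / test rax,rax / je / call ...).
ON_DISK_SAMPLE = bytes.fromhex("4883ec28 488b0511223344 4885c0 7405 e8aabbccdd")
CLEAN_SAMPLE = ON_DISK_SAMPLE
# jmp rel32 at the entry, as an inline userland hook would install.
HOOKED_SAMPLE = b"\xe9\x10\x20\x30\x40" + ON_DISK_SAMPLE[5:]
# xor rax,rax ; ret at the entry: the function returns success without logging.
PATCHED_SAMPLE = b"\x48\x33\xc0\xc3" + ON_DISK_SAMPLE[4:]
# Only an address operand differs (constructed stand-in for a loader rewrite).
RELOCATED_SAMPLE = ON_DISK_SAMPLE[:7] + b"\x99\x88\x77\x66" + ON_DISK_SAMPLE[11:]


if __name__ == "__main__":
    findings = scan({
        "EtwEventWrite (clean)": (CLEAN_SAMPLE, ON_DISK_SAMPLE),
        "EtwEventWrite (hooked)": (HOOKED_SAMPLE, ON_DISK_SAMPLE),
        "EtwEventWrite (patched)": (PATCHED_SAMPLE, ON_DISK_SAMPLE),
    })
    for f in findings:
        print(f"{f.name}: offsets {f.mismatched_offsets} -> {f.verdict}")
    # Masking the rewritten operand keeps the relocation case from alerting.
    r = compare_function_bytes("EtwEventWrite (relocated)", RELOCATED_SAMPLE,
                               ON_DISK_SAMPLE, ignore_offsets=range(7, 11))
    print(f"{r.name}: {r.verdict}")
```

The heuristic labels are deliberately coarse: the reliable signal for monitoring is any mismatch outside the masked offsets, and the label only helps triage. Comparing against the on-disk copy also assumes the file on disk is itself untampered, so pairing this check with file hash verification is the usual design.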

Syscalls Shellcode Injection BOF (64-bit only)

Beacon object file to:

Credit also to @tomcarver16 for their DLL inject BOF and aggressor script (https://github.com/tomcarver16/BOF-DLL-Inject)

Spawn with Syscalls Shellcode Injection BOF (64-bit only)

Same syscalls injection process as Syscalls Shellcode Injection (above), but uses BeaconSpawnTemporaryProcess to create the target process.

Spawn with Syscalls Shellcode Injection (NtMapViewOfSection -> NtQueueApcThread) BOF (64-bit only)

Injection chain: NtCreateSection -> NtMapViewOfSection -> NtQueueApcThread -> NtResumeThread. Uses BeaconSpawnTemporaryProcess to create the target process.

Syscalls generated using @jthuraisamy's SysWhispers2, @FalconForce's SysWhispers2BOF and @Outflanknl's InlineWhispers.

Code adapted from @peperunas's injectopi.

Static Syscalls Shellcode Injection BOF (64-bit only)

Beacon object file to:

  • Inject shellcode (either custom or beacon) into a remote process using NtOpenProcess -> NtAllocateVirtualMemory -> NtWriteVirtualMemory -> NtCreateThreadEx.

Same injection process as above, but using static syscalls rather than stubs fetched from ntdll.

Syscalls generated using @jthuraisamy's SysWhispers2, @FalconForce's SysWhispers2BOF and @Outflanknl's InlineWhispers.

Static Syscalls Process Dump BOF (64-bit only)

Beacon object file to:

  • Unhook the NtReadVirtualMemory function.
  • Create a process memory dump using the MiniDumpWriteDump function, written to the specified (or default) location.

Syscalls generated using @jthuraisamy's SysWhispers2, @FalconForce's SysWhispers2BOF and @Outflanknl's InlineWhispers.

This is effectively a rough port of @Outflank's Dumpert tool. All credit to them for that.

Simple Web Utility BOF (Curl)

Beacon object file and associated aggressor script to make simple web requests without establishing a SOCKS proxy. An example use case is confirming outbound access to a specific service before deploying a relay from F-Secure's C3.

Comments
  • Question About smss.exe and csrss.exe

    Hello, I would like to know what it would take to make this work in smss.exe and csrss.exe?

    First I disabled Light (WinTcb) and critical process, then I used StaticSyscallsInject in smss.exe and the process just died...

    In csrss.exe I did the same thing, but instead of the process dying, the CPU sits at 50% without stopping in the csrss.exe process, and no shell in Cobalt Strike...

    In other words, normal migration doesn't work and neither do syscalls. Do you have any ideas?

  • Allow APC spawn to use alternate credentials

    Added BOFs/StaticSyscallsAPCUserSpawn/

    Modified the .cna and entry.c slightly to accommodate CreateProcessWithLogonW. Thought it would be cool to emulate the native spawnas functionality, but use the direct syscalls for the injection.

    Rather than adding onto the existing apc_spawn, I created separate static_syscalls_apc_user_spawn/shspawn, so the syntax doesn't become too cumbersome with the original. Let me know what you think.

    No changes to Syscalls.h/beacon.h from the original.
