Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes

HalosGate Processlist Cobalt Strike BOF

Cobalt Strike Beacon Object File (BOF) that uses a custom HalosGate & HellsGate syscaller, written in assembly, to return a list of processes.

Gets the process list using direct system calls via HalosGate/HellsGate

  • If no EDR hooks are detected, the BOF simply falls back to plain HellsGate

Verbose mode (-v) prints the resolved memory addresses to the Cobalt Strike console for debugging

Compile with x64 MinGW (currently only tested compiling from macOS):

x86_64-w64-mingw32-gcc -c halosgate-ps.x64.c -o halosgate-ps.x64.o -masm=intel

Run from Cobalt Strike Beacon Console

  • After compiling, import the halosgate-ps.cna script into Cobalt Strike's Script Manager
beacon> halosgate-ps

To Do List

  • Free the allocated memory / fix memory leaks
  • Figure out a way to suppress the "[+] received output:" messages in the Cobalt Strike console
  • Obfuscate the strings that are used for resolving the addresses of the NTDLL symbols
    • Or use hashing
  • Build on this to make a series of BOFs that use this HalosGate/HellsGate syscaller to perform direct system calls
  • Clean up the assembly functions

Usage

beacon> halosgate-ps
[*] HalosGate Processlist BOF (Author: Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[*]               Credits to: @SEKTOR7net @zodiacon @smelly__vx @am0nsec
[+] host called home, sent: 3232 bytes
   PID    PPID    Name
   ---    ----    ----
     0       0    (null)
     4       0    System
    92       4    Registry
   312       4    smss.exe
   436     424    csrss.exe
   512     424    wininit.exe
   532     504    csrss.exe
   624     504    winlogon.exe
   648     512    services.exe
   692     512    lsass.exe
   ...

Credits / References

  • Reenz0h from @SEKTOR7net (creator of the HalosGate technique)
  • @smelly__vx & @am0nsec (creators/publishers of the Hell's Gate technique)
  • Pavel Yosifovich (@zodiacon)
  • OutFlank - Direct Syscalls in Beacon Object Files
  • Raphael Mudge - Beacon Object Files - Luser Demo
  • Cobalt Strike - Beacon Object Files

BOF Code References

  • anthemtotheego/InlineExecute-Assembly
  • ajpc500/BOFs
  • trustedsec/CS-Situational-Awareness-BOF

Owner

Bobby Cooke (SpiderLabs | OSWE | eWPTX | OSCE | eCXD | OSCP | SLAE32|64)