CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Cobalt Strike BOF - Inject ETW Bypass

Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Running InjectEtwBypass BOF from CobaltStrike to Bypass ETW in Notepad.exe

Compile with x64 MinGW:

cat compile.sh
x86_64-w64-mingw32-gcc -m64 -mwindows -c injectEtwBypass.c -o injectEtwBypass.o \
-masm=intel -Wall -fno-asynchronous-unwind-tables -nostdlib -fno-ident -Wl,-Tlinker.ld,--no-seh
bash compile.sh

Run from Cobalt Strike Beacon Console

  • After compiling injectEtwBypass.o, load the injectEtwBypass.cna script into Cobalt Strikes via the Script Manager
  • Once loaded into Cobalt Strike, you can use the command from the interactive beacon console:
beacon> help
injectEtwBypass - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
beacon> help injectEtwBypass
Synopsis: injectEtwBypass PID
beacon> injectEtwBypass 8968
[*] Inject ETW Bypass (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[+] host called home, sent: 2336 bytes
[+] received output:
Injecting NTDLL.EtwEventWrite bypass in remote process: 8968 (PID)

Credits / References

ETW Bypass Massive Credits to Adam Chester (@_xpn_) of TrustedSec

Creating Shellcode BOFs with C Chetan Nayak (@NinjaParanoid)

HalosGate SysCaller

HellsGate Syscaller

Process Injection - Pavel Yosifovich (@zodiacon)

BOF Helpers

Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF

Great Resource for learning Intel ASM - Vivek Ramachandran (@vivekramac)

Implementing ASM in C Code with GCC

Owner
Bobby Cooke
SpiderLabs | OSWE | eWPTX | OSCE | eCXD | OSCP | SLAE32|64
Bobby Cooke
Similar Resources

ScriptHook Bypass For Fivem / bypass hardware ID For nvdia only

ScriptHook Bypass For Fivem / bypass hardware ID For nvdia only

Fivem-Bypass ScriptHook Bypass For Fivem / bypass hardware ID For nvdia only Not Working? Run as admin and disable your antivirus. How to use 1. Put y

Nov 24, 2022

Code Injection, Inject malicious payload via pagetables pml4.

Code Injection, Inject malicious payload via pagetables pml4.

PageTableInjection Code Injection, Inject malicious payload via pagetables pml4. Introduction This is just a proof-of-concept of the page table inject

Nov 21, 2022

Inject dll to explorer.exe and hide file from process.

Hide-FS Inject dll to explorer.exe and hide file from process. Requierments: Microsoft Detours Library - https://github.com/microsoft/Detours Compile:

Nov 9, 2022

Inject a DLL into any program using this C++ program

DLL-Injection-Cpp Inject a DLL into any process using this C++ program Installation Go into a folder and open up Command Prompt. In command prompt run

Sep 12, 2022

(FIXED) Since the one on github didn't work. (ALSO INCLUDES .DLL SO YOU CAN JUST INJECT INTO FORTNITE)

(FIXED) Since the one on github didn't work. (ALSO INCLUDES .DLL SO YOU CAN JUST INJECT INTO FORTNITE)

Marathon-Fortnite-Cheat-Fix-Leak Fortnite Marathon Cheat v18.20 FIXED [Leak] Getting started Open .sln with Visual Studio 2019 Compile batch build to

Dec 13, 2021

Jaws is an invisible programming language! Inject invisible code into other languages and files! Created for security research -- see blog post

Jaws is an invisible programming language! Inject invisible code into other languages and files! Created for security research -- see blog post

Jaws is an invisible interpreted programming language that was created for antivirus research. Since Jaws code is composed entirely of whitespace char

Oct 17, 2022

Bypass Roblox's Trustcheck via the JNZ address of it

Bypass Roblox's Trustcheck via the JNZ address of it

What is a Trustcheck? Roblox has a check to see if the URL that was inputted is trusted by them or not, this can be bypassed via 2 options. You can ei

Sep 25, 2022

Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider

Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider

Sealighter-TI Combining Sealighter with unpatched exploits and PPLDump to run the Microsoft-Windows-Threat-Intelligence ETW Provider without a signed

Nov 17, 2022

TiEtwAgent - PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

TiEtwAgent - PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

TiEtwAgent - ETW-based process injection detection This project was created to research, build and test different memory injection detection use cases

Nov 20, 2022
Comments
  • Fixed the compilation warning and added a success message

    Fixed the compilation warning and added a success message

    • Disabled the -Wint-to-pointer-cast warning in injectEtwBypass.c
    • Added a success message if the compilation was successful in compile.sh
    • Going to buy a beer pack for your awesome project
Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.
Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Cobalt Strike BOF - Inject AMSI Bypass Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. Running inje

Nov 15, 2022
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Nov 12, 2022
Automatically inject a DLL into the selected process with VAC3 bypass.
Automatically inject a DLL into the selected process with VAC3 bypass.

FTP LOADER Automatically inject a DLL into the selected process with VAC3 bypass. This will only, most likely, work only with source engine games in s

Aug 26, 2021
Hellsgate + Halosgate/Tartarosgate. Ensures that all systemcalls go through ntdll.dll

RecycledGate This is just another implementation of Hellsgate + Halosgate/Tartarusgate. However, this implementation makes sure that all system calls

Nov 16, 2022
Inject code into remote python process.

python-inject Inject code into remote python process. Table of Contents About The Project Built With Getting Started Prerequisites Installation Usage

Jan 10, 2022
CredBandit - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel

CredBandit CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process a

Nov 22, 2022
EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3]
 EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3]

EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3] note that i dont claim that the idea is mine, this repo is probably

Oct 29, 2022
POC tool to convert CobaltStrike BOF files to raw shellcode

BOF2Shellcode POC tool to convert a Cobalt Strike BOF into raw shellcode. Introduction This code was written as part of a blog tutorial on how to conv

Nov 15, 2022
Inject .NET assemblies into an existing process
Inject .NET assemblies into an existing process

inject-assembly - Execute .NET in an Existing Process This tool is an alternative to traditional fork and run execution for Cobalt Strike. The loader

Nov 15, 2022
Full VAC Bypass. Inject detected cheats and not get VAC banned.

VAC-Bypass Full VAC Bypass Run steam as administrator, this is so that steamservice.exe isn't loaded, instead the steamservice.dll (VAC) is loaded int

Nov 13, 2022