Remove API hooks from a Beacon process.

This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research:

https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software

To use:

Load unhook.cna into Cobalt Strike via Cobalt Strike -> Script Manager

Run 'unhook' from Beacon

Known issues:

Unhook refreshes "everything". If you're module stomping, this would include that module. The unhook alias does detect if module stomping is enabled and reports an error. Future improvements could limit which DLLs are refreshed to a list of high-interest DLLs or explicitly exclude our stomped module.

To build:

x86: Open Visual Studio x86 Native Tools Command Prompt and type 'make'
x64: Open Visual Studio x64 Cross Tools Command Prompt and type 'make'

This project is derived from:

Reflective DLL Injection
BSD 3-Clause License
Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
https://github.com/stephenfewer/ReflectiveDLLInjection

ReflectiveDLLRefresher
BSD 3-Clause License
Copyright (c) 2017, Cylance Inc.
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

Unhook Meterpreter Extension
BSD-3-Clause License
2006-2018, Rapid7, Inc.
https://github.com/rapid7/metasploit-payloads/commits/master/c/meterpreter/source/extensions/unhook
Owner
Raphael Mudge
Technical Director of Cybersecurity at HelpSystems. Big fan of mint chocolate chip icecream. Feral programmer.
Comments
  • Specify modules that should not be unhooked

    Hi,

    This PR adds functionality to specify modules that should not be unhooked to retain hooks introduced intentionally by our tooling, such as User-Defined Reflective Loader (ref. ElusiveMice) that wants to patch amsi.dll, wldp.dll in-memory.

    Launching unhook would restore our hooks, denying previous intentions. To fix that, this PR adds optional parameters to the unhook command that define modules to be skipped during unhooking.

    beacon> help unhook
    Synopsis: unhook [[skip-module1] [... [skip-moduleN]]]
    
    Attempt to remove hooks from all DLLs except from modules specified as optional parameters.
    Example use:
    	beacon> unhook amsi wldp
    will not unhook amsi.dll and wldp.dll that might have been intentionally patched by our tooling.
    

    Example run:

    beacon> unhook wldp amsi
    [*] Running unhook.
        Will skip these modules: wmp.dll, amsi.dll, wldp.dll
    [+] host called home, sent: 9475 bytes
    [+] received output:
    ntdll.dll            <.text>
    Unhook is done.
    

    Feel free to ignore changes introduced to make.bat. They include Visual Studio header paths, that possibly we might not want to be included in this repository's base.

    Regards, Mariusz.
