This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research:
https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software

To use:
Load unhook.cna into Cobalt Strike via Cobalt Strike -> Script Manager
Run 'unhook' from Beacon

Known issues:
Unhook refreshes "everything". If you're module stomping, this would include that module. The unhook alias does detect if module stomping is enabled and reports an error. Future improvements could limit which DLLs are refreshed to a list of high-interest DLLs or explicitly exclude our stomped module.

To build:
x86: Open Visual Studio x86 Native Tools Command Prompt and type 'make'
x64: Open Visual Studio x64 Cross Tools Command Prompt and type 'make'

This project derived from:

Reflective DLL Injection
BSD 3-Clause License
Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
https://github.com/stephenfewer/ReflectiveDLLInjection

ReflectiveDLLRefresher
BSD 3-Clause License
Copyright (c) 2017, Cylance Inc.
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

Unhook Meterpreter Extension
BSD-3-Clause License
2006-2018, Rapid7, Inc.
https://github.com/rapid7/metasploit-payloads/commits/master/c/meterpreter/source/extensions/unhook
Remove API hooks from a Beacon process.
Owner: Raphael Mudge
Comments
Specify modules that should not be unhooked
Hi,

This PR adds functionality to specify modules that should not be unhooked, to retain hooks introduced intentionally by our tooling, such as a User-Defined Reflective Loader (ref. ElusiveMice) that wants to patch amsi.dll and wldp.dll in-memory.

Having launched unhook would restore our hooks, denying previous intentions. To fix that, this PR adds optional parameters to the unhook command that define modules to be skipped during unhooking.

beacon> help unhook
Synopsis: unhook [[skip-module1] [... [skip-moduleN]]]
Attempt to remove hooks from all DLLs except from modules specified as optional parameters.
Example use:
beacon> unhook amsi wldp
will not unhook amsi.dll and wldp.dll that might have been intentionally patched by our tooling.

Example run:

beacon> unhook wldp amsi
[*] Running unhook. Will skip these modules: wmp.dll, amsi.dll, wldp.dll
[+] host called home, sent: 9475 bytes
[+] received output:
ntdll.dll <.text>
Unhook is done.

Feel free to ignore changes introduced to make.bat. They include Visual Studio header paths that we possibly might not want included in this repository's base.

Regards, Mariusz.