QoL update

KIT/FindDotnet/README.md

@@ -1,11 +0,0 @@
-# FindDotnet
-Find processes that most likely have .NET loaded by searching for the section name: `\BaseNamedObjects\Cor_Private_IPCBlock(_v4)_<ProcessId>`
-
-## Usage
-* `finddotnet`
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindDotnet/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindDotnet/bofcompile.bat

@@ -1,4 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc finddotnet.c
-move /y finddotnet.obj finddotnet.o

KIT/FindDotnet/finddotnet.c

@@ -1,163 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include <psapi.h>
-#include <shlwapi.h>
-#include <strsafe.h>
-#include <winternl.h>
-#include "beacon.h"
-#include "finddotnet.h"
-
-#pragma comment(lib, "ntdll.lib")
-#pragma comment(lib, "User32.lib")
-#pragma comment(lib, "Shlwapi.lib")
-
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-
-BOOL FindDotNet() {
-	int p = 0;
-	int pid = 0;
-	char psPath[MAX_PATH];
-	HANDLE currentProc = NULL;
-	UNICODE_STRING sectionName = { 0 };
-	WCHAR ProcNumber[30];
-	OBJECT_ATTRIBUTES objectAttributes;
-	BOOL dotNetFound = FALSE;
-	LPCSTR procName;
-	//WCHAR WCprocName[256];
-	
-	NtGetNextProcess_t pNtGetNextProcess = (NtGetNextProcess_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtGetNextProcess");
-	NtOpenSection_t pNtOpenSection = (NtOpenSection_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtOpenSection");
-	if (pNtGetNextProcess == NULL || pNtOpenSection == NULL) {
-		BeaconPrintf(CALLBACK_ERROR, "Error resolving native API calls!\n");
-		return -1;		
-	}
-	
-	WCHAR objPath[] = L"\\BaseNamedObjects\\Cor_Private_IPCBlock_v4_";
-	sectionName.Buffer = (PWSTR)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, 500);
-
-	internal_printf("\nProcess name\t\t\t\t\t\tPID\n");
-	internal_printf("=====================================================================\n");
-
-	while (!pNtGetNextProcess(currentProc, MAXIMUM_ALLOWED, 0, 0, &currentProc)) {
-		
-		pid = KERNEL32$GetProcessId(currentProc);
-		if (pid == 0) continue;		
-
-		USER32$wsprintfW(ProcNumber, L"%d", pid);
-
-		MSVCRT$memset(sectionName.Buffer, 0, 500);
-		MSVCRT$memcpy(sectionName.Buffer, objPath, MSVCRT$wcslen(objPath) * 2);   // add section name "prefix"
-		KERNEL32$lstrcatW(sectionName.Buffer, ProcNumber);
-		sectionName.Length = MSVCRT$wcslen(sectionName.Buffer) * 2;		// finally, adjust the string size
-		sectionName.MaximumLength = sectionName.Length + 1;		
-	
-		InitializeObjectAttributes(&objectAttributes, &sectionName, OBJ_CASE_INSENSITIVE, NULL, NULL);
-
-		HANDLE sectionHandle = NULL;		
-		NTSTATUS status = pNtOpenSection(&sectionHandle, SECTION_QUERY, &objectAttributes);
-		
-		if (NT_SUCCESS(status)) {
-			KERNEL32$CloseHandle(sectionHandle);
-			
-			KERNEL32$K32GetProcessImageFileNameA(currentProc, psPath, MAX_PATH);
-			procName = SHLWAPI$PathFindFileNameA(psPath);
-			
-			//KERNEL32$MultiByteToWideChar(CP_ACP, 0, procName, -1, WCprocName, 256);
-			internal_printf("%-60s\t%d\n", procName, pid);
-			
-			dotNetFound = TRUE;
-		}
-	}
-	
-	return dotNetFound;
-}
-
-
-int go(void) {
-	BOOL res = NULL;
-	
-	if(!bofstart()) return;
-	
-	res = FindDotNet();
-	if(!res) {
-		BeaconPrintf(CALLBACK_ERROR, "No .NET process found!");
-	}
-	else {
-		printoutput(TRUE);
-	}
-
-	return 0;
-}
-

KIT/FindDotnet/finddotnet.cna

@@ -1,22 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-    "finddotnet", "Find processes that most likely have .NET loaded.",
-    "INFO:\nFind processes that most likely have .NET loaded by searching for the section name: \BaseNamedObjects\Cor_Private_IPCBlock(_v4)_<ProcessId>\n\n" .
-    "USAGE:\nfinddotnet\n\n");
-
-
-alias finddotnet {
-    $bid = $1;
-	
-    # Read in the right BOF file
-    $handle = openf(script_resource("finddotnet.o"));
-    $data   = readb($handle, -1);
-    closef($handle);
-
-    blog($bid, "Tasked to search for processes that have .NET loaded..");
-
-    beacon_inline_execute($bid, $data, "go", $null);
-}
-
-

KIT/FindDotnet/finddotnet.disasm

@@ -1,438 +0,0 @@
-Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
-Copyright (C) Microsoft Corporation.  All rights reserved.
-
-
-Dump of file finddotnet.o
-
-File Type: COFF OBJECT
-
-BeaconPrintToStreamW:
-  0000000000000000: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
-  0000000000000005: 48 89 54 24 10     mov         qword ptr [rsp+10h],rdx
-  000000000000000A: 4C 89 44 24 18     mov         qword ptr [rsp+18h],r8
-  000000000000000F: 4C 89 4C 24 20     mov         qword ptr [rsp+20h],r9
-  0000000000000014: 48 83 EC 58        sub         rsp,58h
-  0000000000000018: C7 44 24 30 01 00  mov         dword ptr [rsp+30h],1
-                    00 00
-  0000000000000020: C7 44 24 34 00 00  mov         dword ptr [rsp+34h],0
-                    00 00
-  0000000000000028: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],1
-                    00 01
-  0000000000000030: 77 28              ja          000000000000005A
-  0000000000000032: 4C 8D 05 00 00 00  lea         r8,[g_lpStream]
-                    00
-  0000000000000039: BA 01 00 00 00     mov         edx,1
-  000000000000003E: 33 C9              xor         ecx,ecx
-  0000000000000040: FF 15 00 00 00 00  call        qword ptr [__imp_OLE32$CreateStreamOnHGlobal]
-  0000000000000046: 89 44 24 30        mov         dword ptr [rsp+30h],eax
-  000000000000004A: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
-  000000000000004F: 7D 09              jge         000000000000005A
-  0000000000000051: 8B 44 24 30        mov         eax,dword ptr [rsp+30h]
-  0000000000000055: E9 01 01 00 00     jmp         000000000000015B
-  000000000000005A: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],1
-                    00 01
-  0000000000000062: 77 2E              ja          0000000000000092
-  0000000000000064: BA 02 00 00 00     mov         edx,2
-  0000000000000069: B9 00 20 00 00     mov         ecx,2000h
-  000000000000006E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$calloc]
-  0000000000000074: 48 89 05 00 00 00  mov         qword ptr [g_lpwPrintBuffer],rax
-                    00
-  000000000000007B: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
-                    00 00
-  0000000000000083: 75 0D              jne         0000000000000092
-  0000000000000085: C7 44 24 30 05 40  mov         dword ptr [rsp+30h],80004005h
-                    00 80
-  000000000000008D: E9 9D 00 00 00     jmp         000000000000012F
-  0000000000000092: 48 8D 44 24 68     lea         rax,[rsp+68h]
-  0000000000000097: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
-  000000000000009C: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
-  00000000000000A1: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
-  00000000000000A6: 4C 8B 4C 24 60     mov         r9,qword ptr [rsp+60h]
-  00000000000000AB: 41 B8 FF 1F 00 00  mov         r8d,1FFFh
-  00000000000000B1: BA 00 20 00 00     mov         edx,2000h
-  00000000000000B6: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
-                    00
-  00000000000000BD: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$_vsnwprintf_s]
-  00000000000000C3: 85 C0              test        eax,eax
-  00000000000000C5: 75 0A              jne         00000000000000D1
-  00000000000000C7: C7 44 24 30 05 40  mov         dword ptr [rsp+30h],80004005h
-                    00 80
-  00000000000000CF: EB 5E              jmp         000000000000012F
-  00000000000000D1: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],0
-                    00 00
-  00000000000000D9: 74 4C              je          0000000000000127
-  00000000000000DB: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
-                    00
-  00000000000000E2: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$wcslen]
-  00000000000000E8: 8B C0              mov         eax,eax
-  00000000000000EA: 48 D1 E0           shl         rax,1
-  00000000000000ED: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
-                    00
-  00000000000000F4: 48 8B 09           mov         rcx,qword ptr [rcx]
-  00000000000000F7: 48 89 4C 24 40     mov         qword ptr [rsp+40h],rcx
-  00000000000000FC: 4C 8D 4C 24 34     lea         r9,[rsp+34h]
-  0000000000000101: 44 8B C0           mov         r8d,eax
-  0000000000000104: 48 8B 15 00 00 00  mov         rdx,qword ptr [g_lpwPrintBuffer]
-                    00
-  000000000000010B: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
-                    00
-  0000000000000112: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
-  0000000000000117: FF 50 20           call        qword ptr [rax+20h]
-  000000000000011A: 89 44 24 30        mov         dword ptr [rsp+30h],eax
-  000000000000011E: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
-  0000000000000123: 7D 02              jge         0000000000000127
-  0000000000000125: EB 08              jmp         000000000000012F
-  0000000000000127: C7 44 24 30 00 00  mov         dword ptr [rsp+30h],0
-                    00 00
-  000000000000012F: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
-                    00 00
-  0000000000000137: 74 15              je          000000000000014E
-  0000000000000139: 41 B8 00 40 00 00  mov         r8d,4000h
-  000000000000013F: 33 D2              xor         edx,edx
-  0000000000000141: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
-                    00
-  0000000000000148: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
-  000000000000014E: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
-                    00 00 00
-  0000000000000157: 8B 44 24 30        mov         eax,dword ptr [rsp+30h]
-  000000000000015B: 48 83 C4 58        add         rsp,58h
-  000000000000015F: C3                 ret
-  0000000000000160: CC                 int         3
-  0000000000000161: CC                 int         3
-  0000000000000162: CC                 int         3
-  0000000000000163: CC                 int         3
-  0000000000000164: CC                 int         3
-  0000000000000165: CC                 int         3
-  0000000000000166: CC                 int         3
-  0000000000000167: CC                 int         3
-  0000000000000168: CC                 int         3
-  0000000000000169: CC                 int         3
-  000000000000016A: CC                 int         3
-  000000000000016B: CC                 int         3
-  000000000000016C: CC                 int         3
-  000000000000016D: CC                 int         3
-  000000000000016E: CC                 int         3
-  000000000000016F: CC                 int         3
-BeaconOutputStreamW:
-  0000000000000170: 40 57              push        rdi
-  0000000000000172: 48 81 EC A0 00 00  sub         rsp,0A0h
-                    00
-  0000000000000179: 48 8D 44 24 50     lea         rax,[rsp+50h]
-  000000000000017E: 48 8B F8           mov         rdi,rax
-  0000000000000181: 33 C0              xor         eax,eax
-  0000000000000183: B9 50 00 00 00     mov         ecx,50h
-  0000000000000188: F3 AA              rep stos    byte ptr [rdi]
-  000000000000018A: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
-                    00 00 00
-  0000000000000193: C7 44 24 28 00 00  mov         dword ptr [rsp+28h],0
-                    00 00
-  000000000000019B: 48 C7 44 24 20 00  mov         qword ptr [rsp+20h],0
-                    00 00 00
-  00000000000001A4: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
-                    00
-  00000000000001AB: 48 8B 00           mov         rax,qword ptr [rax]
-  00000000000001AE: 41 B8 01 00 00 00  mov         r8d,1
-  00000000000001B4: 48 8D 54 24 50     lea         rdx,[rsp+50h]
-  00000000000001B9: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
-                    00
-  00000000000001C0: FF 50 60           call        qword ptr [rax+60h]
-  00000000000001C3: 85 C0              test        eax,eax
-  00000000000001C5: 7D 05              jge         00000000000001CC
-  00000000000001C7: E9 13 01 00 00     jmp         00000000000002DF
-  00000000000001CC: 8B 44 24 60        mov         eax,dword ptr [rsp+60h]
-  00000000000001D0: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
-  00000000000001D5: 48 8B 44 24 30     mov         rax,qword ptr [rsp+30h]
-  00000000000001DA: 48 FF C0           inc         rax
-  00000000000001DD: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
-  00000000000001E2: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  00000000000001E8: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
-  00000000000001ED: 4C 8B C1           mov         r8,rcx
-  00000000000001F0: BA 08 00 00 00     mov         edx,8
-  00000000000001F5: 48 8B C8           mov         rcx,rax
-  00000000000001F8: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
-  00000000000001FE: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
-  0000000000000203: 48 83 7C 24 20 00  cmp         qword ptr [rsp+20h],0
-  0000000000000209: 74 6B              je          0000000000000276
-  000000000000020B: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
-                    00 00 00
-  0000000000000214: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
-                    00
-  000000000000021B: 48 8B 00           mov         rax,qword ptr [rax]
-  000000000000021E: 45 33 C9           xor         r9d,r9d
-  0000000000000221: 45 33 C0           xor         r8d,r8d
-  0000000000000224: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
-  0000000000000229: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
-                    00
-  0000000000000230: FF 50 28           call        qword ptr [rax+28h]
-  0000000000000233: 85 C0              test        eax,eax
-  0000000000000235: 7D 02              jge         0000000000000239
-  0000000000000237: EB 3D              jmp         0000000000000276
-  0000000000000239: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
-                    00
-  0000000000000240: 48 8B 00           mov         rax,qword ptr [rax]
-  0000000000000243: 4C 8D 4C 24 28     lea         r9,[rsp+28h]
-  0000000000000248: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
-  000000000000024D: 48 8B 54 24 20     mov         rdx,qword ptr [rsp+20h]
-  0000000000000252: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
-                    00
-  0000000000000259: FF 50 18           call        qword ptr [rax+18h]
-  000000000000025C: 85 C0              test        eax,eax
-  000000000000025E: 7D 02              jge         0000000000000262
-  0000000000000260: EB 14              jmp         0000000000000276
-  0000000000000262: 4C 8B 44 24 20     mov         r8,qword ptr [rsp+20h]
-  0000000000000267: 48 8D 15 00 00 00  lea         rdx,[$SG105371]
-                    00
-  000000000000026E: 33 C9              xor         ecx,ecx
-  0000000000000270: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  0000000000000276: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],0
-                    00 00
-  000000000000027E: 74 1F              je          000000000000029F
-  0000000000000280: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
-                    00
-  0000000000000287: 48 8B 00           mov         rax,qword ptr [rax]
-  000000000000028A: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
-                    00
-  0000000000000291: FF 50 10           call        qword ptr [rax+10h]
-  0000000000000294: 48 C7 05 00 00 00  mov         qword ptr [g_lpStream],0
-                    00 00 00 00 00
-  000000000000029F: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
-                    00 00
-  00000000000002A7: 74 18              je          00000000000002C1
-  00000000000002A9: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
-                    00
-  00000000000002B0: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
-  00000000000002B6: 48 C7 05 00 00 00  mov         qword ptr [g_lpwPrintBuffer],0
-                    00 00 00 00 00
-  00000000000002C1: 48 83 7C 24 20 00  cmp         qword ptr [rsp+20h],0
-  00000000000002C7: 74 16              je          00000000000002DF
-  00000000000002C9: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  00000000000002CF: 4C 8B 44 24 20     mov         r8,qword ptr [rsp+20h]
-  00000000000002D4: 33 D2              xor         edx,edx
-  00000000000002D6: 48 8B C8           mov         rcx,rax
-  00000000000002D9: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
-  00000000000002DF: 48 81 C4 A0 00 00  add         rsp,0A0h
-                    00
-  00000000000002E6: 5F                 pop         rdi
-  00000000000002E7: C3                 ret
-  00000000000002E8: CC                 int         3
-  00000000000002E9: CC                 int         3
-  00000000000002EA: CC                 int         3
-  00000000000002EB: CC                 int         3
-  00000000000002EC: CC                 int         3
-  00000000000002ED: CC                 int         3
-  00000000000002EE: CC                 int         3
-  00000000000002EF: CC                 int         3
-FindDotNet:
-  00000000000002F0: 40 56              push        rsi
-  00000000000002F2: 57                 push        rdi
-  00000000000002F3: 48 81 EC 68 04 00  sub         rsp,468h
-                    00
-  00000000000002FA: C7 44 24 70 00 00  mov         dword ptr [rsp+70h],0
-                    00 00
-  0000000000000302: C7 44 24 30 00 00  mov         dword ptr [rsp+30h],0
-                    00 00
-  000000000000030A: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
-                    00 00 00
-  0000000000000313: 48 8D 44 24 40     lea         rax,[rsp+40h]
-  0000000000000318: 48 8B F8           mov         rdi,rax
-  000000000000031B: 33 C0              xor         eax,eax
-  000000000000031D: B9 10 00 00 00     mov         ecx,10h
-  0000000000000322: F3 AA              rep stos    byte ptr [rdi]
-  0000000000000324: C7 44 24 34 00 00  mov         dword ptr [rsp+34h],0
-                    00 00
-  000000000000032C: 48 8D 0D 00 00 00  lea         rcx,[$SG105407]
-                    00
-  0000000000000333: FF 15 00 00 00 00  call        qword ptr [__imp_GetModuleHandleA]
-  0000000000000339: 48 8D 15 00 00 00  lea         rdx,[$SG105406]
-                    00
-  0000000000000340: 48 8B C8           mov         rcx,rax
-  0000000000000343: FF 15 00 00 00 00  call        qword ptr [__imp_GetProcAddress]
-  0000000000000349: 48 89 44 24 58     mov         qword ptr [rsp+58h],rax
-  000000000000034E: 48 8D 0D 00 00 00  lea         rcx,[$SG105409]
-                    00
-  0000000000000355: FF 15 00 00 00 00  call        qword ptr [__imp_GetModuleHandleA]
-  000000000000035B: 48 8D 15 00 00 00  lea         rdx,[$SG105408]
-                    00
-  0000000000000362: 48 8B C8           mov         rcx,rax
-  0000000000000365: FF 15 00 00 00 00  call        qword ptr [__imp_GetProcAddress]
-  000000000000036B: 48 89 44 24 60     mov         qword ptr [rsp+60h],rax
-  0000000000000370: 48 83 7C 24 58 00  cmp         qword ptr [rsp+58h],0
-  0000000000000376: 74 08              je          0000000000000380
-  0000000000000378: 48 83 7C 24 60 00  cmp         qword ptr [rsp+60h],0
-  000000000000037E: 75 1C              jne         000000000000039C
-  0000000000000380: 48 8D 15 00 00 00  lea         rdx,[$SG105412]
-                    00
-  0000000000000387: B9 0D 00 00 00     mov         ecx,0Dh
-  000000000000038C: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  0000000000000392: B8 FF FF FF FF     mov         eax,0FFFFFFFFh
-  0000000000000397: E9 17 02 00 00     jmp         00000000000005B3
-  000000000000039C: 48 8D 84 24 B0 00  lea         rax,[rsp+0B0h]
-                    00 00
-  00000000000003A4: 48 8D 0D 00 00 00  lea         rcx,[$SG105413]
-                    00
-  00000000000003AB: 48 8B F8           mov         rdi,rax
-  00000000000003AE: 48 8B F1           mov         rsi,rcx
-  00000000000003B1: B9 56 00 00 00     mov         ecx,56h
-  00000000000003B6: F3 A4              rep movs    byte ptr [rdi],byte ptr [rsi]
-  00000000000003B8: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  00000000000003BE: 41 B8 F4 01 00 00  mov         r8d,1F4h
-  00000000000003C4: BA 08 00 00 00     mov         edx,8
-  00000000000003C9: 48 8B C8           mov         rcx,rax
-  00000000000003CC: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
-  00000000000003D2: 48 89 44 24 48     mov         qword ptr [rsp+48h],rax
-  00000000000003D7: 48 8D 0D 00 00 00  lea         rcx,[$SG105414]
-                    00
-  00000000000003DE: E8 00 00 00 00     call        BeaconPrintToStreamW
-  00000000000003E3: 48 8D 0D 00 00 00  lea         rcx,[$SG105415]
-                    00
-  00000000000003EA: E8 00 00 00 00     call        BeaconPrintToStreamW
-  00000000000003EF: 48 8D 44 24 38     lea         rax,[rsp+38h]
-  00000000000003F4: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
-  00000000000003F9: 45 33 C9           xor         r9d,r9d
-  00000000000003FC: 45 33 C0           xor         r8d,r8d
-  00000000000003FF: BA 00 00 00 02     mov         edx,2000000h
-  0000000000000404: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
-  0000000000000409: FF 54 24 58        call        qword ptr [rsp+58h]
-  000000000000040D: 85 C0              test        eax,eax
-  000000000000040F: 0F 85 9A 01 00 00  jne         00000000000005AF
-  0000000000000415: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
-  000000000000041A: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessId]
-  0000000000000420: 89 44 24 30        mov         dword ptr [rsp+30h],eax
-  0000000000000424: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
-  0000000000000429: 75 02              jne         000000000000042D
-  000000000000042B: EB C2              jmp         00000000000003EF
-  000000000000042D: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
-  0000000000000432: 48 8D 15 00 00 00  lea         rdx,[$SG105417]
-                    00
-  0000000000000439: 48 8D 8C 24 10 01  lea         rcx,[rsp+110h]
-                    00 00
-  0000000000000441: FF 15 00 00 00 00  call        qword ptr [__imp_USER32$wsprintfW]
-  0000000000000447: 41 B8 F4 01 00 00  mov         r8d,1F4h
-  000000000000044D: 33 D2              xor         edx,edx
-  000000000000044F: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
-  0000000000000454: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
-  000000000000045A: 48 8D 8C 24 B0 00  lea         rcx,[rsp+0B0h]
-                    00 00
-  0000000000000462: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$wcslen]
-  0000000000000468: 48 D1 E0           shl         rax,1
-  000000000000046B: 4C 8B C0           mov         r8,rax
-  000000000000046E: 48 8D 94 24 B0 00  lea         rdx,[rsp+0B0h]
-                    00 00
-  0000000000000476: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
-  000000000000047B: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
-  0000000000000481: 48 8D 94 24 10 01  lea         rdx,[rsp+110h]
-                    00 00
-  0000000000000489: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
-  000000000000048E: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$lstrcatW]
-  0000000000000494: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
-  0000000000000499: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$wcslen]
-  000000000000049F: 48 D1 E0           shl         rax,1
-  00000000000004A2: 66 89 44 24 40     mov         word ptr [rsp+40h],ax
-  00000000000004A7: 0F B7 44 24 40     movzx       eax,word ptr [rsp+40h]
-  00000000000004AC: FF C0              inc         eax
-  00000000000004AE: 66 89 44 24 42     mov         word ptr [rsp+42h],ax
-  00000000000004B3: C7 84 24 80 00 00  mov         dword ptr [rsp+80h],30h
-                    00 30 00 00 00
-  00000000000004BE: 48 C7 84 24 88 00  mov         qword ptr [rsp+88h],0
-                    00 00 00 00 00 00
-  00000000000004CA: C7 84 24 98 00 00  mov         dword ptr [rsp+98h],40h
-                    00 40 00 00 00
-  00000000000004D5: 48 8D 44 24 40     lea         rax,[rsp+40h]
-  00000000000004DA: 48 89 84 24 90 00  mov         qword ptr [rsp+90h],rax
-                    00 00
-  00000000000004E2: 48 C7 84 24 A0 00  mov         qword ptr [rsp+0A0h],0
-                    00 00 00 00 00 00
-  00000000000004EE: 48 C7 84 24 A8 00  mov         qword ptr [rsp+0A8h],0
-                    00 00 00 00 00 00
-  00000000000004FA: 48 C7 44 24 68 00  mov         qword ptr [rsp+68h],0
-                    00 00 00
-  0000000000000503: 4C 8D 84 24 80 00  lea         r8,[rsp+80h]
-                    00 00
-  000000000000050B: BA 01 00 00 00     mov         edx,1
-  0000000000000510: 48 8D 4C 24 68     lea         rcx,[rsp+68h]
-  0000000000000515: FF 54 24 60        call        qword ptr [rsp+60h]
-  0000000000000519: 89 44 24 50        mov         dword ptr [rsp+50h],eax
-  000000000000051D: 83 7C 24 50 00     cmp         dword ptr [rsp+50h],0
-  0000000000000522: 0F 8C 82 00 00 00  jl          00000000000005AA
-  0000000000000528: 48 8B 4C 24 68     mov         rcx,qword ptr [rsp+68h]
-  000000000000052D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$CloseHandle]
-  0000000000000533: 41 B8 04 01 00 00  mov         r8d,104h
-  0000000000000539: 48 8D 94 24 50 01  lea         rdx,[rsp+150h]
-                    00 00
-  0000000000000541: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
-  0000000000000546: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$K32GetProcessImageFileNameA]
-  000000000000054C: 48 8D 8C 24 50 01  lea         rcx,[rsp+150h]
-                    00 00
-  0000000000000554: FF 15 00 00 00 00  call        qword ptr [__imp_SHLWAPI$PathFindFileNameA]
-  000000000000055A: 48 89 44 24 78     mov         qword ptr [rsp+78h],rax
-  000000000000055F: C7 44 24 28 00 01  mov         dword ptr [rsp+28h],100h
-                    00 00
-  0000000000000567: 48 8D 84 24 60 02  lea         rax,[rsp+260h]
-                    00 00
-  000000000000056F: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
-  0000000000000574: 41 B9 FF FF FF FF  mov         r9d,0FFFFFFFFh
-  000000000000057A: 4C 8B 44 24 78     mov         r8,qword ptr [rsp+78h]
-  000000000000057F: 33 D2              xor         edx,edx
-  0000000000000581: 33 C9              xor         ecx,ecx
-  0000000000000583: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$MultiByteToWideChar]
-  0000000000000589: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
-  000000000000058E: 48 8D 94 24 60 02  lea         rdx,[rsp+260h]
-                    00 00
-  0000000000000596: 48 8D 0D 00 00 00  lea         rcx,[$SG105419]
-                    00
-  000000000000059D: E8 00 00 00 00     call        BeaconPrintToStreamW
-  00000000000005A2: C7 44 24 34 01 00  mov         dword ptr [rsp+34h],1
-                    00 00
-  00000000000005AA: E9 40 FE FF FF     jmp         00000000000003EF
-  00000000000005AF: 8B 44 24 34        mov         eax,dword ptr [rsp+34h]
-  00000000000005B3: 48 81 C4 68 04 00  add         rsp,468h
-                    00
-  00000000000005BA: 5F                 pop         rdi
-  00000000000005BB: 5E                 pop         rsi
-  00000000000005BC: C3                 ret
-  00000000000005BD: CC                 int         3
-  00000000000005BE: CC                 int         3
-  00000000000005BF: CC                 int         3
-  00000000000005C0: CC                 int         3
-  00000000000005C1: CC                 int         3
-  00000000000005C2: CC                 int         3
-  00000000000005C3: CC                 int         3
-  00000000000005C4: CC                 int         3
-  00000000000005C5: CC                 int         3
-  00000000000005C6: CC                 int         3
-  00000000000005C7: CC                 int         3
-  00000000000005C8: CC                 int         3
-  00000000000005C9: CC                 int         3
-  00000000000005CA: CC                 int         3
-  00000000000005CB: CC                 int         3
-  00000000000005CC: CC                 int         3
-  00000000000005CD: CC                 int         3
-  00000000000005CE: CC                 int         3
-  00000000000005CF: CC                 int         3
-go:
-  00000000000005D0: 48 83 EC 38        sub         rsp,38h
-  00000000000005D4: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
-                    00 00
-  00000000000005DC: E8 00 00 00 00     call        FindDotNet
-  00000000000005E1: 89 44 24 20        mov         dword ptr [rsp+20h],eax
-  00000000000005E5: 83 7C 24 20 00     cmp         dword ptr [rsp+20h],0
-  00000000000005EA: 75 14              jne         0000000000000600
-  00000000000005EC: 48 8D 15 00 00 00  lea         rdx,[$SG105427]
-                    00
-  00000000000005F3: B9 0D 00 00 00     mov         ecx,0Dh
-  00000000000005F8: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  00000000000005FE: EB 05              jmp         0000000000000605
-  0000000000000600: E8 00 00 00 00     call        BeaconOutputStreamW
-  0000000000000605: 33 C0              xor         eax,eax
-  0000000000000607: 48 83 C4 38        add         rsp,38h
-  000000000000060B: C3                 ret
-
-  Summary
-
-          38 .chks64
-         1DE .data
-          94 .debug$S
-          A8 .drectve
-          30 .pdata
-         60C .text$mn
-          28 .xdata

KIT/FindDotnet/finddotnet.h

@@ -1,29 +0,0 @@
-#include <windows.h>
-
-//FindDotNet
-typedef NTSTATUS (NTAPI * NtGetNextProcess_t)(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, ULONG HandleAttributes, ULONG Flags, PHANDLE NewProcessHandle);
-typedef NTSTATUS (NTAPI * NtOpenSection_t)(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process);
-//WINBASEAPI void *__cdecl MSVCRT$memcpy(void *Dst, const void *Src, size_t MaxCount);
-WINBASEAPI size_t __cdecl MSVCRT$wcslen(const wchar_t *_Str);
-//WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
-DECLSPEC_IMPORT int WINAPI USER32$wsprintfW(LPWSTR unnamedParam1, LPCWSTR unnamedParam2, ...);
-//WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$K32GetProcessImageFileNameA(HANDLE hProcess, LPSTR lpImageFileName, DWORD nSize);
-DECLSPEC_IMPORT LPCSTR WINAPI SHLWAPI$PathFindFileNameA(LPCSTR pszPath);
-DECLSPEC_IMPORT LPWSTR WINAPI KERNEL32$lstrcatW (LPWSTR lpString1, LPCWSTR lpString2);
-DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject);
-//WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-DECLSPEC_IMPORT int WINAPI KERNEL32$MultiByteToWideChar(UINT CodePage, DWORD dwFlags, _In_NLS_string_(cbMultiByte)LPCCH lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar);
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
-

KIT/FindExclusions/README.md

@@ -1,15 +0,0 @@
-# FindExclusions
-Check Windows Defender for excluded files, folders, extentions and processes.
-
->This operation requires elevated privileges. Furthermore, currently only Windows Defender exclusions are supported. However, this code is easily enhanced to also support other AV products that communicate via WMI. 
-
-
-## Usage
-* `findexclusions`
-
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindExclusions/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindExclusions/bofcompile.bat

@@ -1,5 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findexclusions.c
-move /y findexclusions.obj findexclusions.o
-

KIT/FindExclusions/findexclusions.c

@@ -1,223 +0,0 @@
-#include <stdio.h>
-#include <Windows.h>
-#include <wbemidl.h>
-#include "findexclusions.h"
-#include "beacon.h"
-
-#pragma comment(lib, "wbemuuid.lib")
-#pragma comment(lib, "ole32.lib")
-#pragma comment(lib, "oleaut32.lib")
-
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-
-int EnumerateDefenderExclusions() {
-    HRESULT hr;
-	int result = 0;
-    
-    hr = OLE32$CoInitializeEx(0, COINIT_APARTMENTTHREADED);
-    if (FAILED(hr)) goto Cleanup;
-	
-	IWbemLocator *pLoc = NULL;
-	IID CLSIDWbemLocator = {0x4590f811, 0x1d3a, 0x11d0, {0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}};
-	IID IIDIWbemLocator = {0xdc12a687, 0x737f, 0x11cf, {0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}};
-    hr = OLE32$CoCreateInstance(&CLSIDWbemLocator, 0, CLSCTX_INPROC_SERVER, &IIDIWbemLocator, (LPVOID *)&pLoc);
-    if (FAILED(hr)) goto Cleanup;
-	
-	IWbemServices *pSvc = NULL;
-    hr = pLoc->lpVtbl->ConnectServer(pLoc, OLEAUT32$SysAllocString(L"ROOT\\Microsoft\\Windows\\Defender"), NULL, NULL, 0, NULL, 0, 0, &pSvc);
-    if (FAILED(hr)) goto Cleanup;
-
-    hr = OLE32$CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
-
-    IEnumWbemClassObject* pEnumerator = NULL;
-	hr = pSvc->lpVtbl->ExecQuery(pSvc, OLEAUT32$SysAllocString(L"WQL"), OLEAUT32$SysAllocString(L"SELECT * FROM MSFT_MpPreference"), WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pEnumerator);
-	if (FAILED(hr)) goto Cleanup;
-
-	internal_printf("\nExclusion enumeration results:\n====================================================\n");
-	
-	ULONG returnedCount = 0;
-	IWbemClassObject *pResult = NULL;
-	while (pEnumerator) {
-		hr = pEnumerator->lpVtbl->Next(pEnumerator, WBEM_INFINITE, 1, &pResult, &returnedCount);
-		if (0 == returnedCount) break;
-		
-		//folder and files
-		VARIANT pathName;
-		hr = pResult->lpVtbl->Get(pResult, L"ExclusionPath", 0, &pathName, 0, 0);
-		if (SUCCEEDED(hr)) {
-			if (pathName.vt == VT_NULL) {
-				internal_printf("[-] No file or folder exclusion configured\n");
-				result = 1; 
-			} else if (pathName.vt == (VT_ARRAY | VT_BSTR)) {
-				
-				SAFEARRAY* sa = pathName.parray;
-				BSTR* bstrArray;
-				long lBound, uBound;
-
-				OLEAUT32$SafeArrayGetLBound(sa, 1, &lBound);
-				OLEAUT32$SafeArrayGetUBound(sa, 1, &uBound);
-				OLEAUT32$SafeArrayAccessData(sa, (void**)&bstrArray);
-
-				for (long i = lBound; i <= uBound; i++) {
-					if (MSVCRT$wcscmp(bstrArray[i], L"N/A: Must be an administrator to view exclusions") == 0) {
-						BeaconPrintf(CALLBACK_ERROR, "Access Denied! The current user does not have sufficient permissions to enumerate exclusions.\n");
-						goto Cleanup;
-					} else {
-						internal_printf("[+] Found folder/file exclusion: %ls\n", bstrArray[i]);
-						result = 1; 
-					}
-				}
-				OLEAUT32$SafeArrayUnaccessData(sa);
-			} else BeaconPrintf(CALLBACK_ERROR, "Error occurred! Couldn't properly parse path data with error code: %d\n", pathName.vt);
-
-			OLEAUT32$VariantClear(&pathName);
-		}
-		
-		//extention
-		VARIANT extName;
-		hr = pResult->lpVtbl->Get(pResult, L"ExclusionExtension", 0, &extName, 0, 0);
-		if (SUCCEEDED(hr)) {
-			if (extName.vt == VT_NULL) {
-				internal_printf("[-] No extention exclusion configured\n");
-				result = 1; 
-			} else if (extName.vt == (VT_ARRAY | VT_BSTR)) {
-				
-				SAFEARRAY* sa = extName.parray;
-				BSTR* bstrArray;
-				long lBound, uBound;
-
-				OLEAUT32$SafeArrayGetLBound(sa, 1, &lBound);
-				OLEAUT32$SafeArrayGetUBound(sa, 1, &uBound);
-				OLEAUT32$SafeArrayAccessData(sa, (void**)&bstrArray);
-
-				for (long i = lBound; i <= uBound; i++) {
-					internal_printf("[+] Found extention exclusion: %ls\n", bstrArray[i]);
-					result = 1; 
-				}
-				OLEAUT32$SafeArrayUnaccessData(sa);
-			} else BeaconPrintf(CALLBACK_ERROR, "Error occurred! Couldn't properly parse extention data with error code: %d\n", extName.vt);
-			
-			OLEAUT32$VariantClear(&extName);
-		}
-		
-		//processes
-		VARIANT procName;
-		hr = pResult->lpVtbl->Get(pResult, L"ExclusionProcess", 0, &procName, 0, 0);
-		if (SUCCEEDED(hr)) {
-			if (procName.vt == VT_NULL) {
-				internal_printf("[-] No process exclusion configured\n");
-				result = 1; 
-			} else if (procName.vt == (VT_ARRAY | VT_BSTR)) {
-				
-				SAFEARRAY* sa = procName.parray;
-				BSTR* bstrArray;
-				long lBound, uBound;
-
-				OLEAUT32$SafeArrayGetLBound(sa, 1, &lBound);
-				OLEAUT32$SafeArrayGetUBound(sa, 1, &uBound);
-				OLEAUT32$SafeArrayAccessData(sa, (void**)&bstrArray);
-
-				for (long i = lBound; i <= uBound; i++) {
-					internal_printf("[+] Found process exclusion: %ls\n", bstrArray[i]);
-					result = 1; 
-				}
-				OLEAUT32$SafeArrayUnaccessData(sa);
-			} else BeaconPrintf(CALLBACK_ERROR, "Error occurred! Couldn't properly parse process data with error code: %d\n", procName.vt);
-			
-			OLEAUT32$VariantClear(&procName);
-		}
-	}
-	
-Cleanup:
-    if (pSvc) pSvc->lpVtbl->Release(pSvc);
-    if (pLoc) pLoc->lpVtbl->Release(pLoc);
-    if (pEnumerator) pEnumerator->lpVtbl->Release(pEnumerator);
-	if (pResult) pResult->lpVtbl->Release(pResult);
-    OLE32$CoUninitialize();
-
-	return result;
-}
-
-
-int go() {
-	int result = 0; 
-	
-	if(!bofstart()) return;
-	
-	result = EnumerateDefenderExclusions();
-	if(result) printoutput(TRUE);
-	
-	return 0;
-}

KIT/FindExclusions/findexclusions.cna

@@ -1,26 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-	"findexclusions", "Check the AV for excluded files, folders, extentions and processes.",
-	"INFO:\nCheck the AV for excluded files, folders, extentions and processes. Currently only Windows Defender exclusions are supported.\n\n" .
-	"USAGE:\nfindexclusions\n\n");
-	
-alias findexclusions {
-    $bid = $1;
-	
-    # Read in the right BOF file
-    $handle = openf(script_resource("findexclusions.o"));
-    $data   = readb($handle, -1);
-    closef($handle);
-
-    # Pack our arguments
-    $arg_data  = bof_pack($bid);
-
-    blog($bid, "Tasked to enumerate exclusions..");
-    beacon_inline_execute($bid, $data, "go", $arg_data);
-}
-
-
-
-
-

KIT/FindExclusions/findexclusions.h

@@ -1,27 +0,0 @@
-#include <windows.h>  
-
-//EnumerateExclusions
-DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit);
-DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void);
-DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv);
-DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeSecurity(PSECURITY_DESCRIPTOR, LONG, SOLE_AUTHENTICATION_SERVICE*, void*, DWORD, DWORD, void*, DWORD, void*);
-DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoSetProxyBlanket(IUnknown*, DWORD, DWORD, OLECHAR*, DWORD, DWORD, RPC_AUTH_IDENTITY_HANDLE, DWORD);
-DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayGetLBound(SAFEARRAY*, unsigned int, long*);
-DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayGetUBound(SAFEARRAY*, unsigned int, long*);
-DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayAccessData(SAFEARRAY*, void**);
-DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayUnaccessData(SAFEARRAY* psa);
-DECLSPEC_IMPORT void WINAPI OLEAUT32$VariantClear(VARIANTARG *pvarg);
-WINBASEAPI BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR *);
-WINBASEAPI void WINAPI OLEAUT32$SysFreeString(BSTR);
-WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
-WINBASEAPI int WINAPI MSVCRT$wcscmp(const wchar_t* str1, const wchar_t* str2);
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);

KIT/FindFile/README.md

@@ -1,23 +0,0 @@
-# FindFile
-Search for matching files based on a word, extention or keyword in the file content. Wildcards are supported.
-
->Keyword matching only works for text based files like .csv, .txt or .ps1 etc. So no MS Office files like .xlsx and .docs :(. 
-
-## Arguments
-* `<path to directory>`: specify a path to the directory from which to start searching (recursive searching supported).
-* `<search pattern>`: specify a single word or extention to search for (support wildcards).
-* `<keyword>`: leave empty OR specify a keyword to search for in text based files (support wildcards).
-
-## Usage
-* `findfile <path to directory> <search pattern> <(optional) keyword>`
-
-## Examples
-* `findfile C:\Users\RTO\Documents *.xlsx`
-* `findfile C:\Users\RTO *login*.* username`
-* `findfile C:\Users\RTO *.txt *pass*`
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindFile/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindFile/bofcompile.bat

@@ -1,5 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findfile.c
-move /y findfile.obj findfile.o
-

KIT/FindFile/findfile.c

@@ -1,278 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include <stdbool.h>
-#include "findfile.h"
-#include "beacon.h"
-
-#define MAX_PREVIEW_LENGTH 200
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-bool keywordMatches(const char* content, const char* keyword) {
-    size_t keywordLen = MSVCRT$strlen(keyword);
-    
-    // If keyword is "*example*"
-    if (keyword[0] == '*' && keyword[keywordLen - 1] == '*') {
-        char tempKeyword[MAX_PATH]; 
-        MSVCRT$strncpy(tempKeyword, keyword + 1, keywordLen - 2);
-        tempKeyword[keywordLen - 2] = '\0';
-        if (MSVCRT$strstr(content, tempKeyword)) {
-            return true;
-        }
-    }
-    // If keyword is "example*"
-    else if (keyword[keywordLen - 1] == '*') {
-        char tempKeyword[MAX_PATH];
-        MSVCRT$strncpy(tempKeyword, keyword, keywordLen - 1);
-        tempKeyword[keywordLen - 1] = '\0';
-        if (MSVCRT$strncmp(content, tempKeyword, keywordLen - 1) == 0) {
-            return true;
-        }
-    }
-    // If keyword is "*example"
-    else if (keyword[0] == '*') {
-        if (MSVCRT$strlen(content) >= keywordLen - 1 && 
-            MSVCRT$strcmp(content + MSVCRT$strlen(content) - (keywordLen - 1), keyword + 1) == 0) {
-            return true;
-        }
-    }
-    // If keyword is "example"
-    else if (MSVCRT$strstr(content, keyword)) {
-        return true;
-    }
-
-    return false;
-}
-
-
-
-bool SearchFileForKeyword(const char* filePath, const char* keyword) {
-    FILE *file = MSVCRT$fopen(filePath, "rb");  
-    if (!file) {
-        BeaconPrintf(CALLBACK_ERROR, "Failed to open file: %s\n", filePath);
-        return false;
-    }
-
-    MSVCRT$fseek(file, 0, SEEK_END);
-    long fileSize = MSVCRT$ftell(file);
-    MSVCRT$fseek(file, 0, SEEK_SET);
-
-    char* fileContents = (char*)MSVCRT$malloc(fileSize + 1); 
-    if(!fileContents) {
-        BeaconPrintf(CALLBACK_ERROR, "Failed to allocate memory for file: %s\n", filePath);
-        MSVCRT$fclose(file);
-        return false;
-    }
-    
-    MSVCRT$fread(fileContents, 1, fileSize, file);
-    fileContents[fileSize] = '\0';  
-    MSVCRT$fclose(file);
-
-    // Convert file contents to lowercase
-    for (long i = 0; i < fileSize; i++) {
-        fileContents[i] = MSVCRT$tolower(fileContents[i]);
-    }
-
-    // Convert keyword to lowercase
-    char* lowerKeyword = MSVCRT$_strdup(keyword);
-    if (!lowerKeyword) {
-        MSVCRT$free(fileContents);
-        return false;
-    }
-    for (int i = 0; lowerKeyword[i]; i++) {
-        lowerKeyword[i] = MSVCRT$tolower(lowerKeyword[i]);
-    }
-	
-	//match line with keyword and return pattern if true
-	char* line = MSVCRT$strtok(fileContents, "\n");
-	bool found = false;
-	bool firstPrint = true;
-	char preview[MAX_PREVIEW_LENGTH + 1]; 
-
-	while (line) {
-		if (keywordMatches(line, lowerKeyword)) {
-			found = true;
-			int lineLength = MSVCRT$strlen(line);
-	
-			if (lineLength > MAX_PREVIEW_LENGTH) {
-				MSVCRT$strncpy(preview, line, MAX_PREVIEW_LENGTH);
-				preview[MAX_PREVIEW_LENGTH] = '\0'; 
-			} else {
-				MSVCRT$strcpy(preview, line);
-			}
-			if (firstPrint) {
-				internal_printf("\n[+] Keyword '%s' found in file: %s\n", keyword, filePath);
-				firstPrint = false;
-			}
-			internal_printf("\t- Matched on pattern: %s\n", preview);
-			// break; // Uncomment to stop after the first match
-		}
-		line = MSVCRT$strtok(NULL, "\n");
-	}
-
-    MSVCRT$free(fileContents);
-    MSVCRT$free(lowerKeyword);
-	
-    return found;
-}
-
-
-void SearchFilesRecursive(const char* lpFolder, const char* lpSearchPattern, const char* keyword) {
-    WIN32_FIND_DATAA findFileData;
-    HANDLE hFind = INVALID_HANDLE_VALUE;
-    char szDir[MAX_PATH];
-    DWORD dwError;
-
-    // Build search path for files in the current directory
-    MSVCRT$strcpy(szDir, lpFolder);
-    MSVCRT$strcat(szDir, "\\");
-    MSVCRT$strcat(szDir, lpSearchPattern);
-	
-	// Search for files
-    hFind = KERNEL32$FindFirstFileA(szDir, &findFileData);
-    if (hFind != INVALID_HANDLE_VALUE) {
-        do {
-			if (!(findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
-				char fullPath[MAX_PATH];
-				MSVCRT$sprintf(fullPath, "%s\\%s", lpFolder, findFileData.cFileName);
-				
-				if (*keyword) { 
-				    SearchFileForKeyword(fullPath, keyword); 
-				} else if (!*keyword) {
-					internal_printf("[+] File found: %s\n", fullPath);
-				}
-			}
-		} while (KERNEL32$FindNextFileA(hFind, &findFileData) != 0);
-		
-		dwError = KERNEL32$GetLastError();
-		if (dwError != ERROR_NO_MORE_FILES) {
-			BeaconPrintf(CALLBACK_ERROR, "Error searching for next file: %d\n", dwError);
-		}
-		KERNEL32$FindClose(hFind);
-	}
-	
-	//search for subdirectories and recurse into them
-    MSVCRT$strcpy(szDir, lpFolder);
-    MSVCRT$strcat(szDir, "\\*");
-
-    hFind = KERNEL32$FindFirstFileA(szDir, &findFileData);
-    if (hFind != INVALID_HANDLE_VALUE) {
-        do {
-            if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY &&
-                MSVCRT$strcmp(findFileData.cFileName, ".") != 0 && 
-                MSVCRT$strcmp(findFileData.cFileName, "..") != 0) {
-				
-				// Build path for the subdirectory
-                char subDir[MAX_PATH];
-                MSVCRT$strcpy(subDir, lpFolder);
-                MSVCRT$strcat(subDir, "\\");
-                MSVCRT$strcat(subDir, findFileData.cFileName);
-
-                SearchFilesRecursive(subDir, lpSearchPattern, keyword);
-            }
-        } while (KERNEL32$FindNextFileA(hFind, &findFileData) != 0);
-		
-        dwError = KERNEL32$GetLastError();
-        if (dwError != ERROR_NO_MORE_FILES) {
-            BeaconPrintf(CALLBACK_ERROR, "Error searching for next file: %d\n", dwError);
-        }
-		KERNEL32$FindClose(hFind);
-    }
-}
-
-
-int go(char *args, int len) {
-	datap parser;
-    CHAR *lpDirectory = "";
-    CHAR *lpSearchPattern = "";
-    CHAR *keyword = ""; // If not empty, SearchFileForKeyword is called to verify if the keyword is in the text file
-
-	BeaconDataParse(&parser, args, len);
-	lpDirectory = BeaconDataExtract(&parser, NULL);
-	lpSearchPattern = BeaconDataExtract(&parser, NULL);
-	keyword = BeaconDataExtract(&parser, NULL);
-	if(!bofstart()) return;
-	
-	internal_printf("====================FILE SEARCH RESULTS====================\n");
-	
-    SearchFilesRecursive(lpDirectory, lpSearchPattern, keyword);
-	
-	printoutput(TRUE);
-	BeaconPrintf(CALLBACK_OUTPUT, "[+] Finished searching!\n");
-
-    return 0;
-}
-
-
-		
-		

KIT/FindFile/findfile.cna

@@ -1,39 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-    "findfile", "Search for matching files based on a word, extention or keyword.",
-    "INFO:\nSearch for matching files based on a word, extention or keyword in the file content. Wildcards are supported . Keyword matching only works for text based files.\n\n" .
-	"ARGUMENTS:\n[<path to directory>]: specify a path to the directory from which to start searching (recursive searching supported).\n[<search pattern>]: specify a single word or extention to search for (support wildcards).\n[<keyword>]: leave empty OR specify a keyword to search for in text based files (support wildcards).\n\n" .
-	"USAGE:\nfindfile <path to directory> <search pattern> <(optional) keyword> \n\n" .
-	"EXAMPLES:\nfindfile C:\\Users\\RTO\\Documents *.xlsx\nfindfile C:\\Users\\RTO *login*.* username\nfindfile C:\\Users\\RTO *.txt *pass*\n\n");
-
-
-alias findfile {
-    $bid = $1;
-	$lpDirectory = $2;
-    $lpSearchPattern = $3;
-    $keyword = $4;
-
-    if ($lpDirectory eq "") {
-        berror($bid, "Please specify a path to a directory.\n");
-        return;
-    }
-
-    if ($lpSearchPattern eq "") {
-        berror($bid, "Please specify a pattern/word to search for.\n");
-        return;
-    }
-
-    # Read in the right BOF file
-    $handle = openf(script_resource("findfile.o"));
-    $data   = readb($handle, -1);
-    closef($handle);
-
-    # Pack our arguments
-    $arg_data  = bof_pack($bid, "zzz", $lpDirectory, $lpSearchPattern, $keyword);
-
-    blog($bid, "Tasked to search for matching files..");
-    beacon_inline_execute($bid, $data, "go", $arg_data);
-}
-
-

KIT/FindFile/findfile.h

@@ -1,38 +0,0 @@
-#include <windows.h>  
-
-//SearchFileForKeyword + keywordMatches
-WINBASEAPI int WINAPI MSVCRT$strcmp(const char* str1, const char* str2);
-WINBASEAPI FILE* WINAPI MSVCRT$fopen(const char* filename, const char* mode);
-WINBASEAPI int __cdecl MSVCRT$fseek(FILE *_File, long _Offset, int _Origin);
-WINBASEAPI long __cdecl MSVCRT$ftell(FILE *_File);
-WINBASEAPI size_t __cdecl MSVCRT$fread(void * _DstBuf, size_t _ElementSize, size_t _Count, FILE * _File);
-WINBASEAPI int __cdecl MSVCRT$fclose(FILE *_File);
-WINBASEAPI char* WINAPI MSVCRT$strstr(const char* haystack, const char* needle);
-WINBASEAPI void *__cdecl MSVCRT$malloc(size_t _Size);
-//WINBASEAPI void __cdecl MSVCRT$free(void *_Memory);
-WINBASEAPI char* WINAPI MSVCRT$_strdup(const char* str);
-WINBASEAPI int WINAPI MSVCRT$tolower(int c);
-WINBASEAPI size_t WINAPI MSVCRT$strlen(const char* str);
-WINBASEAPI int WINAPI MSVCRT$strncmp(const char* str1, const char* str2, size_t n);
-WINBASEAPI char* WINAPI MSVCRT$strncpy(char* dest, const char* src, size_t n);
-DECLSPEC_IMPORT char* WINAPI MSVCRT$strtok(char* str, const char* delimiters);
-
-//SearchFilesRecursive
-DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$FindFirstFileA(LPCSTR lpFileName, LPWIN32_FIND_DATAA lpFindFileData);
-DECLSPEC_IMPORT BOOL WINAPI KERNEL32$FindNextFileA(HANDLE hFindFile, LPWIN32_FIND_DATAA lpFindFileData);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(void);
-DECLSPEC_IMPORT BOOL WINAPI KERNEL32$FindClose(HANDLE hFindFile);
-DECLSPEC_IMPORT int WINAPI KERNEL32$MultiByteToWideChar(UINT CodePage, DWORD dwFlags, LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar);
-WINBASEAPI char* WINAPI MSVCRT$strcpy(char* dest, const char* src);
-WINBASEAPI char* WINAPI MSVCRT$strcat(char* dest, const char* src);
-WINBASEAPI int WINAPI MSVCRT$sprintf(char* buffer, const char* format, ...);
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);

KIT/FindHandle/README.md

@@ -1,26 +0,0 @@
-# FindHandle
-Find `process` and `thread` handle types between processes.
-
-## Options
-**Search options:**
-* `all`: list all processes with handles to all other processes.
-* `h2p`: list all processes that have a handle to a specific process.
-* `p2h`: list handles from a specific process to all other processes.
-
-**Handle query options:**
-* `proc`: search for PROCESS type handles.
-* `thread`: search for THREAD type handles.
-
-**Targeted search options:**
-* `<pid>`: for both the `h2p` and `p2h` search options, specify the PID of the process your interested in.
-
-## Usage
-* `findhandle all <proc | thread>`
-* `findhandle h2p <proc | thread> <pid>`
-* `findhandle p2h <proc | thread> <pid>`
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindHandle/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindHandle/bofcompile.bat

@@ -1,5 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findhandle.c
-move /y findhandle.obj findhandle.o
-

KIT/FindHandle/findhandle.c

@@ -1,255 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include <shlwapi.h>
-#include <Psapi.h>
-#include "findhandle.h"
-#include "beacon.h"
-
-#pragma comment(lib, "shlwapi")
-
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-
-BOOL GetHandles(int basePid, const BYTE flags, int targetPid) {
-
-	NTSTATUS status;
-    PSYSTEM_HANDLE_INFORMATION handleInfo;
-    ULONG handleInfoSize = 0x10000;
-    HANDLE processHandle;
-    ULONG i;
-	char procHostName[MAX_PATH];
-	BOOL foundHandle = FALSE;
-	
-	
-	if (flags == QUERY_PROC) internal_printf("[+] PROCESS HANDLE RESULTS\n==========================================");
-	else internal_printf("[+] THREAD HANDLE RESULTS\n==========================================");
-	
-	
-    NtQuerySystemInformation_t pNtQuerySystemInformation = (NtQuerySystemInformation_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
-    NtDuplicateObject_t pNtDuplicateObject = (NtDuplicateObject_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDuplicateObject");
-    NtQueryObject_t pNtQueryObject = (NtQueryObject_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryObject");
-
-	WCHAR Filter[100];
-	switch(flags) {
-		case QUERY_PROC:	MSVCRT$swprintf_s(Filter, 50, L"%s", L"Process"); break;
-		default:			MSVCRT$swprintf_s(Filter, 50, L"%s", L"Thread"); break;
-	}
-
-    handleInfo = (PSYSTEM_HANDLE_INFORMATION) MSVCRT$malloc(handleInfoSize);
-    while ((status = pNtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH)
-			handleInfo = (PSYSTEM_HANDLE_INFORMATION)MSVCRT$realloc(handleInfo, handleInfoSize *= 2);
- 
-    if (status != 0) {
-        BeaconPrintf(CALLBACK_ERROR, "Failed to retrieve process information!\n");
-        return 1;
-    }
-	
-    for (i = 0 ; i < handleInfo->NumberOfHandles ; i++) {
-        SYSTEM_HANDLE_TABLE_ENTRY_INFO objHandle = handleInfo->Handles[i];
-		
-        HANDLE dupHandle = NULL;
-        POBJECT_TYPE_INFORMATION objectTypeInfo;
-        PVOID objectNameInfo;
-        UNICODE_STRING objectName;
-        ULONG returnLength;
-		
-		if(objHandle.UniqueProcessId == 4) continue;
-		
-        if ((basePid != 0) && (objHandle.UniqueProcessId != basePid)) continue;
-		
-		if (objHandle.UniqueProcessId == KERNEL32$GetCurrentProcessId()) continue;
- 
- 
-		if (!(processHandle = KERNEL32$OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, FALSE, objHandle.UniqueProcessId))) {
-			continue;
-		}
- 
-		KERNEL32$K32GetProcessImageFileNameA(processHandle, procHostName, MAX_PATH);
-		
-        if (!NT_SUCCESS(pNtDuplicateObject(processHandle, (void *) objHandle.HandleValue, KERNEL32$GetCurrentProcess(), &dupHandle, 0, 0, DUPLICATE_SAME_ACCESS))) {
-            continue;
-        }
- 
-        objectTypeInfo = (POBJECT_TYPE_INFORMATION) MSVCRT$malloc(0x1000);
-        if (!NT_SUCCESS(pNtQueryObject(dupHandle, ObjectTypeInformation, objectTypeInfo, 0x1000, NULL))) {
-            KERNEL32$CloseHandle(dupHandle);
-            continue;
-        }
-	
-		if (!SHLWAPI$StrStrIW(Filter, objectTypeInfo->Name.Buffer)) {
-			MSVCRT$free(objectTypeInfo);
-            KERNEL32$CloseHandle(dupHandle);
-			continue;
-		}
-		
-        objectNameInfo = MSVCRT$malloc(0x1000);
-        objectName = *(PUNICODE_STRING) objectNameInfo;
-		
-		int procID = 0;
-		if (flags == QUERY_PROC) procID = KERNEL32$GetProcessId(dupHandle);
-		if (flags == QUERY_THREAD) procID = KERNEL32$GetProcessIdOfThread(dupHandle);
-
-		char procNameTemp[MAX_PATH];
-		if (procID != 0) {
-			if (flags == QUERY_THREAD) {
-				HANDLE pH = KERNEL32$OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, FALSE, procID);
-				if (pH) KERNEL32$K32GetProcessImageFileNameA(pH, procNameTemp, MAX_PATH);
-				else MSVCRT$sprintf_s(procNameTemp, MAX_PATH, "%s", "non existent?");
-				KERNEL32$CloseHandle(pH);
-			}
-			else {
-				KERNEL32$K32GetProcessImageFileNameA(dupHandle, procNameTemp, MAX_PATH);
-			}
-		}
-		
-		if (targetPid != 0 && targetPid != procID) {
-			MSVCRT$free(objectTypeInfo);
-			MSVCRT$free(objectNameInfo);
-			KERNEL32$CloseHandle(dupHandle);
-			continue;
-		}
-		
-		if(procID != 0 && objHandle.UniqueProcessId != procID) {
-			internal_printf("\nHandle from:\t%s [%d]\nHandle to:\t%s [%d]\nHandle object:\t%#x\nAccess rights:\t%#x\n", 
-				procHostName,
-				KERNEL32$GetProcessId(processHandle),
-				procNameTemp,
-				procID,
-				objHandle.HandleValue,
-				objHandle.GrantedAccess); //https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
-			
-			foundHandle = TRUE;
-		}
-
-        MSVCRT$free(objectTypeInfo);
-        MSVCRT$free(objectNameInfo);
-        KERNEL32$CloseHandle(dupHandle);
-    }
- 
-    MSVCRT$free(handleInfo);
-    KERNEL32$CloseHandle(processHandle);
-	
-	return foundHandle;
-}
-
-
-int go(char *args, int len) {
-	int basePid = 0;
-	int targetPid = 0;
-	BYTE flags;
-	CHAR *search;
-	CHAR *query;
-	BOOL res = NULL;
-	datap parser;
-	
-	BeaconDataParse(&parser, args, len);
-	search = BeaconDataExtract(&parser, NULL);
-	query = BeaconDataExtract(&parser, NULL);
-	if(!bofstart()) return;
-
-	if (MSVCRT$strcmp(query, "proc") == 0) flags = QUERY_PROC;
-	else if (MSVCRT$strcmp(query, "thread") == 0) flags = QUERY_THREAD;
-	else {
-		BeaconPrintf(CALLBACK_ERROR, "Please specify either proc (PROCESS_HANDLE) or 2 (THREAD_HANDLE) as handle search options.\n");
-		return 0;
-	}
-	
-	if (MSVCRT$strcmp(search, "all") == 0) {
-		BeaconPrintf(CALLBACK_OUTPUT, "[*] Start enumerating all processes with handles to all other processes\n");
-		res = GetHandles(0, flags, 0);
-	}
-	else if (MSVCRT$strcmp(search, "h2p") == 0) {
-		targetPid = BeaconDataInt(&parser);
-		BeaconPrintf(CALLBACK_OUTPUT, "[*] Start enumerating all processes that have a handle to PID: [%d]\n", targetPid);
-		res = GetHandles(0, flags, targetPid);
-	}
-	else if (MSVCRT$strcmp(search, "p2h") == 0) {
-		basePid = BeaconDataInt(&parser);
-		BeaconPrintf(CALLBACK_OUTPUT, "[*] Start enumerating handles from PID [%d] to all other processes\n", basePid);
-		res = GetHandles(basePid, flags, 0);
-	}
-	else {
-		BeaconPrintf(CALLBACK_ERROR, "Please specify one of the following process search options: ht | h2p | p2h\n");
-		return 0;
-	}
-	
-	if(!res) BeaconPrintf(CALLBACK_ERROR, "No handle found for this search query!\n");
-	else  {
-		printoutput(TRUE);
-	}
-
-    return 0;
-}
-
-

KIT/FindHandle/findhandle.cna

@@ -1,62 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-    "findhandle", "Find process and thread handle types between processes.",
-    "INFO:\nFind process and thread handle types between processes.\n\nOPTIONS:\n[all]: list all processes with handles to all other processes\n[h2p]: list all processes that have a handle to a specific process\n[p2h]: list handles from a specific process to all other processes\n\nHandle Query Options:\n[proc]: search for PROCESS type handles\n[thread]: search for THREAD type handles\n\nTargeted Search Options:\n[<pid>]: for both the [h2p] and [p2h] search options, specify the PID of the process your interested in.\n\n" .
-    "USAGE:\nfindhandle all <proc | thread>\nfindhandle h2p <proc | thread> <pid>\nfindhandle p2h <proc | thread> <pid>\n\n");
-
-
-alias findhandle {
-    $bid = $1;
-    $search = $2;
-    $query = $3;
-    $pid = $4;
-
-    if ($search eq "") {
-        berror($bid, "Please specify one of the following seach options: all | h2p | p2h\n");
-        return;
-    }
-
-    if ($search eq "all" || $search eq "h2p" || $search eq "p2h") {
-        if ($query eq "") {
-            berror($bid, "Please specify one of the following handle types to search for: proc | thread\n");
-            return;
-        }
-        if ($query eq "proc" || $query eq "thread") {
-            if ($search eq "h2p" && $pid eq "" ) {
-                berror($bid, "Please specify the pid to target a specific process.\n");
-                return;
-            }
-            if ($search eq "p2h" && $pid eq "" ) {
-                berror($bid, "Please specify the pid to target a specific process.\n");
-                return;
-            }
-        }
-        else {
-            berror($bid, "This handle type isn't supported. Please specify one of the following handle types to search for: proc | thread\n");
-            return;
-        }
-    }
-    else {
-        berror($bid, "This option isn't supported. Please specify one of the following seach options: all | h2p | p2h\n");
-        return;
-    }
-	
-    # Read in the right BOF file
-    $handle = openf(script_resource("findhandle.o"));
-    $data   = readb($handle, -1);
-    closef($handle);
-
-    # Pack our arguments
-    if ($pid eq "") {
-        $arg_data  = bof_pack($bid, "zz", $search, $query);
-    }
-    else {
-        $arg_data  = bof_pack($bid, "zzi", $search, $query, $pid);
-    }
-
-    blog($bid, "Tasked to enumerate handles..");
-    beacon_inline_execute($bid, $data, "go", $arg_data);
-}
-
-

KIT/FindHandle/findhandle.h

@@ -1,103 +0,0 @@
-#include <windows.h>
-
-#define NT_SUCCESS(x) ((x) >= 0)
-#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
- 
-#define SystemHandleInformation 16
-#define ObjectBasicInformation 0
-#define ObjectNameInformation 1
-#define ObjectTypeInformation 2
- 
-#define QUERY_PROC		0x08
-#define QUERY_THREAD	0x10
-
-
-//GetHandles
-typedef NTSTATUS (NTAPI * NtQuerySystemInformation_t)(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
-typedef NTSTATUS (NTAPI * NtDuplicateObject_t)(HANDLE SourceProcessHandle, HANDLE SourceHandle, HANDLE TargetProcessHandle, PHANDLE TargetHandle, ACCESS_MASK DesiredAccess, ULONG Attributes, ULONG Options);
-typedef NTSTATUS (NTAPI * NtQueryObject_t)(HANDLE ObjectHandle, ULONG ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength);
-WINBASEAPI void* __cdecl MSVCRT$malloc(size_t _Size);
-WINBASEAPI void* __cdecl MSVCRT$realloc(void* _Memory, size_t _NewSize);
-DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$K32GetProcessImageFileNameA(HANDLE hProcess, LPSTR lpImageFileName, DWORD nSize);
-DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess();
-DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcessId();
-DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject);
-DECLSPEC_IMPORT LPWSTR WINAPI KERNEL32$StrStrIW(LPCWSTR lpFirst, LPCWSTR lpSrch);
-DECLSPEC_IMPORT PCWSTR WINAPI SHLWAPI$StrStrIW(PCWSTR pszFirst, PCWSTR pszSrch);
-//WINBASEAPI void __cdecl MSVCRT$free(void* _Memory);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessIdOfThread(HANDLE Thread);
-WINBASEAPI int __cdecl MSVCRT$sprintf_s(char *_Dst,size_t _SizeInBytes,const char *_Format,...);
-WINBASEAPI int __cdecl MSVCRT$swprintf_s(wchar_t *_Dst,size_t _SizeInWords,const wchar_t *_Format,...);
-DECLSPEC_IMPORT LPCSTR WINAPI SHLWAPI$PathFindFileNameA(LPCSTR pszPath);
-WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); 
-WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
-
-
-typedef struct _UNICODE_STRING {
-    USHORT Length;
-    USHORT MaximumLength;
-    PWSTR Buffer;
-} UNICODE_STRING, *PUNICODE_STRING;
- 
-typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
-    USHORT UniqueProcessId;
-    USHORT CreatorBackTraceIndex;
-    UCHAR ObjectTypeIndex;
-    UCHAR HandleAttributes;
-    USHORT HandleValue;
-    PVOID Object;
-    ULONG GrantedAccess;
-} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
- 
-typedef struct _SYSTEM_HANDLE_INFORMATION {
-    ULONG NumberOfHandles;
-    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
-} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
- 
-typedef enum _POOL_TYPE {
-    NonPagedPool,
-    PagedPool,
-    NonPagedPoolMustSucceed,
-    DontUseThisType,
-    NonPagedPoolCacheAligned,
-    PagedPoolCacheAligned,
-    NonPagedPoolCacheAlignedMustS
-} POOL_TYPE, *PPOOL_TYPE;
- 
-typedef struct _OBJECT_TYPE_INFORMATION {
-    UNICODE_STRING Name;
-    ULONG TotalNumberOfObjects;
-    ULONG TotalNumberOfHandles;
-    ULONG TotalPagedPoolUsage;
-    ULONG TotalNonPagedPoolUsage;
-    ULONG TotalNamePoolUsage;
-    ULONG TotalHandleTableUsage;
-    ULONG HighWaterNumberOfObjects;
-    ULONG HighWaterNumberOfHandles;
-    ULONG HighWaterPagedPoolUsage;
-    ULONG HighWaterNonPagedPoolUsage;
-    ULONG HighWaterNamePoolUsage;
-    ULONG HighWaterHandleTableUsage;
-    ULONG InvalidAttributes;
-    GENERIC_MAPPING GenericMapping;
-    ULONG ValidAccess;
-    BOOLEAN SecurityRequired;
-    BOOLEAN MaintainHandleCount;
-    USHORT MaintainTypeList;
-    POOL_TYPE PoolType;
-    ULONG PagedPoolUsage;
-    ULONG NonPagedPoolUsage;
-} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
-

KIT/FindLib/README.md

@@ -1,16 +0,0 @@
-# FindLib
-Find a specific loaded module in all processes or list all loaded modules in a specific process.
-
-## Options
-* `search`: find all processes that have loaded a specific module (e.g. winhttp.dll or ws2_32.dll).
-* `list`: list all loaded modules in a remote process.
-
-## Usage
-* `findlib search <module name>`
-* `findlib list <pid>`
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindLib/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindLib/bofcompile.bat

@@ -1,5 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findlib.c
-move /y findlib.obj findlib.o
-

KIT/FindLib/findlib.c

@@ -1,197 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include <tlhelp32.h>
-#include <psapi.h>
-#include <shlwapi.h>
-#include "findlib.h"
-#include "beacon.h"
-
-#pragma comment(lib, "ntdll.lib")
-#pragma comment(lib, "Shlwapi.lib")
-
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-
-
-BOOL ListModules(int pid, char *targetModName) {
-    HANDLE hProcess;
-    MEMORY_BASIC_INFORMATION mbi;
-    char * base = NULL;
-	BOOL foundModule = FALSE;
-
-    hProcess = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
-	if (hProcess == NULL) return foundModule;
-
-	while (KERNEL32$VirtualQueryEx(hProcess, base, &mbi, sizeof(mbi)) == sizeof(MEMORY_BASIC_INFORMATION)) {
-		char fqModPath[MAX_PATH];
-		char modName[MAX_PATH];
-
-		if(targetModName != NULL) {
-			// only focus on the base address regions
-			if ((mbi.AllocationBase == mbi.BaseAddress) && (mbi.AllocationBase != NULL)) {
-				if (KERNEL32$K32GetModuleBaseNameA(hProcess, (HMODULE) mbi.AllocationBase, (LPSTR) modName, sizeof(modName) / sizeof(TCHAR))) {
-					if(MSVCRT$strcmp(targetModName, modName) == 0) {
-						KERNEL32$K32GetModuleFileNameExA(hProcess, (HMODULE) mbi.AllocationBase, (LPSTR) fqModPath, sizeof(fqModPath) / sizeof(TCHAR));
-						internal_printf("\nModulePath:\t%s\nModuleAddr:\t%#llx\n", fqModPath, mbi.AllocationBase);
-						foundModule = TRUE;
-					}
-				}
-			}
-			// check the next region
-			base += mbi.RegionSize;
-		}
-		else {
-			
-			// only focus on the base address regions
-			if ((mbi.AllocationBase == mbi.BaseAddress) && (mbi.AllocationBase != NULL)) {
-				if (KERNEL32$K32GetModuleFileNameExA(hProcess, (HMODULE) mbi.AllocationBase, (LPSTR) fqModPath, sizeof(fqModPath) / sizeof(TCHAR))) {
-					internal_printf("ModulePath [%#llx]: %s\n", mbi.AllocationBase, fqModPath);
-					foundModule = TRUE;
-				}
-			}
-			// check the next region
-			base += mbi.RegionSize;
-		}
-	}
-	KERNEL32$CloseHandle(hProcess);
-	return foundModule;
-}
-
-
-BOOL FindProcess(char *targetModName) {
-	int procID = 0;
-	HANDLE currentProc = NULL;
-	char procPath[MAX_PATH];
-	char procName[MAX_PATH];
-	BOOL foundProc = FALSE;
-	BOOL res = FALSE;
-	
-	// resolve function address
-	NtGetNextProcess_t pNtGetNextProcess = (NtGetNextProcess_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtGetNextProcess");
-	
-	// loop through all processes
-	while (!pNtGetNextProcess(currentProc, MAXIMUM_ALLOWED, 0, 0, &currentProc)) {
-		procID = KERNEL32$GetProcessId(currentProc);
-		
-		if(procID == 4) continue;
-		if (procID == KERNEL32$GetCurrentProcessId()) continue;
-		if (procID != 0) foundProc = ListModules(procID, targetModName);
-		if(foundProc) {
-			KERNEL32$K32GetProcessImageFileNameA(currentProc, procPath, MAX_PATH);
-			MSVCRT$strncpy(procName, SHLWAPI$PathFindFileNameA(procPath), MAX_PATH);
-			internal_printf("ProcName:\t%s\nProcID:\t\t%d\nProcPath:\tC:\%s\n", procName, procID, procPath);
-			res = TRUE;
-		}
-	}
-	return res;
-}
-
-
-int go(char *args, int len) {
-	int pid = 0;
-	BOOL res = NULL;
-	CHAR *option;
-	CHAR *targetModName;
-	datap parser;
-	
-	BeaconDataParse(&parser, args, len);
-	option = BeaconDataExtract(&parser, NULL);
-	if(!bofstart()) return;
-	
-	if (MSVCRT$strcmp(option, "list") == 0) {
-		pid = BeaconDataInt(&parser);
-		BeaconPrintf(CALLBACK_OUTPUT, "[*] Start enumerating loaded modules for PID: %d\n\n", pid);
-		internal_printf("[+] FOUND MODULES:\n==============================================================\n"); 
-		res = ListModules(pid, NULL);
-	}
-	else if (MSVCRT$strcmp(option, "search") == 0) {
-		targetModName = BeaconDataExtract(&parser, NULL);
-		BeaconPrintf(CALLBACK_OUTPUT, "[*] Start enumerating processes that loaded module: %s\n[!] Can take some time..\n\n", targetModName);
-		internal_printf("[+] FOUND PROCESSES:\n==============================================================\n"); 
-		res = FindProcess(targetModName);
-	}
-	else {
-		BeaconPrintf(CALLBACK_ERROR, "This enumeration option isn't supported. Please specify one of the following enumeration options: search | list\n");
-		return 0;
-	}
-
-	if(!res) BeaconPrintf(CALLBACK_ERROR, "No modules found for this search query!\n\n");
-	else {
-		printoutput(TRUE);
-	}
-	return 0;
-}
-
-
-

KIT/FindLib/findlib.cna

@@ -1,53 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-    "findlib", "Find loaded module(s) in remote process(es)",
-    "INFO:\nFind a specific loaded module in all processes OR list all loaded modules in a specific process.\n\nOPTIONS:\n[search]: find all processes that have loaded a specific module (e.g. winhttp.dll or ws2_32.dll).\n[list]: list all loaded modules in a remote process.\n\n" .
-    "USAGE:\nfindlib search <module name>\nfindlib list <pid>\n\n");
-	
-
-
-alias findlib {
-    $bid = $1;
-    $option = $2;
-    $target = $3;
-
-    if ($option eq "") {
-        berror($bid, "Please specify one of the following enumeration options: search | list\n");
-        return;
-    }
-
-    if ($option eq "search" || $option eq "list") {
-        if ($option eq "search" && $target eq "") {
-            berror($bid, "Please specify a module name to search for\n");
-            return;
-        }
-
-        if ($option eq "list" && $target eq "") {
-            berror($bid, "Please specify the pid of the target process to enumerate\n");
-            return;
-        }
-    }
-    else {
-        berror($bid, "This enumeration option isn't supported. Please specify one of the following enumeration options: search | list\n");
-        return;
-    }
-
-    # Read in the right BOF file
-    $handle = openf(script_resource("findlib.o"));
-    $data   = readb($handle, -1);
-    closef($handle);
-
-    # Pack our arguments
-    if ($option eq "search") {
-       $arg_data  = bof_pack($bid, "zz", $option, $target);
-    }
-    else {
-        $arg_data  = bof_pack($bid, "zi", $option, $target);
-    }
-
-    blog($bid, "Tasked to enumerate loaded modules..");
-    beacon_inline_execute($bid, $data, "go", $arg_data);
-}
-
-

KIT/FindLib/findlib.disasm

@@ -1,529 +0,0 @@
-Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
-Copyright (C) Microsoft Corporation.  All rights reserved.
-
-
-Dump of file findlib.o
-
-File Type: COFF OBJECT
-
-bofstart:
-  0000000000000000: 48 83 EC 28        sub         rsp,28h
-  0000000000000004: BA 01 00 00 00     mov         edx,1
-  0000000000000009: B9 00 20 00 00     mov         ecx,2000h
-  000000000000000E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$calloc]
-  0000000000000014: 48 89 05 00 00 00  mov         qword ptr [output],rax
-                    00
-  000000000000001B: 33 C0              xor         eax,eax
-  000000000000001D: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  0000000000000024: B8 01 00 00 00     mov         eax,1
-  0000000000000029: 48 83 C4 28        add         rsp,28h
-  000000000000002D: C3                 ret
-  000000000000002E: CC                 int         3
-  000000000000002F: CC                 int         3
-  0000000000000030: CC                 int         3
-  0000000000000031: CC                 int         3
-  0000000000000032: CC                 int         3
-  0000000000000033: CC                 int         3
-  0000000000000034: CC                 int         3
-  0000000000000035: CC                 int         3
-  0000000000000036: CC                 int         3
-  0000000000000037: CC                 int         3
-  0000000000000038: CC                 int         3
-  0000000000000039: CC                 int         3
-  000000000000003A: CC                 int         3
-  000000000000003B: CC                 int         3
-  000000000000003C: CC                 int         3
-  000000000000003D: CC                 int         3
-  000000000000003E: CC                 int         3
-  000000000000003F: CC                 int         3
-internal_printf:
-  0000000000000040: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
-  0000000000000045: 48 89 54 24 10     mov         qword ptr [rsp+10h],rdx
-  000000000000004A: 4C 89 44 24 18     mov         qword ptr [rsp+18h],r8
-  000000000000004F: 4C 89 4C 24 20     mov         qword ptr [rsp+20h],r9
-  0000000000000054: 48 83 EC 58        sub         rsp,58h
-  0000000000000058: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
-                    00 00
-  0000000000000060: C7 44 24 24 00 00  mov         dword ptr [rsp+24h],0
-                    00 00
-  0000000000000068: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
-                    00 00 00
-  0000000000000071: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
-                    00 00 00
-  000000000000007A: 48 8D 44 24 68     lea         rax,[rsp+68h]
-  000000000000007F: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  0000000000000084: 4C 8B 4C 24 28     mov         r9,qword ptr [rsp+28h]
-  0000000000000089: 4C 8B 44 24 60     mov         r8,qword ptr [rsp+60h]
-  000000000000008E: 33 D2              xor         edx,edx
-  0000000000000090: 33 C9              xor         ecx,ecx
-  0000000000000092: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$vsnprintf]
-  0000000000000098: 89 44 24 20        mov         dword ptr [rsp+20h],eax
-  000000000000009C: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
-                    00 00 00
-  00000000000000A5: 83 7C 24 20 FF     cmp         dword ptr [rsp+20h],0FFFFFFFFh
-  00000000000000AA: 75 05              jne         00000000000000B1
-  00000000000000AC: E9 C2 01 00 00     jmp         0000000000000273
-  00000000000000B1: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  00000000000000B7: 41 B8 00 20 00 00  mov         r8d,2000h
-  00000000000000BD: BA 08 00 00 00     mov         edx,8
-  00000000000000C2: 48 8B C8           mov         rcx,rax
-  00000000000000C5: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
-  00000000000000CB: 48 89 44 24 40     mov         qword ptr [rsp+40h],rax
-  00000000000000D0: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
-  00000000000000D5: 48 89 44 24 48     mov         qword ptr [rsp+48h],rax
-  00000000000000DA: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  00000000000000E0: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
-  00000000000000E5: 4C 8B C1           mov         r8,rcx
-  00000000000000E8: BA 08 00 00 00     mov         edx,8
-  00000000000000ED: 48 8B C8           mov         rcx,rax
-  00000000000000F0: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
-  00000000000000F6: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
-  00000000000000FB: 48 8D 44 24 68     lea         rax,[rsp+68h]
-  0000000000000100: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  0000000000000105: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
-  000000000000010A: 4C 8B 4C 24 28     mov         r9,qword ptr [rsp+28h]
-  000000000000010F: 4C 8B 44 24 60     mov         r8,qword ptr [rsp+60h]
-  0000000000000114: 48 8B D0           mov         rdx,rax
-  0000000000000117: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
-  000000000000011C: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$vsnprintf]
-  0000000000000122: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
-                    00 00 00
-  000000000000012B: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  0000000000000132: 8B 4C 24 20        mov         ecx,dword ptr [rsp+20h]
-  0000000000000136: 03 C8              add         ecx,eax
-  0000000000000138: 8B C1              mov         eax,ecx
-  000000000000013A: 3D 00 20 00 00     cmp         eax,2000h
-  000000000000013F: 7D 3E              jge         000000000000017F
-  0000000000000141: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
-  0000000000000146: 0F B7 0D 00 00 00  movzx       ecx,word ptr [currentoutsize]
-                    00
-  000000000000014D: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
-                    00
-  0000000000000154: 48 03 D1           add         rdx,rcx
-  0000000000000157: 48 8B CA           mov         rcx,rdx
-  000000000000015A: 4C 8B C0           mov         r8,rax
-  000000000000015D: 48 8B 54 24 30     mov         rdx,qword ptr [rsp+30h]
-  0000000000000162: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
-  0000000000000168: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  000000000000016F: 03 44 24 20        add         eax,dword ptr [rsp+20h]
-  0000000000000173: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  000000000000017A: E9 C8 00 00 00     jmp         0000000000000247
-  000000000000017F: 48 8B 44 24 30     mov         rax,qword ptr [rsp+30h]
-  0000000000000184: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
-  0000000000000189: 83 7C 24 20 00     cmp         dword ptr [rsp+20h],0
-  000000000000018E: 0F 8E B3 00 00 00  jle         0000000000000247
-  0000000000000194: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  000000000000019B: B9 00 20 00 00     mov         ecx,2000h
-  00000000000001A0: 2B C8              sub         ecx,eax
-  00000000000001A2: 8B C1              mov         eax,ecx
-  00000000000001A4: 89 44 24 24        mov         dword ptr [rsp+24h],eax
-  00000000000001A8: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
-  00000000000001AC: 39 44 24 20        cmp         dword ptr [rsp+20h],eax
-  00000000000001B0: 7D 08              jge         00000000000001BA
-  00000000000001B2: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
-  00000000000001B6: 89 44 24 24        mov         dword ptr [rsp+24h],eax
-  00000000000001BA: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
-  00000000000001BF: 0F B7 0D 00 00 00  movzx       ecx,word ptr [currentoutsize]
-                    00
-  00000000000001C6: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
-                    00
-  00000000000001CD: 48 03 D1           add         rdx,rcx
-  00000000000001D0: 48 8B CA           mov         rcx,rdx
-  00000000000001D3: 4C 8B C0           mov         r8,rax
-  00000000000001D6: 48 8B 54 24 38     mov         rdx,qword ptr [rsp+38h]
-  00000000000001DB: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
-  00000000000001E1: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  00000000000001E8: 03 44 24 24        add         eax,dword ptr [rsp+24h]
-  00000000000001EC: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  00000000000001F3: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  00000000000001FA: 3D 00 20 00 00     cmp         eax,2000h
-  00000000000001FF: 75 07              jne         0000000000000208
-  0000000000000201: 33 C9              xor         ecx,ecx
-  0000000000000203: E8 00 00 00 00     call        printoutput
-  0000000000000208: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
-  000000000000020D: 4C 8B C0           mov         r8,rax
-  0000000000000210: 33 D2              xor         edx,edx
-  0000000000000212: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
-  0000000000000217: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
-  000000000000021D: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
-  0000000000000222: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
-  0000000000000227: 48 03 C8           add         rcx,rax
-  000000000000022A: 48 8B C1           mov         rax,rcx
-  000000000000022D: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
-  0000000000000232: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
-  0000000000000236: 8B 4C 24 20        mov         ecx,dword ptr [rsp+20h]
-  000000000000023A: 2B C8              sub         ecx,eax
-  000000000000023C: 8B C1              mov         eax,ecx
-  000000000000023E: 89 44 24 20        mov         dword ptr [rsp+20h],eax
-  0000000000000242: E9 42 FF FF FF     jmp         0000000000000189
-  0000000000000247: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  000000000000024D: 4C 8B 44 24 30     mov         r8,qword ptr [rsp+30h]
-  0000000000000252: 33 D2              xor         edx,edx
-  0000000000000254: 48 8B C8           mov         rcx,rax
-  0000000000000257: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
-  000000000000025D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  0000000000000263: 4C 8B 44 24 40     mov         r8,qword ptr [rsp+40h]
-  0000000000000268: 33 D2              xor         edx,edx
-  000000000000026A: 48 8B C8           mov         rcx,rax
-  000000000000026D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
-  0000000000000273: 48 83 C4 58        add         rsp,58h
-  0000000000000277: C3                 ret
-  0000000000000278: CC                 int         3
-  0000000000000279: CC                 int         3
-  000000000000027A: CC                 int         3
-  000000000000027B: CC                 int         3
-  000000000000027C: CC                 int         3
-  000000000000027D: CC                 int         3
-  000000000000027E: CC                 int         3
-  000000000000027F: CC                 int         3
-printoutput:
-  0000000000000280: 89 4C 24 08        mov         dword ptr [rsp+8],ecx
-  0000000000000284: 48 83 EC 38        sub         rsp,38h
-  0000000000000288: 48 C7 44 24 20 00  mov         qword ptr [rsp+20h],0
-                    00 00 00
-  0000000000000291: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  0000000000000298: 44 8B C0           mov         r8d,eax
-  000000000000029B: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
-                    00
-  00000000000002A2: 33 C9              xor         ecx,ecx
-  00000000000002A4: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconOutput]
-  00000000000002AA: 33 C0              xor         eax,eax
-  00000000000002AC: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  00000000000002B3: 41 B8 00 20 00 00  mov         r8d,2000h
-  00000000000002B9: 33 D2              xor         edx,edx
-  00000000000002BB: 48 8B 0D 00 00 00  mov         rcx,qword ptr [output]
-                    00
-  00000000000002C2: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
-  00000000000002C8: 83 7C 24 40 00     cmp         dword ptr [rsp+40h],0
-  00000000000002CD: 74 18              je          00000000000002E7
-  00000000000002CF: 48 8B 0D 00 00 00  mov         rcx,qword ptr [output]
-                    00
-  00000000000002D6: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
-  00000000000002DC: 48 C7 05 00 00 00  mov         qword ptr [output],0
-                    00 00 00 00 00
-  00000000000002E7: 48 83 C4 38        add         rsp,38h
-  00000000000002EB: C3                 ret
-  00000000000002EC: CC                 int         3
-  00000000000002ED: CC                 int         3
-  00000000000002EE: CC                 int         3
-  00000000000002EF: CC                 int         3
-  00000000000002F0: CC                 int         3
-  00000000000002F1: CC                 int         3
-  00000000000002F2: CC                 int         3
-  00000000000002F3: CC                 int         3
-  00000000000002F4: CC                 int         3
-  00000000000002F5: CC                 int         3
-  00000000000002F6: CC                 int         3
-  00000000000002F7: CC                 int         3
-  00000000000002F8: CC                 int         3
-  00000000000002F9: CC                 int         3
-  00000000000002FA: CC                 int         3
-  00000000000002FB: CC                 int         3
-  00000000000002FC: CC                 int         3
-  00000000000002FD: CC                 int         3
-  00000000000002FE: CC                 int         3
-  00000000000002FF: CC                 int         3
-ListModules:
-  0000000000000300: 48 89 54 24 10     mov         qword ptr [rsp+10h],rdx
-  0000000000000305: 89 4C 24 08        mov         dword ptr [rsp+8],ecx
-  0000000000000309: 48 81 EC 98 02 00  sub         rsp,298h
-                    00
-  0000000000000310: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
-                    00 00 00
-  0000000000000319: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
-                    00 00
-  0000000000000321: 44 8B 84 24 A0 02  mov         r8d,dword ptr [rsp+2A0h]
-                    00 00
-  0000000000000329: 33 D2              xor         edx,edx
-  000000000000032B: B9 10 04 00 00     mov         ecx,410h
-  0000000000000330: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$OpenProcess]
-  0000000000000336: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  000000000000033B: 48 83 7C 24 28 00  cmp         qword ptr [rsp+28h],0
-  0000000000000341: 75 09              jne         000000000000034C
-  0000000000000343: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
-  0000000000000347: E9 4E 01 00 00     jmp         000000000000049A
-  000000000000034C: 41 B9 30 00 00 00  mov         r9d,30h
-  0000000000000352: 4C 8D 44 24 38     lea         r8,[rsp+38h]
-  0000000000000357: 48 8B 54 24 30     mov         rdx,qword ptr [rsp+30h]
-  000000000000035C: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  0000000000000361: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$VirtualQueryEx]
-  0000000000000367: 48 83 F8 30        cmp         rax,30h
-  000000000000036B: 0F 85 1A 01 00 00  jne         000000000000048B
-  0000000000000371: 48 83 BC 24 A8 02  cmp         qword ptr [rsp+2A8h],0
-                    00 00 00
-  000000000000037A: 0F 84 A0 00 00 00  je          0000000000000420
-  0000000000000380: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
-  0000000000000385: 48 39 44 24 40     cmp         qword ptr [rsp+40h],rax
-  000000000000038A: 75 7D              jne         0000000000000409
-  000000000000038C: 48 83 7C 24 40 00  cmp         qword ptr [rsp+40h],0
-  0000000000000392: 74 75              je          0000000000000409
-  0000000000000394: 41 B9 04 01 00 00  mov         r9d,104h
-  000000000000039A: 4C 8D 84 24 80 01  lea         r8,[rsp+180h]
-                    00 00
-  00000000000003A2: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
-  00000000000003A7: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  00000000000003AC: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$K32GetModuleBaseNameA]
-  00000000000003B2: 85 C0              test        eax,eax
-  00000000000003B4: 74 53              je          0000000000000409
-  00000000000003B6: 48 8D 94 24 80 01  lea         rdx,[rsp+180h]
-                    00 00
-  00000000000003BE: 48 8B 8C 24 A8 02  mov         rcx,qword ptr [rsp+2A8h]
-                    00 00
-  00000000000003C6: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$strcmp]
-  00000000000003CC: 85 C0              test        eax,eax
-  00000000000003CE: 75 39              jne         0000000000000409
-  00000000000003D0: 41 B9 04 01 00 00  mov         r9d,104h
-  00000000000003D6: 4C 8D 44 24 70     lea         r8,[rsp+70h]
-  00000000000003DB: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
-  00000000000003E0: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  00000000000003E5: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$K32GetModuleFileNameExA]
-  00000000000003EB: 4C 8B 44 24 40     mov         r8,qword ptr [rsp+40h]
-  00000000000003F0: 48 8D 54 24 70     lea         rdx,[rsp+70h]
-  00000000000003F5: 48 8D 0D 00 00 00  lea         rcx,[$SG102248]
-                    00
-  00000000000003FC: E8 00 00 00 00     call        internal_printf
-  0000000000000401: C7 44 24 20 01 00  mov         dword ptr [rsp+20h],1
-                    00 00
-  0000000000000409: 48 8B 44 24 50     mov         rax,qword ptr [rsp+50h]
-  000000000000040E: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
-  0000000000000413: 48 03 C8           add         rcx,rax
-  0000000000000416: 48 8B C1           mov         rax,rcx
-  0000000000000419: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
-  000000000000041E: EB 66              jmp         0000000000000486
-  0000000000000420: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
-  0000000000000425: 48 39 44 24 40     cmp         qword ptr [rsp+40h],rax
-  000000000000042A: 75 45              jne         0000000000000471
-  000000000000042C: 48 83 7C 24 40 00  cmp         qword ptr [rsp+40h],0
-  0000000000000432: 74 3D              je          0000000000000471
-  0000000000000434: 41 B9 04 01 00 00  mov         r9d,104h
-  000000000000043A: 4C 8D 44 24 70     lea         r8,[rsp+70h]
-  000000000000043F: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
-  0000000000000444: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  0000000000000449: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$K32GetModuleFileNameExA]
-  000000000000044F: 85 C0              test        eax,eax
-  0000000000000451: 74 1E              je          0000000000000471
-  0000000000000453: 4C 8D 44 24 70     lea         r8,[rsp+70h]
-  0000000000000458: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
-  000000000000045D: 48 8D 0D 00 00 00  lea         rcx,[$SG102251]
-                    00
-  0000000000000464: E8 00 00 00 00     call        internal_printf
-  0000000000000469: C7 44 24 20 01 00  mov         dword ptr [rsp+20h],1
-                    00 00
-  0000000000000471: 48 8B 44 24 50     mov         rax,qword ptr [rsp+50h]
-  0000000000000476: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
-  000000000000047B: 48 03 C8           add         rcx,rax
-  000000000000047E: 48 8B C1           mov         rax,rcx
-  0000000000000481: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
-  0000000000000486: E9 C1 FE FF FF     jmp         000000000000034C
-  000000000000048B: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  0000000000000490: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$CloseHandle]
-  0000000000000496: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
-  000000000000049A: 48 81 C4 98 02 00  add         rsp,298h
-                    00
-  00000000000004A1: C3                 ret
-  00000000000004A2: CC                 int         3
-  00000000000004A3: CC                 int         3
-  00000000000004A4: CC                 int         3
-  00000000000004A5: CC                 int         3
-  00000000000004A6: CC                 int         3
-  00000000000004A7: CC                 int         3
-  00000000000004A8: CC                 int         3
-  00000000000004A9: CC                 int         3
-  00000000000004AA: CC                 int         3
-  00000000000004AB: CC                 int         3
-  00000000000004AC: CC                 int         3
-  00000000000004AD: CC                 int         3
-  00000000000004AE: CC                 int         3
-  00000000000004AF: CC                 int         3
-FindProcess:
-  00000000000004B0: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
-  00000000000004B5: 48 81 EC 78 02 00  sub         rsp,278h
-                    00
-  00000000000004BC: C7 44 24 30 00 00  mov         dword ptr [rsp+30h],0
-                    00 00
-  00000000000004C4: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
-                    00 00 00
-  00000000000004CD: C7 44 24 34 00 00  mov         dword ptr [rsp+34h],0
-                    00 00
-  00000000000004D5: C7 44 24 38 00 00  mov         dword ptr [rsp+38h],0
-                    00 00
-  00000000000004DD: 48 8D 0D 00 00 00  lea         rcx,[$SG102268]
-                    00
-  00000000000004E4: FF 15 00 00 00 00  call        qword ptr [__imp_GetModuleHandleA]
-  00000000000004EA: 48 8D 15 00 00 00  lea         rdx,[$SG102267]
-                    00
-  00000000000004F1: 48 8B C8           mov         rcx,rax
-  00000000000004F4: FF 15 00 00 00 00  call        qword ptr [__imp_GetProcAddress]
-  00000000000004FA: 48 89 44 24 48     mov         qword ptr [rsp+48h],rax
-  00000000000004FF: 48 8D 44 24 40     lea         rax,[rsp+40h]
-  0000000000000504: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
-  0000000000000509: 45 33 C9           xor         r9d,r9d
-  000000000000050C: 45 33 C0           xor         r8d,r8d
-  000000000000050F: BA 00 00 00 02     mov         edx,2000000h
-  0000000000000514: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
-  0000000000000519: FF 54 24 48        call        qword ptr [rsp+48h]
-  000000000000051D: 85 C0              test        eax,eax
-  000000000000051F: 0F 85 B0 00 00 00  jne         00000000000005D5
-  0000000000000525: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
-  000000000000052A: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessId]
-  0000000000000530: 89 44 24 30        mov         dword ptr [rsp+30h],eax
-  0000000000000534: 83 7C 24 30 04     cmp         dword ptr [rsp+30h],4
-  0000000000000539: 75 02              jne         000000000000053D
-  000000000000053B: EB C2              jmp         00000000000004FF
-  000000000000053D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetCurrentProcessId]
-  0000000000000543: 48 63 4C 24 30     movsxd      rcx,dword ptr [rsp+30h]
-  0000000000000548: 48 3B C8           cmp         rcx,rax
-  000000000000054B: 75 02              jne         000000000000054F
-  000000000000054D: EB B0              jmp         00000000000004FF
-  000000000000054F: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
-  0000000000000554: 74 15              je          000000000000056B
-  0000000000000556: 48 8B 94 24 80 02  mov         rdx,qword ptr [rsp+280h]
-                    00 00
-  000000000000055E: 8B 4C 24 30        mov         ecx,dword ptr [rsp+30h]
-  0000000000000562: E8 00 00 00 00     call        ListModules
-  0000000000000567: 89 44 24 34        mov         dword ptr [rsp+34h],eax
-  000000000000056B: 83 7C 24 34 00     cmp         dword ptr [rsp+34h],0
-  0000000000000570: 74 5E              je          00000000000005D0
-  0000000000000572: 41 B8 04 01 00 00  mov         r8d,104h
-  0000000000000578: 48 8D 54 24 50     lea         rdx,[rsp+50h]
-  000000000000057D: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
-  0000000000000582: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$K32GetProcessImageFileNameA]
-  0000000000000588: 48 8D 4C 24 50     lea         rcx,[rsp+50h]
-  000000000000058D: FF 15 00 00 00 00  call        qword ptr [__imp_SHLWAPI$PathFindFileNameA]
-  0000000000000593: 41 B8 04 01 00 00  mov         r8d,104h
-  0000000000000599: 48 8B D0           mov         rdx,rax
-  000000000000059C: 48 8D 8C 24 60 01  lea         rcx,[rsp+160h]
-                    00 00
-  00000000000005A4: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$strncpy]
-  00000000000005AA: 4C 8D 4C 24 50     lea         r9,[rsp+50h]
-  00000000000005AF: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
-  00000000000005B4: 48 8D 94 24 60 01  lea         rdx,[rsp+160h]
-                    00 00
-  00000000000005BC: 48 8D 0D 00 00 00  lea         rcx,[$SG102273]
-                    00
-  00000000000005C3: E8 00 00 00 00     call        internal_printf
-  00000000000005C8: C7 44 24 38 01 00  mov         dword ptr [rsp+38h],1
-                    00 00
-  00000000000005D0: E9 2A FF FF FF     jmp         00000000000004FF
-  00000000000005D5: 8B 44 24 38        mov         eax,dword ptr [rsp+38h]
-  00000000000005D9: 48 81 C4 78 02 00  add         rsp,278h
-                    00
-  00000000000005E0: C3                 ret
-  00000000000005E1: CC                 int         3
-  00000000000005E2: CC                 int         3
-  00000000000005E3: CC                 int         3
-  00000000000005E4: CC                 int         3
-  00000000000005E5: CC                 int         3
-  00000000000005E6: CC                 int         3
-  00000000000005E7: CC                 int         3
-  00000000000005E8: CC                 int         3
-  00000000000005E9: CC                 int         3
-  00000000000005EA: CC                 int         3
-  00000000000005EB: CC                 int         3
-  00000000000005EC: CC                 int         3
-  00000000000005ED: CC                 int         3
-  00000000000005EE: CC                 int         3
-  00000000000005EF: CC                 int         3
-go:
-  00000000000005F0: 89 54 24 10        mov         dword ptr [rsp+10h],edx
-  00000000000005F4: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
-  00000000000005F9: 48 83 EC 58        sub         rsp,58h
-  00000000000005FD: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
-                    00 00
-  0000000000000605: C7 44 24 24 00 00  mov         dword ptr [rsp+24h],0
-                    00 00
-  000000000000060D: 44 8B 44 24 68     mov         r8d,dword ptr [rsp+68h]
-  0000000000000612: 48 8B 54 24 60     mov         rdx,qword ptr [rsp+60h]
-  0000000000000617: 48 8D 4C 24 38     lea         rcx,[rsp+38h]
-  000000000000061C: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataParse]
-  0000000000000622: 33 D2              xor         edx,edx
-  0000000000000624: 48 8D 4C 24 38     lea         rcx,[rsp+38h]
-  0000000000000629: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataExtract]
-  000000000000062F: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  0000000000000634: E8 00 00 00 00     call        bofstart
-  0000000000000639: 85 C0              test        eax,eax
-  000000000000063B: 75 05              jne         0000000000000642
-  000000000000063D: E9 EB 00 00 00     jmp         000000000000072D
-  0000000000000642: 48 8D 15 00 00 00  lea         rdx,[$SG102292]
-                    00
-  0000000000000649: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  000000000000064E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$strcmp]
-  0000000000000654: 85 C0              test        eax,eax
-  0000000000000656: 75 40              jne         0000000000000698
-  0000000000000658: 48 8D 4C 24 38     lea         rcx,[rsp+38h]
-  000000000000065D: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataInt]
-  0000000000000663: 89 44 24 20        mov         dword ptr [rsp+20h],eax
-  0000000000000667: 44 8B 44 24 20     mov         r8d,dword ptr [rsp+20h]
-  000000000000066C: 48 8D 15 00 00 00  lea         rdx,[$SG102293]
-                    00
-  0000000000000673: 33 C9              xor         ecx,ecx
-  0000000000000675: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  000000000000067B: 48 8D 0D 00 00 00  lea         rcx,[$SG102294]
-                    00
-  0000000000000682: E8 00 00 00 00     call        internal_printf
-  0000000000000687: 33 D2              xor         edx,edx
-  0000000000000689: 8B 4C 24 20        mov         ecx,dword ptr [rsp+20h]
-  000000000000068D: E8 00 00 00 00     call        ListModules
-  0000000000000692: 89 44 24 24        mov         dword ptr [rsp+24h],eax
-  0000000000000696: EB 6E              jmp         0000000000000706
-  0000000000000698: 48 8D 15 00 00 00  lea         rdx,[$SG102297]
-                    00
-  000000000000069F: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  00000000000006A4: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$strcmp]
-  00000000000006AA: 85 C0              test        eax,eax
-  00000000000006AC: 75 42              jne         00000000000006F0
-  00000000000006AE: 33 D2              xor         edx,edx
-  00000000000006B0: 48 8D 4C 24 38     lea         rcx,[rsp+38h]
-  00000000000006B5: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataExtract]
-  00000000000006BB: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
-  00000000000006C0: 4C 8B 44 24 30     mov         r8,qword ptr [rsp+30h]
-  00000000000006C5: 48 8D 15 00 00 00  lea         rdx,[$SG102298]
-                    00
-  00000000000006CC: 33 C9              xor         ecx,ecx
-  00000000000006CE: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  00000000000006D4: 48 8D 0D 00 00 00  lea         rcx,[$SG102299]
-                    00
-  00000000000006DB: E8 00 00 00 00     call        internal_printf
-  00000000000006E0: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
-  00000000000006E5: E8 00 00 00 00     call        FindProcess
-  00000000000006EA: 89 44 24 24        mov         dword ptr [rsp+24h],eax
-  00000000000006EE: EB 16              jmp         0000000000000706
-  00000000000006F0: 48 8D 15 00 00 00  lea         rdx,[$SG102300]
-                    00
-  00000000000006F7: B9 0D 00 00 00     mov         ecx,0Dh
-  00000000000006FC: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  0000000000000702: 33 C0              xor         eax,eax
-  0000000000000704: EB 27              jmp         000000000000072D
-  0000000000000706: 83 7C 24 24 00     cmp         dword ptr [rsp+24h],0
-  000000000000070B: 75 14              jne         0000000000000721
-  000000000000070D: 48 8D 15 00 00 00  lea         rdx,[$SG102303]
-                    00
-  0000000000000714: B9 0D 00 00 00     mov         ecx,0Dh
-  0000000000000719: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  000000000000071F: EB 0A              jmp         000000000000072B
-  0000000000000721: B9 01 00 00 00     mov         ecx,1
-  0000000000000726: E8 00 00 00 00     call        printoutput
-  000000000000072B: 33 C0              xor         eax,eax
-  000000000000072D: 48 83 C4 58        add         rsp,58h
-  0000000000000731: C3                 ret
-
-  Summary
-
-          18 .bss
-          40 .chks64
-         2A2 .data
-          8C .debug$S
-          8F .drectve
-          48 .pdata
-         732 .text$mn
-          30 .xdata

KIT/FindLib/findlib.h

@@ -1,30 +0,0 @@
-#include <windows.h>
-
-//ListModules
-DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
-WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);
-WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); 
-DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject);
-DECLSPEC_IMPORT SIZE_T WINAPI KERNEL32$VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$K32GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule, LPSTR lpBaseName, DWORD nSize);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$K32GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule, LPSTR lpFilename, DWORD nSize);
-
-
-//FindProcess
-typedef NTSTATUS (NTAPI * NtGetNextProcess_t)(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, ULONG HandleAttributes, ULONG Flags, PHANDLE NewProcessHandle);
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE Process);
-DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcessId();
-DECLSPEC_IMPORT DWORD WINAPI KERNEL32$K32GetProcessImageFileNameA(HANDLE hProcess, LPSTR lpImageFileName, DWORD nSize);
-DECLSPEC_IMPORT LPCSTR WINAPI SHLWAPI$PathFindFileNameA(LPCSTR pszPath);
-WINBASEAPI char* WINAPI MSVCRT$strncpy(char* dest, const char* src, size_t n);
-
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);

KIT/FindRWX/README.md

@@ -1,14 +0,0 @@
-# FindRWX
-Find processes that already have memory allocated for read/write/execute (like most .NET processes).
-
-## Options
-* `<pid>`: specify target process ID to enumerate.
-
-## Usage
-* `findrwx <pid>`
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindRWX/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindRWX/bofcompile.bat

@@ -1,4 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findrwx.c
-move /y findrwx.obj findrwx.o

KIT/FindRWX/findrwx.c

@@ -1,137 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include <strsafe.h>
-#include <winternl.h>
-#include "beacon.h"
-#include "findrwx.h"
-
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-BOOL FindRWX(HANDLE hProcess) {
-	BOOL foundRWX = FALSE;
-	LPVOID addr = 0;
-	MEMORY_BASIC_INFORMATION mbi;
-	mbi.BaseAddress = 0;
-	mbi.AllocationBase = 0;
-	mbi.AllocationProtect = 0;
-	mbi.RegionSize = 0;
-	mbi.State = 0;
-	mbi.Protect = 0;
-	mbi.Type = 0;
-	
-	internal_printf("\nMemory address\t\t\tByte size\n");
-	internal_printf("================================================\n");
-	
-	while (KERNEL32$VirtualQueryEx(hProcess, addr, &mbi, sizeof(mbi))) {
-		addr = (LPVOID)((DWORD_PTR) mbi.BaseAddress + mbi.RegionSize);
-
-		if (mbi.Protect == PAGE_EXECUTE_READWRITE && mbi.State == MEM_COMMIT && mbi.Type == MEM_PRIVATE) {
-			internal_printf("%#-30llx\t%#7llu\n", mbi.BaseAddress, mbi.RegionSize);
-			foundRWX = TRUE;
-			
-		}
-	}
-	return foundRWX;
-}
-
-
-void go(char *args, int len) {
-	int pID = 0;
-	datap parser;
-	HANDLE hProcess = NULL;
-	BOOL res = NULL;
-	
-	BeaconDataParse(&parser, args, len);
-	pID = BeaconDataInt(&parser);
-	if(!bofstart()) return;
-	
-	hProcess = KERNEL32$OpenProcess(PROCESS_ALL_ACCESS, 0, pID);
-	if (hProcess == NULL) {
-		BeaconPrintf(CALLBACK_ERROR, "Error opening remote process or thread!\n");
-		return -1;		
-	}
-	
-	res = FindRWX(hProcess);
-	if(!res) {
-		BeaconPrintf(CALLBACK_ERROR, "No READ, WRITE, EXECUTE memory region found in the specified process!");
-	}
-	else {
-		printoutput(TRUE);
-	}
-
-	KERNEL32$CloseHandle(hProcess);
-	return 0;
-}
-
-

KIT/FindRWX/findrwx.cna

@@ -1,30 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-    "findrwx", "Find RWX memory regions in a target process.",
-    "INFO:\nFind processes that already have memory allocated for read/write/execute (like most .NET processes)\n\nOPTIONS:\n[pid]: target process to enumerate\n\n" .
-    "USAGE:\nfindrwx <pid>\n\n");
-
-alias findrwx {
-    $bid = $1;
-    $pid = $2;
-
-    if ($pid eq "") {
-        berror($bid, "Please make sure that the PID of the target process is specified.");
-        return;
-    }
-
-    # Read in the right BOF file
-    $handle = openf(script_resource("findrwx.o"));
-    $data   = readb($handle, -1);
-    closef($handle);
-
-    # Pack our arguments
-    $arg_data  = bof_pack($bid, "i", $pid);
-
-    blog($bid, "Tasked to verify if the target process has RWX memory regions..");
-
-    beacon_inline_execute($bid, $data, "go", $arg_data);
-}
-
-

KIT/FindRWX/findrwx.disasm

@@ -1,365 +0,0 @@
-Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
-Copyright (C) Microsoft Corporation.  All rights reserved.
-
-
-Dump of file findrwx.o
-
-File Type: COFF OBJECT
-
-bofstart:
-  0000000000000000: 48 83 EC 28        sub         rsp,28h
-  0000000000000004: BA 01 00 00 00     mov         edx,1
-  0000000000000009: B9 00 20 00 00     mov         ecx,2000h
-  000000000000000E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$calloc]
-  0000000000000014: 48 89 05 00 00 00  mov         qword ptr [output],rax
-                    00
-  000000000000001B: 33 C0              xor         eax,eax
-  000000000000001D: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  0000000000000024: B8 01 00 00 00     mov         eax,1
-  0000000000000029: 48 83 C4 28        add         rsp,28h
-  000000000000002D: C3                 ret
-  000000000000002E: CC                 int         3
-  000000000000002F: CC                 int         3
-  0000000000000030: CC                 int         3
-  0000000000000031: CC                 int         3
-  0000000000000032: CC                 int         3
-  0000000000000033: CC                 int         3
-  0000000000000034: CC                 int         3
-  0000000000000035: CC                 int         3
-  0000000000000036: CC                 int         3
-  0000000000000037: CC                 int         3
-  0000000000000038: CC                 int         3
-  0000000000000039: CC                 int         3
-  000000000000003A: CC                 int         3
-  000000000000003B: CC                 int         3
-  000000000000003C: CC                 int         3
-  000000000000003D: CC                 int         3
-  000000000000003E: CC                 int         3
-  000000000000003F: CC                 int         3
-internal_printf:
-  0000000000000040: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
-  0000000000000045: 48 89 54 24 10     mov         qword ptr [rsp+10h],rdx
-  000000000000004A: 4C 89 44 24 18     mov         qword ptr [rsp+18h],r8
-  000000000000004F: 4C 89 4C 24 20     mov         qword ptr [rsp+20h],r9
-  0000000000000054: 48 83 EC 58        sub         rsp,58h
-  0000000000000058: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
-                    00 00
-  0000000000000060: C7 44 24 24 00 00  mov         dword ptr [rsp+24h],0
-                    00 00
-  0000000000000068: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
-                    00 00 00
-  0000000000000071: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
-                    00 00 00
-  000000000000007A: 48 8D 44 24 68     lea         rax,[rsp+68h]
-  000000000000007F: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  0000000000000084: 4C 8B 4C 24 28     mov         r9,qword ptr [rsp+28h]
-  0000000000000089: 4C 8B 44 24 60     mov         r8,qword ptr [rsp+60h]
-  000000000000008E: 33 D2              xor         edx,edx
-  0000000000000090: 33 C9              xor         ecx,ecx
-  0000000000000092: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$vsnprintf]
-  0000000000000098: 89 44 24 20        mov         dword ptr [rsp+20h],eax
-  000000000000009C: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
-                    00 00 00
-  00000000000000A5: 83 7C 24 20 FF     cmp         dword ptr [rsp+20h],0FFFFFFFFh
-  00000000000000AA: 75 05              jne         00000000000000B1
-  00000000000000AC: E9 C2 01 00 00     jmp         0000000000000273
-  00000000000000B1: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  00000000000000B7: 41 B8 00 20 00 00  mov         r8d,2000h
-  00000000000000BD: BA 08 00 00 00     mov         edx,8
-  00000000000000C2: 48 8B C8           mov         rcx,rax
-  00000000000000C5: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
-  00000000000000CB: 48 89 44 24 40     mov         qword ptr [rsp+40h],rax
-  00000000000000D0: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
-  00000000000000D5: 48 89 44 24 48     mov         qword ptr [rsp+48h],rax
-  00000000000000DA: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  00000000000000E0: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
-  00000000000000E5: 4C 8B C1           mov         r8,rcx
-  00000000000000E8: BA 08 00 00 00     mov         edx,8
-  00000000000000ED: 48 8B C8           mov         rcx,rax
-  00000000000000F0: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
-  00000000000000F6: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
-  00000000000000FB: 48 8D 44 24 68     lea         rax,[rsp+68h]
-  0000000000000100: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  0000000000000105: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
-  000000000000010A: 4C 8B 4C 24 28     mov         r9,qword ptr [rsp+28h]
-  000000000000010F: 4C 8B 44 24 60     mov         r8,qword ptr [rsp+60h]
-  0000000000000114: 48 8B D0           mov         rdx,rax
-  0000000000000117: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
-  000000000000011C: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$vsnprintf]
-  0000000000000122: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
-                    00 00 00
-  000000000000012B: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  0000000000000132: 8B 4C 24 20        mov         ecx,dword ptr [rsp+20h]
-  0000000000000136: 03 C8              add         ecx,eax
-  0000000000000138: 8B C1              mov         eax,ecx
-  000000000000013A: 3D 00 20 00 00     cmp         eax,2000h
-  000000000000013F: 7D 3E              jge         000000000000017F
-  0000000000000141: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
-  0000000000000146: 0F B7 0D 00 00 00  movzx       ecx,word ptr [currentoutsize]
-                    00
-  000000000000014D: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
-                    00
-  0000000000000154: 48 03 D1           add         rdx,rcx
-  0000000000000157: 48 8B CA           mov         rcx,rdx
-  000000000000015A: 4C 8B C0           mov         r8,rax
-  000000000000015D: 48 8B 54 24 30     mov         rdx,qword ptr [rsp+30h]
-  0000000000000162: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
-  0000000000000168: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  000000000000016F: 03 44 24 20        add         eax,dword ptr [rsp+20h]
-  0000000000000173: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  000000000000017A: E9 C8 00 00 00     jmp         0000000000000247
-  000000000000017F: 48 8B 44 24 30     mov         rax,qword ptr [rsp+30h]
-  0000000000000184: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
-  0000000000000189: 83 7C 24 20 00     cmp         dword ptr [rsp+20h],0
-  000000000000018E: 0F 8E B3 00 00 00  jle         0000000000000247
-  0000000000000194: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  000000000000019B: B9 00 20 00 00     mov         ecx,2000h
-  00000000000001A0: 2B C8              sub         ecx,eax
-  00000000000001A2: 8B C1              mov         eax,ecx
-  00000000000001A4: 89 44 24 24        mov         dword ptr [rsp+24h],eax
-  00000000000001A8: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
-  00000000000001AC: 39 44 24 20        cmp         dword ptr [rsp+20h],eax
-  00000000000001B0: 7D 08              jge         00000000000001BA
-  00000000000001B2: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
-  00000000000001B6: 89 44 24 24        mov         dword ptr [rsp+24h],eax
-  00000000000001BA: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
-  00000000000001BF: 0F B7 0D 00 00 00  movzx       ecx,word ptr [currentoutsize]
-                    00
-  00000000000001C6: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
-                    00
-  00000000000001CD: 48 03 D1           add         rdx,rcx
-  00000000000001D0: 48 8B CA           mov         rcx,rdx
-  00000000000001D3: 4C 8B C0           mov         r8,rax
-  00000000000001D6: 48 8B 54 24 38     mov         rdx,qword ptr [rsp+38h]
-  00000000000001DB: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
-  00000000000001E1: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  00000000000001E8: 03 44 24 24        add         eax,dword ptr [rsp+24h]
-  00000000000001EC: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  00000000000001F3: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  00000000000001FA: 3D 00 20 00 00     cmp         eax,2000h
-  00000000000001FF: 75 07              jne         0000000000000208
-  0000000000000201: 33 C9              xor         ecx,ecx
-  0000000000000203: E8 00 00 00 00     call        printoutput
-  0000000000000208: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
-  000000000000020D: 4C 8B C0           mov         r8,rax
-  0000000000000210: 33 D2              xor         edx,edx
-  0000000000000212: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
-  0000000000000217: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
-  000000000000021D: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
-  0000000000000222: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
-  0000000000000227: 48 03 C8           add         rcx,rax
-  000000000000022A: 48 8B C1           mov         rax,rcx
-  000000000000022D: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
-  0000000000000232: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
-  0000000000000236: 8B 4C 24 20        mov         ecx,dword ptr [rsp+20h]
-  000000000000023A: 2B C8              sub         ecx,eax
-  000000000000023C: 8B C1              mov         eax,ecx
-  000000000000023E: 89 44 24 20        mov         dword ptr [rsp+20h],eax
-  0000000000000242: E9 42 FF FF FF     jmp         0000000000000189
-  0000000000000247: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  000000000000024D: 4C 8B 44 24 30     mov         r8,qword ptr [rsp+30h]
-  0000000000000252: 33 D2              xor         edx,edx
-  0000000000000254: 48 8B C8           mov         rcx,rax
-  0000000000000257: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
-  000000000000025D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
-  0000000000000263: 4C 8B 44 24 40     mov         r8,qword ptr [rsp+40h]
-  0000000000000268: 33 D2              xor         edx,edx
-  000000000000026A: 48 8B C8           mov         rcx,rax
-  000000000000026D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
-  0000000000000273: 48 83 C4 58        add         rsp,58h
-  0000000000000277: C3                 ret
-  0000000000000278: CC                 int         3
-  0000000000000279: CC                 int         3
-  000000000000027A: CC                 int         3
-  000000000000027B: CC                 int         3
-  000000000000027C: CC                 int         3
-  000000000000027D: CC                 int         3
-  000000000000027E: CC                 int         3
-  000000000000027F: CC                 int         3
-printoutput:
-  0000000000000280: 89 4C 24 08        mov         dword ptr [rsp+8],ecx
-  0000000000000284: 48 83 EC 38        sub         rsp,38h
-  0000000000000288: 48 C7 44 24 20 00  mov         qword ptr [rsp+20h],0
-                    00 00 00
-  0000000000000291: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
-                    00
-  0000000000000298: 44 8B C0           mov         r8d,eax
-  000000000000029B: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
-                    00
-  00000000000002A2: 33 C9              xor         ecx,ecx
-  00000000000002A4: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconOutput]
-  00000000000002AA: 33 C0              xor         eax,eax
-  00000000000002AC: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax
-                    00
-  00000000000002B3: 41 B8 00 20 00 00  mov         r8d,2000h
-  00000000000002B9: 33 D2              xor         edx,edx
-  00000000000002BB: 48 8B 0D 00 00 00  mov         rcx,qword ptr [output]
-                    00
-  00000000000002C2: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
-  00000000000002C8: 83 7C 24 40 00     cmp         dword ptr [rsp+40h],0
-  00000000000002CD: 74 18              je          00000000000002E7
-  00000000000002CF: 48 8B 0D 00 00 00  mov         rcx,qword ptr [output]
-                    00
-  00000000000002D6: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
-  00000000000002DC: 48 C7 05 00 00 00  mov         qword ptr [output],0
-                    00 00 00 00 00
-  00000000000002E7: 48 83 C4 38        add         rsp,38h
-  00000000000002EB: C3                 ret
-  00000000000002EC: CC                 int         3
-  00000000000002ED: CC                 int         3
-  00000000000002EE: CC                 int         3
-  00000000000002EF: CC                 int         3
-  00000000000002F0: CC                 int         3
-  00000000000002F1: CC                 int         3
-  00000000000002F2: CC                 int         3
-  00000000000002F3: CC                 int         3
-  00000000000002F4: CC                 int         3
-  00000000000002F5: CC                 int         3
-  00000000000002F6: CC                 int         3
-  00000000000002F7: CC                 int         3
-  00000000000002F8: CC                 int         3
-  00000000000002F9: CC                 int         3
-  00000000000002FA: CC                 int         3
-  00000000000002FB: CC                 int         3
-  00000000000002FC: CC                 int         3
-  00000000000002FD: CC                 int         3
-  00000000000002FE: CC                 int         3
-  00000000000002FF: CC                 int         3
-FindRWX:
-  0000000000000300: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
-  0000000000000305: 48 83 EC 68        sub         rsp,68h
-  0000000000000309: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
-                    00 00
-  0000000000000311: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
-                    00 00 00
-  000000000000031A: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
-                    00 00 00
-  0000000000000323: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
-                    00 00 00
-  000000000000032C: C7 44 24 40 00 00  mov         dword ptr [rsp+40h],0
-                    00 00
-  0000000000000334: 48 C7 44 24 48 00  mov         qword ptr [rsp+48h],0
-                    00 00 00
-  000000000000033D: C7 44 24 50 00 00  mov         dword ptr [rsp+50h],0
-                    00 00
-  0000000000000345: C7 44 24 54 00 00  mov         dword ptr [rsp+54h],0
-                    00 00
-  000000000000034D: C7 44 24 58 00 00  mov         dword ptr [rsp+58h],0
-                    00 00
-  0000000000000355: 48 8D 0D 00 00 00  lea         rcx,[$SG102129]
-                    00
-  000000000000035C: E8 00 00 00 00     call        internal_printf
-  0000000000000361: 48 8D 0D 00 00 00  lea         rcx,[$SG102130]
-                    00
-  0000000000000368: E8 00 00 00 00     call        internal_printf
-  000000000000036D: 41 B9 30 00 00 00  mov         r9d,30h
-  0000000000000373: 4C 8D 44 24 30     lea         r8,[rsp+30h]
-  0000000000000378: 48 8B 54 24 28     mov         rdx,qword ptr [rsp+28h]
-  000000000000037D: 48 8B 4C 24 70     mov         rcx,qword ptr [rsp+70h]
-  0000000000000382: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$VirtualQueryEx]
-  0000000000000388: 48 85 C0           test        rax,rax
-  000000000000038B: 74 50              je          00000000000003DD
-  000000000000038D: 48 8B 44 24 48     mov         rax,qword ptr [rsp+48h]
-  0000000000000392: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
-  0000000000000397: 48 03 C8           add         rcx,rax
-  000000000000039A: 48 8B C1           mov         rax,rcx
-  000000000000039D: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  00000000000003A2: 83 7C 24 54 40     cmp         dword ptr [rsp+54h],40h
-  00000000000003A7: 75 32              jne         00000000000003DB
-  00000000000003A9: 81 7C 24 50 00 10  cmp         dword ptr [rsp+50h],1000h
-                    00 00
-  00000000000003B1: 75 28              jne         00000000000003DB
-  00000000000003B3: 81 7C 24 58 00 00  cmp         dword ptr [rsp+58h],20000h
-                    02 00
-  00000000000003BB: 75 1E              jne         00000000000003DB
-  00000000000003BD: 4C 8B 44 24 48     mov         r8,qword ptr [rsp+48h]
-  00000000000003C2: 48 8B 54 24 30     mov         rdx,qword ptr [rsp+30h]
-  00000000000003C7: 48 8D 0D 00 00 00  lea         rcx,[$SG102132]
-                    00
-  00000000000003CE: E8 00 00 00 00     call        internal_printf
-  00000000000003D3: C7 44 24 20 01 00  mov         dword ptr [rsp+20h],1
-                    00 00
-  00000000000003DB: EB 90              jmp         000000000000036D
-  00000000000003DD: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
-  00000000000003E1: 48 83 C4 68        add         rsp,68h
-  00000000000003E5: C3                 ret
-  00000000000003E6: CC                 int         3
-  00000000000003E7: CC                 int         3
-  00000000000003E8: CC                 int         3
-  00000000000003E9: CC                 int         3
-  00000000000003EA: CC                 int         3
-  00000000000003EB: CC                 int         3
-  00000000000003EC: CC                 int         3
-  00000000000003ED: CC                 int         3
-  00000000000003EE: CC                 int         3
-  00000000000003EF: CC                 int         3
-go:
-  00000000000003F0: 89 54 24 10        mov         dword ptr [rsp+10h],edx
-  00000000000003F4: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
-  00000000000003F9: 48 83 EC 58        sub         rsp,58h
-  00000000000003FD: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
-                    00 00
-  0000000000000405: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
-                    00 00 00
-  000000000000040E: C7 44 24 24 00 00  mov         dword ptr [rsp+24h],0
-                    00 00
-  0000000000000416: 44 8B 44 24 68     mov         r8d,dword ptr [rsp+68h]
-  000000000000041B: 48 8B 54 24 60     mov         rdx,qword ptr [rsp+60h]
-  0000000000000420: 48 8D 4C 24 30     lea         rcx,[rsp+30h]
-  0000000000000425: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataParse]
-  000000000000042B: 48 8D 4C 24 30     lea         rcx,[rsp+30h]
-  0000000000000430: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataInt]
-  0000000000000436: 89 44 24 20        mov         dword ptr [rsp+20h],eax
-  000000000000043A: E8 00 00 00 00     call        bofstart
-  000000000000043F: 85 C0              test        eax,eax
-  0000000000000441: 75 02              jne         0000000000000445
-  0000000000000443: EB 78              jmp         00000000000004BD
-  0000000000000445: 44 8B 44 24 20     mov         r8d,dword ptr [rsp+20h]
-  000000000000044A: 33 D2              xor         edx,edx
-  000000000000044C: B9 FF FF 1F 00     mov         ecx,1FFFFFh
-  0000000000000451: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$OpenProcess]
-  0000000000000457: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
-  000000000000045C: 48 83 7C 24 28 00  cmp         qword ptr [rsp+28h],0
-  0000000000000462: 75 19              jne         000000000000047D
-  0000000000000464: 48 8D 15 00 00 00  lea         rdx,[$SG102148]
-                    00
-  000000000000046B: B9 0D 00 00 00     mov         ecx,0Dh
-  0000000000000470: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  0000000000000476: B8 FF FF FF FF     mov         eax,0FFFFFFFFh
-  000000000000047B: EB 40              jmp         00000000000004BD
-  000000000000047D: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  0000000000000482: E8 00 00 00 00     call        FindRWX
-  0000000000000487: 89 44 24 24        mov         dword ptr [rsp+24h],eax
-  000000000000048B: 83 7C 24 24 00     cmp         dword ptr [rsp+24h],0
-  0000000000000490: 75 14              jne         00000000000004A6
-  0000000000000492: 48 8D 15 00 00 00  lea         rdx,[$SG102151]
-                    00
-  0000000000000499: B9 0D 00 00 00     mov         ecx,0Dh
-  000000000000049E: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
-  00000000000004A4: EB 0A              jmp         00000000000004B0
-  00000000000004A6: B9 01 00 00 00     mov         ecx,1
-  00000000000004AB: E8 00 00 00 00     call        printoutput
-  00000000000004B0: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
-  00000000000004B5: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$CloseHandle]
-  00000000000004BB: 33 C0              xor         eax,eax
-  00000000000004BD: 48 83 C4 58        add         rsp,58h
-  00000000000004C1: C3                 ret
-
-  Summary
-
-          18 .bss
-          40 .chks64
-          E6 .data
-          8C .debug$S
-          5D .drectve
-          3C .pdata
-         4C2 .text$mn
-          28 .xdata

KIT/FindRWX/findrwx.h

@@ -1,16 +0,0 @@
-#include <windows.h>
-
-//FindRWX
-DECLSPEC_IMPORT SIZE_T WINAPI KERNEL32$VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength);
-DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
-DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject);
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);

KIT/FindSysmon/README.md

@@ -1,15 +0,0 @@
-# FindSysmon
-Verify if Sysmon is running. This can be done by checking the registry or by enumerating Minifilter drivers and search for one that is associated with Sysmon.
-
-## Options
-* `reg`: search the registry to check if Sysmon is present on the system and return the Sysmon service PID if active.
-* `driver`: list all the Minifilter drivers on the system and check manually if a minifilter is present that is associated with Sysmon (requires elevated privileges).
-
-## Usage
-* `findsysmon <reg | driver>`
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindSysmon/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindSysmon/bofcompile.bat

@@ -1,5 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findsysmon.c
-move /y findsysmon.obj findsysmon.o
-

KIT/FindSysmon/findsysmon.c

@@ -1,332 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include <tdh.h>
-#include <pla.h>
-#include <oleauto.h>
-#include <tlhelp32.h>
-#include <fltuser.h>
-#include "findsysmon.h"
-#include "beacon.h"
-
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-//IID: https://gist.githubusercontent.com/stevemk14ebr/af8053c506ef895cd520f8017a81f913/raw/98944bc6ae995229d5231568a8ae73dd287e8b4f/guids
-BOOL PrintSysmonPID(wchar_t * guid) {
-	HRESULT hr = S_OK;
-	ITraceDataProvider *itdProvider = NULL;
-	IID CTraceDataProvider = {0x03837513,0x098b,0x11d8,{0x94,0x14,0x50,0x50,0x54,0x50,0x30,0x30}};
-	IID IIDITraceDataProvider = {0x03837512,0x098b,0x11d8,{0x94,0x14,0x50,0x50,0x54,0x50,0x30,0x30}};
-	IID IIDIEnumVARIANT = {0x00020404,0x0000,0x0000,{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}};
-	IID IIDIValueMapItem = {0x03837533,0x098b,0x11d8,{0x94,0x14,0x50,0x50,0x54,0x50,0x30,0x30}};
-	BOOL activeSysmon = FALSE;
-	
-	hr = OLE32$CoInitializeEx(NULL, COINIT_MULTITHREADED);
-	if(FAILED(hr)) return FALSE;
-
-	hr = OLE32$CoCreateInstance(&CTraceDataProvider, 0, CLSCTX_INPROC_SERVER, &IIDITraceDataProvider, (LPVOID *) &itdProvider); 
-	if(FAILED(hr))
-	{
-		BeaconPrintf(CALLBACK_ERROR,"Failed to create instance of object: %lX", hr);
-	}
-	
-	hr = itdProvider->lpVtbl->Query(itdProvider, guid, NULL);
-	if(FAILED(hr))
-	{
-		BeaconPrintf(CALLBACK_ERROR,"Failed to query the process based on the GUID: %lX\n", hr);
-	}
-	IValueMap *ivmProcesses = NULL;
-	hr = itdProvider->lpVtbl->GetRegisteredProcesses(itdProvider, &ivmProcesses);
-	
-	if(hr == S_OK) {
-		long count = 0;
-		hr = ivmProcesses->lpVtbl->get_Count(ivmProcesses, &count);
-		
-		if (count > 0) {
-			IUnknown *pUnk = NULL;
-			hr = ivmProcesses->lpVtbl->get__NewEnum(ivmProcesses, &pUnk);
-			IEnumVARIANT *pItems = NULL;
-			hr = pUnk->lpVtbl->QueryInterface(pUnk, &IIDIEnumVARIANT, (void **)&pItems);
-			pUnk->lpVtbl->Release(pUnk);
-			
-			VARIANT vItem;
-			VARIANT vPID;
-			OLEAUT32$VariantInit(&vItem);
-			OLEAUT32$VariantInit(&vPID);
-			
-			IValueMapItem *pProc = NULL;
-			while ((hr = pItems->lpVtbl->Next(pItems, 1, &vItem, NULL)) == S_OK) {
-				vItem.punkVal->lpVtbl->QueryInterface(vItem.punkVal, &IIDIValueMapItem, (void **) &pProc);
-				pProc->lpVtbl->get_Value(pProc, &vPID);
-				
-				if (vPID.ulVal) {
-					internal_printf("Sysmon procID:\t\t%d\n", vPID.ulVal);
-					activeSysmon = TRUE;
-				}
-
-				OLEAUT32$VariantClear(&vPID);
-				pProc->lpVtbl->Release(pProc);
-				OLEAUT32$VariantClear(&vItem);
-			}
-		}
-	}
-	ivmProcesses->lpVtbl->Release(ivmProcesses);
-	itdProvider->lpVtbl->Release(itdProvider);
-	OLE32$CoUninitialize();
-
-	return activeSysmon;
-}
-
-
-BOOL FindSysmon() {
-    DWORD status = ERROR_SUCCESS;
-    PROVIDER_ENUMERATION_INFO * penum = NULL;    
-    PROVIDER_ENUMERATION_INFO * ptemp = NULL;
-    DWORD BufferSize = 0;                       
-    HRESULT hr = S_OK;                          
-    WCHAR StringGuid[MAX_GUID_SIZE];
-	
-    HKEY hKey;
-	DWORD cbLength = MAX_DATA_LENGTH;
-	DWORD dwType;
-	char* RegData = NULL;
-	wchar_t guid[256];	
-	BOOL activeSysmon = FALSE;
-
-
-	if(ADVAPI32$RegOpenKeyExA(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational"), 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
-		RegData = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbLength);
-		if (RegData == NULL) {
-			return FALSE;
-		}
-
-		if(ADVAPI32$RegGetValueA(hKey,	NULL, "OwningPublisher", RRF_RT_ANY, &dwType, (PVOID)RegData, &cbLength) != ERROR_SUCCESS) {
-			return FALSE;
-		}
-		
-		if (MSVCRT$strlen(RegData) != 0) {
-			KERNEL32$MultiByteToWideChar(CP_UTF8, 0, RegData, -1, guid, 256);
-		}
-		else return FALSE;
-	}
-	else return FALSE;
-	if(RegData) KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, RegData);
-	ADVAPI32$RegCloseKey(hKey);
-	
-	
-    status = TDH$TdhEnumerateProviders(penum, &BufferSize);
-    while (status == ERROR_INSUFFICIENT_BUFFER) {
-        ptemp = (PROVIDER_ENUMERATION_INFO *) MSVCRT$realloc(penum, BufferSize);
-        if (ptemp == NULL) {
-            return FALSE;
-        }
-
-        penum = ptemp;
-        ptemp = NULL;
-
-        status = TDH$TdhEnumerateProviders(penum, &BufferSize);
-    }
-	
-    if (status != ERROR_SUCCESS) 
-		BeaconPrintf(CALLBACK_ERROR,"TdhEnumerateProviders failed.\n");
-	
-    else {
-        for (DWORD i = 0; i < penum->NumberOfProviders; i++) {
-            hr = OLE32$StringFromGUID2(&penum->TraceProviderInfoArray[i].ProviderGuid, StringGuid, ARRAYSIZE(StringGuid));
-            if (FAILED(hr)) return FALSE;
-			
-			if (!MSVCRT$_wcsicmp(StringGuid, (wchar_t *)guid)) { 
-
-				internal_printf("[!] Sysmon service found:\n===============================================================\n");
-				activeSysmon = PrintSysmonPID(guid);	
-
-				if(!activeSysmon) internal_printf("Sysmon service status:\tStopped\n");
-				else internal_printf("Sysmon service status:\tRunning\n");
-				
-				internal_printf("Sysmon provider name:\t%ls\nSysmon provider GUID:\t%ls\n", (LPWSTR)((PBYTE)(penum)+penum->TraceProviderInfoArray[i].ProviderNameOffset), StringGuid); 
-				if (penum) {
-					MSVCRT$free(penum);
-					penum = NULL;
-				}
-				return TRUE;
-			}
-			
-        }
-    }
-
-    if (penum) {
-        MSVCRT$free(penum);
-        penum = NULL;
-    }
-	
-	return FALSE;
-}
-
-
-
-int PrintMiniFilterData(FILTER_AGGREGATE_STANDARD_INFORMATION * lpFilterInfo) {
-
-	FILTER_AGGREGATE_STANDARD_INFORMATION * fltInfo = NULL;
-	char * fltName, * fltAlt;
-	
-	fltInfo = (FILTER_AGGREGATE_STANDARD_INFORMATION *) lpFilterInfo;
-
-	int fltName_size = fltInfo->Type.MiniFilter.FilterNameLength;
-	LONGLONG src = ((LONGLONG) lpFilterInfo) + fltInfo->Type.MiniFilter.FilterNameBufferOffset;
-	fltName = (char *) MSVCRT$malloc(fltName_size + 2);
-	MSVCRT$memset(fltName, 0, fltName_size + 2);
-	MSVCRT$memcpy(fltName, (void *) src, fltName_size);
-	
-	int fltAlt_size = fltInfo->Type.MiniFilter.FilterAltitudeLength;
-	src = ((LONGLONG) lpFilterInfo) + fltInfo->Type.MiniFilter.FilterAltitudeBufferOffset;
-	fltAlt = (char *) MSVCRT$malloc(fltAlt_size + 2);
-	MSVCRT$memset(fltAlt, 0, fltAlt_size + 2);
-	MSVCRT$memcpy(fltAlt, (void *) src, fltAlt_size);	
-	
-	if (fltInfo->Flags == FLTFL_ASI_IS_MINIFILTER) {
-		internal_printf("%-29ls%ls\t%26d\n", fltName, fltAlt, fltInfo->Type.MiniFilter.NumberOfInstances);
-	}
-	MSVCRT$free(fltName);
-	MSVCRT$free(fltAlt);	
-	
-	return 0;
-}
-
-
-BOOL FindMiniFilters() {
-	HRESULT res;
-	DWORD dwBytesReturned;
-	HANDLE hFilterFind;
-	DWORD dwFilterInfoSize = 1024;
-	LPVOID lpFilterInfo = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), NULL, dwFilterInfoSize);
-	BOOL foundMinifilter = FALSE;
-	
-	res = Fltlib$FilterFindFirst(FilterAggregateStandardInformation, lpFilterInfo, dwFilterInfoSize, &dwBytesReturned, &hFilterFind);
-	if (res == HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS)) return foundMinifilter;
-	if (res != S_OK) return foundMinifilter;
-	
-	internal_printf("[+] Found MiniFilter drivers.\n[*] Check if you can identify one that is associated with Sysmon (e.g. SysmonDrv):\n\n");
-	internal_printf("Name Minifilter\t\tPriority altitude\t\tLoaded instances\n=======================================================================\n");
-	PrintMiniFilterData((FILTER_AGGREGATE_STANDARD_INFORMATION *) lpFilterInfo);
-	foundMinifilter = TRUE;
-
-	while(true) {
-		res = Fltlib$FilterFindNext(hFilterFind, FilterAggregateStandardInformation, lpFilterInfo, dwFilterInfoSize, &dwBytesReturned);
-		if (res == HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS)) break;
-		if (res != S_OK) return foundMinifilter;
-		PrintMiniFilterData((FILTER_AGGREGATE_STANDARD_INFORMATION *) lpFilterInfo);		
-	}
-	
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), NULL, lpFilterInfo);
-    return foundMinifilter;
-}
-
-
-
-int go(char *args, int len) {
-	BOOL res = NULL;
-	CHAR *action;
-	datap parser;
-	
-	BeaconDataParse(&parser, args, len);
-	action = BeaconDataExtract(&parser, NULL);
-	if(!bofstart()) return;
-	
-	if (MSVCRT$strcmp(action, "reg") == 0) {
-		res = FindSysmon();
-		if(!res) {
-			BeaconPrintf(CALLBACK_OUTPUT, "[+] No Sysmon service found :)\n");
-			return 0;
-		}
-		else  {
-			printoutput(TRUE);
-		}
-	}
-	else if (MSVCRT$strcmp(action, "driver") == 0) {
-		res = FindMiniFilters();
-		if(!res) {
-			BeaconPrintf(CALLBACK_ERROR,"Couldn't list Minifilter drivers. Running with high enough privileges?\n");
-			return 0;
-		}
-		else  {
-			printoutput(TRUE);
-		}
-	}
-	else {
-		BeaconPrintf(CALLBACK_ERROR, "Please specify one of the following enumeration options: reg | driver (must be elevated)\n");
-	}
-
-	return 0;
-}
-
-

KIT/FindSysmon/findsysmon.cna

@@ -1,32 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-    "findsysmon", "Verify if Sysmon is running.",
-    "INFO:\nVerify if Sysmon is running. This can be done by checking the registry or by enumerating Minifilter drivers and search for one that is associated with Sysmon.\n\nOPTIONS:\n[reg]: search the registry to check if Sysmon is present on the system and return the Sysmon service PID if active.\n[driver]: list all the Minifilter drivers on the system to check manually (requires elevated privileges).\n\n" .
-    "USAGE:\nfindsysmon <reg | driver>\n\n");
-
-
-alias findsysmon {
-    $bid = $1;
-    $action = $2;
-
-    if ($action eq "reg" || $action eq "driver") {
-    }
-    else {
-        berror($bid, "Please specify one of the following enumeration options: reg | driver\n");
-        return;
-    }
-
-    # Read in the right BOF file
-    $handle = openf(script_resource("findsysmon.o"));
-    $data   = readb($handle, -1);
-    closef($handle);
-
-    # Pack our arguments
-    $arg_data  = bof_pack($bid, "z", $action);
-
-    blog($bid, "Tasked to find Sysmon..");
-    beacon_inline_execute($bid, $data, "go", $arg_data);
-}
-
-

KIT/FindSysmon/findsysmon.h

@@ -1,60 +0,0 @@
-#include <windows.h>  
-
-#pragma comment(lib, "tdh.lib")
-#pragma comment(lib, "Ole32.lib") 
-#pragma comment(lib, "Advapi32.lib")
-#pragma comment(lib, "OleAut32.lib")
-#pragma comment(lib, "FltLib.lib" )
-
-#define HRESULT_FROM_WIN32(x) (x ? ((HRESULT) (((x) & 0x0000FFFF) | (FACILITY_WIN32 << 16) | 0x80000000)) : 0)
-#define MAX_GUID_SIZE 39
-#define MAX_DATA_LENGTH 65000
-#define true 1
-
-//PrintSysmonPID
-DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit);
-DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void);
-DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv);
-DECLSPEC_IMPORT void WINAPI OLEAUT32$VariantInit(VARIANTARG *pvarg);
-DECLSPEC_IMPORT void WINAPI OLEAUT32$VariantClear(VARIANTARG *pvarg);
-
-//FindSysmon
-DECLSPEC_IMPORT LONG WINAPI ADVAPI32$RegOpenKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult);
-DECLSPEC_IMPORT LSTATUS WINAPI ADVAPI32$RegGetValueA(HKEY hkey, LPCSTR lpSubKey, LPCSTR lpValue, DWORD dwFlags, LPDWORD pdwType, PVOID pvData, LPDWORD pcbData);
-DECLSPEC_IMPORT LONG WINAPI ADVAPI32$RegCloseKey(HKEY hKey);
-//DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetProcessHeap();
-//DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-//DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
-DECLSPEC_IMPORT int __cdecl OLE32$StringFromGUID2(REFGUID rguid, LPOLESTR lpsz, int cchMax);
-WINBASEAPI TDHSTATUS WINAPI TDH$TdhEnumerateProviders(PPROVIDER_ENUMERATION_INFO pBuffer, ULONG *pBufferSize);
-WINBASEAPI void* __cdecl MSVCRT$realloc(void *ptr, size_t size);
-WINBASEAPI size_t __cdecl MSVCRT$strlen(const char *str);
-WINBASEAPI int __cdecl MSVCRT$_wcsicmp(const wchar_t *str1, const wchar_t *str2);
-DECLSPEC_IMPORT int WINAPI KERNEL32$MultiByteToWideChar(UINT CodePage, DWORD dwFlags, _In_NLS_string_(cbMultiByte)LPCCH lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar);
-
-//PrintMiniFilterData
-WINBASEAPI void * __cdecl MSVCRT$malloc(size_t size);
-//WINBASEAPI void * __cdecl MSVCRT$memcpy(void *dest, const void *src, size_t count);
-//WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI int __cdecl MSVCRT$wprintf(const wchar_t *format, ...);
-//WINBASEAPI void __cdecl MSVCRT$free(void *ptr);
-
-//FindMiniFilters
-WINBASEAPI HRESULT WINAPI Fltlib$FilterFindFirst(FILTER_INFORMATION_CLASS dwInformationClass, LPVOID lpBuffer, DWORD dwBufferSize, LPDWORD lpBytesReturned, LPHANDLE lpFilterFind);
-WINBASEAPI HRESULT WINAPI Fltlib$FilterFindNext(HANDLE hFilterFind, FILTER_INFORMATION_CLASS dwInformationClass, LPVOID lpBuffer, DWORD dwBufferSize, LPDWORD lpBytesReturned);
-
-//main
-WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
-WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);
-WINBASEAPI int __cdecl MSVCRT$getchar(void);
-
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);

KIT/FindWebClient/README.md

@@ -1,27 +0,0 @@
-# FindWebClient
-Find hosts with the WebClient service running using a list with predefined hostnames or IP addresses. The list is loaded from your own attacker system.
-
->A valid list with hostnames is considered newline separated and ends with a newline. Furthermore, the following hostname notations are correct: `database`, `database.example.local`, `10.100.10.1`.  
-
-## Arguments
-* `<path to file>`: the path on your own attacker system to the file containing the list with predefined hostnames.
-* `debug`: optional argument to include hostnames in the output that couldn't be reached or on which the WebClient was not running.
-
-
-## Usage
-* `findwebclient <path to hostname file> [opt:debug]`
-
-
-## Examples
-* `findwebclient C:\Users\RTO\Documents\hostnames.txt`
-* `findwebclient C:\\Users\RTO\Documents\hostnames.txt debug`
-
-
-## Compile
-- 1\. Make sure Visual Studio is installed and supports C/C++.
-- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
-- 3\. Run the `bofcompile.bat` script to compile the object file. 
-- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 
-
-## Credits
-This project is based on the [GetWebDAVStatus](https://github.com/G0ldenGunSec/GetWebDAVStatus) BOF and created as a more user friendly version.

KIT/FindWebClient/beacon.h

@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- *   - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- *    1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
-	char * original; /* the original buffer [so we can free it] */
-	char * buffer;   /* current pointer into our buffer */
-	int    length;   /* remaining length of data */
-	int    size;     /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT      0x0
-#define CALLBACK_OUTPUT_OEM  0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR       0x0d
-
-DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void   BeaconRevertToken();
-DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindWebClient/bofcompile.bat

@@ -1,6 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findwebclient.c
-move /y findwebclient.obj findwebclient.o
-
-

KIT/FindWebClient/findwebclient.c

@@ -1,134 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include "findwebclient.h"
-#include "beacon.h"
-
-
-//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
-#ifndef bufsize
-#define bufsize 8192
-#endif
-char *output = 0;  
-WORD currentoutsize = 0;
-HANDLE trash = NULL; 
-int bofstart();
-void internal_printf(const char* format, ...);
-void printoutput(BOOL done);
-
-int bofstart() {   
-    output = (char*)MSVCRT$calloc(bufsize, 1);
-    currentoutsize = 0;
-    return 1;
-}
-
-void internal_printf(const char* format, ...){
-    int buffersize = 0;
-    int transfersize = 0;
-    char * curloc = NULL;
-    char* intBuffer = NULL;
-    va_list args;
-    va_start(args, format);
-    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
-    va_end(args);
-    
-    if (buffersize == -1) return;
-    
-    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
-	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
-    va_start(args, format);
-    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
-    va_end(args);
-    if(buffersize + currentoutsize < bufsize) 
-    {
-        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
-        currentoutsize += buffersize;
-    } else {
-        curloc = intBuffer;
-        while(buffersize > 0)
-        {
-            transfersize = bufsize - currentoutsize;
-            if(buffersize < transfersize) 
-            {
-                transfersize = buffersize;
-            }
-            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
-            currentoutsize += transfersize;
-            if(currentoutsize == bufsize)
-            {
-                printoutput(FALSE); 
-            }
-            MSVCRT$memset(transferBuffer, 0, transfersize); 
-            curloc += transfersize; 
-            buffersize -= transfersize;
-        }
-    }
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
-	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
-}
-
-void printoutput(BOOL done) {
-    char * msg = NULL;
-    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
-    currentoutsize = 0;
-    MSVCRT$memset(output, 0, bufsize);
-    if(done) {MSVCRT$free(output); output=NULL;}
-}
-//END TrustedSec BOF print code.
-
-
-int go(char *args, int len) {
-    char* pipeNameHead = "\\\\";
-    char* pipeNameTail = "\\pipe\\DAV RPC SERVICE";
-    BOOL pipeStatus = 0;
-    char* hostname;
-	char* nextHostname;
-	char* debug;
-    int iBytesLen = 0;
-    CHAR *hostFileBytes;
-    datap parser;
-
-    BeaconDataParse(&parser, args, len);
-    hostFileBytes = BeaconDataExtract(&parser, &iBytesLen);
-	debug = BeaconDataExtract(&parser, NULL);
-	if(!bofstart()) return;
-	
-    if(iBytesLen != 0) {
-        BeaconPrintf(CALLBACK_OUTPUT, "[*] Loaded file in memory with a size of %d bytes\n", iBytesLen); 
-		
-		internal_printf("\nEnumeration results:\n");
-		internal_printf("==============================================\n");
-	
-        hostname = MSVCRT$strtok(hostFileBytes, "\r\n");
-        while (hostname != NULL) {
-			nextHostname = MSVCRT$strtok(NULL, "\r\n");
-            if (nextHostname == NULL) {
-                break;
-            }
-
-            size_t len = MSVCRT$strlen(hostname);
-            char* fullPipeName = (char*) MSVCRT$malloc(len + MSVCRT$strlen(pipeNameHead) + MSVCRT$strlen(pipeNameTail) + 1);
-            MSVCRT$strcpy(fullPipeName, pipeNameHead);
-            MSVCRT$strcat(fullPipeName, hostname);
-            MSVCRT$strcat(fullPipeName, pipeNameTail);
-		
-            pipeStatus = KERNEL32$WaitNamedPipeA(fullPipeName, 3000);
-
-			if (pipeStatus == 0 && (MSVCRT$strcmp(debug, "debug") == 0)) {
-				internal_printf("[-] WebClient service not running on %s\n", hostname);
-			} else if (pipeStatus == 0) {
-            } else {
-				internal_printf("[+] WebClient running on %s\n", hostname);
-            }
-            MSVCRT$free(fullPipeName);
-            hostname = nextHostname;
-        }
-		printoutput(TRUE);
-
-    } else {
-        BeaconPrintf(CALLBACK_ERROR, "Couldn't load the host file from disk.\n");
-    }
-	
-	
-    return 0;
-}
-

KIT/FindWebClient/findwebclient.cna

@@ -1,38 +0,0 @@
-# author REDMED-X
-
-beacon_command_register(
-	"findwebclient", "Find running WebClient services.",
-	"INFO:\nFind hosts with the WebClient service running based on a list with predefined hostnames or IP addresses. The list is loaded from your own attacker system.\n\n" .
-	"ARGUMENTS:\n[<path to file>]: the path on your own attacker system to the file containing the list with predefined hostnames. Each hostname must be newline separated.\n[debug]: optional argument to include hostnames in the output that couldn't be reached or on which the WebClient was not running.\n\n" .
-	"USAGE:\nfindwebclient <path to hostname file> [opt:debug]\n\n" .
-	"EXAMPLES:\nfindwebclient C:\\Users\\redmed\\Documents\\hostnames.txt\nfindwebclient C:\\Users\\redmed\\Documents\\hostnames.txt debug\n\n");
-	
-alias findwebclient {
-    $bid = $1;
-	$path = $2;
-	$debug = $3;
-	
-	if ($path eq "") {
-		berror($bid, "Please specify the path on your own attacker system to the file containing the list with newline separated hostnames.\n");
-		return;
-	}
-
-	
-	# read in the .txt file
-	$handle = openf("$path");
-	$file = readb($handle, -1);
-	closef($handle);
-	
-	blog($bid, "path: $+  $path");
-	
-    # Read in the right BOF file
-    $handle = openf(script_resource("findwebclient.o"));
-    $data = readb($handle, -1);
-    closef($handle);
-
-	# Pack our arguments
-    $arg_data = bof_pack($bid, "bz", $file, $debug);
-
-	blog($bid, "Tasked to find running WebClient services..");
-    beacon_inline_execute($bid, $data, "go", $arg_data);
-}

KIT/FindWebClient/findwebclient.h

@@ -1,25 +0,0 @@
-#include <windows.h>  
-
-//main
-WINBASEAPI BOOL WINAPI KERNEL32$WaitNamedPipeA(LPCSTR lpNamedPipeName, DWORD nTimeOut);
-WINBASEAPI void* WINAPI MSVCRT$malloc(SIZE_T);
-WINBASEAPI SIZE_T WINAPI MSVCRT$strlen(const char* str);
-WINBASEAPI void* WINAPI MSVCRT$strcpy(const char* dest, const char* source);
-WINBASEAPI void* WINAPI MSVCRT$strcat(const char* dest, const char* source);
-//DECLSPEC_IMPORT void __cdecl MSVCRT$free(void* _Block);
-DECLSPEC_IMPORT FILE* __cdecl MSVCRT$fopen(const char* _Filename, const char* _Mode);
-DECLSPEC_IMPORT int __cdecl MSVCRT$fclose(FILE* _File);
-DECLSPEC_IMPORT char* __cdecl MSVCRT$fgets(char* _Buffer, int _MaxCount, FILE* _File);
-WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
-DECLSPEC_IMPORT char* __cdecl MSVCRT$strtok(char* _String, const char* _Delimiters);
-WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);