- This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC), meant to ascertain information regarding imported DLLs (via the ENTRY_RESOURCE) within the current process that your Beacon is associated with.
- Given my current projects regarding DLLs, this is yet another blindspot I wanted to address after seeing @N4k3dTurtl3's work.
- I wanted to support both 32-bit AND 64-bit Beacon sessions.
- I wanted to have verbose or minified output, given an operator's desire.
- I wanted to keep the original design of @N4k3dTurtl3's intact; minimal API calls.
- This is solved by rolling our own from grokked or cribbed implementations elsewhere.
- In this case, you have two options:
  - Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
  - Compile from source via the Makefile
    - cd src
    - make clean
    - make
- Load the Aggressor file, in the Script Manager, located in the dist directory
- We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk", though this is limited to a single comparison function (stricmp).
- You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.



