- This is a
Cobalt StrikeBOFfile, meant to use two or three arguments (path toDLL, and/or a third argument[all | fancy]) - If a third argument is supplied:
allextracts the values, and creates a string representation of a valid.DEFfile for the providedDLLfancyuses the work of @anthemtotheego) to create anNTFS transactionto provide a memory-residing copy of the corresponding data, which is then synchronized to yourCobalt Strikedownloads view.
- During recent conversations with colleagues in regard to
DLL-based attacks; sideloading, proxying, insert-vector-here, it came to my attention that there are certain instances in which having the exact path to the trueDLLto offload requests was necessary. - I wanted to support both
32-bitAND64-bitexecutable images. - I wanted the
Baseto be represented properly, as not all ordinal base values begin at1. I wanted the values to be accurate. - I wanted an operator to understand how many functions in total are exported from a given executable, so they can make a better determination of whether to download a copy, send the output of this application to the
Beaconconsole, or download an "in memory" variant of the contents.
- In this case, you have two options:
- Use the existing, compiled object file, located in the
distdirectory (AKA proceed to major step two) - Compile from source via the
Makefilecd srcmake cleanmake
- Use the existing, compiled object file, located in the
- Load the
Aggressorfile, in theScript Manager, located in thedistdirectory
- From a given
Beacon:
- We're still using the
Win32API andDynamic Function Resolution. This is for you to determine as far as "risk". - You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.
- There are absolutely bugs in this code; these may or may not come down in the future. I wrote this as a PoC. JohnLaTwC is my hero.
