This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC), meant to ascertain information regarding imported DLLs (via the ENTRY_RESOURCE) within the current process that your Beacon is associated with.
What problem are you trying to solve?
Given my current projects regarding DLLs, this is yet another blind spot I wanted to address after seeing @N4k3dTurtl3's work.
I wanted to support both 32-bit AND 64-bit Beacon sessions.
I wanted to have verbose or minified output, given an operator's desire.
I wanted to keep the original design of @N4k3dTurtl3's intact; minimal API calls.
This is solved by rolling our own from grokked or cribbed implementations elsewhere.
How do I build this?
1. In this case, you have two options:
   - Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
   - Compile from source via the Makefile:

         cd src
         make clean
         make

2. Load the Aggressor file, in the Script Manager, located in the dist directory
How do I use this?
From a given Beacon:
Any known downsides?
We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk", though this is limited to a single comparison function (stricmp).
You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.