initial BOF commit

trustedsec · May 17, 2021 · fffdf75 · fffdf75
1 parent c46f814
commit fffdf75
Show file tree

Hide file tree

Showing 7 changed files with 190 additions and 7 deletions.
diff --git a/SA/SA.cna b/SA/SA.cna
@@ -1134,3 +1134,30 @@ alias enumLocalSessions{
 	beacon_inline_execute($1, readbof($1, "enumLocalSessions"), "go", $null);
 }
 
+alias findLoadedModule{
+	local('$iswow64 $modname $procname $args');
+	if(-is64 $1 && barch($1) eq "x86")
+	{
+		berror($1, "Unable to run this BOF properly when under WOW64 (32bit proc on 64bit host)");
+		return;
+	}
+	if(size(@_) > 3 || size(@_) < 2){
+		berror($1, "Invalid number of arguments");
+		berror($1, beacon_command_detail("findLoadedModule"));
+		return;
+	}
+	$modname = $2;
+	$procname = iff(-istrue $3, $3, "");
+	$args = bof_pack($1, "zz", $modname, $procname);
+	beacon_inline_execute($1, readbof($1, "findLoadedModule"), "go", $args);
+}
+
+beacon_command_register(
+	"findLoadedModule",
+	"Finds processes loading a specific dll",
+	"Usage:
+	findLoadedModule <part dll name> [opt: part proc name]
+
+	Searches are done in *<part>* manner, so partial matches will hit
+	If you specify a proc name then only processes matching that partial hit will be searched"
+);
diff --git a/SA/findLoadedModule/findLoadedModule.x64.o b/SA/findLoadedModule/findLoadedModule.x64.o
diff --git a/SA/findLoadedModule/findLoadedModule.x86.o b/SA/findLoadedModule/findLoadedModule.x86.o
diff --git a/src/SA/findLoadedModule/Makefile b/src/SA/findLoadedModule/Makefile
@@ -0,0 +1,25 @@
+BOFNAME := findLoadedModule
+COMINCLUDE := -I ../../common
+LIBINCLUDE := -lshlwapi
+CC_x64 := x86_64-w64-mingw32-gcc
+CC_x86 := i686-w64-mingw32-gcc
+CC=x86_64-w64-mingw32-clang
+
+all:
+	$(CC_x64) -o $(BOFNAME).x64.o $(COMINCLUDE) -Os -c entry.c -DBOF 
+	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
+	mkdir -p ../../../SA/$(BOFNAME) 
+	mv $(BOFNAME)*.o ../../../SA/$(BOFNAME)
+
+test:
+	$(CC_x64) entry.c -g $(COMINCLUDE) $(LIBINCLUDE)  -o $(BOFNAME).x64.exe
+	$(CC_x86) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x86.exe
+
+scanbuild:
+	$(CC) entry.c -o $(BOFNAME).scanbuild.exe $(COMINCLUDE) $(LIBINCLUDE)
+
+check:
+	cppcheck --enable=all $(COMINCLUDE) --platform=win64 entry.c
+
+clean:
+	rm $(BOFNAME).*.exe
diff --git a/src/SA/findLoadedModule/entry.c b/src/SA/findLoadedModule/entry.c
@@ -0,0 +1,107 @@
+#include <windows.h>
+#include "bofdefs.h"
+#include "base.c"
+
+
+BOOL ListModules(DWORD PID, const char * modSearchString)
+{
+	MODULEENTRY32 modinfo = {0};
+	modinfo.dwSize = sizeof(MODULEENTRY32);
+	HANDLE hSnap = INVALID_HANDLE_VALUE;
+	DWORD count = 0;
+	BOOL retVal = FALSE;
+	hSnap = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, PID);
+	BOOL more = KERNEL32$Module32First(hSnap, &modinfo);
+	while(more)
+	{
+		if(SHLWAPI$StrStrIA(modinfo.szExePath, modSearchString))
+		{
+			//May be benificial to print off all hits even within a single process
+			internal_printf("%s\n", modinfo.szExePath);
+			retVal = TRUE;
+			//break;
+		}
+		more = KERNEL32$Module32Next(hSnap, &modinfo);
+	}
+
+	end:
+	if(hSnap != INVALID_HANDLE_VALUE) { KERNEL32$CloseHandle(hSnap); }
+	return retVal;
+
+}
+
+void ListProcesses(const char * procSearchString, const char * modSearchString)
+{
+	//Get snapshop of all procs
+	PROCESSENTRY32 procinfo = {0};
+	procinfo.dwSize = sizeof(PROCESSENTRY32);
+	HANDLE hSnap = INVALID_HANDLE_VALUE;
+	DWORD count = 0;
+	hSnap = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+	if(hSnap == INVALID_HANDLE_VALUE)
+	{
+		BeaconPrintf(CALLBACK_ERROR, "Unable to list processes: %d", KERNEL32$GetLastError());
+		goto end;
+	}
+	//And now we Enumerate procs and Call up to List Modules with them
+	BOOL more = KERNEL32$Process32First(hSnap, &procinfo);
+	//internal_printf("First call returned : %d\n", more);
+	while(more)
+	{
+		if(!procSearchString || SHLWAPI$StrStrIA(procinfo.szExeFile, procSearchString))
+		{
+			if(ListModules(procinfo.th32ProcessID, modSearchString))
+			{
+				internal_printf("%-10d : %s\n", procinfo.th32ProcessID, procinfo.szExeFile);
+				count++;
+			}
+		}
+		more = KERNEL32$Process32Next(hSnap, &procinfo);
+	}
+	//Check that we exited because we were done and not an error
+	DWORD exitStatus = KERNEL32$GetLastError();
+	if(exitStatus != ERROR_NO_MORE_FILES)
+	{
+		BeaconPrintf(CALLBACK_ERROR, "Unable to enumerate all processes: %d", exitStatus);
+		goto end;
+	}
+
+	if(!count)
+	{
+		internal_printf("Successfully enumerated all processes, but didn't find the requested module");
+	}
+	end:
+	if(hSnap != INVALID_HANDLE_VALUE) { KERNEL32$CloseHandle(hSnap); }
+	return;
+}
+
+#ifdef BOF
+VOID go( 
+	IN PCHAR Buffer, 
+	IN ULONG Length 
+) 
+{
+	if(!bofstart())
+	{
+		return;
+	}
+	datap parser = {0};
+	BeaconDataParse(&parser, Buffer, Length);
+	const char * modSearchString = BeaconDataExtract(&parser, NULL); //Must Be set
+	const char * procSearchString = BeaconDataExtract(&parser, NULL);
+	procSearchString = (procSearchString[0]) ? procSearchString : NULL;
+
+	ListProcesses(procSearchString, modSearchString);
+	printoutput(TRUE);
+};
+
+#else
+
+int main()
+{
+ListProcesses("explorer", "ntdll");
+ListProcesses(NULL, "Kernel32.dll");
+ListProcesses(NULL, "asdfasdfadsf");
+}
+
+#endif
diff --git a/src/SA/get-netsession/entry.c b/src/SA/get-netsession/entry.c
@@ -80,6 +80,7 @@ void NetSessions(wchar_t* hostname){
             NETAPI32$NetApiBufferFree(pBuf);
             pBuf = NULL;
         }
+
     }    
     while (nStatus == ERROR_MORE_DATA);
     // Check again for an allocated buffer.

diff --git a/src/common/bofdefs.h b/src/common/bofdefs.h
@@ -6,11 +6,13 @@
 #include <imagehlp.h>
 #include <iphlpapi.h>
 #include <stdio.h>
+#include <tlhelp32.h>
 #include <windns.h>
 #include <dbghelp.h>
 #include <winldap.h>
 #include <winnetwk.h>
 #include <wtsapi32.h>
+#include <shlwapi.h>
 
 //KERNEL32
 #ifdef BOF
@@ -72,6 +74,14 @@ DECLSPEC_IMPORT HGLOBAL KERNEL32$GlobalFree(HGLOBAL hMem);
 DECLSPEC_IMPORT LPTCH WINAPI KERNEL32$GetEnvironmentStrings();
 DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$FreeEnvironmentStringsA(LPSTR);
 WINBASEAPI DWORD WINAPI KERNEL32$ExpandEnvironmentStringsW (LPCWSTR lpSrc, LPWSTR lpDst, DWORD nSize);
+WINBASEAPI HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Module32First(HANDLE hSnapshot,LPMODULEENTRY32 lpme);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Module32Next(HANDLE hSnapshot,LPMODULEENTRY32 lpme);
+
+
+
 DECLSPEC_IMPORT WINBASEAPI int WINAPI KERNEL32$lstrlenA(LPCSTR);
 
 //WTSAPI32
@@ -172,6 +182,9 @@ WINUSERAPI LPWSTR WINAPI USER32$CharPrevW(LPCWSTR lpszStart,LPCWSTR lpszCurrent)
 //secur32
 WINBASEAPI BOOLEAN WINAPI SECUR32$GetUserNameExA (int NameFormat, LPSTR lpNameBuffer, PULONG nSize);
 
+//shlwapi
+LWSTDAPI_(LPSTR) SHLWAPI$StrStrIA(LPCSTR lpFirst,LPCSTR lpSrch);
+
 //advapi32
 WINADVAPI WINBOOL WINAPI ADVAPI32$OpenProcessToken (HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
 WINADVAPI WINBOOL WINAPI ADVAPI32$GetTokenInformation (HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength);
@@ -318,6 +331,8 @@ DECLSPEC_IMPORT DWORD WINAPI VERSION$GetFileVersionInfoSizeA(LPCSTR lptstrFilena
 DECLSPEC_IMPORT WINBOOL WINAPI VERSION$GetFileVersionInfoA(LPCSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData);
 DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen);
 
+
+
 #else
 #define intAlloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size)
 #define intRealloc(ptr, size) (ptr) ? KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, ptr, size) : KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size)
@@ -360,7 +375,7 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define KERNEL32$DeleteFileW  DeleteFileW 
 #define KERNEL32$CreateFileW  CreateFileW 
 #define KERNEL32$GetFileSize  GetFileSize 
-#define KERNEL32$ReadFile  ReadFile
+#define KERNEL32$ReadFile  ReadFile 
 #define KERNEL32$OpenProcess  OpenProcess 
 #define KERNEL32$GetComputerNameExW  GetComputerNameExW 
 #define KERNEL32$lstrlenW  lstrlenW 
@@ -374,20 +389,30 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define KERNEL32$FindClose  FindClose 
 #define KERNEL32$SetLastError  SetLastError 
 #define KERNEL32$HeapAlloc HeapAlloc
+#define KERNEL32$HeapReAlloc HeapReAlloc
 #define KERNEL32$HeapFree HeapFree
 #define MSVCRT$memset memset
 #define KERNEL32$GlobalAlloc GlobalAlloc
 #define KERNEL32$GlobalFree GlobalFree
 #define KERNEL32$GetEnvironmentStrings GetEnvironmentStrings
 #define KERNEL32$FreeEnvironmentStringsA FreeEnvironmentStringsA
-#define KERNEL32$ExpandEnvironmentStringsW ExpandEnvironmentStringsW
+#define KERNEL32$ExpandEnvironmentStringsW  ExpandEnvironmentStringsW 
+#define KERNEL32$CreateToolhelp32Snapshot CreateToolhelp32Snapshot
+#define KERNEL32$Process32First Process32First
+#define KERNEL32$Process32Next Process32Next
+#define KERNEL32$Module32First Module32First
+#define KERNEL32$Module32Next Module32Next
 #define KERNEL32$lstrlenA lstrlenA
+#define WTSAPI32$WTSEnumerateSessionsA WTSEnumerateSessionsA
+#define WTSAPI32$WTSQuerySessionInformationA WTSQuerySessionInformationA
+#define WTSAPI32$WTSFreeMemory WTSFreeMemory
 #define IPHLPAPI$GetAdaptersInfo  GetAdaptersInfo 
 #define IPHLPAPI$GetAdaptersInfo GetAdaptersInfo
 #define IPHLPAPI$GetIpForwardTable  GetIpForwardTable 
 #define IPHLPAPI$GetNetworkParams GetNetworkParams
 #define IPHLPAPI$GetUdpTable  GetUdpTable 
 #define IPHLPAPI$GetTcpTable  GetTcpTable 
+#define IPHLPAPI$GetIpNetTable GetIpNetTable
 #define MSVCRT$calloc calloc
 #define MSVCRT$memcpy memcpy
 #define MSVCRT$realloc realloc
@@ -399,7 +424,6 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define MSVCRT$wcscpy_s wcscpy_s
 #define MSVCRT$wcslen wcslen
 #define MSVCRT$sprintf  sprintf 
-#define MSVCRT$strncmp strncmp
 #define MSVCRT$wcscmp wcscmp
 #define MSVCRT$wcstok wcstok
 #define MSVCRT$wcsstr wcsstr
@@ -411,12 +435,13 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define MSVCRT$wcsncat wcsncat
 #define MSVCRT$wcsrchr wcsrchr
 #define MSVCRT$wcsrchr wcsrchr
+#define MSVCRT$strcat strcat
 #define MSVCRT$strnlen strnlen
 #define MSVCRT$strlen strlen
 #define MSVCRT$strcmp strcmp
+#define MSVCRT$strncmp strncmp
 #define MSVCRT$strcpy strcpy
 #define MSVCRT$strstr strstr
-#define MSVCRT$strcat strcat
 #define MSVCRT$strtok strtok
 #define MSVCRT$strtok_s strtok_s
 #define MSVCRT$strtoul strtoul
@@ -457,10 +482,8 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define USER32$GetWindowTextA GetWindowTextA
 #define USER32$GetClassNameA GetClassNameA
 #define USER32$CharPrevW CharPrevW
-#define WTSAPI32$WTSEnumerateSessionsA WTSEnumerateSessionsA
-#define WTSAPI32$WTSQuerySessionInformationA WTSQuerySessionInformationA
-#define WTSAPI32$WTSFreeMemory WTSFreeMemory
 #define SECUR32$GetUserNameExA  GetUserNameExA 
+#define SHLWAPI$StrStrIA StrStrIA
 #define ADVAPI32$OpenProcessToken  OpenProcessToken 
 #define ADVAPI32$GetTokenInformation  GetTokenInformation 
 #define ADVAPI32$ConvertSidToStringSidA ConvertSidToStringSidA