DLL Exports Extraction BOF

What is this?

What problem are you trying to solve?

  1. During recent conversations with colleagues about DLL-based attacks (sideloading, proxying, insert-vector-here), it came to my attention that there are certain instances in which having the exact path to the true DLL that requests are offloaded to is necessary.
  2. I wanted to support both 32-bit AND 64-bit executable images.
  3. I wanted the ordinal Base to be reported correctly, since not every export table's ordinal base begins at 1. I wanted the values to be accurate.
  4. I wanted an operator to understand how many functions in total are exported from a given executable, so they can make a better determination of whether to download a copy, send the output of this application to the Beacon console, or download an "in memory" variant of the contents.
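The four points above amount to one job: walk the PE export directory and report the ordinal base, the real number of exported functions, their names, and (for forwarded exports) the DLL that actually serves the call. The following is an added, pure-Python illustration of that walk; it is not the BOF's own code and is not derived from it. It handles both PE32 (magic 0x10B) and PE32+ (magic 0x20B) headers, skips empty ordinal slots so the count is accurate rather than NumberOfFunctions, and resolves forwarder strings. Because it has to run offline, it also builds a constructed, minimal PE image (one .rdata section holding only an export directory) to parse; the image builder, the sample DLL name and the function names in it are all constructed for the demonstration. Reading forwarders as the "true DLL" of point 1 is my interpretation; the page does not say how the BOF locates that path.

```python
"""Parse the export directory of a PE32/PE32+ image: ordinal base, true
function count, names, and forwarders (the DLL that really serves a call).
Added example, standard library only; the BOF itself is written in C."""
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def _cstr(b, o):
    return b[o:b.index(b"\0", o)].decode("ascii")

def parse_exports(image):
    """Return {'bits', 'base', 'count', 'exports'} for a PE image held in bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe = _u32(image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = _u16(image, pe + 6)
    opt_size = _u16(image, pe + 20)
    opt = pe + 24
    magic = _u16(image, opt)
    if magic == 0x10B:          # PE32: data directories start at optional header + 96
        bits, dd_off = 32, 96
    elif magic == 0x20B:        # PE32+: data directories start at optional header + 112
        bits, dd_off = 64, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Section table: (VirtualAddress, VirtualSize, PointerToRawData) per section.
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        sections.append((_u32(image, hdr + 12), _u32(image, hdr + 8), _u32(image, hdr + 20)))

    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    exp_rva, exp_size = _u32(image, opt + dd_off), _u32(image, opt + dd_off + 4)
    if exp_rva == 0:
        return {"bits": bits, "base": 0, "count": 0, "exports": []}
    ed = rva_to_off(exp_rva)
    base, n_funcs, n_names = _u32(image, ed + 16), _u32(image, ed + 20), _u32(image, ed + 24)
    funcs, names, ords = _u32(image, ed + 28), _u32(image, ed + 32), _u32(image, ed + 36)
    # AddressOfNameOrdinals holds indexes into AddressOfFunctions, not ordinals.
    name_of = {}
    for i in range(n_names):
        idx = _u16(image, rva_to_off(ords + 2 * i))
        name_of[idx] = _cstr(image, rva_to_off(_u32(image, rva_to_off(names + 4 * i))))
    exports = []
    for i in range(n_funcs):
        rva = _u32(image, rva_to_off(funcs + 4 * i))
        if rva == 0:            # unused ordinal slot: NumberOfFunctions overcounts these
            continue
        # An RVA inside the export directory itself is a forwarder string "DLL.Func".
        fwd = _cstr(image, rva_to_off(rva)) if exp_rva <= rva < exp_rva + exp_size else None
        exports.append({"ordinal": base + i, "name": name_of.get(i), "rva": rva, "forwarder": fwd})
    return {"bits": bits, "base": base, "count": len(exports), "exports": exports}

def forwarded_dlls(result):
    """DLL names that forwarded exports resolve to ('REALDLL' from 'REALDLL.Func')."""
    return sorted({e["forwarder"].split(".", 1)[0] for e in result["exports"] if e["forwarder"]})

def build_test_image(is_64, base, dll_name, entries):
    """Constructed minimal PE: one section holding only an export directory.
    entries: (name or None, code RVA | 0 for an empty ordinal slot | forwarder string)."""
    sec_va, sec_off, n = 0x1000, 0x200, len(entries)
    named = [(i, nm) for i, (nm, _) in enumerate(entries) if nm]
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off = names_off + 4 * len(named)
    str_off = ords_off + 2 * len(named)
    strings = bytearray()
    def add_str(s):
        rva = sec_va + str_off + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva
    dll_rva = add_str(dll_name)
    func_rvas = [add_str(t) if isinstance(t, str) else t for _, t in entries]
    name_rvas = [add_str(nm) for _, nm in named]
    data = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_rva, base, n, len(named),
                       sec_va + funcs_off, sec_va + names_off, sec_va + ords_off)
    data += b"".join(struct.pack("<I", r) for r in func_rvas)
    data += b"".join(struct.pack("<I", r) for r in name_rvas)
    data += b"".join(struct.pack("<H", i) for i, _ in named) + bytes(strings)
    opt_size, magic, dd_off = (240, 0x20B, 112) if is_64 else (224, 0x10B, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off, sec_va, len(data))  # export directory entry
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if is_64 else 0x14C, 1, 0, 0, 0, opt_size, 0x2002)
    section = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(data), sec_va, len(data), sec_off) + bytes(16)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers.ljust(sec_off, b"\0") + data

if __name__ == "__main__":
    # Constructed sample: base 10, one empty slot, one forwarder to a hypothetical REALDLL.
    img = build_test_image(True, 10, "DEMO.dll",
                           [("CreateThing", 0x2340), (None, 0), ("Helper", "REALDLL.RealHelper")])
    r = parse_exports(img)
    print(f"{r['bits']}-bit, ordinal base {r['base']}, {r['count']} exports, forwards to {forwarded_dlls(r)}")
    for e in r["exports"]:
        print(f"  #{e['ordinal']:<4} {e['name'] or '<ordinal only>':<16} {e['forwarder'] or hex(e['rva'])}")
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_exports`; the section-table translation is what makes on-disk parsing work, whereas an in-memory image would map RVAs directly. The empty-slot skip is why `count` can be smaller than the header's NumberOfFunctions, which matters for the "how many are exported in total" decision in point 4.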

How do I build this?

  1. In this case, you have two options:
    1. Use the existing, compiled object file located in the dist directory (i.e. proceed straight to major step two)
    2. Compile from source via the Makefile:
      1. cd src
      2. make clean
      3. make
  2. Load the Aggressor file (located in the dist directory) in the Script Manager

How do I use this?

Any known downsides?

What does the output look like?

Standard (Number-total only output):

Verbose (All data sent to beacon console):

Transactional NTFS Download of File: