DLL Image Resource Version Enumeration BOF
What is this?
- This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC), meant to ascertain information regarding imported DLLs (via the ENTRY_RESOURCE) within the current process that your Beacon is associated with.
What problem are you trying to solve?
- Given my current projects regarding DLLs, this is yet another blindspot I wanted to address after seeing @N4k3dTurtl3's work.
- I wanted to support both 32-bit AND 64-bit Beacon sessions.
- I wanted to have verbose or minified output, given an operator's desire.
- I wanted to keep the original design of @N4k3dTurtl3's intact; minimal API calls.
- This is solved by rolling our own from groked or cribbed implementations elsewhere.
How do I build this?
- In this case, you have two options:
  - Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
  - Compile from source via the Makefile
      cd src
      make clean
      make
- Load the Aggressor file, in the Script Manager, located in the dist directory
How do I use this?
- From a given Beacon:
Any known downsides?
- We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk", though this is limited to a single comparison function (stricmp).
- You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.
What does the output look like?
All known DLLs associated with the process
Verbose output of the aforementioned
Verbose output of the aforementioned with needle