# HandleKatz_BOF

## What is this?
This is a (mostly complete) port of the functionality presented by @thefLink and Code White GmbH. You guys deserve a large amount of thanks for taking the time to present your research!
## Why?

This was a personal question to answer: would this work within Cobalt Strike, and if so, how?
## What are the options this currently supports?

- There are two required parameters: a `PID` and a filepath to write the dumpfile to (e.g. `handlekatz 780 C:\Users\User\Desktop\obfuscated.dmp`).
## How do I run this?

- In this case, you have two options:
  - Use the existing, compiled object file, located in the `dist` directory (AKA proceed to major step two).
  - Compile from source via the `Makefile`:

    ```
    cd src
    make clean
    make
    ```

- Load the `Aggressor` file in the Script Manager; it is located in the `dist` directory.
## Any known downsides?

- We're still using the `Win32` API and `Dynamic Function Resolution`. This is for you to determine as far as "risk".
- You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.
## Where can we go from here?

- Implement the one remaining overt `Win32 API` call invoked with the `Dynamic Function Resolution` syntax (`VirtualAlloc`) to be a call to `NtAllocateVirtualMemory`. I've included the necessary header(s) with implementation in `syscalls.h`. Enjoy! :)