HalosGate Processlist Cobalt Strike BOF

Cobalt Strike Beacon Object File (BOF) that uses a custom HalosGate & HellsGate syscaller, written in assembly, to return a list of processes.

Retrieves the process list using direct system calls made through HalosGate/HellsGate.

Verbose mode (-v) prints the memory addresses to the Cobalt Strike console for debugging.

Compile with x64 MinGW (currently only tested when compiling from macOS):

x86_64-w64-mingw32-gcc -c halosgate-ps.x64.c -o halosgate-ps.x64.o -masm=intel

Run from the Cobalt Strike Beacon console:

beacon> halosgate-ps

To Do List

Usage

beacon> halosgate-ps
[*] HalosGate Processlist BOF (Author: Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[*]               Credits to: @SEKTOR7net @zodiacon @smelly__vx @am0nsec
[+] host called home, sent: 3232 bytes
   PID    PPID    Name
   ---    ----    ----
     0       0    (null)
     4       0    System
    92       4    Registry
   312       4    smss.exe
   436     424    csrss.exe
   512     424    wininit.exe
   532     504    csrss.exe
   624     504    winlogon.exe
   648     512    services.exe
   692     512    lsass.exe
   ...
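The BOF prints a flat PID/PPID/Name table, which is easier to reason about when rebuilt as a process tree. The following Python is an added example that is not part of this project: it parses output in the format shown above (the sample text is constructed from the rows printed there) and reconstructs the parent/child relationships, separately listing entries whose parent PID no longer appears in the snapshot (for example csrss.exe with PPID 424 above, whose parent exited before the list was taken).

```python
import re
from collections import defaultdict

# Constructed sample: the table printed by the BOF in the usage section above.
SAMPLE_OUTPUT = """\
   PID    PPID    Name
   ---    ----    ----
     0       0    (null)
     4       0    System
    92       4    Registry
   312       4    smss.exe
   436     424    csrss.exe
   512     424    wininit.exe
   532     504    csrss.exe
   624     504    winlogon.exe
   648     512    services.exe
   692     512    lsass.exe
"""

# A data row is: whitespace, PID, whitespace, PPID, whitespace, name (may contain spaces).
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_processlist(text):
    """Return a list of (pid, ppid, name) tuples from the BOF's table output.

    The header, the separator line and any non-row lines (e.g. '[*]' status
    messages or the 'beacon>' prompt) do not match ROW_RE and are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def build_tree(rows):
    """Map ppid -> sorted list of child pids.

    Returns (children, orphans); orphans are pids whose parent is absent from
    the snapshot, which is normal for csrss/wininit/winlogon since their
    parent (smss.exe session instance) exits after spawning them.
    """
    pids = {pid for pid, _, _ in rows}
    children = defaultdict(list)
    orphans = []
    for pid, ppid, _ in rows:
        if pid == 0:
            continue  # idle pseudo-process lists itself as its own parent
        children[ppid].append(pid)
        if ppid not in pids:
            orphans.append(pid)
    return {k: sorted(v) for k, v in children.items()}, sorted(orphans)


def render_tree(rows):
    """Return indented lines: the tree under PID 0, then each orphan subtree."""
    names = {pid: name for pid, _, name in rows}
    parent = {pid: ppid for pid, ppid, _ in rows}
    children, orphans = build_tree(rows)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(0, 0)
    for pid in orphans:
        lines.append(f"[parent {parent[pid]} not in list]")
        walk(pid, 1)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_processlist(SAMPLE_OUTPUT))))
```

Feeding the BOF's console output into `parse_processlist` is enough; status lines and the prompt are ignored by the row regex, so the text can be pasted verbatim.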

Credits / References

Reenz0h from @SEKTOR7net (creator of the HalosGate technique)
@smelly__vx & @am0nsec (creators/publishers of the Hells Gate technique)
Pavel Yosifovich (@zodiacon)
OutFlank - Direct Syscalls in Beacon Object Files
Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References
anthemtotheego/InlineExecute-Assembly
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF