This is a derivative work of https://github.com/gabriellandau/PPLFault.
Please view that repo for all of the original research and further information. This conversion intentionally does not modify the IOCs of the original tool release.
# PPLFaultDumpBOF
Takes the original PPLFault and the originally included DumpShellcode and combines them into a BOF targeting Cobalt Strike.
If you would like to run this in other projects, please consider using our BOF runner implementation, COFFLoader.
## Building
Normally I like to use mingw-w64 to build my BOFs, but given that this exploit requires a modern version of Windows 10 to work, it was easier to convert and compile against cl.exe.
You need to start an x64 native Visual Studio developer prompt. Then, from that prompt, run `makebof.bat`.
## Code layout
The layout of this code closely matches the original, but the original solution files have been removed as they are unused in a BOF build. Start at `entry.c`, as that is the BOF entry point and where all other `.h` / `.c` files are included.
## Example Output
## Usage
First, load `PPLFault.cna` into Cobalt Strike.
Then, in any console, run `pplfaultdump <pid> <outputpath>`.
## License
Silhouette is covered by the ELv2 license. It uses phnt from SystemInformer under the MIT license.
## Credits
Inspired by PPLdump by Clément Labro, which Microsoft patched in July 2022.
ANGRYORCHARD was created by Austin Hudson, who released it when Microsoft patched PPLdump.
PPLFault from Gabriel Landau at Elastic Security.