This is a derivative work of https://github.com/gabriellandau/PPLFault.

Please view that repo for all of the original research and further information. This conversion intentionally does not modify the IOCs of the original tool release.

PPLFaultDumpBOF

Takes the original PPLFault and the originally included DumpShellcode and combines them into a single BOF targeting Cobalt Strike.

If you would like to run this in other projects, please consider using our BOF runner implementation, COFFLoader.

Building

Normally I like to use mingw-w64 to build my BOFs, but given that this exploit requires a modern version of Windows 10 to work, it was easier to convert and compile against cl.exe.

You need to start an x64 native Visual Studio developer prompt. Then, from that prompt, run makebof.bat.

Code layout

The layout of this code closely matches the original, but the original solution files have been removed as they are unused in a BOF build. Start at entry.c, as that is the BOF entry point and where all other .h / .c files are included.

Example Output

Cobalt Strike Output

Usage

First load PPLFault.cna into Cobalt Strike. Then, in any console, run pplfaultdump <pid> <outputpath>.

License

Silhouette is covered by the ELv2 license. It uses phnt from SystemInformer under the MIT license.

Credits

Inspired by PPLdump by Clément Labro, which Microsoft patched in July 2022.

ANGRYORCHARD was created by Austin Hudson, who released it when Microsoft patched PPLdump.

PPLFault from Gabriel Landau at Elastic Security.